DPDPA vs GDPR: India’s consent-only rules strain operations

India’s consent-centric DPDPA diverges sharply from GDPR, creating operational friction for businesses as routine data processing struggles to find a lawful basis.

When European regulators designed the General Data Protection Regulation (GDPR), they understood something fundamental about how modern economies function: consent alone cannot carry the weight of an entire privacy framework.

People sign contracts, make purchases, open bank accounts, accept employment, and engage in countless transactions where data processing is necessary regardless of whether they explicitly agree to each processing activity.

The GDPR therefore provided six distinct lawful bases for processing personal data, recognising that consent is appropriate for some contexts but wholly impractical for others.

An organisation under GDPR can process data because the individual consented, but it can equally process data because processing is necessary to perform a contract, to comply with a legal obligation, to protect vital interests, to carry out a task in the public interest, or to pursue the legitimate interests of the organisation.

This diversity of lawful bases reflects operational reality. Modern commerce and governance cannot function if every data processing activity requires explicit individual permission.

Why GDPR Moved Beyond Consent Alone

India's Digital Personal Data Protection Act, 2023 (DPDPA) took a dramatically different approach. The DPDPA provides only two pathways for lawful processing: consent or processing for “certain legitimate uses.”

Critically, the DPDPA does not recognise contract performance or legitimate interests as grounds for processing personal data. The legitimate uses provided under the DPDPA are narrow, specific, and largely inapplicable to ordinary commercial activity.

Indian organisations therefore have to rely on consent for most of their data processing, even for activities that, under the GDPR, could instead be based on contract performance or legitimate interests.

This structural difference creates operational chaos. Despite appearing simpler on its face, DPDPA compliance is significantly more difficult than GDPR compliance in practice.

DPDPA’s Narrow Lawful Basis Problem

To understand this challenge, consider a straightforward commercial scenario: a customer purchases a product online. The e-commerce platform must process the customer’s name, address, payment information, and contact details to fulfil the order.

Under GDPR, this processing is justified as necessary to perform a contract. The customer entered into a purchase agreement, and the platform processes data to fulfil that agreement. No consent is required because the processing is inherent to the contractual relationship.

Under the DPDPA, the e-commerce platform cannot rely on contract performance because no such lawful basis exists. Instead, it must seek explicit consent for processing personal data to provide its service. Seeking consent, however, comes with its own challenges and complexities.

The operational challenge intensifies when the organisation processing data has no direct relationship with the individual whose personal data is being processed. This situation is extraordinarily common in modern commerce. Yet the DPDPA framework assumes a bilateral relationship between Data Fiduciary and Data Principal that often does not exist.

Consent Breakdown in Multi-Party Ecosystems

Consider an Online Travel Agent (OTA) operating in India. When a customer books a flight and hotel through the OTA, the OTA must share personal data with the airline to issue tickets and with the hotel to confirm the reservation.

Each entity—the OTA, airline, and hotel—is a separate Data Fiduciary under the DPDPA because each independently determines the purpose and means of processing the personal data it receives.

Under GDPR, this data sharing operates seamlessly based on contract performance. The customer contracted with the OTA to arrange travel services. The OTA's sharing of data with airlines and hotels is necessary to perform that contract.

Without such sharing, the customer cannot receive the flights and accommodation they purchased. The airline and hotel process data for the same reason. No separate consent is required at each stage because processing is inherent to the contractual relationship.

Under DPDPA, this logic collapses. The airline has no direct contract with the customer—the customer booked through the OTA. The hotel similarly has no direct relationship.

The DPDPA requires that every request for consent shall be accompanied or preceded by a notice given by the Data Fiduciary to the Data Principal. This means the airline must give notice and obtain consent directly from the passenger before processing their data. The hotel must do the same. But how?

The airline and hotel have no direct interface with the customer during booking. Should the airline send a separate email requesting consent before the OTA can complete the booking? Should the hotel interrupt the booking flow with its own consent request?

Such friction would destroy customer experience and make integrated travel bookings practically impossible.

The alternative is for the OTA to obtain layered consent on behalf of downstream Data Fiduciaries—consent covering data sharing with airlines, hotels, and every other entity in the travel ecosystem. But a fundamental question remains: does consent given to one Data Fiduciary satisfy the notice and consent requirements for a different Data Fiduciary?

The DPDPA's text suggests each Data Fiduciary must independently give notice and obtain consent. Layered consent obtained by the OTA may not satisfy the airline's independent obligations.

And what happens if the OTA's consent was invalid—if it did not fulfil all requirements of consent under the DPDPA? Downstream Data Fiduciaries would inherit the legal risk without any ability to verify or cure the deficiency.

Security, Consent Fatigue, and Regulatory Risk

The absence of a legitimate interests basis also creates additional chaos where organisations need to process data for security and fraud prevention.

Consider a bank monitoring customer transactions to detect fraud. The bank processes transaction data, analyses patterns, flags suspicious activity, and may freeze accounts or block fraudulent transactions.

Under GDPR, this processing is justified under legitimate interests. The bank has a legitimate interest in preventing fraud and safeguarding customer funds, balanced against customer privacy—a balance that typically favours processing because fraud prevention benefits both parties. No consent is required.

Under DPDPA, there is no legitimate interests basis. The bank cannot process transaction data for fraud detection unless customers consent or some legitimate use applies. If the bank seeks explicit consent for fraud monitoring, many customers will ignore or refuse, undermining fraud prevention entirely.

The bank faces an impossible choice: obtain meaningful consent (which undermines security) or process without clear lawful basis (which creates legal risk). The cumulative effect is that DPDPA compliance is significantly more difficult than GDPR compliance.

The two-pathway structure forces nearly everything into consent, creating systemic problems. Consent fatigue undermines the framework.

When organisations must obtain consent for every processing activity, users receive so many requests that they stop reading and simply click “agree” or withhold consent entirely. This mechanical consent provides no meaningful privacy protection.

At the same time, lack of consent for certain processing activities creates operational barriers that impede legitimate and necessary business functions.

The solution would be for India to amend the DPDPA to include contract performance and legitimate interests as lawful bases for processing personal data.

Such additions would align India with global practices and provide organisations with the flexibility to operate lawfully. Until such amendments occur, Indian organisations face a compliance landscape that is more restrictive than the GDPR in theory and far more chaotic in practice.

The author is a Partner at Saraf and Partners.

The image accompanying this story was created using AI. The article was edited with limited use of AI-based tools.