DPDPA vs GDPR: India's consent- only rules strain operations

When European regulators designed the General Data Protection Regulation (GDPR), they recognised a practical truth: consent alone cannot sustain a modern privacy framework.

People enter contracts, make purchases, open bank accounts, accept employment and engage in transactions where data processing is intrinsic to the activity itself, regardless of whether they explicitly agree to each processing activity. GDPR therefore established six lawful bases for processing personal data, recognising that while consent is appropriate for some contexts, it is wholly impractical for others.

An organisation under GDPR can process data because the individual consented, but it can equally process data because processing is necessary to perform a contract, to comply with a legal obligation, to protect vital interests, to carry out a task in the public interest, or to pursue the legitimate interests of the organisation.

This diversity of lawful bases reflects operational reality. Modern commerce and governance cannot function if every data processing activity requires explicit individual permission.

WHY GDPR MOVED BEYOND CONSENT ALONE India's Digital Personal Data Protection Act. 2023 (DPDPA) takes a narrower approach. It recognises only two pathways for lawful processing: consent or processing for “certain legitimate uses.” It does not include contract performance or legitimate interests as independent grounds. The listed legitimate uses are limited, specific, and rarely apply to ordinary commercial activity.

As a result, most organisations in India must rely on consent—even for routine processing that would fall under contract performance or legitimate interests under GDPR. This structural difference creates operational chaos. Although the framework appears simpler, compliance under the DPDPA becomes significantly more difficult than GDPR compliance in practice.

DPDPA’S NARROW LAWFUL BASIS PROBLEM