New Delhi, March 26: A new report by Esya Centre titled “The DPDPA and India’s Digital Economy: Balancing Data Rights, Innovation, and Growth” highlights that certain provisions of India’s Digital Personal Data Protection Act (DPDPA) may inadvertently hinder innovation, increase compliance costs for businesses, and slow the growth of India’s digital economy.
Based on a primary survey of 300 firms across major technology and industrial hubs in India, the study evaluates how two key provisions of the DPDPA, Section 3(c)(ii) relating to publicly available personal data and Section 7 governing legitimate uses of data, are likely to affect firms’ operations, investments, and innovation strategies.
Section 3(c)(ii) of the DPDPA exempts any publicly available personal data, provided it has been made public by the individual it pertains to, or by a third party under a legal obligation. This means that any entity seeking to use publicly available personal data must first verify that it meets these conditions, which is difficult to do at scale.
Meanwhile, Section 7 lays down certain legitimate uses for which users’ digital personal data may be processed without obtaining their consent, but these are rather narrow. Section 7 omits from its ambit grounds such as “legitimate interest” and “contractual necessity”, which are a staple across global data protection laws like the EU GDPR. This limits its utility as an alternative ground to consent under the DPDPA. Having a largely consent-centric data protection law means that even routine data operations, such as direct marketing or spam protection, may require consent.
The findings suggest that the current design of the law could create significant operational challenges, particularly for start-ups, SMEs, and companies developing artificial intelligence (AI) solutions.
Key Findings
The report reveals several trends regarding how businesses anticipate responding to the DPDPA:
· Verification of publicly available data is technically difficult: Nearly 8 in 10 firms report that verifying the origin of publicly available personal data required under Section 3(c)(ii) is challenging, with many stating that it may be practically impossible at scale. Thus, 7 in 10 firms perceive such verification requirements as a major barrier to AI development.
· Verification requirements will lead to high compliance costs: Around 85 percent of surveyed firms anticipate that compliance costs associated with Section 3(c)(ii) could significantly impact their turnover, with 57 percent of AI-focused firms estimating costs exceeding 10 percent of turnover. These increased costs may lead to exclusionary effects against SMEs.
· Innovation spending likely to decline: Firms anticipate their compliance costs increasing by 10-30 percent, due to Section 3(c)(ii)’s verification requirements and the DPDPA’s omission of contractual necessity and legitimate interest as legal grounds for data processing. This may force companies to redirect funds from R&D and innovation towards compliance, with three out of four firms stating that they may defer or scale down innovation-related investments.
· Business disruptions expected due to limited legal grounds for data processing: The report notes that 83 percent of firms anticipate business disruptions because the DPDPA does not currently recognise “legitimate interest” or “contractual necessity” as lawful grounds for processing personal data, both of which are standard in global data protection frameworks.
· 6 in 10 firms also anticipate moderate to extreme disruptions in business development, because the omission of these grounds prevents them from reaching out to prospective customers without their consent. This estimation of disruption is likely conservative because 6 in 10 firms were unaware that the DPDPA omits these grounds, and so may not have internalised its legal implications for their business.
Implications for India’s Digital Economy
The study highlights that publicly available data is a critical input for training AI models and developing digital services. However, the requirement to verify whether such data was made public directly by individuals or by third parties under legal obligation may create a significant barrier to accessing data at scale.
Similarly, the absence of legitimate interest and contractual necessity in the legal framework means that many routine activities such as spam prevention, direct marketing, or transaction processing may require explicit user consent, which businesses say is difficult to operationalise.
The report notes that while the DPDPA represents a major step toward strengthening India’s data protection framework, overly restrictive provisions could inadvertently slow innovation in emerging technologies such as AI.
Industry Perspectives
The survey also indicates that firms seek targeted adjustments to the DPDPA to enhance clarity, flexibility and operational feasibility:
- 61 percent of firms favour sector-specific data protection rules instead of a single omnibus framework, and a notable proportion favour targeted amendments to the DPDPA.
- 47 percent support introducing “legitimate interest” and “contractual necessity” as lawful grounds for data processing under the DPDPA.
- Over 40 percent believe that all publicly available personal data should be exempt from additional consent requirements.
Policy Recommendations
To ensure that India’s data protection framework supports innovation and the growth of Indian start-ups and SMEs, the report recommends:
- Amending Section 3(c)(ii) by removing sub-clauses (A) and (B), to ensure start-ups can use publicly available personal data without risking non-compliance with the DPDPA.
- Expanding Section 7 to recognise legitimate interest and contractual necessity as lawful grounds for processing digital personal data without consent.
- In the short term, introducing targeted exemptions under Section 17 for activities that rely on legitimate interest and contractual necessity, such as:
  - Using community-generated data for spam prevention and detection
  - Using third-party data for protecting the network and cybersecurity
  - Using personal data for direct marketing
  - Using personal data for any transaction processing
  - Using publicly available personal data to train or fine-tune AI models without the need to verify who made the data public or whether it was made public because of a legal obligation.
