Section 4 - The Gateway Provision for All Data Processing
Section 4 of the DPDPA is the gateway through which every data processing activity must pass. It establishes a fundamental principle: a person may process the digital personal data of a Data Principal only in accordance with the provisions of the Act and for a lawful purpose. This seemingly simple provision carries enormous weight. It means that every single instance of processing - from collecting a customer's name at checkout to running machine learning models on user behaviour - must be justified by one of the two lawful grounds recognised by the Act. There is no general right to process personal data, no default permission, and only a narrow transition for legacy practices: processing under consent given before the Act commenced may continue only once the notice required by Section 5(2) has been given, and it must stop when that consent is withdrawn. Every processing activity, whether initiated before or after the Act's commencement, must satisfy Section 4. Organisations that have operated for years under the assumption that they can process data unless specifically prohibited must now invert their thinking: processing is prohibited unless specifically authorised.
The Two Lawful Grounds - Consent and Legitimate Uses
Section 4 recognises exactly two lawful grounds for processing digital personal data. The first ground is consent of the Data Principal, governed by the detailed provisions of Section 6. The second ground is 'certain legitimate uses', governed by Section 7. There is no third option. Unlike the GDPR, which provides six lawful bases for processing (consent, contract performance, legal obligation, vital interests, public task, and legitimate interests), the DPDPA consolidates all non-consent bases into a single category of legitimate uses. This binary framework simplifies the legal analysis in some respects but also means that any processing activity that does not fit within the Section 7 legitimate uses must rely on consent - there is no fallback 'legitimate interests' basis that organisations can invoke unilaterally. For businesses accustomed to the GDPR framework, this narrowing is one of the most significant differences between the two regimes and requires careful reassessment of existing legal bases.
- Ground 1: Consent of the Data Principal (Section 6) - free, specific, informed, unconditional, and unambiguous, signified by a clear affirmative action
- Ground 2: Certain legitimate uses (Section 7) - nine specific categories of processing that do not require consent
- No other lawful grounds exist under the DPDPA - all processing must fall within one of these two
What Constitutes a 'Lawful Purpose'
Section 4 requires that processing be for a 'lawful purpose'. A purpose is considered lawful unless it is expressly forbidden by law. This means the analysis is two-fold: first, the processing must rest on one of the two lawful grounds (consent or legitimate uses); second, the purpose itself must not be prohibited by any law. For example, collecting personal data with consent for the purpose of delivering a product is lawful. Collecting personal data with consent for the purpose of facilitating illegal gambling is not - even though consent exists, the purpose is forbidden by law. Similarly, processing employee data for payroll under Section 7's employment-related legitimate use is lawful, but processing that same data to discriminate on prohibited grounds would not be lawful despite having a legitimate use basis. The lawful purpose requirement operates as a second filter - even if you have a valid legal ground, the end purpose must itself be legal. This dual requirement prevents misuse of the consent and legitimate uses framework.
What Is Expressly Forbidden - The Negative Boundary
Section 4(2) defines a 'lawful purpose' as any purpose that is not expressly forbidden by law, and Section 6 ties consent to a specified purpose. The phrase 'expressly forbidden by law' establishes a negative boundary. It does not require the purpose to be explicitly authorised - only that it not be explicitly prohibited. This gives organisations reasonable flexibility to define purposes, provided those purposes do not violate existing laws. Activities expressly forbidden by Indian law include surveillance without lawful authority, using personal data for caste-based discrimination, processing data to facilitate money laundering or terrorist financing, and using data in ways that constitute an offence under the Bharatiya Nyaya Sanhita, 2023 (which replaced the Indian Penal Code on 1 July 2024). Sector-specific regulations add further prohibitions - for instance, the RBI prohibits certain uses of financial data, and the IRDAI restricts how insurance-related personal data may be used. Organisations should maintain a register of prohibited purposes applicable to their sector to ensure no processing activity crosses this line.
- Processing for purposes that constitute an offence under the Bharatiya Nyaya Sanhita, 2023 (formerly the Indian Penal Code) or any other criminal statute is forbidden
- Data processing for discriminatory purposes prohibited under the Constitution or anti-discrimination laws is forbidden
- Sector-specific prohibitions from RBI, SEBI, IRDAI, and other regulators add additional forbidden purposes
- The test is 'expressly forbidden' - implicit or arguable prohibitions may not meet this threshold
Interaction Between Section 4, Section 6, and Section 7
Section 4 operates as the umbrella provision, while Sections 6 and 7 provide the detailed requirements for each lawful ground. When relying on consent (Section 6), the Data Fiduciary must ensure the consent has all five qualities - free, specific, informed, unconditional, and unambiguous - and is signified by a clear affirmative action, and must provide the notice required under Section 5 before or at the time of seeking consent. When relying on legitimate uses (Section 7), the Data Fiduciary must identify which of the nine specific categories of legitimate uses applies and ensure the processing falls squarely within that category's boundaries. A single processing activity cannot rely on both grounds simultaneously for the same data and purpose - you must choose one. However, different processing activities within the same organisation may rely on different grounds. Your marketing emails require consent under Section 6, but your payroll processing may rely on legitimate uses under Section 7. Organisations should create a processing register that maps each activity to its corresponding lawful ground, ensuring clarity and auditability.
Practical Impact on Existing Data Processing
Section 4 has immediate practical consequences for data processing activities that pre-date the DPDPA. Many organisations in India have historically processed personal data under broad terms and conditions, implied consent, or simply without any formal legal basis. Section 4 requires all of this to be regularised. Section 5(2) provides a transition mechanism only where the Data Principal gave consent before the Act commenced: the Data Fiduciary must give notice 'as soon as is reasonably practicable' describing the personal data processed and the purpose, and under Section 5(3) may continue processing until that consent is withdrawn. For data collected before the DPDPA without consent of that kind, you have two options if you wish to continue processing: obtain fresh consent that meets Section 6 requirements, or identify a legitimate use under Section 7 that covers the processing. This means that organisations cannot simply continue legacy processing by treating old terms and conditions or implied consent as a standing authorisation. A comprehensive data audit is essential to identify all existing processing activities and map them to a valid legal ground.
Building a Lawful Basis Register
Given the binary framework of Section 4, every compliance programme should include a lawful basis register - a structured document that records each data processing activity, the lawful ground relied upon, and the supporting evidence. For each consent-based activity, the register should record the notice given, the consent obtained, the date and method of consent, and the current status (active or withdrawn). For each legitimate-use-based activity, it should identify the specific Section 7 category, explain why the activity falls within that category, and document any limitations or conditions. This register serves multiple purposes: it provides evidence of compliance to the Data Protection Board during investigations, it helps identify processing activities without a valid legal ground that need to be remediated, and it facilitates responses to Data Principal access requests. Kraver.ai's compliance platform generates and maintains this register automatically by analysing your data processing activities against Section 4 requirements.
- Map every processing activity to either Section 6 (consent) or Section 7 (legitimate use)
- Document the specific consent notice or legitimate use category for each activity
- Review and update the register when processing activities change or new ones are added
- Use the register as evidence during regulatory inquiries and audits
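The register described above is easy to keep as a spreadsheet, but the checks that make it useful (exactly one ground per activity, consent still active and preceded by a Section 5 notice, a named Section 7 category with a justification, and a purpose that is not on the prohibited list) are worth encoding so they run on every change. The following is an added illustration written for this page, not Kraver.ai's code or any official DPDPA tooling. The field names, the clause labels "7(a)" to "7(i)" (Section 7 has nine clauses, and the employment clause is (i)), the prohibited-purpose list and the sample activities are all assumptions constructed for the example.

```python
"""Lawful basis register checks for DPDPA Section 4 (illustrative example)."""
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Section 7 lists nine legitimate uses in clauses (a) to (i).
# The labels are this example's own identifiers for those clauses (assumption).
SECTION_7_CATEGORIES = {f"7({c})" for c in "abcdefghi"}


@dataclass
class Consent:
    """Evidence for a Section 6 ground (field names are this example's choice)."""
    notice_given: bool            # Section 5 notice preceded or accompanied the request
    obtained_on: Optional[date]   # None means no compliant consent is on file
    method: str                   # e.g. "checkout form", "app settings toggle"
    withdrawn_on: Optional[date] = None


@dataclass
class LegitimateUse:
    """Evidence for a Section 7 ground."""
    category: str                 # one of SECTION_7_CATEGORIES
    justification: str            # why the activity falls within that clause


@dataclass
class Activity:
    name: str
    purpose: str
    data_categories: list[str]
    consent: Optional[Consent] = None
    legitimate_use: Optional[LegitimateUse] = None


def check_activity(activity: Activity, forbidden_purposes: set[str]) -> list[str]:
    """Return the Section 4 gaps found for one activity (empty list = no gap)."""
    gaps: list[str] = []

    # Second filter: even with a valid ground, the purpose must not be forbidden.
    if activity.purpose in forbidden_purposes:
        gaps.append("purpose is expressly forbidden by law (Section 4(2))")

    # First filter: exactly one lawful ground for the same data and purpose.
    grounds = [g for g in (activity.consent, activity.legitimate_use) if g is not None]
    if not grounds:
        gaps.append("no lawful ground recorded (Section 4(1))")
    elif len(grounds) == 2:
        gaps.append("both consent and legitimate use recorded; choose one ground")

    c = activity.consent
    if c is not None:
        if not c.notice_given:
            gaps.append("no Section 5 notice recorded for the consent request")
        if c.obtained_on is None:
            gaps.append("consent relied on but no compliant consent on file (Section 6)")
        if c.withdrawn_on is not None:
            gaps.append(f"consent withdrawn on {c.withdrawn_on.isoformat()}; processing must cease")

    lu = activity.legitimate_use
    if lu is not None:
        if lu.category not in SECTION_7_CATEGORIES:
            gaps.append(f"unknown Section 7 category {lu.category!r}")
        if not lu.justification.strip():
            gaps.append("legitimate use recorded without a justification")

    return gaps


def audit_register(register: list[Activity], forbidden_purposes: set[str]) -> dict[str, list[str]]:
    """Map activity name -> gaps, listing only activities that need remediation."""
    report: dict[str, list[str]] = {}
    for activity in register:
        gaps = check_activity(activity, forbidden_purposes)
        if gaps:
            report[activity.name] = gaps
    return report


# Constructed sample data for the example; not a real register.
FORBIDDEN_PURPOSES = {"facilitating illegal gambling", "caste-based profiling"}

SAMPLE_REGISTER = [
    Activity("marketing-email", "product newsletters", ["email", "name"],
             consent=Consent(True, date(2024, 9, 1), "checkout form")),
    Activity("payroll", "salary processing", ["bank account", "PAN"],
             legitimate_use=LegitimateUse("7(i)", "employment purposes")),
    Activity("behaviour-analytics", "model training on clickstream", ["device id", "events"]),
    Activity("legacy-crm", "sales follow-up", ["phone"],
             consent=Consent(True, date(2022, 3, 15), "terms and conditions",
                             withdrawn_on=date(2024, 11, 2))),
    Activity("odds-matching", "facilitating illegal gambling", ["phone", "wallet id"],
             consent=Consent(True, date(2024, 5, 5), "app toggle")),
    Activity("hr-screening", "shortlisting applicants", ["resume"],
             consent=Consent(False, date(2024, 6, 1), "email reply"),
             legitimate_use=LegitimateUse("7(i)", "employment purposes")),
]

if __name__ == "__main__":
    for name, gaps in audit_register(SAMPLE_REGISTER, FORBIDDEN_PURPOSES).items():
        print(name)
        for gap in gaps:
            print("  -", gap)
```

Run on the sample register, the audit leaves marketing-email and payroll alone and reports four remediation items: the analytics job with no ground at all, the legacy CRM whose consent has been withdrawn, the gambling activity whose purpose fails the Section 4(2) filter despite valid consent, and the HR screening that records both grounds and lacks a Section 5 notice. Running the same check in a pre-merge hook or on every change to the register keeps it audit-ready without manual review.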
How Kraver.ai Helps
Kraver.ai simplifies the Section 4 compliance challenge by automating the identification and mapping of lawful grounds for every data processing activity in your organisation. Our AI-powered data discovery engine scans your systems to identify all personal data processing activities, then maps each one to the appropriate lawful ground - consent under Section 6 or legitimate use under Section 7. The platform flags processing activities that lack a valid legal basis, generating remediation recommendations with specific steps to obtain consent or document a legitimate use. For ongoing compliance, Kraver.ai continuously monitors new processing activities - such as a new marketing campaign or a new vendor integration - and alerts your team when a lawful basis assessment is needed. The platform maintains your lawful basis register in real time, ensuring it is always audit-ready. With Kraver.ai, building and maintaining your Section 4 compliance is automated, accurate, and always up to date.