When Consent Becomes a Paper Tiger: Section 7(a) of DPDPA, 2023 and the Third-Party Doctrine

Nandinii Tandon* and Mehul Sharma**

September 1, 2025

INTRODUCTION

Consent is the kernel of digital privacy, a significant expression of an individual’s autonomy. Yet, its power is only as strong as the boundaries that protect it. Strip away consent, and data protection laws become little more than legal theatre. What happens when consent ceases to be an active decision and becomes a silent assumption? When deliberate choice dissolves into legal fiction, and ‘deemed consent’ authorizes the use of personal data? When simply providing information voluntarily is mistaken for genuine consent, privacy shifts from being a matter of intent to one of interpretation. In such moments, a system is created where consent is no longer in the hands of the individual but shifts surreptitiously into the hands of those who process the data, under the garb of it being ‘voluntarily provided’ by the individual herself, allowing them to effectively escape liability.

In India, the Digital Personal Data Protection Act, 2023 (DPDPA) provides the legal framework on how the data fiduciary can process the personal data of an individual i.e., a data principal, in a lawful manner. Section 4 of the DPDPA delineates the grounds for such processing, either based on the consent of the data principal (as per Section 6), or for ‘certain legitimate uses’ (as per Section 7). This article aims to analyze and correlate the U.S. legal principle of third-party doctrine with Section 7(a) of DPDPA, both of which permit the processing of personal data when voluntarily provided by the data principal. It highlights, firstly, the risks of treating voluntary sharing as implied consent for data processing by third parties; secondly, the parallels between this framework and the U.S. third-party doctrine; and thirdly, proposes targeted legislative recommendations to strengthen safeguards and ensure meaningful control over personal data.

SECTION 7(A) OF THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023

Under the DPDPA, personal data can generally be processed only with the consent of the data principal, as outlined under Section 6, following a prior notice under Section 5. This provision mandates that such consent must be free, specific, informed, unconditional, and capable of being withdrawn. However, Section 7 carves out specific exceptions under the heading of ‘certain legitimate uses’, where data may be processed without obtaining explicit consent. Specifically, Section 7(a) of DPDPA states that the personal data of a data principal may be processed by a data fiduciary “(a) for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data.” Notably, this provision removes the requirement of a formal consent workflow, allowing data processing based solely on the data principal’s voluntary disclosure and silence. A similar provision was previously incorporated in The Digital Personal Data Protection Bill, 2022, titled ‘Deemed Consent’. The data principal is ‘deemed’ to have given consent in such limited circumstances. The government justified this provision by stating that seeking consent in certain situations is ‘impractical’ or ‘counterproductive’, necessitating its replacement with deemed consent. This provision, by not requiring explicit consent through a notice in specific circumstances, may open a Pandora’s box of potential misuse by the data fiduciaries, in turn violating the privacy of the individual. They could argue that the subsequent use of the personal data aligns with the initial objective i.e., the ‘specified purpose’, which was essentially ‘voluntarily provided’ by the data principal herself. The emergence of such circumstances goes against the very objective the Act seeks to uphold.

THE U.S. THIRD-PARTY DOCTRINE

Under U.S. law, the third-party doctrine holds that individuals lose their ‘reasonable expectation of privacy’ in information they voluntarily share with third parties such as banks, telecom providers, or internet service platforms. Once disclosed, this data is no longer protected under the Fourth Amendment (which protects individuals against unreasonable searches and seizures by the government). The foundation for this reasoning was laid in Katz v. United States (1967), where the U.S. Supreme Court departed from a purely property-based view of privacy, one that linked constitutional protections to physical trespass or ownership of property, such as a home or office. Instead, the Court shifted towards an individual-based view, focusing on whether the person had a legitimate expectation of privacy in the context, regardless of property rights. In Katz, Justice Harlan, in his concurring opinion, articulated a two-part test: first, that a person must exhibit a subjective expectation of privacy, and second, that this expectation must be one society recognizes as reasonable.

Over time, the third-party doctrine was shaped through key rulings, beginning with United States v. Miller (1976), where the Court held that a person has no legitimate expectation of privacy in the information written on a check. The reasoning was that the check was necessarily disclosed to various third parties during processing. This logic was extended in Smith v. Maryland (1979), where the Court found that data voluntarily given to third parties—such as dialed phone numbers—is not protected under the Fourth Amendment. Notably, in Miller and Smith, the Court seemed to abandon the vision set forth in Katz, which recognized that the right to privacy protects ‘individuals and not places’. Instead, the majority reverted to property-based notions of privacy, suggesting that once such property-related information, no matter how confidential, is voluntarily disclosed to a third party, the individual’s expectation of privacy is extinguished. This trajectory shows how courts have allowed voluntary disclosure to effectively nullify individual privacy rights. A similar implication arises under India’s new data protection regime. Just as the third-party doctrine in the U.S. allows data originally shared for one purpose (e.g., financial transactions or phone calls) to be repurposed without the individual’s knowledge or control, Section 7(a) of the DPDPA may similarly allow Indian data fiduciaries to extend data processing beyond the originally expected use, so long as they can claim it aligns with the ‘specified purpose’. In both cases, meaningful control over personal data is not lost through outright denial of rights, but through the redefinition of what counts as consent.

THE TROJAN HORSE OF INDIAN PRIVACY

India’s privacy doctrines, though freshly inked on constitutional parchment, risk fading into footnotes if personal data, once ‘voluntarily provided’, is treated as a transferable asset, compromising privacy as it is circulated freely to third parties via sophisticated online technologies under the presumption of consent. Section 7(a) of the DPDPA, if stretched like its American counterpart, may well invite the ghost of the third-party doctrine in through the back door. However, in the Indian context, the Supreme Court has explicitly rejected such a doctrine. In District Registrar and Collector v. Canara Bank (2005), the Court held that the mere act of voluntarily handing over documents to a third party, such as a bank, does not extinguish the individual’s right to privacy over such information. Tellingly, even in the United States, where the third-party doctrine first took root, its relevance is being re-examined in light of digital realities. In United States v. Jones (2012), Justice Sotomayor cautioned that third-party doctrine “is ill suited to the digital age, in which people reveal a great deal about themselves to third parties in the course of carrying out mundane tasks.”

Yet, despite categorical rejection of the third-party doctrine in the Indian context, Section 7(a) might unintentionally (or intentionally) revive its logic, albeit in a slightly different form. While the provision restricts processing to the ‘specified purpose’ for which personal data is ‘voluntarily provided’, the real concern lies in its potential for overly broad interpretation. For instance, take a job search portal (a data fiduciary) which collects user resumes, qualifications, and job preferences of people (data principals) to help them find relevant job matches. However, the portal begins algorithmically ranking candidates based on behavioural scores drawn from subtle indicators, such as the tone of their cover letters, frequency of grammatical errors (flagged as carelessness), use of emojis in bios, click patterns, browsing times (e.g., job searches late at night flagged as ‘disengaged’ or ‘desperate’), and even passive cues from integrated social media profiles (linked voluntarily by the user). These profile rankings are then selectively shared with recruiters (third parties). While this doesn’t directly engage the third-party doctrine in its U.S. constitutional sense, where it primarily concerns warrantless state access to data held by third parties, it reflects the broader logic behind it: that voluntary disclosure can dilute an individual’s control over downstream data use, even absent fresh consent. What enables the third-party sharing is the framing of such processing as implied consent, one that subtly stretches the specified purpose, while still giving the job portal enough cover to argue that it falls within the Section 7(a) exception, merely because the data was “voluntarily provided”. The concern, then, is not that the specified purpose will be entirely disregarded, but that it may be gradually extended from X to X+1 and still defended as falling within the original scope, simply because the data was voluntarily shared. 
It is this quiet repurposing, driven not by bad faith but by interpretive elasticity, that makes the provision quietly powerful and a textbook case of function creep.

THE GUARDIANS OF INDIAN PRIVACY

But where does the solution lie? Does that mean we should scrap Section 7(a) altogether? Not quite. Consider the Act’s own illustration under Section 7(a): a customer at a pharmacy voluntarily shares her number to receive a receipt via text. Must the shopkeeper, in the chaos of a morning rush, pause to whip out a formal consent notice and get it signed for every pack of cough syrup? That’s not privacy protection, it’s a red tape circus. Deleting Section 7(a) would seem impractical. Instead, some small legislative tweaks could reshape the architecture of implied consent within this provision.

Notably, Section 7(a) appears to take cues from Singapore’s Personal Data Protection Act, 2012 (Singapore’s PDPA). Section 15(1) of Singapore’s PDPA states that an individual is deemed to have consented to the processing of personal data, if he “voluntarily provides the personal data to the organisation for that purpose”, provided it is “reasonable that the individual would voluntarily provide the data”. This ensures that such consent is limited to purposes that are objectively obvious and reasonably appropriate in the given circumstances. While both the DPDPA and Singapore’s PDPA permit data processing for specified purposes, the Indian law notably omits the crucial requirement of ‘reasonable expectation’, thereby broadening the scope of the provision. As illustrated in the job portal example above, behavioural profiling based on voluntarily provided data may not be something a data principal would have reasonably expected at the time of disclosure, nor should the law, in its protective role, presume otherwise. Incorporating the principle of reasonable expectation of privacy in the statute’s language (or through clarifications in the Act’s Explanations or Rules) would narrow the provision’s scope and prevent organizations from exploiting it as a loophole for unintended data processing.

However, this principle has an inherent flaw: it risks normalizing data collection without meaningful consent simply because people are used to it. For instance, one might come to “reasonably expect” a shopping app to track their activity, even if they never explicitly agreed to such tracking. Adopting Justice Harlan’s two-fold test of ‘reasonable expectation of privacy’ in this context would be misguided. The test has been repeatedly criticized as ‘subjective’ and ‘unproductive’, notably in Kyllo v. United States (2001). Justice Nariman, in Justice K.S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. (2017), explicitly rejected the applicability of this test, noting that it is “circular in the sense that there is no invasion of privacy unless the individual whose privacy is invaded had a reasonable expectation of privacy.” This circularity weakens the test’s applicability, as it relies on expectations created by society rather than legal standards grounded in meaningful consent.

In doing so, the test risks perpetuating a status quo of diminished privacy, rather than challenging it. Instead of asking what privacy people have come to expect, the law must ask what privacy they deserve to retain in a digital age where Foucault’s panopticon no longer needs walls but just a screen and a tap.

In light of these concerns, a stricter interpretation of Section 7(a) is essential to safeguard against misuse. Consent, even when implied, must be strictly confined to specified and clearly communicated purposes, and once that purpose comes to an end, the consent is extinguished by default. While Illustration 2 to Section 7(a) reflects this principle, it remains absent from the main statutory text. Consent must also remain easily withdrawable and must never be presumed in cases involving sensitive personal data or situations where such processing may lead to harmful ramifications. Crucially, the onus lies on data fiduciaries to ensure that the data principals genuinely understand the nature, purpose and consequences of processing the personal data they are voluntarily providing. To that end, compliance with foundational data protection principles, such as transparency, necessity, proportionality, purpose limitation, and storage limitation, is non-negotiable. This would ensure that implied consent serves as a residuary safeguard rather than a loophole, acting as a narrowly tailored exception aligned with the constitutional promise of privacy.

CONCLUSION

Sir Tim Berners-Lee, the architect of the World Wide Web, envisioned the creation of a better and more connected world, where the Web would serve as a universal resource. Almost 30 years after its invention, in a blog post, he admitted that it has become a breeding ground for inequality and division and “swayed by powerful forces who use it for their own agendas.” That warning echoes with uncomfortable clarity in India’s approach to data governance today. While the third-party doctrine in the U.S. has primarily operated in the context of government access to personal information, India’s DPDPA revives its essence more subtly (and perhaps more dangerously). The phrasing of Section 7(a) risks enabling both state authorities and private corporations to obtain personal data (from the primary data fiduciary) under a blanket of assumed consent, simply by aligning their extended use with the loosely interpreted ‘specified purpose’ for which the data was originally and ‘voluntarily’ provided. By sleight of policy design, the ghost of the third-party doctrine creeps back in, not by law, but by loophole. The danger lies not just in who collects the data, but in how easily constitutional privacy protections may be bypassed by invoking technical compliance rather than meaningful consent. Like a Trojan Horse wheeled past our vigilance, Section 7(a) bears the gift of consent, but within its hollow frame lurks the quiet return of the third-party doctrine. If India fails to heed the lessons of past doctrines camouflaged in legitimacy, this paper tiger of consent will roar loud enough to destroy the very freedoms that data protection laws are meant to defend.


[*Nandinii Tandon is a 3rd Year B.A. LL.B (Hons.) student at Rajiv Gandhi National University of Law, Punjab.

**Mehul Sharma is a 2nd Year B.A. LL.B (Hons.) student at Rajiv Gandhi National University of Law, Punjab.]
