Who Spoke First? Interpreting "Voluntarily Provided" Under Section 7(a) Of DPDP Act
The Digital Personal Data Protection Act, 2023 and the DPDP Rules, 2025 together establish India's framework for the processing of digital personal data. The Act governs the relationship between Data Principals (individuals whose data is processed) and Data Fiduciaries (persons who determine the purpose and means of processing), with enforcement through the Data Protection Board of India. At the centre of this framework is Section 4, which permits a Data Fiduciary to process personal data only on one of two grounds: the consent of the Data Principal under Section 4(a), or "certain legitimate uses" listed in Section 7 under Section 4(b). There is no third option.
The consent pathway is procedurally demanding. Section 5 requires an itemised notice before or alongside any consent request. Section 6(1) requires consent to be "free, specific, informed, unconditional and unambiguous with a clear affirmative action." Section 6(10) places the burden of proof on the Data Fiduciary. This is an opt-in structure. The legitimate uses pathway under Section 7 is different: it lists nine grounds for processing without consent, ranging from State functions to medical emergencies to employment. Most are situationally specific. Section 7(a), which permits processing where the Data Principal has "voluntarily provided" her data, is the broadest and the most ambiguous.
To see why this matters, consider a concrete problem. X makes a purchase at Y, a pharmacy. She provides her phone number and asks Y to send a receipt by SMS. Y processes her personal data under Section 7(a). This is the Act's own illustration, and it presents no difficulty.
Now consider a small variation. Y, the pharmacy, asks X for her phone number so that it can send her a digital receipt. X provides it without hesitation. The data is the same, the purpose is the same, and there is no coercion. But Y initiated the request. Can Y still rely on Section 7(a)? Or must it now go through the full notice-and-consent machinery under Sections 5 and 6?
The answer turns on what "voluntarily provided" means in Section 7(a), and the Act does not define the term. The DPDP Rules, 2025 are silent on this point. The better (and safer) reading is that "voluntarily provided" requires the Data Principal to have initiated the sharing of her personal data unprompted. It does not merely require the absence of coercion. For practitioners, the stakes are straightforward: the compliance cost of obtaining consent where Section 7(a) might have sufficed is far lower than the risk of relying on Section 7(a) where it does not apply.
I. The Interpretive Pressure
Section 7(a) permits processing "for the specified purpose for which the Data Principal has voluntarily provided her personal data to the Data Fiduciary, and in respect of which she has not indicated to the Data Fiduciary that she does not consent to the use of her personal data." Two conditions must be satisfied: the Data Principal must have voluntarily provided the data, and she must not have indicated that she objects to its use. This is an opt-out structure. The Data Principal need not affirm her consent; she need only not have denied it.
The structural point is this: Section 7(a) sits outside the consent machinery. If "voluntarily" merely means "freely," which is already required by Section 6(1) for valid consent, then Section 7(a) would be nothing more than consent without the procedural safeguards. It would add nothing to the Act. This cannot be right, and it is this redundancy that creates the interpretive pressure worth examining.
II. The Case for the Broad Reading
There is genuine force in the argument that "voluntarily provided" simply means "provided without coercion," regardless of who initiated the transaction. This position deserves fair treatment before examining why it falls short.
First, illustrations in Indian statutory interpretation are aids, not definitions. The Supreme Court has held that an illustration cannot control the generality of a section's language. Both illustrations to Section 7(a) depict the Data Principal as the initiating party, but this does not necessarily limit the section to such scenarios. The illustrations may simply depict the most common case.
Second, "voluntarily" has a settled meaning in other areas of law that does not require initiation. In criminal law, a "voluntary act" is one performed of one's own free will, without compulsion. In contract law, a "voluntary transfer" is one made without duress. A person who hands over property at a shopkeeper's request, without being pressured, has acted voluntarily. On this ordinary meaning, the pharmacy scenario where Y asks and X willingly provides would qualify.
Third, there is a practical absurdity problem. If Section 7(a) only covers unsolicited data sharing, its real-world application shrinks to vanishingly rare edge cases. Most commercial transactions involve some solicitation by the Data Fiduciary. The legislature presumably did not intend to create a legitimate use ground that almost never applies.
Fourth, the narrow reading creates what one might call a compliance cliff. The pharmacy that asks for the phone number must comply with Sections 5 and 6 in full. The pharmacy where the customer volunteers the number unprompted does not. The distinction turns entirely on who spoke first, with dramatically different compliance consequences. This seems arbitrary.
These are serious arguments. But they do not survive the textual and structural difficulties they create.
The broad reading cannot explain why the legislature chose "voluntarily provided" rather than simply "provided." If "voluntarily" adds nothing that is not already captured by Section 6(1)'s requirement that consent be "free," then the word is surplusage. The canon against redundancy, ut res magis valeat quam pereat, demands that every word in a statute carry independent meaning. The broad reading renders "voluntarily" meaningless.
The opt-out structure of Section 7(a) also presupposes initiation by the Data Principal. The provision requires that she has "not indicated... that she does not consent." This negative condition, the absence of an objection, makes structural sense only when the Data Principal has already taken the affirmative step of providing the data on her own initiative. If the Data Fiduciary solicited and received the data, the appropriate mechanism is opt-in consent under Section 6, where the affirmative action comes after a notice and request. The opt-out framing in Section 7(a) is designed for a different factual pattern.
III. The Affirmative Case
The affirmative case for the narrow reading rests on its own terms, not merely as a negation of the broad view.
The expression "voluntarily provided" describes an act of initiative: the Data Principal chose to deliver her data, unprompted, for a purpose she had in mind.
The illustrations reinforce this. When both illustrations to a provision depict the same factual pattern, that is significant evidence of legislative intent. In Illustration I, X proactively provides her data and requests a receipt. In Illustration II, X initiates contact with a broker and shares her data for a purpose she has articulated. The legislature had the opportunity to include an illustration where the Data Fiduciary solicited the data. It did not.
The narrow reading also creates structural coherence. Section 7(a) covers the case where the Data Principal acts first: she walks in, shares her data, and expects something in return. Sections 4(a), 5, and 6 cover the case where the Data Fiduciary acts first: it requests data, provides a notice, and obtains consent. This division of labour gives practitioners a workable rule: if the Fiduciary initiated the collection, use consent; if the Data Principal did, consider Section 7(a).
So the narrow reading does not make Section 7(a) useless. It gives it a defined and principled scope. And it protects Data Principals by ensuring that whenever a Data Fiduciary solicits personal data, the full consent machinery applies: itemised notice, affirmative consent, the right to withdraw, and the burden of proof on the Fiduciary.
IV. Practical Implications
For practitioners advising clients, the following approach is worth considering. Rely on Section 7(a) only when the Data Principal initiated the data sharing: she walked in, called, messaged, or otherwise proactively provided her data for a purpose she articulated. The Data Fiduciary did not solicit or request the data.
Whenever the Data Fiduciary initiates the data collection, even if the Data Principal provides the data willingly, use the consent pathway under Sections 4(a), 5, and 6. The fact that the Fiduciary solicited it takes the transaction outside Section 7(a).
The harder cases are digital. The pharmacy example is intuitive because it involves a physical interaction where the sequence of events is observable. But the real volume of Section 7(a) disputes will involve app sign-ups, online form submissions, and e-commerce transactions. When a user fills in her email address on a website's contact form and submits a query, she has arguably "voluntarily provided" her data for a purpose she initiated. But when the same website presents a registration form that requires an email address before granting access, the Data Fiduciary has solicited the data, and Section 7(a) should not apply. The difficulty lies in the many interactions that fall between these poles: pre-filled forms, prompted fields during checkout, optional data entry alongside mandatory fields. In digital contexts, "who spoke first" is often genuinely murky. Practitioners should map out their client's data collection flows and identify, for each touchpoint, whether the user or the platform initiated the data exchange.
Beyond these digital ambiguities, even physical interactions will not always fit neatly into these categories. A customer who walks into a store and is asked at checkout whether she would like a digital receipt occupies ambiguous territory. When in doubt, default to consent.
This interpretive issue will likely be resolved by Board proceedings or judicial decision. Until then, the narrower reading is the safer course.
So let us return to our pharmacy. When X walks in and hands over her phone number for a receipt, Y processes under Section 7(a). When Y asks X for her number, Y needs consent. The difference is who spoke first. Under the Act, that difference matters.
Author is a Project Lead at the Centre for Applied Data Protection. Views are Personal