New Delhi, Dec. 1 -- At its core, India's Digital Personal Data Protection Act (DPDPA), whose Rules were issued recently, makes consent king. No personal data may be processed without "free, specific, informed, unconditional and unambiguous" consent for a "specific purpose."

Such precision, in theory, should assure individuals of meaningful notice and control. But the Act also recognizes "Legitimate Use," a carve-out allowing data fiduciaries to process personal data without consent, unless the individual explicitly objects. Here lies an interpretative fork: if every usage must be individually specified and notified, when does 'legitimate use' ever truly apply? In effect, organizations are left with a puzzle: how to exhaustively abide by...