.svg){kind=small}
.png)
The DPDP Act allows data fiduciaries to deny service if a user refuses consent for data "necessary" to provide that service.
This is a reasonable provision - in most cases.
If you don't provide a Bank consent to process your home address for KYC purposes, they can't open a Bank account for you under law.
Refuse consent. Lose the service.
The Supreme Court's ongoing hearing on WhatsApp's privacy policy is exposing how this logic breaks down in cases where a) Data Fiduciary is a monopoly and b) What is "necessary" is not as clear cut.
When the data fiduciary controls the market, "find another provider" becomes a weapon against privacy.
The Supreme Court's oral observations on February 3
The Supreme Court heard arguments in Meta and WhatsApp's appeal against the CCI's βΉ213 crore penalty for abuse of dominance β rooted in WhatsApp's 2021 privacy policy update that required users to accept expanded data sharing with Meta or stop using the service.
Key oral observations from the bench:
CJ Surya Kant questioned how "a poor woman selling fruits on the street" could be expected to understand how her data was being used.
The bench referred to "silent customers" who were "digitally dependent and unaware" and alleged Meta was "committing theft of private information." The language goes well beyond the CCI's competition-law framing β the court seems to be reading this as a fundamental rights issue.
Justice Bagchi raised a different issue β "rent sharing." DPDP has no framework for users to share in the economic value generated from their data.
These are oral observations - so not binding yet. But the tension they highlight will remain - whatever the final judgement is.
DPDP allows for service denial
The DPDP currently allows denial of services if a customer rejects "necessary consent" (see Section 6(4) of the DPDP Act and its accompanying illustration)
Let's say you're opening an account with a new Bank. During onboarding it needs your home address to do KYC. If you refuse this, then the Bank cannot perform KYC and, therefore, cannot open your account. The design logic is sound - how can a Bank open your account if you don't consent to do KYC with it?
This works when two conditions hold:
- The user has genuine alternatives. Here, the user can choose to remain with their current banking provider rather than doing fresh KYC.
- What the fiduciary calls "necessary" processing is actually necessary for the service β not for adjacent business models like advertising.
The WhatsApp case breaks both conditions.
In the hands of monopolies, DPDP's provision for service denial turns into a weapon
WhatsApp is not "just another messaging app" β it has over 500 million users in India β and is the default infrastructure for personal communication, workplace coordination, and local commerce.
Critical networks like family groups, employer communications and kirana order systems exist on WhatsApp not necessarily due to product preference but because everyone else is on WhatsApp!
This leads to 3 privacy damaging consequences:
Service denial is not "merely a matter of choice." Leaving WhatsApp means disconnecting from networks essential to daily living. When every professional contact, family member, and local vendor is on WhatsApp, the data principal cannot really exercise free consent to "opt out".
"Necessary" gets defined by the data fiduciary. WhatsApp's 2021 policy update bundled message delivery β clearly necessary for a messaging service β with metadata sharing with Meta for ad targeting β clearly not necessary for message delivery. DPDP doesn't explicitly define what "necessary for the service" means. With this gap, dominant players will define necessity as broadly as their business model requires.
Consent is practically coerced. The user "consents" because the alternative β losing access to their own social and professional networks β is disproportionate to the ask. Consent is "technically compliant" but "practically coerced."
DPDP v Competition Law v Constitutional Right to Privacy - no clear answer yet
The hearing is forcing three areas of law into contact with each other - with no clear conclusion yet.
DPDP Act and Competition Law
The CCI's βΉ213 crore penalty against WhatsApp was decided as an abuse-of-dominance action - not the DPDP Act.
The CCI reasoned that WhatsApp used its market position to extract consent that no competitive market would yield. Users accepted the 2021 policy not because the terms were fair, but because they had no real alternative.
Is consent extracted under monopoly conditions qualitatively different from consent in competitive markets?
If so, does the DPDP Act need a specific amendment or is the Competition Act enough?
DPDP Act and Constitutional Law
The constitutional right to privacy was established in the Supreme Court's nine-judge bench decision in Puttaswamy (2017), which laid down that any restriction on privacy must meet tests of legality, necessity, and proportionality.
The bench's language in the WhatsApp hearing β "you cannot play with the right to privacy of citizens" β echoes Puttaswamy's proportionality framework.
DPDP may permit consent denial. But if exercising that permission produces outcomes that are disproportionate β demanding maximalist data sharing from a captive user base in exchange for access to essential communication infrastructure β constitutional limits may apply.
Will the Court overrule or "amend" DPDP's consent denial provision using the Puttaswamy judgement?
DPDP Act and general commercial fairness
Justice Bagchi's observation about "rent sharing" opens a more speculative (and wilder) line of inquiry.
Personal data has economic value that platforms monetise but users get zero share of this value.
If a platform extracts significant economic value from user data, does that change the proportionality analysis?
Ultimately, all of the above are oral observations, not binding findings. But the tensions they expose won't disappear with the final ruling β however it goes.
Three open questions worth monitoring
Will the final judgement address market power explicitly? If the court's eventual judgment distinguishes between dominant and non-dominant fiduciaries on consent rights - the judgement would practically be a "DPDP amendment" that all large monopolistic platforms must follow. This could have spillover effects into industries like Telecom, Airlines etc.
Do the DPDP rules define "necessary"? The statute leaves "necessary for the service" undefined. Will this judgement provide a "judicial definition?"
Does competition enforcement start intersecting with DPDP compliance? The CCI has already penalised WhatsApp. The SC is examining the same conduct under privacy. If these regimes start being read together β as the bench's observations suggest β compliance teams at dominant platforms will need to think about market position as a variable in their data protection strategy.
Disclaimer: This is operational analysis, not legal advice. Consult legal counsel for interpretation specific to your organisation.
