Passage Based Questions: Data Protection Law | Legal Reasoning for CLAT

Passage 1: Core Principles of the Digital Personal Data Protection Act

The Digital Personal Data Protection Act (DPDPA), 2023, is a landmark legislation in India aimed at safeguarding personal data in an increasingly digital world. Applicable to data processed within India and data processed abroad for services offered to individuals in India, including non-citizens, the Act establishes a robust framework for privacy protection. Personal data can only be processed for lawful purposes, requiring explicit consent that is free, specific, informed, unconditional, and unambiguous, typically evidenced by a clear action like signing a form or ticking a box. Sensitive personal data, such as health, biometric, or financial information, demands enhanced security measures, including encryption and restricted access, to prevent unauthorized use or breaches. Data Fiduciaries—entities processing personal data—are obligated to provide transparent notices detailing the purpose of data collection, the categories of data, individual rights, and grievance redressal mechanisms. Individuals are empowered with rights to access a summary of their data, request corrections or erasure, and know the identities of third parties with whom their data is shared. They can also withdraw consent at any time, halting further processing unless a legitimate purpose, such as a legal obligation, applies. The Data Protection Board, established under the Act, oversees compliance, investigates violations, and resolves disputes, ensuring accountability. Non-compliance can lead to penalties, including fines up to ₹250 crore or restrictions on data processing. Challenges include enforcing the Act against foreign entities and raising public awareness about data rights, as many individuals may not fully understand their entitlements. By aligning with global standards like the GDPR, the DPDPA aims to foster trust in India’s digital ecosystem while balancing individual privacy with the needs of businesses in a data-driven economy.

Q1: What type of consent must a Data Fiduciary obtain to process personal data under the DPDPA, 2023?
(A) General consent
(B) Explicit consent
(C) Implied consent
(D) Written consent

Answer: (B) Explicit consent
Explanation: The passage states that processing personal data demands explicit consent that is free, specific, informed, unconditional, and unambiguous, such as signing a form or ticking a box.
Why other options are incorrect: (A) General consent lacks specificity; (C) implied consent is insufficient; (D) written consent is not explicitly mandated.

Q2: What is the maximum fine for violating the DPDPA, 2023?
(A) ₹50 crore
(B) ₹150 crore
(C) ₹250 crore
(D) ₹300 crore

Answer: (C) ₹250 crore
Explanation: The passage specifies that non-compliance with the DPDPA can lead to fines up to ₹250 crore or restrictions on data processing.
Why other options are incorrect: (A), (B), and (D) do not match the passage’s stated maximum fine of ₹250 crore.

Q3: Lakshmi, a user of a payment app, consents to share her financial data for transactions but later discovers the app shared her data with an advertising agency without her knowledge. The app’s notice did not mention third-party sharing. Which DPDPA obligation did the app violate, and what right can Lakshmi exercise?
(A) Consent obligation, right to data erasure
(B) Transparent notice obligation, right to know third-party identities
(C) Security obligation, right to withdraw consent
(D) Lawful purpose obligation, right to file a grievance

Answer: (B) Transparent notice obligation, right to know third-party identities
Explanation: The passage mandates that Data Fiduciaries provide transparent notices detailing third-party data sharing. The app’s failure to disclose sharing with the advertising agency violates this obligation. Lakshmi can exercise her right to know the identities of third parties with whom her data is shared, as outlined in the passage.
Why other options are incorrect: (A) Consent was given; erasure is unrelated; (C) security is not the issue; withdrawal is possible but less relevant; (D) lawful purpose is not violated; filing a grievance is not a listed individual right.

Q4: A foreign travel booking platform collects passport details from Indian users without explicit consent, claiming it’s for “booking verification.” A user, Tarun, finds his data exposed in a breach due to lack of encryption. Which DPDPA provision is primarily violated, and what penalty can the Data Protection Board impose?
(A) Consent provision, fine up to ₹250 crore
(B) Security provision, warning only
(C) Notice provision, data processing restriction
(D) Data sharing provision, data erasure order

Answer: (A) Consent provision, fine up to ₹250 crore
Explanation: The passage states that explicit consent is mandatory for processing personal data, and the DPDPA applies to foreign entities serving Indian users. The platform’s failure to obtain consent for passport details is the primary violation. The Data Protection Board can impose a fine up to ₹250 crore for non-compliance, as per the passage.
Why other options are incorrect: (B) Security (encryption) is a secondary issue; warnings are not specified; (C) notice is not the primary violation; (D) data sharing is not the main issue, and erasure is a user right, not a Board penalty.

Q5: A health insurance app collects biometric data for user authentication but fails to use restricted access, leading to a breach affecting 2,000 users. The company claims compliance with consent and argues no penalty applies due to no financial loss. Which evidence best supports the Data Protection Board’s case for a penalty under the DPDPA, 2023?
(A) Proof of failure to implement restricted access for biometric data
(B) Evidence of user consent for biometric data collection
(C) Testimony that no users faced financial loss
(D) Confirmation of a transparent notice provided to users

Answer: (A) Proof of failure to implement restricted access for biometric data
Explanation: The passage specifies that sensitive data, like biometric information, must have enhanced security measures, such as restricted access. The app’s failure to implement restricted access justifies a penalty (up to ₹250 crore), as non-compliance is actionable regardless of consent or financial loss.
Why other options are incorrect: (B) Consent doesn’t excuse security failures; (C) financial loss is not required for penalties; (D) notice compliance doesn’t address the security violation.


Passage 2: Justice K.S. Puttaswamy v. Union of India (2017): Recognising Privacy as a Fundamental Right

The Justice K.S. Puttaswamy v. Union of India (2017) case is a landmark Supreme Court judgment that recognized the right to privacy as a fundamental right under the Indian Constitution. Triggered by a challenge to the Aadhaar scheme—which involved mandatory biometric data collection—the petitioners argued that it violated individual privacy. A nine-judge bench unanimously held that privacy is protected under Articles 14, 19, and 21, and overruled earlier judgments that denied this right. The Court established a three-fold test—legality, necessity, and proportionality—for any state intrusion on privacy. Although the Aadhaar Act's validity was addressed separately in 2018, this judgment laid the foundation for future decisions on data protection, personal autonomy, and surveillance laws. It also influenced the enactment of the Digital Personal Data Protection Act, 2023, marking a major step toward aligning India with global human rights standards.

Q1: Under which articles of the Indian Constitution did the Supreme Court recognize the right to privacy in the Puttaswamy case (2017)?
(A) Articles 14, 15, and 21
(B) Articles 14, 19, and 21
(C) Articles 19, 20, and 21
(D) Articles 14, 15, and 19

Answer: (B) Articles 14, 19, and 21
Explanation: The passage states that the Supreme Court in Puttaswamy (2017) held privacy as a fundamental right under Articles 14, 19, and 21.
Why other options are incorrect: (A) Article 15 is not mentioned; (C) Article 20 is not included; (D) Article 15 is unrelated, and Article 21 is missing.

Q2: What test did the Puttaswamy (2017) judgment establish to evaluate state intrusion on the right to privacy?
(A) Reasonableness, fairness, and justice
(B) Legality, necessity, and proportionality
(C) Transparency, accountability, and legality
(D) Necessity, consent, and fairness

Answer: (B) Legality, necessity, and proportionality
Explanation: The passage specifies that the Puttaswamy judgment established a three-fold test—legality, necessity, and proportionality—for state intrusion on privacy.
Why other options are incorrect: (A) Reasonableness and justice are not specified; (C) transparency and accountability are not part of the test; (D) consent is not included in the test.

Q3: Ananya challenges a government surveillance program that collects her call records without legal authorization, claiming it violates her privacy. Based on the Puttaswamy (2017) judgment, which principle is most likely violated, and what test must the government satisfy to justify the program?
(A) Right to equality, reasonableness test
(B) Right to privacy, three-fold test
(C) Right to free speech, fairness test
(D) Right to data protection, consent test

Answer: (B) Right to privacy, three-fold test
Explanation: The passage states that Puttaswamy recognized privacy as a fundamental right, and unauthorized surveillance violates this right. The government must satisfy the three-fold test (legality, necessity, proportionality) to justify the intrusion, as per the passage.
Why other options are incorrect: (A) Equality (Article 14) is not the primary issue; (C) free speech (Article 19) is secondary; (D) data protection is a consequence, not the core right, and consent is not the test.

Q4: A state mandates biometric data collection for welfare benefits without a law or clear public interest justification. Ravi, a beneficiary, argues this violates his privacy rights under Puttaswamy (2017). Which element of the three-fold test is most likely unmet, and how does this relate to the DPDPA, 2023?
(A) Proportionality, requiring informed consent
(B) Legality, requiring a statutory basis
(C) Necessity, requiring data minimization
(D) Fairness, requiring grievance redressal

Answer: (B) Legality, requiring a statutory basis
Explanation: The passage notes that the Puttaswamy judgment requires state intrusion on privacy to meet the legality prong of the three-fold test, meaning it must be backed by law. The absence of a law for biometric collection violates this. The passage links Puttaswamy to the DPDPA, which provides a statutory basis for data protection, reinforcing the need for legality.
Why other options are incorrect: (A) Proportionality follows legality; consent is a DPDPA principle; (C) necessity is secondary here; data minimization is DPDPA-specific; (D) fairness is not part of the test; grievance redressal is a DPDPA feature.

Q5: A private company collects facial recognition data for employee attendance without clear justification or employee consent, citing operational efficiency. An employee, Vikram, challenges this as a privacy violation under Puttaswamy (2017). Which evidence best supports Vikram’s claim, and how does the DPDPA, 2023, strengthen his case?
(A) Lack of employee consent, requiring explicit consent for sensitive data
(B) Absence of financial loss, requiring data breach proof
(C) Operational efficiency claim, requiring third-party sharing notice
(D) Lack of grievance mechanism, requiring Data Protection Board oversight

Answer: (A) Lack of employee consent, requiring explicit consent for sensitive data
Explanation: The passage states that Puttaswamy protects privacy as a fundamental right, and unauthorized data collection violates this right. Lack of consent for facial recognition data supports Vikram’s claim. The passage notes Puttaswamy’s influence on the DPDPA, which mandates explicit consent for sensitive data like biometrics, strengthening Vikram’s case.
Why other options are incorrect: (B) Financial loss is not required for a privacy violation; (C) efficiency is irrelevant; third-party sharing is not the issue; (D) grievance mechanisms are DPDPA-specific, not central to Puttaswamy.


Passage 3: General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR), effective from May 25, 2018, is a European Union (EU) law aimed at protecting the personal data and privacy of EU/EEA residents. It applies extraterritorially to any organization processing such data, including Indian firms serving EU clients. GDPR lays down core principles like lawfulness, purpose limitation, data minimization, and accountability. It grants data subjects rights such as access, rectification, erasure (Right to be Forgotten), and objection to processing.

Organizations must have a legal basis (e.g., consent, contract, legitimate interest) for processing personal data and are required to report data breaches within 72 hours. The regulation enforces "privacy by design and default" and imposes strict fines—up to €20 million or 4% of global turnover. Notable cases include fines against Amazon, Google, and Meta. GDPR has influenced India’s Digital Personal Data Protection Act, 2023, though with differences in scope, penalties, and enforcement. For CLAT, GDPR is key for understanding global data protection standards, legal reasoning, and its comparison with Indian frameworks like the DPDPA and IT Rules, 2011.

Q1: Which principle ensures that GDPR-compliant data processing collects only necessary information?
(A) Purpose limitation
(B) Data minimization
(C) Accountability
(D) Implicit consent

Answer: (B) Data minimization
Explanation: Data minimization, a core GDPR principle, limits data collection to what is necessary for the stated purpose.
Why other options are incorrect: (A) Purpose limitation restricts data use to specific purposes; (C) accountability ensures compliance measures; (D) consent must be explicit, not implicit.

Q2: What is the maximum penalty for GDPR violations?
(A) €10 million or 2% of global turnover
(B) €20 million or 4% of global turnover
(C) €30 million or 6% of global turnover
(D) €50 million or 8% of global turnover

Answer: (B) €20 million or 4% of global turnover
Explanation: GDPR imposes fines up to €20 million or 4% of global turnover for non-compliance, whichever is higher.
Why other options are incorrect: (A), (C), and (D) do not match GDPR’s specified maximum penalty.

Q3: An Indian fintech company serving EU clients collects user transaction data for analytics without explicit consent. A client, Sofia, demands her data be deleted under GDPR. Which principle is likely violated, and which right is Sofia exercising?
(A) Accountability, right to rectification
(B) Lawfulness, right to erasure
(C) Data minimization, right to objection
(D) Purpose limitation, right to access

Answer: (B) Lawfulness, right to erasure
Explanation: GDPR mandates a legal basis like explicit consent for data processing, which the company lacks, violating lawfulness. Sofia exercises her right to erasure (Right to be Forgotten), as GDPR allows data subjects to request data deletion.
Why other options are incorrect: (A) Accountability relates to compliance, not consent; rectification corrects data; (C) data minimization is secondary; objection stops processing; (D) purpose limitation is not the primary issue; access provides data summaries.

Q4: A Mumbai-based app developer, offering services to EU users, suffers a data breach exposing user emails but reports it after 96 hours, citing DPDPA compliance. Which GDPR obligation is violated, and how does this differ from the DPDPA, 2023?
(A) Privacy by design, DPDPA lacks specific breach timelines
(B) Breach reporting, DPDPA has no 72-hour deadline
(C) Legal basis, DPDPA allows broader consent exceptions
(D) Data minimization, DPDPA mandates encryption

Answer: (B) Breach reporting, DPDPA has no 72-hour deadline
Explanation: GDPR requires data breach reporting within 72 hours, which the developer violates by reporting after 96 hours. Unlike GDPR, DPDPA does not specify a 72-hour reporting deadline, reflecting a key enforcement difference.
Why other options are incorrect: (A) Privacy by design is unrelated to reporting; (C) legal basis is not the issue; consent rules differ but are irrelevant; (D) data minimization and encryption are not the primary violations.

Q5: A global retailer processes EU user data for loyalty programs, claiming “legitimate interest” without consent. A user, Luca, objects and cites GDPR, arguing the processing lacks justification. Which evidence best supports Luca’s claim, and how does GDPR’s consent approach differ from the DPDPA, 2023?
(A) Lack of explicit consent, GDPR prioritizes consent for sensitive processing
(B) Use of legitimate interest, DPDPA allows broader legitimate interests
(C) Absence of data breach, DPDPA imposes stricter fines
(D) Failure to limit data, DPDPA requires privacy by design

Answer: (A) Lack of explicit consent, GDPR prioritizes consent for sensitive processing
Explanation: GDPR lists consent as a primary legal basis, especially for sensitive processing like loyalty programs, and allows users to object, supporting Luca’s claim against reliance on “legitimate interest.” GDPR emphasizes explicit consent, while DPDPA allows limited processing without consent for legitimate purposes, a notable difference.
Why other options are incorrect: (B) Legitimate interest is valid under GDPR, weakening the claim; (C) data breach is irrelevant; DPDPA fines are not stricter; (D) data limitation is secondary; DPDPA also emphasizes privacy by design.

The document Passage Based Questions: Data Protection Law | Legal Reasoning for CLAT is a part of the CLAT Course Legal Reasoning for CLAT.

FAQs on Passage Based Questions: Data Protection Law - Legal Reasoning for CLAT

1. What is data protection law and why is it important for individuals?
Ans. Data protection law refers to the set of regulations and guidelines that govern how personal data is collected, stored, processed, and shared by organizations. It is important for individuals because it helps safeguard their privacy and personal information from misuse, ensuring that they have control over their own data and can seek redress in case of violations.
2. How does data protection law impact businesses?
Ans. Data protection law impacts businesses by imposing obligations on them to protect personal data. Organizations must implement appropriate security measures, obtain consent from individuals for data processing, and ensure transparency in their data handling practices. Non-compliance can lead to significant penalties and damage to reputation.
3. What are the key principles of data protection law?
Ans. Key principles of data protection law typically include fairness and transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. These principles guide organizations in handling personal data responsibly and ethically.
4. What rights do individuals have under data protection law?
Ans. Individuals have several rights under data protection law, including the right to access their personal data, the right to rectify inaccurate data, the right to erasure (the 'right to be forgotten'), the right to restrict processing, and the right to data portability. These rights empower individuals to manage their personal information effectively.
5. What are the consequences of violating data protection laws?
Ans. Consequences of violating data protection laws can include hefty fines, legal action, and reputational damage for organizations. Individuals may also seek compensation for damages caused by breaches of their personal data, leading to further implications for businesses in terms of trust and customer relationships.