Puttuswamy judgement: fundamental right to privacy under art 21.

Privacy is multi-dimensional
- Includes freedom, information and decision making.
- Need for Comprehensive framework for legislation with respect to processing of
information

Sri krishna committee: for transfer of data outside India authority's permission.
JPC Reprt 2021: For personal data, classified as sensitive and critical personal sensitive data.

Digital Personal Data Protection Act 2023- assented to but not enforced yet.
Key Terminologies:

1. Consent : free (in terms of contract law terms- not under undue influence), unambiguous,
informed, for specific means, clear affirmative action, unconditional
2. Lawful Purpose: something that is not barred by law
3. Data Minimisation:
4. Purpose Limitation: process should be limited for the purpose the data is taken for.
5. Data Retention : again should be for a specific purpose
6. Data Localisation : storing data within a specific jurisdiction

Notice and consent requirements

Sec. 43 A - SPDI Rules- they start from here.

- Notice must be in English and localised in any of the 22 languages.

- Signify an agreement to the processing of personal data.
- Specify purpose of processing
- Manner of exercising withdrawal of consent, grievance redressal and complaints mechanism

Deemed consent is not given under the DPDP Act.

Grounds for processing personal data:

Children’s data processing:

- Child = under 18
- Verified parental consent: nobody knows what this is: no specified definition
- prohibition on tracking, behavioural monitoring or targeted ads
- Prevention of harm
- Exemption for some data fiduciaries / purposes
- Possibility of reducing the age of consent for significant data fiduciaries

Significant data fiduciaries:

- public order
- security of the state
- volume and sensitivity
- risk to rights of data principals
- potential impact on sovereignty and integrity
- risk to electoral democracy

Cross Border Data Flows:

- Data fiduciaries can transfer data to any country or territory that is not restricted by the
Central Government.
- Restricted countries will be notified on any relevant factors, including geo-political and
national security concerns.
- Sectoral regulations that impose restrictions on data transfers (such as RBI regulations or
the CERT-In VPN regulations) will continue, however.

Data Protection Board in India:

- Composition:
- Chairperson and 6 other members
- Special knowledge or practical experience in data governance, administration or
implementation of laws related to social or consumer protection
- Blocking Powers:
- Upon the Board’s advice and for the interests of the general public, the Central
Government can block access to any digital data.

Sec. 17 (1) Exemptions from Obligations:

- Necessary for enforcing any legal right or claim

- Court/ tribunal/ quasi- judicial body
- Prevention, detection, investigation or prosecution of any offence
- Processing of personal data of individual outside India from within India.
- Certain competition interest such as mergers, demergers, amalgamations, etc.
- Ascertaining

Government Exemption:

- State or its instrumentalities are exempted in the interests of:

- Sovereignty and integrity of India, security of the state, friendly relations with foreign
states, maintenance of public order, or preventing incitement to any cognizable offence
related to it.

Exemptions for startups: (DPIT authority)

- Notice requirements
- Obligations related to SDFs.
- Obligations related to right to information
- Accuracy and completeness of personal data
- Restrictions on retention of personal data.