Delhi Services and Data Protection Acts: A New Era of Governance and Privacy in India

Delhi Services and Data Protection Acts: A New Era of Governance and Privacy in India

On August 12, 2023, President Droupadi Murmu gave her assent to two landmark legislations that have the potential to transform the governance and privacy landscape in India. The Delhi Services Bill and the Data Protection Act, both passed by the Parliament in the monsoon session, are now laws that will come into force soon.

The Delhi Services Act, 2023

The Delhi Services Act, 2023, is an amendment to the Government of National Capital Territory of Delhi Act, 1991, which defines the powers and functions of the Lieutenant Governor (LG) and the Delhi government. The act aims to clarify the roles and responsibilities of the LG and the Delhi government in the services sector, which includes the administration of civil servants, public utilities, and other essential services.

The act states that the LG’s opinion shall be obtained before taking any executive action based on the decisions taken by the Council of Ministers or a Minister. The act also states that the LG shall exercise such powers and perform such functions as may be delegated to him by the President. The act further states that any rule made by the central government or any regulation made by the LG shall prevail over any inconsistent rule or regulation made by the Delhi government.

The act also grants the LG greater authority over the appointment, transfer, and postings of all Group A and Delhi Andaman and Nicobar Islands Civil Service (DANICS) officers in the National Capital Territory (NCT) of Delhi. The act states that these officers shall be appointed by the President on the recommendation of a board constituted by him. The act also states that these officers shall be under the control of the LG and shall follow his directions.

The act has been hailed by the central government as a necessary step to ensure smooth administration and coordination in Delhi. The central government maintains that the act does not alter the constitutional status of Delhi as a union territory with a legislative assembly. The central government asserts that the act is in line with the constitutional scheme and respects the balance between local and national interests. The central government also claims that the act will promote accountability and transparency in governance.

However, the act has been strongly opposed by the ruling Aam Aadmi Party (AAP) in Delhi, which claims that it undermines the democratic mandate of the people and reduces the elected government to a mere advisory body. The AAP argues that the act violates the spirit of the Constitution and goes against the Supreme Court’s judgment in 2018, which upheld the primacy of the Delhi government over most matters except public order, land, and police. The AAP also contends that the act will hamper the delivery of public services and affect the welfare of the citizens.

The Data Protection Act, 2021

The Data Protection Act, of 2021, is a comprehensive legislation that regulates the collection, processing, storage, disclosure, and use of personal data in India. The act defines personal data as any data that relates to a natural person who is identifiable, directly or indirectly. The act also defines sensitive personal data as personal data that reveals or relates to passwords, financial data, health data, official identifiers, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe, religious or political beliefs or affiliations. The act further defines non-personal data as any data that is not personal data.

The act establishes a Data Protection Authority of India (DPAI), which is responsible for protecting the interests of data principals (individuals whose personal data is processed), preventing misuse of personal data, ensuring compliance with the act, and promoting awareness of data protection. The act also lays down various principles and obligations for data fiduciaries (entities or individuals who determine the purpose and means of processing personal data) and data processors (entities or individuals who process personal data on behalf of data fiduciaries).

Some of these principles and obligations include:

• Obtaining consent from data principals before collecting or processing their personal data
• Providing notice to data principals about the purpose, nature, source, and duration of processing their personal data
• Limiting collection and processing of personal data to what is necessary, relevant, and reasonable for achieving a lawful purpose
• Ensuring accuracy and quality of personal data
• Implementing appropriate security safeguards to protect personal data from unauthorized access, modification, disclosure, or destruction
• Notifying DPAI and data principals in case of any personal data breach
• Transferring personal data outside India only under certain conditions
• Deleting or anonymising anonymising      personal data after its purpose is served or upon request from data principals

The act also grants various rights to data principals such as:

• Right to confirmation and access: Data principals have the right to obtain confirmation from data fiduciaries whether their personal data is being processed and access their personal data
• Right to correction and erasure: Data principals have the right to seek correction of inaccurate or incomplete personal data and erasure of personal data that is no longer necessary or consented to
• Right to data portability: Data principals have the right to receive their personal data in a structured, commonly used, and machine-readable format and transfer it to another data fiduciary
• Right to object and restrict: Data principals have the right to object to or restrict the processing of their personal data for certain purposes such as direct marketing, profiling, or automated decision making
• Right to be forgotten: Data principals have the right to restrict or prevent the disclosure of their personal data by data fiduciaries under certain circumstances

The act also prescribes various penalties and remedies for violations of its provisions. The penalties range from Rs. 5 crore or 2% of the annual turnover of the data fiduciary, whichever is higher, to Rs. 15 crore or 4% of the annual turnover of the data fiduciary, whichever is higher. The act also empowers DPAI to issue warnings, reprimands, orders, or directions to data fiduciaries or data processors for compliance. The act also provides compensation to data principals for any harm caused by violation of their rights or breach of their personal data.

The act has been welcomed by many stakeholders as a landmark legislation that aims to protect the privacy and dignity of individuals in the digital age. The act is seen as a comprehensive and progressive framework that balances the interests of individuals, businesses, and the state. The act is also expected to boost the digital economy and foster innovation and trust in India.

However, the act has also faced some criticism and concerns from various quarters. Some of these concerns include:

• The act grants wide broad exemptions to the state for processing personal data for purposes such as security, law enforcement, public order, sovereignty, integrity, or friendly relations with foreign states. This may undermine the privacy rights of individuals and create scope for misuse or abuse of power by the state.
• The act mandates data localization for sensitive personal data and critical personal data (a category of personal data that may be notified by the government). This may increase the cost and complexity of doing business in India and affect the competitiveness and growth of the digital sector.
• The act does not provide adequate safeguards or oversight mechanisms for non-personal data. This may pose risks to the privacy and security of individuals and groups whose personal data may be de-identified or aggregated into non-personal data.
• The act does not adequately address the issues of consent fatigue, informed consent, meaningful consent, or consent withdrawal by data principals. This may affect the autonomy and agency of individuals over their personal data.
• The act does not clearly define some key terms such as harm, anonymization, de-identification, profiling, automated decision-making, etc. This may create ambiguity and confusion in the interpretation and implementation of the act.

Conclusion

Delhi Services and Data Protection Acts are two important legislations that have implications for the governance and development of Delhi and India respectively. While both acts have their merits and demerits, they also reflect the need for dialogue and consensus among various stakeholders on issues such as federalism, democracy, privacy, security, innovation, and growth. As both acts come into force shortly, it remains to be seen how they will shape the future of Delhi and India in the digital era.