Delhi Services and Data Protection Acts: A New Era of Governance and Privacy in India
Delhi Services and Data Protection Acts: A New Era of Governance and Privacy in India
On August 12, 2023, President Droupadi Murmu gave her assent to
two landmark legislations that have the potential to transform the governance
and privacy landscape in India. The Delhi Services Bill and the Data Protection
Act, both passed by the Parliament in the monsoon session, are now laws that
will come into force soon.
The Delhi Services Act, 2023
The Delhi Services Act, 2023, is an amendment to the Government of
National Capital Territory of Delhi Act, 1991, which defines the powers and
functions of the Lieutenant Governor (LG) and the Delhi government. The act
aims to clarify the roles and responsibilities of the LG and the Delhi government
in the services sector, which includes the administration of civil
servants, public utilities, and other essential services.
The act states that the LG’s opinion shall be obtained before
taking any executive action based on the decisions taken by the Council of
Ministers or a Minister. The act also states that the LG shall exercise such
powers and perform such functions as may be delegated to him by the President.
The act further states that any rule made by the central government or any
regulation made by the LG shall prevail over any inconsistent rule or
regulation made by the Delhi government.
The act also grants the LG greater authority over the appointment,
transfer, and postings of all Group A and Delhi Andaman and Nicobar Islands Civil
Service (DANICS) officers in the National Capital Territory (NCT) of Delhi. The
act states that these officers shall be appointed by the President on the
recommendation of a board constituted by him. The act also states that these
officers shall be under the control of the LG and shall follow his directions.
The act has been hailed by the central government as a necessary
step to ensure smooth administration and coordination in Delhi. The central
government maintains that the act does not alter the constitutional status of
Delhi as a union territory with a legislative assembly. The central government
asserts that the act is in line with the constitutional scheme and respects the
balance between local and national interests. The central government also
claims that the act will promote accountability and transparency in governance.
However, the act has been strongly opposed by the ruling Aam Aadmi
Party (AAP) in Delhi, which claims that it undermines the democratic mandate of
the people and reduces the elected government to a mere advisory body. The AAP
argues that the act violates the spirit of the Constitution and goes against
the Supreme Court’s judgment in 2018, which upheld the primacy of the Delhi
government over most matters except public order, land, and police. The AAP
also contends that the act will hamper the delivery of public services and
affect the welfare of the citizens.
The Data Protection Act, 2021
The Data Protection Act, of 2021, is a comprehensive legislation that
regulates the collection, processing, storage, disclosure, and use of personal
data in India. The act defines personal data as any data that relates to a
natural person who is identifiable, directly or indirectly. The act also
defines sensitive personal data as personal data that reveals or relates to
passwords, financial data, health data, official identifiers, sex life, sexual
orientation, biometric data, genetic data, transgender status, intersex status,
caste or tribe, religious or political beliefs or affiliations. The act further
defines non-personal data as any data that is not personal data.
The act establishes a Data Protection Authority of India (DPAI),
which is responsible for protecting the interests of data principals
(individuals whose personal data is processed), preventing misuse of personal
data, ensuring compliance with the act, and promoting awareness of data
protection. The act also lays down various principles and obligations for data
fiduciaries (entities or individuals who determine the purpose and means of
processing personal data) and data processors (entities or individuals who
process personal data on behalf of data fiduciaries).
Some of these principles and obligations include:
- Obtaining consent from data
principals before collecting or processing their personal data
- Providing notice to data
principals about the purpose, nature, source, and duration of processing
their personal data
- Limiting collection and
processing of personal data to what is necessary, relevant, and reasonable
for achieving a lawful purpose
- Ensuring accuracy and quality
of personal data
- Implementing appropriate
security safeguards to protect personal data from unauthorized access,
modification, disclosure, or destruction
- Notifying DPAI and data
principals in case of any personal data breach
- Transferring personal data
outside India only under certain conditions
- Deleting or anonymising anonymising personal data after its purpose is served or upon request from data
principals
The act also grants various rights to data principals such as:
- Right to confirmation and
access: Data principals have the right to obtain confirmation from data
fiduciaries whether their personal data is being processed and access
their personal data
- Right to correction and
erasure: Data principals have the right to seek correction of inaccurate
or incomplete personal data and erasure of personal data that is no longer
necessary or consented to
- Right to data portability: Data
principals have the right to receive their personal data in a structured,
commonly used, and machine-readable format and transfer it to another data
fiduciary
- Right to object and restrict:
Data principals have the right to object to or restrict the processing of
their personal data for certain purposes such as direct marketing,
profiling, or automated decision making
- Right to be forgotten: Data
principals have the right to restrict or prevent the disclosure of their
personal data by data fiduciaries under certain circumstances
The act also prescribes various penalties and remedies for
violations of its provisions. The penalties range from Rs. 5 crore or 2% of the
annual turnover of the data fiduciary, whichever is higher, to Rs. 15 crore or
4% of the annual turnover of the data fiduciary, whichever is higher. The act
also empowers DPAI to issue warnings, reprimands, orders, or directions to data
fiduciaries or data processors for compliance. The act also provides compensation to data principals for any harm caused by violation of their
rights or breach of their personal data.
The act has been welcomed by many stakeholders as a landmark
legislation that aims to protect the privacy and dignity of individuals in the
digital age. The act is seen as a comprehensive and progressive framework that
balances the interests of individuals, businesses, and the state. The act is
also expected to boost the digital economy and foster innovation and trust in
India.
However, the act has also faced some criticism
and concerns from various quarters. Some of these concerns include:
- The act grants wide broad exemptions
to the state for processing personal data for purposes such as security,
law enforcement, public order, sovereignty, integrity, or friendly
relations with foreign states. This may undermine the privacy rights of
individuals and create scope for misuse or abuse of power by the state.
- The act mandates data
localization for sensitive personal data and critical personal data (a
category of personal data that may be notified by the government). This
may increase the cost and complexity of doing business in India and affect
the competitiveness and growth of the digital sector.
- The act does not provide
adequate safeguards or oversight mechanisms for non-personal data. This
may pose risks to the privacy and security of individuals and groups whose
personal data may be de-identified or aggregated into non-personal data.
- The act does not adequately
address the issues of consent fatigue, informed consent, meaningful
consent, or consent withdrawal by data principals. This may affect the
autonomy and agency of individuals over their personal data.
- The act does not clearly define
some key terms such as harm, anonymization, de-identification, profiling,
automated decision-making, etc. This may create ambiguity and confusion in the interpretation and implementation of the act.
Conclusion
Delhi Services and Data Protection Acts are two important legislations that have implications for the governance and development of Delhi and India respectively. While both acts have their merits and demerits, they also reflect the need for dialogue and consensus among various stakeholders on issues such as federalism, democracy, privacy, security, innovation, and growth. As both acts come into force shortly, it remains to be seen how they will shape the future of Delhi and India in the digital era.
Comments
Post a Comment
Thanks, For Your Valuable Comment