Key Elements of a Democratic Government

UPSC GS2 — Accountability:

Constitutional accountability:

• Parliament: Questions, debates, no-confidence motion, committee scrutiny
• CAG (Comptroller and Auditor General): Art. 148; audits government spending; reports to Parliament
• Elections: Periodic accountability through votes

Statutory accountability:

• RTI Act 2005: Citizens can demand information from any public authority within 30 days (standard); 48 hours for matters involving life or liberty (Section 7(1)); Central/State Information Commissioners; landmark law for transparency; ~60 lakh RTI applications filed annually
• Lokpal and Lokayuktas Act 2013: Anti-corruption ombudsman for Centre (Lokpal) and States (Lokayukta); investigates corruption allegations against public officials including PM (with safeguards)
• Whistleblower Protection Act 2014: Protects those who expose corruption

Judicial accountability:

• Judicial Review: Courts can strike down laws/executive actions that violate the Constitution
• Writs (Art. 32, 226): Habeas Corpus, Mandamus, Prohibition, Certiorari, Quo Warranto — citizens can approach courts against government actions
• PIL (Public Interest Litigation): Liberalised standing to approach Supreme Court on public issues

Social accountability:

• Free press: Media scrutiny; investigative journalism
• Civil society: NGOs, think tanks, advocacy groups
• Social audit: Gram Sabhas verify MGNREGS and other programme implementation

[Additional] Right to Privacy — Puttaswamy I and II (GS2 — Polity / Fundamental Rights / Governance):

Origin of the case: Justice K.S. Puttaswamy (retired Karnataka HC judge) filed a writ petition in 2012 challenging the Aadhaar scheme — collecting biometric data (fingerprints, retina scans) in a centralised UIDAI database. The government argued that privacy was NOT a fundamental right, citing M.P. Sharma (1954) and Kharak Singh (1962). The Supreme Court referred the threshold question — is privacy a fundamental right? — to a nine-judge Constitution Bench.

Puttaswamy I — August 24, 2017:

Three-Pronged test for any state restriction on privacy:

1. Legality — a valid law must authorise the restriction
2. Necessity — the restriction must pursue a legitimate state objective
3. Proportionality — the means must not go beyond what is necessary

Three dimensions of privacy identified:

1. Bodily integrity — physical person, bodily surveillance
2. Informational privacy — data about the individual, control over personal data
3. Decisional autonomy — personal choices (food, dress, sexual orientation, relationships)

Puttaswamy II — Aadhaar Judgment (September 26, 2018):

Policy chain: Puttaswamy → DPDP Act: Puttaswamy I (2017) → constitutionally recognised right to informational privacy → parliamentary obligation to enact data protection law → Digital Personal Data Protection Act, 2023 operationalises this constitutional right (see Additional 4b).

UPSC synthesis: Puttaswamy = GS2 Polity + Fundamental Rights. Key exam facts: Justice K.S. Puttaswamy v. Union of India = August 24, 2017 = nine-judge Constitution Bench = CJI J.S. Khehar presiding = unanimous (6 concurring opinions, no dissent); right to privacy = fundamental right under Articles 14, 19, 21 (primarily Art. 21); three dimensions = bodily integrity + informational privacy + decisional autonomy; three-pronged test = legality + necessity + proportionality; overruled M.P. Sharma (1954) (8-judge, privacy not a right) and Kharak Singh (1962); Puttaswamy II = September 26, 2018 (Aadhaar valid 4:1; Section 57 struck down — bank/mobile linking mandatory); led to DPDP Act 2023. Prelims trap: Puttaswamy was a nine-judge bench (NOT 5 or 7); the judgment was unanimous with 6 concurring opinions (NOT a split verdict); the bench was led by CJI Khehar (NOT CJI Chandrachud — Chandrachud was a member and wrote the main concurring opinion but was NOT CJI at the time); M.P. Sharma that was overruled was an 8-judge bench from 1954 (NOT 5-judge and NOT from the 1960s).

[Additional] DPDP Act 2023 — Rights, Obligations, Penalties, and Implementation Status (GS2 — Governance / Rights / Technology):

Nodal ministry: Ministry of Electronics and Information Technology (MeitY)

Rights of Data Principals (citizens):

Core obligations on Data Fiduciaries:

• Obtain free, specific, informed, and unambiguous consent with a plain-language notice
• Process data only for the specified lawful purpose — no secondary use without fresh consent
• Implement reasonable security safeguards to prevent data breaches
• Notify the DPBI and affected Data Principals of any personal data breach
• Erase personal data once the purpose is fulfilled (storage limitation)
• No processing of children's personal data without verifiable parental consent; no tracking/behavioural monitoring of children

Additional obligations for Significant Data Fiduciaries (SDFs):

• Appoint a Data Protection Officer (DPO)
• Conduct Data Protection Impact Assessments (DPIAs)
• Undergo independent audits
• Comply with data localisation requirements as specified by the Central Government

Penalty schedule:

Note: Penalties are monetary (not criminal); the DPDP Act does not impose imprisonment. The Act also does not define "harm" — a noted analytical gap in the legislation.

Implementation timeline (phased):

As of May 2026: Phase 1 is operational; DPBI is constituted; organizations are in the compliance preparation stage. Full enforcement of substantive rights and penalties begins May 2027.

Critical gap in DPDP Act (common Mains question): The DPDP Act exempts the Central Government and its instrumentalities from several provisions — including the right to data erasure — when processing data for national security, law enforcement, or public interest. Critics (and the Parliamentary Standing Committee) noted this creates a state surveillance exemption that may not be fully consistent with the proportionality test in Puttaswamy I. This is a live governance debate.

UPSC synthesis: DPDP Act 2023 = GS2 Governance + Digital Rights. Key exam facts: Full name = Digital Personal Data Protection Act, 2023 (No. 22 of 2023); presidential assent = August 11, 2023; rules notified = November 13, 2025; nodal ministry = MeitY; Data Protection Board = NCR/Delhi = Chairperson + 4 Members = civil court powers; largest penalty = Rs. 250 crore (security safeguard failure); children's data penalty = Rs. 200 crore; No imprisonment — monetary penalties only; rights of Data Principals = access + correction/erasure + withdraw consent + grievance + nominate; full enforcement from May 14, 2027 (Phase 3); constitutional basis = Puttaswamy I (2017) right to informational privacy. Prelims trap: Penalties are monetary (NOT criminal imprisonment — a key distinction from IT Act 2000 which does have imprisonment provisions); largest penalty = Rs. 250 crore (NOT Rs. 500 crore or Rs. 100 crore); nodal ministry = MeitY (NOT Ministry of Law or Home Ministry); the Act was notified in force November 2025 (NOT 2023 — only presidential assent was August 2023; full enforcement phases run to 2027); government instrumentalities are partially exempt from DPDP Act provisions — meaning citizens cannot claim all data rights against the government in all contexts.