Data Protection and Privacy in India: An Overview of the Recommendations of the Srikrishna Committee
๐ Background: Why Was the Srikrishna Committee Formed?
In 2017, after growing concerns over digital privacy and the use of personal data, the Government of India set up a committee chaired by Justice B.N. Srikrishna, a retired Supreme Court judge.
The committee's mandate: draft a data protection framework for India.
The move was also prompted by the Puttaswamy judgment (2017), in which the Supreme Court declared privacy as a fundamental right under Article 21 of the Constitution.
๐ The Srikrishna Committee Report (2018)
The committee submitted its report titled:
"A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians"
It was accompanied by a draft law: the Personal Data Protection Bill, 2018.
๐ Key Recommendations of the Srikrishna Committee
1. Recognition of Privacy as a Fundamental Right
The report upholds the Right to Privacy as a fundamental, enforceable right.
Data protection is a vital part of ensuring this right in the digital age.
2. Definition of Personal Data and Sensitive Data
Personal Data: Any data that can identify a person directly or indirectly.
Sensitive Personal Data: Includes health data, biometric data, caste, religion, sexual orientation, financial data, etc.
3. Data Fiduciary and Data Principal
Data Principal: The person whose data is being collected (i.e., the individual).
Data Fiduciary: The entity (company, government, or person) that processes the data.
4. Consent-Based Data Processing
Informed, clear, and specific consent must be obtained from individuals before collecting their personal data.
Consent should be revocable, and data should only be collected for specific purposes.
5. Data Localisation
A copy of all personal data must be stored in India.
Certain categories of data (critical personal data) must be stored and processed only in India.
6. Creation of a Data Protection Authority (DPA)
A regulatory body to enforce compliance, conduct investigations, and handle complaints.
The DPA would also issue codes of practice and monitor cross-border data transfers.
7. Rights of Individuals (Data Principals)
The committee proposed several rights for individuals:
Right to Confirmation and Access
Right to Correction
Right to Data Portability
Right to be Forgotten
8. Accountability of Data Fiduciaries
Organizations must ensure transparency, security, and fairness.
They must appoint Data Protection Officers if dealing with large-scale or sensitive data.
Conduct Data Protection Impact Assessments before initiating risky data processing.
9. Cross-Border Data Transfer
Allowed only if:
Adequate protection exists in the recipient country,
Explicit consent is obtained, or
Approved by the DPA.
10. Penalties and Offenses
Non-compliance could attract significant monetary penalties.
For example:
Failure to protect personal data: up to โน5 crore or 2% of global turnover.
Failure to meet DPA directions: up to โน15 crore or 4% of global turnover.
๐ง Critical Analysis
โ Strengths:
Strong user rights framework and focus on transparency.
Proposes independent regulator (DPA).
Balances innovation with individual autonomy.
Recognizes privacy as a constitutional right.
โ Concerns:
Data localisation may hurt global businesses and innovation.
Government has been exempted in many cases, raising concerns about surveillance.
DPA's independence and operational clarity remain key concerns.
๐๏ธ Aftermath and Developments
The recommendations formed the basis of the Personal Data Protection Bill, 2019, which was introduced in Parliament.
In August 2023, India replaced it with the Digital Personal Data Protection (DPDP) Act, 2023, which aligns with some of the committeeโs recommendations but also introduces changes.
๐ Conclusion
The Srikrishna Committee laid the foundational framework for Indiaโs data protection regime. While not without flaws, its emphasis on privacy, consent, and accountability remains a milestone in shaping Indiaโs digital rights discourse.
Do write to us if you need any further assistance.
RELATED Blog
0 comments