January 23, 2022

Data Protection and Privacy in India: An Overview of the Recommendations of the Srikrishna Committee


The rapid growth of the digital economy and technological advancements have made it crucial to protect the personal data of individuals. Data protection refers to policies and procedures seeking to minimise intrusion into the privacy of an individual caused by the collection and usage of their personal data. Earlier, the usage and transfer of personal data of citizens were regulated by the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011[1], under the Information Technology Act, 2000[2]. The act had prescribed minimum standards on the privacy and disclosure of information, collection of information, transfer of information and reasonable security practices and procedures. The rules hold the companies using the data liable for compensating the individual in case of any negligence in maintaining security standards while dealing with the data. The act does not adequately address the concerns arising from today’s digital economy, where most transactions involve processing of personal data. Personal data is any type of data that can be used to directly or indirectly identify an individual, for example name, picture, phone number and address (which enable direct identification), as well as IP address or user name (which enable indirect identification). The Expert Committee, in its report, held that while the IT rules were a novel attempt at data protection at the time they were introduced, the pace of development of the digital economy has shown their shortcomings. For instance, (i) the definition of sensitive personal data under the rules is narrow, and (ii) some of the provisions can be overridden by a contract. Further, the IT Act applies only to companies, not to the government.

Need of the Personal Data Protection Bill 2019

The Ministry of Electronics & Information Technology in 2017 formed the B.N. Srikrishna Committee to make recommendations for a draft bill on data protection law. The Committee submitted its report in July 2018 along with the draft Personal Data Protection Bill, which will have jurisdiction over processing of personal data if that data has been used, shared, disclosed, collected or otherwise processed in India, and which also ensures data localization, i.e. a copy of all personal data should be mandatorily stored in India. Finally, the Personal Data Protection Bill was introduced by the Minister of Electronics and Information Technology, Mr. Ravi Shankar Prasad, on December 11, 2019[3] to enhance technological progress while at the same time adopting personal data protection requirements to meet compliance. This will be India’s first law on the protection of personal data and will repeal S. 43A of the IT Act.

Key Features of the Bill

  • The Bill proposes a broader reach. It will not only apply to persons in India but also to persons outside India in relation to businesses carried on in India, the offering of goods or services to individuals in India or the profiling of individuals in India.[4]
  • It categorizes certain personal data as sensitive personal data. This means all personal data which may reveal, be related to, or constitute (i) financial data; (ii) health data; (iii) official identifier; (iv) sex life; (v) sexual orientation; (vi) biometric data; (vii) genetic data; (viii) transgender status; (ix) intersex status; (x) caste or tribe; (xi) religious or political belief or affiliation; or (xii) any other data categorized as such by the Central Government.[5]
  • The Bill provides for the establishment of the Data Protection Authority of India, which will be accountable for protecting the interests of data principals, preventing misuse of personal data, ensuring compliance with the new law and promoting awareness of data protection.[6] It vests the Authority with judicial powers as are vested in a civil court under the Criminal Procedure Code (CrPC).
  • Offences under the Bill include: (i) processing or transferring personal data in violation of the Bill, punishable with a fine of Rs 15 crore or 4% of the annual turnover of the fiduciary, whichever is higher, and (ii) failure to conduct a data audit, punishable with a fine of five crore rupees or 2% of the annual turnover of the fiduciary, whichever is higher.[7]
  • The Authority shall appoint adjudicating officers for the purpose of adjudging penalties or awarding compensation.[8]
  • The Bill also establishes an appellate tribunal, to which a person aggrieved by an order of the adjudicating officer may prefer an appeal.[9]

Invasion of Privacy violates Article 21

On August 24th, 2017, the Supreme Court in the decision of Justice K.S. Puttaswamy (retd.) & Anr vs. Union of India and Ors[10] observed that the right to privacy is a constitutionally protected right which arises out of Article 21 of the Indian Constitution[11]. It is necessary to protect personal data as an essential facet of informational privacy. The court stated that every person should have the right to control commercial use of his or her identity and that the “right of individuals to exclusively commercially exploit their identity and personal information, to control the information that is available about them on the internet and to disseminate certain personal information for limited purposes alone” emanates from this right. This is the first time that the Supreme Court has explicitly recognised the right of individuals over their personal data. It also recognizes the necessity to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation. It explicitly overrules previous judgements of the Supreme Court in Kharak Singh vs State of UP[12] and M.P Sharma vs Satish Chandra[13], which had held that there is no fundamental right to privacy under the Indian Constitution.

However, the protection under Article 21 is not absolute and is subject to certain restrictions. For instance, the right could be restricted if there is a law created by the legislature to restrict the same, and the Personal Data Protection Bill presently falls under this. Processing of personal data is exempted from the provisions of the Bill in some cases. For example, the central government can exempt any of its agencies in the interest of security of state, public order, sovereignty and integrity of India, and friendly relations with foreign states. Processing of personal data is also exempted from provisions of the Bill for certain other purposes such as prevention, investigation, or prosecution of any offence, or research and journalistic purposes. Further, personal data of individuals can be processed without their consent in certain circumstances such as: (i) if required by the State for providing benefits to the individual, (ii) legal proceedings, (iii) to respond to a medical emergency.[14]


India is not a party to any convention on protection of personal data but is equivalent to the General Data Protection Regulation[15]. The General Data Protection Regulation is the new EU legal framework governing the use of personal data across the EU, which lays down rules relating to the protection of natural persons with regard to the processing and free movement of personal data. It will apply to an Indian organization only if such organisation provides goods or services to EU citizens or monitors their behaviour within the EU. However, India has adopted or is a party to other international declarations and conventions such as the Universal Declaration of Human Rights and the International Covenant on Civil and Political Rights, which recognise the right to privacy. The Bill will serve not only to improve consumers’ trust in companies, but it will also help India establish herself and build trust on the international landscape.

[1] Ministry of Communications and Information Technology notification, April 11, 2011, available at https://www.meity.gov.in/writereaddata/files/GSR313E_10511%281%29_0.pdf.

[2] Information Technology Act, 2000, Act No. 21 of 2000, available at https://www.indiacode.nic.in/bitstream/123456789/1999/3/A2000-21.pdf.

[3] The Personal Data Protection Bill, 2019, Bill No. 373 of 2019, available at https://www.prsindia.org/sites/default/files/bill_files/Personal%20Data%20Protection%20Bill%2C%202019.pdf.

[4] Section 33, The Personal Data Protection Bill, 2019.

[5] Section 15, The Personal Data Protection Bill, 2019.

[6] Section 41, The Personal Data Protection Bill, 2019.

[7] Section 57, The Personal Data Protection Bill, 2019.

[8] Section 62(1), The Personal Data Protection Bill, 2019.

[9] Section 67, The Personal Data Protection Bill, 2019.

[10] (2017) 10 SCC 1.

[11] Article 21, The Constitution of India, 1950.

[12] 1963 AIR 1295.

[13] 1954 AIR 300.

[14] Section 35, The Personal Data Protection Bill, 2019.

[15] General Data Protection Regulation 2016/679, available at https://gdpr-info.eu/.

Author: Ruchika Baweja (Nirma University)
