Recent cyber frauds affecting 3.6 million Indians in 2024 with losses of Rs 22,845 crore highlight the urgent need for robust data protection. The Justice B.N. Srikrishna Committee Report (2018) provides a comprehensive framework for personal data protection in India's digital ecosystem.

Strengths of the Srikrishna Report

• Comprehensive Legal Framework

  • Establishes consent-based data processing with clear lawful bases
  • Introduces data fiduciaries concept with defined obligations and accountability
  • Mandates data collection only for "clear, specific, and lawful" purposes
  • Provides detailed classification of personal and sensitive personal data
  • Incorporates privacy by design principles in system architecture

• Individual Rights Protection

  • Grants "Right to be Forgotten" allowing data erasure requests
  • Ensures data portability enabling users to transfer data between services
  • Provides right to confirmation and access of personal data processing
  • Establishes grievance redressal mechanisms for data subjects
  • Mandates data breach notifications within 72 hours

• Institutional Safeguards

  • Proposes independent Data Protection Authority (DPA) for enforcement
  • Recommends stringent penalties up to 4% of global turnover
  • Establishes adjudication mechanisms for dispute resolution
  • Requires mandatory Data Protection Officers for large organizations
  • Mandates data protection impact assessments for high-risk processing

Weaknesses of the Srikrishna Report

• Implementation Challenges

  • High compliance costs burden small and medium enterprises
  • Lack of technical infrastructure guidelines for data localization
  • Insufficient capacity building provisions for businesses
  • Complex regulatory framework creating operational difficulties
  • Absence of sector-specific implementation roadmaps

• Government Exemptions Concerns

  • Broad state surveillance powers undermining privacy rights
  • Vague definitions of "public interest" allowing potential misuse
  • Limited judicial oversight on government data processing
  • Conflicts with fundamental right to privacy (Puttaswamy judgment)
  • Inadequate safeguards against executive overreach

• Technological Limitations

  • Cross-border data transfer provisions remain unclear
  • Limited guidance on AI and machine learning applications
  • Insufficient provisions for IoT and blockchain technologies
  • Lacks framework for anonymization and pseudonymization
  • Absence of standards for emerging biometric data processing

The Srikrishna Report provides a solid foundation for data protection but requires balanced implementation through the Digital Personal Data Protection Act 2023, addressing regulatory gaps while fostering India's digital economy growth.