The Justice B. N. Srikrishna Committee was a ten-member Committee of Experts on a Data Protection Framework for India, constituted by the Ministry of Electronics and Information Technology (MeitY) through an office memorandum dated 31 July 2017. Its chairman was Justice Bellur Narayanaswamy Srikrishna, a former judge of the Supreme Court of India. The committee's creation was directly contemporaneous with the constitutional moment that gave it urgency: on 24 August 2017, a nine-judge bench of the Supreme Court in Justice K. S. Puttaswamy (Retd.) v. Union of India unanimously held that the right to privacy is a fundamental right intrinsic to Article 21 of the Constitution. The committee was tasked with studying issues relating to data protection, recommending methods to address them, and drafting a data protection bill. Its mandate flowed from the recognition that India, despite hosting one of the world's largest digital populations and the Aadhaar identity programme, lacked any horizontal statute governing the processing of personal information.
The committee's procedural work unfolded over roughly fourteen months. It first released a White Paper in November 2017, a consultative document of nearly 240 pages that posed structured questions on scope, jurisdiction, consent, cross-border data flows, enforcement, and the institutional design of a regulator. The White Paper invited public comments and was followed by public consultations held in Delhi, Bengaluru, Mumbai, and Hyderabad, drawing submissions from industry, civil society, academics, and government departments. After synthesising these inputs, the committee submitted its final report — titled A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians — to the Union Minister for Electronics and IT, Ravi Shankar Prasad, on 27 July 2018. Accompanying the report was a draft instrument, the Personal Data Protection Bill, 2018, the first such legislative text produced in India.
The committee's substantive design borrowed conceptual architecture from the European Union's General Data Protection Regulation while adapting it to Indian conditions. It introduced into Indian discourse the roles of the data fiduciary (the entity determining the purpose and means of processing, analogous to the GDPR's "controller") and the data principal (the individual to whom the data relates, analogous to the "data subject"). It proposed grounds for lawful processing, rights of confirmation, correction, and data portability, obligations of purpose and collection limitation, and the creation of a Data Protection Authority of India as the regulator. Two of its most contested recommendations were a data localisation requirement — mandating that at least one serving copy of personal data be stored on servers located in India, with "critical" personal data stored exclusively in India — and broad exemptions permitting the state to process data for sovereign and security functions.
The report did not itself become law; it began a multi-year legislative journey through India's ministries and Parliament. MeitY revised the draft into the Personal Data Protection Bill, 2019, introduced in the Lok Sabha on 11 December 2019 and referred to a Joint Parliamentary Committee. That bill was withdrawn on 3 August 2022. A leaner Digital Personal Data Protection Bill was circulated in November 2022, introduced in Parliament in August 2023, and enacted as the Digital Personal Data Protection Act, 2023, which received presidential assent on 11 August 2023. The 2023 Act retained the fiduciary–principal vocabulary and the Data Protection Board concept the committee pioneered, while diluting hard data-localisation mandates in favour of a negative-list approach to cross-border transfers.
The committee should be distinguished from adjacent bodies and instruments. It is not the Justice A. P. Shah Group of Experts on Privacy (2012), whose report under the Planning Commission articulated nine privacy principles but did not draft a bill. Nor is it the Joint Parliamentary Committee that scrutinised the 2019 bill — a parliamentary forum rather than an executive expert panel. The committee's draft is also distinct from the Information Technology Act, 2000 and its Section 43A rules of 2011, which governed "sensitive personal data" narrowly and which the new statutory regime supersedes. Practitioners should likewise not conflate the committee's 2018 draft with the enacted 2023 Act, which differs materially on localisation, the regulator's independence, and exemptions.
The committee's own legacy is marked by a notable internal dissent. Justice Srikrishna himself, after the 2019 bill emerged, publicly criticised the wide exemptions granted to government agencies under Clause 35, warning that the provisions could create an "Orwellian state" by allowing the executive to exempt any agency from the law's application. This critique foreshadowed enduring debates over the balance between state surveillance powers and individual privacy that persist under the 2023 Act and its pending implementing rules. The tension between the Puttaswamy proportionality standard and broad statutory carve-outs remains the central unresolved fault line in Indian data governance.
For the working practitioner — whether a civil services aspirant preparing General Studies Paper III, a policy researcher, or a desk officer tracking India's digital regulation — the Srikrishna Committee is the foundational reference point for the country's data protection regime. It supplies the vocabulary, the doctrinal lineage from Puttaswamy, and the policy controversies (localisation, regulator autonomy, state exemptions) that frame every subsequent draft and the final 2023 statute. Understanding the committee clarifies why India's law looks as it does, what was proposed but not adopted, and where contemporary rule-making continues to contest the original design.
Example
In July 2018, Justice B. N. Srikrishna submitted his committee's report and the draft Personal Data Protection Bill to Union IT Minister Ravi Shankar Prasad, launching India's legislative path toward the 2023 data protection law.
Frequently asked questions
The committee was constituted by MeitY on 31 July 2017, just weeks before the Supreme Court's nine-judge bench in Justice K. S. Puttaswamy v. Union of India (24 August 2017) declared privacy a fundamental right under Article 21. The judgment gave constitutional impetus to drafting a statutory data protection framework.