Justice Srikrishna committee recommends 2-4% of company’s worldwide revenue as penalty for any data breach

A big step towards bringing governance in data handling by the companies operating out of India

After the European GDPR came into effect, India has now brought out its recommendations through the Justice BN Srikrishna committee. Justice Srikrishna’s report, entitled “A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians”, along with a draft of The Personal Data Protection Bill, 2018, deliberates upon many aspects of data travel in framing its recommendations.

Justice Srikrishna said data privacy is a burning issue and there are three parts to the triangle. “The citizen’s rights have to be protected, the responsibilities of the states have to be defined but the data protection can’t be at the cost of trade and industry.”

The report has mandated penalties for violations, criminal proceedings, the setting up of a data authority, a provision for withdrawal of consent and the concept of consent fatigue.

Some of the key recommendations by the Justice Srikrishna committee are: all organizations should appoint data protection officers, who will also act as the point of contact for individual grievances; personal data should be processed only for a clear and specific purpose; individuals should have the right to withdraw their consent; firms will have to ensure that one copy of personal data is kept in India; and critical data shall only be processed in a server or data center located in India.

On the lines of GDPR, the committee has also made recommendations on penalties. It recommends a penalty of 2-4% of a company’s worldwide turnover or a fine of between Rs.5 crore and Rs.15 crore, whichever is higher, to be applied where a company is found not to be compliant.

However, the committee has given some exceptions for journalistic purposes or for purely personal and domestic purposes.

Similarly, the committee also recommended that a data protection fund and a data protection awareness fund be created through proceeds from penalties and fines.

NASSCOM-DSCI said in a statement, “The Personal Data Protection Bill released by the Justice Srikrishna committee has suggested a much-needed framework for data protection and privacy in the country. The Bill builds on the Supreme Court Judgement that advocated privacy as a fundamental right for the country and creates a framework for all stakeholders to be more responsible and build trust while dealing with personal data. NASSCOM-DSCI welcome the thrust on creating an institutional structure through a Data Protection Authority in the country as well as the importance of Privacy by Design.”

NASSCOM-DSCI has been advocating for a healthy balance between privacy and innovation, given that India is today emerging as a preferred hub for innovation and STEM talent globally. Policies that govern data protection, storage and classification need to be carefully crafted given the global footprint of the IT-BPM sector. Service providers in India process financial, healthcare and other data of citizens globally. India is also the destination for R&D, product development, analytics and shared services.

Mandating localization of all personal data as proposed in the bill is likely to become a trade barrier in the key markets. Startups from India that are going global may not be able to leverage global cloud platforms and will face similar barriers as they expand in new markets.

Ramesh Mamgain, Area Vice President, India and SAARC Region, Commvault, said, “The report released by Justice BN Srikrishna-led committee for the data protection law is a welcome step. The committee’s recommendation for setting up a Data Protection Authority (DPA) which will be responsible for monitoring, enforcement, standard setting, awareness creation and grievance handling is a reflection of a comprehensive approach towards data management in India. Several instances of data leaks on both individual as well as organizational level that have taken place in the past had created an alarming situation across the country. With the regulation taking form, citizens of the country can now be assured of the safety of their sensitive data. Similar to EU’s GDPR, the Data Protection Law in India is a much needed regulation which will institutionalize processes for organizations across all sectors to better manage both primary and secondary.”

As per Vidur Gupta, partner, government and public sector, EY India: “The data protection report of the committee led by Justice Srikrishna, will be a key step towards building the important base of ‘trusted’ digital India. The proposed introduction of a Digital Protection Authority (DPA) as an independent regulatory body with wider powers would be quite beneficial in the enforcement of the data protection law. Further, the recommendation of bringing public entities under the gambit of law would not only strengthen the confidence of citizens but also define specific safety measures for their personal data while using eGovernance services.”

“It is now imperative that recommendations of the Committee be critically examined and potential direct and indirect costs and benefits be identified and analyzed to help policymakers in decision making”, noted Pradeep S Mehta, Secretary General, CUTS International.

The members of the committee included Telecom secretary Aruna Sundararajan, UID CEO Ajay Bhushan Pandey, National Cyber Security coordinator Gulshan Rai and Vidhi Centre for Legal Policy research director Arghya Sengupta, along with Gopalakrishnan S, joint secretary, Ministry of Electronics and IT. The other members of the committee include Ajay Kumar, additional secretary, MeitY, Rama Vedashree, CEO of Data Security Council of India, Rishikesha T

Mr. Srinivas Rao, Co-Founder & CEO, Aujas, said, “As India leapfrogs into a digital revolution, the importance of data protection policies becomes pertinent and the recommendations of the Srikrishna panel will go a long way in establishing the same. The activity of data storage is similar to the duties of a bank in which data must be consensually given, and the storage of the same must be secure beyond all doubt. Given that India is among the largest producers of data in the world, it is imperative that we have comprehensive legislation in place, to monitor what enterprises and governments do with this data. The panel’s suggestions go further to reiterate the point that once retrieved, secure storage of this data must be guaranteed to the consumer. As the consumer is a key stakeholder in the Digital India campaign, these rulings serve to instil confidence and faith in the movement, and embrace the digital dream.”


It is now in the hands of the government of India as to how it takes this forward in both houses and passes the bill into law. Of course, it will take some time beyond the monsoon session of parliament.
