
The Digital Personal Data Protection Act, 2023 (“DPDPA”) mandates deletion of personal information that is either no longer required or fits the criteria for deletion. One global exception to the data deletion obligation is when the data is required for compliance with any law.
When to delete data – the easy way
Data deletion is triggered simply when the user withdraws their consent. There can be no data processing without consent. So, withdrawal of consent not only stops any data processing but also requires active deletion of data on the part of the entity processing the information. The provision is particularly problematic when data is processed by Artificial Intelligence (“AI”) models. A simple question is: once the information is processed by an AI model to train its weights, how does the data deletion obligation get fulfilled if the user revokes their consent?
When to delete data – the complicated way
Personal data is to be deleted when it is reasonable to assume that the specified purpose of processing is no longer served by the personal data. When the specified purpose is no longer served is to be determined by the DPDP Rules. Rule 8 of the Draft Rules gives some detail on the time period after which the specified purpose is no longer served for specific entities.
The Draft Rule 8 requirement
The DPDP Draft Rule states that the entities listed in the Third Schedule shall delete the data within prescribed timelines when they satisfy twin requirements: (i) the entity is of the listed class and (ii) it processes personal data for the listed purpose.
This data deletion obligation is triggered when the user does not approach the entity for (i) processing personal data for the specified purpose or (ii) exercising their rights.
The Third Schedule covers three entities – (i) an e-commerce entity with more than 2 cr. registered users, (ii) an online gaming intermediary with more than 50 lac users and (iii) a social media intermediary with more than 2 cr. users. For these entities, the qualifying user’s data must be deleted after 3 years. No other guidance is provided on the timeline by the Draft Rules.
The Rules also prescribe a notice to be given to the user 48 hours before deletion of their data. The notice must also inform the user that they can approach the entity to exercise their rights or log in to their account to avoid data deletion.
When to delete data – others?
No specific time period is provided as this provision integrates the “storage limitation” principle. To comply with the requirement, the entity processing personal data must prescribe the timelines within which it would delete the data of a user who does not approach it. These timelines must be reasonable, most likely within the three-year period prescribed under Draft Rule 8.
Furthermore, there must be a record of the data deleted by the entity, along with when the notice was sent to the user and when the data was deleted. This will ensure that the entity processing personal data can demonstrate compliance when required.


