
Impact on enterprises by data retention and user privacy mandate – ET CISO


The Digital Personal Data Protection (DPDP) Act, 2023 is a step closer to being implemented with draft rules being notified earlier this month. Public feedback is due by February 18, after which the government will finalize and set compliance timelines.

Under the DPDP Act, implications for data retention are as follows:

  • Mandatory Data Erasure: Data Fiduciaries must erase personal data when the Data Principal withdraws consent or as soon as the specified purpose is no longer being served, whichever is earlier.
  • Request for Erasure: Data Principals can request erasure of their personal data, which must be fulfilled unless retention is justified for specified purposes or for regulatory/legal compliance.
  • Obligation to Instruct Data Processors: Data Fiduciaries must ensure their Data Processors erase any personal data shared with them once an erasure condition is met.
  • Retention Exception: Personal data may be retained only if necessary for other regulatory/legal obligations or for the original purpose of collection.

The draft rules (Rule 8) introduce a significant change in the storage and retention of personal data for specific classes of Data Fiduciaries. The rules limit data retention to three years from the Data Principal’s last interaction or the Rules’ commencement, whichever is later, for e-commerce firms and social media intermediaries with over 2 crore registered users and gaming companies with over 50 lakh registered users. Before deletion, Data Fiduciaries must notify the Data Principal with 48 hours’ notice.

This leaves several grey areas:

  • Retention Timelines: A Data Fiduciary may retain personal data for three years after the rules take effect, even if the Data Principal’s last interaction was years ago, posing challenges for compliance.
  • Sector-Specific Issues:
      • E-commerce: Balancing data retention for loyalty programs and personalization with deletion timelines will be complicated for companies.
      • Social Media: Platforms can retain personal data of deceased individuals for three years unless a designated nominee requests erasure, even if the account is removed from public view.
      • Gaming: Deleting historical gamer data impacts analytics and monetization, pushing companies to innovate in real-time processing.
  • Notice Limitations: The 48-hour notice for data deletion may be insufficient, especially if users change contact information or miss notifications. Dormant users might lose data valuable for personalization and need to re-register, disrupting customer experience.
  • Erasure Standards: The lack of clarity on “data erasure” raises questions—should companies delete, archive, or anonymize data, and will anonymization suffice as deletion?

Addressing these gaps is essential to ensure clarity, fairness, and effective compliance. In their current form, the rules may leave companies facing a heavy operational burden in complying with varying retention periods, including deploying robust systems to track, delete, and notify users:

  • Automation Needs: Industries like gaming, telecom, and transportation must automate data retention, deletion, and user notifications.
  • Personalization Impact: Shorter retention periods challenge sectors reliant on long-term data for personalization and analytics, driving innovation in real-time processing.
  • Processor Compliance: Ensuring third-party data processors adhere to retention rules complicates vendor management.
  • Legal Alignment: Industries must align DPDP retention rules with sector-specific laws like HIPAA (healthcare), property laws (real estate), and national security regulations (telecom).
  • Penalty Risks: Non-compliance with retention mandates could incur penalties up to ₹250 crore, necessitating strong data governance frameworks.

The overlap of digital businesses in multiple fields, such as online pharmacies offering health services or e-commerce firms selling financial products, increases the potential for conflicts. Additionally, the Act does not address whether retained data can be used to train Large Language Models (LLMs), raising concerns about indefinite data retention without clear limitations.

The draft rules bring the Act closer to implementation; now incorporating public feedback thoughtfully is key to ensuring effectiveness and compliance feasibility.

The author is Mini Gupta, Cybersecurity Consulting Partner at EY India.


Published On Jan 14, 2025 at 10:42 AM IST
