E-commerce platforms, social media intermediaries, and online gaming platforms with significant user bases in India will soon be required to erase personal data of users three years after it is no longer needed. This directive is part of the draft rules under the Digital Personal Data Protection (DPDP) Act, released for public feedback.
The draft rules apply to:
• E-commerce entities with at least 2 crore registered users in India.
• Online gaming intermediaries with not less than 50 lakh registered users.
• Social media intermediaries with at least 2 crore registered users.
These provisions are detailed under Section 8 of the draft rules.
Data fiduciaries, as these entities are referred to, must notify users at least 48 hours before erasing their data. This notification will allow users to request retention of their information, such as profiles, email addresses, and phone numbers if required to access goods, services, or funds.
“At least forty-eight hours before completion of the time period for the erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased unless she logs into her user account or otherwise initiates contact with the Data Fiduciary,” the draft rules state.
In the event of a data breach, data fiduciaries must take reasonable security measures and inform affected users promptly. The notification must include:
• A description of the breach, including its nature, timing, and location.
• Potential consequences for the user.
• Mitigation measures being implemented.
• Safety steps the user can take to protect themselves.
• Contact details of a representative who can address user queries.
“On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate each affected Data Principal in a concise, clear, and plain manner and without delay,” the draft reads.
The government is soliciting feedback on the draft rules through the MyGov portal until February 18, 2025. The DPDP Act, passed in August 2023, aims to strengthen data protection regulations and foster trust between users and digital platforms.
The draft rules signal a significant shift in India’s data privacy framework, holding platforms accountable for data retention and breaches. Entities must now balance compliance with the Act while ensuring smooth user experiences.
Expert Opinions
Ruchin Kumar, VP - South Asia, Futurex said, "DPDP Act 2023 is a landmark initiative designed to protect the personally identifiable information (PII) of Indian citizens while fostering trust in the country’s thriving digital ecosystem."
"The Act mandates strong encryption for data both at rest and in transit, emphasizing the use of advanced encryption algorithms and secure protocols. It also stresses the importance of centralized encryption key management solutions and the use of hardware security modules (HSMs) to protect encryption keys. These measures mean organizations must elevate their data security practices to comply with the Act and uphold individuals’ privacy rights in the digital era. This not only protects individuals’ personal information but also fosters trust in India’s digital ecosystem," Kumar added.
Mayuran Palanisamy, Partner, Deloitte India commented, "The DPDPA rules are quite detailed and give much needed direction to the businesses in India by expounding upon compliance to be carried out by them, such as obligations measures for Significant Data Fiduciaries, registration and obligations of Consent Managers, the establishment and functioning of the Data Protection Board, including specifics of data breach intimation to Data Principals and the Board, process for the Principals to exercise their rights and timelines for Data Fiduciaries to respond to grievances."
"We foresee that businesses will face some complex challenges in managing consent as it forms the heart of the law. Maintaining consent artefacts and offering the option to withdraw consent for specific purposes could necessitate changes at the design and architecture level of applications and platforms. Further, organizations will need to invest in both technical infrastructure and processes to meet these requirements effectively. This includes relooking into data collection practices, implementing consent management systems, establishing clear data lifecycle protocols and actually percolating down these practices at an implementation level," Palanisamy added.
Shahana Chatterji, Partner, Shardul Amarchand Mangaldas & Co. said, “We welcome the release of the draft rules for public consultation, marking a significant step toward implementing the much-anticipated Digital Personal Data Protection (DPDP) Act. This initiative reflects the government's commitment to fostering a robust framework for data protection in India. While the draft rules are a positive move, we believe there is an opportunity to further enhance operational clarity in certain areas, and we are confident that these discussions will lead to a balanced and practical regulatory framework.”
Shreya Suri, Partner, IndusLaw commented, “It is encouraging to finally witness progress on this front. As the industry reviews the draft rules for the Digital Personal Data Protection Act, there are a few initial reflections to consider. These rules were highly anticipated, with the expectation that they would address implementation challenges, procedural gaps, and areas where the Act required further clarity. While the draft does attempt to cover some of these aspects, there is still significant ground to cover. I anticipate rigorous public consultations to gather comprehensive feedback, ensuring that the final version reflects the needs and perspectives of all stakeholders. Continued input and guidance from the government will be essential to drive effective implementation.”
"An interesting development is the introduction of potential obligations for significant data fiduciaries regarding cross-border data sharing. While the Act largely permits such transfers, apart from blacklisted jurisdictions, the draft rules hint at the possibility of additional oversight. A proposed committee may recommend that certain personal data be restricted from being transferred outside India, which adds a new dimension to the regulatory landscape that will be important for stakeholders to consider. Additionally, the classification of data fiduciaries in the draft rules, which focuses on defining retention periods for data, seems to currently apply only to three categories of fiduciaries. However, there are concerns among various stakeholders regarding the need for additional use cases, which have yet to be addressed. This leaves some important questions about data retention practices for certain types of data fiduciaries still unanswered," Suri added.