Online platforms may need to delete data of users inactive for 3yrs

New Digital Personal Data Protection Rules proposed by the government may require online platforms, including e-commerce, gaming, and social media, to permanently delete data of inactive users

The Indian government is contemplating a significant provision in the upcoming Digital Personal Data Protection (DPDP) rules, suggesting the permanent deletion of user data for accounts that have been inactive for a continuous three-year period, according to a report by The Indian Express (IE). This proposal, yet to be officially released, is part of the draft executive rules under the DPDP Act, enacted as law in August 2023.

An early version of the draft, according to a report by MoneyControl, suggests that user data deletion may apply to e-commerce, online gaming, and social media companies with over 20 million users registered in India. Platforms would be required to notify users 48 hours before the expiration of the three-year period, informing them of impending data erasure due to inactivity. Users will also be informed that the deletion can be averted by logging into their accounts.

Additionally, the forthcoming rules might mandate any platform, whether private or government, processing user data to promptly inform the Data Protection Board (DPB) of any data breach upon awareness. The DPB, established under the DPDP Act, would require platforms to communicate breach details on a best-effort basis, including a description, date and time of awareness, breach location, extent, and potential impact.

According to a senior government official, as reported by IE, this rule could be applied universally to platforms, irrespective of their user base in India. At least 25 such rules are anticipated under this Act.

Other key aspects under consideration include the development of a "consent framework" to authenticate a child's age before accessing online services. The Act mandates "verifiable parental consent" for individuals under 18 years, posing a challenge for the industry as it lacks specific guidelines for age verification.

Two methods are likely to be recommended: a digital locker system supported by government ID, such as Aadhaar, and an electronic token system subject to government authorisation. Certain entities, particularly in healthcare and education, might be exempted from stringent age-gating requirements.