In implementing the DPDPA 2023, and cleaning up the past unregulated collection of personal data by organizations, the Act has prescribed that “Consent should be obtained even for the legacy personal data collection of a data fiduciary.” In such cases there could be a large number of data principals who may not return either a valid consent to continue processing or a decision to withdraw consent. Such personal data is “Orphaned for lack of consent” and needs to be purged within a reasonable time.
While ITA 2000 implies that such data should be deleted within one year, DPDPA Rules 2025 seem to indicate possible retention for 3 years in specific cases such as large Social Media Intermediaries, Gaming Intermediaries or E-Commerce entities.
There are specific legal requirements for retention of data for long periods after its processing because of other legal provisions, such as in the Banking or Health sector. In such cases the data simply remains in storage, to be retrieved only in very exceptional circumstances. However, during this period the data remains vulnerable to being stolen and misused, creating a burden for the data fiduciary. Additionally, data in the hands of a data fiduciary may also be “Evidence” in a legal proceeding and therefore cannot be deleted till the disputes are settled in the Court.
The retention of data by a data fiduciary when it is no longer required for processing is a security burden and hence it would be good to ensure that such data is deleted.
When data is required for research purposes, it may be anonymized, de-identified or pseudonymised.
In all other cases the data remains as a potential risk for the data fiduciary and has to be encrypted and kept safely.
Sometimes data of deceased persons, with or without nomination, may also remain “Unclaimed”.
In order to address all such instances, it is considered necessary for the Government to create a “National Archival of Personal Data” and enable depositing of all deleted personal data by the data fiduciaries. Part of this may be “Unclaimed Personal Data” and part of it may be “Required for Legal necessities”.
Such data should be properly indexed and should be retrievable at a later date if the data principal wakes up from slumber and claims it as his lost property.
This archive will ensure that “History is not destroyed” in the guise of “Right to Forget” or “Right to Erasure” and that the nation preserves the value of all data created in India for whatever it is worth, including supporting Indian AI development.
Comments are welcome
Naavi