data protection India: DPDP rules: Ecommerce, gaming, social media platforms to delete personal user data after three years

Data fiduciaries such as ecommerce, online gaming and social media platforms will have to erase personal data of a user three years after it is no longer required, according to the draft rules of the Digital Personal Data Protection (DPDP) Act.The draft rules apply to ecommerce entities having not less than 2 crore registered users in India, online gaming intermediary having not less than 50 lakh registered users in India and social media intermediary having not less than 2 crore registered users in the country. These provisions pertain to Section 8 of the draft rules.

These data fiduciaries have to notify users at least 48 hours before erasing their data, allowing them to request for retaining the data if they wish to, like their profiles, email addresses and phone numbers, to access money, goods or services.

“At least forty-eight hours before completion of the time period for erasure of personal data under this rule, the Data Fiduciary shall inform the Data Principal that such personal data shall be erased upon completion of such period, unless she logs into her user account or otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose or exercises her rights in relation to the processing of such personal data,” according to draft rules.

A data fiduciary will protect personal data in its possession or under its control, including in respect of any processing undertaken by it or on its behalf by a data processor, by taking reasonable security safeguards to prevent personal data breach.

“On becoming aware of any personal data breach, the Data Fiduciary shall, to the best of its knowledge, intimate to each affected Data Principal, in a concise, clear and plain manner and without delay, through her user account or any mode of communication registered by her with the Data Fiduciary,” the draft rules read.

They need to inform users about the description of the data breach, including its nature, extent and the timing and location of its occurrence, the consequences relevant to her, that are likely to arise from the breach, the measures implemented and being implemented by the Data Fiduciary, if any, to mitigate risk, the safety measures that she may take to protect her interests; and business contact information of a person who is able to respond on behalf of the Data Fiduciary, to queries, if any, of the Data Principal.The DPDP Act was passed in Parliament in August 2023 and the government is seeking feedback on the draft rules through the MyGov portal till February 18, 2025.