New Digital Personal Data Protection rules issued, firms to erase user data after 3 years of inactivity
Platforms will be required to delete the personal data of any user who has not logged in or used the service for three consecutive years.
New Delhi: The government has issued new, detailed guidelines under the Digital Personal Data Protection (DPDP) Act, imposing stringent rules on data retention by e-commerce platforms, social media intermediaries, and online gaming companies.
Under the newly introduced guidelines, platforms will be required to delete the personal data of any user who has not logged in or used the service for three consecutive years. The regulation applies to online gaming companies with more than 50 lakh users, as well as social media and e-commerce platforms with more than two crore registered users in India.
Companies must give inactive users 48 hours' notice before deleting their data, and warn them that their data will be deleted if they don't use the platform within that time frame.
For digital platforms with more than 50 lakh users, known as significant data fiduciaries, the Act also establishes a higher compliance threshold.
To ensure their systems, algorithms, and procedures do not infringe on user rights, these organisations are required to conduct an annual audit and a Data Protection Impact Assessment. They must additionally verify each year that their technical measures remain safe and compliant.
Although the DPDP Act permits cross-border transfers of personal data, the government has made it clear that these transfers must follow rules that may be communicated regularly. This is especially true if user data is transferred to a foreign state or any organisation under the control of a foreign government.
The new regulations are part of the operationalisation of India's first digital privacy law and are meant to strengthen data governance and improve user protection across the rapidly growing digital ecosystem.
The government notified the rules for the Digital Personal Data Protection (DPDP) Act, formally operationalising India's first digital privacy law and setting the compliance clock ticking for companies handling user data.
Social media sites, online gateways, and any other organisations handling personal data are required by the new framework to provide users with a detailed explanation of the information being collected and clarify how it will be used.
"With the DPDP Rules now notified, Indian enterprises have a clear roadmap on how they collect, process, secure and govern personal data. The phased rollout is crucial, it gives organisations the space to operationalise privacy, recalibrate their data architecture and embed accountable fiduciary practices seamlessly," said Murali Rao, Partner and Leader, Cybersecurity Consulting, EY India.
(With IANS inputs)