Digital Personal Data Protection Act

Introduction

The phrase “data is the new oil” has created the misconception that every piece of data has value and should therefore be stored. Believing that data holds value, data-collecting entities of all kinds, such as individuals, companies, government departments and professionals, are in the habit of storing data indefinitely, beyond their regulatory obligations or operational needs, leading to data bloating. There are three primary reasons why they become data bloated: (i) the fondness to accumulate; (ii) the inertia to throw things away; and (iii) procrastination. Humans' hoarder's mentality towards all types of digital data, coupled with indolence, has resulted in worldwide data reaching an astounding 175 zettabytes as per the International Data Corporation's (IDC) report[1]. A zettabyte is equal to a trillion gigabytes. To grasp the magnitude, as per David Reinsel (Sr. VP of IDC)[2], if 175 zettabytes of data were put on discs, the resulting stack of discs could get us to the moon 23 times.

Data retention and absence of maximum period of retention in India

Maintaining data records as a legal requirement has existed for quite some time in India. Many Indian laws contain provisions with expressions such as “maintenance of record” or “preservation of register”, which mandate retention of data. Retention of data is a pan-sectoral practice: from the Minimum Wages Act, 1948[3] to the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021[4], an entity is required to retain data for a minimum time-frame. However, such laws and rules are usually silent on the maximum time-frame for retention of data, the consequences of indefinite retention, and so on.

Regulations such as the New Drugs and Clinical Trials Rules, 2019[5] require biotech companies to retain all data and records related to a bioavailability or bioequivalence study for a period of 5 years; the Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002[6] mandate medical doctors to maintain medical records of patients for 3 years. Such data retention regulations were usually designed in the absence of concerns regarding the privacy of the individuals concerned, which led to data being stored indefinitely.

What does the Digital Personal Data Protection Act, 2023 say about data retention?

The Digital Personal Data Protection Act, 2023 (DPDPA)[7], India’s novel privacy law, regulates the processing of digital personal data and prescribes the data protection rights of data principals.[8] It applies homogeneously to all entities which process[9] personal data, including by storing such data. Like global privacy laws such as the General Data Protection Regulation (GDPR)[10] in Europe or the Health Insurance Portability and Accountability Act, 1996 (HIPAA)[11] in the USA, the DPDPA imbibes the principles of storage limitation[12] and data minimisation.[13] These principles impose a duty on the data processing entity (or the data fiduciary[14]) to collect only the minimum amount of personal data required to deliver the service and to erase such personal data when all purposes relating to its existence are discharged. Many entities are already retaining data as per the requirements of their sectoral regulations. Usually such data sets also have a “personal data” component embedded, such as name, age and contact details, which brings them within the purview of the DPDPA and the data erasure compliances enshrined in it. Since the DPDPA’s objective and legal framework relating to privacy are entirely new, with no direct predecessor and no continuity or lineage from an already existing Indian law, the hitherto unheard-of data erasure mandate of the DPDPA will pose a challenge for all entities.

Data slimming for companies, an inescapable task for future

Entities have grown used to storing excess data because of the ease of storing it. The plummeting cost of storage has resulted in massive data junkyards in all organisations. With the advent of the DPDPA, the risks associated with leakage of old and archived data sets are much higher today. Prospectively, all entities will not only have to abide by the prescribed timelines but also craft an exhaustive data retention policy for their organisation/office. Jumping the signal here could lead to the entity being fined up to 5.2 million EUR[15] in Indian jurisdiction. In foreign jurisdictions, such as under the GDPR, the implementation of storage limitation is approached with seriousness and rigour; for example, the Finnish Data Protection Authority (DPA) fined[16] an online retailer EUR 0.8 million after investigations revealed that it had not specified a storage period for the data collected for the customer accounts of its online shop and was storing such data for indefinite periods in its systems.

Conclusion

Data erasure is a legal right[17] provided to data principals, and so it casts a duty on all data fiduciaries.[18] Data erasure can be achieved by data deletion, anonymisation or destruction. Deletion should not be confused with merely hiding data or putting it in the trash bin. Data deletion effectively includes a proof of deletion. Globally, the presence of standards such as the National Institute of Standards and Technology (NIST)[19] SP 800-88 or the Department of Defense (DoD)[20] 5220.22-M, and ever-evolving practices such as cryptographic shredding and auto-deletion triggers, bring to light the importance attached to letting go of data. Around the world, letting go of excess data has become a process owing to operational needs and privacy laws; in India too, entities will have to imbibe the idea of letting go of excess data for smooth data governance.
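The erasure mechanics mentioned above, as an added illustration that is not from the article or from any product: a per-principal key vault where cryptographic shredding destroys only the key, every shred writes a proof-of-deletion entry, and an `erasure_due` check applies the s.8(7) trigger (the earlier of consent withdrawal or the purpose ceasing, unless a statutory retention period still runs). The class and function names, the SHA-256 counter-mode stand-in cipher and the log format are all assumptions.

```python
import hashlib
import secrets
from datetime import date  # used by callers to pass trigger dates

class PrincipalVault:
    """Each principal's record sits under its own key; erasure destroys that key."""
    def __init__(self):
        self.keys = {}         # principal_id -> per-principal key
        self.blobs = {}        # principal_id -> ciphertext (may linger in backups)
        self.erasure_log = []  # proof-of-deletion entries

    @staticmethod
    def _keystream(key, n):
        # Stand-in stream cipher (SHA-256 in counter mode) so the example runs on
        # the standard library alone; a real deployment would use AES-GCM.
        blocks = (hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def store(self, pid, record):
        key = secrets.token_bytes(32)
        self.keys[pid] = key
        self.blobs[pid] = bytes(a ^ b for a, b in zip(record, self._keystream(key, len(record))))

    def read(self, pid):
        key = self.keys.get(pid)
        if key is None:
            return None  # key shredded: the blob can no longer be decrypted
        blob = self.blobs[pid]
        return bytes(a ^ b for a, b in zip(blob, self._keystream(key, len(blob))))

    def shred(self, pid, reason, today):
        # Proof of deletion: a hash commits to which key was destroyed, when and
        # why, without retaining the key itself.
        key_digest = hashlib.sha256(self.keys.pop(pid)).hexdigest()
        entry = {"pid": pid, "reason": reason, "date": today.isoformat(),
                 "key_sha256": key_digest}
        self.erasure_log.append(entry)
        return entry

def erasure_due(consent_withdrawn, purpose_end, legal_hold_until, today):
    # s.8(7): erase at the earlier of consent withdrawal or the purpose no longer
    # being served, unless another law still requires retention.
    if legal_hold_until is not None and today <= legal_hold_until:
        return None
    due = [d for d in (consent_withdrawn, purpose_end) if d is not None and d <= today]
    if not due:
        return None
    return "consent withdrawn" if consent_withdrawn == min(due) else "purpose served"
```

Because only the key is destroyed, stale copies of the ciphertext in backups or archives become unreadable at the same moment, which is what makes the logged entry a meaningful proof of deletion.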


*Manager, K&S Digiprotect Services Private Limited. Author can be reached at: chandrasekhar@knsdigiprotect.com

**CEO, K&S Digiprotect Services Private Limited. Author can be reached at: aman@knsdigiprotect.com.

1. As reported by the International Data Corporation; the relevant information is in Andy Patrizio, “IDC: Expect 175 Zettabytes of Data Worldwide by 2025” (networkworld.com).

2. The relevant statement can be accessed in this article, Andy Patrizio, “IDC: Expect 175 Zettabytes of Data Worldwide by 2025” (networkworld.com).

3. Minimum Wages Act, 1948, S. 18, requires an employer to maintain a record in a register of employee details, work hours and work performed, wages paid, etc. No maximum period of retention is applicable.

4. As per the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, R. 3(1)(b)(g), all social media intermediaries are required to retain all information regarding a user's registration account, post deletion, for a period of 180 days.

5. New Drugs and Clinical Trials Rules, 2019.

6. Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 made under Indian Medical Council Act, 1956 which is now National Medical Commission Act, 2019.

7. Digital Personal Data Protection Act, 2023.

8. Digital Personal Data Protection Act, 2023, S. 2(j), which defines the term as:

2. Definitions.— (j) “data principal” means the individual to whom the personal data relates and where such individual is—

(i) a child, includes the parents or lawful guardian of such a child; and

(ii) a person with disability, includes her lawful guardian, acting on her behalf.

9. Digital Personal Data Protection Act, 2023, S. 2(x), which defines the term as:

2. Definitions.— (x) “processing” in relation to personal data, means a wholly or partly automated operation or set of operations performed on digital personal data, and includes operations such as collection, recording, organisation, structuring, storage, adaptation, retrieval, use, alignment or combination, indexing, sharing, disclosure by transmission, dissemination or otherwise making available, restriction, erasure or destruction.

10. General Data Protection Regulation, 2016 (EU).

11. Health Insurance Portability and Accountability Act, 1996 (US).

12. The principle of storage limitation requires entities to limit storage of personal data to the extent that the purpose of storing such data is present. Once the purpose of storing such data is completed, such personal data can be erased or anonymised subject to applicable law. More information on this principle: Data Protection Principles, A Guide to the Data Protection Principles, “Principle (e): Storage Limitation”, UK Information Commissioner's Office (ico.org.uk).

13. The principle of data minimisation requires entities to collect the minimum amount of personal data which is required to deliver a service to an individual. More information on this principle: UK GDPR Guidance and Resources, Children’s Information, Children’s Code Guidance and Resources, Age-Appropriate Design: A Code of Practice for Online Services, “8. Data Minimisation”, UK Information Commissioner's Office (ico.org.uk).

14. Digital Personal Data Protection Act, 2023, S. 2(i), which defines the term as:

2. Definitions.—(i) “data fiduciary” means any person who alone or in conjunction with other persons determines the purpose and means of processing of personal data.

15. Digital Personal Data Protection Act, 2023, Schedule, Provision 7: any general breach of the provisions of the Digital Personal Data Protection Act, 2023 can attract a fine of up to Rs 50 crores, or around EUR 5.2 million.

16. The news report on the Finnish DPA's fine against the online retailer Verkkokauppa.com is “Finnish SA: Administrative Fine of € 856,000 for Failing to Define Storage Period of Customer Data” (edpb.europa.eu, 8-5-2024).

17. Digital Personal Data Protection Act, 2023, S. 8(7), prescribes the data erasure duty of data fiduciaries:

8. General obligations of data fiduciary.— (7) A data fiduciary shall, unless retention is necessary for compliance with any law for the time being in force—

(a) erase personal data, upon the data principal withdrawing her consent or as soon as it is reasonable to assume that the specified purpose is no longer being served, whichever is earlier; and

(b) cause its data processor to erase any personal data that was made available by the data fiduciary for processing to such data processor.

18. Data fiduciaries are entities such as companies, individuals, associations, government departments, etc. which decide the means and purposes of data processing. They usually also collect personal data themselves.

19. NIST stands for National Institute of Standards and Technology. It is a non-regulatory agency in the United States Department of Commerce. NIST develops and maintains standards for industries, including cybersecurity, engineering and physical science.

20. This standard is issued by the Department of Defense of the US Government.
