In a move toward stricter data protection measures, the government is considering regulations that would compel online platforms to permanently erase personal data of users who have remained inactive on their accounts for three consecutive years.
Sources reveal that this initiative forms a part of the upcoming executive rules associated with the Digital Personal Data Protection (DPDP) Act, ratified as law in August this year.
One pivotal proposal suggests requiring online platforms to permanently delete personal data of users who haven't engaged with their accounts for three consecutive years. This applies to a wide range of online entities, including:
E-commerce companies
Online marketplaces
Gaming intermediaries
All social media intermediaries
This rule applies regardless of the platform's number of users in India, potentially impacting millions of accounts across various platforms. The move aims to empower users and give them greater control over their digital footprint, ensuring dormant data isn't retained indefinitely.
The draft rules are expected to propose two potential solutions:
One proposed method involves utilizing a digital locker system linked to a government-issued ID like Aadhaar. This approach would leverage existing infrastructure for age verification, potentially streamlining the process.
Alternatively, the draft rules might allow the industry to create its own electronic token system for age verification. However, such a system would require government approval and strict security measures to ensure its reliability and prevent misuse.
Exemptions from verifiable parental consent and age verification may be considered for certain entities, such as healthcare and educational institutions.
The proposed deletion regulation is expected to encompass a wide spectrum of online platforms, including e-commerce entities, online marketplaces, gaming intermediaries, and social media intermediaries. Notably, this rule would apply uniformly, regardless of the user count these platforms have in India.
While the DPDP Act awaits operationalization through at least 25 formulated rules, one significant aspect addresses age verification for minors accessing online services. The legislation mandates platforms to secure "verifiable parental consent" for individuals below 18 years, presenting a challenge for the industry, as the Act doesn’t prescribe methodologies for age-gating.
To address the age verification hurdle, authorities are considering two distinct approaches. One involves leveraging a digital locker system integrated with a government-issued identification, such as Aadhaar. The other envisages an electronic token system that requires government authorization. Interestingly, certain entities like healthcare and educational institutions might be exempt from the consent and age-gating prerequisites.
Central to these developments is the endeavor to draft comprehensive rules that ensure stringent data protection while addressing complexities, particularly concerning underage users. Establishing a robust consent framework remains a key focus, aiming to safeguard user data privacy while facilitating responsible digital engagement.
The forthcoming regulations, poised to define and fortify data protection protocols, are expected to engender debates within the industry regarding the practical implementation of age verification and data deletion mandates. They signify a concerted effort by authorities to augment safeguards around personal data in an increasingly digitized landscape.
The upcoming data protection rules represent a significant step towards establishing a robust data privacy framework in India. The proposals regarding dormant accounts and child protection highlight the government's commitment to balancing user rights with business interests. As the draft rules finalize and implementation commences, navigating these new regulations will require careful adaptation from online platforms and informed choices from users to navigate the evolving digital landscape responsibly.