Right to Forget (Right to Erasure) under India’s DPDP Act

Debasish Pramanik ~ Modified: September 30th, 2024 ~ Data Privacy, Digital Personal Data Protection Act, DPDP ~ 4 Minutes Reading

The Right to Forget, also referred to as the Right to Erasure, is a critical aspect of the Digital Personal Data Protection (DPDP) Act, 2023. This right empowers individuals (data principals) to request the deletion of their personal data when it no longer serves its original purpose or when consent is withdrawn. The law ensures that individuals have greater control over their personal data.

The Right to Forget applies to both digital data and personal data originally collected in physical form and later digitized. This includes personal information stored across multiple sources like databases, workstations, and cloud environments.

When an individual exercises this right, the data fiduciary must delete or stop the further processing of personal data. For example, if an individual has provided their personal details to a service provider and later terminates the relationship, they can request the removal of all stored PII.

Right to Forget After Death

One important extension of the DPDP Act is how it may apply to personal data after the death of the individual. In many cases, an individual’s personal data continues to exist in various systems, such as social media accounts, financial institutions, and cloud storage, even after they have passed away.

The DPDP Act recognizes this challenge and grants the nominee or legal heirs of a deceased individual the right to request the erasure of that individual’s personal data. This provision ensures that the deceased’s data is not misused or exploited, offering a way to protect the privacy and dignity of individuals beyond their lifetime. Family members, nominees, or legal representatives can approach data fiduciaries to request the deletion of sensitive information such as financial records, identification numbers (like Aadhaar and PAN), and any other personal details stored by organizations.

For example, if someone has passed away, their family members or legal representatives may want to ensure that the individual’s social media accounts, personal emails, or online financial accounts are erased to prevent any potential misuse or unauthorized access. This right ensures a more secure digital environment for the deceased’s legacy and their families.

Exceptions and Limitations

While the Right to Forget is a powerful tool, there are certain limitations and exceptions where this right may not apply. These exceptions ensure that the data can be retained under specific circumstances, including:

  • Legal Obligations: If the data is necessary for complying with legal obligations, such as tax laws or court orders, it may not be eligible for erasure.
  • Public Interest or Research: In cases where personal data is required for public interest purposes, historical archives, or scientific research, it may be retained despite a request for deletion.
  • Legal Claims: If the data is essential for defending against legal claims or disputes, the data fiduciary may refuse to erase it.

These exceptions ensure that the Right to Forget doesn’t interfere with legitimate uses of personal data and strikes a balance between individual rights and broader societal needs.

Impact on Data Governance

For organizations, the Right to Forget introduces new challenges in terms of data governance. Businesses must implement processes and systems that can efficiently identify and delete personal data when requested. This applies not only to living individuals but also to data left behind after an individual’s death. Companies handling personal data must be prepared to honor erasure requests from legal representatives of the deceased, further emphasizing the importance of privacy-focused data management.

Failure to comply with these requests, including after an individual’s death, can lead to significant penalties under the DPDP Act. Organizations are required to balance privacy obligations with business and legal requirements, ensuring that personal data is not retained longer than necessary.