
Section 12 of the Digital Personal Data Protection Act, 2023

Right to correction and erasure of personal data under the Digital Personal Data Protection Act


The protection of personal data is the cornerstone of individual rights in the rapidly evolving digital landscape. The Digital Personal Data Protection Act, 2023 (DPDP Act) represents a significant stride in this direction, with Section 12 specifically addressing the right to correction and erasure. This comprehensive provision, when read alongside the Draft Digital Personal Data Protection Rules (DPDP Rules), establishes a robust framework empowering individuals to maintain control over their personal information in the digital ecosystem.

Right to Data Correction and Erasure

Section 12 of the DPDP Act establishes two fundamental rights for Data Principals:

  1. The right to correction, completion, and updating of personal data
  2. The right to erasure of personal data

These rights apply specifically to personal data for which the Data Principal has previously provided consent, including consent given under Section 7(a) of the DPDP Act. Notably, these rights must be exercised in accordance with any existing legal requirements or procedures.

Obligations of Data Fiduciaries Upon Receiving Correction Requests

When a Data Fiduciary receives a correction request from a Data Principal, three specific actions are mandated under Section 12(2):

  • Correction of inaccurate or misleading data: Ensuring the accuracy of personal information
  • Completion of incomplete data: Filling gaps in partial information
  • Updating of personal data: Ensuring information remains current and relevant

These obligations represent the operationalization of the Data Principal's right to maintain accurate personal information. The DPDP Act places the responsibility squarely on Data Fiduciaries to implement these corrections promptly upon receiving a request from the Data Principal.

Right to Erasure

The provision pertaining to the right of erasure under Section 12(3) requires Data Principals to submit requests "in such manner as may be prescribed." The prescribed manner is provided for in the DPDP Rules. Upon receiving such requests, Data Fiduciaries must erase the personal data, subject to two important exceptions:

  1. When retention is necessary for the specified purpose for which the data was collected.
  2. When retention is required for complying with any law currently in force in India.

This establishes the right to erasure as a qualified rather than an absolute right, balancing individual control with legitimate business needs and legal compliance requirements.

Time Period for Automated Erasure

Rule 8 of the DPDP Rules complements Section 12 by establishing a framework for automated erasure of personal data after specified periods of inactivity. This rule applies to specific classes of Data Fiduciaries processing personal data for purposes outlined in the Third Schedule.

As per Rule 8(1), Data Fiduciaries must erase personal data if, for the time period specified in the Third Schedule, the Data Principal neither approaches the Data Fiduciary for the performance of the specified purposes nor exercises any rights related to the processing of such data.

This automatic erasure is subject to two exceptions:

  1. When retention is necessary for the specified purpose for which the data was collected.
  2. When retention is required for complying with any law currently in force in India.

Rule 8(2) establishes an important procedural safeguard: Data Fiduciaries must notify Data Principals at least 48 hours before the erasure time period is completed. This notification must inform the Data Principal of the following:

  • The personal data of the Data Principal will be erased upon completion of the specified period
  • The erasure of personal data can be prevented if the Data Principal either:
    ○ Logs into their user account
    ○ Otherwise initiates contact with the Data Fiduciary for the performance of the specified purpose
    ○ Exercises rights in relation to the processing of their personal data

This notification requirement ensures that Data Principals have a final opportunity to prevent erasure if they wish to maintain their data relationship with the Fiduciary.

Procedural Framework for Exercising Rights

Rule 13 establishes the procedural framework through which Data Principals can exercise their rights under Section 12. This rule ensures that Data Fiduciaries and Consent Managers follow the principles of transparency.

1. Publication of the Procedure

Under Rule 13(1), Data Fiduciaries and Consent Managers must publish on their websites, applications, or both:

  • Details of the means by which Data Principals may request to exercise their rights
  • Any particulars required to identify the Data Principal (such as username or other identifier) under the terms of service

This transparency requirement ensures that Data Principals can easily locate and understand the procedures for exercising their rights.

2. Request Mechanism for Exercise of Rights

Rule 13(2) specifically addresses how Data Principals can exercise their rights to access information about personal data and its erasure. It stipulates that:

  • Requests must be made to the Data Fiduciary to whom consent was previously given
  • Requests must use the means published by the Data Fiduciary
  • Requests must furnish the particulars required by the Data Fiduciary for identification

This provides a structured pathway for Data Principals to exercise their rights while enabling Data Fiduciaries to verify the identity of requesters.

Our Opinion

Section 12 of the DPDP Act, read alongside Rules 8 and 13, establishes a robust framework for the correction and erasure of personal data in India. This framework recognizes the fundamental right of individuals to control their personal information while acknowledging legitimate reasons for data retention.

The provisions strike a delicate balance between individual rights and practical realities, creating obligations for Data Fiduciaries that are meaningful yet implementable. The automatic erasure provisions for inactive accounts represent a particularly forward-thinking approach, ensuring that data does not linger indefinitely in organizational databases.

However, several challenges may arise in implementing these provisions and rules. Foremost among them are the technical complexity of tracking inactivity periods across large data sets and the difficulty of determining the legitimate retention exceptions where data serves multiple purposes. In addition, smaller organisations will face resource constraints that might hamper their ability to comply with automated erasure obligations.

Nevertheless, as organizations implement these provisions and Data Principals begin exercising these rights, they will develop a more nuanced understanding of how these provisions work in practice. Regulatory guidance and judicial interpretations will further refine the parameters of these rights, ultimately contributing to a more privacy-respecting digital ecosystem in India.

Through the right to correction and erasure, the DPDP Act empowers individuals to participate actively in the management of their digital identities while providing organizations with clear guidelines on their obligations regarding personal data management.