The Centre may require online platforms to permanently delete personal data of users who have been inactive on their accounts for at least three years in a row.
The yet-to-be-released data protection rules suggest mandating permanent deletion of user data on various online platforms, as per media reports.
These rules, once released, are expected to extend to ecommerce companies, online marketplaces, gaming intermediaries and social media platforms, irrespective of the number of users they have in India.
The draft rules are expected to recommend permitting allied healthcare professionals, clinical establishments, medical educational institutes, healthcare professionals, health services, and mental healthcare establishments to utilise certain publicly available personal and non-personal data for purposes such as public health, evidence-based research, archiving, and statistical analysis.
The draft also proposes granting an exemption to educational institutes under the jurisdiction of the central government, state government, or any local authority, as well as those dedicated to “higher education,” research, scientific, and technical education, allowing them to process such data for research purposes.
In the event of a personal data breach, the draft rules may stipulate that the intermediary managing the data must promptly, within 72 hours of detecting the incident, notify the Data Protection Board (DPB) of the details, circumstances, and reasons surrounding the breach.
Reports indicate that the government is expected to release administrative rules for the Digital Personal Data Protection (DPDP) Rules soon, with the final version of the Bill expected to be notified by the end of the next month.
Last week, executives from social media and internet intermediaries engaged in discussions with senior officials from the Ministry of Electronics and Information Technology. Key topics addressed included child gating, the establishment of consent architecture, and the definition of rights and obligations for data principals.
After years of anticipation, India saw the enactment of its data protection law earlier this year. The DPDP Bill successfully passed in the Lok Sabha on August 7 and the Rajya Sabha two days later. Subsequently, on August 11, President Droupadi Murmu granted her assent to the Bill, officially transforming it into an Act.
The DPDP Act mandates the establishment of a Data Protection Board of India to oversee its implementation. In the event of a personal data breach, the board will play a pivotal role in investigating the matter and imposing penalties as deemed necessary.
The Act seeks to protect the privacy of Indian citizens. For breaches involving the misuse of citizens’ data or a failure to protect the digital data of individuals, the Act proposes a penalty of up to INR 250 Cr on entities.
The post Online Platforms Could Be Obligated To Erase Data Of Users Inactive For 3 Years appeared first on Inc42 Media.