Un-learning the Data Principal:A Critical Analysis of Erasure Under the DPDPA, 2023

Authored BY: Soham Das

Jadavpur University, Kolkata, India

I. Introduction

Digital permanence forms one of the defining anxieties of contemporary life. Unlike physical records which are subject to decay, bureaucratic obscurity and the natural degradation of institutional memory, data stored in digital ecosystems persists indefinitely. A decade-old court filing, a retracted medical record, a youthful indiscretion captured in text: all remain easily accessible at any moment, across jurisdictions, by anyone with a browser. The law’s response to this condition has been uneven and in many respects, tardy.

India’s Digital Personal Data Protection Act, 2023 (hereinafter “DPDPA” or “the Act”) represents the legislature’s most consequential attempt to address this deficit. As the country’s first comprehensive statute governing the collection, retention, and deletion of personal data, it arrives against a backdrop of rapid digital growth, expanding state surveillance capacity and a Supreme Court mandate to legislate the privacy rights affirmed in the Constitution. At the centre of the Act’s architecture sits a provision of considerable analytical interest: the right to erasure or what the broader jurisprudential literature recognizes as the right to be forgotten. This right represents the individual’s legal entitlement to demand the deletion of personal data that is no longer relevant, accurate or lawfully necessary. Its articulation within the DPDPA, however, is structurally constrained in ways that warrant critical scrutiny. This article examines the statutory formulation of the right to erasure, evaluates its adequacy against comparative international frameworks, identifies the principal lacunae in the current legislative design, and proposes targeted reforms grounded in constitutional principle and comparative legislative practice.

II. Conceptual Origins and Constitutional Foundations

The right to be forgotten did not emerge as a doctrinally coherent concept until the information economy had already rendered personal data commercially valuable and institutionally indispensable. Its theoretical underpinning rests on the claim that individuals possess a legitimate interest not only in controlling the initial disclosure of personal information, but also in limiting the temporal reach of that disclosure. A right of access to one’s own data is hollow without a correlative right to demand its removal when the basis for its retention has expired. The concept received its most authoritative judicial articulation in Google Spain SL v. Agencia Espanola de Proteccion de Datos (2014), in which the Court of Justice of the European Union held that individuals may compel search engine operators to de-list links to personal information that is inadequate, irrelevant, or excessive in relation to the purposes of data processing, irrespective of the lawfulness of the original publication. The European Parliament subsequently codified this principle in Article 17 of the General Data Protection Regulation (GDPR), establishing an enforceable right of erasure with six independent grounds and carefully considered exceptions for public interest research, journalistic expression, public health and the establishment of legal claims.

India’s constitutional moment arrived by a different route. In Justice K.S. Puttaswamy (Retd.) v. Union of India (2017), a nine-judge constitutional bench of the Supreme Court unanimously recognized privacy as a fundamental right under Article 21 of the Constitution. Crucially, the Court’s analysis extended to informational self-determination, defining it as the individual’s authority to govern the collection, use, storage and dissemination of personal data. This formulation established not merely a philosophical aspiration but a justifiable constitutional entitlement, placing the burden on Parliament to enact legislation commensurate with its scope. The DPDPA must accordingly be evaluated against the demanding standard that Puttaswamy set.

III. The DPDPA’s Erasure Framework: Statutory Architecture

The DPDPA confers upon data principals, the natural persons to whom personal data pertains, a right to correction and erasure under Section 12 of the Act. Upon receipt of an erasure request, a data fiduciary defined as the entity that determines the purpose and means of personal data processing, is obligated to delete the relevant data. The obligation is however, subject to a material qualification: the fiduciary may retain the data where its continued storage remains necessary for the purpose for which it was originally collected, or where a legal obligation requires retention.

Section 6(4) furnishes a supplementary mechanism. A data principal who withdraws consent to processing is entitled to require the fiduciary to cease processing and to delete the data, unless an independent lawful basis for continued processing subsists. In practical terms, this consent-withdrawal mechanism operates as an auxiliary route to erasure, though it is properly characterized as a right incident to consent withdrawal rather than a freestanding entitlement to deletion. The Act further introduces a tiered regulatory structure by distinguishing between ordinary data fiduciaries and Significant Data Fiduciaries (SDFs): entities designated by the Central Government on account of the volume or sensitivity of the data they process, or the particular risks they pose to individual rights or national security. Significant Data Fiduciaries are subject to enhanced obligations, including the appointment of a Data Protection Officer, the conduct of Data Protection Impact Assessments, and periodic algorithmic audits. This graduated approach reflects a degree of proportionality in regulatory design that merits acknowledgment, even as its operational adequacy warrants scrutiny.

IV. Structural Limitations: A Critical Assessment

Notwithstanding its legislative achievements, the DPDPA’s erasure framework is subject to several structural limitations that materially diminish the practical force of the right it ostensibly confers. The most consequential deficiency is the Act’s exclusively purpose-bound formulation of the erasure obligation. The right to deletion activates only where continued retention is no longer necessary for the original purpose of processing. This construction places the determination of necessity principally within the discretion of the data fiduciary rather than the data principal. No independent mechanism requires the fiduciary to justify its assessment of necessity to a neutral adjudicatory body, and no presumption operates in favour of deletion upon the expiry of a reasonable retention period. By contrast, the GDPR’s Article 17 establishes six independent grounds for erasure, including a distinct right to object to processing predicated on the controller’s legitimate interests, which does not depend on demonstrating the illegality or irrelevance of the original collection.The DPDPA’s silence on objection-based erasure grounds leaves a significant gap in the individual’s arsenal of data rights. A second limitation flows from the Act’s foundational reliance on consent as the primary basis for lawful processing. While the consent framework is coherent within its own logic, the Act simultaneously recognizes a broad category of “legitimate uses” for which processing may proceed in the absence of consent: state functions, compliance with legal obligations, medical emergencies and employment-related purposes. Within these categories, no robust right of erasure attaches once the underlying justification for processing ceases to apply. Personal data collected during a declared public health emergency, for instance, may continue to be retained without adequate legal recourse for the individuals whose data it comprises. The Act does not resolve this question, and the omission is substantively significant. Thirdly, the protections afforded to children’s data while progressive in their prohibition on targeted advertising and behavioral monitoring, do not extend to individuals who have attained majority and seek to erase data collected during their minority.The absence of such a provision is inconsistent with the growing international recognition of enhanced informational autonomy rights for adults seeking to disassociate from their pre-majority digital records. Fourth, the institutional design of the Data Protection Board, the body empowered to adjudicate complaints and impose financial penalties, raises questions of adjudicatory independence. The Act’s provisions governing the appointment, tenure, and removal of Board members afford the executive a degree of structural influence that may compromise the Board’s capacity to function as an impartial rights-enforcement tribunal. In Shreya Singhal v. Union of India (2015), the Supreme Court affirmed that the meaningful protection of constitutional rights requires oversight mechanisms genuinely insulated from political contingency. The Board’s current constitution may fall short of this standard.

V. Situating India in the Global Landscape

A comparative analysis of data protection legislation situates India’s erasure framework in instructive relief. Across the three jurisdictions most relevant to this inquiry, the DPDPA occupies a median position: more developed than certain nascent frameworks, but more constrained than the most robust international precedents. The GDPR remains the most comprehensive legislative model for the right to erasure. Its six independent erasure grounds, obligation to notify downstream processors of deletion requests, and explicit de-indexing dimension, as affirmed in Google Spain, together constitute a procedurally robust framework. The regulation’s financial penalty structure, reaching up to twenty million euros or four percent of global annual turnover, operationalizes its substantive provisions with credible deterrent force.

China’s Personal Information Protection Law (PIPL), in force since November 2021, grants a deletion right under Article 47 operative in circumstances where the processing purpose is fulfilled, the retention period has expired, or processing was conducted without lawful basis. The PIPL’s enforcement architecture operates within a distinctive political context, but its substantive scope is broadly congruent with the European model and in several respects more explicit than India’s formulation. The California Consumer Privacy Act (CCPA) provides consumers with a right to request deletion subject to enumerated exceptions covering security research, the exercise of free expression, compliance with legal obligations, and other specified grounds. It is narrower in scope than the GDPR but considerably more operationalized than the DPDPA’s current formulation, particularly with respect to the mechanisms through which deletion requests are processed and communicated to third-party recipients.

India’s framework, measured against these comparators, reflects a statute shaped by the particular constraints of legislative consensus and administrative feasibility. Its tiered regulatory approach and accessible redressal mechanism are genuine virtues. The Act’s restrictive formulation of the erasure right and the limited downstream obligations it imposes, however, suggest a framework whose substantive commitments have not yet caught up with its constitutional ambitions.

VI. Reforming the Framework: Policy Recommendations

Three principal reforms merit serious consideration by Parliament and the relevant regulatory authorities. The first and most structurally important reform is the introduction of an independent objection-based erasure ground, modeled on the GDPR’s Article 21. This provision would entitle data principals to demand deletion where processing is predicated on legitimate interests rather than consent, and where the individual demonstrates that such processing causes disproportionate prejudice to personal privacy.Without such a ground, the DPDPA’s erasure framework will remain hostage to the fiduciary’s unilateral determination of what counts as necessary retention.

A second reform concerns cascading notification obligations. The current Act imposes no explicit duty on data fiduciaries to notify downstream processors and third-party recipients of erasure decisions. Without such an obligation, erasure at the point of primary collection is practically ineffective: the data continues to circulate among secondary recipients who face no legal compulsion to delete it. Parliament should amend the Act to require fiduciaries to transmit erasure requests to all downstream recipients who have processed the relevant data, thereby giving substantive content to what is presently a formal right. Thirdly, the institutional independence of the Data Protection Board requires legislative reinforcement. Statutory guarantees of fixed tenure for Board members, transparent and merit-based appointment processes, and restrictions on executive removal without parliamentary sanction would substantially strengthen the Board’s capacity to function as an impartial adjudicatory body. These reforms are not merely procedural: they are constitutionally mandated by the principle, affirmed across multiple Supreme Court decisions, that meaningful rights require genuinely independent enforcement.

The Central Government should additionally exercise its rule-making power under Section 33 of the Act to promulgate sector-specific erasure standards for health, finance, and telecommunications. In these domains, the persistence of inaccurate or obsolete personal data does not merely inconvenience data principals: it imposes concrete dignitary, financial, and physical harms that generic legislative provisions are ill-suited to address.

VII. Accountability Over Algorithmic Anarchy

The Digital Personal Data Protection Act, 2023 marks a formative development in India’s data governance landscape. Its recognition of the data principal’s right to erasure, its tiered regulatory architecture, and its provision of a relatively accessible redressal mechanism all represent genuine legislative progress. The Act is, in this sense, a foundation worth building on. The limitations identified in this analysis are equally real. The purpose-bound character of the erasure obligation, the absence of objection-based deletion grounds, the inadequacy of downstream notification requirements, and the institutional design vulnerabilities of the Data Protection Board collectively constrain the practical efficacy of a right whose constitutional necessity the Supreme Court has already confirmed. Statutory rights that cannot be effectively exercised are not rights in any meaningful sense; they are aspirations expressed in legislative language.

The path from aspiration to operationalized entitlement runs through judicial interpretation, regulatory elaboration, and legislative amendment. Courts must read the Act’s privacy provisions generously, in conformity with the constitutional standard established in Puttaswamy. The Data Protection Board must develop a body of practice that treats the deletion of personal data as the default condition, and continued retention as the exception requiring justification. Parliament must be prepared to revisit the statutory text as experience reveals its structural limits. Informational self-determination is a constitutional right. The law must ultimately be adequate to that description.

Reference(S):

Digital Personal Data Protection Act, No. 22 of 2023 (India) [hereinafter DPDPA].

THE DIGITAL PERSONAL DATA PROTECTION ACT, 2023 (NO. 22 OF 2023) An Act to provide for the processing of digital personal data in

Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD), Case C-131/12, ECLI:EU:C:2014:317 (May 13, 2014).

Google Spain SL v. Agencia Española de Protección de Datos – Global Freedom of Expression

General Data Protection Regulation, Regulation (EU) 2016/679, arts. 17, 83, 2016 O.J. (L 119) 1 [hereinafter GDPR].

GDPR

Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 SCC 1 (India).

JUSTICE K.S. PUTTASWAMY VS. UNION OF INDIA – South Asian Translaw Database – PRIVACY

DPDPA, supra note 1, s. 12.

Digital Personal Data Protection Act, 2023 DPDPA SECTION 12 WITH INTERPRETATION

GDPR, supra note 3, arts. 17(3)(a)-(d), 21.