Authored By: Samrudhi Mohapatra
SOA University
Introduction
In 2021, a survivor of sexual assault filed a petition before the Delhi High Court seeking the removal of her name from online databases that had indexed old judicial records identifying her as a victim.[1] The court confronted a question that Indian law had not been designed to answer: does a person have the right to demand that accurate, lawfully obtained information about them be erased from the internet? The petition exposed a structural gap at the heart of Indian data protection law one that the passage of time and the proliferation of artificial intelligence have since made significantly wider.
Artificial intelligence systems now perform a function that was once the exclusive preserve of human memory: they aggregate, index, correlate, and indefinitely preserve personal data at a scale that no individual or institution could previously achieve. Search engines powered by machine learning resurface decade-old judgments within milliseconds. Recommendation algorithms re-expose sensitive biographical details to new audiences without the subject’s knowledge. Facial recognition systems link present identities to past records that individuals had every reason to believe were forgotten. In each of these contexts, the question of who controls personal data and whether a data subject may compel its deletion has become one of the defining legal questions of the digital age.
This article argues that the right to erasure, as currently articulated in Indian law, is structurally inadequate to address the challenges posed by AI-driven data retention and processing. The Digital Personal Data Protection Act, 2023 (DPDPA) introduces a statutory right to erasure for the first time in Indian law, but its scope is narrow, its exceptions are broad, and its enforcement mechanisms are untested.[2] Legislative reform, guided by comparative experience from the European Union and the United Kingdom, is necessary to establish a framework that is both workable and proportionate. The article proceeds as follows. Section II sets out the existing legal framework governing data erasure in India. Section III analyses the doctrinal difficulties that AI presents for each relevant provision. Section IV examines how selected foreign jurisdictions have responded. Section V proposes a framework for reform in the Indian context.
The Existing Legal Framework
Constitutional Foundations
The constitutional basis for data erasure in India derives from the right to privacy recognised by the Supreme Court in Justice K.S. Puttaswamy (Retd.) v Union of India.[3] The nine-judge bench held unanimously that privacy is a fundamental right under Article 21 of the Constitution. Crucially, the Court acknowledged that informational privacy the right of individuals to control information about themselves forms a distinct and protected dimension of this right. Several concurring opinions expressly contemplated that the right to be forgotten might fall within the scope of Article 21, though the question was left for further determination.
Subsequent High Court decisions attempted to operationalise this principle. In Jorawar Singh Mundy v Union of India,[4] the Delhi High Court directed Google India to delist search results linking the petitioner to old criminal proceedings in which he had been acquitted. The Court reasoned that continued indexing of the acquittal record interfered disproportionately with the petitioner’s right to reputation and dignity. However, the judgment lacked a clear doctrinal framework and did not specify the standard against which competing interests in the freedom of expression and the public record should be weighed.
The Digital Personal Data Protection Act, 2023
The DPDPA represents India’s first comprehensive statutory framework for personal data protection. Section 13 of the Act confers on data principals individuals whose personal data is processed a right to erasure, enabling them to request the correction, completion, or erasure of personal data that is no longer necessary for the purpose for which it was originally collected.[5] Data fiduciaries entities that determine the purpose and means of data processing are obliged to comply with such requests unless retention is required by law or for the performance of a legal obligation.
The Act also imposes a general duty of data minimisation on data fiduciaries under Section 8, requiring that only such personal data as is necessary for the specified purpose be collected and retained. Read together with Section 13, this creates a statutory architecture that in principle supports the erasure of data that has outlived its legitimate purpose.
III. Doctrinal Difficulties in the Age of AI
The Problem of Distributed Data
The most fundamental difficulty that AI-driven systems pose for any erasure framework is the distributed nature of modern data retention. When a data principal requests erasure from a data fiduciary, the statutory obligation in Section 13 of the DPDPA applies to that fiduciary’s own processing. It does not extend, at least not automatically, to third-party systems that have processed copies of the data, to AI models trained on the data before the erasure request was made, or to downstream databases populated by the original fiduciary’s disclosures.[6]
This gap is not merely theoretical. Large language models trained on internet-scraped datasets may incorporate personal information about identifiable individuals into their parameters in ways that cannot be reversed by simply deleting the original source. Machine unlearning the technical process by which a trained model is modified to remove the influence of specific training data remains an immature and computationally expensive technique. The DPDPA does not address this problem. The Act’s definition of “data fiduciary” is broad enough in principle to include AI developers and deployers, but the specific mechanisms by which erasure rights might apply to trained models are entirely unaddressed.
The Lawful Purposes Exception and Its Overreach
Section 13 of the DPDPA permits data fiduciaries to refuse erasure requests where processing is required for the performance of a legal obligation or for compliance with a court order. This exception, while necessary in principle, is drafted in terms broad enough to defeat a significant proportion of legitimate erasure claims. AI systems operated by government agencies, financial institutions, and healthcare providers frequently process personal data under statutory frameworks that impose indefinite retention obligations. In these contexts, the erasure right under Section 13 is effectively unenforceable.[7]
The DPDPA further permits data processing for legitimate uses under Section 7, a category that is defined broadly and subject to government notification. The interaction between this provision and the erasure right in Section 13 is not addressed in the Act, creating the possibility that data fiduciaries may invoke legitimate use grounds to resist erasure requests even where the original purpose for which data was collected has long since ceased.
Enforcement Mechanisms and Structural Weaknesses
The enforcement architecture of the DPDPA relies primarily on a Data Protection Board constituted under Section 18. The Board is empowered to adjudicate complaints from data principals and impose financial penalties on data fiduciaries. However, the Board is not yet operationally constituted, the rules governing its procedure have not been finalised, and the Act does not provide for a right of appeal to an independent judicial body at first instance.[8] For data principals seeking timely erasure of information that is actively causing harm such as survivors of abuse whose identifying information continues to circulate online this enforcement timeline is inadequate.
Comparative Perspectives
The European Union: A Graduated Framework
The most developed legislative framework for the right to erasure is Article 17 of the General Data Protection Regulation (GDPR), which the Court of Justice of the European Union (CJEU) has interpreted in a line of decisions beginning with Google Spain SL v Agencia Española de Protección de Datos.[9] The CJEU established that search engines are independent data controllers and that individuals may require them to delist search results linking their name to information that is inadequate, irrelevant, or excessive in relation to the purposes of processing. The standard requires a balancing exercise between the data subject’s rights under Articles 7 and 8 of the Charter of Fundamental Rights and the public’s right of access to information under Article 11.
The EU framework is notable for its explicit treatment of automated decision-making. Article 22 of the GDPR grants data subjects the right not to be subject to decisions based solely on automated processing, including profiling, which produces legal or similarly significant effects. While this provision does not directly address erasure, it reflects a legislative recognition that AI-driven processing raises distinct concerns that require specific statutory responses a recognition that is entirely absent from the DPDPA.
The United Kingdom: Post-Brexit Divergence
Following its departure from the European Union, the United Kingdom retained the GDPR framework as the UK GDPR, with modifications introduced by the Data Protection Act 2018. The Information Commissioner’s Office has issued guidance clarifying that the right to erasure applies to automated systems including AI-based processing tools, and that the lawful purposes exception must be construed narrowly and proportionately.[10] The UK approach offers a useful model for India because it demonstrates that a robust erasure framework can be maintained within a legal system that, like India’s, operates through common law traditions and a strong judicial review mechanism.
A Framework for Reform
This article submits that effective reform of the right to erasure under Indian law requires intervention at three levels: definitional clarity, expanded substantive scope, and meaningful enforcement.
First, the DPDPA should be amended to expressly define the obligations of data fiduciaries who operate or deploy AI systems that process personal data. The definition of “processing” in the Act should be clarified to include the training, fine-tuning, and deployment of machine learning models on personal data. Fiduciaries whose AI systems have been trained on data that is subsequently the subject of a valid erasure request should be required to implement reasonable technical measures to suppress the influence of that data in their systems, with a proportionality standard governing the extent of the obligation.
Second, the lawful purposes exception in Section 13 should be subject to a necessity and proportionality test, modelled on the standard applied by the CJEU in Google Spain. Data fiduciaries should be required to demonstrate not merely that a legal basis for retention exists, but that continued retention is proportionate to the data subject’s right to erasure in the specific circumstances. High-risk categories of data including health data, biometric data, and data relating to criminal proceedings should attract a heightened standard of justification.
Third, the Data Protection Board should be provided with the capacity and resources to adjudicate erasure complaints on an expedited basis. Interim relief including a temporary suppression order requiring a data fiduciary to restrict access to disputed data pending adjudication should be available as a remedial measure. Decisions of the Board should be subject to appeal before the High Court under Article 226 of the Constitution, ensuring that judicial oversight is available without requiring data principals to initiate original constitutional proceedings.
Conclusion
The right to be forgotten is not, as its critics sometimes suggest, a right to rewrite history. It is, more precisely, a right to proportionality the right to demand that personal data does not circulate indefinitely simply because it was once lawfully collected. In an era defined by AI systems that aggregate, retain, and resurface personal information at previously unimaginable scale, the adequacy of any data protection framework must be measured against this challenge.
The DPDPA represents a significant legislative advance over the prior absence of statutory data protection in India. However, its treatment of the right to erasure is insufficient to address the structural problems created by AI-driven data retention. The gap between the Act’s aspirations and its operational effect will widen as AI systems become more deeply embedded in public and private sector data processing. Reform along the lines proposed in this article definitionally precise, proportionality-grounded, and institutionally supported is both legally sound and practically necessary.
References and Bibliography
Primary Sources
Constitution of India, 1950, Article 21.
Digital Personal Data Protection Act, 2023 (Act 22 of 2023), Sections 7, 8, 13, 18.
General Data Protection Regulation (EU) 2016/679, Articles 17, 22.
Data Protection Act 2018 (UK), c 12.
Justice K.S. Puttaswamy (Retd.) v Union of India (2017) 10 SCC 1.
Jorawar Singh Mundy v Union of India & Ors, W.P. (C) 3918/2021 (Delhi High Court).
Google Spain SL v Agencia Española de Protección de Datos (Case C-131/12) [2014] 3 WLR 659 (CJEU).
Secondary Sources
Nripendra Misra, ‘Privacy as a Fundamental Right: Mapping the Puttaswamy Framework’ (2018) 30 National Law School of India Review 45.
Woodrow Hartzog and Evan Selinger, ‘Obscurity: A Better Privacy Framework for Big Data’ (2013) 93 Boston University Law Review 1.
Rosen J, ‘The Right to Be Forgotten’ (2012) 64 Stanford Law Review Online 88.
Information Commissioner’s Office (UK), ‘Right to Erasure’ (Guidance, March 2023) <https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/individual-rights/right-to-erasure/> accessed 25 May 2026.
Article 29 Working Party, ‘Guidelines on Automated Individual Decision-making and Profiling’ (WP251rev.01, 2018).
[1] See Nipun Saxena v Union of India (2019) 2 SCC 703, in which the Supreme Court directed that the identity of sexual offence survivors must not be disclosed; the broader issue of online indexing of prior judicial records has since been raised before several High Courts.
[2] Digital Personal Data Protection Act 2023 (Act 22 of 2023), s 13.
[3] (2017) 10 SCC 1 (nine-judge bench).
[4] W.P. (C) 3918/2021 (Delhi High Court, order dated 23 April 2021).
[5] DPDPA 2023, s 13(1).
[6] For the technical dimensions of this problem, see Cao Y and Yang J, ‘Towards Making Systems Forget with Machine Unlearning’ (2015 IEEE Symposium on Security and Privacy).
[7] DPDPA 2023, s 13(3)(b).
[8] DPDPA 2023, ss 18–27. As of the date of this article, the Data Protection Board has not been constituted.
[9] (Case C-131/12) [2014] 3 WLR 659.
[10] Information Commissioner’s Office, ‘Right to Erasure’ (Guidance, March 2023).





