Right to Erase or Risk of Being Erased? The Flaws of Mandatory Data Erasure
- November 18, 2025
- Rajesh Vellakkat
The publication of the Digital Personal Data Protection Rules, 2025, in the Official Gazette on 13 November 2025 introduces, under Rule 8, a stringent set of erasure requirements for certain high-volume Data Fiduciaries—namely, e-commerce platforms and social-media intermediaries with 20 million users or more, and online gaming intermediaries with at least five million users. Under this rule, such entities must delete personal data unless its retention is legally required, and must initiate erasure when a user account has been inactive for three years. The process includes a mandatory 48-hour notice to the Data Principal, after which, if the user fails to log into the account, the fiduciary is obliged to erase the data.
Although this framework may appear at first glance to advance privacy protection, it raises significant concerns. The mandatory deletion of dormant accounts risks inadvertently destroying an individual’s digital history—personal records, communications, receipts, and documents that may hold long-term personal or legal value. A 48-hour response window is unreasonably short; a Data Principal may easily miss such a notification, or may be incapacitated, travelling, or otherwise unable to react within the allotted time. Rather than safeguarding individual rights, this provision could result in the irreversible loss of valuable information.
This approach also reflects a deeper conceptual confusion. The government appears to enforce data subject rights with a data fiduciary’s time-bound obligation to delete. Data erasure, under established global privacy norms, is fundamentally a user-driven prerogative—not a rigid, time-bound compliance burden imposed on organisations. Control over the fate of personal data should rest with the Data Principal, not be dictated by an automated regulatory timetable.
GDPR and most contemporary privacy regimes recognise the Right to Erasure as an individual right: personal data must be deleted when it is no longer necessary and when the individual expressly requests its removal. The obligation arises from the individual’s autonomy, not from a statutorily prescribed expiration period. By mandating deletion after a fixed period of inactivity, the DPDP Rules 2025 depart from this rights-based foundation and risk undermining the very autonomy they seek to protect. Lawmakers should not impose an arbitrary duration that automatically deems personal data no longer relevant.
This problem becomes even more pronounced in today’s digital environment. E-commerce receipts are often stored exclusively online within user accounts; warranty documents are maintained digitally; and cloud storage services allow users to keep important personal files, records, and archives in electronic form. A mandatory deletion requirement triggered solely by account inactivity could cause substantial inconvenience and, in many cases, irreversible harm to Data Principals who rely on these digital repositories.
Rule 8, therefore, requires urgent reconsideration. A policy intended to protect privacy should not inadvertently compromise personal autonomy, digital continuity, or the preservation of an individual’s historical and informational legacy.
The government appears to enforce data subject rights with a data fiduciary’s time-bound obligation to delete. Data erasure, under established global privacy norms, is fundamentally a user-driven prerogative—not a rigid, time-bound compliance burden imposed on organisations. Control over the fate of personal data should rest with the Data Principal, not be dictated by an automated regulatory timetable.
