The average person who clicks ‘delete’ on any account of theirs may think that this means that their account and data have been immediately deleted. However, in most cases this is not what happens. The deletion of data depends on what is known as a retention period, provided under specific laws which specify how long the data must be maintained. That is why it would be wise to exercise caution and due diligence before signing up for an account, because even if an individual has second thoughts and deletes their account, the data will remain on the servers of the entity whose service they signed up for. It is also important to read the section on data retention in the privacy policy of an entity, since some are vaguely worded, while others provide long retention periods.

The DPDP Act

For a long time, India did not have dedicated data privacy legislation. Even though it enacted legislation in 2023 and issued Rules in 2025, these were not effectively in force. On 13.11.2025, the Ministry of Electronics and Information Technology (MEITY) notified both the Digital Personal Data Protection Act, 2023 (DPDP Act) and the Digital Personal Data Protection Rules, 2025 (DPDP Rules). On the same day, it notified the establishment of the Data Protection Board of India (DPBI), and further specified that the DPBI would consist of four members. The DPDP Act provides citizens with the right to have their data deleted once they withdraw their consent or the purpose for which the data was collected is over. A specific right of erasure is also provided. However, the problem is the exception contained in the DPDP Act, which allows for longer retention periods under specific laws or regulations. This may render the safeguards ineffective.
The DPDP Act is an important development because it lays down that, unless the retention of data is necessary to comply with law, a Data Fiduciary (generally a company or service provider handling personal data) must erase personal data once an individual withdraws their consent or the purpose of collecting the data is completed, whichever happens earlier. The Data Fiduciary must also ensure that its data processor (the entity which processes data on its behalf) deletes personal data in its possession.

The exception contained in the DPDP Act ensures that if a sectoral regulator (such as the Securities and Exchange Board of India) has a specific retention period in its regulations, or the Union government has mandated a specific retention period in a law, the data must be maintained for that longer period. An individual may think that their data has been deleted once they withdraw their consent. However, this data will be maintained or archived on the servers of the Data Fiduciary for the specified retention period, which it is obligated to do. The provision dealing with data erasure will come into force from May 13, 2027 as per the Gazette Notification.

What happens when you delete a social media account?

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (2021 IT Rules) specify retention periods. If an individual opens an account with an intermediary (e.g. a company), then the registration information must be maintained for 180 days from the date of withdrawal of consent. The 2021 IT Rules also provide for situations in which records and information of content, to which access has been disabled or which has been removed for a violation of the specified rule, are to be maintained as evidence for investigation purposes for 180 days. This period can be longer if a Court or lawfully authorised Government agencies require the data to be retained for a longer period.
This means that, if triggered, data could be retained indefinitely for investigation purposes. Effectively, if an individual is using an App or a service on a smartphone and decides to delete their account, then the intermediary must maintain that information for 180 days from the date of deletion or termination of registration, and if the individual’s account has been flagged for a violation, then too the data must be maintained for 180 days.

Apart from using social media and Apps, perhaps the most vital part of people’s lives is dealing with banks. It is important to examine what the retention period is while dealing with financial information and banks.

What about financial data, such as Know Your Customer Data?

The Prevention of Money Laundering Act, 2002 (PMLA) provides for a retention period of 5 years from the date of the transaction between the client and the bank. However, specific master directions issued by the Reserve Bank of India (RBI) allow banks to maintain information for more than 5 years, and, for KYC data, for 5 years from the date on which the business relationship between a client and a bank has ended or an account has been closed, whichever is later. The RBI recently revamped all its master directions and issued consolidated entity-specific master directions. The RBI (Commercial Banks-Know Your Customer Directions (KYC)), 2025 provide a retention period of at least 5 years. The directions also have requirements to periodically re-conduct KYC depending on the risk profile of customers, ranging from two years for high-risk, eight years for medium-risk and ten years for low-risk customers. This can lead to a much longer retention period than the 5 years prescribed by the PMLA. It can contribute to uncertainty while complying with the provisions of the DPDP Act, since data will be periodically refreshed and retained in the systems of banks.
Similar provisions are found in other RBI master directions which have been recently updated. This demonstrates two things:
First, that the PMLA requires banks to maintain information for 5 years from the date of the transaction between the client and the bank;
Second, that the RBI has given liberty to banks to maintain data collected for more than 5 years without prescribing an outer limit.
This puts the data of customers who have banking relationships, even after the termination of that relationship, at an increased risk of falling victim to data breaches and the compromising of their data. Further, it goes against the spirit of the DPDP Act, which gives individuals a right of erasure except where specific laws are operating in the field.

The end of anonymity: VPNs

The Indian Computer Emergency Response Team (CERT-In) Directions 2022 require data centres, virtual private service providers, cloud service providers and VPNs to register the specified information and maintain it for five years or longer, if required legally. Crucially, while VPNs seek to guarantee privacy by hiding the Internet Protocol Addresses (IP Addresses) of their customers, these directions require them to maintain the IP Address allotted to the individual as well as their physical addresses. This means that anyone who registers for a VPN in India will have the information specified in the directions maintained for 5 years. Some VPN service providers have refused to comply and moved their servers out of India.

The indefinite retention of health data

The Indian Medical Council (Professional Conduct, Etiquette and Ethics) Regulations, 2002 provide a retention period of 3 years from the date of commencement of the treatment of patients. The Ayushman Bharat Digital Mission Consultation Paper on Proposed Health Data Retention Policy recommends a retention period of 10 years for the specified categories of health data.
What is interesting is that it proposes that medico-legal documents, immunisation records, clinical trials, birth registers, and death registers be retained permanently. It recommends a 10-year retention period for in-patient records after the last interaction/encounter. For minors, it recommends that the data be maintained till their 18th birthday or for 10 years, whichever comes later. For deceased patients, the retention period is 10 years after the last encounter. This Consultation Paper predates the DPDP Act and is not law. It will be interesting to see whether these suggested retention periods become a reality, considering the increasing prevalence of digital health records in India. Currently, under the Drugs and Cosmetics Rules, 1945 (Drugs Rules), prescriptions for restricted drugs are to be maintained by pharmacists for two years. A prescription is not a medico-legal document and will not have to be retained permanently. Certain registers and records under the Drugs Rules must be maintained for 3 years. However, these are not explicitly prescriptions.

The National Digital Health Mission: Health Data Management Policy specifies the kinds of records which are to be maintained. It does not appear to provide any specific retention period, which will only add to the ambiguity on just how long this data must be maintained. The policy specifies that personal data will be retained as long as is necessary to fulfil the purpose of the collection of data and not longer, unless consent is given or there is a legal obligation. Three possibilities arise:
Either the section of the DPDP Act which mandates that data be deleted immediately on withdrawal of consent applies to health data;
Or, data must be deleted on the fulfilment of the purpose for which it was collected;
Or, the retention periods under existing laws will apply to digital health data as well.
In view of this ambiguity, a specific retention period should also be provided for digital health data.

What about the right of erasure guaranteed by the DPDP Act?

The DPDP Act gives individuals the right to erase their data in accordance with the procedure prescribed by law. As discussed earlier, the DPDP Act also obligates a Data Fiduciary to delete data once consent is withdrawn or the purpose of collection of data is fulfilled. However, the effect of the law is diluted by an omnibus exception allowing specific regulation to override the Act, leading to longer retention periods. Read together, both provisions of the DPDP Act govern the regime of data retention. For instance, the Criminal Procedure (Identification) Act, 2022 provides a retention period of 75 years for biometrics. This is on the face of it excessive, considering that if a person is accused or suspected of having committed a criminal offence and the trial is pending, there will be a virtually indefinite storage of their biometric data. The Act does have an exception which provides for deletion of data if an accused is released without trial, acquitted or discharged after exhausting all legal remedies. The Rules under the Act provide the procedure to have data deleted. The main provision of the law does not cover the accused, but there is a section which effectively extends it to any person whom the Magistrate thinks should be directed to give their measurements for the purpose of investigation. Further, a holistic reading of the law indicates that this will cover even those accused of an offence. While this is good in theory, given the many years legal proceedings can continue in India, this retention period can be extremely long for sensitive categories of data. Also, having this data deleted, while possible in theory, may be more difficult in practice.
The three-pronged test for invading a citizen’s privacy

The Supreme Court of India in Justice K.S. Puttaswamy v Union of India (2017) laid down a three-pronged test to assess whether an intrusion into privacy is justified:
There must be legality, i.e. the existence of a law;
There must be a legitimate State aim; and
There must be proportionality, which ensures a rational nexus between the objects and the means adopted to achieve them.
Inordinately long data retention will be an invasion of privacy and must satisfy the test laid down by the Supreme Court. Clearly, a 75-year retention period for someone who is merely accused of an offence or is suspected of having committed an offence is not proportional to the object sought to be achieved. Similarly, each law or regulation laying down a retention period must be examined against the three-pronged test laid down by the Supreme Court. The requirement to delete data is integral to the DPDP Act, as is evident from its essence. However, individuals should be cognisant of the fact that simply deleting something at their end does not mean that it is actually deleted. It would be unrealistic to expect data to be completely obliterated the minute an individual deletes it, because organisations need to safeguard themselves legally. At the same time, however, there must be a single retention code which consolidates all retention periods in one place, to provide regulatory certainty to entities and individuals trying to navigate the multiple retention periods across different laws and regulations.

A consolidated government-provided retention code

India could consider consolidating all retention periods under Indian law and sectoral regulations into one uniform retention code, which would make compliance easier for entities and add greater clarity to the process. The MEITY could be tasked with notifying a retention code which could then be referred to by all stakeholders.
Further, this retention code should be harmonised with sectoral regulations and should avoid contradictions with the intent of the DPDP Act, which is to ensure deletion of data and to prevent indefinite storage of data. India must not lean towards having permanent retention periods for sensitive data such as health data and biometric data. There may be some documents or records which have to be retained permanently to safeguard against litigation risk, but that cannot be a ground for arguing for a permanent retention period in general. Having a MEITY-provided uniform retention code which is publicly available will make it easy for the general public to know the specific retention period relevant to them, so that they can make an informed decision on whether to provide their data to an entity. If we examine the retention periods in social media/smartphone apps, banking, and health, there is a trend: while the DPDP Act and the DPDP Rules in spirit are aimed at ensuring data deletion, the sectoral regulations are diluting this intent. This is also seen in the retention period of 3 years provided in the DPDP Rules, which require data to be deleted if the specified purpose is no longer being served and there is no contact between the individual and the Data Fiduciary. The DPDP Rules provide that a notice of 48 hours must be given before erasing the data, which gives an individual an opportunity to establish contact to keep their account active. Thus, having long retention periods conflicts with the intent of the DPDP Act and DPDP Rules to ensure that data does not unnecessarily linger in the hands of entities and be potentially compromised in data breaches. The fact is that data breaches are almost routine. Take for instance the data breach of Star Health in 2024, in which reportedly 30 million users’ data was leaked. The hacker also reportedly demanded a hefty ransom.
The Ayushman Bharat Consultation Paper’s suggestion that medico-legal documents be retained permanently will pose an immense privacy risk if implemented, given the digitisation of health records. A more reasonable period, in line with existing laws and regulations, should be considered. The need of the hour is to have reasonable and implementable retention periods across sectors which balance the interests of all stakeholders and a clear, consolidated statement about the same. Raghav Tankha is a technology lawyer specialising in data privacy. Views expressed are personal and do not constitute legal advice.