[Vishal Patidar and Mohit Jain are fourth-year students at the National Law Institute University (NLIU), Bhopal. In this piece, the authors interrogate the procedural friction introduced by the Digital Personal Data Protection (DPDP) Rules, 2025, specifically regarding the storage limitation mandate. The piece argues that Rule 8(3) fundamentally undermines the protections of Section 8(7) of the parent Act by transforming data retention from a narrow exception into a generalized obligation for fiduciaries. By examining the impact on the right to erasure and the expansion of state access to personal data, the authors highlight how these new rules may nullify core principles of consent and notice. The analysis concludes that without immediate clarification, the current framework risks establishing a disproportionate data-retention regime that conflicts with the constitutional guarantee of privacy.]
INTRODUCTION
The Digital Personal Data Protection Act, 2023 (hereinafter DPDP Act, 2023) is the primary legislation governing the processing of digital personal data. The Long title of the Act mentions twin objectives of the Act, firstly to protect the digital personal data of the data principals and secondly, it places an obligation on data fiduciaries to process such personal data for lawful purposes and other connected purposes. On 14th November 2025, the Ministry of Electronics and Telecommunications notified the Digital Personal Data Protection Rules, 2025 (hereinafter DPDP Rules), which provides a procedural and operational framework for implementing the Act.
This paper argues that the Rule 8(3) of the DPDP Rules fundamentally undermines the storage limitation guarantee under section 8(7) of the DPDP Act, 2023 by converting data retention from a narrowly tailored exception into a generalized obligation. When read with Section 17(2)(a), this framework effectively nullifies the right to erasure and enables a disproportionate expansion of State access to personal data, raising serious constitutional concerns. It further examines the impact on data principals right to notice under Section 5, consent under Section 6, right to erasure of data under Section 8(7), and grievance redressal under Section 13 alongside the compliance obligations imposed on data fiduciaries unless addressed prior to full enforcement of the Act.
Storage Limitation Under the DPDP Act: Statutory Design
Section 8(7) of the Act mandates that personal data of the individual must be erased once the data principal withdraws consent or when the purpose for which the data was processed has been fulfilled, unless such retention is required under law. This section recognizes the principle of storage limitation which is a universally recognized principle in data privacy law such as General Personal Data Regulation, 2016 , California Consumer Protection Act, 2020, etc. and is a cornerstone of informational privacy. This principle of storage limitation rests on the idea that continued retention of personal data is an ongoing interference with the privacy of the individual and therefore must be justified.
The principle of storage limitation serves as a critical safeguard against the indefinite retention and potential misuse of personal data by both private and state actors. By ensuring that data is erased once its purpose is fulfilled, it minimizes the risk of unauthorized access and surveillance. Section 8(7) recognizes this idea by making erasure as the default rule once the legal basis for processing the data ceases.
How Rule 8(3) violates the principle of storage limitation?
The introduction of Rule 8(3) in the DPDP Rules, 2025 fundamentally alters the statutory position under section 8(7) of the Act by prioritising retention of the data over deletion.
Rule 8(3) is flawed on two grounds and risks violating the rights of various stakeholders, including the data principal:
The first Anomaly: Indiscriminate Application to All Data Fiduciaries:
The first anomaly in Rule 8(3) is its failure to distinguish between categories of Data Fiduciaries on the basis of scale, nature, and volume of data being processed by them. This distinction is also echoed under Article 30 and Recital 13 of General Personal Data Regulation, 2016. The distinction is reasoned on the fact that a large technology platform processing the data of millions of individuals stands on an entirely different footing from small and medium enterprises and startups processing the data of a few hundred, and both are distinct from entities formally designated as Significant Data Fiduciaries under Section 10 of the Act. Yet Rule 8(3) treats all of them identically, by imposing an obligation on all Data Fiduciaries to retain personal data (including log and traffic data) for a period of one year after the purpose has been served, without any regard to the scale, nature, or volume of data being processed. This blanket approach imposes a disproportionate burden to comply with the requirements set out under the rule upon small and medium enterprises, startups, and entities that lack sophisticated storage and adequate cybersecurity infrastructure.
This blanket approach stands in complete contrast to the risk-based compliance model that has been adopted by the UK’s Data Protection Act, 2018 read with the UK’s GDPR. Article 24 of the UK GDPR entails controllers to implement technical and organisational measures taking into account the nature, scope, context and purposes of processing, as well as the risks to the rights and freedom of natural persons. Further, Article 30(5), of the GDPR applied through the Data Protection Act, 2018, exempts those organizations that employs less than 250 individuals from record-keeping obligations unless the condition specified therein. These provisions ensure that the obligation to retain data is based on the scale and risk, by exempting organizations of smaller and medium sizes from the onerous obligations unless their processing poses risk to the rights of individuals since smaller organizations typically process limited volume of personal data, reducing the likelihood and severity of personal harms and therefore imposing full compliance burden on them would be disproportionate and could stifle business activity in addition to the fact that these organisations may lack the necessary infrastructure to store and protect such volume of data for a required period
Whereas under the DPDP Rules, it fails to incorporate any such kind of differentiation. Rule 8(3) becomes operationally impractical, even though the purpose of the collection of data has been served.
The Second Anomaly: Mandatory retention as the default rule:
Rule 8(3) requires the Data Fiduciaries to retain personal data of the data principals, along with the associated traffic data and logs, for a period of one year for the purposes specified in seventh schedule of the Rules, even if the purpose for which the data has been collected has been fulfilled or the data principal has withdrawn its consent. This shifts the principle of storage limitation as recognized under section 8(7) of the Act on its hat by making data retention as the default rule rather than a limited exception. The protection under section 8(7) of the Act for the erasure of the data is rendered ineffective when rule 8(3) is read together with section 17(2)(a) of the Act. The purposes specified in the seventh schedule such as the sovereignty and integrity of India, security of the state, and performance of functions under any law correspond directly with the grounds specified under section 17(2)(a) of the Act on which state instrumentalities are exempted from the application of certain provisions of the Act. Since Section 17(2)(a) operates as a notwithstanding clause, it overrides the obligation to erase the data of the individual specified under section 8(7), allowing mandatory retention of the data.
Though Section 8(7) permits the retention of the data where it is “required under law”, Rule 8(3) itself becomes that legal requirement. Once personal data is retained pursuant to rule 8(3), any subsequent access or its processing of the data is protected by section 17(2)(a) of the Act, rendering the obligation to erase unenforceable. What it leads to is that the right to erasure survives only on the paper, not in operation, wherever the interest of the state is invoked i.e. data retention becomes the rule rather than an exception. Further when such an exemption is invoked, data principals lose their rights to notice, informed consent, erasure and grievance redressal. Rule 8(3) ensures that personal data along with the metadata of the individuals is retained, at the same time section 17(2)(a) removes the obligation on the state to justify its actions or limit such retention. Rule 8(3) along with section 17(2)(a) neutralise the right to erasure on two counts, firstly by mandating retention and secondly by exempting state authorities from any kind of accountability.
FAILURE OF THE PROPORTIONALITY TEST:
The Supreme Court in the landmark case of K.S. Puttaswamy v. Union of India held that any infringement of the right to privacy enshrined under Article 21 must satisfy a three-fold test of legality, necessity and proportionality. Rule 8(3) fails the proportionality test on three grounds. Firstly, the grounds for retaining the data are vaguely defined, thereby permitting access for broad reasons such as “public order” or “security and integrity of the state” creating significant scope for abuse of these grounds. Secondly, unlike other jurisdictions like the United Kingdom, Rule 8(3) need not require any independent or judicial oversight prior to access of the personal data of individual by the state. Whereas in the UK, under the UK Investigatory Powers Act, 2016, authorities require a warrant to be issued by the secretary of the state to access communications data and a warrant is issued only after the secretary is satisfied that the access is necessary or proportionate to a legitimate aim, as defined under Section 19 of the Act.
Furthermore, Sections 20 and 21 of the Act render such a warrant legally ineffective unless it is approved by an independent Judicial Commissioner, who is mandated under this section to review the executive’s assessment of necessity and proportionality, creating a two-layer safety protection before the authorities could access the data. Section 87 of the Act, even at the stage of data retention, requires the issuance of notice of data retention only when the Secretary of state is of the opinion that such a retention is necessary and proportionate, while having regard to the level of intrusion as well as to the availability of less intrusive measures which could be used.
These ex-ante safeguards are further complemented by continuous ex post oversight exercised by the Investigatory Powers Commissioner under Part VIII of the Act, while the UK GDPR reinforces the principle of storage limitation as a default rule under Article 5(1)(e), that no personal data shall be retained after the purpose for which it is collected has been served. In complete contrast is Rule 8(3), which mandates the blanket retention of the data based on vaguely defined state purposes without any judicial authorisation or oversight, rendering the interference constitutionally disproportionate. Thirdly, a blanket one-year retention which is applicable to all data fiduciaries is manifestly excessive and is not the least intrusive measure which is available to achieve legitimate state objectives.
EMERGENCE OF A SURVILLENACE ARCHITECTURE
These anomalies in the rule 8(3) leads to several serious consequences. Firstly, it leads to the creation of permanent data trails without any transparency or oversight. The mandatory retention ensures the continued existence of personal data and logs, on the other hand section 17(2)(a) eliminates the duty to inform the data principal when such data is accessed or used. Thus, there is a possibility that data might be retrospectively accessed for broad state purposes without any contemporaneous necessity.
Secondly, Schedule 7 increases the discretionary power of authorities by using extremely broad and undefined terms such as sovereignty and security of the state, performance of any function under any law, disclosure of any information for fulfilling any obligation under any law, as these phrases lack pin pointedness and are wide in nature, and fall squarely within the vice of vagueness. As the Supreme Court held in Chintaman Rao v. State of Madhya Pradesh, a statute must be struck down as unconstitutional where the possibility of it being applied for purposes not sanctioned by the Constitution, cannot be ruled out. The importance of clear and definable standards has been described by the U.S. Supreme Court in Grayned v. City of Rockford as “if arbitrary and discriminatory enforcement is to be prevented, laws must provide explicit standards for those who apply them. A vague law impermissibly delegates basic policy matters to policemen, judges, and juries for resolution on an ad hoc and subjective basis, with the attendant dangers of arbitrary and discriminatory applications.” Schedule 7 leaves a wide room open for state access to personal data on grounds that no data principal can reasonably anticipate and no authority is meaningfully guided to apply.
Thirdly, it leads to the curtailment of the rights of data principals as they cannot seek their right to notice, grievance redressal etc because the purposes under Seventh Schedule align with state functions contemplated under Section 17, since Section 17 is a non-obstante clause having overriding effect over the chapter II of the Act, and resultantly the data principal is left without any protection
The cumulative effect of it is the emergence of a state-led surveillance architecture whereby the state, which has the duty to give effect to the right to privacy is the one who is taking it away.
WAY FORWARD
The structural anomalies within the DPDP Act and Rules suggest that the framework is tilting more toward institutional data retention than individual autonomy, in the veil of “data protection” law. To fix this, the first and most urgent step is to ditch the one-size-fits-all mandate of Rule 8(3). Instead of burdening a local startup with the same heavy storage costs as a tech giant, the government should adopt a risk-based model similar to the UK GDPR, where compliance obligations are calibrated to the scale and sensitivity of the processing.
Furthermore, we must address the surveillance architecture created by broad State exemptions. The blanket one-year retention period in Rule 8(3) is “manifestly excessive” and lacks the guardrails seen in more mature jurisdictions. A viable way forward is to introduce independent or judicial oversight, ensuring that any State access to retained data is actually necessary and proportionate. Without any judicial oversight to review executive decisions, the right to erasure remains a hollow promise wherever State interests are invoked.