Introduction
The right to erasure, sometimes called the right to be forgotten, has occupied a central position in data protection discourse since the Court of Justice of the European Union articulated it in Google Spain SL v. Agencia Española de Protección de Datos (2014). In that landmark decision, the CJEU held that a natural person has the right to request that a search engine operator remove links to information about them that is inadequate, irrelevant, or no longer relevant, even when the underlying source material remains lawfully published. This delisting rather than deletion approach resolved, for the immediate purpose of search engines, the philosophical and technical problem of complete erasure from a distributed information ecosystem.
India’s Digital Personal Data Protection Act, 2023 approaches the right differently. Section 12(1)(b) of the Act grants the data principal the right to erasure of personal data provided to the data fiduciary, to the extent no longer necessary for the specified purpose or where consent has been withdrawn and no legal basis for retention exists. Section 13 provides that upon withdrawal of consent, the data fiduciary must cease to process data and cause the data processor to do so as well. These provisions establish the statutory right in broad terms; the implementing rules, still pending as of early 2026, are expected to define the procedural mechanics.
The gap between this statutory formulation and the technical reality of how data is stored, replicated, processed, and used in modern digital systems is substantial. This article explores that gap systematically: the architecture of distributed data systems and why erasure within them is technically complex, the conflict between erasure rights and legally mandated retention obligations, the particular problem of erasure in AI training data, and the regulatory and design choices that could make the right meaningful in practice.
Legal Framework
Section 12 of the DPDP Act grants data principals four rights: the right to access information about their data, the right to correction and updating of inaccurate or incomplete data, the right to erasure as described above, and the right to grievance redressal. These rights must be exercised through the mechanisms prescribed by the rules, which will likely include a standardised request format, defined timelines for fiduciary response, and escalation pathways to the Data Protection Board.
The right to erasure in Section 12(1)(b) is carefully circumscribed. It arises when personal data is no longer necessary for the specified purpose or when consent is withdrawn. It does not create an absolute right to demand erasure at any time for any reason; rather, it creates a conditional right tied to the lawful basis for processing. If a data fiduciary has a legal obligation to retain data, that obligation overrides the erasure right. If retention is necessary for the performance of a contract, erasure cannot be compelled before the contract is complete.
The interplay with retention obligations under other laws is significant. The Income Tax Act requires maintenance of financial records for prescribed periods. The Companies Act, 2013 requires preservation of certain categories of company records for periods ranging from 8 to 30 years. The Prevention of Money Laundering Act requires retention of KYC and transaction records for five years. The Banking Regulation Act and RBI directives require banks to retain customer records for defined periods. The Information Technology (Preservation and Retention of Information by Intermediaries) Rules, 2021 require intermediaries to preserve information involved in cybercrime investigations for 180 days or longer if directed. These retention mandates collectively mean that for a significant portion of personal data held by financial institutions, banks, regulated entities, and intermediaries, the right to erasure is legally subordinate to retention obligations.
Section 17 of the DPDP Act exempts state instrumentalities processing data in the interest of sovereignty, security, or public order from the operation of Sections 12 and 13, among others. This exemption means that the government, which processes vast quantities of personal data through Aadhaar, welfare databases, taxation systems, and law enforcement records, is not subject to the erasure right in most of its data processing activities.
Judicial Developments
The right to be forgotten has been addressed by Indian courts before the DPDP Act’s enactment, primarily in the context of requests to remove court judgments from online legal databases and search engine results. The Kerala High Court in Sredharan v. State of Kerala (2021) recognised a right to be forgotten in the context of a criminal acquittal, holding that a person acquitted of charges has a legitimate interest in having the case removed from public online databases, particularly when continued online visibility causes ongoing reputational harm disproportionate to any public interest.
The Karnataka High Court in Jorawar Singh Mundy v. Union of India (2021) ordered the removal of a judgment from Indian Kanoon and Google search results, where the petitioner had been acquitted and the continued online visibility of the judgment was causing professional harm. The court balanced the right to privacy against the right to access information, finding that the individual privacy interest prevailed given the acquittal and the passage of time.
The Delhi High Court has taken a more cautious approach in cases involving requests to remove information about civil proceedings, noting that court judgments form part of the public record and that the right to be forgotten must be balanced against transparency and the public’s right to know about judicial proceedings.
These decisions address the delisting dimension (search engine results and database indexing) rather than the deletion dimension (physical removal of data from storage systems). The DPDP Act’s right to erasure goes further, requiring actual deletion from the data fiduciary’s systems, not merely delisting from public access.
Contemporary Issues and Analysis
The technical complexity of erasure in modern data ecosystems is frequently underappreciated in legal analysis. Contemporary data architectures involve multiple layers of storage and replication that make complete erasure far more complex than deleting a record from a primary database.
Production databases are typically replicated across multiple geographic locations for resilience, meaning a deletion from one replica must propagate across all replicas, a process that takes time and depends on replication lag. Backup systems create periodic snapshots of production data, meaning that data deleted from the production database persists in backups until those backups are cycled out, which in enterprise systems may take months or years. Data warehouse and analytics environments receive copies of production data for reporting and business intelligence purposes; deletion from production does not automatically propagate to these environments. Log files generated by applications often contain fragments of personal data, including user actions, input values, and error messages, that are not structured as personal data records and therefore are not readily identifiable for deletion. Content delivery networks cache data at edge locations for performance purposes, creating additional copies that must be purged.
Distributed ledger and blockchain systems present a unique erasure challenge. By design, blockchain records are immutable; once written, data cannot be deleted from the chain without breaking the chain’s cryptographic integrity. Permissioned blockchain systems used in supply chain, financial, and healthcare applications increasingly store personal data, creating a direct conflict with erasure rights. Technical solutions proposed include storing personal data off-chain with only cryptographic hashes on-chain, and cryptographic deletion (destroying the encryption keys for data that cannot be deleted from the chain), but neither approach constitutes complete erasure in the traditional sense.
The AI training data problem is the most conceptually difficult erasure challenge. Once personal data is incorporated into the training corpus of a machine learning model, the model’s parameters embed statistical representations derived from that data. There is no technically feasible method to “un-train” a model by removing a specific individual’s data while preserving the model’s other capabilities. The model must either be retrained from scratch without the individual’s data (prohibitively expensive for large models) or the erasure request must be declined. Machine unlearning is an active research field, but techniques capable of reliably removing specific data points from large language models or other complex neural architectures while preserving model performance are not yet mature enough for production deployment.
This creates a profound challenge for data fiduciaries operating AI systems. If a company trained a fraud detection model on customer transaction data, and a customer subsequently withdraws consent and requests erasure, the company faces a technical impossibility if it must remove the customer’s influence from the trained model. The DPDP Act’s implementing rules will need to address this directly, either by creating exceptions for AI training purposes or by establishing “privacy by design” standards that prevent personal data from being incorporated into AI training without appropriate anonymisation.
Comparative and International Perspective
The GDPR’s approach to erasure under Article 17 is more detailed than the DPDP Act’s formulation. The GDPR lists specific grounds for erasure requests (data no longer necessary, consent withdrawn, data unlawfully processed, legal obligation to erase, data collected in relation to information society services from children) and specific grounds for refusing erasure (freedom of expression, compliance with a legal obligation, public interest, scientific or historical research, legal claims). This structured balancing framework provides more predictability than the DPDP Act’s general formulation.
The GDPR also addresses the AI training problem, albeit imperfectly. Recital 26 clarifies that anonymised data is outside the GDPR’s scope, and the draft EU AI Act (now enacted) addresses high-risk AI systems with requirements for data governance and management, including accuracy of training data and minimisation obligations. The tension between GDPR erasure rights and AI training has been the subject of several decisions by European Data Protection Authorities, with varying conclusions about when training data use is compatible with consent withdrawal.
The California Consumer Privacy Act (CCPA) and its successor CPRA grant California consumers the right to request deletion of their personal information, subject to exceptions for legal obligations, security, research, and internal uses compatible with the original collection context. The CCPA explicitly carves out data necessary to detect security incidents, fraud, and illegal activity, as well as data necessary to enable internal uses that are reasonably aligned with consumer expectations. These detailed exceptions provide clearer guidance than the DPDP Act’s more general framework.
Brazil’s LGPD article 18 provides similar erasure rights, with exceptions for legal obligations and legitimate interests. Brazil’s ANPD has provided guidance on the application of these rights to specific contexts including financial services and public sector data.
Practical and Policy Implications
For data fiduciaries in India, the operationalisation of the right to erasure will require investment in technical infrastructure and process redesign. Data mapping, the process of documenting where personal data exists across an organisation’s systems, is the foundation of any erasure capability. Without knowing where data resides, systematic deletion in response to requests is impossible. Most Indian organisations, outside the largest technology and financial companies, lack comprehensive data maps.
Identity verification for erasure requests creates a paradox: to process an erasure request, the data fiduciary must be able to identify the requesting individual in their systems. This requires retaining identifying information long enough to process the request, which itself involves processing personal data. The implementing rules will need to address how identity verification for rights requests interacts with data minimisation principles.
The consent manager framework in the DPDP Act could play an important role in simplifying erasure. If a data principal’s consent and data relationships are managed through a registered consent manager, the consent manager can relay withdrawal and erasure requests across multiple data fiduciaries simultaneously, reducing the burden on individuals of managing their data across fragmented digital services.
Suggestions and Reforms
The implementing rules should provide a tiered erasure framework, recognising the technical reality that “erasure” means different things in different contexts. For structured personal data in active databases, erasure should mean deletion within a defined timeframe. For backup copies, erasure should mean exclusion from restoration and deletion upon the next backup rotation cycle. For AI training data, erasure should mean removal from future training runs, with an obligation to retrain models when technically feasible and where the original data made a material contribution. For anonymised or aggregated data where re-identification is not reasonably possible, no erasure obligation should arise.
The rules should provide a specific exemption for erasure requests that are technically impossible or disproportionately costly to implement, subject to the data fiduciary demonstrating to the Data Protection Board that it has implemented privacy by design measures to minimise the personal data incorporated into technically complex systems.
Courts should develop the India-specific right to be forgotten for online information through a clear balancing framework that weighs the petitioner’s privacy interest, the length of time elapsed, the nature of the information, and the genuine public interest in access. The acquittal cases provide a useful starting point; extension of the principle to other contexts should be done carefully.
Conclusion
The right to erasure under the DPDP Act is both a meaningful legal entitlement and a technically difficult obligation. The Act’s formulation is appropriately flexible, but the flexibility will mean different things depending on how the implementing rules resolve the technical and legal tensions. The rules must confront the AI training problem directly, address the lifecycle of data across backup and analytics systems, and provide workable exceptions that prevent the right from becoming a tool for regulatory arbitrage while ensuring it remains substantive.
The deepest insight from comparative analysis is that erasure rights are strongest when they are paired with strong data minimisation requirements that prevent unnecessary data collection in the first place. The right to erasure is a cure; data minimisation is the prevention. India’s DPDP framework, when fully implemented, should prioritise both equally.