
Regulatory Compliance

India's Data Paradox: Navigating CERT-In's Retention Mandates and DPDP's Privacy Principles - 2025-10-13

Subject : Technology, Media, and Telecoms - Data Protection and Cybersecurity


Supreme Today News Desk


NEW DELHI – A complex and challenging legal paradox is emerging for corporations operating in India, placing them at the intersection of stringent national security directives and a newly minted data privacy regime. On one hand, the Indian Computer Emergency Response Team (CERT-In) mandates extensive, long-term data retention for a wide array of digital entities. On the other, the Digital Personal Data Protection Act, 2023 (DPDP Act) champions principles of data minimization and purpose limitation. For legal and compliance teams, navigating this dual mandate is not merely a technical challenge but a critical exercise in legal interpretation and risk management.

The core of the issue lies in reconciling two distinct legislative philosophies. CERT-In's directives, issued under the Information Technology Act, 2000, are fundamentally security-driven. They compel organizations to act as data custodians for forensic and law enforcement purposes. In contrast, the DPDP Act positions organizations as fiduciaries of personal data, obligating them to collect and retain only what is necessary for a specified purpose. This creates a compliance tightrope, particularly for data-intensive sectors like HR technology and healthcare, where the lines between necessary processing, security logging, and privacy obligations are increasingly blurred.

The Mandate to Remember: CERT-In's Broad Retention Net

The directives from CERT-In establish a formidable data retention framework. The baseline requirement is sweeping: "all service providers, intermediaries, data centres, body corporate and government organisations" must enable and maintain logs of all their ICT systems securely within Indian jurisdiction for a rolling period of 180 days. This information must be readily available to CERT-In upon request or when reporting a cyber incident.

However, for specific categories of infrastructure and service providers, the obligations are far more onerous. For these, the directives impose a minimum five-year retention period. This extended mandate applies to:

  • Data Centres, Virtual Private Server (VPS), Cloud Service, and VPN Service Providers: These entities must maintain detailed customer information for "a period of 5 years or longer." This includes validated names, allotted IP addresses, the purpose for hiring services, and verified contact details.
  • Virtual Asset Service Providers (Crypto Exchanges): These firms are required to maintain all Know Your Customer (KYC) data and financial transaction records for five years. The rules demand that records be granular enough to reconstruct individual transactions, including IP addresses, timestamps, and time zones of the parties involved.

These requirements effectively transform a vast swath of the digital economy into a repository of historical data for potential state security and criminal investigation purposes. For legal counsel, this means ensuring that internal data management policies, infrastructure, and vendor contracts explicitly account for these long-term, India-specific storage and retrieval obligations.

The Mandate to Forget: The Rise of Data Privacy under DPDP

Juxtaposed against CERT-In's retentionist approach is the new privacy-centric paradigm of the DPDP Act. While the Act allows for data processing necessary for compliance with Indian law, its core principles echo global standards like the GDPR, emphasizing data minimization, purpose limitation, and storage limitation. Organizations are expected to erase personal data once the specified purpose for its collection is fulfilled and it is no longer required for legal or business purposes.

This creates a direct tension. For example, when an employee leaves a company, under a pure privacy framework, much of their personal data processed by an Applicant Tracking System (ATS) or internal HR platform should be deleted after a reasonable period. However, CERT-In's logging requirements may mandate that system access logs, IP addresses, and other ICT data associated with that former employee be retained for 180 days or longer.

The challenge is amplified in sectors like healthcare. The move towards digital credentialing for medical professionals involves processing highly sensitive personal information, including licenses, certifications, and background checks. A source notes that new regulations like the DPDP Act "require secure processing of patient data and stronger standards for records, access, consent, etc.," pushing healthcare organizations to adopt modern, secure systems. While these systems streamline compliance and reduce errors, they also centralize vast amounts of sensitive data that fall under both the DPDP Act's protection and CERT-In's purview.

Case Studies in Compliance: HR Tech and Healthcare

The practical implications of this legal duality are most apparent in the technology platforms that underpin modern business operations.

1. Applicant Tracking Systems (ATS): A Crucible of Compliance

Modern recruitment is powered by sophisticated ATS platforms that process millions of job applications. A comprehensive 2025 analysis of the ATS market reveals that security and compliance have become the top evaluation criteria for businesses, weighted at 25%. Platforms are now judged on their ability to provide "GDPR/CCPA compliance with documented audit trails" and adherence to standards like SOC 2 Type II and ISO 27001.

As one report on the subject states, "With 87% of data breaches in recruitment involving candidate personal information, ATS security has become a critical business risk factor." The report explicitly highlights the potential for fines up to ₹50 crores under India's DPDP Act, making robust compliance non-negotiable. An ATS operating in India must therefore be architected to:

  • Securely process and store candidate data according to DPDP principles (e.g., consent, notice).
  • Simultaneously log all system activities, including access and data modification, and retain these logs for 180 days in India as per CERT-In rules.
  • Provide functionality for data subject rights under the DPDP Act (e.g., right to erasure) while carving out exceptions for data that must be retained under the CERT-In directives.

2. Digital Credentialing in Healthcare: Balancing Efficiency and Data Protection

The healthcare sector's transition from manual, paper-based credentialing to automated digital platforms showcases a similar challenge. Digital systems offer immense benefits in efficiency, error reduction, and compliance tracking. They automate primary source verification (PSV) through digital integrations, conduct automated background and sanctions screening, and provide alerts for expiring licenses.

However, these platforms become repositories of extremely sensitive professional and personal data. One industry analysis warns of the inherent risks: "The management of sensitive and personal data and information entailing licenses, documents, IDs, etc., requires a robust protection system. If there is a breach of security, then companies will not just face huge data loss but also penalties and image damage."

For a hospital system using such a platform, its legal team must ensure the system can distinguish between the core credentialing data (which should be managed under DPDP's purpose limitation principle) and the system-level ICT logs (which must be retained under CERT-In's mandate).

A Framework for Legal Strategy

For general counsel and compliance officers, addressing this data paradox requires a multi-pronged strategy that moves beyond mere policy drafting into technical and operational integration.

  • Data Mapping and Classification: The first step is a rigorous data mapping exercise to identify what data is collected, where it is stored, and which legal regime applies. Data must be classified not just by sensitivity (personal, sensitive personal, etc.) but by its governing retention rule (e.g., "DPDP-General," "CERT-In-180 Day Log," "CERT-In-5 Year Crypto KYC").

  • Architecting for Compliance: Technology systems, whether built in-house or procured from vendors, must be designed with this legal duality in mind. This means demanding features like granular data lifecycle management, geographically specific data storage capabilities (for the "within Indian jurisdiction" rule), and robust, auditable logging that is segregated from core application data.

  • Vendor Due Diligence: The legal scrutiny applied to technology vendors must be intensified. Contracts should include specific clauses warranting compliance with both the DPDP Act and relevant CERT-In directives. Questions about data residency, encryption standards (e.g., AES-256), and certifications (SOC 2, ISO 27001) are no longer box-ticking exercises but central to mitigating legal risk.

  • Policy Harmonization: Internal data management policies must be updated to reflect this paradox. They should clearly articulate to employees and stakeholders why certain data is retained for extended periods, citing the specific legal obligation under CERT-In, while simultaneously affirming the company’s commitment to DPDP principles for all other personal data.
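The erasure carve-out described for the ATS above, and the retention-rule tagging suggested under "Data Mapping and Classification", come together in one piece of decision logic. The Python below is an added illustration written for this page; it is not code from the article, from CERT-In, or from any vendor the article cites. The retention-class labels and their periods are assumptions modelled on the article's own figures (a rolling 180 days for ICT logs, "5 years or longer" for the listed provider categories), and the records fed to it are constructed sample data. Whether a given record really falls under a CERT-In class is a legal determination that the code does not make; it only applies the tag it is given.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical retention classes (not an official taxonomy), one per governing rule.
# Values are holds in days; 0 means "no statutory hold: erase once the purpose is fulfilled".
# 1827 days covers any five-calendar-year span (at most two leap days), so the
# approximation errs toward keeping data rather than deleting it early.
RETENTION_DAYS = {
    "DPDP-General": 0,
    "CERT-In-180-Day-Log": 180,
    "CERT-In-5-Year-Customer-Record": 1827,
    "CERT-In-5-Year-Crypto-KYC": 1827,
}


@dataclass(frozen=True)
class Record:
    record_id: str
    subject_id: str          # the data principal the record relates to
    retention_class: str     # one of the RETENTION_DAYS keys, assigned during data mapping
    created: date
    purpose_fulfilled: bool = True   # DPDP: the specified purpose is complete


@dataclass(frozen=True)
class Decision:
    record_id: str
    action: str              # "erase" or "retain"
    reason: str              # text suitable for the response to the data principal
    eligible_on: Optional[date]   # earliest date the hold lapses, when retained


def decide(record: Record, request_date: date) -> Decision:
    """Apply the record's retention class to an erasure request made on request_date."""
    hold_days = RETENTION_DAYS.get(record.retention_class)
    if hold_days is None:
        # Untagged data is a data-mapping failure; refuse rather than guess.
        raise ValueError(f"unknown retention class: {record.retention_class!r}")

    if hold_days == 0:
        if record.purpose_fulfilled:
            return Decision(record.record_id, "erase",
                            "no statutory hold; purpose fulfilled", None)
        return Decision(record.record_id, "retain",
                        "purpose for which data was collected is not yet fulfilled", None)

    expiry = record.created + timedelta(days=hold_days)
    if request_date >= expiry:
        return Decision(record.record_id, "erase",
                        f"{record.retention_class} hold expired on {expiry.isoformat()}", None)
    return Decision(record.record_id, "retain",
                    f"retained under {record.retention_class} until {expiry.isoformat()}",
                    expiry)


def process_erasure_request(records, subject_id: str, request_date: date):
    """Return one Decision per record belonging to subject_id."""
    return [decide(r, request_date) for r in records if r.subject_id == subject_id]


def summarize(decisions):
    """Counts by action, e.g. for the acknowledgement sent to the data principal."""
    out = {"erase": 0, "retain": 0}
    for d in decisions:
        out[d.action] += 1
    return out


# Constructed sample data for a former employee ("emp-42") who asks for erasure on 2025-10-13.
SAMPLE_RECORDS = [
    Record("hr-profile", "emp-42", "DPDP-General", date(2024, 1, 15)),
    Record("auth-log-jun", "emp-42", "CERT-In-180-Day-Log", date(2025, 6, 1)),
    Record("auth-log-mar", "emp-42", "CERT-In-180-Day-Log", date(2025, 3, 1)),
    Record("kyc-2022", "emp-42", "CERT-In-5-Year-Crypto-KYC", date(2022, 5, 1)),
    Record("other-person", "emp-7", "DPDP-General", date(2024, 1, 15)),
]
REQUEST_DATE = date(2025, 10, 13)

if __name__ == "__main__":
    for d in process_erasure_request(SAMPLE_RECORDS, "emp-42", REQUEST_DATE):
        print(f"{d.record_id:14} {d.action:6} {d.reason}")
    print(summarize(process_erasure_request(SAMPLE_RECORDS, "emp-42", REQUEST_DATE)))
```

The point of the structure is that the answer to "can this be erased?" is a property of the record's retention tag, not of the request: the HR profile goes, the March access log goes because its 180-day window has already lapsed, the June log and the KYC record are held with a date on which they become eligible, and anything untagged is an error rather than a silent deletion or a silent keep.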

Ultimately, the directives from CERT-In and the principles of the DPDP Act are not a zero-sum game. They represent two sides of the same coin: building a secure and trustworthy digital ecosystem. For the legal profession, the task is to guide organizations in crafting the sophisticated compliance frameworks necessary to respect both sides of that coin, ensuring that the mandate to remember does not unlawfully eclipse the right to be forgotten.

#DataPrivacy #CyberLaw #DPDPAct
