AUTHORS, PUBLISHERS, AND DATA RETENTION: A LEGAL STUDY UNDER INDIA’S DIGITAL PERSONAL DATA PROTECTION ACT

Introduction

In today’s digital world, personal data has become one of the most valuable  and also vulnerable assets for businesses, governments, and online platforms. Every interaction conducted through digital systems generates information that can identify individuals, including names, addresses, financial records, identity documents, and communication details. As India’s digital economy continues to expand rapidly, concerns relating to privacy, misuse of information, unauthorized access, and data security have become increasingly important.

To address these concerns, India enacted the Digital Personal Data Protection Act, 2023 (DPDP Act). The legislation establishes a legal framework governing the collection, storage, use, processing, and deletion of personal data. Its objective is to protect the privacy rights of individuals while also enabling lawful and responsible data processing for business and governance purposes.

The law has particular significance for professionals working in creative industries, especially authors and writers, who routinely share personal information, unpublished manuscripts, research materials, and confidential communications with publishers and digital platforms.

What Is Personal Data?

Personal data refers to any information that can identify an individual either directly or indirectly. Under the DPDP Act, this includes information such as:

  • Names
  • Mobile numbers
  • Email addresses
  • Aadhaar details
  • Financial and banking information
  • Location data
  • Identity documents

The Act applies primarily to digital personal data processed within India. It may also apply to organizations located outside India if they offer goods or services to individuals in India.

As digital communication and cloud storage become central to business operations, the protection of personal information has become a critical legal and ethical responsibility.

Key Principles of India’s Data Protection Law

The DPDP Act is built upon several foundational principles intended to ensure responsible data governance.

Consent-Based Processing

Organizations must obtain clear and informed consent before collecting or processing personal data. Consent should be free, specific, informed, and capable of being withdrawn easily by the individual.

This principle ensures that individuals retain meaningful control over how their personal information is used.

Purpose Limitation

Personal data may only be used for the purpose for which it was originally collected. Organizations cannot repurpose data for unrelated activities without obtaining fresh authorization.

For example, if a publisher collects an author’s banking information for royalty payments, that information cannot later be used for unrelated marketing activities without consent.

Data Minimization

The law discourages excessive collection of information. Organizations should collect only the data necessary for a legitimate purpose.

Data Security

Entities handling personal information are required to implement reasonable safeguards to prevent unauthorized access, data breaches, leaks, or misuse.

Data Erasure

Personal data must be deleted once the purpose for which it was collected has been fulfilled or when consent has been withdrawn, unless another law requires its retention.

Rights of Individuals Under the DPDP Act

The DPDP Act grants several important rights to individuals, often referred to as “Data Principals.”

These rights include:

  • The right to access information regarding their personal data
  • The right to correct inaccurate or outdated information
  • The right to request erasure of personal data
  • The right to grievance redressal
  • The right to nominate another individual to exercise rights in certain situations

These rights strengthen transparency and provide individuals with greater control over their digital identities.

DATA PROTECTION AND THE PUBLISHING INDUSTRY

The publishing industry increasingly operates through digital systems. Authors regularly submit manuscripts, contracts, identity documents, financial records, editorial correspondence, and research materials electronically.

As a result, publishers often possess large quantities of both personal and professionally sensitive information belonging to writers.

This has created growing concerns regarding:

  • Privacy protection
  • Intellectual property security
  • Confidentiality of unpublished works
  • Long-term storage of author data
  • Unauthorized retention or use of manuscripts

In recent years, many authors have begun requesting data destruction certificates from publishers once contractual relationships end or projects are terminated.

What Is a Data Destruction Certificate?

A data destruction certificate is a formal document confirming that an organization has permanently deleted or destroyed specified data from its systems and archives.

In the publishing industry, such data may include:

  • Manuscript files
  • Unpublished drafts
  • Research materials
  • Contracts and correspondence
  • Financial records
  • Identity documents
  • Editorial communications

The certificate serves as evidence that unauthorized copies of the author’s materials are no longer being retained.

Why Authors Seek Data Destruction?

Protection of Intellectual Property

Unpublished manuscripts, concepts, and research may possess considerable creative and commercial value. Authors naturally seek assurance that unused material will not later be leaked, reused, or circulated without permission.

Privacy and Personal Security

Publishers often store sensitive information, including addresses, tax documents, and banking details. Writers increasingly wish to ensure that such information is not retained unnecessarily after the professional relationship concludes.

Contract Expiry and Rights Reversion

When contracts expire or publication rights revert to the author, many writers expect that unused materials and unnecessary personal information will also be deleted.

Growing Awareness of Privacy Rights

Global developments in privacy law, including the GDPR in Europe and India’s DPDP Act, have increased awareness regarding an individual’s right to request deletion of personal information.

Why Publishers Sometimes Refuse

Despite these concerns, publishers may refuse to issue formal data destruction certificates for several legitimate reasons.

Legal Retention Requirements

Publishing companies may be legally required to preserve certain records for accounting, taxation, audit, or legal purposes. Royalty records and contractual documents are often retained for many years.

Archival Policies

Some publishers maintain archives of manuscripts and editorial communications for operational, historical, or internal business reasons.

Ongoing Contractual Rights

Where a publisher still possesses active publishing or distribution rights, it may claim a continuing business interest in retaining related files.

Technical Limitations

Modern digital storage systems often include cloud backups and archival servers, making complete deletion difficult to guarantee with absolute certainty.

Absence of Industry Standards

Unlike sectors such as healthcare or finance, publishing does not yet follow universally accepted standards relating to data destruction certification.

Legal and Ethical Considerations

Even where publishers possess lawful grounds to retain certain records, transparency remains extremely important.

Ethical publishing practices should involve clear communication regarding:

  • What information is being retained
  • Why it is being retained
  • How long it will remain stored
  • Who has access to the information
  • What information has already been deleted

A complete refusal without explanation may damage trust between authors and publishers.

Rights of Authors Under Data Protection Law

Writers and authors possess important rights under modern data protection principles.

Right to Data Security

Authors have the right to expect publishers to protect their personal information and confidential materials through appropriate security measures.

Right to Transparency

Writers may seek information regarding how their personal data is stored, processed, and retained.

Right to Request Erasure

Authors may request deletion of unnecessary personal information and unused digital materials once contractual obligations have concluded.

Right to Confidentiality

Publishers should not misuse unpublished manuscripts, confidential drafts, or research materials without authorization.

Right to Seek Confirmation of Deletion

Although Indian law does not specifically require publishers to issue formal destruction certificates, authors may still request written confirmation that certain data has been deleted.

What Authors Can Do?

Authors facing refusal from publishers should adopt a structured and professional approach.

Review the Publishing Agreement

The first step is to examine clauses relating to:

  • Confidentiality
  • Data handling
  • Rights reversion
  • Manuscript retention
  • Contract termination

Submit a Formal Written Request

A professional written request should clearly specify:

  • What data should be deleted
  • Whether unpublished materials are included
  • Whether written confirmation is sought

Request Partial Confirmation

Even if a publisher refuses to provide a formal certificate, authors may still request:

  • Confirmation by email
  • A list of retained records
  • An explanation of the legal basis for retention

Seek Legal Advice

Where sensitive intellectual property or confidential materials are involved, consulting a lawyer experienced in publishing law, intellectual property law, or privacy law may be appropriate.

The Need for Better Industry Standards

As digital publishing continues to evolve, stronger standards relating to data governance and privacy are becoming increasingly necessary.

Both publishers and authors would benefit from:

  • Clearer contractual language
  • Transparent retention policies
  • Secure digital storage practices
  • Standardized deletion procedures
  • Responsible end-of-contract data management

Providing reasonable deletion confirmations can strengthen professional trust while balancing legitimate legal and operational requirements.

CONCLUSION

India’s Digital Personal Data Protection Act, 2023 represents a major step toward strengthening privacy rights and promoting responsible data governance. The law seeks to balance technological growth and innovation with the protection of individual privacy.

For authors and writers, the law is particularly important because publishers frequently handle both sensitive personal information and valuable unpublished creative material. Writers therefore possess legitimate concerns relating to confidentiality, transparency, intellectual property protection, and responsible data handling.

In India, authors often remain one of the most vulnerable sections of the creative community. Despite the existence of data protection and copyright laws, many writers feel that they receive inadequate practical protection. While legal frameworks exist on paper, effective implementation and enforcement continue to remain major challenges.

Authors frequently face difficulties in protecting their intellectual property, unpublished manuscripts, personal data, and contractual rights. Legal remedies are often slow, expensive, and difficult to pursue, particularly for independent writers who may lack financial or institutional support.

Ironically, those who contribute to society by creating literature, spreading knowledge, and shaping public thought are at times treated with neglect and insufficient professional respect. Concerns relating to unauthorized use of content, lack of transparency, weak contractual safeguards, delayed royalties, and poor data governance have created growing dissatisfaction within the publishing ecosystem.

These challenges have also affected the broader publishing industry. Increasing legal uncertainties, operational difficulties, digital piracy, and declining trust between authors and publishers have contributed to concerns about the long-term sustainability of publishing operations in India. Some publishing houses have reduced their presence or reconsidered their business strategies in the Indian market due to these structural and regulatory challenges.

Strengthening enforcement mechanisms, improving transparency, ensuring fair contractual practices, and creating stronger protections for authors’ rights are essential for building a healthier and more sustainable publishing environment in India.

As awareness of digital privacy continues to grow, the publishing industry may eventually need to adopt clearer and more standardized practices relating to data retention, deletion, and certification. They have no idea of Data Protection Act.

 

Shruti Desai

19th May 2026