Data PrivacyA Comparative Guide to Compliance with the Right to be forgotten in India

INTRODUCTION

Right to be forgotten (hereinafter referred to as ‘RTBF’) and Right to Erasure (hereinafter referred to as ‘RTE’), often used interchangeably, refer to one of the essential limbs of the right to privacy of a natural person as well as the right to protection from processing of their personal data and free movement of such data. The latter is considered a Fundamental Right as per Article 8 (1) of the Charter of Fundamental Rights of the European Union (hereinafter referred to as “EU”) and is also acknowledged in the Directive 2016/679 of the General Data Protection Regulations (hereinafter referred to as ‘GDPR’).

In India, the RTBF has been sporadically recognized by various High Courts in a litany of cases, for instance, in the State of Punjab. v. Gurmeet Singh and Ors (1996 AIR 1393), S.T. v. State of Kerala W.P. (C) (9478 of 2016), Sri Vasunathan v. Registrar General (W.P. 62038 of 2016), and Subranshu Raot v. State of Odisha W.P. (C) (4159 of 2020) to name a few. However, at the same time an adverse view of not of recognising the right has also been taken in cases such as Dave v. State of Gujarat (SCA 1854 of 2015).

With the recent enactment of the Digital Personal Data Protection Act, 2023 (hereinafter referred to as ‘the Act’), RTE has been officially considered as a recognized right of the data principal as per Section 12 of the Act. However, RTE as per Section 12 is limited in its scope as compared to the RTBF under Article 17 of the GDPR. Recital 66 of GDPR’s interpretation clarifies that RTE is a subset of RTBF and RTE is an effort to extend RTBF to the online environment.

COMPARATIVE ANALYSIS OF SECTION 12 OF THE ACT AND ARTICLE 17 F GDPR

A. Indian provisions on RTE

• Chapter III of the Act enshrines the rights and duties of the data principal. Understanding the scope of rights and duties of the data principal will aid in suggesting appropriate remedies in comparison to international compliance.
• Section 11 of the Act provides for the data principal to access information from the Data Fiduciary wherein they have the right to obtain their personal data, for which consent has been given freely, from the data fiduciary. They can avail this right by requesting the information in the provided manner:

1. A summary of personal data being processed and the processing activity undertaken

2. Identities of other data fiduciaries and processors with whom the data has been shared including the description of data shared

3. Any other information related to the personal data and its processing

• Section 12 of the Act provides for the Right to correction, completion, update and erasure of personal data for which consent has been obtained by the data principal and the right can only be denied in cases where its retention is needed for the specified purpose or for compliance with the law.

B. European Union provisions on RTE

• Article 17 of GDPR states that the ‘data subjects’ have the right to request for erasure of their personal data without any undue delay and the same should be promptly dealt with if the request complies with any one of the following conditions:

1. Data is no longer necessary for the purpose it was collected

2. Withdrawal of consent and no legal ground for processing

3. The data subject objects to the processing of data and there are no legitimate overriding grounds (equivalent to ‘Certain legitimate uses’ of the Act)

4. Data unlawfully processed

5. Data to be erased due to legal obligation

6. Data collected for informative society services as per Article 8(1).

• Further, Article 17 (2) requires the ‘controller’ to erase the data if it’s made public and further instruct other controllers to whom the data was shared.
• Article 17 (3) provides for exceptions wherein the data in question is needed for:
  1. Exercising the right to freedom of expression and information
  2. Legal obligation compliance or for carrying out a task in public interest or exercising official authority of the ‘controller’
  3. For public interest in area of public health
  4. For archiving in public interest, scientific or historical research purposes or statistical purposes and erasure is likely to render the latter purpose for processing impossible.
  5. For legal claims

Analysis

A bare perusal of the Indian law makes it apparent that it operates on a generalised application of data protection whereas the GDPR reflects a detailed provision addressing the majority of the concerns of the ‘data subject’. However, the most elemental difference is the lack of emphasis on the duration of compliance in India as compared to GDPR’s prioritization to protect their ‘data subject’ from the impact of undue delay.

Additionally, the RTE under GDPR is broad enough to include unlawful processing of data, i.e., data processing without the consent of the ‘data subject’ whereas in India, RTE exists only on digital personal data for which they have given consent for processing.

But above all, the scope of RTE in India is limited in comparison to the EU due to the core differences in the definition of personal data:

1. In India, the term ‘personal data’ only refers to digitalized personal data or physically collected data which is subsequently converted into a digitalized form

2. Whereas in the EU, it refers to personal data that will be processed through automated means either wholly or partly. Additionally, it also includes personal data which is or will be part of a filing system.

LEARNINGS FROM THE LEGAL COMPLIANCE OF GDPR BY MULTI-NATIONAL COMPANIES

1. Google

In 2014 there arose an infamous case concerning Google in the Court of Justice of the European Union which was Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González (2014), where the Court settled the question of whether RTBF is a right of the ‘data subject’ in the affirmative by clarifying the old directive 95/46/EC’s intention by upholding the following views:

a. Processing of personal data also includes activities undertaken by search engines, i.e., displaying results.

b. Data Controllers have the responsibility to remove content by virtue of RTBF, in certain circumstances

After the adaptation of the new directive of 2016/679, yet another case against Google came to the forefront, in the case of Google LLC v Commission nationale de l’informatique et des libertés (CNIL) (2019), this time originating in France, whereafter the geographical limitation of GDPR compliances was restricted within the EU.

The aforementioned case laws required Google, the biggest search engine aggregator of data, to substantially change its internal data collection and storing policies causing it to make the most robust RTBF compliance.

On their website, Google has essentially created a platform for their data subjects to put in a request for removal of their data from the search engine. Furthermore, Google has also created separate platforms for their other respective products. Google has also provided an RTBF Platform of social media intermediaries for user-friendly access, if the content to be removed is self-published.

It further explains how the decision-making process takes place while considering a request for removal. Most importantly, they process the request while considering the impact of such removal in terms of:

1. Role in public life

2. Source of information

3. Content age

4. Effect on Google’s users

5. Nature of the data being false or true

6. Sensitivity of the data

7. And any other consideration that they seem appropriate

In the form columns, specific URLs which the user wants to be removed should be pasted accompanied by the respective reasons for removal. Additionally, the combination of searches which results in the URLs are also to be removed if requested. After filling out the form, a digital signature is collected for the appropriate processing of the request.

2. Apple Inc.

After the introduction of GDPR in the EU, Apple introduced an entirely new webpage to their official website titled ‘data and privacy’ for its customers wherein mechanisms are provided to fulfil all corresponding obligations and compliances under the GDPR compliance by creating various forms within their website to fill in a request for:

1. Removal of data either temporarily or permanently (by deactivating or deleting your account),

2. Obtain a copy of your data stored with Apple,

3. Transfer a copy of your data,

4. Correct your data.

Interestingly, Apple has not limited compliance only in EU; rather, has allowed all the aforementioned services to customers around the world to avail their RTE.

3. Meta Platforms Inc.

Meta is the parent organisation for Instagram and Facebook, two of the most popular social networking sites. According to reports, at least 3.96 billion people use atleast on of Meta’s platforms, thus Meta as an MNC deals with the personal data of many people around the world. After GDPR, they revamped their privacy obligations and provided clear instructions on how their customers can choose to manage their personal data.

The methodology for having data deleted off of Meta platforms is different from its peer platforms. Meta provides clarity regarding its manner and conduct of collecting, storing and deleting data on their webpage titled ‘Meta Privacy Centre’. There are two primary ways in which data principles/users can have their data deleted from Meta products:

A. Selective Deletion

The users are provided the opportunity to selectively delete user-generated data such as texts or images uploaded as ‘posts’ on its three primary platforms – Facebook, Instagram, and WhatsApp. However, Meta does not clarify whether such user-generated content is deleted from its own records as well.

B. Account Deletion

A more effective alternative to selective deletion is Account Deletion where the users are provided an opportunity to permanently delete their entire accounts on the platform subsequent to which the respective Meta platform will stop showing the user’s account and the details contained therein to other users or third parties using the search options on the platform.

However, it must be noted that Meta does not completely delete data from its own servers. On their own website Meta acknowledges that it retains the user’s deleted data which it can use for its own commercial purposes or compliance purposes: –

“We keep information for as long as we need it to provide our products, comply with legal obligations or to protect our or other’s interests. We decide how long we need information on a case-by-case basis. Here’s what we consider when we decide:

• If we need it to operate or provide our products. For example, we need to keep some of your information to maintain your account.
• The feature that we use it for and how that feature works. For example, messages sent using Messenger’s vanish mode are retained for less time than regular messages.
• How long we need to retain the information for to comply with certain legal obligations.
• If we need it for other legitimate purposes, such as to prevent harm; investigate possible violations of our terms or policies; promote safety, security and integrity; or protect ourselves, including our rights, property or products

In some instances, and for specific reasons, we’ll keep information for an extended period of time.”

Thus, despite the GDPR provisions mandating RTBF and RTE, regardless of selective deletion or permanent account deletion, one cannot ensure complete removal of a user’s data from Meta’s servers and/or databases.

4. X (formerly Twitter)

X, previously known as Twitter, chose to have a different approach for its privacy compliance wherein it provides a platform to submit queries regarding privacy and personal data of the data subject for appropriate processing. Although, it does not explicitly mention ‘RTBF’ or ‘RTE’, it provides for ‘cancellation of data’.

It further provides for a separate portal to directly contact the Data Protection Officer at X if the user wants any particular action done regarding with respect to their data or regarding any other data privacy-related queries.

Amazon

In a similar vein to Meta, Amazon allows its user’s to permanently delete their account in lieu of deleting their data that is stored with Amazon. However, as an e-commerce company, it is legally required to retain data such as order history.

In addition to being an e-commerce website, Amazon also has a digital arm called Amazon Web Services (hereinafter referred to as “AWS”) which provides digital database and business infrastructure software to many companies; thus, Amazon indirectly deals with the data of not only its own users but also the data of its customer companies’ users. To ensure effective deletion of such customer’s user data Amazon uses its in-house Redshift software for compliance with data privacy regulations around the world.

Thus, for companies that purchase AWS-based capabilities, Redshift incorporates an architectural pattern with a strong foundation for protecting storage data. Furthermore, it assists in effective governance, data mapping, audit tracking, data discovery and findability, separate processing of Personally Identifiable Data (hereinafter referred to as ‘PII’) and non-PII, and most importantly has a robust data erasure mechanism wherein, Restricted backup, Physical and Logical deletes, Backup and restore is majorly simplified.

AMLEGALS REMARKS

EU, in 1995, via their directive 95/46/EC, acknowledged the fundamental right of natural persons to protect their personal data and its processing. In fact, in a revolutionary paper on privacy from 1890 titled “The Right to Privacy” its authors Samuel D. Warren II and Louis Brandeis, highlighted the dire need for the protection of privacy and personal data in the age of digitization. The jurisprudence, around the globe, is fairly clear on that standing.

However, in India, RTBF is accepted to the extent of RTE mentioned under Section 11 of the Act. The EU’s GDPR guidelines and the resulting compliance by various big MNC’s can act as a great aid for companies around the globe to incorporating the most efficient manner of protecting and processing data even in compliance with the upcoming Act in India. Interestingly, the actual compliance of the RTBF is undertaken during the processing of the request wherein the corporates evaluate an individual’s RTBF against its exceptions, as RTBF is not an absolute right.

Nevertheless, the fundamental tenet for operational procedures aimed at safeguarding customer data effectively lies in the expeditious processing of requests, devoid of any “undue delay.” Consequently, paramount among priorities, companies are obligated to guarantee the timely fulfilment of such requests.

– Team AMLEGALS assisted by Mr. Sashwat Banerjee & Ms. Devyani Mishra

For any queries or feedback feel free to reach out to mridusha.guha@amlegals.com or jason.james@amlegals.com