In the current age of the Social Media, it is impossible for the information posted on the Internet to ever be truly ‘forgotten’. While such data can be put to use for numerous purposes, it can do more harm than good to the Data Subject (Owner of the data) if it is used in unethical ways and/or without his/her authorisation, in particular if such use is not in line with the intended use of such data, since it can adversely impact the Data Subject’s reputation, personal safety, etc. As a result, if the privacy of the Data Subject cannot be protected from the onset, an alternative can – and should – be granted to individuals by means of having the right to request/demand that their personal information must be erased retroactively.
The Right to be Forgotten (‘RTBF’), also known as the Right to Erasure, is a relatively recent and modern notion which suggests that individuals should have a civil right that consists of two components:
- The Right to De-List or Oblivion, which requires search engines like Google to remove requested URLs; and
- The Right to Erasure, which requires websites to delete confidential and personal information from their records.
In 2014, the European Union’s Court of Justice (‘CJEU’) pronounced a historic decision in Google Spain SL v. Agencia Espanola de Proteccion de Datos (AEPD) and Mario Costeja González (‘Google Spain Case’) that prompted an intense debate over the future of search engines and the collection and storage of personal data. Previously, the Internet was seen as a repository of lasting memories, but because of the overarching privacy values and growing concerns about unethical and unauthorised usage of the immense amount of data stored online and with corporations permanently, the European Union (‘the EU’) has been a vociferous proponent for the enactment and implementation of strengthened Data Protection Regulations in the past few decades.
The 21st century has witnessed India transitioning towards an ever-increasingly interconnected global digital world, where individuals’ decisions are inevitably inspired and affected by the Internet. In such a scenario, the Judicial System is under mounting pressure to safeguard its citizens’ rights, in particular when juxtaposed against the backdrop of the free-flowing exchange of information that the Internet has come to represent.
However, the Legislature as well as the Judicial System in India are still grappling with the development of a comprehensive Data Protection Regime/Framework in India. Given the nascent stage of this framework, it still – at first glance – does not come across as well-developed enough to encompass RTBF. To truly commence the process of including such a right under a new legislation, it would be crucial to balance the necessity for the said right against the current/existing legal framework and socio-political climate. It is mainly for this reason that the Indian Legislature as well as Judiciary have raised the issues pertinent to the Fundamental Right to Privacy several times, but with little impact.
GENESIS OF RIGHT TO BE FORGOTTEN
Pronouncement in the Google Spain Case (CJEU)
The Data Protection Directive, adopted in 1995, indirectly gave way to the RTBF, whose principal goal is to preserve Fundamental Rights while not impeding the free flow of data. In the Google Spain Case, the CJEU ruled that, under the Directive, Search Engines are “controllers,” and their activities clearly fall under the purview of “processing of personal information”.
Further, it was also held that the Data Subject may also request that URLs containing personal information that is “inaccurate, insufficient, irrelevant or excessive” in nature for the specific and intended purpose of data processing should be removed from specific Search Engines. Essentially, the CJEU’s reasoning was that an individual’s entitlement to Data Protection outweighed a Search Engine’s commercial interests. Furthermore, the CJEU has also explicitly declared that RTBF will not be utilised in a way that would result in a violation of other basic rights, especially that of freedom of expression and media.
Effectuation in General Data Protection Regulation, 2016
In April 2016, the General Data Protection Regulation (‘GDPR’) was enacted, superseding the Data Protection Directive, 1995. Article 17 of the GDPR incorporates RTBF as laid down under the judgement in the Google Spain Case. It gives people the right to decide what data to reveal to Data Controllers, especially Search Engines. The GDPR method implements RTBF by requiring the concerned Search Engine to promptly delete the link upon a request from the Data Subject and then proceed to consider the request on merits.
Moreover, the Search Engine is tasked with determining if the request is legally genuine and, further, with conducting the removal without alerting the person whose online material has been erased. Since the reasons for removing a link are not necessarily specified, the Search Engine has a lot of leeway and discretion in deciding whether or not to remove the same. The GDPR’s proposed RTBF makes no distinction between Personal Data made public by the Data Subject himself, on the one hand, and Personal Data made public by a Third Party, on the other hand. The GDPR mentions the need to balance RTBF as against the Freedom of Speech and Expression, but it does not include any guiding principles to assist private corporations.
CURRENT LEGAL FRAMEWORK IN INDIA
In the past couple of decades, India has witnessed several instances involving the Right to Privacy, which was read into Article 21 of the Constitution. This Right to Privacy was originally highlighted in the landmark case of Kharak Singh vs State of Uttar Pradesh (AIR 1963 SC 1295) (“Kharak Singh Case”) wherein Justice Subba Rao, in his dissenting opinion, observed that privacy is a component of personal liberty, even though the same has not been expressly provided for in the Constitution. He further observed that an infringement of such Right to Privacy hampers the very expression of a person’s innermost thoughts.
Although the roots of the Right to Privacy go as far back in Indian jurisprudence as the aforementioned dissenting opinion, and although the same has since been confirmed as a Fundamental Right by the Hon’ble Supreme Court (“SC”) in its landmark judgement in the case of (Retd.) Justice K.S. Puttaswamy vs Union of India [(2017) 10 SCC 1] (“Puttaswamy Case”), the current Data Protection framework in India, as enacted by the Information Technology Act of 2000 and the policies ensuing from it still do not fully reflect a recognition of an individual’s Right to Privacy, let alone his/her “Right to be Forgotten.”
After much discussion and deliberation and judicial inconsistencies on the matter, the Personal Data Protection Bill, 2019 (“PDPB”) was introduced, based largely on the Report of the Justice B. N. Srikrishna Committee, which finally attempts to grant formal protection to the Fundamental Right to Privacy and, in particular, to RTBF. This is primarily inspired by the General Data Protection Regulation of 2016 (“GDPR”).
Section 20 of the PDPB allows a Public Authority to prevent or restrict the ongoing disclosure of Personal Data in three circumstances:
- When the data has served its intended purpose;
- When the Data Principal/Data Subject retracts his/her consent for collecting, processing, and/or storing such Personal Data; and
- When the disclosure of such Personal Data violates any existing legislation.
To exercise the above-mentioned right, the Data Principal/Data Subject must submit an Application to the Adjudicating Officer, who will grant or deny the said Application based on the conditions outlined in the PDPB. The Adjudicating Officer(s) will use, inter alia, the following criteria to decide whether or not to exercise such right:
- The sensitivity of the personal information;
- The degree of accessibility sought to be constrained;
- The role of the Data Principal/Data Subject in public discourse;
- The relevance of such data to the general populace; and
- The nature of the disclosure and activities of the Data Fiduciary.
JUDICIAL PRECEDENTS ON RIGHT TO BE FORGOTTEN
RTBF was a foreign concept in India until 2015, when the Gujarat High Court, in the case of Dharmaraj Bhanushankar Dave v. State of Gujarat (SCA 1854 of 2015), while dealing with the deletion of a non-reportable judgement from a website, held that there can be no removal of such information since it will continue to remain on the database(s) of the High Court regardless. Despite the fact that no mention of RTBF was made in this case, it did implicitly allow for a discussion of this new notion.
Further, the Orissa High Court, in the matter of Subhranshu Rout @ Gugul v. State of Odisha (BLAPL No. 4592 of 2020), relying on the SC’s ruling in the Puttaswamy Case, raised the issue of an individual’s RTBF digitally, advocating for the enforcement of Article 21 of the Indian Constitution, which deals with the Right to Life and Personal Liberty, as a remedy for victims whose compromising information was available on the Internet. Although there is currently no statute recognising RTBF, it is in line with and compatible with the current judicial trends pertaining to the Right to Privacy in India.
Furthermore, in Zulfiqar Ahman Khan v. Quintillion Business Media Ltd. [CS (OS) 642/2018], the Delhi High Court acknowledged the “Right to be Forgotten” and “Right to be Left Alone” as fundamental aspects of the “Right to Privacy.” Later, in the case of Sri Vasunathan v. Registrar General [Writ Petition No. 62038 of 2016 (GM-RES)], the Karnataka High Court clearly acknowledged RTBF, albeit in a restricted sense, thereby granting the Petitioner’s request to have his daughter’s name redacted from a judgement concerning accusations relating to forgery. It was maintained that recognising RTBF would be similar to attempts in other “western countries” that seek to support this right in circumstances that would be sensitive in nature, involving people’s “modesty” or “reputation,” particularly that of women.
Similarly, in a Writ Petition filed before the Kerala High Court, RTBF was further recognised and the Petitioner’s request for the removal of his name from certain websites was allowed. Recently, Ashutosh Kaushik, a former contestant from popular Indian Reality-TV Shows, also petitioned the Delhi High Court to have his videos, pictures, and articles taken off the internet, invoking his “Right to be Forgotten” as an essential component of his Right to Life guaranteed and enshrined under Article 21 of the Constitution.
DOES THE RIGHT TO BE FORGOTTEN HAVE A FUTURE IN INDIA?
In essence, RTBF demands that the Right to Privacy and the Right to Freedom of Speech must be harmonised and balanced. The Right to Privacy, which has long since been recognised as a basic right in Europe, has not been crystallised either as a constitutional or a statutory right in India. However, landmark judicial precedents have resulted in the same being read into Article 21 of the Constitution as an inherent and essential component of the Right to Life enshrined therein.
Despite this fact, the growth and development of the jurisprudence and acceptance of this right have thus far been restricted to enforcement against Governmental monitoring alone. Thus, it would be safe to say that, so long as the Right to Privacy does not find a concrete representation in the laws of India, either by way of a specific legislation and/or regulation(s) protecting people’s Personal Data on online forums, any inclusion of RTBF in India would, ultimately, have a weak and insufficient foundation.
As proposed in the Draft Bill on Right to Privacy, 2014, the Right to Privacy must be entrenched statutorily in Indian jurisprudence and must extend to encompass both private individuals as well as the State. Furthermore, Data Protection Regulations, such as the Information Technology (Intermediary Guidelines) Rules, 2011, which currently only provide a bare minimum level of Data Protection, must be strengthened and defined more comprehensively and precisely. Such legal changes are necessary and of utmost importance in ensuring that the Right to Privacy and, in turn, RTBF is utilised carefully and balanced adequately against the Fundamental Right of Freedom of Speech & Expression.
While India contemplates the best methods to modernise its Data Privacy and Data Protection regime, enshrining the Right to be Forgotten may be more than just a tool to preserve personal privacy – there is a high likelihood that the same may also be misused as a powerful means of suppressing information and content. The prevailing ad hoc jurisprudence has also laid a lot of emphasis on the necessity for a well-structured Data Protection legislation since, in the absence of a clear legal direction, different and divergent perspectives on this issue are likely to emerge.
In such situations, current jurisprudence on the Right to Privacy as construed under Article 21 may be of little utility. Furthermore, while global trends have clearly showcased how important RTBF can be in giving people more control over their personal data and information stored online, it is also just as – if not more – important to ensure that the Right to be Forgotten must be limited to specific and special circumstances and must not clash with the Fundamental Right to Freedom of Speech & Expression guaranteed by Article 19.
For any query or feedback, please feel free to connect with firstname.lastname@example.org or email@example.com.