One of the hallmark features of the current Digital Era is that information and access to such information is practically unrestricted and permanently available. Such permanent nature of the cyberspace allows people to remember and recall the information at the tip of their fingers, which otherwise would have been irretrievable. However, this apparent permanence and ease with which information is available also makes it very difficult for individuals to keep certain kinds of information “private”.
Concepts like personal autonomy and privacy are a basic and inalienable part of human dignity and fall under basic Human Rights, protected by both National as well as International Law. However, with growing international and digital presence of corporations worldwide, several private companies collect large amount of data which is not only retained and stored, but is also used for Research and Development (R&D) purposes. .
The Right to be Forgotten (RTBF) comes as a remedy to this state of affairs. It is pertinent to note that RTBF does not exist in the international domain as an independent right but as a part of the Right to Privacy. However, the General Data Protection Regulation (GDPR) does recognise RTBF separately and in addition to the Right to Erasure.
Public International Law
Traces of RTBF can actually be found in parts of Article 17 and Article 19 of the International Covenant on Civil and Political Rights (ICCPR). Article 17 protects and safeguards the Right to Privacy and personal autonomy, dignity and choices of an individual against arbitrary Governmental action. Such Right to Privacy also transcends into and is inevitably linked to the right to control one’s Personal Information available in the public domain. The Right to Privacy pertaining to data revolves around four major principles:
- Collection Limitation Principle – The data that is collected from a person must be limited to only necessary and crucial information and, at the same time, the process of collection must be conducted fairly, lawfully and only after taking due consent of the Data Subject.
- Data Quality Principle – The data collected must be relevant to the purpose of use and limited to the exact information required.
- Purpose Specification – When the data is being collected, the purpose of such collection must be specified to the Data Subject and after the completion of such purpose, such data must not be shared nor should the data be used further for other, unspecified purposes.
- Security Safeguard Principle – The personal data of the Data Subject must be protected against risk of loss, unauthorized access, destruction and other use(s) for which the Data Subject has not provided his/her consent.
Further, the ICCPR talks about freedom of expression which, in and of itself, comes with the cost of restricting access to and protecting any information that could hamper the dignity of another individual.
RTBF, in the international domain, can be incorporated with regards to deletion of criminal records, information of defamatory or extremely personal nature, etc. Article 19 of the ICCPR recognizes that certain data and information have implications on privacy. However, it fails to provide individuals a distinctive idea of the concept of RTBF. It propagates the idea that individuals do not have the absolute right to control the information about them available in the public domain and, therefore, there is insufficient recognition given to RTBF under Public International Law.
European Union (EU)
In order to gain a holistic understanding of the evolution of RTBF internationally, it is also important to note that RTBF first gained prominence after the decision of the Court of Justice of the European Union (CJEU) in 2014, in the case of Google Spain et al v. Mario Costeja Gonzalez [C-131/12, ECLI:EU:C:2014:317] (Google Spain Case).
The primary issue in this case was that Google continued to display a particular result of an auction notice issued against the Respondent, even though the issue had already been resolved. The Respondent argued that his privacy was being breached by such information being readily accessible in the public domain and, hence, such information should be taken down. The CJEU held that where the information is “inaccurate, inadequate, irrelevant or excessive” with regards to the person, such person has the right to ask Search Engines (like Google) to take down such information about them.
As mentioned above, a semblance of recognition has been granted to RTBF in Articles 17 and 19 of the GDPR, wherein the Data Subject can ask the Controller to erase his/her/its personal data without any undue delay and the latter shall be obligated to do the same, and furthermore to communicate such erasure to each recipient to whom the personal data has been disclosed till then.
Specifically, Article 17 of the GDPR mentions the Right to Erasure and states that a Data Subject has the right to obtain, from the Controller, the deletion of certain data concerning him/her/it when such data:
- Is no longer necessary for the specified purpose;
- When he/she/it has withdrawn the consent to process such data;
- When there are no legitimate grounds for processing such data;
- When the said data has been processed unlawfully;
- When there exists a law, which requires the erasure of the said data.
When the decision of the CJEU in the Google Spain Case is read in conjunction with Article 17 of the GDPR, we see that the EU Law imposes a clear statutory obligation on the private entities collecting and processing the data in so far as such entities must mandatorily comply with the Data Subject’s Right to Erasure.
The law, however, neither mentions the process of such erasure nor how and from where such data must be erased. Further, with regards to Article 17(2) of the GDPR, if the Controller has made the personal data public, the Data Subject has the right to get erased all links and information that any other Controller(s) may have against him/her/it as well.
This request for erasure is not subject to any particular form and the Controller may not require the same to be made/submitted in any specific form. However, the identity of the Data Subject must be proven in a particular manner. If the identity is not proven, the Controller may either request more information or refuse to entertain such request to erase the information.
Further, according to Article 19 of the GDPR, the Controller must inform all the recipients of the data about the correction and/or erasure and ensure that they make the necessary changes at their end as well. The application of RTBF, however, is limited to some extent because of the limitations that come along with Right to Freedom of Expression and Information. Therefore, RTBF is usually limited with regards to legal obligations, public interest, research purposes, etc.
Article 4 (1) of the GDPR defines ‘personal data’ as any information which can help in identifying a natural person. Information such as name, location, any identification number, or other details pertaining to genetic, mental, cultural, economic, physiological, or social identity of that natural person comes under the ambit of ‘personal data’.
However, when someone seeks the erasure of any information available in the public domain, there is no clarity as to whether the will of the specific individual will prevail or the general Right to Information.
Further complications arise when personal data is incorporated in statistics and used for R&D purposes. In such cases, it becomes extremely difficult to argue which data can be ‘forgotten’ and to what extent. Moreover, Article 17(1)(a) also provides for deletion of data in case it is no longer required. The parameters for circumstances that satisfy the scope of the term “no longer necessary” are not clear and therefore, very subjective.
POSITION IN INDIA
Right to Privacy was only recognized in India in 2017, post the landmark judgement of the Hon’ble Supreme Court of India (SC) in the case of Justice K.S. Puttaswamy (Retd.) v. Union of India (AIR 2017 SC 4161) (Puttaswamy Case) wherein the SC recognized that the information belonging/pertaining to a person also has an element of personal autonomy and comes under the ambit of privacy. Therefore, such individual has a right to control the information about him/her in the public domain.
In the case of Subhranshu Rout @ Gugul v. State of Orissa (BLAPL No. 4592 of 2020, High Court of Orissa), wherein the Petitioner had allegedly raped a woman and uploaded photos and videos of the act on Facebook to blackmail her. After police intervention, the accused deleted the posts from Facebook and filed a Bail Application. However, even after the posts were deleted from Facebook, they were present and saved on the Facebook Servers, nonetheless.
The Orissa High Court observed that, although the concept of RTBF has been recognized internationally, yet in India, the concept does not have a solid basis so far. Further, even though the data pertaining to the crime committed has been deleted from a website, such deletion can in no way imply that the crime was itself not committed. The Orissa High Court was, however, seemingly in favor of RTBF since, in its opinion, the same would play a crucial role in safeguarding the victim’s interests and dignity over cyberspace.
Further, in the case of Bhanushankar Dave v State of Gujarat (2015 SCC OnLineGuj 2019), the Petitioner, wanting to exercise his RTBF, contended that the information pertaining to an old case law wherein he had been acquitted should be removed from a publication’s website. The Gujarat High Court did not per se recognize RTBF and stated that such removal would be a violation of the Right to Information and therefore cannot be carried out. Therefore, the Gujarat High Court held that websites cannot be restricted from publishing non-reportable judgments in the name of RTBF.
In the case of [Name Redacted] v. Registrar General (Writ Petition No.62038 Of 2016), wherein the rape victim’s name was requested to be removed from the official records, the Karnataka High Court recognized RTBF and stated that such information is personal information and, therefore, the victim has the right to control the same and, thus, ordered for the removal of the name from the judgement.
In the case of Jorawer Singh Mundy v UOI (W.P.(C) 3918/2021), a Single Judge Bench of the Delhi High Court recognised the Petitioner’s RTBF as a subset of his fundamental Right to Privacy. In doing so, the Delhi High Court has furthered the jurisprudence on RTBF in India, which has been previously adjudicated upon by various High Courts between 2016 and 2020, albeit unevenly.
Commendably, the Delhi High Court, for the first time, squarely framed the issue which “requires examination of both the Right to Privacy of the Petitioner on the one hand, and the Right to Information of the public and maintenance of transparency in judicial records on the other hand”. Framing the issue in this way and locating it within a post-Puttaswamy legal framework, in itself clears up the more foundational issues present in the previous judgments pertaining to RTBF.
The Personal Data Protection Bill, 2019 (PDPB) does attempt to recognize and give substance to RTBF. Section 20 of the PDPB gives an individual the right to restrict or prevent the continuing disclosure of personal data when the data has no purpose or no longer necessary, when such data was disclosed without the consent of the concerned individual, or when such disclosure is manifestly against the law.
The provision, however, would only be enforced when approved by an Adjudicating Officer and such Officer would have to consider the sensitivity of personal data, the scale of disclosure and accessibility that is sought to be prevented, role of the concerned individual in public life, relevance of such personal data in public as well as the nature of the disclosure and the activities of the individual.
In the backdrop of lack of privacy laws in India, this Bill comes as a ray of hope and the efficacy of the same shall depend on the manner in which it is implemented.
RTBF has been widely accepted as an inherent aspect of the Right to Privacy across several jurisdictions globally. However, it comes with its own set of challenges. For starters, RTBF is in direct conflict with both the Freedom of Expression under Article 19(2) as well as the Right to Information under Article 21 and, therefore, lies on a slippery slope.
There is, most definitely, a need to strike a balance between the various facets of Right to Privacy, on the one hand, and Right to Freedom of Expression or Information, on the other hand. Further, until the PDPB is passed by the Parliament, the law in place derived through the various judgements of the High Courts remains ambiguous and unclear. The High Courts have repeatedly expressed a stark difference in opinions with regards to the existence of RTBF as part of Right to Privacy or not and to what extent. Therefore, only a comprehensive law can address this issue with any sense of finality and build a pathway for the future evolution of the same.
For any query or feedback, please feel free to connect with firstname.lastname@example.org or email@example.com.