Data PrivacyRight to be Forgotten in the Light of the Court of Justice of the European Union’s Judgment against Google

December 21, 20220

INTRODUCTION

The Right to be Forgotten (hereinafter referred to as “RTBF”) allows to have ones’ information removed from public sources such as online access, engines, libraries, blogs, or any other public platform, once the personal data in question is no longer required or relevant.

It was first established in the European Union (hereinafter referred to as “EU”) in May 2014 as a result of a judgment passed by the Court of Justice of the EU (hereinafter referred to as “CJEU”). The CJEU determined that the EU data protection law gives individuals the right to request search engines such as Google to remove certain results for queries such as queries relating to a person’s name.

Search engines must evaluate if the material in question is “inaccurate, inadequate, irrelevant, or excessive” when deciding what to delist, as well as whether there is a public interest in the information remaining available in search results.

In 2018, the EU introduced the General Data Protection Regulation (hereinafter referred to as “GDPR”). Article 17 of the GDPR establishes a ‘Right to Erasure’ akin to the one recognized by the CJEU under the older law that the GDPR superseded. Some countries outside the EU have also enacted similar laws as well.

WHEN DOES THE RTBF APPLY?

Article 17 of the GDPR defines the conditions in which the RTBF shall be applicable.  An individual has the right to have their personal data erased if any of the following conditions are met:

  • Personal data is no longer required for the purpose for which it was originally processed by an organization.
  • When an organization relies on an individual’s consent as the legal basis for data processing, that individual withdraws their consent.
  • An organization bases its processing of an individual’s data on legitimate interests, the individual objects to the processing, and there is no overriding legitimate interest for the organization to continue with the processing.
  • Personal data is being processed by an organization for direct marketing purposes, and the individual objects to this processing.
  • An organization unlawfully processed an individual’s personal data.
  • In order to comply with a legal rule or requirement, an organization must remove personal data.
  • To provide information society services, an organization processed a child’s personal data.

BACKGROUND OF RIGHT TO BE FORGOTTEN IN THE LIGHT OF CJEU’S JUDGMENT AGAINST GOOGLE

In the case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos [C-131/12], the CJEU established the RTBF in the current EU Data Protection Directive. It was determined that the legislation mandated a halt to the online publication of findings that were no longer relevant after a specific period of time, and the individual requested that they be removed. Google was viewed as an information regulator that had to respect people’s right to data ownership.

The verdict also raised controversy since it established a precedent for the EU’s power to uphold a judgment against an American company even if its servers are located outside of Europe. Google stated that no information was processed in Spain; it only maintained a sales office there, hence the EU information security requirement did not apply. Google has received over 2.5 million requests to remove data from Europe since the ruling.

On September 24, 2019; the CJEU issued two judgments concerning the so-called RTBF. This right, which was established by the same court in its landmark decision in Google Spain SL, Google Inc. v Agencia Española de Protección de Datos [Supra], is now entrenched in Article 17 of the General Data Protection Regulation (GDPR).

In GC and Others [C-136/17], four Applicants independently requested Google to de-reference numerous links to third-party websites holding sensitive data about them. The search results included a satirical photomontage of a former politician, an article naming an applicant as the Church of Scientology’s public relations officer, an article about a judicial investigation involving an applicant, and reports on a criminal hearing in which an applicant was found guilty of sexual assaults on children.

Because Google denied the requests, the applicants filed complaints before the Commission Nationale de l’Informatique et des Libertés (hereinafter referred to as “CNIL”). In Google v. CNIL [C-507/17], the CNIL issued a formal notice to Google, demanding that it remove links from search results globally, i.e., across all domain name extensions used by its search engine.

Google disagreed, limiting itself to deleting the links in question only from domain names belonging to versions of its search engine in the EU Member States, but it advised that this approach be supplemented by geo-blocking. This would block internet users with the Internet Protocol (hereinafter referred to as “IP”) addresses presumed to be in the EU from viewing the affected search results, regardless of the search engine version they use.

The decision in Google v CNIL [Supra] defines the territorial scope of the RTBF, whereas the case GC and Others [Supra] addresses the processing of sensitive data by search engine operators and the de-referencing of the data which interferes with the data subject’s rights to privacy and personal data protection is likely to be particularly serious due to the sensitivity of such data.

Applicability of  GDPR

GDPR is a set of legally binding regulations for the protection of individuals’ personal data in the EU. As the GDPR applies to all websites that attract European visitors, even if they do not particularly target EU nationals, all sites that attract European visitors should comply with it. The RTBF only applies to data held at the time of the request and it does not apply to data generated in the future. The right is not absolute and applies only in limited circumstances.

RTBF IN INDIA

In India, the debate over data protection and privacy was framed in the case of Justice K.S. Puttaswamy v. Union of India [(2017) 10 SCC 1], in which the Supreme Court declared the Right to Privacy as a fundamental right. Standing and Parliamentary Committees have also underlined in their reports the necessity for dedicated laws on data protection and privacy.

In the absence of a data protection law that limits the fundamental right to delete useless and defamatory private material from the online environment, the “RTBF” has received considerable attention in India. As a result of this case, it is evident that it is urgent to consider the RTBF as one of the fundamental rights that a data subject shall be entitled to.

However, organizations that possess sensitive personal data and fail to maintain proper security to secure such data, resulting in wrongful loss or wrongful gain to anybody, may be compelled to pay damages to the affected individual, according to Section 43A of the Information Technology Act of 2000.

The RTBF is not directly included in the notification of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 by the Government of India. It does, however, provide procedures for filing complaints with the designated Grievance Officer in order to have content that exposes personal information about the complainant removed from the Internet without the complainant’s agreement.

The Ministry of Electronics and Information Technology (hereinafter referred to as “MeitY”) recently presented another version of the Data Protection Bill called the Digital Personal Data Protection Bill (hereinafter referred to as “DPDP Bill”), 2022.

The DPDP Bill does not explicitly mention the RTBF according to which a data principal can request the data fiduciary to remove their personal data when it stops serving any fruitful purpose, or simply when the personal information is no more needed. However, the DPDP Bill has subsumed the RTBF under the “Right to Erasure”, wherein a data principal can ask for erasure or correction of their personal data.

PRECEDENTS ON RTBF IN INDIA

  • In Sredharan T v. State of Kerala [WRIT PETITION (CIVIL) NO. 9478 of 2016], the High Court of Kerala recognized the Petitioner’s RTBF as a part of the Right to Privacy and passed an interim order requiring Indian Kanoon to remove the name of a rape victim which was published on its website along with the two judgments rendered by the Kerala High Court in the Writ Petitions filed by her in order to protect her identity.
  • In Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Limited., [CIVIL SUIT (OS) 642 of 2018], the Delhi High Court noted the Plaintiff’s Right to Privacy, of which the “RTBF” and the ‘Right to be Left Alone’ are inbuilt aspects, and guided that any republishing of the content of the originally disputed articles, or any abstract therefrom, as well as altered forms thereof, on any print or digital/electronic platform be held back during the pendency of the current suit.
  • In Jorawer Singh Mundy v. Union of India [WRIT PETITION (CIVIL) NO. 3918 of 2021], the Delhi High Court granted the right to an Indian-American citizen to have a judgment removed from the platforms of Google, Indian Kanoon, and in, as he had been an accused in the case, but eventually had been acquitted. The Court gave an interim relief and directed the said removal of the platforms by recognizing the individual’s right to privacy under Article 21 as it was hampering the professional life of the litigant.

AMLEGALS REMARKS

The RTBF is typically utilized against a private individual (a media or news site). This raises the question of whether basic rights, which are normally enforced against the state, can be applied to private individuals.

Online indexes may become the “judge, jury, and executioner” of the RTBF in the absence of proper regulatory safeguards. There are disadvantages to imposing such dynamic authority on a private substance, especially given the necessity to balance competing liberties, which is frequently the domain of courts.

However, there are real benefits to RTBF as well. The RTBF can provide reassurance of safety and can help to improve organization and independence. When it comes to internet-based personal data and psychological profiles, both state and non-state artists have extensive capabilities.

It is the responsibility of Governments and lawmakers to protect the RTBF and the Right to Privacy as a whole, lest people lose their ability to manage their identity and personal integrity. Moreover, individuals should have ownership of their personal information. The RTBF thus empowers people to regain control over their digital lives.

– Team AMLEGALS assisted by Ms. Shreya Verma(Intern)


For any queries or feedback, please feel free to get in touch with mridusha.guha@amlegals.com or falak.sawlani@amlegals.com.

Leave a Reply

Your email address will not be published. Required fields are marked *

© 2020-21 AMLEGALS Law Firm in Ahmedabad, Mumbai, Kolkata, New Delhi, Bengaluru for IBC, GST, Arbitration, Contract, Due Diligence, Corporate Laws, IPR, White Collar Crime, Litigation & Startup Advisory, Legal Advisory.

 

Disclaimer & Confirmation As per the rules of the Bar Council of India, law firms are not permitted to solicit work and advertise. By clicking on the “I AGREE” button below, user acknowledges the following:
    • there has been no advertisements, personal communication, solicitation, invitation or inducement of any sort whatsoever from us or any of our members to solicit any work through this website;
    • user wishes to gain more information about AMLEGALS and its attorneys for his/her own information and use;
  • the information about us is provided to the user on his/her specific request and any information obtained or materials downloaded from this website is completely at their own volition and any transmission, receipt or use of this site does not create any lawyer-client relationship; and that
  • We are not responsible for any reliance that a user places on such information and shall not be liable for any loss or damage caused due to any inaccuracy in or exclusion of any information, or its interpretation thereof.
However, the user is advised to confirm the veracity of the same from independent and expert sources.