In an era where the right to privacy is protected as a fundamental right, the right to be forgotten is the inevitable next development. Emerging from the French adaptation of the same, droit à l’oubli, the right to be forgotten relates to the concept of online privacy. The right to be forgotten codifies that individuals are vested with the right to ask businesses and organisations to erase their personal information from their systems and servers. The right to be forgotten invokes scrutiny from Articles 19, codifying protection of certain rights regarding freedom of speech, and 21, codifying protection in respect to conviction of offences. Before we dive into the Indian context of the right to be forgotten, let’s understand the international happenings which led to India’s recognition and passing of the Personal Data Protection (PDP) bill in 2019.
Turkey passed its data protection law on a directive but did not have any regulations on the right to be forgotten until June of 2015, when a verdict was delivered on a key case. The case law acknowledged the right to be forgotten as a personal right, and a precedent decision was also developed. In this case, the plaintiff was the victim of sexual assault and had filed legal action against the same. A decision had been given for the crime; however, this judgement had been published in a criminal law book including the plaintiff’s legal name. She then claimed that having her name used without a pseudonym in a criminal law book constituted an attack against her personal rights and requested compensation. After a number of appeals, the Supreme Court Assembly of Civil Chambers said “The right to be forgotten provides an individual with the right of “controlling his/her past”, “requesting certain matters to be erased from his/her past or not be recalled”, while vesting obligations on the addressee of the data to take measures for avoiding the recall of the information of the individual or to prevent the use of such information by third parties. It is accepted that such right provides the right to compel third parties to erase the content related to the individual such as photos and internet blogs and the right to demand the removal of information with respect to past punishments or information and photos which may cause unfavourable comments on the individual.” The judgement then concluded that the publication of the plaintiff's name without a pseudonym was in violation of the right to be forgotten as well as the privacy of the individual.
The Chamber considered the protection of personal data as closely related to human rights and as being associated with personhood, stating that disclosing personal data may violate privacy and also offend various other associated rights. The Chamber defines the right to be forgotten as a right to request the erasure and the prevention of the transmission of personal data which the individual prefers not to be known by third parties, and as a right to request that data stored in digital memory, which may be related to a negative past instance, be forgotten.
In 2018, the General Data Protection Regulation (GDPR) bill was passed in the EU, granting statutory recognition to the right to be forgotten in the form of the right to erasure under Article 17, Recitals 65 and 66. The bill stated that the individual, or the ‘data subject’, is granted the right to ask the ‘controller’, the body responsible for the processing of their personal data, to erase the private data without undue delay, approximately a month. The position, however, remains unclear as to whether an individual in the EU can request search engine operators to remove links beyond the territorial scope. This confusion mainly arises from the ruling by the Court of Justice for the EU in Google v. CNIL (2019). The judgement in this case was pronounced in favour of Google, stating that such a request for erasure will not bind the operator to de-link the data on all versions of its search engine worldwide. The GDPR bill also outlines, as per Articles 6, 7 and 13(1)(c), that organisations must provide a lawful basis for collecting the personal data of any data subject. If this lawful basis is no longer deemed applicable, then the data subject may request the erasure of their personal data. The GDPR then puts the onus on the data controller to defend their maintenance of the personal data of data subjects, as well as to verify that the person who requests the erasure is in fact the person whom said data concerns.
It is then also understood that the right to be forgotten is a qualified right subject to limitations. Some possible limitations include cases where the data is being stored and processed in compliance with the current laws, in the interest of the public or public health, as a significant part of academic research where the lack of said data would greatly hamper the research, or as integral to a legal claim or defence, or where the request is unfounded or excessive as deemed so by an Information Commissioner. If for any reason the controller decides not to comply, they are mandated to inform the data subject about the reasoning, allowing the data subject recourse to complain before a supervisory board or court against such decision of the controller.
In 2017, after the EU began recognising these concerns and the Justice Puttaswamy judgement was passed, the Indian government started the process to create data protection laws. They established a committee, headed by a retired Supreme Court Judge, Justice BN Srikrishna, to deliberate over the IT laws and the data privacy regime of the country. The committee proposed the Personal Data Protection (PDP) bill which went on to be passed by voice vote on Dec 2nd of 2021.
The PDP bill is consent-centric, meaning that lawful consent must be obtained from the data subject before their data can be processed, and it made the deployment of privacy by design vital. The bill also changed the terminology, renaming “data subjects” as “data principals” and “data controllers” as “data fiduciaries”. The bill acknowledges the right to be forgotten as the right against continued disclosure, to be granted with regard to the extent of the data principal’s personal information being revealed. This right was granted under section 27 of the bill so as to “limit, delete or correct the disclosure of the personal data on the internet”. These regulations are proposed to be monitored and regulated by the Data Protection Authority as per section 27(2) of the bill, which is to be set up as an autonomous regulatory body.
The Joint Parliamentary Committee (JPC) was of the view that non-personal data should be accorded the same level of protection as personal data, since it is possible to get the details of individuals through analytical processes, and any future development in this field may lead to identification and correlation of data, leaving the data principal totally exposed. The JPC also noted that data localisation, restricting the flow of data from one country to another, is essential. In the Indian context, data localisation will make it mandatory for companies collecting critical consumer data to store and process it in data centres within India’s borders.
Social media platforms have been given clear guidelines to ensure compliance, failing which they would be held liable to a penalty. As part of these guidelines, the bill introduced Standardisation Testing and Quality Certification (STQC), aimed at ensuring high-quality, reliable software and hardware to protect from concealed backdoors being embedded in them which allow remote access to resources. The bill also outlined the fact that the right to be forgotten is not an absolute right and is subject to exemptions, for example in instances of national security. These exemptions allow the government to process data in the interest of maintaining the sovereignty and integrity of the nation. Government agencies are allowed to obtain consent from the data principal to undertake this processing, but there are situations when even this may not be feasible. Such instances have been outlined in sections 12, 13 and 14.
While the right to be forgotten has been codified in law, there are still some debates surrounding its constitutionality and the consequences that come with certain sections of the PDP bill. One debate surrounds Articles 19 and 21. In the Justice Puttaswamy judgement, the Supreme Court of India declared the right to privacy as a natural right essential to enjoy a dignified life, paving the way for the right to be forgotten to be read into the constitution. Article 19, on the other hand, grants freedom of speech and expression, as well as the right to information, to all citizens. This then creates a constitutional dilemma: does the right to be forgotten infringe on the right to information?
Another issue surrounds the exemption made in the bill allowing a competent authority to retain or remove pieces of information. The decisions made by this body will have a significant impact on the freedom of the press in the nation. Procedural confusion may also arise regarding the correct authority to approach in order to gain access to particular pieces of information.
The right to be forgotten, then, is a qualified right that is essential in allowing citizens their right to privacy; however, it is tricky to implement. The PDP bill is the first step towards realising the right to be forgotten in India, aiming to strike the delicate balance honouring Articles 19 and 21. The right to be forgotten of Indian citizens, however, extends beyond the bounds of India, requiring a look into international laws governing the same. This is crucial in order to maintain the sanctity of the right to be forgotten.
Navin Kumar Jaggi
Dhriti S. Somasundar