
The Right to be Forgotten: Path Towards Efficacious Realization of Data Protection

Tanish Arora

Introduction

The concept of the right to be forgotten was recognised in French jurisprudence, where it was known as ‘le droit à l’oubli’, which refers to the “ability of individuals to limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic.” This right was conferred upon released convicts to help them start afresh and independent of their past, by allowing them to have their name erased from the official databases. It was brought into the limelight by the landmark case of Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, wherein the European Court of Justice allowed the deletion from Google of the information damaging Mr. González’s reputation, as it was now irrelevant and unrequired, hence recognising the right to be forgotten.

India has taken time to recognise the right to be forgotten, which is a topic that has generated mass discussions and debates due to its probable far-reaching effects on society. This right is conferred upon a data principal when there is unwanted processing of an individual’s personal data. However, the concerned data cannot be removed merely on the whims and fancies of the data principal, as the decision must be taken keeping in mind the limitations imposed by the aforesaid right on the rights to freedom of speech and expression and the right to information; moreover, due consideration should also be given to the underlying public interest in the contents of the data. Thus, the right to be forgotten must be exercised by balancing it with the abovementioned factors. The Digital Personal Data Protection Act, 2023 (‘DPDPA’) has been drafted by observing the judicial inconsistencies and factoring in the various suggestions stated in the Srikrishna Committee Report. After the enactment of the DPDPA on 11th August 2023, statutory recognition was accorded to the right to be forgotten.

This article traces the present status of the right to be forgotten in both India and the European Union, where the building bricks of the right’s jurisprudence were laid, and also suggests various reforms in the Personal Data Protection Bill, 2022 which would lead to its more effective implementation.

Controversy Regarding the Recognition of the Right to be Forgotten

There has been a lot of controversy regarding the question of whether the right should be recognised or not, owing to its potential impact on our lives. The advantages of conferring this right are that it provides an individual more control over their data; helps eliminate damaging and illegally uploaded information; and, crucially, does not let a person’s past weigh down on his/her shoulders, instead giving them the chance to start afresh. On the flip side, it also has certain cons, namely, the potential to be misused; undefined boundaries due to the dearth of laws and judgements; reduced transparency; and the limitations on both the right to information and the right to freedom of the press.

An analysis of the right’s pros and cons leads to the inference that the pros outweigh the cons, which can be appropriately tackled by taking the appropriate steps, hence the right should be given the due recognition. The potential misuse and the unclear boundaries can be settled by having well drafted laws, while the right to erasure can be harmoniously constructed with the right to information and that of freedom of the press by applying the five criteria test, which seeks to resolve this conflict by considering the vital parameters, namely, the sensitiveness of the data; the extent of restriction sought; the data fiduciary’s activities and the nature of disclosure; prominence of the applicant in the public and lastly, the necessity of the data for the public. The incorporation of this test was also recommended by the Srikrishna Report.

Evolution in India

The right to be forgotten has had an inconsistent jurisprudence regarding its recognition and existence in India. The question of the right’s existence first came up in Dharamraj Bhanushankar Dave v. State of Gujarat, wherein the Court was asked to bar the respondent from publishing the judgment, which could adversely impact the petitioner despite his acquittal. The Gujarat High Court (‘HC’) declined to exercise the right due to the absence of any legal ground to bar the respondents and also because the facts and circumstances of the case did not lead to the contravention of Article 21 of the Constitution.

However, the Karnataka HC in {Name Redacted} vs The Registrar General, directed the removal of the name of the daughter of the petitioner from the cause title and orders, thereby acknowledging the right to erasure in sensitive cases involving women. The Delhi HC also acknowledged the right to be forgotten in Jorawer Singh Mundy v. Union of India, wherein the applicant sought the removal of the judgement, which was allegedly blemishing his reputation. It was also opined that this right helps in silencing the prior events in a person’s life. Moreover, even the SC in the celebrated case of K.S. Puttaswamy v. Union of India accepted that the right to life enshrined under Article 21 included the right to be forgotten under its ambit. It was further held that this right is not absolute and cannot be utilised if the data was necessary for fulfilling legal obligations; defending, establishing or executing legal claims; exercising the right to freedom of speech and expression; for statistical, historical or scientific purposes; executing a duty in public health or interest and protecting information in public interest.

In addition to this, the Legislature has also played its part by enacting the Digital Personal Data Protection Act, 2023 with the aim of balancing the individual rights and public interest for processing digital personal data. Section 13 of the Act confers the right to correction and erasure of personal data on the data principal, by providing that data fiduciaries shall act on the request made by the data principals by updating, correcting, completing or erasing the data. It also outlines that if a request for data erasure is received, it may be acceded to only if the purpose of its collection is fulfilled and the data is not required to be retained for legal purposes. It must be noted that the data principal is bound under Section 16(4) to submit verifiable authentic information.

Further, Section 18(1) of the Act encapsulates the exceptions wherein this right will not be applicable, namely, when the data is required for discharging judicial or quasi-judicial functions; when the data is needed for the enforcement of legal rights or claims; in situations wherein data is processed for preventing, detecting, investigating or prosecuting any offence or law violations; and if the data is outside the territory of India and it is processed by a person based in India pursuant to a contract. The second clause of the aforesaid section provides that the Union Government can exempt the Act’s application when data is required for statistical purposes or for preserving or preventing incitement to cognizable offences relating to public order, security, sovereignty, integrity, friendly relations with other states. The Act also provides for the establishment of the Data Protection Board under Section 19, whose functions are to determine the compliance of the provisions; to penalise the offenders and to carry out functions directed by the Central Government. The Criminal Procedure (Identification) Rules state that the investigating authority can collect identifiable information like biological samples and fingerprints, and the same will be recorded in digital or electronic form for 75 years, except in cases of acquittal, where it will be destroyed. However, a Court or Magistrate may direct the retention of details after recording reasons in writing in the exempted cases. This rule is a limitation on the right to be forgotten and it has the potential to have serious consequences for the right to privacy.

Developments regarding the right in the European Union

The European Union was credited with the tag of being the birthplace of the right to be forgotten. The right originated in France, and became the talk of the town due to the judgement of the European Court of Justice (‘ECJ’) in Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, where the right to erasure was given affirmation and the deletion of the data from the Google database was allowed.

In GC and Others v. CNIL, the question arose as to whether search engines are prohibited from processing special categories of personal data like religious beliefs or political opinions. It was held by the ECJ that Google will have the same responsibilities as a data controller, as its search results provide the links to the websites containing personal data. Further, due to the practical unviability of taking consent of every person connected with the data, Google has to take action regarding the data only when it is intimated by the user, and justification has to be provided only in the instances when the removal of a hyperlink containing sensitive data is requested. Another issue was whether a past conviction should be removed when it no longer describes the current situation. The Court held that before the removal, the right to information of the public, along with the other criteria in the five criteria test, has to be balanced against the fundamental rights of the applicant, and only then should a decision be taken. It was laid down in Google v. CNIL, another case which was decided on the same day, that the data fiduciary needs to delete the link only within the server operating in the EU member states, and not in its servers catering to the rest of the world, which has been considered to be a controversial finding.

Recently in TU & RE vs Google LLC, the European Court of Justice held that the obligation of proving the inaccuracy of the facts is vested with the data principal and only if it is proved, the duty of the data fiduciary to remove the same arises. Further, it enhanced the scope of the right to erasure as set out in the Google Spain case to include the removal of photographs or thumbnails in spite of the fact that they provide links to the original source, albeit subjecting the deletion to the balancing of rights and public interest. 

The law on the subject is not settled just by precedents as there also exists concrete legislation on the same. The General Data Protection Regulations provide for the right to be forgotten in Recitals 65 and 66, and also in Article 17 which states that a person has the right to get his data released within one month from filing a request to that effect. It also provides the conditions in which the data can be removed, which are that the data is no longer required; the data is being held illegally; the withdrawal of the consent to process data; the legitimate interest to process the data has come to an end; the personal data of a child has been processed to offer the information society services and if the data fiduciary is legally obligated to that effect. There also exist exceptions to the aforesaid right, namely, if the data is required for legal claims or defence; is required for compliance with legal obligations; is required due to public interest; is needed for public health purposes or to perform occupational or preventative medicine etc. The organisation has the right to deny or to ask for a “reasonable fee” to do the needful.

Necessary reforms for an effective implementation in India

In this day and age, the internet has an unforgettable memory, which can lead to adverse impacts in the future as some remote occurrence in the past could also result in ruining an individual’s present as well as future. This burden does not enable the individual to be freed from the shackles of their past deeds, and hence they cannot start fresh. This is where the right to be forgotten comes in as a savior and removes the concerned incident from the web so that one can live unassociated from the same and have a new beginning.

The enactment of the Digital Personal Data Protection Act, 2023 by the Indian legislature is a commendable step as it enshrines the right to erasure as a legal right and also helps to settle the judicial inconsistencies regarding the aforesaid right. However, this law needs certain reforms for its adequate implementation:

  • First and foremost, it is necessary for the effective implementation of the right that a reasonable time period must be put in place before which the data fiduciary is obligated to decide upon the request and also for the Data Protection Board to decide on the cases. 
  • Moreover, it should be clearly specified that along with articles, thumbnails, photographs and videos also fall under the scope of the right to be forgotten, and they can also be removed after applying the five criteria test as mentioned above.
  • Further, the Act should also provide for the compensation to the data fiduciary if the decision of the data principal to not accede to the request is mala fide or without any reasonable apprehension regarding the balancing of the fundamental rights or the balancing of public interest with the deletion of data.
  • The most critical reform regarding the right to be forgotten is that it should not be restricted to the domain wherein the applicant has asked for the removal, rather it should have a wide application and if the request is acceded to, then the data must be deleted from all the domains. If the current route is trodden on, then the right to erasure would become meaningless as the concerned data could still be accessed from an alternate domain name, thus rendering the right ineffective and meaningless. The objective behind the creation of the right would be fulfilled only if the data cannot be accessed at all after the acceptance of the request.
  • It is pertinent to note that the aspect of relevancy is changing rapidly in this modern world, hence, it is quite possible that the concerned data was not relevant when the right to be forgotten was sought to be exercised, but it becomes relevant in the future due to any reason making the information relevant. A possible solution to the same could be that the Data Protection Board is mandated to create an offline repository for the links which are made inaccessible by exercising the right to erasure, so that they can be made accessible when required by the Data Protection Board or the Hon’ble courts.

Thus, it is crystal clear that the right to be forgotten needs to be strengthened so that the jurisprudential thinking behind its introduction is realized, and hence, implemented into the practical life, but at the same time, it should be checked that it does not conflict with the essential rights or public interest.

The author is a third year student at National Law University, Odisha.
