This article is written by Goutam Mishra, pursuing Diploma in Cyber Law, FinTech Regulations, and Technology Contracts from LawSikho.
From signing up in your Hotstar account to browsing on the internet, you are constantly exposing information about yourself which can be used for frauds, misrepresentation, fake accounts, and various other cyber sins. This information is available on various websites which store, interpret and sell data collected to various entities which exploit it for their needs. This personal data can also be a source of many cybercrimes and hence, poses a new challenge to our legal machinery. Recently after a brief discussion about the principle in Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González, the right to be forgotten principle has been integrated in various legal enactments as armour against personal data theft. This article aims to discuss the principle and its applicability in the Indian context.
Right to be forgotten : explained
When we use the internet, visit various websites, shop online, post stuff on digital media, watch videos on YouTube, we leave behind digital footprints. The granularity of information that can be harvested from these footprints by data thieves is unimaginable. They harvest information about everything in our lives, from everything we buy, what are our likes/dislikes, where we live, our relationships, etc. This information can be accessed on online directories like directories such as People Finder, Truthfinder, White Pages, and other background check sites. This information can be easily used by hackers, identity thieves, etc. for malicious use.
Right to be forgotten promises us control over how many personal data about us is in public space online. This right originated in the famous Google Spain case. It is the right to get such personal data removed from the internet, search, databases, websites, or any other public platforms, once such data in question is no longer relevant. But as this freely available data is also exploited commercially which is essential in the digital age. The business model of certain companies revolves around data. Hence, it is essential to strike a balance between commercial and personal interests.
Developments in the US and Europe
The right to be forgotten has been recognized in various legal provisions. It finds its place in the GDPR rules in addition to the right to erasure in Article 17. Article 17(2) of GDPR states that where the data of a person has been made public, and the controller of such data is obliged to erase it from the public domain (by virtue of 17(1), which states the conditions where the data is subject has right to demand data erasure), the controller has the duty to take technical measures and to inform all the entities processing such personal data to erase all likes, copies, and replication of the data. This shall be done taking into account available technology and the cost of implementation.
Unfortunately, the US currently has no legal framework which supports the balancing act but India has made progress at this front with its Personal Data Protection Bill 2019. Let us understand and analyze the principle in the Indian scenario.
PDP Bill and right to be forgotten
The Indian PDP bill brought into the picture in 2018, came up with many changes to the Indian data processing and privacy laws. One of such provisions elucidated the right to be forgotten which was not a part of the Indian Techno-legal system under the IT rules and Act earlier. Section 20 of the bill provides the Right to be forgotten. It says that the data principal i.e., a person whose data has been collected, has the right to prevent or restrict the continued disclosure of such data in cases where-
- Such data is not needed any longer and has served its purpose.
- The consent given to release such data was under Section 11 and such consent has been withdrawn.
- Release of such data was done against the law or any particular Act.
The bill proposed the appointment of an Adjudicating officer for enforcing the right. The enforcement of the right is only done on the order by the Adjudicating officer appointed under the bill. The officer has to take into account a lot of factors before passing the order including;
- The sensitivity of the personal data,
- The scale of disclosure and degree of accessibility that sought to be restricted or prevented,
- The role of the individual in public life,
- The relevance of the personal data to the public, and
- The nature of the disclosure and the activities of the individual.
Also, the data principal shall be liable to show that his right in preventing disclosure of such data overrides the right to right to information of other citizens.
Where any person feels that the personal data, disclosure of which has been restricted by the appointed Adjudicating Officer does not comply with such order, he can file for a review before the officer, following which, the adjudicating officer shall review the data as per the five factors mentioned above. If a person is not satisfied with the order by the Adjudicating Officer, he may approach the appellate tribunal with his appeal.
Critical analysis of the provisions
Interestingly, the legislature called for adjudicating officers to decide on matters with reference to enforcement of the right direction, without such cases being referred to the data fiduciary (an organization that determines the means and purpose of the processing of data) first. It may be that the government was worried that the data fiduciaries may erase the data at the request of the principal without proper compliance to the criteria and factors provided in Section 20 of the bill. Hence, as a solution, they put in a legal provision to refer the matters to the Adjudicating Officer directly who would comply with the provisions and maintain a balance between the right to information of the citizens and the right to be forgotten by the individual. But is this really in tandem with Indian common law flow in recent years?
The privacy debate reignited with the KS Puttaswamy v/s Union of India which elucidated the meaning and essentials of privacy. Privacy at its core means a choice by an individual to be left alone and not be bothered by society as long as he does not do anything illegal or harmful to society and people around him. In the KS Puttaswamy case, this was reiterated and the court said:
“Privacy includes at its core the preservation of personal intimacies, the sanctity of family life, marriage, procreation, the home, and sexual orientation. Privacy also connotes a right to be left alone. Privacy safeguards individual autonomy and recognizes the ability of the individual to control vital aspects of his or her life. Personal choices governing a way of life are intrinsic to privacy.”
The appointment of an Adjudicating Officer to decide if an individual has the right to decide about his information may cause intervention to the right to privacy of an individual. The line between protecting the citizens’ rights and violating the individuals is thin and such a line needs to be respected. Empowering the state to adjudicate in case of such claims goes against the ruling in the KS Puttaswamy case and hence, the data fiduciaries and search engines must be given such power to decide within a strict legal framework.
The committee which was behind the bill recommended not to have complete erasure of information due to concerns on free speech. But the proposal by the committee failed to see the essence of privacy. There have been rising concerns that the right to be forgotten shall be the biggest threat to freedom of speech and expression in the future. However, the EU with its robust legal framework has been handling claims effectively with minimum state intervention. The EU has a legal framework that elucidates a detailed process as to how the data fiduciaries should deal with the claims on a case-to-case basis. It envisages the data controllers to apply the balancing test on claims by the principal to determine the validity of such claims. India can learn from this, apply the principle and provide the jurisdiction in such claims to the search engines. If the legislature provides a robust and detailed legal framework as to how the data fiduciary (whoever is bestowed with the power of handling such claims) must handle claims on a case-to-case basis, and elucidates clear criteria for a balancing test to be employed by the search engines during the test, the balance between both the rights shall be maintained without encountering major issues.
I strongly feel that India as a country is better off without such a bill if it bestows the Adjudicating Officer and indirectly, the State with the power to decide the validity of such claims. Perhaps if such a bill passes, we would need to move away from our cell phones to ensure that we don’t provide more personal data which shall be controlled by the state.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: