This article is written by Tarannum Vashisht, a student of Rajiv Gandhi National University Of Law, Punjab. This article throws light on the concept of erasing Information online. It also explains the right to be forgotten or the right to erase in India and the European Union.
The Internet has entered almost every sphere of human life, becoming an inexplicable part of our lives. However, even many regular internet users are not fully versed with the amount of harm that the internet can do to their lives, if not used with proper precautions. This article aims to elaborate on how our personal information can be leaked online. In addition to this, it gives a detailed insight into the rights available to the people of India and the European Union in this regard.
Why do you need to bother about erasing information online?
Intentionally or unintentionally, we give away a lot of our personal information online. This can be by signing up for amazon prime, or Paytm, etc. Out of the internet users, one third admit to knowing nothing about their personal information which is available online. Tons of cyber information available online has opened the gates for new legal challenges for which adequate laws have to be framed.
Also, it just doesn’t stop with not saving your passwords online or not giving away any of your personal information online. Much more is splayed across cyberspace ranging from the people you are connected with on social media, your buying patterns, frequent visiting to some website, etc.
If you fail to protect your personal information from online hackers, the damage caused to you can be huge. These can range from stealing your social security benefits, filing of compensation claims using your credentials, and using your names for making monetary transactions in their name to using your credentials for making fake passports, PAN cards, etc. Also, the most drastic harm that you may sustain is that of harming your reputation.
From whom do you need to be careful?
One obvious source from where your information can be leaked and then misused is from the huge online players like twitter, amazon, and Instagram. A lot of informational websites are also in search of your personal information, and make accounts just to access this information.
Another source from where personal information of users may be leaked is through huge data brokers like Choicepoint, Acxiom, etc. Data brokers may even provide information like phone numbers, addresses, names of family members, etc. Law firms may also serve as a source where personal information may be leaked.
The information posted on social networking sites like Instagram and Facebook, containing defamatory content by anonymous users may also cause a huge loss of reputation in both personal and professional life.
Considering these points, the right to erase information online seems to be the only way to protect oneself from this growing menace.
Right to be forgotten in European Union
Understanding the concept of the right to be forgotten in the European Union is important because the Personal Data Protection Bill, 2018, which formally introduces the rule of Right To Be Forgotten is based in spirit on the EU’s conceptualization of the rule of right to be forgotten.
The history of the rule of right to be forgotten in the European Union dates back to the year 1995 with the enactment of the Directive 95/46/EC. Although there was no direct mention of this rule, a combined reference to Article 6(1)(e) and Article 12(b), gave its citizens the right to be forgotten.
The former talks about the fact that data should not be available online after it becomes unnecessary or the purpose for which the data was made available in the first place consummates. It should then be removed or be made available only after a renewed permission from the owner of such information is taken.
The latter talks about the right of the owner of some personal information, to block, correct, or erase such information if it does not align with the directives provided under these rules. Till then there was no precise mention of the right to be forgotten in the European Union.
This was laid down in the case of Google Spain SL v/s Agencia Española de Protección de Datos & Mario Costeja González. This case was filed by Mr. Costeja Gonzalez in 2010 against a newspaper, La Vanguardia and Google with spanish data protection agency.
He complained that whenever internet users searched his name on this search engine, what appeared on the screen was links to pages of La Vanguardia dated 19 Jan 1998 and 09 March 1998. These pages provided personal information of the complainant relating to a matter dealing with the recovery of social security debts, which was ultimately resolved.
The complainant requested the court to order La Vanguardia and Google to remove or conceal his personal information from public view. The court ordered that La Vanguardia had the right to publish information and hence its publishing was upheld by the court. However, the complaint against Google was upheld. The court held that Google was a search engine and operators of search engines came well within the definition of ‘controllers’ under Section 2(d) of the directives. Hence, Google was ordered to remove that information. Most importantly, the court recognized the right to be forgotten of individuals, where there is no further need to display their personal information online.
In May 2018, the European Union passed GDPR, its new legislation on data protection, repealing the directives. Article 3(2) makes a novel provision, making itself applicable to some companies which were not established in the European Union and hence they come under its regulation too.
Another significant aspect of GDPR is that it makes a distinct provision of Right To Be Forgotten, under its Article 17. Article 17 states that that data subject (the owner of the information) has a right to ask the data controller to delete his personal information, in case that information becomes irrelevant, or if such a situation arises where personal data is being unlawfully processed by some outsider or simply a situation when the data subject wishes to withdraw his consent to display his personal information.
Laws in India regarding right to eraser
The rule of Right To Be Forgotten does not exist in the already available rules on data protection under Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) which are issued under Information Technology Act, 2000.
This new rule of Right To Eraser was introduced by the Personal Data Protection Bill 2018. According to this bill, the right to eraser is the right of a person to delink, limit, correct, or even delete any information which the user considers to be personal, whose continued presence on the internet would prove to be embarrassing, misleading or irrelevant.
Section 27 of this bill states that as soon as some information that is provided on the internet becomes irrelevant, the right to display it for public viewing expires. A renewed acceptance has to be taken from the owner of such information for continued display of such information online.
Subsection 2 of the above-mentioned Section also makes the provision of an officer, called the adjudicating officer, who would decide on whether such information should be corrected or not. The adjudicating officer would possess the power to decide between the competing claims of the right to privacy on the one hand and the right to information on the other.
Major case laws
The rule of Right To Be Forgotten is fairly a new concept in India, on which an act is yet to be passed. The Indian Judiciary has only recently recognized this rule. Let’s take a look at the evolution of this right in Indian judiciary-
Dharamraj Bhanushankar Dave v. State of Gujarat & Ors
In this case, the issue of the right to be forgotten arose and the Gujarat High Court denied such right to the petitioner. The facts of this case are that the petitioner had been acquitted of all charges of criminal conspiracy and murder, of which he was previously charged by the sessions court and subsequently by the High Court of Gujarat.
This judgment was non- reportable, yet the respondent published it on the internet. The petitioner claimed that this act of the respondent was harming his reputation in both personal and professional life. However, in this case, the court ruled against the petitioner. It held that the copies of a judgement of the High Court can be given to anyone. Additionally, the court was of the view that the petitioner had failed to prove an infringement of Article 21. Hence Right To Be Forgotten was not recognized by the Gujarat High Court in this case.
Sri Vasunathan v. The Registrar General & Ors.
In this case, an FIR was filed by the petitioner’s daughter against a man for compelling her to marry, and subsequently for annulment of the marriage certificate. The parties ultimately entered into a settlement, on the conditions that all criminal charges would be withdrawn by the petitioner. Subsequently, the man filed an application before the honourable High court of Karnataka for quashing the FIR that had been filed.
The court passed an order dated 15.06.2015, in which the name and details of the petitioner’s daughter were mentioned. The petitioner contended that this would harm the reputation of his daughter, and hence requested that her name and credentials be removed from the order. The High court accepted the request and hence recognized the Right To Be Forgotten.
Subodh Gupta v. Herdecene & Ors.
In this case, various allegations were levied on Subodh Gupta for sexual harassment through an Instagram account named ‘Herdscene’. The allegations were from multiple unnamed women. A civil defamation case was filled by Subodh Gupta against this anonymous Instagram account, claiming that all allegations were false. Damages of Rs. 5 crores were also sought from this account in the case filed in the Delhi High Court.
The court noted that no proceedings had been initiated against Subodh Gupta by any of these women. It was held by the honourable court that such defamatory content cannot be displayed to the public without any legal backing. Also, the same if allowed to continue can lead to mischief.
The court has directed that-
- Posts of December 2018 and January 2019, which contain sexual harassment allegations against Subodh Gupta have to be removed or blocked.
- Seven google search results that have links to sexual harassment allegations on Subodh Gupta were ordered to be removed. It was also ordered that the articles mentioned above are to be blocked by both Google and Facebook.
- The nine articles detailing the resignation of petitioners from the Serendipity Arts Festival were also ordered to be removed.
This the court contends is the right of the petitioner to be forgotten. Delhi High Court has asked Instagram to furnish in a closed envelope the name of the account operator on the next hearing.
Issues regarding the right to be forgotten rule of India
The most important issue is that to date there is no precise legislation regarding the Right to be forgotten. The personal data protection bill is yet to become an act. However, there are some issues with this bill too, which are enumerated below.
The right to be forgotten in a lot of situations comes in direct conflict with the right to information. The most common example of this is the right of a convict to erase information regarding his conviction so that he escapes media coverage. This can’t be permitted, because this act would be a direct contravention of the right to information of citizens.
The second issue which arises is with regards to the adjudicating officer. He has the power to decide between the competing claims of the right to privacy and the right to information, but this can cause a serious infringement of the freedom of the press.
Take for example a famous politician who has recently been convicted, and has to be covered by the media and his issue is still pending with the adjudicating officer. Journalists have to await the decision of the adjudicating officer for a lot of time, which most importantly is uncertain. This would jeopardize the freedom of the press.
The third issue is that this would cause a lot of confusion for the common man. He would find himself in a fix when deciding upon whether to go to the data protection officer or the central information commission.
The last, but the most important issue is that of national interest. The Government of India is at liberty to process and display any amount of information in the name of national interest. There is no authority to keep a check on the government when it comes to this issue. Therefore, it wouldn’t be completely wrong to say that the adjudicating officer is virtually controlled by the government of India.
The right to be forgotten has been well established by the European Union, however, such an amount of progress is yet to be reached in India. The data protection bill can bring about a lot of changes in the jurisprudence of the country when enacted. The Indian Judiciary has also evolved to recognize this principle of data privacy. Some aspects that I would like to bring to the notice of the reader are that for the success of this act in India, privacy needs to be recognized as a ground for reasonable restriction under Article 19 of the Indian constitution. Also, a successful balance has to be struck between the right to privacy and the right to information. This law should be enacted in such a way that it minimizes the conflict between fundamental rights.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: