This article is written by Adhila Muhammed Arif, a student of Government Law College Thiruvananthapuram. This article seeks to explore the right to be forgotten and the provisions in the Personal Data Protection Bill related to it.
This article has been published by Rachit Garg.
Since we live in a digital economy, our personal data has become a highly valuable entity. It is used by several businesses and organisations to target advertising. The storing of internet users’ data has raised concerns regarding privacy, potential misuse, unauthorised processing of data, etc. This has led to many jurisdictions proposing and implementing legislation with the intent to protect the privacy of individuals. From the inception of social media networks, many individuals have found their personal details being made openly available without their consent, and once something is made available on the internet, it is very difficult to take it down. This has led to many jurisdictions recognizing the ‘right to be forgotten’, allowing individuals to have control over the availability of their data and their existence online.
Personal Data Protection Bill, 2019 – scope and importance
In 2017, in the case of Justice K.S. Puttaswamy v. the Union of India (2017), a nine-judge bench of the Supreme Court affirmed that the right to privacy is a fundamental right and that it is an intrinsic part of Article 21 of the Indian Constitution. After the passing of this judgement, the Ministry of Electronics and Information Technology formed a committee led by retired Supreme Court judge B.N. Srikrishna, submitted a report titled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians” along with the draft bill on personal data protection. After that, the revised Personal Data Protection Bill, 2019, was proposed by Mr. Ravi Shankar Prasad, Minister for Electronics and Information Technology, in the Lok Sabha in 2019. Following that, the Bill was later referred to a joint parliamentary committee and several amendments were proposed by it in 2020, which may or may not be accepted. Firstly, the committee proposed to include non-personal data as well and title the legislation as Data Protection Bill. It also recommended that the interests of the state and the economy must be put on the same footing as data protection.
It contains terms such as data principal, data fiduciaries, and data processor. Data principal is the person to whom the data is connected. Data fiduciary refers to an entity, which could be the state or a company, that determines the purpose and means of the processing of personal data. And lastly, a data processor refers to the entity that processes personal data on behalf of the fiduciary.
It classifies data into three types which are personal data, sensitive personal data, and critical personal data.
- Personal data refers to general personal information like name and address.
- Sensitive personal data refers to things like sexual orientation, religious beliefs, etc.
- Critical personal data refers to intelligence and defence services data and data related to foreign bank services.
It prohibits sharing and processing of critical personal data outside the territory of India. It places limitations on sharing and processing of sensitive data, which can only be done with the consent of the use. The Bill also proposes for a Data Protection Authority to be established in Clause 41(1), which would ensure that the provisions in the Bill are enforced and complied with. The Bill also allows data principals or the persons to whom the data is related to, to change or erase their personal data. It also creates exceptions for the consent requirements. That is, in the times of medical emergencies, for taking legal action, and for delivering state services.
The right to be forgotten
The right to be forgotten is a part of an individual’s right to privacy. The right to be forgotten, is the right of the data principal to restrict or prevent the continuing disclosure of his personal data by a data fiduciary. It is the right to remove publicly available information from the internet search, databases, and websites when it is no longer needed. This protects people who have been victimised by revenge porn, those involved in criminal cases, or anything that could affect a person’s career and reputation. Though it falls under the purview of the right to privacy, it is not explicitly recognized in any legislation in India. However, in the case of Zulfiqar Ahman Khan v. Quintillion Businessman Media Pvt. Ltd & Ors. (2019), the Delhi High Court recognized the right to be forgotten and the right to be left alone as inherent aspects of the right to privacy.
The origin of the right to be forgotten lies in the famous case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González (2014). This was regarding an article published in a newspaper regarding a property being forced to sell by Mario Costeja Gonzalez for the settlement of a social security debt. On searching his name, one could find the article. Hence, in 2009, he contacted the newspaper and requested that details of the forced property sale be removed from the public domain. On the denial of the request, he requested Google Spain SL to take the information down. The Court of Justice of the European Union held that Google will have to remove the information from the search results whereas the website can retain the information. This judgement became a precedent for the right of individuals to request organisations to remove any information regarding them that is irrelevant from the public domain.
The Organisation for Economic Cooperation and Development (OECD), of which India is a member of, formulated the Guidelines on the Protection of Privacy and Transborder Flows of Personal Data in 1980. There are some privacy principles coined by the OECD, which are a part of the guidelines, one of which being individual participation in being able to know about one’s personal data possessed by an organisation, so that one can delete or rectify such information. Though it is not explicitly mentioned as the right to be forgotten, the OECD promotes an individual’s right to remove his or her personal data from being possessed by an organisation.
In Section 43A of the Information Technology Act, 2000, organisations that possess sensitive personal data, and are negligent in maintaining reasonable security to protect such data, which causes wrongful loss or wrongful gain to anyone, such organisations will be liable to pay damages to the affected person. In the Government of India’s notification of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the right to be forgotten is not explicitly mentioned. However, it has provisions for submitting complaints to the designated Grievance Officer to remove content that reveals something about the complainant without his or her consent on the internet.
The ‘right to be forgotten’ in Personal Data Protection Bill, 2019
The following are the provisions in the Personal Data Protection Bill, 2019 that concern the right to be forgotten:
- Chapter V of the Personal Data Protection Bill mentions the right to be forgotten as a right of a data principal under Clause 20. According to Clause 20(1), the following are the grounds for claiming the right to restrict disclosure of any personal data:
- once the purpose has been achieved, or
- when the data principal’s consent has been withdrawn, or
- when the disclosure was made in an unlawful manner, the data principal can restrict the disclosure of the concerned personal data.
- The Bill also provides for the appointment of an Adjudicating Officer by the Union Government. In order to avail the right under Clause 20, it is necessary for the data principal to show that his claim meets one of the three aforementioned conditions to the Adjudicating Officer and demonstrate how his right to be forgotten overrides the right to information and freedom of speech and expression of other citizens, as per Clause 20(2).
- Clause 20(3) lays down the factors that must be considered by the Adjudicating Officer before issuing an order on the claim of right to be forgotten of a data principal, and they are the following:
- Sensitivity of the personal data;
- The extent of disclosure and accessibility that the data principal seeks to restrict;
- Importance of the data principal’s role in public;
- Relevance of the personal data to the public;
- The nature of the disclosure and activities of the data fiduciary, especially whether the data fiduciary systematically facilitates access to personal data and whether the restriction of the disclosure would significantly affect them.
- As per Clause 20(4), if any other person finds the order unreasonable and uncalled for, can apply for a review of the order to the Adjudicating Officer.
- Data principals can also appeal against the decision of the Adjudicating Officer to the appellate board, as per Clause 20(5).
- As per Clause 21, the right to be forgotten, unlike the other rights of the data principal, does not require the data principal to request the data fiduciary to restrict or prevent the disclosure of any personal data. The data principal is only required to make an application to the Adjudication Officer to enforce this right.
The Personal Data Protection Bill, 2019 restricts the right to be forgotten to only the disclosure of personal data. The Draft Data Protection Bill, 2021 suggests including the processing of personal data as well to the scope of the right to be forgotten. This suggestion may or may not be taken into consideration.
Provisions of Personal Data Protection Bill, 2019 that supplement the ‘right to be forgotten’
There are also some provisions in the Bill that essentially supplements the right to be forgotten, which are the following:
- Clause 18 deals with the ‘right to correction and erasure’, which tends to slightly overlap with the right to be forgotten. This includes correction of inaccurate or misleading personal data and erasure of personal data that is no longer necessary for the purpose for which it was processed. Wherever the data fiduciary makes such a correction or erasure, the individuals and entities to whom such data was disclosed must be notified by the data fiduciary.
- As per Clause 9, a data fiduciary cannot retain any personal data beyond the particular period for which it was required, unless it is explicitly consented to by the data principal or there is compulsion by law. Data fiduciaries are also obligated to undertake a periodic review to determine whether it is necessary to retain the personal data or not.
- Clause 36(b) states an exception to the right to restrict disclosure of personal data, wherever the personal data is required for enforcing a legal right or claim, to defend charges, for receiving legal advice, etc.
Comparison with provisions in GDPR
The European Union’s General Data Protection Regulation (GDPR) was one of the first statutes to recognize the ‘right to be forgotten’ under Article 17. In the GDPR, the right to be forgotten is termed as the ‘right to erasure’. As per this Article, the data subject has the right to have his personal data erased by the data controller without undue delay. Here, undue delay refers to a month.
One of the following conditions must be satisfied for the application of the right as per Article 17:
- The personal data is no longer needed by the concerned organisation for the purpose for which it was obtained and processed.
- The organisation depends on the data subject’s consent for processing the data, and the individual withdraws the consent.
- The organisation relies on certain legitimate grounds for processing the data, which is objected to by the data subject and the organisation’s justifications do not override the interests of the data subject.
- The organisation processes information for direct marketing and the data subject, objects to it.
- The data processing by the organisation is unlawful.
- When erasing personal data is required to comply with a ruling.
- The organisation had processed the personal data of a child to provide information society services.
The regulation also prescribed the grounds on which the organisation’s right to process information overrides the data subject’s right to be forgotten. The following are the grounds prescribed:
- Right to freedom of expression and information.
- The data processed is used for public interest.
- Data is used to comply with a legal rule or obligation.
- Data is used for establishing legal defence or legal claims.
- Data represents information that achieves something for public, historical, or scientific purposes.
- Data is used in the health sector for public interest.
As per Article 19, once the data controller has made any rectification or erasure of personal data, the communication of such correction or erasure has to be made to all the entities or recipients to whom the data has been disclosed. The data controller also has an obligation to disclose the information about such recipients if the data subject requests.
It is pretty evident that the GDPR provides a wider scope for the right to be forgotten compared to the Personal Data Protection Bill. It is notable that the GDPR provides the right to be forgotten to the processing of personal data as well. The PDP Bill does not guarantee speedy remedy, unlike the GDPR. The GDPR is far more elaborate on the grounds to be considered by the controller in comparison with the PDP Bill.
Critical analysis of the Personal Data Protection Bill, 2019
The Personal Data Protection Bill, 2019 would be the first legislation in India to recognize the right to be forgotten, once it is enacted. However, it is notable that the bill does not substantiate the remedies for restricting or preventing the disclosure. It could be complete deletion or simply making access to the data difficult by delinking or deindexing. Deindexing is essentially removing the link of the data from the search results of the search engine, but it does not delete the data from the website which published it. There are no grounds prescribed for the Adjudication Officer to decide what remedy is appropriate. It is all left to the discretion of the Adjudication Officer. Another concern posed by the Bill is its censorship aspect. Since the Adjudication Officers are appointed by the Union Government and have the power to censor data on the internet, this is seen as a threat to the principle of separation of powers and judicial independence. While Chapter II of the Bill contains provisions for restriction of processing of personal data, the right to be forgotten has to be widened to include the right to object processing as well, and not just disclosure.
Though it is possible for individuals to remove their personal data from public platforms through means such as the IT Rules, defamation, obscenity, etc. the Personal Data Protection Bill would be the first law in India that explicitly recognizes the ‘right to be forgotten’. While there is a conflict between the censorship aspects of the right with the rights to information, speech and expression, it is an essential component of the right to privacy, as affirmed in the decision in the case of Zulfiqar Ahman Khan v. Quintillion Businessman Media Pvt. Ltd & Ors. (2019). In the digital age, where data security and privacy are always compromised, it is crucial for us to protect the privacy of individuals and their personal data from being misused.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: