This article is written by Parul Chaudhary, pursuing Diploma in International Data Protection and Privacy Laws from Lawsikho.
The right to be forgotten is a concept of online privacy where individuals are vested with the right to ask businesses and organisations to erase their personal information from their systems and servers. That would essentially mean that their private data will not pop-up during internet searches and in other search engines or directories. The idea has emerged from the French adaptation of the same as droit a l’oubli that encompasses within itself the right to privacy as well as the right to be forgotten, especially directed at the print and online media. This notion is based on the view that every person should be granted the freedom to carry on with their lives privately and freely without having to worry about the events of the past or the stigmas related to it. The fundamental right to privacy gives everyone the autonomy to robe oneself in obscurity, if one wishes to, and get his/her personal data deleted from the internet. But as it is apparent from the very nature of the internet that a process to erase data is not as simple as it looks. The worldwide web is a highly interconnected network where data deleted from one source does not ensure that the data is truly gone from the internet. It travels through a myriad of servers and gets stored at different locations over the cloud. So, it is difficult for organisations to comply with a right to be forgotten request in its absolute form.
In this article, the author has attempted to analyse the position of the right to be forgotten as it emerged and the dilemma that has been created thereby between Articles 19 and 21 of the Constitution of India, 1950.
But before that let us have a quick glance at how the international framework recognises the particular right:
The European Union General Data Protection Regulation stance
The General Data Protection Regulation (GDPR) which was passed in 2018 by the European Union (EU) bloc encapsulates the right to be forgotten. The GDPR grants statutory recognition to the right to be forgotten in the form of the right to erasure under Article 17, Recitals 65 and 66. The individual or “data subject”, as is defined under Article 2 of the GDPR, is granted the right to ask the “controller” to erase the private data without undue delay. The “controller”, as mentioned above, is the body that is responsible for processing the personal data. The ‘undue delay’ is deemed to be approximately a month as per the GDPR website.
Case laws that dealt with the right to be forgotten Internationally
This right has gained limelight after the case of Google Spain v. AEPD & Mario Costeja (2014) (Google v. Spain), in which Mr. Costeja objected to the data that was being processed and displayed by the tech giant Google when his name was entered on their search engine on the ground that it is irrelevant in contemporary times and is harming his reputation in the society. The European Court of Justice held that Google will have to delete the object data or links that are being displayed as a result of a simple name search of Mr. Costeja, thereby ruling in favour of recognising a right to be forgotten. However, this right is incomplete in the sense that the said data will not be displayed when Mr. Costeja’s name is searched on Google’s search bar, but that does not mean that the said data has been deleted from the internet. It is still very much present and lingering around and may pop up in some other search result or as internet archives.
However, the position is still dicey when it comes to whether an individual in the EU can request the search engine operator to remove a link beyond the territorial scope or not. This confusion has risen from the ruling of the Court of Justice for the EU in Google v. CNIL (2019), where the judgement was pronounced in favour of Google that such a request for erasure will not bind the operator to de-link the particular data on all versions of its search engine worldwide.
The GDPR puts forth the idea that continuing to disclose personal information is a matter of individual choice and the individual should have control over it with regard to its erasure from the internet. It tries to create a fine balance between information and oblivion. It is also in harmony with Article 15 of the GDPR that grants the data subjects to know what information is being processed by the controller. If the data subject feels that a particular data should not be processed or kept by the controller, he can exercise his right to be forgotten by requesting deletion of the same. The controller, on the receipt of such request, will also have to inform 3rd parties with whom such data has been shared that erasure of that data has been requested. If it has been published online in the public domain, then reasonable steps must be taken to remove the links to or replicate that data. However, as mentioned earlier, it is a qualified right and is subject to limitations.
As per Articles 6, 7 and 13(1)(c) of the GDPR, the organisations have to provide a lawful basis for collecting the personal data of any data subject. It may be express consent, legitimate interests, essential for a binding contract, public interest, or for any legal duties towards the State. So, if the lawful basis claimed is no longer applicable, then the data subject may make a request to the organisation for the erasure of his personal information. For instance, if the user withdraws consent, or objects to the processing of his personal data for marketing materials, the organisation cannot continue to use his data for those purposes. In case any private data is being processed unlawfully, it will not only be a breach of the law but will also be a ground to request erasure. If the data has become irrelevant, unlawful or unnecessary to store for the organisation, it may be deleted at the request of the data subject. Also, the onus is upon the organisation or data controller to confirm that the identity of the person who requests deletion matches with the person to whom the particular data corresponds.
Limitation of the right to be forgotten
However, the right to be forgotten is a conditional right and the organisation may reject the request for the erasure of data in the following conditions:
- If the data is being stored or processed in compliance with any law currently in force, or in the interest of the public and public health; or
- If the data is a significant part in scientific, historical, or statistical research, etc. wherein deletion of that data will greatly hamper the research; or
- If the data is important information in a legal claim or defence; or
- If the request is unfounded and excessive, and the same can be justified with reasons before an Information Commissioner.
If the organisation decides not to comply with the request for deletion, it should inform the data subject about the reasons for not doing so, and such data subject shall have recourse to complaining before a supervisory body or the court against such decision of the organisation.
The Indian approach
India’s cyber regime is primarily governed by the Information Technology (IT) Act which was passed in the year 2000. It does not talk about any such right that a person may have which empowers him to ask the organisations to delete his data and be forgotten. However, after the EU began recognising it and there was an ongoing debate, especially after the Justice Puttaswamy judgement in 2017, the Indian government decided to establish a committee in order to deliberate over the IT laws and the data privacy regime of the country. It was headed by a retired Supreme Court Judge, Justice BN Srikrishna and this committee report suggested the draft Personal Data Protection (PDP) Bill which is currently before the house of the parliament awaiting to be passed.
Insight into Personal Data Protection (PDP) Bill
The PDP Bill is consent centric in the way that lawful consent must be obtained from the data subject before his/her personal data can be processed. It makes the deployment of privacy by design vital for the functioning of data processors. Unlike the EU GDPR, the PDP Bill does not use the term “data subjects” or “data controllers”, instead uses “data principles” and “data fiduciaries” in place of them respectively.
This draft Bill acknowledges the right to be forgotten, as the right against continued disclosure, which should be granted to individuals with regard to the extent of their personal information that is being revealed on the internet. People should have a right to demand delinking of their present life with the misleading or embarrassing events that might have occurred at some point in their past, especially if it is irrelevant in the present day. This right has been granted to the data principal against the data fiduciary under Section 27 of the PDP Bill to “limit, delete or correct the disclosure of the personal data on the internet”. The monitoring and enforcement of these regulations are proposed to be performed by the Data Protection Authority, as per Section 27(2) of the PDP Bill, which is to be set up as an autonomous regulatory body.
However, the right to be forgotten is not an absolute right. Section 62 of the PDP Bill requires the union government to appoint an Adjudicating Officer for monitoring all such requests about personal data disclosure or deletion.
In 2014, an Indian citizen, for the first time, cited the judgement of the EU Court in Google v. Spain to request an Indian website to erase certain links as an application of his right to be forgotten. However, the website, Medianama.com, refused to comply with the request stating that the judgement was not binding on India and there is no such provision to request deletion under the current IT rules.
The Constitutional quandary
The right to be forgotten falls under the ambit of the right to privacy, which itself is covered under the umbrella of the right to life and personal liberty under Article 21 of the Indian Constitution. The right to privacy has been read into Article 21 by the infamous judgement of Justice K.S. Puttaswamy v. Union of India (2017), wherein the Supreme Court of India declared privacy as a natural right that is essential to enjoy a dignified life. Every individual has a right against anyone who tries to breach his/her privacy without a legitimate reason or a legal basis. This right also entails withholding certain information about oneself if it is too revealing, misleading, private or sensitive data. Naturally, if this data has been made accessible to any third party or to the public, then the individual should also have a right to be forgotten in order to protect his privacy.
Of course, this right cannot be absolute and certain data cannot be requested to be deleted which are of public importance or of national security. For instance, one cannot ask the union government to delete one’s Aadhar information. It will not be done so because it is national data collected by the government for the purposes of efficient administration of its citizens. Data collected, stored or being used for national interest overrides any lack of consent or the right to erasure. So, the right to be forgotten is limited in nature and requires approval by the competent authority for it to be enforced.
However, on one hand, where Article 21 paves the way for the right to be forgotten to be read into the Constitution, on the other hand, Article 19 stands as a hindrance. Article 19(1)(a) talks about the freedom of speech and expression that has been granted to all citizens of the country. So, the right to be forgotten is essentially stepping over somebody else’s right to speech and expression. Also, all citizens have the right to information that has been read into Article 19, whereby every citizen has the right to know the information that is in the public interest. The conflict arises when a heinous crime victim claims his/her right to be forgotten about the data that links him/her to that incident, and on the other hand, the convict of that crime cannot claim his right to be forgotten by the media. So, this proves that the right is qualified in nature and is not equally available to all at the same time.
The decision of the competent authority to retain or remove a particular piece of information from the internet will also have a significant impact on the freedom of the press in the nation. The media has a tendency to compare and contrast the behaviour or statements of people who are in the public eye with their previous behaviours or statements. The right to be forgotten will be a threat to such activities.
Also, procedural confusion may arise about whom to approach, the Central Information Commission or the Data Protection Authority, in case a citizen wants access to particular information.
The right to be forgotten is a qualified right, and a rather difficult one to implement. It requires permission from the competent authority who is at a discretion to grant or not grant such a request, based on what they consider to be or not to be in ‘public interest’. There is an overlap between privacy and transparency. The internet cannot be asked to remove all the undesirable data about an individual in order to ensure his right to be forgotten. In that case, all the accessible information will forever be only partly true. A line must be drawn between the information that can be kept private and removed on request and the information that is necessary to be disclosed in the public interest.
However, to guarantee this right under the Constitution of India, there needs to be an amendment made into Article 19(2), which states the limitations over the right to freedom of speech and expression, to include privacy as a ground. The PDP Bill shall strive at striking a balance between Article 21 and Article 19 by harmoniously construing one’s right to privacy and others’ right to information. The confusion regarding the competent authority should also be resolved. Conflicts must be minimized by the judiciary as well, so that uniform precedents can be set for the right to be forgotten matters. Also, this right will have no significance if the data in question is not erased globally. For this extraterritorial application, the international law on data protection should be expanded to include the right to be forgotten which will then be implemented universally in order to ensure the real essence of this right.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join: