This article is written by Pulkit Chaudhary and pursuing an MBA with a Specialisation in Data Protection and Privacy Management from the Swiss School of Management. This article has been edited by Ruchika Mohapatra (Associate, Lawsikho).
This article has been published by Sneha Mahawar.
Table of Contents
Introduction
With the advancement of technology in the last few decades, businesses have reached levels that no one could have thought of. In order to reduce the burden of personnel on miscellaneous tasks such as sending automated emails/calls, bot chats, etc. businesses are now switching to and are deploying AI (Artificial Intelligence) and ML (Machine Learning). In order to carry out these tasks, an enormous volume of data is processed which includes the personal data of the data subjects.
The world of data, data protection, and compliance offer a bundle of rights to the data subjects whose data is collected and processed by the companies for the betterment of the services they offer to data subjects with the ultimate motive of earning huge profits. This can range from improving the product, services, market analysis, and surveys to the sale and purchase of the data as data brokers or information brokers (organizations/individuals who are specialized in collecting and circulating the data for processing).
In order to deal with such a situation and retention of some control over the data by the data subjects, the European Union General Data Protection Regulation (hereinafter “GDPR”) came up with provisions providing substantial protection to the rights of the data subjects against the unauthorized and unlawful use of their personal data which is now has become the benchmark and grundnorm for many data protection legislation around the globe.
Some of the rights of data subjects as stated above are as follows:
Right to access information (Article 15 of GDPR)
This right enables that data subject to access the personal information provided by her to the data controller for the purpose of processing.
Right to rectification of the information (Article 16 of GDPR)
This right enables the data subject to get her information corrected/rectified if incorrectly provided by the data subject or incorrectly recorded by the data controller.
Right to restrict processing (Article 18 of GDPR)
The data subject can also restrict the processing of her personal data in exceptional circumstances such as mentioned below:
- Where there is unauthorized use of the data collected i.e., other than the purpose for which it was initially collected.
- Where the data processing is the inaccurate data
- Where the data is being processed after fulfillment of the purpose for which it was collected.
Right to be informed (Article 12 of GDPR)
The data controllers are obliged to provide the relevant information to the data subjects as and when required (for example in case of a change of privacy policy/data breach etc.) or requested by the data subjects (for example-request to know the status of a complaint made to the DPO).
Right to be forgotten under the EU GDPR
This right can also be termed the “Right to erasure”. The right to be forgotten emerged for the very first time in a decision by the European Court of Justice in the year 2014. The court observed that the data protection law of Europe enables the data subjects to question the web search engines to remove certain personal information relating to the data subjects. There are some relevant factors under which the right to erasure can be enforced by the data subjects.
The Right to be forgotten is defined under Article 17 of the GDPR as:
The right to be forgotten is the most important right available to the data subject where she can oblige the data controller to erase her personal data completely which is collected by the data controller for the purpose of processing. However, this can be exercised in the following circumstances:
- When the data collected by the processor is not required anymore for the purposes of processing
- Where the erasure of personal data is necessary to meet a legal obligation.
- Where the data has been processed unlawfully.
- Where the data subject objects to the processing of her personal data being used for profiling for the purposes of direct marketing.
- When the processing of the personal data overrides legitimate grounds and the rights of the data subjects
- Where the data subject withdraws her consent given for one or more specific purposes of processing within the meaning of Article 6 (1)(a) of GDPR or where the consent is for one or more explicit and specific purposes relating to revealing of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is withdrawn within the meaning of Article 9(1)(a) of GDPR.
Situations where the right to be forgotten cannot be exercised (exceptions)
- Where the data is used for the purpose of exercising the right to freedom of expression and information. (Article 17(3)(1) of GDPR).
- In the case of legal obligations imposed by the state or the union law to which the controller or processor is subject or in the case of processing activities that are undertaken in the interest of the general public or while exercising the official authority vested in the data controller.
- The right to be forgotten cannot be applied to the situation where a special category of personal data is processed in relation to and for the purposes of preventive or occupational medicine, medical diagnosis, the assessment of the working capacity of the employee the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional. (Article 9(2)(h) of GDPR).
- Where the processing of such personal data is necessary for healthcare like protection against cross border health threats or securing/maintaining standards of healthcare products and medical devices in compliance with the union or state laws providing for the measures safeguarding rights and freedoms of the data subjects with emphasis on professional secrecy. (Article 9(2)(i) of GDPR)
- For enforcing and defending the legal claims.
- For the purposes of scientific or historical research or when such processing is necessary for the public interest.
Position in India
During the last few decades, privacy was not an important issue in India. With the evolution of technology and the emergence of smart devices, the amount of personal data which is being processed in order to deal with competitive markets and for providing a better user experience to the data subjects, the dominance of big tech giants/ government agencies against the data subjects and for protection of their rights, the situation called for recognizing the right to privacy as a fundamental right.
Hence, addressing the issue of Privacy in the case of Justice K.S Puttaswamy v. Union of India (2017) 10 SCC 1, the Supreme Court of India came up with the observation of recognizing the right to privacy as a fundamental right as part and parcel of the right to life and personal liberty within the meaning of Article 21 enshrined in Part III of the Constitution of India.
It is pertinent to mention here that the Data Protection and Privacy are not codified as of now but the Personal Data Protection Bill, 2019 (Now Data Protection Bill) was referred to Joint Parliamentary Committee and now after rounds of discussions, the bill can be tabled in the Parliament of India any time soon, most probably in the Monsoon or Winter Session. Therefore, at present, though there is no straight-jacket formula for enforcing the right to privacy or the right to be forgotten in particular, the same is enforced via Writ Petitions before the Constitutional Courts of India. Some of the landmark cases where the different High Courts and Hon’ble Supreme Court dealt with the right to privacy and also enforced the same are as follows:
X v. & Ors. (Delhi High Court)
In the aforesaid case, the Hon’ble High Court of Delhi dealt with two principles of Data Privacy namely data anonymization and the right to be forgotten.
Facts of the case
In this case, the petitioner was approached by a movie production house and she was lured into a movie trailer that consisted of complete frontal nudity, with a promise to give her the lead role. However, the aforesaid movie project failed and was never produced.
The producer of the project after some time uploaded the impugned video on YouTube which was discovered by the petitioner in December 2020 aggrieved by this incident, the petitioner approached the Hon’ble Delhi High Court.
Observations
In the present case, it is explicit videos that are being circulated, having a clear and immediate impact on the reputation of the person seen in the videos in a state of nudity.
“Right to privacy includes the right to be forgotten and the right to be left alone as “inherent aspects”, this Court is also of the opinion that the right to privacy of the plaintiff is to be protected, especially when it is her person that is being exhibited, and against her will.”
W.P.(MD). No.12015 of 2021 (Madras High Court)
Facts of the Case
In this case, the accused was charged with various offenses of the Indian Penal Code, 1860 (IPC) where he was convicted by the trial court and was eventually acquitted by the Appellate Court on merits. However, the petitioner in this instant case was aggrieved by the fact that although he was acquitted from the aforesaid case even then, if anybody types his name on a Google search and is able to access the judgment wherein his name is displayed as accused it has caused damage to his reputation. Hence, the petitioner approached the Hon’ble Madras High Court for adequate relief.
Observations
The Hon’ble High Court in this case observed that, If the essence of this Judgment [(K.S Putthaswamy (supra)] is applied to the case on hand, obviously even a person, who was accused of committing an offense and who has been subsequently acquitted from all charges will be entitled to redacting his name from the order passed by the Court in order to protect his Right of Privacy. This Court finds that there is a prima facie case made out by the petitioner and he is entitled to redact his name from the Judgment passed by this Court in Crl.A. (MD). No.321 of 2011″
The Court also observed that “It is also informed to this Court that a new Right called as Right to be Forgotten is sought to be included in the list of Rights that are already available under Article 21 of the Constitution of India”.
Xxx V. Union Of India And Connected Matters (Kerala High Court)
In a very recent development relating to the Right to be forgotten under the Indian Data Protection Regime and Justice Dispensation System, the Hon’ble Kerala High Court came up with the idea of drafting an Information Management Policy that could resolve the issue of masking parties’ names in its orders and judgments which can lead to infringement to the hard-earned reputation and social status of the parties.
Conclusion
In the present era of the digital world, social media and throat cut competition of businesses including aggressive marketing strategies, expectations from the Indian Personal Data Protection Bill, 2019 (Now Data Protection Bill) are sky-high. Though the general public/ data subjects may not be much aware of the personal data, its misuse, compliance requirements, or their rights relating to personal data, the Data Protection Bill of India, hopefully, will address every data protection and privacy issue extensively like the GDPR. Even without any codified legislation relating to Data Protection and Privacy, the Indian Courts are brilliantly dealing with many sensitive issues of Privacy through their proactive approach towards enforcement of the Fundamental Right to Privacy of the subjects under various circumstances as discussed above.
Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.
LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:
Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.