[Ed Note : In a slightly longer read, Pranay Bhattacharya, a second year student of Maharashtra National Law University (MNLU) Aurangabad talks about the origins and development of the “Right to be Forgotten,”, using this as a background to critically analyze this right as present in India’s Draft Personal Data Protection Bill 2018.]
“Blessed are the forgetful, for they get the better even of their blunders.”
Practically, our whole life at present is online in this new millennium. The chilling part is, it’s going to be that way forever now! This can make anyone feel quite exposed beyond his or her limits of control, isn’t it? What does one do if something goes wrong? What if, the wrong is a mistake? Does it have to stay a mistake or is there a choice to make amends?
Protecting private data is one of the latest buzzwords around the globe. The biggest cyberspace challenge concerning lawmakers in this era of digitalization is data privacy protection. This article dissects the importance of right to be forgotten that foreshadows the rights of individuals to control their personal data without encroaching or transgressing their basic rights of freedom of speech, expression, privacy in the digital domain of social media and protection of their private data in the digital domain.
India’s draft Personal Data Protection Bill, 2018 (hereinafter PDPB) is a comprehensive move towards data protection, trailing in the footsteps of European Union’s General Data Protection Regulation, 2016 (hereinafter GDPR) for protection and preservation of personal data.
The principle of right to be forgotten/erasure originated in and has gained worldwide attention since the Argentine Virginia Da Cunha case (Juez Nacional en lo Civil)  which tackled the issue of civil liability of web search engines (like Google and Yahoo) derived because of results (certain photographs and links) that came up when people searched “Virginia Da Cunha”, an Argentine singer, actress and dancer. In 2006, Da Cunha filed her petition based on the alleged violations of her constitutional rights such as those protecting privacy, dignity, image and honour and the like; and also succeeded in obtaining preliminary injunctions against the said search engines in 2009. These injunctions were however subsequently reversed by an Appellate Court in 2010 by a majority of 2-1, albeit after recognizing the conflict between “Free Expression” and “Privacy Rights” here. In three subsequent cases, namely Virginia v. Yahoo SRL, Maria Belen Rodriguez v. Google Inc. and Lorenzo Barbara v. Google Inc., the Court’s ruling remains the same, viz,
- The search engines did not have any liability for the results that were produced and the use of filters to block search results would amount to prior censorship. The correct action should have been against the third parties producing the content for putting freedom of expression at risk.
- Intermediaries (search engines) become liable only upon obtaining “effective knowledge” of illegal content. In general, only a finding of illegality and relevant notification by a court or other competent authority could place intermediaries on notice. However, the court conceded that in a few cases of “gross and manifest” harm, involving content whose illegality is beyond doubt, a proper notification by the affected party might be sufficient to require intermediaries to act. Such categories may include child pornography, speech that directly endangers the life or physical integrity of others, clear incitement to violence or discrimination, or clearly unlawful publications that grossly violate individual privacy or cause deliberate harm to one’s reputation.
Subsequent to this De Cunha line of rulings, a similar case was filed in 2010 under the framework of the 1995 Data Protection Directive of the EU (which guaranteed a right to be forgotten). In this case, Mario Costeja González, a Spanish national, filed a complaint requesting his name and personal information be removed from a search engine database, arguing that the proceeding for which it had been given had been resolved, rendering the data irrelevant. Contrary to its Argentinean counterpart, here The EU Court of Justice held against the search engine because it was the one who carried out the processing of the data in question and thus had control over it that extended to its removal. This ruling thus enshrined and developed the concept of “Right to be Forgotten” and helped in its codification under EU’s GDPR. Since then, Google has received plenty of requests to delist data and URLs to remove certain results on the basis of person’s name (For further details, please refer to the data available on Google Transparency Report).
Thus, the evolution of the right to be forgotten can be traced through two main events – litigation in Argentina and litigation in Europe. While the former put the right in the limelight. (though it did not uphold it), the latter gave it the previously-lacking dimension of enforceability, paving the way for its future codification in the GDPR.
Under the GDPR, right to be Forgotten (also known as The Right to Data Erasure) entitles the data subject to have the data controller erase his/her personal data, cease its further dissemination and have third parties halt its processing. The conditions for erasure, as outlined in Article 17, include the data no longer being relevant for processing, or the data subject withdrawing consent. It should also be noted that this right requires controllers to compare the subjects’ rights to “the public interest in the availability of the data” when considering such erasure requests. A similar provision can be found Section 27 of the draft Personal Data Protection Bill, 2018.
It is important to note that this right is not absolute. If it contradicts right to freedom of speech, expression and access to information or is against the public interest, it cannot be invoked. The right to be forgotten can thus only be applied if the links with the aforementioned limitations are “inadequate, irrelevant or no longer relevant, or excessive,”.
THE INDIAN JOURNEY: COMPARATIVE ANALYSIS OF RIGHT TO BE FORGOTTEN AND RIGHT TO PRIVACY
In the landmark “Right to Privacy” judgment delivered by the Supreme Court in Justice Puttaswamy v. Union of India, 2017, Justice Sanjay Kishan Kaul opined that the right of privacy was a fundamental right under Article 21 of the Constitution as a part of the right to “life” and “personal liberty. Further; the apex court identified and stretched the principle of “informational privacy”, thereby providing individuals control over the data they upload. This brought the right to be forgotten within the scope of informational privacy. In this regard, Justice Kaul stated, “The right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the internet”.
Thus, though the latter (right to be forgotten) is a subset of the former (the right to privacy) in India, it is important to note that there are fundamental differences between the right to privacy and the right to be forgotten. Under the former, data is never brought into the public domain. In the case of the latter however, it is data which was once known to be in public domain seeks erasure; thus disallowing further access to third parties.
JUDICIAL STAND OF THE RIGHT TO BE FORGOTTEN IN INDIA
The issue of right to be forgotten first arose before the Gujarat HC in the case of Dharamraj Bhanushankar Dave v. State of Gujarat and Ors., 2015. The court dismissed the petition in the absence of any legal provisions making the right justiciable
Further in the landmark judgment passed by the Karnataka HC in the case of Sri Vasunathan v. Registrar General, 2015, the petitioner asked the court for removal of his daughter’s name from past criminal records digitally maintained by the HC., alleging that the same constituted a violation of right to privacy and defamed his daughter. It was the first time here that the court recognized the principle of Right to be Forgotten in India, and granted the petitioner the requisite relief. The court remarked that the ruling is…”in line with the trend in western countries of the ‘right to be forgotten’ in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.”
Other HCs such as the Kerala HC and Delhi HC have also ruled along similar lines in analogous fact situations, thereby cementing the right to be Forgotten in India even in the absence of an express legal provision.
AMBIGUITIES OF RIGHT TO BE FORGOTTEN IN THE PDP BILL
The draft bill talks about the right to be forgotten but limits the scope of this right to restricting and preventing continuous disclosure of personal data of the data subject, but does not stipulate complete erasure of the data. Only in the following cases does the data subject have the right to restrict the data on the discretion of the adjudicating officer –
- Where the data has served the purpose for which it was collected and is no longer necessary.
- Where free consent is withdrawn by the data subject.
- Where the data was collected in violation of the provisions of the draft bill or any other law contrary to the provisions of law made by the parliament or the legislature.
Thus, unlike the GDPR, the PDP Bill does not require the organizations to remove the data completely. The search engine can store the data of the data subject on the virtual data base, even if it doesn’t appear in searches. This is clearly not in sync with the line of jurisprudence under the right.
A comprehensive analysis would mean that even if the data subject has the right to be forgotten, it restricts the right of erasure. Such restriction indirectly allows the data fiduciary to retain the necessary data which may be used for the purpose of processing in future. Hence, it can be said that the right to be forgotten is not absolute and is limited in its scope when it collides with the fundamental right of freedom of speech and expression, and in India, the balance tilts towards the Freedom of Speech and Expression.
Ironically, the bill also provides to maintain a record of the data erased. Therefore, the contention here is – if the data is already forgotten or erased, how the data fiduciary can maintain a record of it!
The Personal Data Protection Bill, 2018 is still a draft in form; an attempt to bring India at par with international standards of data protection and legal framework. It’s a conscious attempt to deal with processing of personal data while delineating rights and obligations of parties in detail. In substance, the right to freedom of speech and expression seems to subordinate the right to be forgotten in the PDP Bill, unlike its jurisprudence in other parts of the world.
On right to be forgotten and data erasure, the framework of language has ambiguities too. Obligation of data fiduciary to maintain data to demonstrate compliance contradicts the essence and purpose of data to be forgotten and erased. Further, there is lack of clarity about when and how the methods of destruction, deletion, or erasure of personal data could be invoked by data subject.
In sum, the “Right to be Forgotten” under the PDP Bill therefore has a long way to go as the principles espoused therein require greater clarity.