‘RIGHT TO BE FORGOTTEN’ IN INDIA

This content is researched and drafted by Akella Poornima, IIIrd Year LL.B (2018-2021) student at Symbiosis Law School, Pune, India.

Introduction

The ‘Ministry of Electronics and Information Technology’ issued a draft bill on Personal Data Protection (PDP) in 2018 under the guidance of the B.N. Srikrishna Committee. The Bill (hereinafter known as the PDP Bill) introduced the term ‘Right to be Forgotten’ for the first time to its citizens. It was incorporated through the European Union Data Protection Regime called as ‘General Data Protection Regulation’.

Section 27 of the PDP Bill envisages the said right by providing the right to prevent or discontinue from sharing the personal data of a person, which are utilized by agencies for whatever purposes. It also covers the content which is related to personal information on the internet that is misleading, false, obscene or embarrassing, or even irrelevant.

Two terms are wisely incorporated in the Bill namely ‘Data Principal’ and ‘Data Fiduciary’. Data Principal means any person or identity to which the data or the personal information belongs whereas the latter means the organization or the party that has the access to that personal data.  Section 27 descriptively provides any Data Principal with a right to obstruct or prevent data fiduciary from using any of his personal information which is irrelevant or unimportant.  As per the Section, every Data Principal has been given with this right to restrict or prevent the continuation of disclosure of his/her data by any data fiduciary if such disclosure fulfills at least one of the following three conditions, namely, such disclosure of personal data:

• has served the purpose of its existence or is found to be no longer necessary; or
• was made by taking the consent of the Data Principal whereas such consent has afterwards been withdrawn; or
• was made contrary to the provisions of the Act or any other law in force.

To avail the aforementioned right, it is required to file an application in the form and manner as prescribed in the Act to an Adjudicating Officer, who after thoroughly researching has concluded that any one of the three grounds mentioned above is applicable.  Parallel to that, it is also important for the Adjudicating Officer to check whether the rights and interests of the Data Principal in preventing his personal information overrides the right to freedom of speech and expression and the right to information of any citizen or not. In an attempt to check whether it overrides or not, the adjudicating officer has to determine the following factors namely,

(a) the sensitivity of the personal information or data of the Data Principal;

(b) the scale of disclosure and the degree of accessibility in restricting or preventing;

(c) the role of the Data Principal in public life;

(d) the relevance of the personal data to the public; and

(e) the nature of such disclosure and the activities of the data fiduciary under whose control the disclosure is.

Data principal is not required to approach Data Fiduciary.

Section 27 of the Act removes any kind of obligation for Data Principal to communicate or request Data Fiduciary to help in restricting/preventing or removing personal data from the platform before approaching the Adjudicating Officer for ensuring his rights.

On the other hand, Section 28 of the Act details the conditions and procedures for the exercise of rights and purposefully, it does not apply to the aforementioned Section 27 from meeting the procedural requirements mentioned under Section 28.

Section 28 states that the exercise of any right under the Act shall only be based on a request made in writing to the Data Fiduciary with reasonable information to satisfy the Data Fiduciary of the identity of the Data Principal making the request and hence, the Data Fiduciary to acknowledge the receipt of such request within such time as may be specified.

Here in this regard, the lawmakers felt it was important to keep any petition enforcing the right to be forgotten to be taken to the Adjudicating Officer directly without giving the Data Fiduciary a chance to do the task on its own. One such possible reason in keeping consecutive sections independent and improvising an Adjudicating Officer as a judge in between is to avoid the uncontrollable repercussions and to keep a track on the data which is being removed from a public domain.

Background

The concept of protecting an individual’s private information belongs to Western Countries. European Union in the year 1995 brought its first legislation on data protection. Though the right was not expressly codified but put in together Article 6(1)(e)[1] and Article 12(b)[2] provided a reference to it.

In 2014, the European Court of Justice laid down the roots through an important case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González.[3] The case arose out of a newspaper published article in 1998 which was related to a forced property sale that was made by X to settle a social security debt. In 2009, Mr. X contacted the newspaper requesting them to remove the article from the public domain as searching for his name brought up this old article every time. When the newspaper denied the request stating that the same was a government-ordered publication, Mr. X requested Google Spain SL (“Google“) to remove the search result. The courts in the European Union then ruled that Google would be required to remove the search results whereas the newspaper would not have to remove the original article. This ruling effectively established the precedence for “the right to be forgotten” and validated it as law. The European Court of Justice further held that the European citizens have a right to request any commercial search firms like Google which gathers personal information for profit-making, to remove links of private information when asked by the Data Principal, provided that such information is not relevant. By upkeeping this right as law and by setting precedence worldwide, the Court of Justice found that the fundamental right to privacy is greater than the monetary interests of any commercial firm and, in some cases, perhaps greater than the public interest as well in accessing to information.

GDPR v/s PDP Bill

Article 17 of the European Union General Protection Regulation (GDPR), providing the right to be forgotten, has a wider scope of its application and implementation in comparison to the PDP Bill. GDPR provides the Data Subjects[4] with a right to erase the personal information through a Controller[5] without delay whereas, under the PDP Bill, the Data Principals can only restrict or prevent the disclosure of personal information. The PDP Bill does not authorize the Data Principals to delete their data from the Data Fiduciary’s platforms whereas under GDPR, to avail such as the right to erase, the data subject must be able to prove that:-

• the purposes for which the personal data was collected or processed no longer exists; or
• the data subject has withdrawn such consent based on which the information was processed, and there is no other legal ground for the processing; or
• the data subject is entitled to object to the processing of his data; or
• the data subject’s data has been unlawfully processed; or
• the personal data is required to be erased for compliance with a legal obligation to which the controller is subjected to; or
• the personal data has been collected in relation to the offer of information society services directly to a child.

However, the GDPR ensures that the right to be forgotten is not available as a right or a remedy when the processing of personal data is necessary for the following purposes:

(a) to avail right to freedom of expression and information;

(b) for complying with a legal obligation or for the performance of such task carried out in the interests of the public;

(c) for public health and awareness about it;

(d) for scientific or historical research purposes; or

(e) for the establishment, exercise, or defense of legal claims.

Also, GDPR directs the data subject to approach the Controller for the erasing of personal data. Only in a condition where the Data Controller refuses to comply with such request, the data subject can approach a supervisory authority for redressal whereas, under PDP Bill, an Adjudicating Officer is set up in between Data Principal and Data Fiduciary in such condition where some personalized data is required to be restricted or prevented from the public reach.

Judicial Precedents in India

In the initial case of Dharamraj Bhanushankar Dave v. State of Gujarat & Ors[6]., the Gujarat High Court denied the existence of any such right. This case occurred where the Petitioner prayed before the court to restrict the disclosure of a court’s judgment which was published by the Respondent on the internet. The Gujarat High Court held that copies of the judgment of High Court can be given to any party by the order of Assistant Registrar and therefore, it is not possible to restrict its publication on any platform.

On the other hand, the Karnataka High Court in the case of Sri Vasunathan v. The Registrar General & Ors.[7] recognized the ‘Right to be Forgotten’. The Petitioner prayed to direct the Respondent to remove his daughter’s name from an order in the digital records maintained by the Respondent. The said order was wrt to an FIR filed by the Petitioner’s daughter against a man who compelled her to marry, forge, etc. Subsequently, the parties entered into a settlement on a condition that the criminal case against the man shall be withdrawn by the Petitioner’s daughter. The Petitioner contended that the said order may affect his daughter’s relationship with her husband as well as her reputation in the public domain. Considering the arguments, the Karnataka High Court recognized the principle of ‘Right to be forgotten’ and directed the respondent to mask the name of the Petitioner’s daughter. Justice Anand Byrareddy disposed the petition by concluding that:

“This would be in line with the trend in the Western countries where they follow this as a matter of rule “Right to be Forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.”

In a recent matter of Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd. and Ors.,[8] the Delhi High Court recognized the Plaintiff’s ‘Right to be Forgotten’. The issue arose when two articles, containing harassment allegations against the Plaintiff during the #MeToo campaign, were published by the Respondent. The court directed the Respondent to take down these articles from the internet as they might cause massive injury to the Plaintiff. The court also said that the ‘Right to be Forgotten’ and the ‘Right to be Left Alone’ are the inherent facets of ‘Right to Privacy’.

Conclusion

The PDP Bill has been welcomed in India after decades of debates and hardships. Recognizing the right to privacy concerning the data protection of personal information is a win-win situation for us. Though the PDP Bill has been welcomed in the Parliament, it is still in a long process to become settled law. The Supreme Court in this regard has already confined itself by saying that it will not recognize right to be forgotten as an absolute right. Other rights such as the right to know, freedom of the press, etc. should not be hampered in an attempt to recognize the right to be forgotten, which perhaps is the biggest dilemma for the lawmakers.

References

• Right to be Forgotten in India: A Hustle over Protecting Personal Data, written by Kunal Garg, available at (https://www.indialawjournal.org/a-hustle-over-protecting-personal-data.php#:~:text=Though%20the%20’Right%20to%20be%20Forgotten’%20is%20not%20a%20settled,data%20by%20’data%20fiduciary’.)
• Right To Be Forgotten- article, available at (https://www.drishtiias.com/daily-updates/daily-news-editorials/right-to-be-forgotten-2)
• India: The Right To Be Forgotten – Under The Personal Data Protection Bill 2018, written by Vinod Josephand Deeya Ray, available at (https://www.mondaq.com/india/privacy-protection/860598/the-right-to-be-forgotten–under-the-personal-data-protection-bill-2018 )
• PDP Bill 2018 pdf, available at (https://www.meity.gov.in/writereaddata/files/Personal_Data_Protection_Bill,2018.pdf)

[1] Mandated Member States that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed”

[2] “Member States shall guarantee every data subject the right to obtain from the controller as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular, because of the incomplete or inaccurate nature of the data”.

[3] ILEC 060 (CJEU 2014)

[4] Is defined as ‘data principal’ in PDP Bill.

[5] Data Fiduciary in PDP Bill is termed as controller in GDPR

[6] Dharamraj Bhanushankar Dave v. State of Gujarat & Ors, 2015 SCC OnLine Guj 2019.

[7] Sri Vasunathan v. The Registrar General & Ors., 2017 SCC OnLine Kar 424.

[8] Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd. & Ors., 2019 (175) DRJ 660.