Data Privacy Laws |Right to be forgotten

05 Feb
2021

In today’s world of interest and convenience to its access, the six degrees of separation, as was once known, has now been reduced, perhaps not more than two / three degrees of separation. This is primarily due of so much of data being present in the cyber world and continuous data mining happening every single moment. Once a person’s data is published on the web, it gets difficult to get that data removed in the absence of stringent laws. The data that has been published online becomes publicly available on the web and is potentially harmful for the person’s reputation, his identity, his relationships and his status in society, especially, if the personal information is not authentic or is put on the Internet without the person’s consent. With the concept of right to be forgotten, some succour may be sought to address this data dilemma highlighted above.

What is the right to be forgotten?

The right to privacy and protection of data and the right to be forgotten are the two sides of a coin. It is the right of a person to get his personal information removed from the Internet. The right to be forgotten allows a person to remove his name, pictures, contact details or any other personal information that might hamper his reputation or cause defamation from the search results.^[1] It is also known the right of erasure which means that an individual has a right to get his personal information permanently erased or deleted from the Internet. However, there exists certain limitations to events under which the right to be forgotten can be exercised.

History and Origin

The right to be forgotten stems from the right to privacy. Its origin can be traced to the European nations that have strict policies and laws for personal data protection. Article 8 of the European Convention for Human Rights (ECHR) adopted in 1950 mentions the right to privacy.^[2] The Article gives the right of respect to every person’s private and family life, home life and correspondence life.^[3] The International Covenant on Civil and Political Rights also talks about the right to privacy under Article 17. It states that there should neither be interference with an individual’s privacy nor should there be any unlawful attacks on the person’s honor or reputation.^[4] Under these conventions, the right to be forgotten can be inferred from the right to privacy. In 1955, the European Parliament passed a data protection directive.^[5] In Article 6(1)(e) of this directive, it was mentioned that personal data should be kept in such a form that allows the data to be identified only till the time it is necessary to achieve the purpose for which it was collected. Article 12(b) talks about the erasure or blocking of data that does not comply with the provisions of the directive.^[6] However, people started acknowledging the right to be forgotten in 2014 when the Google Spain decision on the right to be forgotten was decided by the European Supreme Court. In 2016, a new data protection and privacy legislation, the General Data Protection Regulation (GDPR) was adopted by the European Parliament. It includes the right to be forgotten.

Right to be forgotten under GDPR

The right to be forgotten has been codified for the first time in the General Data Protection Regulation. Article 17 of the GDPR lays down provisions for the right to erasure or be forgotten.^[7] As per the Article, the data subject or the person whose data has been collected has the right to demand the erasure of his person data from the data controller in any of the following conditions:

Where the data has already served the purpose for which it was collected and it is no longer necessary to keep the data intact.
If the data subject withdraws their consent to the processing of data.
When the data subject makes an objection to the processing of data and there is no reasonable or legitimate excuse to deny the objection.
If the data of the subject has been processed in an unlawful manner.
Data collection and processing of an individual who is below the age of 16 years is lawful only if the parent or the guardian of such person has provided the consent. When the person attains the age of 16 years, they can exercise their right of erasure.

If any of the above-mentioned conditions are met, the data controller will have to take necessary steps with the help of technology to erase such personal data for which the consent has been withdrawn or has been processed unlawfully. The controller will also inform other controllers that the data subject has withdrawn his content and wants his personal data to be erased.

However, the right to be forgotten under the GDPR is not absolute. It is subject to certain conditions. A data subject cannot exercise his right to erasure in the following cases:

When it is necessary to process personal data to uphold the freedom of expression and the right to information.
When such data is necessary to comply with the legal obligations for a task that is carried out to further public interest.
If it is necessary for public health.
If the data is necessary to conduct scientific, historical or statistical research.
To exercise, establish or defend any legal claims.

The Google Spain Case

The right to be forgotten was established in the landmark case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos (AEPD), Mario Costeja González.^[8] In this case, the European Court of Justice interpreted the relevant provisions of the European Data Protection. Directive and held that the data subjects have the right to ask the Search engines to remove their personal information from appearing on the results when their name is typed. The suit was filed before the court by a Spanish national, Mario Costeja González. He claimed that whenever his name was typed on the Google search engine, a web page from a Spanish newspaper appeared in the results that connected his name with a case of recovery of a social security debt. He filed a complaint with the Spanish Data Protection Agency requesting the removal of the webpage of the Spanish newspaper. Along with that, he also made a request to Google Spain to erase or delink his other personal information from appearing in the search results of the Spanish newspaper’s webpage. The agency did not take an action on the complaint on the grounds that such information was necessary for public interest. However, the request made to Google Spain for hiding the name in the search results was accepted. Google then appealed before the court that data operators or search engines do not come within the ambit of data controllers as specified in the Data Protection Directive. The main question that arose before European National High Court was, whether the data operators can be considered as data processors under the Directive and whether they should be asked to remove or conceal information. The Court had held that the data operators are to be considered as controllers according to the relevant provisions of the directive. Along with that, the data subject also has the right to ask the data operators for removal or concealment of his personal data that obstructs his fundamental rights. The data operator will be obliged to remove the links associated with the data subject. However, while considering this request, it is pertinent that the freedom of expression and right to information are not infringed.^[9]

The judgment received a lot of criticism on several grounds. People argued that the right the privacy was upheld over the right to information. The second point of criticism was the data operators are being given an uncensored right to publish and conceal information.^[10]

Even though the judgment passed in this case was celebrated as the establishment of the right to be forgotten on a superficial level, the actual interpretation of the court was not concerned with the removal of information from the public domain but rather concealing the said information by removing the links that takes an internet user to that web page.

Justice B.N. Krishna Committee

While the GDPR governs the privacy laws in the European Union, there is no specific privacy law regime in India. The Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 govern the protection of data. To frame a specific legislation for data privacy and protection, a ten-member committee was appointed by the Government of India in July 2017 for the purpose of identifying key issues concerning data protection in India and the ways to tackle those issues.^[11]

The Committee was headed by the retired judge of the Supreme Court, Justice B.N. Krishna, and was named as the Justice B.N. Krishna Committee. It prepared an exhaustive report on the same and submitted it in 2018. The Chapter 5 of this report lists down the purported rights of the data principal. Among other rights such as the right to access data, confirmation of processing, the right to object to the processing of data, the Committee also included a standalone right to be forgotten.

It stated that the right to be forgotten included the right to de-link, limit, correct or delete the data principal’s personal information that is available on a public domain online. The information should be irrelevant, misleading or embarrassing. When the data principal’s collected personal information becomes illegal or unwanted after a specific time frame, they have the right to demand that the data should not be disclosed anymore. The data principal also has the liberty to withdraw his consent to publish personal information on a public domain at a later stage. The said information should then be removed from the Internet. The Committee also suggested that the right to be forgotten should be exercised in accordance with the freedom of expression and the right to information.

Right to be forgotten under the Personal Data Protection Bill.

The right to privacy and the right to be forgotten are the two sides of the same coin. The right to privacy was confirmed as a fundamental right under Article 21 of the Indian Constitution in the case of K.S. Puttaswamy v. Union of India.^{^[12]} The apex court states that, “ One aspect of privacy is the right to control the dissemination of personal information. And that every individual should have a right to be able to control exercise over his/her own life and image as portrayed in the world and to control the commercial use of his/her identity.” The Supreme Court said that Privacy is based on the autonomy of an individual. It means the reservation of a private space for the individual. It includes the right to be let alone.

The Justice B.N. Srikrishna Committee recommended the formation of a legislation for the protection of personal data. The Personal Data Protection Bill ^[13] was introduced in the Parliament in 2018. It is yet to become a law. Chapter VI of this Bill stipulates the rights of Data principals. The right to be forgotten is mentioned under Section 27. It states that a data principal shall have the right to restrict the disclosure of personal information by a data fiduciary or to prevent it entirely. The data principal can exercise his right to be forgotten in the following cases:

When the personal data collected has served its purpose and is no longer necessary.
When the data was collected through consent and the data fiduciary withdraws its consent
If the data violates any provisions of the Personal Data Protection Act, or any other law.

However, the right to be forgotten can only be exercised when an Adjudicating Officer appointed under the Act finds that the right to information and the freedom of expression of other people override the right to privacy. To arrive at this conclusion the officer would have to consider several factors such as the sensitivity of information, whether the data is relevant to the public, to what extent is the data disclosed, and the data principal’s role in the public sphere. For this purpose, the data principal will have to file a request to the data fiduciary in writing explaining the identity of the data principal.^[14]

Indian jurisprudence – Right to be forgotten

Despite the fact that the Right to be forgotten is not specifically mentioned under any existing law in India, the courts, at several occasions, have acknowledged the right to be forgotten and given judgments in the favour of the aggrieved person. In the recent case of Subhranshu Rout @ Gugul^{^[15]} v. The State of Odisha, the Odisha High Court refused to grant bail to an accused in a sexual assault case. The accused has recorded the sexual assault on the victim and posted it on social media platform. The Court recognized the right to be forgotten and called for a debate on the same. It was stated objectionable photos and videos of victims of sexual assault on the Internet without any effective mechanism for its removal is a grave concern.

The Delhi High Court has also given a judgment recognising the right to be forgotten. In the case of Zulfiqar Ahman Khan v. Quintillion Business Media and Ors.,^{^[16]} respondents claimed that they had received harassment complaints during the #Metoo movement against the plaintiff (who is a renowned person in the media). As a result, they wrote two articles defaming the plaintiff. The plaintiff filed suit for a permanent and mandatory injunction against the respondents from publishing the articles online. The court recognised the plaintiff’s right to privacy, and stated that the right to be forgotten and the right to be left alone are inherent aspects of the same. The court restrained the republication or circulation of the articles.

In the case of Name Redacted v/s The Registrar General & Ors,^{^[17]} a woman had filed a FIR against her husband on the grounds of forgery, forceful marriage and extortion and filed a suit for rendering the marriage void. A separate injunction suit was also filed against the husband. The father of the woman later approached the Karnataka High Court requesting the removal of her name from all the cases because on searching for her name on Google, several disputes will show up in her name thus tarnishing her reputation and will cause difficulty for a remarriage. The Karnataka High Court accepted the petition and recognized the right to be forgotten. The Court ordered that the name of the women would be redacted from all the cases filed by her.

However, the Gujarat High Court has posed a contrary opinion on the right to be forgotten. In the case of Dharamraj Bhanushankar Dave v. State of Gujarat and Ors.,^[18] the petitioner was an accused for several offences in a case of culpable homicide amounting to murder. Even though he was acquitted and the judgement was made unreportable, it was published by an online Judgement repository. Therefore, the petitioner approached the Gujarat High Court for the restraint on publication of the judgment. The Court dismissed the petition on the grounds that publishing a judgement online does not amount to reporting and that the publication does not amount to the violation of his right to life and liberty. The court refused to acknowledge the right to be forgotten in the present case.

Difficulties in exercising the Right to be forgotten

While the right to be forgotten is enforced in the European Union under the GDPR and has also been acknowledged by the Indian courts, there still springs a debate now and then. There are several points on which the laws are silent.

When the right to be forgotten can be exercised- Does right to be forgotten only includes data that causes defamation or harms the reputation of a person or even in general cases where a person does not wish any of his information to remain in the public domain such as pictures or interviews of celebrities or pictures clicked at any public occasion. Even if the right to privacy is not infringed, whether the right to be forgotten can still be exercised remains unclear.

Data can be traced- Data leaves it traces somewhere or the other. Even if the information is de-linked from the search engines or restricted from disclosure, it is still present on the Internet and can be traced by professionals or hackers. This causes a grave concern for the data principals.

Clash with freedom of expression and right to information- There always lies a conflict between the right be forgotten and the right to information and freedom of expression. The right to be forgotten is not absolute. It can only be exercised to the extent that it does not violate the freedom of expression and right to information of the general public. Under GDPR, the right to be forgotten cannot be exercised if the data has been college for public interest. The Data Protection Bill, 2018 also states that the right to be forgotten will not be exercised if it infringes the freedom of expression or right to information. If the right to be forgotten is exercised, the other person’s right to information will prevail over the former. It does not make the right to be forgotten an absolute right.

The importance of data and relevance on our individual lives, in today’s day and age can certainly not be undermined, as it is often quoted that ‘Data is the new oil’. Data is being used to influence and even determine our behavior, our social standing, our financial standing, etc.

The Data Protection Bill restricts or prevents the disclosure of personal data for which the consent has been revoked. However, in cases where consent has not been provided, there is no mechanism for the removal of personal information. The Bill also does not expressly state the removal of personal data from the Internet. Even if the bill is passed, there will be a lag in proper implementation of the right to be forgotten or removal of data from the public domain.

In the case of Name Redacted v Registrar General,^[19] the order issued by the Karnataka High Court has not been implemented effectively because the name of the woman can be seen on several websites. The courts have time and again recognized the right to be forgotten and also acknowledged the need for a robust mechanism for removal of information from online platforms.

Therefore, while the right of privacy has been recognized as a fundamental right of the citizens, and extension of that also the right to be forgotten, for which the citizens should have unbridled right, subject to equitable and reasonable exceptions .

Sneha Chugh & Anupam Prasad

Sneha is a third-year student of law at the New Law College, Bharati Vidyapeeth University, Pune and has recently interned at the Firm. The Firm acknowledges and expresses gratitude for the efforts put in by Sneha towards this AP Law Series write up.

^[1] Guadamuz, Andrés. (2017). Developing a Right to be Forgotten. 10.1007/978-3-319-64955-9_3.

^[2]https://www.indialawjournal.org/a-hustle-over-protecting-personal-data.php#:~:text=History%20of%20’Right%20to%20be,EC%20(%E2%80%9CDirectives%E2%80%9D)

^[3] Council of Europe, European Convention for the Protection of Human Rights and Fundamental Freedoms, as amended by Protocols Nos. 11 and 14, 4 November 1950, ETS 5, available at: https://www.refworld.org/docid/3ae6b3b04.html [accessed 29 December 2020]

^[4] UN General Assembly, International Covenant on Civil and Political Rights, 16 December 1966, United Nations, Treaty Series, vol. 999, p. 171, available at: https://www.refworld.org/docid/3ae6b3aa0.html [accessed 29 December 2020]

^[5] DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 24 October 1995

^[6] DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 24 October 1995

^[7] https://gdpr-info.eu/art-17-gdpr/

^[8] ECLI:EU:C:2014:317

^[9] Guadamuz, Andrés. (2017). Developing a Right to be Forgotten. 10.1007/978-3-319-64955-9_3.

^[10] https://harvardlawreview.org/2014/12/google-spain-sl-v-agencia-espanola-de-proteccion-de-datos/

^[11] https://www.thehinducentre.com/resources/article24561713.ece

^[12] (2017) 10 SCC 1

^[13] Personal Data Protection Bill, 2018.

^[14] Personal Data Protection Bill, 2018.