October 31, 2019
This is the 21st Century and the ‘digital age’ has dawned on us as we edge towards the ‘Internet of Things’. Every minute, over two-hundred million e-mails are communicated globally, more than seven million photos are shared, and two million eight hundred thousand people react to posts on a plethora of social media platforms across the world. The hyper-connected world is now. A network of increasingly invasive devices – our mobile phone companies, the apps and websites we visit and even the Government – map and record our data. The world has now begun to know more about individuals more through the data collected about them rather than interpersonal interactions. ‘Social media’ platforms are one of the biggest contributors to user data collection. Spurred by the commercialisation of the internet and its mass accessibility to users worldwide, in a mere matter of decades, these seemingly innocent web-based interfaces, initially designed with the motive of “making friends and meeting new people” transformed into “super-connected” (read intrusive) platforms meticulously recording and adapting to every single interaction users have with it – gaining notoriety as untamed beasts possessive of all the potentials of “influencing” how people think – to the extent of manipulating elections in “free and democratic” nation-states. It is no longer a nonchalant matter associated merely with science-fiction that if and once our digital shadow is compromised, we will become less valuable than the data we produce.
In such a digital realm that is categorically programmed to store and dynamically adapt intelligently to such data, the quintessential question for some time now has been whether individuals “own” either data belonging to them or is particular to them – once uploaded to the servers. A probing question was whether this manifested itself in such manner that individuals were bestowed upon the ‘right to control’ or ‘modify’ this data and consequently whether they possess the ‘right to erase’ this data.
The virtually instantaneous speed of transmission of data is a double-edged sword in as much as it helps facilitate the transfer of information to anywhere across the globe (and beyond) in a matter of clicks. However, the fact the data may be transmitted across the globe virtually instantaneously is highly problematic since information that is false or the contents of which are not meant to for the public eye may just as instantaneously be transmitted to the world and would be inconsistent with the ‘right to privacy’.
The free and open accessibility of billions of users worldwide to an individual’s personal information might have ruining ramifications to a person’s reputation. In the Indian context, the foundations of Aristotle’s postulations wherein he impressed upon that “Man is, by nature, a social animal” are well reflected in the Supreme Court of India’s understanding of the issue as – reputation itself was likened to life in the landmark case of Om Prakash Chautala v. Kanwar Bhan in holding that “When reputation is hurt, a man is half-dead. It is dear to life and on some occasions, it is dearer than life … thereby becoming an inseparable facet to the ‘right to life’ envisaged under Article 21 of the Constitution of India.”[1]Thereby an intentional defamatory attack on an individual’s reputation has been held to be tantamount to an attack on the individual’s life itself.[2][3]
In light of the aforementioned circumstances whereby ‘reputation’ has evidently been held in high regard by the Indian judiciary, in certain instances individuals may wish to hide from public domain sensitive information that is ‘irrelevant’, ‘unqualified for the public eye’ or in most cases ‘false’. This desire of invisibility from the public eye has emerged as the ‘right to be forgotten’.[4] The right encompasses the citizens’ rights to approach intermediaries, websites, search engines and social platforms and demand the erasure of certain information regarding them.[5] The ‘right to be forgotten’ in essence, arose from the desires of individuals to “determine the development of their life in an autonomous way, without being perpetually or periodically stigmatized as a consequence of a specific action performed in the past.”[6]
Entrenched in Western traditional liberalistic thoughts, ‘privacy’ was provided solid foundations in theoretical Hobbesian and Lockean liberty – which was subsequently embraced by Anglo-Saxon empiricist philosophy and later adopted by the European Union (hereinafter, abbreviated as ‘EU’) and is prevalent in the rationale behind the effectuation of the ‘right to be forgotten’. In fact, Canada also espouses a similar view wherein individuals may request search engines to remove offensive information about them.[7] Similarly, Singapore and Australia – two highly heterogenous and multicultural countries have also made strides towards extending the same to their citizens. Similarly, the Islamic State of Indonesia has also introduced the same in their legal framework since ‘privacy’ is an important subset of Islam culturally. However, it must be noted that culturally homogenous countries like Japan deny the granting of such right on the grounds of public interest.[8] Drawing from these examples, the conclusion may be drawn that how ‘privacy’ is perceived as culturally, is a vital cog in determining the subsequent jurisprudence pertaining to ‘the right to be forgotten’.[9]
It was only in 1995, with the EU enacting its first legislation on personal data protection viz. Directive 95/46/EC, that inferences could be made to ‘the right to be forgotten’ through an analytical reading of Articles 6(1)(e) and Article 12(b) – which mandated that personally data shall be stored congruently to the time they were collected for and bestowed the right to rectify, erase or block the processing of personal data if the same is not in line with the Directives.
They permitted the petitioner – González’s – plea of removal of the data with the caveat that it may be permissible only when such information becomes “unnecessary and inadequate regarding the purpose it was collected for.”[11] The implied purpose test was thus created, on the satisfaction of which, the plea of erasure can be maintained.[12] For instance, if a person’s name is searched, a string of results displaying links to various web pages containing further information is generated by the search engine operator. Persons aggrieved due to such display of certain information may directly approach operators and have the right to proceed against the intermediaries in case of denial of such services.
The EU Commission legislated the General Data Protection Regulations(hereinafter, abbreviated as ‘GDPR’) in 2018 repealing prior directives. An express provision was stipulated under Article 17 – the ‘right to erasure’ (with the ‘the right to be forgotten’ in brackets) bestowing the ‘data subject’ a right as against the controller for ‘erasure’ of data on grounds such as ‘personal data is no longer necessary to store’, ‘unlawful processing of personal data’, ‘withdrawal of consent by data subject’ etc. Moreover, Article 3(2) of the legislation attempted to widen the scope of legislation by binding even companies based off non-EU member States – however, the territoriality envisaged under the GDPR was subsequently regulated by the European Court of Justice in the Google France case.[13]
Although the European Court of Justice has sanctioned and popularised ‘the right to be forgotten’, its status in the world continues to be largely divided. In fact many European nations recognise this right in terms of the French Principle of ‘le droit á L’Oubli’ or the ‘right of oblivion’[14] wherein a criminal having rehabilitated can object to the publication of facts of his or her conviction.[15]
The landmark judgement of Retd. Justice K.S. Puttaswamy v. Union of India and Ors.[16] expressly granted to the citizens of India, the fundamental ‘right to privacy’. It is interesting to note that India does not expressly recognise the ‘Right to be Forgotten’ or for that matter, have a statute explicitly elucidating the ‘Right to Privacy’ to at least help the facilitation of interpreting the former in terms of the latter. Nonetheless, Indian Courts have prior to this interpreted the ‘right to privacy’ as a “subset of personal liberty”[17], “right to be let alone”[18] [19] and that freedoms and rights in Part III could be addressed by more than one provision.[20] [21]
On the issue of ‘Right to be forgotten’, the Courts have trodden on both paths with the Gujarat High Court[22] having dismissed it and the Kerala High Court,[23] Karnataka High Court[24] and Delhi High Court[25] more recently having entertained requests for erasure of information on the internet in the past.
Notwithstanding the interpretation of the Indian judiciary with regard to the ‘right to be forgotten’ in ordering the takedown wherein deemed necessary, in consonance with a violation of the ‘right to privacy’ as envisaged by Justice D.Y. Chandrachud in the Puttaswamy judgement, the ‘right to be forgotten’ lacked legislative backing. However, in light of growing privacy concerns and the famous Laksh Vir Singh Yadav case[26] demanding the ‘right to be forgotten’,[27] the Ministry of Information Technology and Electronics (hereinafter abbreviated as ‘MeitY’) issued the Personal Data Protection Bill (hereinafter abbreviated as ‘PDP Bill’). Section 27 of the PDP Bill expressly deals with the ‘right to be forgotten’ bestows upon a ‘data principal’ the right to restrict the disclosure of their personal data by the ‘data fiduciary’[28] and stipulates the conditions (akin to Article 17 of the GDPR) it may be exercised under that shall be examined subsequently by an adjudicating officer – who is to take into considerations factors viz. sensitivity of personal data, data principal’s role in public sphere, relevance of personal data to general public etc. Moreover, it is important to note that just as how a ‘data-subject’ is given the right to review his case, third parties may also request for the review of such order. This raises many subsequent questions with regards to who truly “owns” the data then which the MeitY has only once responded to via a research paper recommending that such data should vest with the ‘data-principal’ themselves.[29]
However, notwithstanding the apparent similarities between the European Union’s GDPR and the PDP Bill, they differ crucially with regard to what the ‘right to be forgotten’ entails – Article 17 of the GDPR mandates that upon a ‘data subject’ asking for the erasure of such data whereas the PDP Bill only extends such right to the prevention of continued disclosure of such data.[30]Contrary to the jurisprudence established as an aftermath of Google Spain Case,[31] the ‘full removal’ or ‘erasure of data’ from the database is impermissible under the PDP Bill.
The Puttaswamy case also had the effect of declaring the ‘right to be forgotten’ not to be an absolute right and subjected it to reasonable restriction viz. public interest, compliance with any legal obligation, national security, scientific and historical research etc. Moreover, Justice Sanjay Kishan Kaul was under the impression that the ‘rights of privacy’ of the individual were at crosshairs with the freedom of the press and consequently the public realm of information. It is perhaps therefore, that the drafters limited the scope of the PDP Bill to ‘restriction over disclosure of information’ in lieu of the ‘right to erasure’ awarded under the GDPR.
Nonetheless, the PDP Bill places an obligation upon the ‘data fiduciary’ to delete permanently in cases wherein such data is no longer required to be stored under law as provided under Section 10 – thereby establishing that the deletion of personal data is rather an obligation on ‘data fiduciaries’. Another issue for concern perhaps attributable to poor drafting is that the ‘data fiduciary’ may levy a reasonable fee against ‘data principal’ on exercising their rights. However, it is mute on the quantification of the amount determining such fee and there is a chance that this might be misused in the future by ‘data fiduciaries’ and should be looked into.
Notwithstanding the lacuna with regards to certain aspects pertaining to the drafting of the PDP Bill as highlighted in the aforementioned arguments, the Personal Data Protection Bill must be welcomed with open arms as the first legislation establishing a robust regime of data protection. The lack of a settled position among the different High Courts in the country as is evident from the diverse judgements even when having consensus vis-à-vis the granting of an erasure order shall finally be put to bed with a regulatory statute. Furthermore, India’s position on privacy and the need for a balance to be struck between the ‘rights of the individual’ and the ‘right of free speech’ as mandated by Justice Kaul in the Puttaswamy case has laid out the rubric in as much as future jurisprudence is concerned.
[1] Om Prakash Chautala v. Kanwar Bhan and Ors (2014) 5 SCC 417.
[2] Subramanian Swamy v. Union of India W.P. (Crl) 184 of 2014.
[3] Gian Kaur v. State of Punjab (1996) 2 SCC 648.
[4] Claire Overman, ‘The Right to be Forgotten European Reactions: Part I’ <http://ohrh.law.ox.ac.uk/the-right-to-be-forgotten-european-reactions-part-1/> accessed 27 April 2018.
[5] Vikrant Rana, ‘Will Judiciary Recognize the Emerging “Right to be Forgotten?’ <www.mondaq.com/india/x/ 5782 62/data+protection/Will+Judiciary+Recognize+The+Emerging+Right+To+Be+Forgotten> accessed 15 October 2018.
[6] Alessandro Mantelero, ‘The EU Proposal for a General Data Protection Regulation and the roots of the right to be forgotten’ <https://www.sciencedirect.com/science/article/pii/S0267364913000654?via%3Dihub> accessed 13 October 2018.
[7] A.T. v. Globe24h.com 2017 F.C. 114 (Canada).
[8] DLA Piper, ‘The only exception to the rule is when the private interests supersede the public interest’<http://www.lexology.com/library/detail.aspx?g=37824d3f-3401-4285-8641-8a1ced989cab> accessed 26 October 2019.
[9] The Right to be Forgotten—The EU and Asia Pacific Experience (Australia, Indonesia, Japan and Singapore)
(2019) 1 European Human Rights Law Review 23. UNSW Law Research Paper No. 19-2.
[10] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González C-131/12 ECLI:EU:C:2014:317.
[11] Supra note (10).
[12] Swapnil Tripathi, ‘India and its version of the Right to be Forgotten’ <http://www.sociolegalreview.com/india-and-its-version-of-the-right-to-be-forgotten/> accessed 26 October 2019.
[13] Google France v. Commission Nationale de l’Informatique et des Libertés (CNIL) C-236/08.
[14] Lucie Ranfont, ‘Right to oblivion: the CNIL and Google agree before the Council of State’ <www.lefigaro.fr/secteur/high-tech/2017/02/03/32001-20170203ARTFIG00267-droit-a-l-oubli-la-cnil-et-google-s-accordent-devant-le-conseil-d-etat.php> accessed 26 October 2019.
[15] Emile Laporte, ‘What is the right to oblivion?’ <https://openclassrooms.com/courses/controlez-l-utilisation-de-vos-donnees-personnelles-1/qu-est-ce-que-le-droit-a-l-oubli> accessed 26 October 2019.
[16] Justice K.S. Puttaswamy v. Union of India and Ors W.P.(C) NO.000372/2017.
[17] A K Gopalan v. State of Madras 1950 SCR 88.
[18] R. Rajagopal v. State of T.N (1994) 6 SCC 632.
[19] People’s Union for Civil Liberties v. Union of India AIR 1997 1 SCC 301.
[20] R C Cooper v. Union of India 1970 SCR (3) 530.
[21] Maneka Gandhi v. Union of India 1978 SCR (2) 621.
[22] Dharamraj Bhanushankar Dave v. State of Gujarat SCA No. 1854 of 2015.
[23] Civil Writ Petition No. 9478 of 2018. (Name of parties deleted upon Court order)
[24] Sri Vasunathan v. The Registrar General W.P. No. 62038/2016.
[25] Zulfiqar Ahman Khan v/s Quintillion Business Media Pvt. Ltd. and Ors AIR 2017 SC 4161
[26] Laksh Vir Singh Yadav v Union of India and Ors., WP(C)1021/2016 (Del).
[27] Salman SH, ‘Delhi HC accepts intervention against a Right to be Forgotten case in India’ <https://www.medianama.com/2016/09/223-delhi-hc-right-to-be-forgotten/#targetText=This%20case%20was% 20filed%20againstreported%20and%20circulated%20court%20judgments> accessed 28 October 2019.
[28] Section 27, Personal Data Protection Bill, 2018.
[29] TRAI, Recommendations on Privacy, Security and Ownership of the Data in the Telecom Sector, (2018), Para 3.1 (b) at P. 69, available at, https://main.trai.gov.in/sites/default/files/RecommendationDataPrivacy16072018.pdf
[30] Article 17 General Data Protection Regulations.
[31] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González C-131/12 ECLI:EU:C:2014:317.
Bhrigu A. Pamidighantam 
Leave a comment