Introduction
With an increase in cyber activity, people have started to use the internet for various purposes. The rampant adoption of internet-based systems and mechanisms has expedited analytical processes and assisted individuals and businesses. This development has given rise to several concerns such as data protection, privacy, protection of one’s identity etc. Many companies have been involved in unscrupulous practices with respect to customer data. Recently, some car companies like Tesla and Nissan were involved in tracking their customers’ sexual activity using car tech. Other companies such as Barclays and Facebook are involved in selling the personal data of their customers. Such activities have fostered a sense of insecurity in the customers with respect to how their personal data is being used by the companies. The UDHR recognised the Right to Privacy in 1948 by way of Article 12. Since then, legislation and precedents have been contributing to the development of privacy jurisprudence worldwide. The privacy discourse has led to the recognition of the Right to be Forgotten as an inherent part of the Right to Privacy. In this blog, we shall discuss the Right to be Forgotten and its development.
What is the Right to be Forgotten?
The Right to be Forgotten basically means the right of the individual to get his/her personal data deleted from the internet. This right was first recognised in the case of Google Spain v. Agencia Espanola de Proteccion de Datos and Mario Costeja Gonzalez. In 1998, Mario Costeja was facing financial problems and was in need of money. Due to this necessity, he advertised a property for auction in the newspaper. The advertisement subsequently ended up being published on the internet. The advertisement was searchable on Google long after the sale which tarnished Mario’s image. This case gave birth to the ‘Right to be Forgotten’. The European Court of Justice ruled against the search engine Google, declaring that under certain circumstances, European Union residents have the right to get their personal information removed or deleted from search results and public records databases.
In 2016, the General Data Protection Regulation (GDPR) statutorily incorporated the Right to be Forgotten. Article 17 of the GDPR empowers the data subject to get his/her data deleted and mandates the controller to delete the data without undue delay. Data controllers are required to develop efficient mechanisms and address such requests within a reasonable time period. The data controllers must have the appropriate technology in order to comply with the provisions of the GDPR.
The grounds for deletion of data are: when the personal data is no longer necessary; when data subject withdraws consent; when data has been unlawfully processes and when data has to be erased for legal compliance. The GDPR enlists some exceptions which restrict the exercise of the Right to be Forgotten: freedom of speech and expression; compliance with legal obligations; public interest; scientific, historical research or statistical purposes; establishment, exercise or defence of legal claims.
Entry of Right to be Forgotten in the Indian Judicial Discourse:
For the first time in India, the Right to be Forgotten was recognised in Vasunathan v. Registrar General, High Court of Karnataka. The court held in favour of the petitioner and ordered that the name of the petitioner’s daughter to be removed from the cause title and the orders. The court held that this would be consistent with the trend in western countries where the ”Right to be forgotten” is applied as a rule in sensitive cases concerning women in general, as well as particularly sensitive cases involving rape or harming the modesty and reputation of the individual concerned. The court further discussed the right to be forgotten in the Aadhaar judgement i.e. K.S. Puttasawamy v. Union of India in which the right to privacy was declared a fundamental right. The court said that the Right to be Forgotten was an inherent aspect of right to privacy. The court observed that right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the internet.
The court has invoked this right in cases where the person was subject to some disadvantage due to the presence of online content. In Zulfiqar Ahmad Khan v. Quintillion Business Media, the media house published two articles against Khan. Khan approached the court for the removal of the articles stating that they were baseless and defamatory. The court ordered the media house and other search engines to remove the articles and recognised the petitioner’s Right to be Forgotten. In Jorawar Singh Mundy v. Union of India, the court granted relief to an American citizen of Indian origin who was tried under the NDPS Act and was subsequently acquitted. On his return to America, he faced a lot of problems due to the presence of his judgment on the internet. Court directed ‘Indian Kanoon’ to block the judgment from being accessed by search engines. In SJ v. UOI, the court invoked the Right to be Forgotten and ordered the removal of online articles which jeopardised the future prospects of the petitioner.
Indian judiciary has also granted relief in cases which adversely affect the modesty of women. A landmark judgement in this regard is Subhranshu Raut v. State of Odisha. In this case, intimate images of a girl were posted on a fake social media profile. The court said that if the Right to be Forgotten is not recognised in matters like the present one, any accused will surreptitiously outrage the modesty of a woman. In Jorawar Singh Mundy v. Union of India, the court granted relief to an American citizen of Indian origin who was tried under the NDPS Act and was subsequently acquitted. On his return to America, he faced a lot of problems due to the presence of his judgment on the internet. Court directed ‘Indian Kanoon’ to block the judgment from being accessed by search engines. Similarly, in XXXX v. YYYY, the court ruled in favour of the petitioner who was subject to social stigma due to the public display of her name with respect to offences committed against the modesty of women and STDs. The court ordered the Registry of the Supreme Court to mask the details of the petitioner. In X v. Union of India, explicit images of the petitioner were uploaded on various pornographic websites. The court said that the right to informational privacy includes the individual’s Right to be Forgotten.
Statutory Recognition
Recently, the Parliament passed the Digital Personal Data Protection Act, 2023.The Act has recognised the Right to be Forgotten, thereby giving it a statutory standing in India. Section 8 (7) of the Act imposes an obligation upon the data fiduciary to erase the personal data of the data principal upon the withdrawal of consent or when the data no longer serves the intended purpose.
Section 12 of the Act which deals with correction, completion, updating and erasure of personal data also recognises the Right to be Forgotten. Clause (3) of the section empowers the data principal to make a request for the erasure of her personal data. Upon receiving such a request, the data fiduciary is obliged to delete the data unless retention of the same is necessary for compliance with any law.
Many researchers have concluded that the Act does not formally recognise the Right to be Forgotten. The main reason behind this proposition is that clause (1) of the Section 12 explicitly states that the data principal has the right get that personal data deleted for which she had previously given consent. This lexical loophole may create problems when the data has been processed unlawfully without obtaining the consent of the data principal. But even if this particular point is ignored, though the Act does not specifically mention the Right to be Forgotten, but the concept is clearly enshrined in Section 12 of the Act.
Conclusion
We have seen that how the Right to be Forgotten emerged as an inherent aspect of the Right to Privacy and how it gained prominence in the Indian judicial discourse. The Right to be Forgotten is invoked in several instances such as cases related to defamation, modesty of women and the presence of online judicial records. Right to be Forgotten has been held to be a fundamental right under Article 21 in the case of Kaushal Kishore v. State of Uttar Pradesh.
With the introduction of the Digital Personal Data Protection Act, 2023, the Right to be Forgotten has gained statutory recognition in the Indian legislative landscape. Researchers and lawyers have expressed speculative concerns as the Act recognises prior consent of the data principal as the pre-condition to erasure.
We hope that judicial interpretation of these provisions will clear the air in some time. But it would be wrong to conclude that just because the phrase ‘Right to be Forgotten’ is not mentioned in the Act, it has not been recognised in its entirety. Indeed, the right finds a place in the new Act, but we are yet to see how it is implemented and interpreted in the Indian legal system.
