This article has been authored by Afifa Sherin, a second year student at Campus Law Centre, Faculty of Law, University of Delhi
The “RIGHT TO FORGET” refers to the already intensively reflected situation that a historical event should no longer be revitalized due to the length of time elapsed since its occurrence. The “Right To Be Forgotten” reflects the claim of an individual to have certain data deleted so that other persons can no longer trace them. Therefore, the right to be forgotten is based on the autonomy of an individual becoming a right holder in respect of their personal information on a time scale; the longer the origin of the information goes back, the more likely personal interests prevail over public interests.
The Right To Be Forgotten was recognized for the first time in India through the judgment delivered by Karnataka High Court in the matter of Sri Vasunathan vs The Registrar-General in 2017. A decade ago, however, a similar term, namely the “Right To Forget,” was already a topic of debate. But viewed precisely, the active and the passive side of the “Forget” medal are not identical, and the right to be forgotten should not be confused with the right to forget as happens frequently in discussions.
Essentially, the “RIGHT TO BE FORGOTTEN” or the “RIGHT TO BE ERASED” provides a right to an individual to request for removal of their personal data floating around the Internet. The simple rule behind data erasure is that whoever is using the data has volunteer consent from the data owner. So, when the consent is withdrawn, the owner has a right to have his data erased. Further, when the data controller has no legal right to process the data, the data should be erased. In case of data erasure, whoever has the data access or whoever is processing the data has to erase it and have to remove any links, copies, or replication of data. The origin of this right can be traced back to the French jurisprudence on the “Right To Oblivion,” which was to make social integration easy for offenders who had served their sentence on the basis of the publication of information of their crime. Based on French jurisprudence, European Union Data Protection Directive, 1995, acknowledged the right to be forgotten, by introducing Article 12, which specifies that the member state should provide people to control, ratify, erase or block data related to them.
The significant technical challenge for the implementation of the “RIGHT TO BE FORGOTTEN” is defining “personal data”. According to Article 17 of European Union (EU) Directives, the term “personal data” means any information relating to the individual. Such a definition raises ambiguities on issues like collective information - information which may not identify any person individually but pointed out towards the family. The identification of personal data becomes more complicated when it comes to the erasure of derived data about individuals used in statistics or in another form of aggregated information. Once there are reasonable grounds for data erasure, it is not clear, practically, how this erasure will be enforced. According to the EU, every individual has a right to control their private data, especially if they are not public eminence.
Right to Be Forgotten Under EU Directives
To make the “right to be forgotten” enforceable, the EU introduced (Directive 95/46/EC) in 1995. In the EU, in particular, this “right to be forgotten,” was gaining increasing traction as a potential foundation of privacy regulation (Bennett, 2012). According to the Vice President of the European Commission, Vivean Reding, the EU data protection reform, which was well overdue, should include provision for removal of online personal information. In 2014, the Court of Justice of the European Union (CJEU) established the ‘RIGHT TO BE FORGOTTEN’ and accordingly stated, “Every individual has the right under certain conditions – to ask search engines to remove links with personal information about them.” As of March 2017, Europeans had submitted over 715,000 requests to deactivate two million URLs. Google has deleted over forty-three percent of those, approximately 732,000 links. In fact, according to the EU Regulations, social media networks also need to erase personal data of individuals when asking under laws allowing people the “Right to be Forgotten”. At the same time, the Court’s decision has stirred debates focused on the decision raised between a person’s right to privacy and freedom of expression. The CJEU offered little guidance in determining when personal information is subject to mandatory erasure due to irrelevance or inadequacy. The opinion on the “right to be forgotten” differs immensely between America and EU countries. According to America, transparency, the right to freedom of speech and expression is a priority. The publication of truthful information about individual or corporation is favored by America. On the contrary, the European court of justice legally freezes the “RIGHT TO BE FORGOTTEN” as a human right in the Costeja case against Google.
In 2010, Mr. Costeja filed a complaint against Google and Spanish Newspaper at National Data Protection Authority of Spain. In his complaint, he mentioned that when he searches his name on Google, the search results shows a link of news paper article about a property sale made by him to replay his personal debts. The authority dismissed the complaint against newspaper as they had the legal obligation to publish the property sale information. But, authority allowed the complaint against Google. In this matter, Google argued that as no physical server in Spain held the data and the data is processed outside the European Union, it does not come under European Data Protection Directives. As a matter of practice, when Google receives a takedown notice for linking to infringing content, it removes those links from all of its sites across the world, so could the same not be done for private information?
The Court of Justice of EU finally stated that: The search engine companies are controllers of their services and whoever promotes and markets their services within EU, the Data Protection Directives (“DPD”) applies to them and consumers have the right to request such search engine companies to remove links or information associated with them. Later, the matter came back to the Court of Justice of EU for removing the links from global domains rather than geo-limiting delinking. After this decision, other search engine companies like Bing have already begun implementing the decision in Europe.
Another case of Europe against Facebook, which does not talk about the “Right To Be Forgotten” but it gives an approach for erasing data. This case explains erasing data by not displaying it to anybody. this case was filed by Max Schrems, who asked Facebook to provide him all his personal information that they had stored. Initially, he received a PDF file of more than 1000 pages. This file also includes information, which he thought was deleted. Therefore, he decided to file a complaint against Facebook Ireland to the Irish Data Protection Commissioner. Initially, he had filed 22 complaints against Facebook, which includes subjects such as shadow profiling, excess personal data, not removing data, and face recognition.
Additional complaints were filed in the year of 2011related to subjects such as: tracking user’s location via like button, picture link deletion, and frequently changing policies. The main issue, in this case, was that the data, i.e., posts, pock, chat messages, friends, were not deleted by Facebook even though they had been deleted by the complainant. Instead of removing the data from a server, Facebook had converted the data into an “invisible” mode. Even images were not deleted, only links of the images were removed. After a long legal battle, the procedure ended in 2014 with the decision of the petitioner, to withdraw the 22 complaints made initially.
Following the withdrawal of the complaint, an Austrian style class action lawsuit was started against Facebook in August 2014 with the aim “to make Facebook finally operate lawfully in the area of data protection”. This complaint has mainly focused on the following points:
1. The Data use policy of Facebook, which is not legally valid under EU law.
2. There is no effective consent to types of data use.
3. Support of the NSA’s ‘PRISM’ surveillance programme.
4. Tracking Internet user’s actions on external websites.
5. Monitoring and analyzing users through “Big data techniques”.
6. Unlawful introduction of ‘Graph Search’
7. Unauthorized transfer of user data to external applications.
On 1st of July 2015, the Court of Vienna rejected the case on procedural grounds, because Max Schrems used his Facebook account for commercial promotions of his publications. The case was transferred to higher tribunal, and Max Schrems said he wanted to file an appeal against the decision. This suit is still pending before the Austrian Supreme Court.
In the Facebook case, the interesting part is that Facebook has shown two different approaches to erase data from public domain:
1) Making data invisible, and
2) deleting only the links to a file.
Facebook just removes the links or makes data invisible to users who want to delete it. The same logic applies to everyone who was accessing or had permission to access such data. For example, if the user’s profile is a public profile then people from public domain has access to that profile, or if the profile is private then his friends can access such profile. Once the user erases the data, Facebook still has the access to the data, as the data is not originally deleted from the Facebook database. Thus, if we think from the perspective of the users who had access to the data before deletion, the data is deleted. However, the data is only removed from the access domain.
Right to Be Forgotten In India
In India there are no specific data protection laws, so ad-hoc judicial attention of the court is sought. In the writ petition Sri Vasunathan vs The Registrar-General before the Karnataka High Court, the Court observed that, “this would be in line with the trend in western countries of the 'Right To Be Forgotten' in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.” Hence, the Court directed its registry that petitioner’s daughter’s name should not reflect in the case-title of the order or in the body of the order in the criminal petition. The woman’s father had approached the High Court for seeking the directions to remove the woman’s name from the earlier Order passed by the High Court. The petitioner had stated that his daughter’s relationship with her husband and her reputation in society will be affected if her name remains associated with her earlier case.
Similarly, Justice Sanjay KishanKaul delivered his opinion on right to forgotten and stated, “the right of an individual to exercise control over his personal data and to be able to control their own life would also encompass their right to control their existence on the Internet”.
In contrast with the above-mentioned opinion, the Gujarat High Court in Dharamraj Dave v. State of Gujarat pointed out that there is no attracted law to remove judgment from Google search or Indian Kanoon and petitioner does not have sufficient arguments to prove “uploading judgment on the Internet is a violation of Article 21 of the Constitution.” These cases demonstrate the lack of legal framework and the inability of the judiciary in interpreting the right to be forgotten. Therefore, India requires specific Data protection Laws to protect the right to be forgotten.
In 2017, in Justice K S Puttaswamy’s case, the “Right To Be Forgotten” as defined by The European Union Regulations, 2016, has been recognized. The following are the considerations made by the Supreme Court:
1. Children around the world have access to the digital media. They are constantly making their footprints on social media networking. They are passing the data with chat, Bluetooth, web downloading, Emails, Facebook, Google, Hotmail, and Instagram. They should not be affected by their childish mistake or naivety their entire life. So, the parents of such children or the person can request for the removal of data or personal information regarding their childhood or their children.
2. People change and every individual should be able to move forward in life and should not be stuck by the mistake done in the past. Every individual should have the capacity to change their beliefs and improve as a person. The individual should not live in the fear that the view expressed by them will stay with them forever.
3. Whereas this right to control the dissemination of personal information does not amount to total erasure history, as this right is a part of right to privacy and should be balanced against other fundamental rights like right to freedom of expression, or freedom of media.
4. Thus, the RIGHT TO BE FORGOTTEN means, when the data of any person is no longer required, or ]if a person expects that their personal data will be no longer stored or processed, then, they should be able to remove it from the system where the information is no longer necessary, relevant, is incorrect, or is illegitimate. But, the Right to be forgotten does not mean to remove data or personal information, which is necessary for exercising the right of freedom of expression and information, for the performance of the task carried out in public interest, in public interest in the area of public health, scientific or historical research purpose, exercise or defense for legal claim.
As a part of privacy, every individual should be able to control their personal data and to be able to control their life encompasses their right to control their existence on the Internet. This does not mean that a criminal can obliterate his past, but there are various degrees of mistake, small or big, and it cannot be said that a person could be profiled to the extent many times more than his mistake. After the Justice K.S Puttaswamy judgment, Government of India decided to constitute a committee of Experts to regime Data Protection Laws in India. Under the chairmanship of former Supreme Court Justice Shri B N Srikrishna ,a committee has released a white paper on Data Protection Framework for India on November 27, 2017.
According to the white paper, the consent should be one of the grounds for data processing. But, here, the consent should be valid. As the Committee observed that one out of three Internet users across the world is achild under the age of 18 years, a data protection law must be efficient to protect their interests, while considering their vulnerability and exposure to risks online.
The Committee has also commented on the Purpose of Data Collection. According to the White Paper, there should be some specific purpose for personal data collection. The collected personal data should be erased once the purpose is fulfilled. The Committee also mentioned in the report that, the person should have a right to confirm, access, and rectify their own data.
The white paper also talks about the issues with right to be forgotten provisions under data protection law. Accordingly, the right to be forgotten should not conflict with the freedom of speech and expression and while formulating a right to be forgotten, it is necessary to identify the third party can be held liable for failing to comply with erasure request or not.
“Right to be forgotten” is becoming very important for the legal aspect as well as technical aspect. Due to technical complications, legal provisions for such right are also getting increasingly complex. Now, as the “RIGHT TO BE FORGOTTEN” is being viewed as a part of the right to privacy. When we talk about the “RIGHT TO BE FORGOTTEN”, the information will be considered true so the right to free expression and publication could not be overshadowed by the “RIGHT TO BE FORGOTTEN”. In India, this debate still continues as India does not have any specific provision for providing such a “Right to be forgotten”. India is still dependent on ad-hoc jurisprudence to access this right. As the Union Government of India is making laws for Data Protection and the Committee has recognized this right in Chapter 10 of White paper, it is expected that there will be provisions for such a right in the upcoming law on data protection. We, as a nation are better off at this moment without this right if at all the power to adjudicate and approve the requests is in the hands of the State. Privacy is now part of the right to life and hence is inalienable.