THE RIGHT TO BE FORGOTTEN


This blog is authored by Harshit Chauhan, a first-year law student at Gujarat National Law University.


Introduction

A very large part of the Right to Privacy revolves around the idea of consent and confidentiality, and from this evolves the Right to be Forgotten. With rapid technological advancements, the amount of traceable data generated daily is massive. However, not every piece of information is deemed to be necessary. A point comes after which a particular piece of data or information is no longer required, and its presence in the public domain could then attract malicious activity and lead to misuse of the information.


Here comes the role of the Right to be Forgotten. The idea behind its enforcement is to guarantee that an individual’s information is kept private and that such information is forgotten or removed when it is no longer deemed necessary. Further, as put forth by the Justice BN Srikrishna committee, this right must be balanced with the freedom of speech. With the rapid transformation in data sharing and artificial intelligence, it becomes essential to expand the scope of this right and include the right to confirmation, access, and correction in the data protection laws.


Evolution


The Right to be Forgotten was derived from the 2014 case Google Spain SL, Google Inc v Agencia Española de Protección de Datos, Mario Costeja González. In this case, the European Union’s highest court adjudged that citizens held the right to request private organizations like Google to remove, on demand, private information gathered by them, since the information was no longer relevant. It was observed that the fundamental right to privacy is greater than the commercial interest of private organizations.


Hence, this right refers to the ability of individuals to delete, correct, or limit the disclosure of or dealing in personal information on the internet that is misleading, embarrassing, irrelevant, or outdated. Such disclosure may or may not be the consequence of unlawful processing by the data fiduciary.


In the General Data Protection Regulation (GDPR), this right has been guaranteed in addition to the Right to Erasure under Article 17. Under this provision, “the personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing.”


Article 17(2) of GDPR lays down the Right to be Forgotten. Under this provision, the controller, who made the personal data public, is obliged to erase the personal data and the controller must take reasonable steps, including technical measures, to inform controllers who process the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.


Indian Laws and Conflicts


In India, this right came into the limelight in a Karnataka High Court judgement in the case Sri Vasunathan v. Registrar General, where the petitioner demanded the Right to Erasure. Further, it was also emphasized by Justice Kaul in the famous case of Justice K. S. Puttaswamy (Retd.) and Anr. vs Union Of India And Ors. However, in the absence of a Data Protection Framework, this right remains ambiguous.


The Data Protection laws in India are largely based on the GDPR. However, there seems to be disagreement on what the right to be forgotten should mean. The Justice BN Srikrishna committee, which submitted its report on “Data Protection Framework”, was of the view that the right to be forgotten should not be an extension to the right to erasure, unlike what can be found in the GDPR. Rather, there could be a restraint on the disclosure of such information if certain benchmarks are met, and the Data Protection Authority may adjudicate on the issue.


However, there are several conflicting rights. On one hand, there is the right of the Data Principal (the one who provided the information) to restrict the disclosure of the information provided, while on the other hand, the consumers hold the right to information and the right to freedom of speech and expression.


Regardless of the conflicts, the need for this right is felt time and again. For instance, Justice SK Panigrahi of the Odisha High Court in Rout v. the State of Odisha emphasized the need for a legal framework to exterminate the malicious practice of ‘Revenge Porn’. It is in cases like these, where a majority of the victims are women, that we find the need to recognize the Right to be Forgotten. Similarly, men who face malicious prosecution due to false accusations must have this right to maintain dignity and honor in society, as a part of their Right to Life guaranteed under Article 21 of the Constitution.


Working and Limitations


The execution of this law is such that it can be used against Data Fiduciaries only. Unlike the European practice, in India the Justice BN Srikrishna Committee has suggested in its report that a Data Protection Authority be established. Therefore, any request regarding this will have to go through a DPA official before a Data Fiduciary is obligated to take down certain data or a piece of information.


Moreover, search engines and data fiduciaries, including tech giants like Google and Microsoft, have raised the concern that this practice might lead to global censorship and restrict the Right to Information and Freedom of Speech and Expression. To prevent this, certain parameters have been laid down to streamline the requests before such an obligation is passed down. These include:

• Role of the Data Principal

• Sensitivity of the Data/Information

• Scale of Disclosure

• Relevance of the Data to Public

• Nature of the Disclosure / Activities of the Data Fiduciary


Therefore, the Data Protection Authority here acts as a quasi-judicial office laying down several barriers to entry. This provision has both pros and cons. The upside is that frivolous requests to take down information can be verified against the given parameters, thereby protecting the Right to Information and Freedom of Speech and Expression.

However, search engines are usually burdened with these obligations, and hence it becomes necessary to verify whether the information is indexed with a search engine without relating it to a specific individual or whether it is a data fiduciary in that context. This not only makes the process time-consuming but also raises the requirement of professionals with the knowledge and specific skill set.


Conclusion


The jurisprudence on this right is still evolving, and the complexities of every case have to be adjudged carefully, considering that there is a fine line between public data and private data. To its relief, the judicial determination by quasi-judicial bodies like the DPA provides a measure of safeguard before passing an obligation. Further, the jurisprudence on the Right to Information has to be balanced between the public and private interests.

Considering that the Right to Reputation is at stake in cases of marital disputes, it becomes discretionary for the judges to make court records available in the public domain. Though such records cannot be permanently deleted, those found to be irrelevant can certainly be taken down.


It is crucial to keep in purview the issue of homogeneity while dealing with cases related to the Right to be Forgotten. The formation of a judicial body adjudging cases on fixed parameters can help overcome the problem of subjectivity when dealing with such cases. Further, objectively dealing with the conflicts of rights through a holistic approach can also help.


Moreover, the loopholes of this Right must be taken care of. For example, members holding political offices or candidates contesting elections must not be allowed to misuse this right and remove relevant information available in the public domain, such as past criminal records or cases, for personal needs. Lastly, this right should be narrowly interpreted to prevent the stifling of free speech and must not be confused with the taking down of illegal data and content.

 