Author: Mohini Chaturvedi, Sharda University
In the era of digitization, the security of data is a major concern. The data if allowed to remain accessible to everyone may lead to the breach of the right of privacy of the individual whose interest lies in its removal. Every individual has private information which must be protected. The breach of privacy can also cause social hostility, embarrassment, and even depression. Such unsolicited activities if not barred may have a great repercussion on an individual’s private and professional life. To safeguard privacy, one can exercise the right to be forgotten which can be used to erase the information of an individual retrospectively from the public platforms.
MEANING OF ‘THE RIGHT TO BE FORGOTTEN’-
The ‘right to be forgotten’ is the right to have personal information removed from the internet, searches, databases, websites, or any other public platforms, available in the public domain once the personal information in question is no longer required, or relevant.
The right to be forgotten was recognized in the 2014 decision of the Court of Justice of the European Union in the Google Spain case. In 1995, the European Union Directive on Data Protection recognized this right as a ‘Right’. In 2016, European Union adopted a new General Data Protection Regulation (GDPR) which came into effect in 2018 which explicitly recognizes ‘The right to be forgotten’ as a statutory right.
INDIAN SCENARIO IN RECOGNIZING ‘RIGHT TO BE FORGOTTEN’-
In India, there is no law that is specifically dedicated to the right to be forgotten. However, the Personal Data Protection Bill, 2019[i] recognized this right which is based on the Report of the Justice B. N. Srikrishna Committee. Section 20 of the Bill provides that the data principal have the right to restrict or prevent the continuing disclosure of his personal data where such disclosure has already served the purpose for which it was collected or is not further required or was made with the consent of the data principal under section 11 and such consent has since been withdrawn or was made contrary to the provisions of this Act. The adjudicating officer is to be appointed who would enforce such order. The decision that whether an individual should be allowed to exercise his “right to be forgotten” is in the hands of Adjudicating Officer.
In India, the right to be forgotten doesn’t have legislative sanction yet. However, in the K.S Puttaswamy’s judgment, the Supreme Court held that the right to privacy is a fundamental right under the Indian Constitution. In this judgment, the Apex Court observed that an individual has a right to exercise control over his personal data which includes the right to control the information relating to him on online sites.
CHALLENGES ASSOCIATED WITH THE RIGHT TO BE FORGOTTEN-
· Legal challenge - The right to be forgotten may get into conflict with matters involving public records.
· Information in the public domain is similar to toothpaste out of the tube, once information is leaked, it will never go away.
· Individual v Society- This right creates a dilemma between the right to privacy of individuals and the right to information of society and freedom of the press.
JUDICIAL PRECEDENTS –
In Sri Vasunathan V The Registrar General[ii] (2017), the Karnataka High Court recognized the right to be forgotten in sensitive cases involving women in general as well as highly sensitive cases involving rape or affecting the modesty of a female. The Delhi High Court in case of Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd[iii]recognized the right to be forgotten and the right to be left alone as an integral part of an individual's existence.
In the case of Dharamraj Bhanushankar Dave V State of Gujarat[iv]the High Court rejected the demand for the removal of a judgment acquitting the accused in a kidnapping and murder case, passed by the court.
In Subhranshu Rout V State of Odisha[v] (2020), the High Court stated that the victims of sexually explicit videos or pictures posted on social media platforms by spurned lovers to intimidate, take revenge, and harass women can use the right to be forgotten as a remedy. In another case, Jorawer Singh Mundy v. Union of India, 2021,[vi]the Delhi High Court granted relief to a petitioner seeking the ‘right to be forgotten’ where he was earlier acquitted in a narcotics case but due to the presence of judgment on online search engines, he was denied employment opportunities. Thus, the court’s order ensured an individual’s right to privacy.
Different jurisdictions have varied concepts on right to be forgotten. A major development has been witnessed in the European Union. Other countries are also focusing on the development in this area.
The European Union (EU)
The Data Protection Directive was a European Union directive adopted in 1995 to regulate the processing of personal data within the European Union. Later, in April 2016, the General Data Protection Regulation[vii] (GDPR) was adopted which superseded the 1995 Data Protection Directive. GDPR also imposes certain obligations on organizations situated in any part of the world if they target or collect data related to people in the EU.
The GDPR gives individuals the right to ask organizations to delete their personal data and related information. It is referred to as ‘The right to erasure’.The right to be forgotten appears in Recitals 66 and in Article 17 of the GDPR. It states that the data subject shall have the right to obtain from the controller, personal data’s erasure concerning him or her without undue delay.
However, the request for such erasure may not be entertained in situations such as if the request is in contrast with the right to freedom of expression and information, or when it is against the public interest in the area of public health, scientific, or historical research or statistical purposes.
Google Spain v. AEPD and Mario Costeja case[viii]
In this case, the Court of Justice of the European Union ruled in favor of a Spanish national who had requested Google to remove two links to newspaper articles about him. It held that personal information which is found to be inadequate, irrelevant, or excessive related to the processing purposes should be erased despite being published lawfully.
Google v CNIL[ix]
In this case, the European Court of Justice determined the territorial scope of the right to be forgotten. Here, Google was served notice from CNIL regarding de-referencing links from the search results globally. Google opted to limit its de-listing of links only on search results conducted in the versions of its search engines with domain extensions within the EU and EFTA. It also emphasized the use of geo-blocking. CNIL imposed a penalty on Google of EUR 100.000, against which, Google filed the case. The Court ruled that search engine operators are not required to remove links on all the versions of its search engine worldwide under EU law. The European Court of Justice stated that under EU law, there is no obligation on search engine operators to apply the right to be forgotten globally. Thus, the right applies within the borders of the European Union only.
China in its very recent legislation, Cyber Security Law[x] introduced the concept of a ‘right to correct and delete’, which enables individuals to require ‘network operators’ to delete or correct their personal information, if such information was illegally collected, used, or the content was incorrect. This right is partially related to the right to be forgotten in GDPR. Under Torts Law, people of China have a right to require Internet Service Providers (ISPs) to ‘delete, block or disconnect’ harmful contents. China’s General Provisions of the Civil Law also adds a ‘personal information right’ into the framework of basic civil rights as well.
Striking the right equation between the right to privacy of individuals and the right to information of society and freedom of speech and expression will be key to the development of ‘The Right to be Forgotten’. Data protection requires enormous care and caution which can be attained by exercising the right which must be in the hands of individuals because of the sensitive nature of personal data and also because of its economic value. Personal data is the utmost valuable aspect of the human right of privacy which needs to be secured.
[i] http://18.104.22.168/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf [ii] Petition No.62038 of 2016, Karnataka HC [iii] CS(OS) 642 of 2018 [iv] SCA No. 1854 of 2015, 19.01.2017 [v] BLAPL No. 4592 of 2020, High Court of Orissa [vi]https://www.livelaw.in/pdf_upload/16186364774292021-393948.pdf [vii] https://gdpr.eu/ [viii] Case No. C-131/12 [ix] https://academic.oup.com/grurint/article/69/4/380/5732807 [x]https://www.linklaters.com/en/insights/data-protected/data-protected---prc https://gdpr.eu/right-to-be-forgotten/ https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679 https://www.casemine.com/judgement/in/5cdc5f5a4a93266e55c35b86#10 https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2908993