In an era where the right to privacy is protected as a fundamental right, the
right to be forgotten is the inevitable next development. Emerging from the
French adaptation of the same, Droit a l'oubli, or the right to be forgotten
relates to the concept of online privacy. The right to be forgotten codifies
that, individuals are vested with the right to ask businesses and organisations
to erase their personal information from the systems and servers. The right to
be forgotten invokes scrutiny from articles 19, codifying protection of certain
rights regarding freedom of speech, and 21, codifying protection in respect to
conviction of offences.
Before we dive into the Indian context of the right to be forgotten let's
understand the international happenings which led to India's recognition and
passing of the Personal Data Protection (PDP) bill in 2019.
Turkey passed its data protection law on a directive but did not have any
regulations on the right to be forgotten until June of 2015 when a verdict was
delivered on a key case. The case law acknowledged the right to be forgotten as
a personal right and a precedent decision was also developed. In this case, the
plaintiff was the victim of sexual assault and had filed legal action against
the same and a decision had been given for the crime, however, this judgement
had been published in a criminal law book including the plaintiff's legal name.
She then claimed that having her name used without a pseudonym in a criminal law
book constituted an attack against her personal rights and requested
After a number of appeals, the Supreme Court Assembly of Civil Chambers said:
The right to be forgotten provides an individual with the right of "controlling
his/her past", "requesting certain matters to be erased from his/her past or not
be recalled", while vesting obligations on the addressee of the data to take
measures for avoiding the recall of the information of the individual or to
prevent the use of such information by third parties.
It is accepted that such right provides the right to compel third parties to
erase the content related to the individual such as photos and internet blogs
and the right to demand the removal of information with respect to past
punishments or information and photos which may cause unfavourable comments on
the individual." The judgement then, concluded that the publication of the
plaintiff's name without a pseudonym was in violation of the rights to be
forgotten as well as the privacy of the individual.
The Chamber considered the protection of personal data as closely related to
human rights and as being associated with personhood stating that disclosing
personal data may violate privacy and also offend various other associated
rights. The Chamber defines the right to be forgotten as a right to request the
erasure and the prevention of the transmission of personal data which is not
preferred to be known by third parties and as a right to request the data to be
forgotten which may be related to a negative past instance stored in digital
In 2018 The General Data Protection Regulation (GDPR) bill was passed in the EU
granting statutory recognition to the right to be forgotten in the form of the
right to erasure under Article 17, Recitals 65 and 66. The bill stated that the
individual or the 'data subject' is granted the right to ask the 'controller',
the body responsible for the processing of their personal data, to erase the
private data without undue delay, approximately a month. This position, however,
remains unclear as to whether an individual in the EU can request search engine
operators to remove links beyond the territorial scope or not.
This confusion mainly arises from the ruling by the Court of Justice for the
EU in Google v. CNIL
(2019). The judgement, in this case, was pronounced in
favour of Google, stating that such a request for erasure will not bind the
operator to de-link the data on all versions of its search engine worldwide. The
GDPR bill also outlines as per Articles 6,7 and 13(1)(c) that the organisations
must provide a lawful basis for collecting the personal data of any data
subject. If this lawful basis is no longer deemed applicable, then the data
subject may request the erasure of their personal data. The GDPR then puts the
onus on the data controller to defend their maintenance of the personal data of
data subjects as well as to verify that the person who requests the erasure, is
in fact the person to whom said data concerns.
It is then also understood that the right to be forgotten is a qualified right
subject to limitations. Some possible limitations include; if the data is being
stored and processed is, in compliance with the current laws, in the interest of
the public or public health, as a significant part in academic research where
the lack of said data will greatly hamper the research, integral to a legal
claim or defence, or the request is unfounded or excessive as deemed so by an
Information Commissioner. If for any reason, the controller decides not to
comply, they are mandated to inform the data subject about the reasoning
allowing the data subject recourse to complain before a supervisory board or
court against such decision of the controller.
In 2017, after the EU began recognising these concerns and the Justice
Puttaswamy judgement was passed, the Indian government started the process to
create data protection laws. They established a committee, headed by a retired
Supreme Court Judge, Justice BN Srikrishna, to deliberate over the IT laws and
the data privacy regime of the country. The committee proposed the Personal Data
Protection (PDP) bill which went on to be passed by voice vote on Dec 2nd of
The PDP bill is consent centric meaning that lawful consent must be obtained
before the data subject their data can be processed and made the deployment of
privacy vital by design. The bill also changed the terminology making "data
subjects", "data principles" and "data controllers", "data fiduciaries". The
bill acknowledges the right to be forgotten as the right against continued
disclosure to be granted with regard to the extent of the data principle's
personal information being revealed. This right was granted under section 27 of
the bill so as to "limit, delete or correct the disclosure of the personal data
on the internet". These regulations are proposed to be monitored and regulated
by the Data Protection Authority as per section 27(2) of the bill which is to be
set up as an autonomous regulatory body.
The Joint Parliamentary Committee was of the view that non-personal data should
be accorded the same level of protection as personal data since it is possible
to get the details of individuals through analytical processes and any future
development in this field may lead to identification and correlation of data
leaving the data principle totally exposed. The JPC also noted that data
localisation, restricting the flow of data from one country to another, is
essential. In the Indian context, data localisation will make it mandatory for
companies collecting critical consumer data to store and process it in data
centres within India's borders.
Social media platforms have been given clear guidelines to ensure compliance
failing which they would be held liable for penalty. As part of these
guidelines, the bill introduced Standardisation Testing and Quality
Certification (STQC) aimed at ensuring high-quality, reliable software and
hardware to protect from concealed backdoors being embedded in them which allow
remote access to resources.
The bill also outlined the fact that the right to be forgotten is not an
absolute right and is subject to exemptions. For example, in instances of
national security. These exemptions allow the government to process data in the
interest of maintaining the sovereignty and integrity of the nation. Government
agencies are allowed to obtain consent from the data principle to undertake this
processing but there are situations when even this may not be feasible. Such
instances have been outlined in sections 12, 13 and 14.
While the right to be forgotten has been codified in law there are still some
debates surrounding its constitutionality and the consequences that come with
certain sections of the PDP bill. One debate surrounds the Articles, 19 and 21.
In the justice Puttaswamy judgement, the Supreme Court of India declared the
right to privacy as a natural right essential to enjoy a dignified life paving
the way for the right to be forgotten to be read into the constitution. Article
19 on the other hand grants freedom of speech and expression as well as the
right to information, to all citizens, this then creates a constitutional
dilemma. Does the right to be forgotten, infringe on the right to information?
Another issue surrounds the exemption made in the bill allowing a competent
authority to retain or remove pieces of information. The decisions made by this
body will have a significant impact on the freedom of the press in the nation.
Procedural confusion may also arise regarding the correct authority to approach
in order to gain access to particular pieces of information.
The right to be forgotten then is a qualified right that is essential in
allowing citizens their right to privacy, however, it is tricky to implement.
The PDP bill is the first step towards realising the right to be forgotten in
India, aiming to strike the delicate balance honouring Articles 19 and 21. The
right to be forgotten of Indian citizens, however, extends beyond the bounds of
India requiring a look into international laws governing the same. This is
crucial in order to maintain the sanctity of the right to be forgotten.
- Navin Kumar Jaggi
- Dhriti S. Somasundar