INTRODUCTION
In the age of World Wide Web, it has become impossible to truly forget the information posted on the Internet. While such data can be put to multiple uses, it can be detrimental to the data subject if it is used in ways that are harmful to the reputation of the data subject or against its intended use without consent. There can be several adverse effects to unsolicited and unpermitted information floating in the Internet. These unpleasant effects can have wide ranging implications from temporary embarrassment to social hostility and depression. Hence, if the privacy cannot be protected ab initio, then it can be done by bestowing a right upon individuals to retroactively erase that which might be harmful.
The European Court of Justice in a decision in 2014 introduced a new right the “right to be forgotten” which provides the data subject with a right to compel removal of the personal data or information posted on the internet from online databases. It was implicitly recognized as a right for the first time by 1995 European Union Directive on Data Protection. In 2016 E.U. adopted a new General Data Protection Regulation to take effect from 2018 which contains the explicit right to be forgotten.
This right is grounded on the notions of privacy and data protection but at the same time is criticized for being in conflict with freedom of expression. The right to be forgotten has been well received by the masses, however, the criticisms and the concerns against such a right remain valid in the current scenario. It directly contradicts the freedom of speech and the right of the public to know. This is especially true in U.S., where the country’s central values rest in the right of freedom of expression and against censorship.
Moreover, many critiques the erasure right by raising the issue of its irrelevance when defamation and libel laws are already in place in most countries. Even in India, neither the judiciary nor the legislature has categorically expressed its position on this right. The right to privacy judgement, although has been unanimously accepted; answers to greater questions still remain unanswered in the wake of India’s move to digitizing sensitive data, such as credit history, bio-metrics, etc. Thus, the article aims to carry out a comparative analysis of the jurisprudence of the right to be forgotten arising from a landmark decision by Court of Justice of the European Union to development of General Data Protection Regulations by E.U. along with a comparison with the laws of U.S.
At a time when right to privacy has been recently recognized as a fundamental right this article aims to trace the contours of the new right to be forgotten in the Indian legal system.
CURRENT LEGAL FRAMEWORK IN INDIA
The present data protection regime in India, under the Information Technology Act, 2000 and the rules framed thereunder does not recognize an individual’s “right to be forgotten” After an extensive debate and judicial inconsistency on the subject, the Personal Data Protection Bill: 2019 PDP Bill) based on the Report of the Justice B. N. Srikrishna Committee, finally seeks to give statutory recognition to this right. The PDP Bill now seeks to give statutory recognition to this right. This is largely inspired by the ‘right to erasure’ under the General Data Protection Regulation, 2016 (GDPR). Section 20 of the PDP Bill, allows a data principal to prevent or restrict the continuing disclosure of personal data, in three situations i.e. when a) the data has served its purpose or (D) the data principal withdraws his consent for collecting the personal data: or (c) when the disclosure of personal data is in violation of any existing legislation. To exercise the above right the data principal must make an application to the Adjudicating Officer to be appointed by the Central Government under Section 62 of the PDP Bill who shall allow/reject such application subject to the criteria laid down is Section 20(3) of the PDP Bill.
The criteria to be used by the Adjudicating Officers to determine whether or not such right should be exercised, include; the sensitivity of the personal data the scale/ degree of accessibility sought to be restricted, the role of the data principal in public life the relevance of such data to the public and the nature of the disclosure and activities of the data fiduciary.
The decision of whether an individual should be allowed to exercise his “right to be forgotten” vests with the Adjudicating Officer under the PDP Bill. Pertinently this is the only right provided for in the PDP Bill which requires an application before the Adjudication Officer This is also a departure from the approach taken by the GDPR wherein an application for the exercise of a right to erasure has to be made with the controller of such data.
JUDICIAL PRECEDENTS RECOGNIZING RIGHT TO BE FORGOTTEN
Though the ‘Right to be Forgotten’ is not found under Sensitive Personal Data Information (SPDI) Rules but there are some judicial precedents on same in India. For the first time, Orissa High Court an Indian constitutional court brought to the fore the issue of an individual’s right to be forgotten online, advocating for the enforcement of Article 21 of the Indian Constitution relating to Right to Life and Personal Liberty as a remedy to victims whose compromising information was available online.
Denying bail to an accused of allegedly posting sexually explicit content of a female friend without her consent, Justice SK Panigrahi observed that, despite the accused deleting the obscene material, there was no legal mechanism available to the victim to have the content permanently removed from the server of the host platform (social media site) or the web. “It is also an undeniable fact that the implementation of the ‘Right to be Forgotten’ is a thorny issue in terms of practicality and technological nuances.
Orissa H.C. relying on the decision of the Supreme Court on K.S. Puttaswamy (Privacy-9J), Court stated that at present, “…there is no statue which recognizes right to be forgotten but it is in sync with the right to privacy.”
Delhi High Court in the decision of Zulfiqar Ahman Khan v. Quintillion Business Media (P) Ltd. also recognized the “right to be forgotten” and ‘Right to be left alone’ as an integral part of individual’s existence.
Karnataka High Court in Sri Vasunathan v. Registrar General recognized “Right to be forgotten” explicitly, though in a limited sense. Petitioner’s request to remove his daughter’s name from a judgment involving claims of marriage and forgery was upheld by the Court. It held that recognizing the right to be forgotten would parallel initiatives by ‘western countries’ which uphold this right when ‘sensitive’ cases concerning the ‘modesty’ or ‘reputation’ of people, especially women, were involved.
In the matter of Zulfiqar Ahman Khan v/s Quintillion Business Media Pvt. Ltd. and Ors., the Delhi High Court in an order dated 09.05.2019 recognized the plaintiff’s ‘Right to be Forgotten’. The issue arose when two articles containing harassment allegations against the plaintiff during #MeToo campaign, were published by the respondent. The court ordered to restrain the re-publication of the said articles during the pendency of the suit. The court also said that the ‘Right to be Forgotten’ and the ‘Right to be Left Alone’ are the inherent facets of ‘Right to Privacy’.
In Justice Puttaswamy v. Union of India the Supreme Court Justice Sanjay Kishan Kaul held that in its tangible and intangible form as the individuals have the right to put and remove the data from online sources. Kaul stated, “The right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the Internet”.
The right to be forgotten finds its roots in Article 19 and 21 of the Constitution of India which does not provide it as an unfettered and unlimited right and thus, subject to the restrictions such as other fundamental right, abide with legal obligations, public interest and health, archiving, researching and defense of legal claims. Kaul J. held that the past mistakes of individuals should not be used as a weapon against them with the help of the digital footprint and hence, people would be authorized to curb publication of the data in relation to them. The Court relied on the 2016 European Union Regulation (Article 17) that had given birth to the right to erasure.
COMPARATIVE ANALYSIS
The concept of Right to forgotten has evoked mixed responses from various jurisdictions across the globe. Most prominently, the developments have been rapid in the EU. Along with EU, the United States provisions on Right to forgotten have also been discussed.
The European Union (EU) – The European Union, has witnessed several maneuvers to establish the Right to be forgotten in consolidated form. The Data Protection Directive was a European Union directive adopted way back in 1995 to regulate the processing of personal data within the European Union. It is an important component of EU privacy and human rights law. Subsequently the General Data Protection Regulation (GDPR) was adopted in April 2016, which superseded the 1995 Data Protection Directive.
Article 17 provides that the data subject has the right to request erasure of personal data related to them on any one of a number of grounds, including noncompliance with Article 6(1) (lawfulness) that includes a case (f) if the legitimate interests of the controller are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data. Thus, GDPR’s Article 17 has outlined the circumstances under which EU citizens can exercise their right to be forgotten or right to erasure.
The Article gives the EU citizens the right to get personal data erased under six conditions, including withdrawal of consent to use data, or if data is no longer relevant for the purpose, it was collected. However, the request may not be entertained in some situations such as if the request contradicts the right of freedom of expression and information, or when it goes against public interest in the area of public health, scientific or historical research or statistical purposes. Thus, the GDPR of 2016 includes a specific protection in the right to be forgotten in Article 17.
It can be said that it has at least provided for a limited right of erasure in its operating Jurisdiction. In Google Spain v. AEPD and Mario Costeja GonzÁlez the European Court of Justice asked Google to delete “inadequate, irrelevant or no longer relevant” data from its search results, when a member of the public requests so. The ruling has now is popularly known as the “right to be forgotten” and has been critical in reinforcing the data protection laws and regulations in the EU, including EU’s General Data Protection Regulation (GDPR).
The case involved one Mario Costeja GonzÁlez, a Spanish man who was unhappy that searching his name on Google threw up a newspaper article from 1998. When he approached the Newspaper in 2009, to remove the article the latter refused to do so, and Gonzalez then approached Google to not display up the article when his name is searched. The court ruled in favor of the plaintiff. To exercise the right to be forgotten and request removal from a search engine, one must complete a form through the search engine’s website.
Google’s removal request process requires the applicant to identify their country of residence, personal information, a list of the URLs to be removed along with a short description of each one, and attachment of legal identification. The form allows people to submit the name they would like search results removed. If a Search Engine refuses a request to delink material, the EU citizens can appeal to their local data protection agency. As of May 2015, the British Data Protection Agency had treated 184 such complaints, and overturned Google’s decision in about a quarter of those.
If Google objects to a Data Protection Agency decision, it can face legal action. The European Union has focused that delinking requests by the EU citizens to be implemented by Google on all the International Domains.
United States (US) – The United States of America has well developed Legal system that protects the privacy of its citizens. The State of New York became the first to introduce a draft Right to protection bill A05323 in its State Assembly, which was titled “An act to amend the civil rights law and the civil practice law and rules, in relation to creating the right to be forgotten act”. Further in March 2017, New York state senator Tony Avella and assemblyman David Weprin introduced a bill proposing that individuals be allowed to require search engines and online speakers to remove information that is “inaccurate”, “irrelevant”, “inadequate”, or “excessive”, that is “no longer material to current public debate or discourse” and is causing demonstrable harm to the subject.
The bill was largely on lines similar to the European Court of Justice’s decision in Google Spain SL v. Agencia EspaÑola de ProtecciÓn de Datos. Two important cases namely Melvin v. Reid and Sidis v. FR Publishing Corporation are to some degree relevant. In Melvin’s case an ex-prostitute was charged with murder and then acquitted; she subsequently tried to assume a quiet and anonymous place in society. However, the 1925 film The Red Kimono revealed her history, and she successfully sued the producer.
The court reasoned, “Any person living a life of rectitude has that right to happiness which includes a freedom from unnecessary attacks on his character, social standing or reputation.” While in the latter case plaintiff, William James Sidis was a former child prodigy who wished to spend his adult life quietly, without recognition; however, an article in The New Yorker disrupted this. The court held here that there was limits to the right to control one’s life and facts about oneself, and held that there is social value in published facts, and that a person cannot ignore their celebrity status merely because they want to.” However, in spite of these slow developments, the prospects of a Federal law or a Constitutional Amendment providing for a standalone Right to be forgotten are quite dim in the United States, especially the strong opposition on the ground of being inconsistent with the First amendment of the US Constitution that provides the freedom of speech and expression. It is thus contended that the Right will effectively result in new form of Censorship.
However, these criticisms are consistent with the proposal that the only information that can be removed by user’s request is content that they themselves uploaded.
CONCLUSION
The present analysis examined the conception and subsequent development of the right to be forgotten in European Union. Marked by an extensive right to privacy jurisprudence, the sustainability of the right is higher in Europe as compared to India. The right to be forgotten requires harmonisation and balancing of the right to privacy and the right to freedom of expression. The right to privacy, which is a fundamental right in the European context, has been now recently recognized as a fundamental right in India.
However, with judicial pronouncements it has been propounded to have been intrinsic under Article 21 of the Constitution. Though, the right is now being recognised, its development has so far been limited to enforcement against state surveillance. In the absence of any explicit right to privacy and any legislation protecting personal data of citizens on an online forum, the right to be forgotten, if established, would have minimal and insufficient footing in India. Moreover, it is submitted that the free speech jurisprudence in India is evolved sufficiently to trump the right to be forgotten.
The right to be forgotten suffers from many constitutional inconsistencies which make its grounding incompatible in the Indian setting. Article 19 of the Constitution protects the right to expression of the citizens and allows an individual to post content online about another person, as long it is not restricted by a statutory legislation, under Article 19(2). Thus, the broad conception of personal data as defined in the GDPR cannot be protected under the constitution, as it would infringe the right to freedom of expression. Hence, substantively and procedurally, the right to be forgotten, in its present form, would be incompatible in the Indian context.
It is however, submitted that the European version of the right could suitably be to render it compatible in the Indian Constitution. The Right to be Forgotten needs to be established statutorily in Indian jurisprudence and must extend to cover private persons as well as the State, as proposed in the Personal Data Protection Bill, 2019. Further, data protection laws, such as the Information Technology (Intermediary Guidelines) Rules, 2011, which presently form a weak protection for data protection, need to be strengthened and worded specifically. The authority to balance the right to privacy and the right to freedom of speech should be done by an executive body in accordance with Administrative principles against excessive delegation.
References (2017) 10 SCC 1 2019 (175) DRJ 660. Commission Regulation 2016/679, The General Data Protection Regulation. Council Directive 95/46/EC, 1995 O.J. (L 281), 31 (EC). EU Data Protection Directive (Directive 95/46/EC), Whatis.com (Nov 22, 2018 07:30 PM), https://whatis. techtarget.com/definition/ EU-Data-Protection-Directive-Directive-95-46-EC Eugene Volokh, Volokh Conspiracy, The Washington Post (Nov. 23, 2018 11:20 AM), https://www.washingtonpost.com/news/volokhconspiracy/wp/2017/03/15/ n-y-bill-would require -people-to-remove-inaccurate-irrelevant-inadequateor-excessive-statementsabout-others/?utm_ term=. bbb6b2a0ae09.
General Data Protection Regulation 2016/679, Kpmg. com (Nov. 20, 2018 10:12 AM), https://assets.kpmg. com /content/dam/kpmg/be/ pdf/2017/GDPR_Booklet.pdf GLOBAL FREEDOM OF EXPRESSION COLUMBIA UNIVERSITY (Nov. 15, 2018 10:21 PM), https:// globalfreedomofexpression.columbia.edu/cases/ google-spain-sl-v-agenciaespanola-de-proteccion-dedatos-aepd/.
Google Spain v. AEPD, 2014 ECLI:EU:C:2014:317. John Hendel, Why Journalists Shouldn’t Fear Europe’s Right to be Forgotten, The Atlantic (Nov. 23, 2018 12:34PM), https:// www.theatlantic.com/technology/archive/2012/01/ why-journalists-shouldntfear-europes-right-to-beforgotten/251955/.
Melvin v. Reid 112 Cal.App. 285, 297 P. 91 (1931) Personal Data Protection Bill, Clause 20, Bill No. 373 of 2019.
Rebecca Heilweil, How Close Is An American Right-To-Be-Forgotten? Forbes (Nov. 18, 2018 2:43 PM), https://www.forbes. com/sites/rebeccaheilweil1/2018/03/04/howclose-is-an-american-rightto-be-forgotten/#46d62 636626e.
Sidis v. F-R Pub. Corp., U.S. LEXIS 26, 311 U.S. 711, 61 S.Ct. 393, 85 L. Ed. 462 (1940). Sidis v. Fr Publishing Corp, CASE BRIEFS (Nov.20, 2018 10:23 AM), https://www.casebriefs .com/blog /law/torts/ torts-keyed-to-epstein/privacy/sidis-v-f-r-publishingcorp/. Subhranshu Rout v. State of Odisha, BLAPL No. 4592 of 2020. U.S. CONST. amend. I, § 6 Vishu Raj, RIGHT TO BE FORGOTTEN- Is this the right time to include in our Indian constitution as a fundamental right?, Into Legal World, (Nov. 28, 2020), https:// www.intolegalworld.com/ LegalArticles?title=rightto-be-forgotten-is-this-theright-time-to-include-inour-indian-constitution-asa-fundamental-right-. WP (Civil) Nos. 36554- 36555/2017.