About the Author: Suhani Gupta is a Student of the O.P. Jindal Global Law School, Sonipat.
INTRODUCTION
In the present technology-driven age, control over personal data has become more challenging than ever. With the advent of social media, we all post or share parts of our lives of which we are not proud; thus, later there comes the role of the right to be forgotten or erased. These rights stem from the fundamental right to privacy. It, essentially, means that individuals be empowered to request the removal of their personal information from public resources. However, in the context of Indian law, the application of the right to be forgotten is contentious and vague. This blog unfolds the same with the help of case laws and discusses potential reforms.
Google Spain v AEPD[1] was the first case in 2014 to recognize the right to be forgotten. In this case, Mario sought Google to delete search results referring to publications about a real estate sale of his social security obligation. The pieces were factual but old and exceedingly detrimental to him, he stated. The publication refused to withdraw the text, and therefore, Mario requested Google to remove the links. The Court of Justice, EU (CJEU) disregarded that the premise prejudiced disproportionately the interest of Google. The argument was that search engines are crucial for the accessibility of information and are therefore more invasive in their influence on privacy rights than the primary publisher. Therefore, the task of removing this data is on search engines rather than the website owner.[2] The original information was not erased from the internet but made more difficult to access so this right to obscurity can viewed as not about erasing information but can be looked at as just making it more difficult to locate. Critics, including the House of Lords (HL), U.K. have emphasized the court’s verdict did not take into account the impact on smaller search platforms, unlikely to have resources to process thousands of removal requests. During a hearing before the Select Committee of HL, the witnesses differed on the practicality of implementing the judgment by Google. The report concluded that the right to be forgotten to be as mysterious as its name is deceptive.
THE INCONSISTENT JURISPRUDENCE AROUND THE RIGHT IN INDIA
The milestone ruling in the Puttaswamy case affirmed privacy as a fundamental right.[3] However, this right primarily focuses on protecting personal information from unauthorized dissemination and controlling access to it. The Supreme Court did not specifically include the right to be forgotten within this framework.[4]
The right to be forgotten was initially raised before the Indian Court in the High Court of Gujarat in the case of Dave v State of Gujarat.[5] The petitioner requested the High Court to bar the respondent from publishing a judgment that could adversely impact him despite his acquittal. The Gujarat High Court declined the request, citing the absence of any legal ground to bar the respondents and noting that the facts did not contravene Article 21 of the Constitution.[6] Thus, failing to acknowledge this right.
In the notable case of TV star Ashutosh Kaushik, who petitioned the Delhi High Court in 2021 to erase all posts, videos, and articles containing details of his 2009 driving under the influence arrest and a 2013 altercation in a café in Mumbai under the right to be forgotten.[7] This case brought to life the various challenges individuals face while trying to prevent social media defamation and the heightened need for the erasure of their data.
In another major case Mundy v UoI,[8] a petition was filed by the petitioner seeking the removal of online access to a judgment damaging his reputation. A Single Judge bench of Justice Pratibha M. Singh balanced the right of privacy with that of the public to information. The judgement was passed in favour of the petitioner to remove the damaging judgments from the respondents’ websites, thereby affirming the exercise of the right to be forgotten in certain situations.[9]
LIMITED SCOPE OF THE RIGHT IN ‘DIGITAL PERSONAL DATA PROTECTION ACT, 2023’
In India, the DPDPA[10] endows with limited scope for the Right to be Forgotten. The Act’s Section 12(1) gives data principals (individuals) the authority to correct, complete, update, and erase their personal data for which they have previously given consent.[11] Section 12(3) mandates that data fiduciaries (entities processing the data) erase personal data upon request unless retention is necessary for compliance with existing laws.[12]
However, Personal information made publicly accessible by the data owner is not liable under Section 3(c)(ii) of the Act. For instance, if an individual has publicly parted with personal information on social sites while blogging, the proviso of the act will not apply.[13] Furthermore, Section 17 encapsulates exceptions where the right will not be enforceable such as data needed for legal claims, judicial functions, or for preserving public order and security.[14] Additionally, the Central Government can exempt the Act’s application for specific data fiduciaries or classes of fiduciaries. Thus, the scope of the provision itself is limited to many exceptions and is narrow in applicability.
THE FUTURE OF RIGHTS IN INDIA
The enforcement of this right under the DPDPA, 2023 faces several limitations and ambiguities which can be tackled through clear judicial and legislative precedence and interpretation. Firstly, the scope of the act is unclear regarding publicly available data, and various exceptions can easily dilute the right. Secondly, the balance between the right to information and the right to be forgotten is still in debate and there is no clear judicial precedence regarding it. Third, the act is also unclear about the extent of erasure of data and much depends on the will of the Data fiduciary, which can lead to a lack of implementation as the private entities, lack responsibility for public welfare. Lastly, DPDPA can be made more compatible with other cross-border acts such as the General Data Protection Regulation to tackle cross-border data issues and to implement hefty fine policies to facilitate implementation.
CONCLUSION
The fundamental right to privacy was established by the Indian apex Court in the Puttaswamy case. However, it does not entitle a person to the right to be forgotten. The jurisprudence on this right is inconsistent, while the Digital Data Protection Act, 2023 allows for very limited application of such right. It is good to remember that the right to be forgotten aims to protect people’s reputation and privacy in the digital era, and its implementation and recognition in India are limited and have many exceptions. New digital technologies will only be adopted for future challenges with clear and complete legal frameworks. However, that elusive right to be forgotten also remains under debate within Indian law.
References:
[1] Google Spain SL, Google Inc v Agencia Española de Protecciónde Datos, Mario Costeja González [2014] Case C-131/12
[2] Ibid
[3] Justice K S Puttaswamy (Retd) v Union of India (2017) 10 SCC 1
[4] Ibid
[5] Dharamraj Bhanushankar Dave v State of Gujarat SCA No 1854/2015
[6] Ibid
[7] Ashutosh Kaushik v Union of India WP No 6790/2021
[8] Jorawar Singh Mundy v Union of India WP 3918/2020
[9] Ibid
[10] Digital Personal Data Protection Act 2023
[11] Digital Personal Data Protection Act 2023, s 12(1)
[12] Digital Personal Data Protection Act 2023, s 12(3)
[13] Digital Personal Data Protection Act 2023, s 3(c)(ii)
[14] Digital Personal Data Protection Act 2023, s 17