The Right to be Forgotten: Performing Shift + Delete on the Internet
“The right to be forgotten is an idea that attempts to instil the limitations of memory into an otherwise limitless digital sphere”
Justice B.N. Srikrishna Committee[1]
Introduction
Over the past few years, the Internet has seen a radical change wherein it has become a part of almost every single human being’s lifestyle. The Word Wide Web is a never-ending encyclopaedia that offers something to suit everyone’s liking. The Internet is like a genie that can fulfil its master’s most bizarre requests. One can go from reading about the ramifications of the First World War to watching cat videos in less than two clicks. The amount of information stored online is hard to fathom[2] but we do know that there is information about all of us that is available online. This may include information that has either been uploaded by us or by a third person. Either way, you may or may not want such information to be accessible by the world. This right of yours i.e. the right to have information about you removed from the Internet is often referred to as the ‘Right to be Forgotten’.
The Right to be Forgotten finds its roots in French Law which recognises the right of a rehabilitated criminal to object to the publication of the fact of his conviction and imprisonment. This right is known as le droit à l’ oubil or the “right to oblivion”[3]. In modern jurisprudence, this right was established by the Court of Justice of the European Union in Google Spain SL & Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González[4] (‘Google Spain Case’).
The Google Spain Case
In 1998 ‘La Vanguardia’, a Spanish newspaper published two announcements on the sale of properties on account of non-dischargement of social security debts. The announcements were published pursuant to the orders of the Spanish Ministry of Labour and Social Affairs. The editions were subsequently made available on the Internet. One of the properties sought to be auctioned belonged to Mario Costeja González, a Spanish national , who was named in the announcements.
In November, 2009 González, aggrieved by his name appearing in connection with the announcements on Google search, wrote to the newspaper asking them to delete his data as the sale has been completed years ago and was no longer relevant. However, the newspaper refused to delete his data on the ground that the announcements were made pursuant to the orders of a governmental agency. Subsequently, González wrote to Google Spain SL (‘Google Spain’) seeking removal of links relating to the announcement on its search platform. The request was forwarded to Google Inc. by Google Spain on the ground that Google Inc. was the responsible body.
González then filed a complaint before the Spanish Data Protection Agency (Agencia Española de Protección de Datos or AEPD) inter alia seeking that the newspaper be directed to remove the announcements and Google Spain and Google Inc. (collectively ‘Google’) be directed to remove the links. The AEPD, though refused to grant any relief to González against the newspaper, directed Google to remove the links. Google Inc. and Google Spain appealed against the decision of AEPD before the National High Court of Spain. The Hon’ble Court stayed the proceedings and inter alia sought a preliminary ruling from the Court of Justice of the European Union on whether the EU Data Protection Directive[5] establishes the right to be forgotten.
The Hon’ble Court, while placing reliance on the articles of the EU Data Protection Directive[6], held that a data subject is entitled to erasure of information and links concerned in the list of results, when such information appears, having regard to all the circumstances, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing.
Indian Courts and the Right to be Forgotten
The Gujarat High Court was the first court in India to be concerned with the Right to be Forgotten in Dharamraj Bhanushankar Dave v. State of Gujarat & Ors[7]. The Petitioner was acquitted of various criminal offences by the Sessions and the High Court. The judgement acquitting the Petitioner though non-reportable, found its way on various legal portals and on Google search index. Aggrieved by this, the Petitioner filed a writ petition seeking ‘permanent restrain of free public exhibition of the judgement’. The Hon’ble High Court dismissed the Petition while placing reliance on The Gujarat High Court Rules, 1993 to hold that copies of the judgements of the High Court could be given to any party by the order of the Assistant Registrar. The Hon’ble Court further held that the Petitioner had failed to make out any case of violation of his rights guaranteed to him under Article 21 of the Constitution of India, 1950. Thus, the Hon’ble Court did not recognise the right to be forgotten.
Another interesting decision in the journey of evolution of the right to be forgotten in India is that of the Karnataka High Court inthe case of Sri Vasunathan v. The Registrar General [8]. Briefly put, the matter arose out of an earlier dispute between a woman and a man, wherein the woman had filed an FIR against a man alleging commission of offences of forgery, compelling her for marriage, criminal conspiracy and etc. The women also instituted a suit seeking a declaration that there was no marriage between her and the man. The parties ultimately reached a settlement and a Petition under Section 482 to the Code of Criminal Procedure, 1973 was preferred by the man seeking quashing of the criminal case against him (‘482 Petition’). Pertinently, personal details of the woman found their place in the cause title of the 482 Petition and its order.
Subsequently, the women married another man. The father of the women, however, had an apprehension that his daughter’s reputation in the society and her relationship with her husband would suffer harm since a search of his daughter’s name on the internet showed results of the order passed in the 482 Petition. Accordingly, he sought a direction that the Registry be directed to mask her name in the cause title and order and that only the masked copy be made available online. In a contrast to the previously cited case, here the Hon’ble Court partly granted the relief sought and directed the Registry to ensure that any Internet search made in the public domain ought not to reflect the women’s name in the cause title or order passed in the 482 Petition. The Hon’ble Court while granting the above relief, observed as follows:
“This would be in line with the trend in the Western countries where they follow this as a matter of rule “Right to be forgotten” in sensitive cases involving women in general and highly sensitive vases involving rape or affecting the modesty and reputation of the person concerned…”
Lastly, in Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd. & Ors.[9], the Hon’ble Delhi High Court recognised the Plaintiff’s right to be forgotten. In this matter, the Defendant published two articles containing allegations of sexual harassment against the Plaintiff. The Plaintiff sought a decree of seeking permanent restraint from publication and re-publication of the two articles. The Plaintiff had also filed an application seeking temporary its restraint, which was allowed by the Hon’ble Court. Accordingly, the Defendants were restrained from publishing/re-publishing the two articles. While the parties ultimately managed to settle the dispute between themselves, the Hon’ble Court while restraining the Defendant from re-publication of the articles or any of their contents on any print or digital/electronic platform during the pendency of the suitrecognised the Plaintiff’s right to be forgotten.
Personal Data Protection Bill, 2019
The Justice B.N. Srikrishna Committee in its Report (which serves as the foundation for the Personal Data Protection Bill, 2019) enunciates that the right to be forgotten provides to one the right against disclosure of one’s data when the processing of their data has become unlawful or unwanted. The Committee, through its report has sought to safeguard this right by balancing the right to freedom of speech and expression with the right to privacy.
The first challenge facing the Committee was balancing the right with other competing rights and interests i.e. deletion of disclosed or published information, with someone else’s right to free speech and expression and the right to information. The Committee proposed a test with the following criteria to balance the two rights:
- The sensitivity of the personal data sought to be restricted.
- The scale of disclosure or degree of accessibility sought to be restricted.
- The role of the data principal in public life.
- The relevance of the personal data to the public (whether the passage of time or change in circumstances has modified the relevance for the public)
- The nature of the disclosure and the activities of the data fiduciary i.e. entities in charge of deciding the purpose and means of data processing (whether the fiduciary is a credible source or whether the disclosure is a matter of public record; with the right focusing on restricting accessibility and not content creation).
The second challenge facing the Committee was to determine the appropriate authority for approval of such removal requests. The Committee considered the model followed by the European Union, wherein the data fiduciary is given the responsibility of balancing the above-mentioned rights. The Committee rejected this model on the ground that this led to privatisation of regulation and shifts the responsibility of protecting fundamental rights on private entities. The Committee while noting the decision of the Hon’ble Supreme Court in Shreya Singhal v. Union of India[10] proposed that this responsibility should lie with the adjudicatory wing of the Data Protection Authority (“DPA”).
The third and the last challenge facing the Committee was to ascertain the breadth of the order. The Committee noted that EU law the data fiduciary was obligated to inform other data fiduciaries of the request for deletion, but left the question of whether such an obligation should be imposed, with the DPA.
The Right to be forgotten finds its place in Section 20 of the Personal Data Protection Bill, 2019. The section provides a data principal with the right to seek erasure, restriction or prevention of disclosure of his personal data by a data fiduciary when such disclosure has served its purpose or is no longer relevant for the purpose, or consent has been withdrawn or taken in manner contrary to the specific provisions of the Bill or any other law for the time being in force.
The right, however, can be enforced only if the Adjudicating Officer is satisfied that the case meets the five criteria test laid down by the Justice B.N. Srikrishna Committee. A party aggrieved by an order of the Adjudicatory Authority restricting or preventing disclosure of personal data can also apply for a review of the order by the Adjudicating Officer or challenge it in an appeal before the Appellate Tribunal.
Conclusion
It may be said that the right to be forgotten is not one, which emanates out of the data protection regime but rather, from the intrinsic human right of right to privacy. The right to privacy of an individual is one which finds itself being protected under various branches of law, be it criminal, digital, employment or even financial. While inclusion of the right to be forgotten under the proposed new-age data protection regime does not come as a surprise in itself, the extent to which it plays a role in drafting of the Personal Data Protection Bill, 2019 is not only laudable but also imperative.
With the exponential boom of artificial intelligence and ability of the digital tech-bits to store and process our information, our technological devices are no less than a Trojan horse. Our much loved social media websites not only store but gloat about ‘remembering’ our ‘memories’ from more than a decade ago. In-part, it is the fact that one did not intentionally permit such sites to store information for seemingly forever that had triggered the urgency to set in place regulations allowing persons to determine whether and what information of theirs they want to immortalise and announce to the whole world.
The right to be forgotten envisaged under the Personal Data Protection Bill, 2019 is perhaps more wholesome than some of its other international counterparts. The extent of its applicability and recognition has taken a leap from the protection earlier granted to it under existing laws. This leap in evolution is certainly well welcomed.
It is expected that with the implementation of the Bill, the data giants and the smaller players of the digital world would be forced to respect the rights of its users as the individual beings that they are, rather than another statistic adding to the universe of their data servers.
[1] Committee of Experts on a Data Protection Framework for India under the Chairmanship of Justice B.N. Srikrishna in its Report submitted to the Ministry of Electronics and Information Technology on July 27, 2018.
[2] It is estimated that Google, Amazon, Microsoft and Facebook collectively store approximately 1,200 petabytes of data.
[3] The Right to Be Forgotten, Jeffery Rosen, 64 Stan. L. Rev. Online 88
[4] Case No. C-131/12
[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“EU Data Protection Directive”)
[6] Article 12(b) and subparagraph (a) of the first paragraph of Article 14 of the EU Data Protection Directive
[7] SCA No. 1854 of 2015, 19.01.2017
[8] W.P. No. 62038/2016, 23.01.2017
[9] CS(OS) 642 of 2018
[10] (2015) 5 SCC 1