Personal data protection: Time to focus on an individual’s online ‘Right to be forgotten’

This right is not available under India’s current data privacy regime.

Generally, there is a common misconception that data once deleted from any online platform or social media platform shall be deleted permanently, but it is not known to many that the data being uploaded by the user on any online platform or social media might get stored on the server held by the parent company and also there is no surety whether the data would be left untouched or be traded with other third parties involved for the sake of minting profit. In reality, social media and other online open-source platforms are a trap for the users set by the companies to extract information, and they either make use of the information themselves or sell it to other third parties in return to mint money, in the end, it’s the users who become the scapegoat.
In the light of social security and public interest, the right to be forgotten at large should be validated as ignoring this issue might pave the way to exploitation of user data and further other illegal activities. The government needs to change its approach and focus on revamping the legal framework in this regard along with entering into global collaboration efforts to protect the privacy of the individuals for the public at large.
The Personal Data Protection Bill, 2018 (“New Data Protection Act”) introduced the concept of an individual’s “Right to be forgotten” in India. This right is currently not available under India’s current data privacy regime which comes in the form of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“DP Rules 2011”) framed under the Information Technology Act, 2000 (“IT Act 2000”). “Section 27 of the New Data Protection Act,” “which falls under chapter 6 (Data Principal Rights) of the New Data Protection Act,” carves out the “right to be forgotten” in no uncertain terms.
“According to this section, every data principal shall have the right to restrict or prevent continuing disclosure of personal data (relating to such data principal) by any data fiduciary if such disclosure meets 1 of the following 3 conditions, namely the disclosure, withdrawn; (i) has served the purpose for which it was made or is no longer necessary; or (ii) was made based on the data principal’s consent and such consent has since been another law in force. or (iii) was made contrary to the provisions of the New Data Protection Act or any of personal data.”
To make use of the aforementioned rights to limit or prevent the further disclosure of personal data, an application must be filed, in the form and manner indicated, with an Adjudicating Officer, and such Adjudicating Officer must have concluded that at least one of the other three grounds mentioned above applies, as well as that the data principal’s interest and rights in restricting or preventing the prolonged dissemination of personal data outweigh any citizen’s right to freedom of expression and information.
The “right to be forgotten” emanates from a 2014 judgement by the European Court of Justice in the case of Google Spain SL, Google Inc. v. Agencia Espaola de Protección de Datos, Mario Costeja González. In this case, a newspaper published an article in 1998 relating to a forced property sale that was required to be made by Mr Mario Costeja Gonzalez to settle a social security debt.
As a result, the European Court of Justice ruled that European residents have the right to ask metasearch businesses like Google, who collect personal data for business, to erase links to sensitive data when requested, given that such material is no longer relevant. The European Court of Justice determined that the fundamental right to privacy is more important than a commercial firm’s economic interest and, in certain situations, more important than the interest of the public in access to data.
Likewise, in the case of Subhranshu Rout @ Gugul v. the State of Odisha, “the offender allegedly videotaped the rape, established a bogus social media profile, and published the material on the social media site.” The High Court of Orissa (“Court”) denied the accused’s bail motion, citing a lack of adequate remedies for victims seeking to have harmful information removed from the internet. In light of both escalating online abuse and exceptional callous activity on the internet, as well as the lack of a framework for exercising the right to be forgotten, the Court concluded that a broader debate on the execution of this right was required.
In a recent verdict, the Karnataka High Court ordered around 17 media houses to block/redact the names of the acquitted persons in a case who had invoked the “right to be forgotten”. Although Indian laws do not have specific provisions enshrined to protect the rights of the individual under such circumstances, however, the courts under the garb of judicial activism have stressed and taken note of instances where an individual’s right to privacy is in jeopardy. As the release of any sensitive data in the public domain shall lead to mental agony and harm to the reputation of not only that particular individual/group of individuals, but also to their families.
As a corollary, when that comes to the right to be forgotten, advocates essentially argue here that the right to privacy entails the right to be forgotten including people individuals who have been imprisoned or have faced charges and now desire to move forward.
The requirement for personal data or information about past traumatic occurrences of people who have already been punished or prosecuted to stay in the public domain is increasingly being challenged in court. It is a dire need of the hour that the government formulates laws that govern the liabilities of intermediaries and also protect the interests of the public at large.
The author is an independent IP Attorney working with a reputed law firm.