The right to be forgotten is an extension of the Right to Privacy that is enjoyed by an individual. The same is governed by the Personal Data Protection Bill that is yet to be passed by Parliament. As has already been discussed in this column before, the Right to Privacy was declared a fundamental right by the Supreme Court of India in 2017 in the Landmark verdict of Puttaswamy case. The court had said at the time that, “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.
The Personal Data Protection Bill was introduced in Lok Sabha on December 11, 2019 and it aims to set out provisions meant for the protection of the personal data of individuals.
Clause 20 under Chapter V of this draft bill titled “Rights of Data Principal” mentions the “Right to be Forgotten.” It states that the “data principal (the person to whom the data is related) shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary”. Therefore, broadly speaking, under the Right to be forgotten, users can de-link, limit, delete or correct the disclosure of their personal information held by data fiduciaries. A data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
Having said all this, it cannot be construed that the sensitivity of the personal data is solely determined by the concerned person. The same is basically overseen by the Data Protection Authority. It can therefore be said that while the person whose data is in question is given the protection of some provisions under the Draft Bill under which he may seek to get the sensitive information removed but ultimately his rights are still subject to the approval/authorization by the adjudicating officer who works for the Data Protection Authority. It is the officer who will need to decide and scrutinize the level of sensitivity of the personal data, the degree of accessibility sought to be restricted, the role of the data principal in public life and the nature of the disclosure among some other factors.
The right to be forgotten also appears in Recitals 65 and 66 and in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies. “Undue delay” is considered to be about a month.
This right is basically a common name for a right that was first established in May 2014 in the European Union as the result of a ruling by the European Court of Justice. The Court found that European data protection law gives individuals the right to ask search engines like Google to remove certain results for queries related to a person’s name. In deciding what to remove, search engines must consider if the information in question is “inaccurate, inadequate, irrelevant or excessive,” and whether there is a public interest in the information remaining available in search results. In furtherance of this, in the year 2018, the EU adopted the General Data Protection Regulation that sets out a right to erasure. This data protection however, is available only to individuals and not to Corporations and other legal entities. The requests for delisting of personal information though usually comes from the effected person himself, it may also come from someone acting on his behalf provided that the said person has the legal authority to do the same.
How to submit the request for removal of sensitive information from the web
Fill out a webform that is available on the web to submit a request. There are certain things that are required to be submitted along with the form:
• The specific URL(s) for the content that you want delisted.
• A description of how the content is related to you, and why we should delist it from Google search results.
• The search query for which you’d like the authorities to delist the content, i.e., your full name. You may also be able to ask them to delist content for a different name, for example a nickname. In this case, it is required to inform the authorities as to how this name is linked to your identity.
• An email address where you can be reached.
It’s always helpful to provide as much background information as is necessary for the authorities to effectively evaluate your request by looking at all information available. Sometimes they need more information to decide on your request. If that is the case then usually the person concerned will get an email and more information shall be required from him before the authorities act on his request.
There are also various circumstances that guide the authorities in determining whether the request for removal of the data concerned shall be acceded to or not. Asper Article 17, the GDPR outlines the specific circumstances under which the right to be forgotten applies.
An individual has the right to have their personal data erased if:
? The personal data is no longer necessary for the purpose an organization originally collected or processed it.
? An organization is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.
? An organization is relying on legitimate interests as its justification for processing an individual’s data, the individual objects to this processing, and there is no overriding legitimate interest for the organization to continue with the processing.
? An organization is processing personal data for direct marketing purposes and the individual objects to this processing.
? An organization processed an individual’s personal data unlawfully.
? An organization must erase personal data in order to comply with a legal ruling or obligation.
?An organization has processed a child’s personal data to offer their information society services.
However, an organization’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:
? The data is being used to exercise the right of freedom of expression and information.
? The data is being used to comply with a legal ruling or obligation.
? The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
? The data being processed is necessary for public health purposes and serves in the public interest.
? The data being processed is necessary to perform preventative or occupational medicine. This only applies ?when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
? The data represents important information that serves the ?public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing.
? The data is being used for the establishment of a legal defense or in the exercise of other legal claims.
Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if the organization can justify that the request was unfounded or excessive. All in all, there are many variables at play and each request will have to be evaluated individually. Add to that the technical burden of keeping track of all the places an individual’s personal data is stored or processed and it is easy to see why the GDPR’s new privacy rights can be a significant compliance burden for some organizations.
In the Indian scenario, the Right to be forgotten also gets in a major conflict with the Right to Information. This can be depicted in the cases where a rape victim has a right that her past is forgotten and at the same time a criminal cannot claim that he has the right to insist that his conviction should not be referred to by the media.
As the final decision as to whether the online data has to be retained or erased from the web depends on the Data Protection Authority, it may turn the Right to Forgotten into a danger for the Freedom of Press as a journalist has to wait for the decision of the adjudicating officer. This will further put the freedom to criticize the public personalities for their public policies based on their past statements and activities in jeopardy.
Another problem is that even though the state retains unbridled powers to collect and process data, without the need for consent, for the national interest, the term national interest itself has nowhere been defined. In order to implement the right to be forgotten, privacy needs to be added as a ground for reasonable restriction under Article 19 (2) by a major amendment to the Constitution and there must be a balance between the right to privacy and protection of personal data (as covered under Article 21 of the Indian constitution), on the one hand, and the freedom of information of internet users (under Article 19), on the other.
A comprehensive data protection law must address these issues and minimize the conflict between the two fundamental rights that form the crucial part of the golden trinity (Art. 14,19 and 21) of the Indian constitution so that both may coexist in harmony and the presence of one does not threaten the existence of the other.