Informational privacy and the right to be forgotten in India
The globe went berserk with the recent Facebook-Cambridge Analytica data scandal, caused due to the breach of vital personal information of its users, and the contentious issue of informational privacy became a global concern. The aftermath of the data dereliction affected more than 87 million users across the world. This procured data comes under the classification of personally identifiable information, a locution which is legally used in information security or privacy laws. Profiling of data coupled with securing consent in a fraudulent or illegitimate manner is a serious violation of the right of an individual to control the dissemination of information. These innovations and technological metamorphosis have a cynical impact on the lives of an individual as every time someone accesses the World Wide Web, a small amount of information gets accumulated in the data of the portals. Data once uploaded linger in the Internet’s continual memory.
Right to privacy, data protection and the right to be forgotten should go hand in hand to overcome the degeneracies of the data age. The “right to be forgotten” or “the right to be erased” is a universal legal principle which allows an individual to request for removal of his/her personal information online. The roots of this right can be traced back to the French jurisprudence on the ‘right to oblivion’ or droit à l’oubli.
The ‘right to be forgotten’ has gained notability since the case of Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González was referred to the Court of Justice of European Union (CJEU) in 2014 by a Spanish court. In 2016, the European Union published the final version of the General Data Protection Regulation. The new regulation provides for a right to erasure under Article 17, which enables a data-subject to seek deletion of data.
The Supreme Court of India in the historic case of K.S. Puttaswamy v. Union of India (2017) held that “The right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 under Part III of the Constitution.” Informational privacy in India does not deal with a person’s body but deals with a person’s mind. The Indian jurisprudence recognises that an individual may have control over the dissemination of material that is personal to him. Any unauthorised and illegitimate use of such information may, therefore, lead to infringement of this right to privacy. Therefore, it is essential that the individual knows as to what the data is being used for and should have the ability to correct and amend it.
Globally, the boundaries of privacy and data protection laws have been widened to include a “right to be forgotten”. This trend trickled down to India when the Supreme Court of India while interpreting the privacy judgment, led to traces of the birth of a right to be forgotten, domestically. The ruling is a revolutionary footstep towards legally recognising the adverse impact of the Internet and the need to regulate and control the growth of this highly precious invention in order to uphold individual privacy. With the constitutional recognition of privacy as a fundamental right, the judgment also embraced a newer right in the way to creating a digitally safe India – the Right to be forgotten.
Prior to the order of the Apex Court, two Indian High Courts also dealt with this issue, but paradoxically. The point of law in both the cases was the plea to either redact personal information from the text of the judgments available online or removal of the judgments available publicly. The Gujarat High Court dismissed the case, citing two factors: (i) failure on part of the petitioner to show provisions of law which are applicable to the situation, or that a threat lies to the right to life and liberty, (ii) publication on a website does not amount to reporting. On the contrary, the Karnataka High Court favoured the petitioner and ordered the petitioner’s name to be redacted from the text of the judgment.
To secure and guarantee the right to privacy, it is quintessential to have a strong and loophole-free data security regime which not only stands up to the challenges but also provides necessary safeguards for tackling breach of privacy. Data protection law is a set of rules or regulations which aims to prevent the obtrusion into one’s personal or private sphere. The Personal Data Protection Draft Bill, 2018 prepared by on basis of the recommendations of Shri. B.N. Srikrishna Committee Report has laid significant emphasis on obtaining the consent of an individual to process and use personal data, which must be informed, specific and clear, and should be handy and adept of being withdrawn as easily as it was given. The Bill has adopted a separate section on the Right to be forgotten but does not explicitly mention a right to erasure. Section 27 of the bill catalogues out three scenarios in which an individual will have the “right to restrict or prevent the continuing disclosure of personal data” or the right to be forgotten. The prerequisites for the applicability of this provision is when data disclosure is no longer necessary, the consent to use data has been withdrawn or if data is being used contrary to the provisions of the law. The draft bill empowers an adjudicating officer to determine the applicability of one of the three scenarios. The officer in his discretion should also determine that the right of the individual to restrict the use of her data overrides the right to freedom of speech or right to information of any other citizen. However, this right requires controller authorities to juxtapose the subject’s rights to “the public interest in the availability of the data”. The crucial deciding factor that emerges is the interpretation of “public interest”. It arises on a case-by-case basis and the individual’s right must be found to upstage the public’s right to know for the data to be delisted or erased.
Google has received more than 2.4 million requests to take down URLs from its search engine under EU’s right to be forgotten laws since they were introduced in May 2014. The Telecom Regulatory Authority of India’s (TRAI) recent recommendations to Department of Telecom (DoT) on data ownership and privacy, expressly recommended that people should be given the “right to be forgotten”. According to TRAI, the rules and regulations for protecting personal data in the telecom space are inadequate and suggested that the citizens should be given “the rights to consent, data portability, and to be forgotten”. The regulator added that the right to data portability and the right to be forgotten are conditional and restricted rights, and the same should be subject to applicable laws in this regard. It proposed that the existing rules applicable to telecom operators for protection of users’ privacy be made applicable to all the institutions in the digital ecosystem, until a general data protection law is notified by the government.
Despite the fact that section 69A of the IT Act,2000 and the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 hold relevance, there is a paucity of information and clarity about the parameters of an individual’s right to be forgotten and what restrictions can be imposed on such a right. In the absence of a data protection law, addressing the issue of the right to be forgotten, it is primarily enforceable by approaching the court. Alternatively, an individual can resort to requesting the search engine to remove the contentious result. Google has a case-to-case procedure for the same. In the former mechanism, the courts are endowed with an ad-hoc resolution of a probable ‘right’ whose content is amorphous. In the latter, adjudication of fundamental rights, incursions on free speech and public access to information are left to the good judgment and intelligence of a private entity.
In this context, the idea of memory and forgetting for the digital age is a basic right of every person. All forms of personal data should have an additional metadata of expiration date to switch the default from information existing endlessly to having a temporary limit after which it is deleted. But due to the lack of uniformity of international jurisprudence, the implementation of this principle is a distant dream. The right is still in its nascent stage and is often quoted that it infringes the freedom of speech. According to the modern school of thought, the right to be forgotten merely alters results on search engines without deleting the actual source, thus, not curtailing the freedom of expression.
Information if legitimately deployed is a powerful enabler in the spread of innovation and tools of knowledge and, therefore, the need of the hour is a proper implementation mechanism which can maintain a balance between individual right to privacy and right to be forgotten.