The Right to be Forgotten – Examining Approaches in Europe and India

This is a guest post authored by Aishwarya Giridhar.

How far does the right to control personal information about oneself extend online? Would it extend, for example, to having a person’s name erased from a court order on online searches, or to those who have been subjected to revenge pornography or sexual violence such that pictures or videos have non-consensually been shared online? These are some questions that have come up in Indian courts and are some of the issues that jurisprudence relating to the ‘right to be forgotten’ seeks to address. This right is derived from the concepts of personal autonomy and informational self-determination, which are core aspects of the right to privacy. They were integral to the Indian Supreme Court’s conception of privacy in Puttaswamy vs. Union of India which held that privacy was a fundamental right guaranteed by the Indian Constitution. However, privacy is not an absolute right and needs to be balanced with other rights such as freedom of expression and access to information, and the right to be forgotten tests the extent to which the right to privacy extends.

On a general level, the right to be forgotten enables individuals to have personal information about themselves removed from publicly available sources under certain circumstances. This post examines the right to be forgotten under the General Data Protection Regulation (GDPR) in Europe, and the draft Personal Data Protection Bill, 2019 (PDP Bill) in India.

What is the right to be forgotten?

The right to be forgotten was brought into prominence in 2014 when the European Court of Justice (ECJ) held that users can require search engines to remove personal data from search results, where the linked websites contain information that is “inadequate, irrelevant or no longer relevant, or excessive.” The Court recognised that search engines had the ability to significantly affect a person’s right to privacy since it allowed any Internet user to obtain a wide range of information on a person’s life, which would have been much harder or even impossible to find without the search engine. 

The GDPR provides statutory recognition to the right to be forgotten in the form of a ‘right to erasure’ (Article 17). It provides data subjects the right to request controllers to erase personal data in some circumstances, such as when the data is no longer needed for their original processing purpose, or when the data subject has withdrawn her consent or objected to data processing. In this context, the data subject is the person to whom the relevant personal data relates, and the controller is the entity which determines how and why the data would be processed. Under this provision, the controller would be required to assess whether to keep or remove information when it receives a request from data subjects.

In comparison, clause 20 of India’s Personal Data Protection Bill (PDP Bill), which proposes a right to be forgotten, allows data principals (similar to data subjects) to require data fiduciaries (similar to data controllers) to restrict or prevent the disclosure of personal information. This is possible where such disclosure is no longer necessary, was made on the basis of consent which has since been withdrawn, or was made contrary to law. Unlike the GDPR, the PDP Bill requires data subjects to approach Adjudicating Officers appointed under the legislation to request restricted disclosure of personal information. The rights provided under both the GDPR and PDP Bill are not absolute and are limited by the freedom of speech and information and other specified exceptions. In the PDP Bill, for example, some of the factors the Adjudicating Officer is required to account for are the sensitivity of the data, the scale of disclosure and how much it is sought to be restricted, the role of the data principal in public life, and the relevance of the data to the public. 

Although the PDP Bill, if passed, would be the first legislation to recognise this right in India, courts have provided remedies that allow for removing personal information in some circumstances. Petitioners have approached courts for removing information in cases ranging from matrimonial disputes to defamation and information affecting employment opportunities, and courts have sometimes granted the requested reliefs. Courts have also acknowledged the right to be forgotten in some cases, although there have been conflicting orders on whether a person can have personal information redacted from judicial decisions available on online repositories and other sources. In November last year, the Orissa High Court also highlighted the importance of the right to be forgotten for persons who’s photos and videos have been uploaded online, without  their consent, especially in the case of sexual violence. These cases also highlight why it is essential that this right is provided by statute, so that the extent of protections offered under this right, as well as the relevant safeguards can be clearly defined.

Intersections with access to information and free speech

The most significant criticisms of the right to be forgotten stem from its potential to restrict speech and access to information. Critics are concerned that this right will lead to widespread censorship and a whitewashing of personal histories when it comes to past crimes and information on public figures, and a less free and open Internet. There are also concerns that global takedowns of information, if required by national laws, can severely restrict speech and serve as a tool of censorship. Operationalising this right can also lead to other issues in practice.

For instance, the right framed under the GDPR requires private entities to balance the right to privacy with the larger public interest and the right to information. Two cases decided by the ECJ in 2019 provided some clarity on the obligations of search engines in this context. In the first, the Court clarified that controllers are not under an obligation to apply the right globally and that removing search results for domains in the EU would suffice. However, it left the option open for countries to enact laws that would require global delisting. In the second case, among other issues, the Court identified some factors that controllers would need to account for in considering requests for delisting. These included the nature of information, the public’s interest in having that information, and the role the data subject plays in public life, among others. Guidelines framed by the Article 29 Working Party, set up under the GDPR’s precursor also provide limited, non-binding guidance for controllers in assessing which requests for delisting are valid.

Nevertheless, the balance between the right to be forgotten and competing considerations can still be difficult to assess on a case-by-case basis. This issue is compounded by concerns that data controllers would be incentivised to over-remove content to shield themselves from liability, especially where they have limited resources. While larger entities like Google may have the resources to be able to invest in assessing claims under the right to be forgotten, this will not be possible for smaller platforms. There are also concerns that requiring private parties to make such assessments amounts to the ‘privatisation of regulation’, and the limited potential for transparency on erasures remove an important check against over-removal of information. 

As a result of some of this criticism, the right to be forgotten is framed differently under the PDP Bill in India. Unlike the GDPR, the PDP Bill requires Adjudicating Officers and not data fiduciaries to assess whether the rights and interests of the data principal in restricting disclosure overrides the others’ right to information and free speech. Adjudicating Officers are required to have special knowledge of or professional experience in areas relating to law and policy, and the terms of their appointment would have to ensure their independence. While they seem better suited to make this assessment than data fiduciaries, much of how this right is implemented will depend on whether the Adjudicating Officers are able to function truly independently and are adequately qualified. Additionally, this system is likely to lead to long delays in assessment, especially if the quantum of requests is similar to that in the EU. It will also not address the issues with transparency highlighted above. Moreover, the PDP Bill is not finalised and may change significantly, since the Joint Parliamentary Committee that is reviewing it is reportedly considering substantial changes to its scope.

What is clear is that there are no easy answers when it comes to providing the right to be forgotten. It can provide a remedy in some situations where people do not currently have recourse, such as with revenge pornography or other non-consensual use of data. However, when improperly implemented, it can significantly hamper access to information. Drawing lessons from how this right is evolving in the EU can prove instructive for India. Although the assessment of whether or not to delist information will always subjective to some extent, there are some steps that can be taken provide clarity on how such determinations are made. Clearly outlining the scope of the right in the relevant legislation, and developing substantive standards that are aimed at protecting access to information, that can be used in assessing whether to remove information are some measures that can help strike a better balance between privacy and competing considerations.

C for Commercial, D for Data

Written By Joshita Pai

A visibly agitated man once entered the American retail giant Target to inquire why his teenage daughter had been receiving coupons of baby products. A few days later, when the manager of the store called up the man to apologize to him, the father replied that his daughter was infact pregnant. Following the incident,  New York Times reported that Target assigns each shopper a unique code, internally known as the Guest ID number which is connected to e-mails sent by the store to its customers, and the store further tracks website visits by its customers. Target, like several shopping portals customarily analyzes data, alongwith demographic information and maps out behaviour information of its customers. Customized services and tailormade offers to customers are  definitely a few benefits of  rigorous data mining mechanisms, and clicks with many as a successful marketing strategy.

Commercial Value in Transfer of Data

Neil Robinson describes personal data as the lifeblood of information economy. Collecting personal data of consumers and trading it for commercial purposes, is a common practice amongst  companies, as was observed by the Data Security Council of India. Uber, Google, Twitter, Facebook and Zomato, independently engage in customized data collection at the time of installation of these applications. These platforms have notoriously been in news for flouting data protection standards. Consumer privacy has been central to the debate on using information as a currency of exchange. Commercial relationships between Google and several companies such as Amazon, Flipkart exist in the name of tailoring better and personal services to customers. It is relevant to note that processing and collection of the data is admittedly easier when services are accessed through applications on mobile phones. Twitter  for instance, demands at the time of installation, information ranging from details of the contacts enlisted on the phone to permission to access photos/media/files saved on the external storage, the device id and call information.

 Jane Bambaueur refers to data as ‘speech‘ since it carries informational value, and on the basis of this notion, she argues that transfer of data should be protected under commercial speech. This notion has found favour with the Courts. The Supreme Court of the United States in 2011, held that the sale of personal data is protected within the ambit of first amendment, and is commercial speech. The Court invalidated a statute that prohibited pharmaceutical stores and companies from selling data obtained through prescriptions of individual doctors. Extending the First Amendment protection to such transfers, the Court reasoned that government agencies collect and store data and this practice cannot be deemed illegal when applied to pharmaceutical companies only on the grounds that the latter have vested commercial interests. The statute in question banned prescription drug companies from obtaining patients’ personal information for marketing purposes without the prescribing physician’s consent. What remained on either side of the battle was the right of the companies to privately sell the data against the State’s claim that data of such nature is not speech. The decision was a victorious one for first Amendment rights but disrupted the notion of medical and consumer privacy.

Commercial Transfer of Data in the India

In India, the judicial development of commercial speech under article 19(1), is yet to touch upon commercial transfer of data. The Delhi High Court dealt with disclosure and publication of confidential information while deciding on the Petronet case in 2009, however,  sale of personal information is yet to be explored in India.

That being said, the IT Act has made scattered but able attempts at securing data by formulation of rules on principles of consent and purpose limitation at the time of collection of data. Rule 4 of the IT (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 provides that:

The body corporate or any person who on behalf of body corporate collects, receives, possess, stores, deals or handle information of provider of information, shall provide a privacy policy for handling of or dealing in personal information including sensitive personal data or information and ensure that the same are available for view by such providers of information who has provided such information under lawful contract.”

Rule 3 enlists information which could be constituted as sensitive personal data and attaches an exception that it ceases to remain sensitive if the information in question is already in public domain or can be furnished under the Right to Information Act, 2005.

All privacy policies provide disclaimers stating that they will or will not extract personally identifiable information such as health records and sexual preferences or gender specific information, and a few provide disclaimers about dispatching cookies for collection of nuanced data. The policy statements are almost always drawn up on accepted privacy standards under the Information Technology Act, 2000 since there is no well laid regulatory framework to monitor the free flowing data.

Scattered provisions on data protection visibly exist in India and can be worked with temporarily. The issues on transfer of data however, do not necessarily end on commercial contours. Sharing of collected information with government agencies and procurement of data upon request by the government have found their way in the IT Act and are prescribed as clauses to be included in a company’s privacy policy. Such related concerns are by no means secondary, and the need of the hour dictates that concrete and formalized regulatory structures be put in place.

  Joshita Pai was a Fellow at the Centre for Communication Governance from 2015-2016