The Right to be Forgotten – Examining Approaches in Europe and India

This is a guest post authored by Aishwarya Giridhar.

How far does the right to control personal information about oneself extend online? Would it extend, for example, to having a person’s name erased from a court order on online searches, or to those who have been subjected to revenge pornography or sexual violence such that pictures or videos have non-consensually been shared online? These are some questions that have come up in Indian courts and are some of the issues that jurisprudence relating to the ‘right to be forgotten’ seeks to address. This right is derived from the concepts of personal autonomy and informational self-determination, which are core aspects of the right to privacy. They were integral to the Indian Supreme Court’s conception of privacy in Puttaswamy vs. Union of India which held that privacy was a fundamental right guaranteed by the Indian Constitution. However, privacy is not an absolute right and needs to be balanced with other rights such as freedom of expression and access to information, and the right to be forgotten tests the extent to which the right to privacy extends.

On a general level, the right to be forgotten enables individuals to have personal information about themselves removed from publicly available sources under certain circumstances. This post examines the right to be forgotten under the General Data Protection Regulation (GDPR) in Europe, and the draft Personal Data Protection Bill, 2019 (PDP Bill) in India.

What is the right to be forgotten?

The right to be forgotten was brought into prominence in 2014 when the European Court of Justice (ECJ) held that users can require search engines to remove personal data from search results, where the linked websites contain information that is “inadequate, irrelevant or no longer relevant, or excessive.” The Court recognised that search engines had the ability to significantly affect a person’s right to privacy since it allowed any Internet user to obtain a wide range of information on a person’s life, which would have been much harder or even impossible to find without the search engine. 

The GDPR provides statutory recognition to the right to be forgotten in the form of a ‘right to erasure’ (Article 17). It provides data subjects the right to request controllers to erase personal data in some circumstances, such as when the data is no longer needed for their original processing purpose, or when the data subject has withdrawn her consent or objected to data processing. In this context, the data subject is the person to whom the relevant personal data relates, and the controller is the entity which determines how and why the data would be processed. Under this provision, the controller would be required to assess whether to keep or remove information when it receives a request from data subjects.

In comparison, clause 20 of India’s Personal Data Protection Bill (PDP Bill), which proposes a right to be forgotten, allows data principals (similar to data subjects) to require data fiduciaries (similar to data controllers) to restrict or prevent the disclosure of personal information. This is possible where such disclosure is no longer necessary, was made on the basis of consent which has since been withdrawn, or was made contrary to law. Unlike the GDPR, the PDP Bill requires data subjects to approach Adjudicating Officers appointed under the legislation to request restricted disclosure of personal information. The rights provided under both the GDPR and PDP Bill are not absolute and are limited by the freedom of speech and information and other specified exceptions. In the PDP Bill, for example, some of the factors the Adjudicating Officer is required to account for are the sensitivity of the data, the scale of disclosure and how much it is sought to be restricted, the role of the data principal in public life, and the relevance of the data to the public. 

Although the PDP Bill, if passed, would be the first legislation to recognise this right in India, courts have provided remedies that allow for removing personal information in some circumstances. Petitioners have approached courts for removing information in cases ranging from matrimonial disputes to defamation and information affecting employment opportunities, and courts have sometimes granted the requested reliefs. Courts have also acknowledged the right to be forgotten in some cases, although there have been conflicting orders on whether a person can have personal information redacted from judicial decisions available on online repositories and other sources. In November last year, the Orissa High Court also highlighted the importance of the right to be forgotten for persons who’s photos and videos have been uploaded online, without  their consent, especially in the case of sexual violence. These cases also highlight why it is essential that this right is provided by statute, so that the extent of protections offered under this right, as well as the relevant safeguards can be clearly defined.

Intersections with access to information and free speech

The most significant criticisms of the right to be forgotten stem from its potential to restrict speech and access to information. Critics are concerned that this right will lead to widespread censorship and a whitewashing of personal histories when it comes to past crimes and information on public figures, and a less free and open Internet. There are also concerns that global takedowns of information, if required by national laws, can severely restrict speech and serve as a tool of censorship. Operationalising this right can also lead to other issues in practice.

For instance, the right framed under the GDPR requires private entities to balance the right to privacy with the larger public interest and the right to information. Two cases decided by the ECJ in 2019 provided some clarity on the obligations of search engines in this context. In the first, the Court clarified that controllers are not under an obligation to apply the right globally and that removing search results for domains in the EU would suffice. However, it left the option open for countries to enact laws that would require global delisting. In the second case, among other issues, the Court identified some factors that controllers would need to account for in considering requests for delisting. These included the nature of information, the public’s interest in having that information, and the role the data subject plays in public life, among others. Guidelines framed by the Article 29 Working Party, set up under the GDPR’s precursor also provide limited, non-binding guidance for controllers in assessing which requests for delisting are valid.

Nevertheless, the balance between the right to be forgotten and competing considerations can still be difficult to assess on a case-by-case basis. This issue is compounded by concerns that data controllers would be incentivised to over-remove content to shield themselves from liability, especially where they have limited resources. While larger entities like Google may have the resources to be able to invest in assessing claims under the right to be forgotten, this will not be possible for smaller platforms. There are also concerns that requiring private parties to make such assessments amounts to the ‘privatisation of regulation’, and the limited potential for transparency on erasures remove an important check against over-removal of information. 

As a result of some of this criticism, the right to be forgotten is framed differently under the PDP Bill in India. Unlike the GDPR, the PDP Bill requires Adjudicating Officers and not data fiduciaries to assess whether the rights and interests of the data principal in restricting disclosure overrides the others’ right to information and free speech. Adjudicating Officers are required to have special knowledge of or professional experience in areas relating to law and policy, and the terms of their appointment would have to ensure their independence. While they seem better suited to make this assessment than data fiduciaries, much of how this right is implemented will depend on whether the Adjudicating Officers are able to function truly independently and are adequately qualified. Additionally, this system is likely to lead to long delays in assessment, especially if the quantum of requests is similar to that in the EU. It will also not address the issues with transparency highlighted above. Moreover, the PDP Bill is not finalised and may change significantly, since the Joint Parliamentary Committee that is reviewing it is reportedly considering substantial changes to its scope.

What is clear is that there are no easy answers when it comes to providing the right to be forgotten. It can provide a remedy in some situations where people do not currently have recourse, such as with revenge pornography or other non-consensual use of data. However, when improperly implemented, it can significantly hamper access to information. Drawing lessons from how this right is evolving in the EU can prove instructive for India. Although the assessment of whether or not to delist information will always subjective to some extent, there are some steps that can be taken provide clarity on how such determinations are made. Clearly outlining the scope of the right in the relevant legislation, and developing substantive standards that are aimed at protecting access to information, that can be used in assessing whether to remove information are some measures that can help strike a better balance between privacy and competing considerations.

Right to Privacy: The Puttaswamy Effect

By Sangh Rakshita and Nidhi Singh

The Puttaswamy judgement of 2017 reaffirmed the ‘Right to Privacy’ as a fundamental right in Indian Jurisprudence. Since then, it has been used as an important precedent in many cases, to emphasize upon the right to privacy as a fundamental right and to clarify the scope of the same. In this blog, we discuss some of the cases of the Supreme Court and various High Courts, post August 2017, which have used the Puttaswamy judgement and the tests laid in it to further the jurisprudence on right to privacy in India. With the Personal Data Protection Bill tabled in 2019, the debate on privacy has been re-ignited, and as such, it is important to explore the contours of the right to privacy as a fundamental right, post the Puttaswamy judgement.   

Navtej Singh Johar and ors Vs. Union of India (UOI) and Ors., 2018 (Supreme Court)

In this case, the Supreme Court of India unanimously held that Section 377 of the Indian Penal Code 1860 (IPC), which criminalized ‘carnal intercourse against the order of nature’, was unconstitutional in so far as it criminalized consensual sexual conduct between adults of the same sex. The petition, challenged Section 377 on the ground that it was vague and it violated the constitutional rights to privacy, freedom of expression, equality, human dignity and protection from discrimination guaranteed under Articles 14, 15, 19 and 21 of the Constitution. The Court relied upon the judgement in the case of K.S. Puttaswamy v. Union of India, which held that denying the LGBT community its right to privacy on the ground that they form a minority of the population would be violative of their fundamental rights, and that sexual orientation forms an inherent part of self-identity and denying the same would be violative of the right to life.

Justice K.S. Puttaswamy and Ors. vs. Union of India (UOI) and Ors., 2018 (Supreme Court)

 The Supreme Court upheld the validity of the Aadhar Scheme on the ground that it did not violate the right to privacy of the citizens as minimal biometric data was collected in the enrolment process and the authentication process is not exposed to the internet. The majority upheld the constitutionality of the Aadhaar Act, 2016 barring a few provisions on disclosure of personal information, cognizance of offences and use of the Aadhaar ecosystem by private corporations. They relied on the fulfilment of the proportionality test as laid down in the Puttaswamy (2017) judgment.

Joseph Shine vs. Union of India (UOI), 2018 (Supreme Court)

The Supreme Court decriminalised adultery in this case where the constitutional validity of Section 497 (adultery) of IPC and Section 198(2) of Code of Criminal Procedure, 1973 (CrPC) was challenged. The Court held that in criminalizing adultery, the legislature has imposed its imprimatur on the control by a man over the sexuality of his spouse – in doing that, the statutory provision fails to meet the touchstone of Article 21. Section 497 was struck down on the ground that it deprives a woman of her autonomy, dignity and privacy and that it compounds the encroachment on her right to life and personal liberty by adopting a notion of marriage which subverts true equality. Concurring judgments in this case referred to Puttaswamy to explain the concepts of autonomy and dignity, and their intricate relationship with the protection of life and liberty as guaranteed in the Constitution. They relied on the Puttaswamy judgment to emphasize the dangers of the “use of privacy as a veneer for patriarchal domination and abuse of women.” They also cited Puttaswamy to elucidate that privacy is the entitlement of every individual, with no distinction to be made on the basis of the individual’s position in society.

Indian Young Lawyers Association and Ors. vs. The State of Kerala and Ors., 2018 (Supreme Court)

In this case, the Supreme Court upheld the right of women aged between 10 to 50 years to enter the Sabrimala Temple. The court held Rule 3(b) of the Kerala Hindu Places of Public Worship (Authorisation of Entry) Rules, 1965, which restricts the entry of women into the Sabarimala temple, to be ultra vires (i.e. not permitted under the Kerala Hindu Places of Public Worship (Authorisation of Entry) Act, 1965). While discussing the guarantee against social exclusion based on notions of “purity and pollution” as an acknowledgment of the inalienable dignity of every individual J. Chandrachud (in his concurring judgment) referred to Puttaswamy specifically to explain dignity as a facet of Article 21. In the course of submissions, the Amicus to the case had submitted that the exclusionary practice in its implementation results in involuntary disclosure by women of both their menstrual status and age which amounts to forced disclosure that consequently violates the right to dignity and privacy embedded in Article 21 of the Constitution of India.

(The judgement is under review before a 9 judge constitutional bench.)

Vinit Kumar Vs. Central Bureau of Investigation and Ors., 2019 (Bombay High Court)

This case dealt with phone tapping and surveillance under section 5(2) of the Indian Telegraph Act, 1885 (Telegraph Act) and the balance between public safety interests and the right to privacy. Section 5(2) of the Telegraph Act permits the interception of telephone communications in the case of a public emergency, or where there is a public safety requirement. Such interception needs to comply with the procedural safeguards set out by the Supreme Court in PUCL v. Union of India (1997), which were then codified as rules under the Telegraph Act. The Bombay High Court applied the tests of legitimacy and proportionality laid down in Puttaswamy, to the interception orders issued under the Telegraph Act, and held that in this case the order for interception could not be substantiated in the interest of public safety and did not satisfy the test of “principles of proportionality and legitimacy” as laid down in Puttaswamy. The Bombay High Court quashed the interception orders in question, and directed that the copies / recordings of the intercepted communications be destroyed.

Central Public Information Officer, Supreme Court of India vs. Subhash Chandra Agarwal, 2019 (Supreme Court)

In this case, the Supreme Court held that held that the Office of the Chief Justice of India is a ‘public authority’ under the Right to Information Act, 2005 (RTI Act) – enabling the disclosure of information such as the Judges personal assets. In this case, the Court discussed the privacy impact of such disclosure extensively, including in the context of Puttaswamy. The Court found that the right to information and right to privacy are at an equal footing, and that there was no requirement to take a view that one right trumps the other. The Court stated that the proportionality test laid down in Puttaswamy should be used by the Information Officer to balance the two rights, and also found that the RTI Act itself has sufficient procedural safeguards built in, to meet this test in the case of disclosure of personal information.

X vs. State of Uttarakhand and Ors., 2019 (Uttarakhand High Court)

In this case the petitioner claimed that she had identified herself as female, and undergone gender reassignment surgery and therefore should be treated as a female. She was not recognized as female by the State. While the Court primarily relied upon the judgment of the Supreme Court in NALSA v. Union of India, it also referred to the judgment in Puttaswamy. Specifically, the judgment refers to the finding in Puttaswamy that the right to privacy is not necessarily limited to any one provision in the chapter on fundamental rights, but rather intersecting rights. The intersection of Article 15 with Article 21 locates a constitutional right to privacy as an expression of individual autonomy, dignity and identity. The Court also referred to the Supreme Court’s judgment in Navtej Singh Johar v. Union of India, and on the basis of all three judgments, upheld the right of the petitioner to be recognized as a female.

(This judgment may need to be re-examined in light of the The Transgender Persons (Protection of Rights) Bill, 2019.)

Indian Hotel and Restaurant Association (AHAR) and Ors. vs. The State of Maharashtra and Ors., 2019 (Supreme Court)

This case dealt with the validity of the Maharashtra Prohibition of Obscene Dance in Hotels, Restaurant and Bar Rooms and Protection of Dignity of Women (Working therein) Act, 2016. The Supreme Court held that the applications for grant of licence should be considered more objectively and with open mind so that there is no complete ban on staging dance performances at designated places prescribed in the Act. Several of the conditions under the Act were challenged, including one that required the installation of CCTV cameras in the rooms where dances were to be performed. Here, the Court relied on Puttaswamy (and the discussion on unpopular privacy laws) to set aside the condition requiring such installation of CCTV cameras.

(The Puttaswamy case has been mentioned in at least 102 High Court and Supreme Court judgments since 2017.)