by Ira Srivastava
(Ira is a 4th year law student at NLU Delhi)
The Right to be Forgotten (“RTBF”) is a right of a data principal (“DP”) to have their personal data removed or erased in certain circumstances. These typically correspond to situations where consent for data collection is withdrawn or the data collected has been processed or is requested by the DP to be pulled down for various reasons. Because of the ultimate effect of erasure as a remedy for exercising the Right to be Forgotten, this right is also known as the “right to erasure”. The Right is codified under Articles 17 & 19 of the European Union’s (“EU”) General Data Protection Regulation (“GDPR”). India’s Digital Personal Data Protection Act, 2023 lays down the “Right to correction and erasure of personal data” under its Section 12, thus codifying the Right to be Forgotten in India.
This two-part article seeks to trace the evolution of the Right to be Forgotten in India. This is part one, which focuses on the legislative developments that have led to the Right in its current form. It goes on to make suggestions on how gaps with respect to the Right can be filled and what steps can facilitate smooth implementation.
390 BCE.
One windy afternoon, in the Acropolis of Athens, two men are in conversation:
Kostas: Forget me Socrates, for I have sinned.
Socrates: What is your sin, my child?
Kostas: I have led a corrupt life in my past life and wish to be forgotten.
Socrates: Let us now join our hands and pray to the Pantheon of Gods.
Prayers begin.
There is an explosion. Lethe, a river of the Underworld, appears as a spring on the ground near the two men. He erases Kostas’ past life not only from his memory but also from the memories of all those who knew him.
Fast forward to 2016, when the General Data Protection Regulation (“GDPR”) was passed. It formally introduced the right to erasure, more popularly known as the “Right to be Forgotten” under its Article 17. The formalisation of the Right to be Forgotten only took place through its codification under the GDPR, although other events complemented its growth.
After the Puttaswamy Judgment, the Justice BN Srikrishna Committee on “A Free and Fair Digital Economy” was constituted in July 2017, which submitted its Report in 2018. The Report had recommended that the right to be forgotten may be adopted based on five-point criteria, including:
- Sensitivity of data
- Scale of disclosure or degree of accessibility
- Role of DP in public life
- Relevance of data to public
- Nature of disclosure and activities of data fiduciary
There existed a gap in the understanding of the RTBF. This stemmed from the conflicting views that, on the one hand, the RTBF forms an essential part of privacy, but on the other, there exists no statutory backing. This called for some form of standardization – which was provided by the Personal Data Protection Bill, 2019 (“PDP Bill”). Clause 20 of the PDP Bill envisaged a “Right to be Forgotten”. It empowered the DP to restrict or prevent continuing disclosure of personal data in certain circumstances. These included when the purpose for collection was served, when consent was withdrawn or was not in accordance with the Act. The biggest hurdle that arose was with respect to enforcement. Clause 20(2) provided for enforcement only by an order of the Adjudicating Officer after following a grievance redressal mechanism, with no specified timeline. Some guidelines were also listed for the Adjudicating Officer to bear in mind while giving such an order.
Some of the key concerns flagged by stakeholders included that the nature and scope of the Right must be specified, that enforcement measures must be provided, and that a timeline should be prescribed for the Privacy Officer to decide on an application.
The PDP Bill was then referred to a Joint Parliamentary Committee. The Committee, in its deliberations, took note of Article 17, GDPR. It noted that governing only disclosure narrows the scope of Clause 20, which must also cover data processing, and accordingly recommended changes in Clause 20 to include “processing” within its scope. This drew much critique from stakeholders, who claimed their key concerns had not been addressed.
The Draft Digital Personal Data Protection Bill, 2022 contained a much watered-down version of this Right in Clause 13. It provided that the DP will have the right to correction and erasure of personal data and enumerated the rights available to the DP including correction of inaccuracies, completion, updating, and erasure of personal data no longer serving the purpose of processing.
The Digital Personal Data Protection Bill, 2023 – which was passed by both Houses of the Parliament – contains the “Right to correction and erasure of personal data” under its Section 12. It, too, lists the rights available to a DP. Additionally, it puts an obligation upon a data fiduciary (“DF”) to comply with requests for correction, completion or updating upon receipt of request from the DP unless necessary for legal compliance. The assumption here seems to be that the DF will comply. However, it must be noted that there is a vast difference in bargaining power, making the fiduciaries extremely powerful and effectively leaving compliance up to their discretion.
It is acknowledged that what works for Europe will not necessarily work in India due to social, cultural, economic and other differences. However, borrowing from best practices will help in making India a competitive global market. Some of the major reasons for the effective implementation of the GDPR throughout the European Union include strict measures of enforcement, hefty fines and an efficient dispute resolution mechanism. One such example is the €50 million fine imposed on Google by the French data protection authority CNIL, for forcing consent by only giving one option: consent in full to non-specific, poorly explained uses of your data or don’t proceed at all.
At present, the Digital Personal Data Protection Bill, 2023 has been passed by both Houses of the Parliament and has received the President’s assent, becoming the Digital Personal Data Protection Act, 2023 (“DPDP Act”). It awaits notification for coming into effect. This intervening time period must be leveraged in order to bridge gaps and address concerns raised by stakeholders. One way that it can be done is by ensuring that the Rules governing the modalities of the Act are comprehensive. That will also ensure smooth implementation, which is key to achieving the larger objectives that this Act seeks to achieve in order to make India a competitive global market.
Particularly in the context of the RTBF, the two Rules that can be of use are:
- Specificity
The current version of the RTBF is too vague. The 5-point criteria in the Srikrishna Committee Report must be adopted as a framework for assessing the need for a particular data set to be erased or modified. At the very least, the circumstances listed under the 2019 Bill for when the RTBF could be exercised must be used as guidelines. Some of these circumstances included when the purpose for collection was served or when consent to collect the data was withdrawn or was not in accordance with the Act.
- Ensuring DFs’ proactive actions
The DPDP Act puts much of the compliance burden on DFs. This is a potential pitfall, as discussed above. One action to avoid the ill-effects is to prescribe:
  - A timeline within which the RTBF request must necessarily be processed.
    This will provide more certainty to the DPs as well. Responding within the timeline should be made compulsory for DFs.
  - Hefty fines and penalties for wrongful non-compliance with the request.
    A step that can realistically be borrowed from the GDPR is having hefty fines and penalties in place. That will also help bridge the gap of bargaining power between large corporations and individuals.
It has been a long journey from having a Judgment upholding the Right to Privacy to legislation putting the same into force. The passing of the Bill in both Houses shows legislative intent and, with the President’s assent, a start in the right direction. However, its effectiveness will be seen by way of implementation mechanisms yet to be put into place.
For a country with a population of 1.42 billion, of which at least 1.2 billion are mobile phone users, there comes a great responsibility to ensure the data privacy of citizens, particularly of personal data. The passing of the DPDP Bill is a welcome first step but there is a long way to go. How the Right to be Forgotten clause and other clauses will be implemented is yet to be seen. Putting an individual’s right to data privacy at the core of policy decisions will be fundamental to effectively securing the Right to be Forgotten.