Governance
Right To Be Forgotten
- 24 Oct 2019
- 8 min read
This article is based on “The ‘right to be forgotten’ on the Internet” that was published in The Indian Express on 1/10/2019. It talks about the right to be forgotten in the Indian context.
Recently, the European Court of Justice (ECJ) ruled in favour of the search engine giant Google, which was contesting a French regulatory authority’s order to have web addresses removed from its global database.
The European Union’s highest court ruled that an online privacy rule known as the ‘right to be forgotten’ under European law would not apply beyond the borders of EU member states.
The judgement is an important victory for Google, as now the online privacy law cannot be used to regulate the internet in countries such as India, which are outside the European Union.
What is the ‘right to be forgotten’?
- The right to be forgotten empowers individuals to ask organisations to delete their personal data.
- It is provided by the EU’s General Data Protection Regulation (GDPR), a law passed by the 28-member bloc in 2018.
Note:
- According to GDPR, the data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.
- Under Article 2 of the GDPR, “personal data” means “any information relating to an identified or identifiable natural person (“data subject”)”.
- “Controller” means “the natural or legal person, public authority, agency or any other body which determines the purposes and means of the processing of personal data”.
- According to the GDPR website, “undue delay” is considered to be about a month.
- After a search engine company like Google gets requests under the GDPR to get information deleted, it first reviews and then removes links on country-specific sites within the European Union.
- ECJ observed that the EU cannot enforce the ‘right to be forgotten’ on countries which do not recognize such a right.
What is 'right to be forgotten' under the Indian scheme?
- Justice BN Srikrishna Committee’s draft Personal Data Protection Bill 2018, has introduced a new right called the right to be forgotten, which refers to the ability of an individual to limit, delink, delete, or correct the disclosure of the personal information on the internet that is misleading, embarrassing, or irrelevant.
- According to Section 27 of the Bill, a data principal has a right to prevent the data fiduciary from using such data or information if data disclosure is no longer necessary, the consent to use data has been withdrawn or if data is being used contrary to the provisions of the law.
- Further, section 27(2) says the adjudicating officer (Data Protection Authority) can decide on the question of disclosure, and the circumstances in which he thinks such disclosure can override the freedom of speech and the citizen’s right to information.
- Right to be forgotten is in sync with the right to privacy, which was hailed by the Supreme court as an integral part of Article 21 (right to life) of the constitution in Puttaswamy judgement 2017.
DATA PRINCIPAL
- It is the person, company, or entity whose information is being collected.
- “Data” means information that is represented in a form that is more appropriate for processing.
- “Processing” refers to the operations done to the data, often forms of organisation, searching, combining, and more to glean further information.
DATA FIDUCIARY
- This can be a person, state, company, or any entity that decides why data should be processed and how it should be processed.
What are the issues with India's scheme of 'right to be forgotten'?
- Right to be forgotten gets in conflict with the right to information.
- This can be depicted in the cases where a rape victim has a right that her past is forgotten and at the same time a criminal cannot claim that he has the right to insist that his conviction should not be referred to by the media.
- Whether the data online has to be retained (right to information) or erased (right to be forgotten) from the web, the decision has to be taken by the Data Protection Authority.
- This may turn the right to be forgotten into danger to press freedom as a journalist has to wait for the decision of the adjudicating officer.
- Thus, the freedom to criticise the public personalities for their public policies based on their past statements and activities will be in jeopardy.
- Also, a citizen seeking access to such information will be confused, whether to approach the Central Information Commission or Data Protection Authority.
- The state retains unbridled powers to collect and process data, without the need for consent, for the national interest.
- However, the national interest is nowhere defined, which allows the application of the right to be forgotten under the discretion of the government.
Way Forward
- In order to implement the right to be forgotten, privacy needs to be added as a ground for reasonable restriction under Article 19 (2) by a major amendment to the Constitution.
- There must be a balance between the right to privacy and protection of personal data (as covered under Article 21 of the Indian constitution), on the one hand, and the freedom of information of internet users (under Article 19), on the other.
- A comprehensive data protection law must address these issues and minimize the conflict between the two fundamental rights that form the crucial part of the golden trinity (Art. 14,19 and 21) of the Indian constitution.
Drishti Mains Question
Discuss how the right to be forgotten as proposed by Justice BN Srikrishna Committee, can override the freedom of speech and the citizen’s right to information.