We live in a time when everything we buy, from the people we deal with to the items we buy, are validated based on their internet ratings. Because of this, if there is even one negative review or slanderous article, one could lose a customer or, worse still, prevent them from living the life they want. Many occurrences of fraudulent information and phoney goods and services have increased as a result of the growing demand for making goods, services, and information accessible online. For instance, a businessman may be involved in a bankruptcy case but later be found not guilty. As a result, when he attempts to close new business transactions with clients, they may not be interested since they have read reports that he is bankrupt. Given the hardships the person has experienced, it would be unfair and unjust for him to be unable to freely practise his trade. The Honourable SC stated in the K. S. Puttaswamy case that “Information on the internet is permanent as a result of the effects of the digital age. Although people have a tendency to forget, the internet does not and will not allow this to happen.”
What is Right to be forgotten?
The right to be forgotten (RTBF), also known as the “right to erasure,” is a developing concept in India where a person may seek to remove or delete online posts that are open to the public and contain any picture, video, or news article mentioning their personal information that may harm their reputation in any way if the details are judged to be insufficient, irrelevant, no longer relevant, or excessive.
Development of RTBF in EU
It was in the year 2014 when the European court of justice acknowledged the right to be forgotten for the first time in the case of, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, it was held that “Processing of personal data carried out by the operator of a search engine is liable to affect significantly the fundamental rights to privacy and to the protection of personal data when the search by means of that engine is carried out on the basis of an individual’s name, since that processing enables any internet user to obtain through the list of results a structured overview of the information relating to that individual that can be found on the internet — information which potentially concerns a vast number of aspects of his private life and which, without the search engine, could not have been interconnected or could have been only with great difficulty — and thereby to establish a more or less detailed profile of him. That is all the more the case because the internet and search engines render the information contained in such a list of results ubiquitous. In the light of its potential seriousness, that interference cannot be justified by merely the economic interest which the operator of such an engine has in that processing. A fair balance must be sought in particular between the legitimate interest of internet users in access to information and the data subject’s fundamental rights under Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.”[1]
The Court determined that users have the right to request that specific results for searches including their names be removed from search engines like Google under European data protection law. Search engines must decide what to delist by evaluating if the material is “inaccurate, inadequate, irrelevant, or excessive,” as well as whether the public would benefit from the content still appearing in search results.
In the European Union, efforts have been undertaken to strengthen the right to be forgotten. A European Union directive known as the Data Protection Directive was adopted in 1995 to control the exclusion of personal data inside the EU. It is an essential component of EU privacy and human rights legislation. The Data Protection Directive, 1995 was then replaced in April 2016 by the General Data Protection Regulation (GDPR).
“The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay,” according to Article 17 of the General Data Protection Regulation (GDPR), if one of a number of circumstances apply. A month is seen as a “undue delay”.
The GDPR describes the exact conditions in which the right to be forgotten applies in Article 17. A person has the right to have their personal information deleted if:
- The personal data is no longer required for the purposes for which it was originally obtained or processed by the organisation.
- An individual whose consent was used by an organisation as the legitimate ground for processing data revokes that consent.
- There is no compelling legitimate interest for an organisation to continue processing personal data where the individual objects to the processing and the organisation relies on legitimate interests as its reason.
- A person objects to a company’s use of their personal information for direct marketing purposes.
- Personal information about a person was unlawfully processed by an organisation.
- To comply with a court order or other legal requirement, an organisation must delete personal data.
- A company processed a child’s personal information in order to provide information society services.
However, an organization’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:
- The data is being used to exercise the right of freedom of expression and information.
- The data is being used to comply with a legal ruling or obligation.
- The data is being used to perform a task that is being carried out in the public interest or when exercising an organization’s official authority.
- The data being processed is necessary for public health purposes and serves in the public interest.
- The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional that is subject to a legal obligation of professional secrecy.
- The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would likely to impair or halt progress towards the achievement that was the goal of the processing.
- The data is being used for the establishment of a legal defence or in the exercise of other legal claims.
Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if the organization can justify that the request was unfounded or excessive.[2]
Google may face legal action if it objects to a data protection agency decision. The European Union has requested that Google implement delinking requests from EU citizens across all domains[3].
Development of RTBF in the USA
The United States of America has a sophisticated overall body of laws that upholds the protection of its citizens. A draught “right to be forgotten” bill, A05323, titled “An act to alter the civil rights law and the civil practise law and rules, in relation to developing the right to be forgotten act,” was quickly introduced in the State Assembly of New York.
Right to be forgotten in the United States are very faint, particularly regardless of the solid resistance in light of the fact that it is conflicting with the first amendment to the United States Constitution, which ensures freedom of speech and expression. Thus, it is contended, the right will viably bring about another type of restriction.[4]
Evolution of RTBF in India
The “right to be forgotten” is one of the many dimensions of the right to privacy, which was declared a fundamental right by the Honourable SC in 2017 by its ruling in KS Puttuswamy v. UOI.
According to Section 43A of the Information Technology Act of 2000, businesses that have sensitive personal data but fail to keep it secure enough to prevent loss or unjust benefit to anybody may be required to make restitution to the victim.
In “Jorawer Singh Mundy vs Union of India”, an American citizen approached the Delhi High Court in 2021 seeking the removal of all publicly available records of a case registered against him under the Narcotics Drugs and Psychotropic Substances Act, 1985. He argued that although the trial court acquitted him back in 2011, he was unable to find a job in the United States on account of a quick Google search showing the judgment in his case.[5]
The Kerala High Court in the case of Virginia Shylu v. Union of India opined that search engines like Google cannot claim to be mere intermediaries with no control over the content that appears in search results.
In V. v. High Court of Karnataka, the Karnataka High Court recognized the right to be forgotten. The purpose of this case was to remove the name of the petitioner’s daughter from the cause title since it was easily accessible and defame her reputation. The court held in favour of the petitioner and ordered that the name of the petitioner’s daughter to be removed from the cause title and the orders. The court held that “this would be consistent with the trend in western countries, where the ‘right to be forgotten’ is applied as a rule in sensitive cases concerning women in general, as well as particularly sensitive cases involving rape or harming the modesty and reputation of the individual concerned”.[6]
The Justice BN Srikrishna Committee’s 2018 draught Personal Data Protection Bill proposed this right, which would empower a person restrict, delink, erase, or amend the disclosure of inaccurate, embarrassing, or irrelevant personal information online. However, the Ministry of Electronics and Information Technology of India (‘MeitY’) has reintroduced the Bill and has asked the pertinent stakeholders to submit their opinions and ideas regarding the Bill.
In addition, clause (d) of sub-section 2 of section 13 says that a data fiduciary shall erase the personal data of a data principal upon receiving a request for such correction and erasure from a data principal if the data is no longer required for the purpose for which it was processed, unless retention is required for a legal purpose. Section 13 of the Digital Personal Data Protection Bill, 2022, provides for the Right to Correction and Erasure of Personal Data.
Conclusion
It was stated by the Hon’ble SC in the case of K S Puttaswamy v. UOI that, “privacy, in its simplest sense, allows each human being to be left alone in a core which is inviolable. Yet the autonomy of the individual is conditioned by her relationships with the rest of society. Those relationships may and do often pose questions to autonomy and free choice. The overarching presence of state and non-state entities regulates aspects of social existence which bear upon the freedom of the individual. Right to privacy is an integral part of right to life. This is a cherished constitutional value, and it is important that human beings be allowed domains of freedom that are free of public scrutiny unless they act in an unlawful manner.”[7]
The importance of the right to be forgotten cannot be overstated, especially where the information is unduly interfering with a person’s ability to live a dignified life. But, if the information is in the public interest, then the interests of society must take precedence over those of an individual.
[1]https://curia.europa.eu/juris/document/document.jsf?text=&docid=163494&pageindex=0&doclang=en&mode=req&dir=&occ=first&part=1&cid=10850128
[2] https://gdpr.eu/right-to-be-forgotten/
[3] https://www.scconline.com/blog/post/2022/01/27/the-evolution-of-right-to-be-forgotten-in-india/
[4] https://www.scconline.com/blog/post/2022/01/27/the-evolution-of-right-to-be-forgotten-in-india/
[5] Khadija Khan, Plea In Delhi High Court: What Is The ‘Right To Be Forgotten’?, February 25, 2023
[6] https://www.scconline.com/blog/post/2022/01/27/the-evolution-of-right-to-be-forgotten-in-india/
[7] K S Puttaswamy (Retd.)V Union Of India And Ors., 2017