We live in a time when everything we buy, from the people we deal with to the items we
buy, are validated based on their internet ratings. Because of this, if there is even one
negative review or slanderous article, one could lose a customer or, worse still, prevent them
from living the life they want. Many occurrences of fraudulent information and phoney
goods and services have increased as a result of the growing demand for making goods,
services, and information accessible online. For instance, a businessman may be involved in
a bankruptcy case but later be found not guilty. As a result, when he attempts to close new
business transactions with clients, they may not be interested since they have read reports
that he is bankrupt. Given the hardships the person has experienced, it would be unfair and
unjust for him to be unable to freely practise his trade. The Honourable SC stated in the K. S.
Puttaswamy case that “Information on the internet is permanent as a result of the effects of
the digital age. Although people have a tendency to forget, the internet does not and will not
allow this to happen.”
What is Right to be forgotten ?
The Right to be Forgotten (RTBF), also known as the “Right to Erasure“, is a developing
concept in India where a person may seek to remove or delete online posts that are open to
the public and contain any picture, video, or news article mentioning their personal
information that may harm their reputation in any way if the details are judged to be
insufficient, irrelevant, no longer relevant, or excessive.
Development of RTBF in EU
It was in the year 2014 when the European court of justice acknowledged the right to be
forgotten for the first time in the case of, Google Spain SL and Google Inc. v Agencia
Española de Protección de Datos (AEPD) and Mario Costeja González, it was held that
“Processing of personal data carried out by the operator of a search engine is liable to affect
significantly the fundamental rights to privacy and to the protection of personal data when the
search by means of that engine is carried out on the basis of an individual’s name, since that
processing enables any internet user to obtain through the list of results a structured overview
of the information relating to that individual that can be found on the internet — information
which potentially concerns a vast number of aspects of his private life and which, without the
search engine, could not have been interconnected or could have been only with great
difficulty — and thereby to establish a more or less detailed profile of him. That is all the
more the case because the internet and search engines render the information contained in
such a list of results ubiquitous. In the light of its potential seriousness, that interference
cannot be justified by merely the economic interest which the operator of such an engine has
in that processing. A fair balance must be sought in particular between the legitimate interest
of internet users in access to information and the data subject’s fundamental rights under
Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.” 1
The Court determined that users have the right to request that specific results for searches
including their names be removed from search engines like Google under European data
protection law. Search engines must decide what to delist by evaluating if the material is
“inaccurate, inadequate, irrelevant, or excessive,” as well as whether the public would
benefit from the content still appearing in search results.
In the European Union, efforts have been undertaken to strengthen the right to be forgotten.
A European Union directive known as the Data Protection Directive was adopted in 1995 to
control the exclusion of personal data inside the EU. It is an essential component of EU
privacy and human rights legislation. The Data Protection Directive, 1995 was then replaced
in April 2016 by the General Data Protection Regulation (GDPR).
“The data subject shall have the right to obtain from the controller the erasure of personal
data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay,” according to Article 17 of the General Data
Protection Regulation (GDPR), if one of a number of circumstances apply. A month is seen
as a “undue delay”.
The GDPR describes the exact conditions in which the right to be forgotten applies in
Article 17. A person has the right to have their personal information deleted if:
The personal data is no longer required for the purposes for which it was originally
obtained or processed by the organisation.
An individual whose consent was used by an organisation as the legitimate ground for
processing data revokes that consent.
There is no compelling legitimate interest for an organisation to continue processing
personal data where the individual objects to the processing and the organisation
relies on legitimate interests as its reason.
A person objects to a company’s use of their personal information for direct marketing
purposes.
Personal information about a person was unlawfully processed by an organisation.
1 https://curia.europa.eu/juris/document/document.jsf?text=&docid=163494&pageindex=0&doclang=en&mode=
req&dir=&occ=first&part=1&cid=10850128
To comply with a court order or other legal requirement, an organisation must delete
personal data.
A company processed a child’s personal information in order to provide information
society services.
However, an organization’s right to process someone’s data might override their right to be
forgotten. Here are the reasons cited in the GDPR that trump the right to erasure:
The data is being used to exercise the right of freedom of expression and information.
The data is being used to comply with a legal ruling or obligation.
The data is being used to perform a task that is being carried out in the public interest
or when exercising an organization’s official authority.
The data being processed is necessary for public health purposes and serves in the
public interest.
The data being processed is necessary to perform preventative or occupational
medicine. This only applies when the data is being processed by a health professional
that is subject to a legal obligation of professional secrecy.
The data represents important information that serves the public interest, scientific
research, historical research, or statistical purposes and where erasure of the data
would likely to impair or halt progress towards the achievement that was the goal of
the processing.
The data is being used for the establishment of a legal defence or in the exercise of
other legal claims.
Furthermore, an organization can request a “reasonable fee” or deny a request to erase
personal data if the organization can justify that the request was unfounded or excessive. 2
Google may face legal action if it objects to a data protection agency decision. The European
Union has requested that Google implement delinking requests from EU citizens across all
domains 3 .
Development of RTBF in the USA
The United States of America has a sophisticated overall body of laws that upholds the
protection of its citizens. A draught “right to be forgotten” bill, A05323, titled “An act to alter
2 https://gdpr.eu/right-to-be-forgotten/
3 https://www.scconline.com/blog/post/2022/01/27/the-evolution-of-right-to-be-forgotten-in-india/
the civil rights law and the civil practise law and rules, in relation to developing the right to
be forgotten act,” was quickly introduced in the State Assembly of New York.
Right to be forgotten in the United States are very faint, particularly regardless of the solid
resistance in light of the fact that it is conflicting with the first amendment to the United
States Constitution, which ensures freedom of speech and expression. Thus, it is contended,
the right will viably bring about another type of restriction. 4
Evolution of RTBF in India
The “right to be forgotten” is one of the many dimensions of the right to privacy, which was
declared a fundamental right by the Honourable SC in 2017 by its ruling in KS Puttuswamy
v. UOI.
According to Section 43A of the Information Technology Act of 2000, businesses that have
sensitive personal data but fail to keep it secure enough to prevent loss or unjust benefit to
anybody may be required to make restitution to the victim.
In “Jorawer Singh Mundy vs Union of India”, an American citizen approached the Delhi
High Court in 2021 seeking the removal of all publicly available records of a case registered
against him under the Narcotics Drugs and Psychotropic Substances Act, 1985. He argued
that although the trial court acquitted him back in 2011, he was unable to find a job in the
United States on account of a quick Google search showing the judgment in his case. 5
The Kerala High Court in the case of Virginia Shylu v. Union of India opined that search
engines like Google cannot claim to be mere intermediaries with no control over the content
that appears in search results.
In V. v. High Court of Karnataka, the Karnataka High Court recognized the right to be
forgotten. The purpose of this case was to remove the name of the petitioner’s daughter
from the cause title since it was easily accessible and defame her reputation. The court held
in favour of the petitioner and ordered that the name of the petitioner’s daughter to be
removed from the cause title and the orders. The court held that “this would be consistent
with the trend in western countries, where the ‘right to be forgotten’ is applied as a rule in
sensitive cases concerning women in general, as well as particularly sensitive cases
involving rape or harming the modesty and reputation of the individual concerned”. 6
4 https://www.scconline.com/blog/post/2022/01/27/the-evolution-of-right-to-be-forgotten-in-india/
5 Khadija Khan, Plea In Delhi High Court: What Is The ‘Right To Be Forgotten’?, February 25, 2023
6 https://www.scconline.com/blog/post/2022/01/27/the-evolution-of-right-to-be-forgotten-in-india/
The Justice BN Srikrishna Committee’s 2018 draught Personal Data Protection Bill
proposed this right, which would empower a person restrict, delink, erase, or amend the
disclosure of inaccurate, embarrassing, or irrelevant personal information online. However,
the Ministry of Electronics and Information Technology of India (‘MeitY’) has reintroduced
the Bill and has asked the pertinent stakeholders to submit their opinions and ideas
regarding the Bill.
In addition, clause (d) of sub-section 2 of section 13 says that a data fiduciary shall erase the
personal data of a data principal upon receiving a request for such correction and erasure
from a data principal if the data is no longer required for the purpose for which it was
processed, unless retention is required for a legal purpose. Section 13 of the Digital Personal
Data Protection Bill, 2022, provides for the Right to Correction and Erasure of Personal Data.
Conclusion
It was stated by the Hon’ble SC in the case of K S Puttaswamy v. UOI that, “privacy, in its
simplest sense, allows each human being to be left alone in a core which is inviolable. Yet the
autonomy of the individual is conditioned by her relationships with the rest of society. Those
relationships may and do often pose questions to autonomy and free choice. The overarching
presence of state and non-state entities regulates aspects of social existence which bear upon
the freedom of the individual. Right to privacy is an integral part of right to life. This is a
cherished constitutional value, and it is important that human beings be allowed domains of
freedom that are free of public scrutiny unless they act in an unlawful manner.” 7
The importance of the right to be forgotten cannot be overstated, especially where the
information is unduly interfering with a person’s ability to live a dignified life. But, if the
information is in the public interest, then the interests of society must take precedence over
those of an individual.