Open Access Research Article
BALANCING SILENCE AND EXPRESSION: Analysing The Right To Be Forgotten In India
Published Paper
Article Details
BALANCING
SILENCE AND EXPRESSION
Analysing The Right To Be Forgotten In India
AUTHORED BY - ASTHA BHUMISH SHAH
INTRODUCTION
As we enter into the digital era, we
have become more aware of how and where our personal information is being used.
It is in the light of this that there have been multiple proposals by many
lawyers, scholars, and High Court judgments to include the Right to be Forgotten
as a Fundamental Right under the ambit of the Fundamental Right to Privacy.
Recently the Government passed the Digital Personal Data Protection Act, 2023,
through which for the first time, the Right to be Forgotten has been
statutorily recognised. However, multiple challenges emerge with enforcing this
right. Along with the task to evaluate between the greater importance of public
welfare through the Right to Information and safeguarding the rights of an
individual by allowing them to remove certain essential information of
themselves from the public domain, this right emerges as a contradiction to the
constitutionally guaranteed Right to Free Speech and Expression. Presently,
there exists a divided and contradictory opinion across various High Courts in the
Country with respect to this right.
This paper therefore delves into this
debate of the Right to be Forgotten versus the Right to Free Speech and
Expression through an analysis of case laws along with a comparative study of
Data Privacy Laws of The European Union and The United States of America with
Indian Laws. Further, it will highlight the shortcomings in the present Indian
Law and will conclude with providing suggestions to make the same more
comprehensive and accessible.
WHAT IS THE RIGHT TO BE FORGOTTEN?
Simply put, the Right to be Forgotten
is “the right to have publicly available personal information removed from []
internet search, databases, websites or any other public platforms, once the
personal information in question is no longer necessary, or relevant[1]”.
This right emerged from the French Right of Obliviousness. The first case to
discuss this was Google Spain v. Mario Costeja González[2]
where a Spaniard, Mario Costeja González had put out an internet advertisement
to auction some of his property in order to come out of financial distress.
However, this information was available online long after he improved his
financial status, and this prevented him from getting employment and other
opportunities since everyone who looked him up online found this advertisement
and assumed he was bankrupt. This led to a severe damage to his reputation and
leading him to take the matter to Court. The European Court of Justice while
recognising the Right to be Forgotten for the first time held that “under
certain circumstances, European Union residents could have personal information
removed of deleted from search results and public records databases[3]”.
The first case where this right was
discussed in Indian jurisprudence was in Dharamraj Bhanushankar Dave v.
State of Gujarat[4]
before the Gujarat High Court. Here, the petitioner had been accused of some
criminal activities but was later acquitted. He had prayed that the Court
remove all the matter regarding this case from all online platforms as it was
damaging his personal and professional life. Taking a narrow view, the Court
rejected this prayer and denied the petitioner their Right to be Forgotten.
This right was yet again brought up in Jorawar Singh Mundy v. Union of
India[5] before
the Delhi High Court where the petitioner had a false claim under Narcotics
Drugs and Psychotropic Substances Act, 1985 against himself but was acquitted.
However, information regarding this case and texts from the judgment was still
freely available on the internet. He was faced with prejudice while trying to
secure employment and was excluded from social circles. The relief sought was
to remove the judgment from the respondent online websites. The legal issue in
dispute here essentially becomes a conflict between “[the] petitioner’s Right
to Privacy [on one hand] and, on the other hand, the public’s Right to
Information and the preservation of transparency in judicial records[6]”.
The Court ruled in favour of the petitioner “accordingly recognising the
Plaintiff’s Right to Privacy, of which the ‘Right to be Forgotten’ and the
‘Right to be Left Alone’ are inherent aspects[7]”
and directed the respondent websites to remove said content from their domains.
A major breakthrough for privacy laws
in the country was from the revolutionary case of Justice K.S. Puttaswamy
v. Union of India[8],
where the Supreme Court recognised the Right to be Forgotten as a part of Right
to Life under Article 21 of the Constitution. Privacy in its most basic sense
means being left alone, this is the core principle of the Right to be
Forgotten. It is however subject to certain restrictions where it would be
trumped by other Fundamental Rights. These include the following –
1. Exercise of the Right to Freedom of
Expression and Information
2. Fulfilment of legal responsibilities
3. Execution of duty in the public
interest or public health
4. Protection of information in public
interest
5. For the purpose of scientific or
historical study, or for statistical purposes
POSITION OF
LAW
(a) INDIA
Post the landmark judgment of the Puttaswamy
Case, many Standing and Parliamentary Committees recommended and
“emphasised [a] need for specific regulations on data protection and privacy[10]”.
In May 2018, the Justice B.N. Srikrishna Committee submitted a draft of
a new Data Protection Bill which included provisions for the Right to be
Forgotten. Subsequently, in December 2019, “Ravi Shankar Prasad, Minister of
Electronics, and Information Technology, submitted The Personal Data Protection
Bill to the Lok Sabha[11]”.
This was the law maker’s first attempt at codifying this right. Some of the salient features of the Bill
included – creation of different categories of data as personal data, sensitive
personal data and critical personal data, each having its own regulatory
requirements. Digital Platforms would be obligated to share with its users/
subscribers how and where their data would be used. “In essence, the [B]ill
gave consumers the right to access, correct and erase their data.[12]”
Thus empowering them under the Right to be Forgotten. But it created an
exemption for Government agencies from being included under the ambit of the
Bill. “The Government also [had] the power to demand non-personal data and
anonymised personal data from data fiduciaries for the benefit of various
Government services.[13]”
As a result, the bill was met with strong opposition from many tech companies.
Ultimately, it was referred to a Joint Parliamentary Committee which proposed
81 amendments to the same. It was withdrawn in August 2022 to give way to a
more comprehensive law for data protection and privacy in the country. This
Bill was once again tabled in 2023 and was passed in August as the Digital
Personal Data Protection Act, (DPDPA) 2023. It is scheduled to be enforced form
1st January 2024.
Before the enactment of DPDPA,
individuals filed complaints for breach of personal data under the following
provisions. Firstly, Section 43A of the Information Technology Act 2000,
provides that if a website fails to keep personal sensitive data gathered
secure, resulting in some unlawful loss to the individual or a wrongful gain
for itself or any other third party they are required to the compensate the
individual. Secondly, Rule 11 of the Information Technology (Intermediary
Guidelines and Digital Media Ethics Code) Rules 2021, require intermediaries to
appoint a Grievance Redressal Officer who will serve as the point of contact
for all data breach, ethics and privacy related issues.
The Right to be Forgotten has not
been mentioned explicitly in any statute or even the Constitution. However,
Section 12 of the Digital Personal Data Protection Act, 2023 in some ways
provides for this. Titled, “Right to correction and erasure of personal data[14]”,
it allows an individual to correct, complete, update or erase personal data
which they had previously given consent to for processing. Accordingly, the
data fiduciary upon request is required to correct or remove inaccurate or
misleading, complete incomplete and update personal data. However, all of this
may only be carried out if it is not in conflict or violation of any other
enforceable law. It can therefore be seen that without proper data protection
laws there is no basis for this right to even become a fundamental right.
Strong data protection laws need to exist to compliment this right. Through the
discussion in the following sections, it will be shown that the current laws
are not strong enough to enforce this right.
(b) EUROPEAN UNION
The European Union has been able to
consolidate and effectively establish the Right to be Forgotten in their
privacy laws making it an integral part of human rights law as well. “The Data
Protection Directive was a [] directive adopted way back in 1995 to regulate
the processing of personal data within the European Union.[15]”
Presently, the law applicable is the General Data Protection Regulation (GDPR)
of 2016. Article 17 of this legislation provides that “the data subject shall
have the right to obtain from the controller the erasure of personal data
concerning [them] without undue delay and the controller shall have the
obligation to erase personal data without undue delay[16]”.
It is to be noted that this right not an absolute one, the Article lays down
certain situations where an individual may request the data collector to erase
information.
1. When the organisation no longer needs
the data they had collected
2. When the individual withdraws their
consent for sharing information
3. Unlawful processing of an
individual’s data
4. Erasure of information to comply with
other legal requirements
5. When the individual objects to
marketing of their data
6. When “[a]n organisation has processed
a child’s personal data to offer their information society services[17]”.
This article also lays down
situations where the need to process data overrides their Right to be
Forgotten. Some of them include – when the data is collected to exercise the
Right of Freedom of Expression and Information, compliance with legal
regulations, tasks in public interest and public health purposes.
(c) THE UNITED STATES
Different states in the U.S. have
different stances and provisions with respect to individual’s privacy and the
Right to be Forgotten. Presently however, only the state of California
substantially recognises this law. Firstly, under the California Eraser Law of
2015, a minor can “remove or request and obtain removal of content or
information they posted on an operator’s website, application or online service[18]”.
This statute promotes and protects a minor’s speech and expression from sharing
personal information online giving them an opportunity to remove social media
posts “that would otherwise follow them throughout their [entire] adult life[19]”.
Secondly, the California Consumer Privacy Act of 2018 was amended in 2023 to
include provisions to enable the Right to be Forgotten. Along with the already
existing provision to request for removal of personal data collected, the
amendment includes “[t]he right to correct inaccurate personal information that
a business has [collected][20]”
and “[t]he right to limit the use and disclosure of sensitive personal
information collected[21]”.
When this is compared to the Indian
law, it can be seen that the GDPR provisions as well as the Californian Privacy
laws are much more comprehensive as it lays down certain defined situations
where this right may be applicable. This aids both organisations and
individuals to know what information they can collect and share respectively.
It also clearly specifies where this right would be trumped by public interest
and welfare requirements, showing that this right isn’t an absolute one.
Ultimately this prevents the whole debate and confusion pertaining to when an
individual’s right to privacy would prevail over an organisation’s need to
share data for public information.
JUDICIAL DISCOURSE
“The Right to be Forgotten has not
been in dictum held by the Supreme Court as a Fundamental Right.[22]”
Even in Puttaswamy, while the Court did recognise this right to be a
facet of the Right to Privacy, it “chose not to enforce it as a standalone
Fundamental Right[23]”.
Today, this right may be interpreted and applied by Courts as per their
discretion. This has led many High Courts to pass contradictory judgments
regarding the same, furthering the debate of the enforceability of this right.
The Karnataka and Kerala High Courts have taken the progressive stance and
passed judgments in favour of upholding this right while the High Court of Gujarat
has taken a contrary view ruling against the existence of the same.
In the case of Vasunathan v.
Registrar General[24]
filed before the High Court of Karnataka, a plea was made under Article 226 of
the Constitution to remove the Petitioner’s daughter’s name who had been
impleaded as a party to the suit from online search results on the grounds that
it would be damage her reputation and her relationship with her husband. As the
case had been filed against her husband and both the parties had reconciled
their differences since. “The petition was to erase all digital information or
at least [be] made unavailable to for the viewing of the general population[25]”
and was held by the High Court that the daughter’s name should be hidden in the
judgment and not be made available in online searches for the judgment.
However, these changes were not to be made in the official copy of the judgment
as well as on the High Court Website. This struck a balance between the
Petitioner’s Right to be Forgotten and the public’s larger Right to Information
about the outcome of the said judgment.
Further, In Zulfiqar Ahman Khan
v. Quintillion Business Media Pvt. Ltd. & Ors[26]
which was filed before the Delhi High Court, the petitioner prayed for an
injunction against republication of two articles written by the defendant
against the plaintiff during the #MeToo movement for being baseless allegations
and causing “enormous torture and personal grief[27]”.
The plaintiff argued that they should have been given prior notice of the
publication of these articles, and by not doing so, “the defendants published
one-sided accounts which resulted in tarnishment of [the plaintiff’s]
reputation[28]”.
Recognising the Plaintiff’s Right to be left alone, the Court directed a
restrainment of republication and modification of the alleged articles during
the pendency of the said suit. Finally, in Sredharan T v. State of Kerala[29],
the High Court of Kerala while recognising this right, allowed the petitioner’s
prayer of removing the name and personal information of the rape victim from
search engines in order to protect her identity. It directed an interim order
for the enactment of the same. Taking a more positivist approach, the Gujarat
High Court in Dharamraj Bhanushankar Dave v. State of Gujarat[30],
as already discussed in the earlier sections of this paper, denied the
petitioner their right to be forgotten on the ground that “in the absence of
necessary legislative backing, it could not declare [the alleged] publication
as being violative of the petitioner’s fundamental rights[31]”.
It can be seen that recently Courts
have been more inclined towards the recognition of this right by granting the
prayers of the petitioners for being ‘forgotten’ giving the Right to Privacy a
more wholistic application. However, to solidify the application of this right,
statutory and legislative backing is imperative.
WHAT OF FREEDOM OF SPEECH AND EXPRESSION?
The inherent controversy occurs when
“an individual is looking to enforce and exercise his Right to be Forgotten
which is an inherent aspect of the Right to Privacy and on the other hand,
there exists the Right to Freedom of Speech and Expression of the public at
large which encompasses in its fold, the Right to Information and the Right to
Know[32]”.
This right in the very essence of what it stands for seems to be contradictory
to the already established Fundamental Right of Free Speech and Expression as
well as the Right to Information as under the Right to Information Act, 2005.
The Right to free speech allows an individual to voice their opinions under
Article 19 (1) (a) of the Constitution provided that they do not fall under the
restrictions as mentioned under mentioned in the exhaustive list under Article
19 (2). The Right to be Forgotten does not feature here making it reasonable to
assume that this right would have the potential to curtail the free speech.
Similar to the Right to Privacy, this
right lacks legislative backing which will make its enforcement comparatively
tougher. An argument may also be made that without proper and strict guidelines
for enforcement, if implemented in its current form, could have the potential
of ‘chilling effect of freedom of speech’. Its current from is so broad that
“its application is bound to reach broad areas of privacy where individuals
interpret certain personal data as unnecessary, irrelevant or inaccurate on the
internet which might be right and under the purview of the grounds mentioned
[under the Digital Personal Data Protection Act, 2023], but the public might
not concur with the same[33]”.
In such scenarios it is unclear as to what steps to take to determine which of
the two rights would take precedence – Article 19 (2) or the DPDPA.
The abovementioned judgments have
been criticised on the grounds of imposing additional censorship on search
engines and online information platforms. Just imposing large amounts of fines
on data regulators does not guarantee compliance. In order to circumvent the
fine, these regulators would not properly investigate every request and would
just remove all kinds of information even if it went against public interest
and welfare. “This would lead to a chilling effect on speech as the search
engine would [comply with all the requests] and deleting [] data that might not
strictly be protected under the Right to be Forgotten.[34]”
Additionally, this would restrict journalists from disseminating accurate and
unbiased information because of the new rules of disclosure with respect to
personal information as per the DPDPA. It might lead to a delay in circulation
of news as journalists would have to wait for the decision of the adjudicating
officer (data protection officer) with regards to disputed personal
information.
Privacy laws in India are still
evolving. They are not fully developed yet to give effect to the Right to be
Forgotten. In the light of these limitations, if this right is implemented in
its current form, it would most definitely lead to curtailing the Right to Free
Speech.
SUGGESTIONS AND WAY FORWARD
The internet does not forget. With
the increase in our digital footprint, we need to become more aware about the
information we share online. The ease of circulation of personal information
has increased manifold and is accessible through simple web searches. As easy
as it is to share information online, it is not that easy to take it down, this
right therefore comes in handy for those individuals who want to start afresh.
Privacy laws in the country are still at its nascent stage. The question we as
individuals, data fiduciaries and legislators as a part of this digital
ecosystem must be asking is whether “it would be a good idea for us to reserve
the Right to be Forgotten[35]”.
The analysis through this paper
reveals that there are still many grey areas in this law that need to be
addressed. “The right to be forgotten has to be harmoniously constructed with
the right to information and the freedom of expression.[36]”
To make the law more comprehensive, inspiration could be taken from the
European Union’s GDPR, which provides that the Right to be Forgotten as not an
absolute Right. There are certain situations where an individual’s right to
privacy needs to be put above the public’s right to information and vice versa.
Specific guidelines as to in what type of situations this right would become
enforceable should be laid down. Until there is a clear answer and complete
rest to this debate, courts should have the discretion to evaluate this in a
case-to-case manner.
BIBLIOGRAPHY
(a) Table of Cases
Dharamraj Bhanushankar Dave v. State of Gujarat & Others 2015 SCC Online Guj 2019.
Google Spain SL v. Agencia Espafiola de Proteccion de Datos (AEPD) 2014 E.C.R. 317.
Jorawar Singh Mundy v. Union of India MANU/DE/0954/2021.
Justice K.S. Puttaswamy v. Union of India (2017) 10 SCC 1.
Vasunathan v. Registrar General (2017) SCC Online Kar 424.
Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd.
& Ors. AIR 2019
Del. 132.
Sredharan T v. State of Kerala Writ Petition No. 9478 of 2016.
(b) Table of Legislation
Digital Personal Data Protection Act 2023
(c) List of References
Ahmad Z, ‘Right to be Forgotten’ (Manupatra, 23 August
2022)
accessed on 18 October 2023
Aswani N, ‘The Right to be Forgotten and Its Enforcement in
India’ (2020) 6 (3) Int. j. leg. dev. allied issues
Bonta R, ‘California Consumer Privacy Act (CCPA)’ (State
of California Department of Jusitce, updated on 10 May 2023)
accessed on 18 October 2023
‘Centre withdraws Personal Data Protection Bill, 2019: Will
present new legislation, says IT Minister’ (Times of India, 3 August
2022)
accessed on 18 October 2023
Dalmia V P, ‘India: Right To Be Forgotten: An Analysis Of The
Indian Position’ (Mondaq, 13 December 2022) <
https://www.mondaq.com/india/data-protection/1257164/right-to-be-forgotten-an-analysis-of-the-indian-position>
accessed on 18 October 2023
Jamal U and Srinath P, ‘Right To Be Forgotten: Meaning,
Evolution, And Its Legality In India’ (Live Law, 17 August 2022) <
https://www.livelaw.in/lawschoolcolumn/right-to-be-forgotten-k-s-puttaswamy-and-anr-v-uoi-european-union-general-data-protection-regulation-kashmir-university-jindal-global-university-206773>
accessed 18 October 2023
Kapoor S, ‘Is The ‘Right To Be Forgotten’ a Fundamental
Right?’ (Times of India, 13 April 2023)
accessed on 10 October 2023
‘State Right to be Forgotten Policy’ (Epic.org)
Vashishtha S, ‘The Evolution of Right to be Forgotten in
India’ (2022) SCC OnLine Blog Exp 7
accessed on 10 October 2023
Wolford B, ‘Everything
you need to know about the “Right to be forgotten”’ (GDPR.EU)
[1] Sanjay Vashishtha, ‘The Evolution
of Right to be Forgotten in India’ (2022) SCC OnLine Blog Exp 7
accessed on 10 October 2023
[3] Sanjay Vashishtha (n 1).
[4] Dharamraj Bhanushankar Dave v.
State of Gujarat & Others 2015 SCC Online Guj
2019.
[5] Jorawar Singh Mundy v. Union of
India MANU/DE/0954/2021.
[6] Samriddhi Kapoor, ‘Is The ‘Right
To Be Forgotten’ a Fundamental Right?’ (Times of India, 13 April 2023)
accessed on 10 October 2023
[7] Vijay Pal Dalmia, ‘India: Right To
Be Forgotten: An Analysis Of The Indian Position’ (Mondaq, 13 December
2022) < https://www.mondaq.com/india/data-protection/1257164/right-to-be-forgotten-an-analysis-of-the-indian-position>
accessed on 18 October 2023
[8] Justice K.S. Puttaswamy v.
Union of India (2017) 10 SCC 1.
[9] Sanjay Vashishtha (n 1).
[10] Samriddhi Kapoor (n 6).
[11] Ibid.
[12] ‘Centre withdraws Personal Data
Protection Bill, 2019: Will present new legislation, says IT Minister’ (Times
of India, 3 August 2022)
accessed on 18 October 2023
[14] Digital Personal Data Protection
Act 2023, Sec. 12
[15] Zubair Ahmad, ‘Right to be
Forgotten’ (Manupatra, 23 August 2022)
accessed on 18 October 2023
[16] Ben Wolford, ‘Everything you need
to know about the “Right to be forgotten”’ (GDPR.EU)
[17] Ibid.
[18] ‘State Right to be Forgotten
Policy’ (Epic.org)
[19] Ibid.
[20] Rob Bonta, ‘California Consumer
Privacy Act (CCPA)’ (State of California Department of Jusitce, updated
on 10 May 2023) accessed on 18 October
2023
[21] Ibid.
[22] Nikhil Aswani, ‘The Right to be
Forgotten and Its Enforcement in India’ (2020) 6 (3) Int. j. leg. dev. allied
issues
[23] Ibid.
[24] Vasunathan
v. Registrar General (2017) SCC Online Kar
424.
[25] Ibid.
[26] Zulfiqar
Ahman Khan v. Quintillion Business Media Pvt. Ltd. & Ors. AIR 2019 Del. 132.
[27] Ibid.
[28] Ibid.
[29] Sredharan T v. State of Kerala
Writ Petition No. 9478 of 2016.
[30] Dharamraj Bhanushankar Dave
(n 4).
[31] Ummar Jamal and Prerana Srinath,
‘Right To Be Forgotten: Meaning, Evolution, And Its Legality In India’ (Live
Law, 17 August 2022) < https://www.livelaw.in/lawschoolcolumn/right-to-be-forgotten-k-s-puttaswamy-and-anr-v-uoi-european-union-general-data-protection-regulation-kashmir-university-jindal-global-university-206773>
accessed 18 October 2023
[32] Nikhil Aswani (n 22).
[33] Ibid.
[34] Ibid.
[35] Sanjay Vashishtha (n 1).
[36] Vijay Pal Dalmia (n 7).
Article Information
BALANCING SILENCE AND EXPRESSION: Analysing The Right To Be Forgotten In India
Authors: ASTHA BHUMISH SHAH
- Journal IJLRA
- ISSN 2582-6433
- Published 2024/01/09
- Issue 7
About Journal
International Journal for Legal Research and Analysis
- Abbreviation IJLRA
- ISSN 2582-6433
- Access Open Access
- License CC 4.0
All research articles published in International Journal for Legal Research and Analysis are open access and available to read, download and share, subject to proper citation of the original work.
Disclaimer: The opinions expressed in this publication are those of the authors and do not necessarily reflect the views of International Journal for Legal Research and Analysis.