Right to be Forgotten under the Personal Data Protection Bill, 2019: Challenges to Implementation

Radhika Maheshwari[i]

The era of digitization has permeated the use of internet to every possible corner of the globe. The Digital India Campaign is gaining momentum more so now than ever, with businesses, education, shopping, and even court hearings taking place over the internet. The year 2020 saw a record 700 million internet users[ii] across India. The amount of data being generated online in this regard is unfathomable. With this feasibility of access to data also comes the fear of intrusion into one’s private life. The question therefore arises, can an individual legitimately control the removal from the web space of that information which is processed by another entity? The answer to this question is reflected under the new Personal Data Protection Bill (“The Bill”) as a part of “right to be forgotten”. The Bill however, is yet to be passed with its pendency before the Joint Parliamentary Committee. This right prima facie operates as antithesis to the constitutional safeguards of freedom of expression and right to information. Further, with radical developments in the technological sector, the challenges to the right to be forgotten are forthcoming. This article pinpoints the issues and challenges to the implementation of the right to be forgotten.

Right to be Forgotten- An Insight

We as individuals are accorded the freedom to put information over the internet that we consider desirous and necessary. A natural corollary to this would be that it should be our prerogative to remove such information, if it has the potential to cause any encroachment or harm. The “right to be forgotten” (“RTBF”) essentially refers to the right of persons to seek the removal of their information from the websites of the data controllers. The first instance where the RTBF was emphasized was the Google Spain Case[iii], whereby the European Court of Justice stated that individuals have the right to request the removal or erasure of their data from search results when it is no longer necessary. The K.S. Puttuswamy[iv] judgement, the Supreme Court had observed that the right to be forgotten was engrained in the right to privacy in order to serve the legitimate interests of individuals in the digital arena. RTBF has been statutorily recognized under Section 20(1) of the Bill. As per this provision, if the data principal[v] feels that the disclosure of this personal data[vi] by the data fiduciary[vii] (including search engines, social media platforms) is no longer necessary; or the purpose of such disclosure has been fulfilled or; the data principal has withdrawn his consent for making such disclosure; or the disclosure violates any existing law, then upon an application to the Adjudicating Officer duly appointed by law, an order may be passed directing the data fiduciary to remove such personal data from the online portal. The order can be passed only after weighing several parameters as regards the relevancy, sensitivity, accessibility and scale of disclosure of the personal data. The Adjudicating Officer must also take into account the hinderance that may be posed to the data fiduciary’s activities in the event of discontinuation of disclosure of the personal data in question.

The genesis of the RTBF under the present Bill stems from the General Data Protection Regulation (“GDPR”), which came into effect in the year 2018 for the Member States of the European Union. Under the EU GDPR, the decision regarding the exercise of right to be forgotten under Article 17[viii]rests with the data controller and not any designated authority, as opposed to the proposed Bill in India.

Rationale underlying the Right to be Forgotten

There has been a paradigm shift towards the use and dissemination of digital information by state and non-state actors, thus facilitating easy accessibility of the subjects’ personal data. The internet has re-defined “memory” to be limitless and beyond all human capability; digital permanence is the new goal for many, especially with the pioneering blockchain technology. Informational Privacy[ix] as far as an individual’s personal data in the cyberspace is concerned therefore becomes inevitable. The dynamic nature of the human race makes an individual susceptible to changes over time- changes in identify, preferences, behaviour, conduct etc. People may be regretful or embarrassed of certain information regarding themselves that is available on the internet. Therefore, if people have been accorded the freedom to manage what data is put over the internet, it follows that they also have the derivative right to remove/delete it subsequently if it is no longer relevant. This right holds great significance in instances of social media abuses, internet shaming, circulating objectionable content especially without the consent of such person. The right to privacy therefore, cannot be left to the vicissitude and the perennial reach of technology, if one has to sustain the ramifications of digitization.   

The judiciary’s role in recognizing the right to be forgotten as a part of right to privacy has been imminent. In the case of Subhranshu Rout v. State of Odisha,[x] whereby the accused posted videos of the victim being raped on platforms like Facebook, the High Court although taking cognizance of victim’s request to delete such content from the internet, could not pass an order to that effect due to the lack of codified laws on data protection and privacy. The Karnataka High Court in the case of Sri Vasunathan v. Registrar General & Ors.,[xi] allowed the application filed by the petitioner to get his daughter’s name removed from search engines in reference to a case involving the petitioner. The Court while recognizing the principle of right to be forgotten ordered a redaction of the daughter’s name from the records on the reasoning that it had a possibility of affecting the daughter’s reputation in the public sphere. In the matter of Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd. & Ors.,[xii] the Delhi High Court in reference to sexual harassment allegations against the plaintiff as a part of the #MeToo Campaign, ordered the articles containing the allegations not be published or re-published on the concerned platforms till the pendency of the proceedings. The said order was premised on the contours of right to be forgotten and the right to be left alone which in the court’s opinion were integral to the plaintiff’s right to privacy.

Right to be Forgotten at Loggerheads with Freedom of Speech and Right to Information

The RTBF under the proposed is Bill is not absolute and has been statutorily limited. The proviso to Section 20 provides that the data principal has the burden of proving that the continued disclosure of his personal information by the data fiduciary violates his right to privacy and this right to privacy outweighs the right to information, and freedom of speech and expression of any other citizen. The Adjudicating Officer therefore, cannot pass an order under this section if the burden of proof is not discharged by the data principal in showing that the balance of convenience lies in his favour. This restriction limits the extent of control that a data principal may have on his data as far as his personal information in the web space is concerned.

Since the RTBF essentially forms a part of the larger right to life, it is imperative to strike a balance with other fundamental freedoms. For instance, an individual may want to remove certain allegations regarding his criminal conduct from the internet. This essentially obliterates the access of information to the public at large which may be important for maintaining public records or for furnishing data to the people in general. This in turn would also violate the freedom of speech and expression of those penning the facts and opinions on the same. By deduction, if people began exercising the RTBF, it could have far reaching consequences on the availability of information over both public and private domains. “Public Interest” would have to be substantially evaluated keeping in view the future prospects of the relevant information. Although the interpretation of what constitutes public interest is done on a case-to-case basis, privacy rights of individuals are almost always diluted when the question of ‘larger public interest’ is involved. The courts so far have relied on the ‘fair, just and reasonable’ test while determining privacy claims vis-a-vis public interest and state interest. Further, as has also been held by the Supreme Court that right to privacy is subject to reasonable restrictions and must bow down to compelling public interest.[xiii] The enforcement of this right therefore would eventually depend upon a careful scrutinization of all parameters of what may be gained and what may be lost. Deductively, discharging the burden of proof as is contemplated by Section 20 may prove to be extremely onerous and arduous on part of the data principal who is seeking to enforce his RTBF.

The Bill has entrusted the responsibility of adjudging the ‘right balance’ between the rights to the State, i.e., Adjudicating Officer who is appointed by the Data Protection Authority which is ultimately appointed by the government. This raises a concern over the extent of intervention and pervasiveness of State actions in determining the contours of an individual’s privacy in the digital world. There persists an apparent conflict of interest in a situation where the data controllers and the Adjudicating Officer are both extensions of the government. As the doctrine of proportionality entails, that the degree of State intervention and the exercise of a right (right to privacy) must be proportional to one another. Attaining this proportional balance, especially where the right to information of persons is concerned may be a wobbly task. One of the reasons being Section 8(1)(j)[xiv] of the RTI Act, 2005, that creates an exception on disclosure of information if it causes unwarranted invasion of privacy. Therefore, the thresholds of scrutinising requests for RTBF and the right to information in relation to the exceptions they create for each other need be at parity, because in the absence of definitive standards, conflicts are bound to arise. One of the suggestions that the author puts forth is to entrust the powers of enforcing the RTBF to the judiciary so that principles of fairness and equity may be maintained in cases like these which entail a conflict between two fundamental rights.

Right of Erasure different from Right to be Forgotten?

Section 18(1)(d)[xv] entitles the data principal to the “right of erasure” of such personal data which is no longer required to be disclosed. Erasure of personal data would imply its complete destruction or removal from the systems of the data fiduciaries by usage of different erasure mechanisms. A request for erasure has to be made by the data principal directly to the data fiduciary as per Section 21(1) and not to the Adjudicating Officer. Whereas, in order to exercise the RTBF, the application has to be made to the Adjudicating Officer as mentioned above and data fiduciaries have no role in authorizing the removal or destruction of the personal data. This implies that the RTBF has been given a different dimension as compared to the right of erasure under Bill while in technical terms, the process to be followed for achieving the end result, i.e., removal or destruction of data, is the same. Resultantly, data principals may use the right of erasure of their personal data to bypass or avoid the stringent procedure and restrictions under Section 20. This is a potential loophole in the framing of this particular provision. The White Paper on the Committee of Experts on Data Protection Framework for India[xvi] clearly refers to both the rights to mean the same thing. Even under the EU GDPR, the right of erasure and the RTBF have been used synonymously and form a part of a single standalone right. If the Bill is passed in its current form, the RTBF is likely to be misused under the garb of right to erasure.

Yet another gap in the Bill that needs to be tended to is the process that follows after an order has been made by the Adjudicating Officer under Section 20(2). Sub-section 4 to Section 18 imposes a duty on the data fiduciary to inform about the erasure of data to all those persons or entities to whom the data in question has been disclosed, so that such persons may also take the requisite steps needed to erase the data. Section 20 however, does not thrust any such obligation in case of RTBF either upon the data fiduciary or the Adjudicating Officer. This will ultimately operate against the interests of all those data principals seeking to exercise the RTBF, as all the entities to whom the data fiduciary has passed on the personal data may still possess such data due to lack of notice for the same.

Blockchain Technology: A serious hurdle in the way of Right to be Forgotten

Blockchain Technology[xvii] in simple terms is a decentralized, distributed ledger that stores data in a block which can be shared globally among the participants in the network. The key feature of blockchain is its “immutability” implying inability to alter or erase the data once it has been entered in the block. The irreversibility of this process of managing and storing data is a major concern for data privacy and the RTBF in particular. With chunks of personal data being stored on blockchain, its removal or destruction is unachievable, thereby undermining the very essence of this right. The Ministry of Electronics and Information Technology in its ‘Strategy for National Level Blockchain Framework’[xviii] also stated that “the right to be forgotten under the PDP Bill has contradictions with the inherent feature of Blockchain where data cannot be deleted and history of data is always accessible.”[xix] While there still maybe some recourse available in a private blockchain network which has limited participants, it is highly unlikely for a data principal to enforce his right in case of a public blockchain network which has no limit on the number of participants thus making the personal data accessible across borders without any permission or compliance with the rules. 

Concluding Remarks

Right to be forgotten is unarguably a way forward in protecting one’s personal data from being used/misused in the cyberspace. However, scholars believe that this right is a potential threat to free speech and journalistic freedom. The inflating conflict between the RTBF and the right to freedom of speech and information has to be resolved by re-defining its definite contours. As for blockchain technology which has already been put to use by various Banks and state governments across India, data of millions of users may have already been permanently embedded in the systems. The enforcement of this right in practical terms may prove to be unfeasible with discontinuation of disclosure requests from a large number of individuals. The implementation of this Bill is also likely to build huge pressure on the data fiduciaries for compliance with privacy norms.

________________________________________________

[i] The author is a fourth-year BBA-LLB student at Bennett University, Greater Noida. My areas of interest particularly include Intellectual Property Law, Data Protection Laws, and Gender Justice. She can be contacted via mail at [email protected].

[ii] Number of internet users in India from 2015 to 2020 with a forecast until 2025(in millions), Published by Sandhya Keelery on October 16, 2020

available at https://www.statista.com/statistics/255146/number-of-internet-users-in-india/, (last accessed on 23^rd February, 2021).

[iii] Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, C131/12, [2014], ECJ.

[iv] K.S. Puttuswamy v. Union of India & Ors, (2019) 1 SCC 1.

[v] Personal Data Protection Bill, 2019, § 2(13), “data fiduciary” is defined as any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

[vi] Personal Data Protection Bill, 2019, § 2(28), “personal data” is defined as means data about or relating to a natural person who is directly or indirectly identifiable, having regard to any characteristic, trait, attribute or any other feature of the identity of such natural person, whether online or offline, or any combination of such features with any other information, and shall include any inference drawn from such data for the purpose of profiling.

[vii] Personal Data Protection Bill, 2019, § 2(14), “data principal” is defined as means the natural person to whom the personal data relates.

[viii] General Data Protection Regulation (EU GDPR) 2016/679, Art. 17.

[ix] Her Majesty, The Queen v. Brandon Roy Dyment (1988) 2 SCR 417; See also Data Protection Committee Report by Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, at 5, 10.

[x] Subhranshu Rout v. State of Odisha, BLAPL No. 4592 of 2020.  

[xi] Sri Vasunathan v. Registrar General & Ors, Writ Petition No. 62038 of 2016 decided on January 23, 2017. 

[xii] Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd. & Ors., 2019 (175) DRJ 660; order of Delhi High Court on May 9, 2019.

[xiii] Ritesh Sinha v. State of Uttar Pradesh & Anr., Criminal Appeal no. 2003 of 2012, decided on August 2, 2019. 

[xiv] Right to Information Act, 2005, § 8(1)(j).

[xv] Personal Data Protection Bill, 2019, § 18(1)(d).

[xvi] Ministry of Electronics and Information Technology ‘White Paper on the Committee of Experts on Data Protection Framework for India,’ (2017), Ch.10, 137-141.

[xvii] What is Blockchain? available at https://www.euromoney.com/learning/blockchain-explained/what-is-blockchain#:~:text=Blockchain%20is%20a%20system%20of,computer%20systems%20on%20the%20blockchain (last accessed on February 23, 2021).

[xviii] Ministry of Electronics and Information Technology, Strategy for National Level Blockchain Framework, (January 2021).  

[xix] Ibid, at 19.