The need for the Right to be Forgotten is developing in our constantly changing, digital world. With social media or our Chrome search history, artificial intelligence has grown to the point that it can now learn even the slightest facts about our daily lives. The question of how this information might be used against us is a challenge in our daily lives. The phrase Right to be Forgotten can also be used to refer to the ‘Right to Erasure’, which essentially means to remove all traces of any past incident from the internet. It has been referred to as a ‘Right to Privacy’ in the Indian context according to the historic ruling of K.S. Puttaswamy v. Union of India 2017.
Meaning of Privacy
Privacy can be defined as “the state of being alone, or the right to keep one’s personal matters and relationships secret”.[1] Privacy as people understand is the freedom to keep their lives and the events or happening in their lives not known to anyone and everyone, instead to a smaller group of people. The great philosopher, Aristotle has also distinguished between private and public spheres of life where the private sphere is attributed by the oikos, the family which is the realm of self-regulation and the public sphere by the polis, which the government. “Privacy can refer to a sphere separate from government, a domain inappropriate for governmental interference, forbidden views and knowledge, solitude, or restricted access, to list just a few.”[2]
Different categories of Privacy
There are different facets to the privacy rights and they can be broadly classified among the following categories –
- Information Privacy – is the relationship between the collection and dissemination of data, technology, the public expectation of privacy, contextual information norms, and the legal and political issues surrounding them.[3]
- Bodily Privacy – people have the right to make medical decisions and function their body in any way they deem fit without the interference of others. It involves the concept of ‘consent’. In India, Medical Termination of Pregnancy Act 1971 has been declared as a reproductive right wherein the right to legal abortion has been raised from 20 weeks to 24 weeks of gestation, it includes “vulnerable women including survivors of rape, victims of incest and other vulnerable women (like differently-abled women, Minors) etc.”[4]
- Communication Privacy – It includes the right to confidentiality and the ability to communicate without unwarranted surveillance or interception. To protect data and conversations from being used or interpreted by a third party, there are features available on online chatting platforms like WhatsApp, Telegram, etc. of end-to-end encryption mode or VPN.
Background
The French law on the “Right to oblivion,” or Droit a loubli, in 2010 is where this Right first emerged. In its 2014 decision in Google Spain SL and Google Inc. v. Agencia Espaola de Protección de Datos (AEPD) and Mario Costeja González, 2014, the European Union introduced the concept of the ‘Right to be Forgotten’ which is consistent with the General Data Protection Regulation’s (GDPR) provisions for the ‘Right to Erasure’. By prohibiting the dissemination of information about their crimes and criminal lives, this right of forgetfulness helped convicted criminals who had served their prison terms. Mario Costeja Gonz’lez, was facing economic problems and was in dire need of money. As a result, he published a newspaper ad offering a property for auction, which by coincidence appeared online. Unfortunately, the internet did not forget about Mr. Gonz. Moreover, irrelevant information on the sale was searchable on Google long after he had resolved his financial difficulties, leading everyone who looked him up to believe he was bankrupt. This misunderstanding of people led him to file a lawsuit.[5]
International Conventions on Right to Privacy
- Article 12 of the Universal Declaration of Human Rights –
“No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks”.[6]
- Article 17 of the International Covenant on Civil and Political Rights –
1”. No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour and reputation.
2. Everyone has the right to the protection of the law against such interference or attacks.”[7]
- The General Data Protection Regulation
The GDPR is a crucial part of both EU privacy law and human rights law. The transmission of personal data outside the EU and EEA is also covered. The main goals of the GDPR are to make it easier for businesses doing business internationally to comply with regulations and to provide individuals more power and rights around their personal data. The GDPR was adopted on April 14th, 2016, and went into effect on May 25th, 2018. The GDPR is directly applicable and obligatory because it is a regulation rather than a directive, and it also allows for the flexibility of individual member states to modify specific components of the regulation.
The right to be forgotten appears in Recitals 65 and 66 and in Article 17 of the GDPR. It states, “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” if one of a number of conditions applies.[8]
Right to Privacy under Indian Context
The right to privacy has been a contentious issue in India, and without a specific article devoted to it, it was difficult for people to assert it. However, the Supreme Court took the matter into consideration and issued a ruling in 2017 that expanded the scope of Article 21 of the Indian Constitution to include the right to privacy.
“In A.K. Gopalan v. State of Madras (1950), the Supreme Court of India in which the Court ruled that Article 21 of the Constitution did not require Indian courts to apply a due process of law standard. In doing so, the Court upheld the validity of the Preventive Detention Act, 1950, with the exception of Section 14, which provided that the grounds of detention communicated to the detainee or any representation made by him against these grounds cannot be disclosed in a court of law.” [9] This meant that the police were not curbing the Right to Privacy of the man under Article 21 of the Constitution instead it was following the due procedure of law.
In Kharak Singh v. State of Uttar Pradesh (1962), it was determined that the police’s home visits to ‘habitual criminals’ or the people who were likely to become was unconstitutional but the Right to Privacy was unaffected as it was not considered a fundamental right back then.
In Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017), the constitutional nine-judge bench held that the Right to Privacy comes under the ambit of Article 21 of the Indian Constitution which guarantees Right to Life and Personal Liberty. The bench held that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution. It held that the right to privacy may be restricted where such invasion meets the three-fold requirement of
- legality, which postulates the existence of law;
- need, defined in terms of a legitimate state aim; and
- proportionality which ensures a rational nexus between the objects and the means adopted to achieve them.”[10]
This judgment over-ruled the previous judgments of M.P. Sharma v. Satish Chandra and Kharak Singh v. State of U.P. “Informational privacy is a facet of the right to privacy. The dangers to privacy in an age of information can originate not only from the state but from non-state actors as well”[11] Justice Chandrachud continued. He urged the Union Government write legislation that respect an individual’s right to privacy while also removing any obstacles to maintaining national security, conducting criminal investigations, etc.
Data Protection Laws in India
- Personal Data Protection Bill, 2022
The Right to Privacy emphasises on the importance of obtaining informed and voluntary consent from individuals before collecting and processing the data. This bill seeks to incorporate the principles of consent and purpose limitation. As per sec 7(1) [12]of the bill, “Consent of the Data Principal means any freely given, specific, informed and unambiguous indication of the Data Principal’s wishes by which the Data Principal, by a clear affirmative action, signifies agreement to the processing of her personal data for the specified purpose.”[13] According to Sec 13(1) of the relevant statute which addresses the Right to correction and erasure of personal data, “A Data Principal shall have the right to correction and erasure of her personal data, in accordance with the applicable laws and in such manner as may be prescribed.”[14]
The issue of transfer of data and the cross-border flow of the data is addressed by the bill as it imposes restrictions on the transfer of data outside India and requires additional safeguards for such transfers.
· The Information technology Act, 2000
The Act provides a legal framework for electronic governance by giving recognition to electronic records and digital signatures. It also defines cybercrimes and prescribes penalties for them. The Act directed the formation of a Controller of Certifying Authorities to regulate the issuance of digital signatures. It also established a Cyber Appellate Tribunal to resolve disputes arising from this new law.[15] It had major amendment in 2008 where Sec 66A was introduced which penalized sending “offensive messages”, Sec 69 was also introduced which allowed the authorities “interception or monitoring or decryption of any information through any computer resource”.
Section 43A (Compensation for failure to protect data): “Where a body corporate, possessing, dealing or handling any sensitive personal data or information in a computer resource which it owns, controls or operates, is negligent in implementing and maintaining reasonable security practices and procedures and thereby causes wrongful loss or wrongful gain to any person, such body corporate shall be liable to pay damages by way of compensation to the person so affected. Explanation for the purposes of this section,
(i) “body corporate” means any company and includes a firm, sole proprietorship or other association of individuals engaged in commercial or professional activities;
(ii) “reasonable security practices and procedures” means security practices and procedures designed to protect such information from unauthorised access, damage, use, modification, disclosure or impairment, as may be specified in an agreement between the parties or as may be specified in any law for the time being in force and in the absence of such agreement or any law, such reasonable security practices and procedures, as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit;
(iii) “sensitive personal data or information” means such personal information as may be prescribed by the Central Government in consultation with such professional bodies or associations as it may deem fit.”[16]
Sec 72 [17]of the Act makes it an offense to disclose any electronic record or information that was accessed during the course of one’s duties under the Act, rules, or regulations, without the consent of the person involved. If found guilty, the person can be imprisoned for up to two years, or fined up to one lakh rupees, or both.
Sec 72A [18]of the Act states that if someone accesses personal information about another person while providing services under a contract, and then shares that information with someone else without permission or against the terms of the contract, they can be imprisoned for up to three years, fined up to five lakh rupees, or both.
While the Act does control some aspects of how personal data is used on IT networks within India, it does not contain complete rules or restrictions on how personal data is processed or transferred. Instead, it places a greater emphasis on information security than data protection
Data Protection laws in India, including the Information Technology Act, 2000 and the Personal Data Protection Bill, 2022 mandate organizations to implement reasonable security practices and procedures to safeguard personal data. These laws require the adoption of appropriate technical and organizational measures to ensure data security and integrity.
Issues associated with Right to Privacy
- Balancing Privacy with Other Interests –
Right to Privacy is not an absolute right and it must be balanced with other competing interests such as national security, law enforcement, public safety and legitimate business interests. It can be difficult to strike balance between privacy and these objectives.
- Technology Advancements –
Rapid technological advancements present challenges to privacy protection. Technologies like surveillance cameras, facial recognition, data analytics, and artificial intelligence can potentially erode privacy by collecting and analysing vast amounts of personal data. Striking a balance between the benefits of technology and privacy protection becomes crucial in the digital age.
- Right to Privacy v. Right to Information –
The existence of Right to Privacy depends on how other competing rights, such as the right to free expression or other publication rights, are balanced in a particular context.
In order to prevent people from finding specific journalistic pieces about him when they Google him, someone might, for instance, seek to delink information concerning his criminal history.
This puts the individual’s right to privacy, derived from Article 21, in direct conflict with the media’s right to cover stories, derived from Article 19.
- Data Protection issues –
It would be challenging to guarantee information privacy due to the lack of comprehensive privacy legislation, the restricted applicability of data protection standards in the public sector, the narrow definition of personal sensitive data, and the absence of a comprehensive and technically sound consent system.[19]
Conclusion
Data Protection regulations have been significantly impacted by India’s acknowledgment of the right to privacy. The importance of individual autonomy, permission, and control over personal data is emphasized by the right to privacy. Aiming to secure personal data from unauthorized access, misuse and abuse, comprehensive data protection frameworks have been developed as a result of the right to privacy. Additionally, adopting and enforcing a comprehensive data protection legal framework that complies with international standards, reviewing and reforming rules, all licencing agreements, determining the appropriateness of data retention requirements, and all other licencing agreements would aid India in achieving its constitutional aims.
[1] DeCew, J. (2018) Privacy, Stanford Encyclopedia of Philosophy. Available at: https://plato.stanford.edu/entries/privacy/
[2] DeCew, J. (2018) Privacy, Stanford Encyclopedia of Philosophy. Available at: https://plato.stanford.edu/entries/privacy/
[3] Michael, M.G. and Michael, K. (2014) Uberveillance and the social implications of microchip implants: Emerging technologies. Hershey, PA: Information Science Reference.
[4] Reporter, S. (2021) HC allows woman to terminate pregnancy, The Hindu. Available at: https://www.thehindu.com/news/national/hc-allows-woman-to-terminate-pregnancy/article35691790.ece.
[5] Google Spain SL and Google Inc. v. Agencia Espaola de Protección de Datos (AEPD) and Mario Costeja González (2014).
[6] Universal declaration of human rights (no date) United Nations. Available at: https://www.un.org/en/about-us/universal-declaration-of-human-rights
[7] International Covenant on Civil and Political Rights (no date) OHCHR. Available at: https://www.ohchr.org/en/instruments-mechanisms/instruments/international-covenant-civil-and-political-rights#:~:text=Article%2017,-1.&text=No%20one%20shall%20be%20subjected%20to%20arbitrary%20or%20unlawful%20interference,against%20such%20interference%20or%20attacks.
[8] Wolford, B. (2020) Everything you need to know about the ‘right to be forgotten’, GDPR.eu. Available at: https://gdpr.eu/right-to-be-forgotten/.
[9] The Indian Express (1950) ‘Detention Act Except Sec. 14 held valid’, XVIII, 20 May, pp. 1–1.
[10] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017).
[11] Justice K.S. Puttaswamy (Retd.) & Anr. vs. Union of India & Ors. (2017).
[12] The Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology (Nov. 22, 2022), https://www.meity.gov.in/content/digital-personal-data-protection-bill-2022.
[13] The Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology (Nov. 22, 2022), https://www.meity.gov.in/content/digital-personal-data-protection-bill-2022.
[14] The Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology (Nov. 22, 2022), https://www.meity.gov.in/content/digital-personal-data-protection-bill-2022.
[15] Pawar, S. and Kolekar, Y. (2015) Essentials of Information Technology law. Notion Press.
[16] The Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology (Nov. 22, 2022), https://www.meity.gov.in/content/digital-personal-data-protection-bill-2022.
[17]The Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology (Nov. 22, 2022), https://www.meity.gov.in/content/digital-personal-data-protection-bill-2022.
[18] The Digital Personal Data Protection Bill, 2022, Ministry of Electronics and Information Technology (Nov. 22, 2022), https://www.meity.gov.in/content/digital-personal-data-protection-bill-2022.
[19] Puja (2022) [in-depth] right to privacy in India – evolution, concerns and the way forward: UPSC notes, IAS EXPRESS. Available at: https://www.iasexpress.net/in-depth-right-to-privacy-in-india-upsc/
Author: Tanishka Aggarwal
Juris Centre 