The “Right to be Forgotten” (RTBF) is becoming increasingly important in data privacy, mirroring the rising worries about individuals’ ability to manage their personal information in today’s digital era. The RTBF permits people to ask for their data to be removed from online platforms, preventing outdated or unnecessary information from staying on the internet forever. This particular right, first acknowledged and elaborated in the General Data Protection Regulation (GDPR) of the European Union (EU), has generated extensive worldwide discussion about its impact on privacy, freedom of speech, and the public good.[1] With the growth of digital footprints, it has become evident that tools are needed to help people control their online presence.
In India, the Right to be Forgotten (RTBF) is becoming more popular within the broader talks on improving data privacy safeguards. Currently, the nation is dealing with challenges and possibilities brought on by the digital revolution, in which personal information is now considered a valuable resource.[2] With this context in mind, India is considering the Personal Data Protection Bill (PDPB) to create a thorough data protection and privacy system, such as the Right to be Forgotten, to protect personal rights and promote a favorable atmosphere for digital innovation.[3]
The implementation of PDPB represents a significant achievement in India’s effort to establish strong data privacy laws.[4] Nevertheless, the RTBF in this context brings up several relevant inquiries. What is the best way for India to manage the conflict between individual privacy rights and the public’s rights to information?[5] What duties do data processors and controllers have in ensuring RTBF requests are met?[6] Moreover, how will the RTBF engage with the core principle of freedom of speech protected by the Indian Constitution?[7] These queries underscore the challenges of incorporating the RTBF into India’s socio-legal framework.[8]
This article aims to explore these critical queries, thoroughly examining the RTBF in the context of India’s data privacy framework. This article intends to illuminate the complex nature of the Right to be Forgotten by studying its development, data privacy laws in India, and the details of the Personal Data Protection Bill. Moreover, the article will explore the possible clashes between personal privacy and the greater good, the duties of those handling data, and the consequences of the right to express oneself.[9] The article emphasizes the importance of a balanced approach to data privacy that aligns with worldwide trends but also considers India’s socio-legal environment.
The Evolution of the Right to be Forgotten
The Right to be Forgotten (RTBF) originates from understanding the importance of safeguarding privacy as digital information becomes more widespread. The idea attracted much focus after the notable case involving Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González in 2014.[10] In this situation, the European Court of Justice (ECJ) decided that people are entitled to ask for their data to be deleted from search engine results if it is outdated, irrelevant, or excessive. The decision made the RTBF a crucial aspect of data protection in the EU, setting the stage for its incorporation into the GDPR.[11]
The RTBF was enshrined in Article 17 of the GDPR,[12] which was enforced in May 2018. According to the GDPR, people can ask for their data to be deleted by data controllers if specific criteria can be fulfilled, like when the data is no longer needed for its original purpose or if the individual revokes their consent. The RTBF provisions of the GDPR aim to strike a balance between an individual’s privacy rights and the public’s right to information access.[13] This equilibrium is shown in the exemptions of the RTBF, which covers situations such as when the information meets legal requirements or matters of public interest.
Implementing the RTBF in the GDPR has impacted data privacy regulations globally. Nations such as Argentina and Canada have included similar measures in their laws, acknowledging the significance of allowing people to manage online traces. For instance, in Argentina, the National Directorate for Personal Data Protection has provided instructions that will enable people to ask for their personal information to be removed from search engines and other internet platforms.[14] Likewise, the Office of the Privacy Commissioner in Canada has recognized the Right to Be Forgotten as a developing privacy entitlement, even though it has yet to be officially established in Canadian legislation.
Although the Right to be Forgotten is becoming more widely accepted, it has faced criticism and obstacles. Critics claim that the right to be forgotten may clash with an individual’s fundamental freedom of speech and the public’s right to obtain information. Careful consideration of these conflicting rights is needed to ensure that removing personal data under the RTBF does not excessively limit the dissemination of information for the public good. Furthermore, enforcing the RTBF poses considerable challenges due to technical and practical issues, such as identifying data controllers’ jurisdiction and managing data flows across borders.[15]
The development of the RTBF represents the more significant shift towards acknowledging and improving personal privacy rights in the digital era. As data privacy regulations progress, the Right to be Forgotten is expected to become more significant in allowing people to control their online personal data. Policymakers and regulators must ensure that the Right to Be Forgotten is executed to respect privacy while also upholding other essential rights and interests, creating a digital space that honors individual autonomy and promotes the free flow of information.
The Right to be Forgotten in India
The Right to be Forgotten (RTBF) is becoming a notable element of India’s developing data privacy landscape. The unveiling of the Personal Data Protection Bill (PDPB) in 2019 represents a significant move in setting up thorough data protection regulations in India, reflecting international patterns in acknowledging and safeguarding personal privacy rights.[16] The PDPB, taking cues from the GDPR of the European Union, contains clauses focusing on the RTBF, emphasizing its significance in the broader context of data protection.
The PDPB outlines the RTBF as the right for a data fiduciary to limit or stop the release of personal information if it is no longer needed, has fulfilled its original purpose, or if the individual revokes their consent.[17] The bill allows people to ask for their data to be taken off online platforms as long as specific requirements are fulfilled. These situations involve cases where the data has become outdated, incorrect, or no longer needed for the original processing purposes. Nonetheless, the Data Protection Authority (DPA) closely monitors the enforcement of this right to ensure that the exercise of the RTBF respects the rights of others and complies with legal responsibilities.[18]
Implementing RTBF in PDPB poses multiple challenges. Balancing the RTBF with other fundamental rights, like freedom of speech and expression, is a significant challenge. The rights are protected by Article 19 of the Indian Constitution,[19] and regulations on data must respect these protections to prevent conflicts. Indian courts have already started dealing with these concerns in different cases, as individuals have requested to delete online material they find damaging or insignificant. In a significant decision, the Karnataka High Court acknowledged the Right to Be Forgotten (RTBF) in 2017 by directing the deletion of a person’s name from a public judgment to safeguard their privacy. Instances like these demonstrate how the courts’ perspective on the RTBF is changing and the possible clashes it may have with the public’s access to information.
Moreover, the duties of data processors and controllers in carrying out the RTBF are significant. The PDPB requires data fiduciaries to implement measures to fulfill RTBF requests, which can require substantial technical and administrative work. This involves confirming the authenticity of the requests, pinpointing the appropriate information, and guaranteeing its deletion from all relevant platforms and records.[20] The expenses and operational difficulties linked with these procedures could be significant, especially for smaller businesses and new companies needing more resources from prominent organizations.
The RTBF also has ramifications for the business landscape in India. Businesses in the digital realm, like social media sites, search engines, and online stores, must adjust their data handling methods to adhere to RTBF regulations. This adjustment could involve revising their data policies, investing in new technology for handling data deletion requests effectively and providing compliance training for employees. Although the primary goal of these modifications is to improve personal privacy, they also provoke worries regarding how they might affect business processes and creativity.[21]
India’s social and legal environment adds to the challenges of implementing the RTBF. Due to differences in digital literacy and access levels in the country, implementing RTBF must consider the diverse and ever-changing digital environment.[22] Policymakers must tackle the critical challenge of enabling all individuals to exercise their RTBF, regardless of their digital skills.
In summary, the Right to Be Forgotten (RTBF) in India’s data privacy laws is a vital move towards giving people the power to manage their data in the digital era. Nonetheless, achieving its successful execution necessitates a precise balance between privacy rights and freedom of expression, the creation of solid compliance methods for data trustees, and an awareness of India’s distinct socio-legal atmosphere. As the PDPB undergoes legislative examination, these factors will be crucial in influencing the future of data privacy in India.
Individual Privacy vs. Public Interest
The debate on the Right to be Forgotten (RTBF) in India focuses on the clash between personal privacy and the common good. The central issue in this discussion lies in the struggle to balance individuals’ right to manage their data and society’s right to access information for transparency and knowledge. Privacy for individuals is a primary right acknowledged by the Indian Constitution in Article 21,[23] which ensures the right to life and personal liberty. The Supreme Court confirmed this in essential cases like Justice K.S. Puttaswamy v. Union of India,[24] affirming privacy as a constitutional right. Within this privacy framework, the RTBF permits individuals to ask for the deletion of personal data that is outdated, irrelevant, or harmful. This enables people to safeguard their digital identities and stop the abuse of their data.
On the other hand, public interest includes the shared entitlement to information access, which is necessary for a democratic society to operate effectively. This covers the right to freedom of speech and expression as stated in Article 19(1) (a) of the Indian Constitution.[25] The RTBF might clash with this right by limiting access to information of public importance. For example, knowledge regarding public figures, previous illegal behavior, or historical occurrences can be crucial for open discussion, responsibility, and openness. Deleting this information can hinder the freedom of the press, academic studies, and the public’s right to know.
Achieving a balance between these conflicting interests necessitates a subtle approach. The PDPB aims to tackle this issue by including clauses enabling the RTBF under certain circumstances while safeguarding the right to information.[26] The DPA is essential in balancing the task of analyzing RTBF requests and overseeing that data removal complies with public interest and legal duties.[27]
The balance is also greatly influenced by how the judiciary interprets laws. Courts have started to deal with these conflicts, as demonstrated in several judgments where they have considered the balance between individual privacy and the public’s right to information. These choices emphasize the importance of evaluating each situation individually to avoid disproportionately impacting either right.[28] Ultimately, the relationship between personal privacy and societal benefit regarding the Right to Be Forgotten emphasizes the intricate nature of safeguarding information in today’s digital era, requiring a delicate and fair method to protect privacy and transparency.
Responsibilities of Data Processors
- Compliance with RTBF Requests.[29]
- Data Removal and Deletion.[30]
- Transparency and Communication.[31]
- Documentation and Record-Keeping.[32]
- Collaboration with the Data Protection Authority.[33]
- Technical and Organizational Measures.[34]
- Balancing Rights and Interests.[35]
These responsibilities underscore the critical role of data processors in safeguarding individual privacy while ensuring compliance with legal and regulatory frameworks.
Global Trends and Local Adaptations
The Right to be Forgotten (RTBF) is becoming more popular worldwide as countries find unique ways to incorporate this right into their legal systems. The EU has led the way in RTBF laws through its GDPR. According to the GDPR, people can ask for their data to be deleted if it is no longer needed, processed illegally, or if they no longer give their consent.[36] The GDPR establishes a stringent criterion for safeguarding data, weighing the RTBF against freedom of speech and the public’s access to information.
Countries like Argentina and Canada have also acknowledged the RTBF outside the EU. In Argentina, individuals can ask the National Directorate for Personal Data Protection to delete personal data from search engines and online platforms.[37] Canada recognizes the right to be forgotten as a developing privacy right despite not formally recognizing it, and the Office of the Privacy Commissioner has pushed for enhanced privacy measures that may include elements of the right to be forgotten. These global customs offer a valuable resource for nations seeking to introduce equivalent rights through comparison analysis.
A comparison shows that although the RTBF is well-known, its application differs significantly in different areas. The EU’s strategy is defined by thorough laws and strict enforcement methods, offering strong safeguards for personal privacy. On the other hand, Argentina and Canada have implemented more adaptable structures that highlight the situational use of the RTBF. The range of ways it is implemented provides essential insights for India, underscoring the need to customize the RTBF to suit each nation’s distinct legal and cultural environment.[38]
India can learn several lessons from these international approaches. Establishing clear legal definitions and criteria for the Right to Be Forgotten is crucial to prevent confusion and guarantee uniform enforcement. Effective enforcement methods, such as creating autonomous regulatory agencies like the Data Protection Authority (DPA) outlined in the Personal Data Protection Bill (PDPB), must supervise Right to Be Forgotten requests and weigh them against other vital rights. Finally, as demonstrated in the EU, by enhancing public knowledge and understanding of data privacy rights, individuals can be empowered to utilize their RTBF and other privacy safeguards actively.
Implementing worldwide RTBF principles in regional contexts calls for a sophisticated strategy. The PDPB must consider India’s specific social and economic circumstances and legal environment when addressing the RTBF. For instance, running public awareness initiatives designed for various linguistic and cultural settings can help close the gap in digital literacy. Moreover, the regulatory structure must be tailored to fit the requirements of small and medium-sized enterprises (SMEs) and startups, as they may need more resources to adhere to the strict data protection standards in more advanced economies.
Conclusion
Introducing the Right to be Forgotten (RTBF) in India’s changing data privacy landscape highlights a crucial moment in the trade-off between personal privacy and public interest. While discussing the Personal Data Protection Bill (PDPB), it is essential to carefully consider global examples and India’s specific socio-legal environment when including the Right to Be Forgotten (RTBF). The goal of the PDPB is to establish a robust system for safeguarding data that matches global patterns, specifically the GDPR, which has established a stringent requirement for enforcing the right to be forgotten.
Nevertheless, implementing the RTBF in India presents substantial obstacles. Ensuring a balance between privacy rights, freedom of speech, and public information access is crucial. The judiciary will be essential in interpreting and enforcing these rights amidst this complex terrain. The responsibilities of data processors and controllers emphasize the operational and technical difficulties of meeting RTBF requests, especially for small businesses.
Taking cues from worldwide examples, India should create precise legal definitions and standards for the right to be forgotten, paired with strong enforcement measures. Creating public awareness campaigns that cater to India’s wide variety of languages and cultures is crucial for bridging the digital literacy gap and enabling people to assert their privacy rights effectively. Moreover, the regulatory framework needs to consider the requirements of small and medium enterprises and new businesses, ensuring they can meet the regulations while promoting innovation.
To sum up, the Right to Be Forgotten (RTBF) protects people’s online privacy rights. The key to its effective incorporation into India’s data privacy system lies in maintaining a balanced approach that respects personal autonomy and upholds public interest and freedom of expression. As the PDPB goes through the legislative process, it is essential to carefully consider these factors to develop a data protection regime that is thorough and successful while also acknowledging international norms and local differences.
[1] “European Union. Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), 2016 O.J. (L 119) 1.”
[2] “Justice K.S. Puttaswamy (Retd.) v. Union of India, (2017) 10 S.C.C. 1 (India).”
[3] “Indian Ministry of Electronics and Information Technology. Personal Data Protection Bill, 2019, Bill No. 373 of 2019.”
[4] “Press Release, Indian Ministry of Electronics and Information Technology, Report by the Committee of Experts on Data Protection under the Chairmanship of Justice B.N. Srikrishna (July 27, 2018).”
[5] “Indian Ministry of Electronics and Information Technology. White Paper of the Committee of Experts on a Data Protection Framework for India (2017).”
[6] “European Union Agency for Fundamental Rights. Handbook on European Data Protection Law, Publications Office of the European Union, 2018.”
[7] “Article 29 Data Protection Working Party. Guidelines on the Implementation of the Court of Justice of the European Union Judgement on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12, 2014.”
[8] “Ashwinee Kumar, The Right to Be Forgotten in Digital Age: A Comparative Study of the Indian Personal Data Protection Bill, 2018 & the GDPR, 2 Shimla L. Rev. 45 (2019).”
[9] “Sunil Abraham & Elonnai Hickok. The Right to be Forgotten: An Analysis of the Concept, 10 J. Indian L. & Soc’y 1 (2019).”
[10] “Supra Note 7.”
[11] “Meg Leta Jones, Ctrl Z: The Right to Be Forgotten 11–17 (2016).”
[12] “Council Regulation 2016/679, art. 17, 2016 O.J. (L 119) 1.”
[13] “Martine Reicherts, The Right to Be Forgotten and the EU Data Protection Reform: Why We Must See through a Distorted Debate and Adopt Strong New Rules Soon, European Commission Press Release Database (Aug. 18, 2014).”
[14] “Martine Reicherts, The Right to Be Forgotten and the EU Data Protection Reform: Why We Must See through a Distorted Debate and Adopt Strong New Rules Soon, European Commission Press Release Database (Aug. 18, 2014).”
[15] “S. Bennett, The ‘Right to Be Forgotten’: Reconciling EU and US Perspectives, 30 Berkeley J. Int’l L. 174 (2012).”
[16] “Prashant Mali, The Right to Be Forgotten: A New Privacy Right in India?, 2019.”
[17] “Apar Gupta, a Primer to the Personal Data Protection Bill, 2019.”
[18] “Personal Data Protection Bill, No. 373 of 2019, India.”
[19] “India Const. art. 19.”
[20] “Supra Note 11.”
[21] “Supra Note 18.”
[22] “Freeman, Google Embraces Version of Right to Be Forgotten, N.Y. Times, May 14, 2014, at B1.”
[23] “India Const. art. 21.”
[24] “Supra Note 2.”
[25] “India Const. art. 19, cl. 1(a).”
[26] “Jannah McCarville, Balancing Access and Privacy in Archives: New Challenges in the Face of Canadian Privacy Legislation, 50 Feliciter 149 (2004).”
[27] “International Federation of Library Associations and Institutions, Background: The Right to Be Forgotten in National and Regional Contexts.”
[28] “Carlton, Should There Be a Right to Be Forgotten? Librarians Debate EU Privacy Laws at Midwinter, ALA Midwinter Meeting (2014).”
[29] “General Data Protection Regulation 2016/679, art. 17, 2016 O.J. (L 119) 1 (EU).”
[30] “General Data Protection Regulation 2016/679, art. 28(3) (g), 2016 O.J. (L 119) 1 (EU).”
[31] “General Data Protection Regulation 2016/679, art. 12, 2016 O.J. (L 119) 1 (EU).”
[32] “General Data Protection Regulation 2016/679, art. 30, 2016 O.J. (L 119) 1 (EU).”
[33] “General Data Protection Regulation 2016/679, art. 31, 2016 O.J. (L 119) 1 (EU).”
[34] “General Data Protection Regulation 2016/679, art. 32, 2016 O.J. (L 119) 1 (EU).”
[35] “General Data Protection Regulation 2016/679, art. 28(3) (e), 2016 O.J. (L 119) 1 (EU).”
[36] “Supra Note 29.”
[37] “Eduardo Ustaran, “Global Data Privacy: Argentina,” Data Guidance (2020).”
[38] “David Fraser, “The Right to be Forgotten in Canada,” McInnes Cooper (Oct. 2, 2018)”
Author: Chinmay Oza
Juris Centre 