Right to be Forgotten: An evolving fundamental right in the digital age

The Author, Parth Kaushal, is a 3rd Year, BBA.LLB student at Northcap University. He is currently interning with LatestLaws.com.

Introduction

In the age of the internet and social media, an individual’s information, public or personal is just a click away. Not only the way the information is stored, but the kind of information that is stored has also evolved. Personal information available on the internet includes more than just a person’s photograph or government documents. Thus, a data privacy breach or leak has become one of the most crucial issues that a person could face today.

In a recent judgment of the Kerala High Court[1], the division bench of Justice A. Muhamed and Mustaque and Justice Shoba Annamma Eapen observed that the Court cannot prevent the dissemination of case details in the public domain and that in the absence of legislation, the Court may recognise the right on a case to case basis.

So, what is the Right to be Forgotten?

It is the right to have your personal information removed from the public domain such as search engines, libraries etc. This right has been recognised in English Courts as well as in the European Union under the General Data Protection Regulation as a statutory right.

Background

The 1995 EU Data Protection Directive, which sets a framework for the protection of personal data in the EU, is where the right to be forgotten first emerged. This right was first recognised by the European Union’s Court of Justice in the case of Google Spain vs AEPD and Mario Costeja González[2] in which a Spanish man by the name of Mario requested the deletion of certain links related to his past that were no longer relevant. This ruling stirred controversy in different nations due to its implications for privacy laws.

The law allowed individuals to request the removal of certain personal information from search engines and other online databases, seeking to protect user data from being spread without permission. In response, many companies created stringent policies regarding user data and the storage of records. Although the ruling only applies in Europe, it has had a ripple effect throughout the rest of the world.

In April 2016, the General Data Protection Regulation (GDPR) was developed by the European Union (EU) as a regulatory framework. On May 25, 2018, it took effect, replacing the 1995 EU Data Protection Directive. The terms "data controllers" and "data processors" were introduced in the GDPR. Data processors carry out the processing on the data controller's behalf, while data controllers make the decisions regarding how personal data is handled.

The GDP places certain requirements on data processors, such as the need to keep track of their processing operations and put in place the necessary organisational and technical safeguards to ensure the security of personal data. The GDPR’s Recitals 65 and 66 and Article 17 both mention the right to be forgotten[3]. Under Article 17 individuals to whom the data appertains are granted the right to "obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially concerning personal data which are made available by the data subject while he or she was a child or where the data is no longer necessary for the purpose it was collected for, the subject withdraws consent, the storage period has expired, the data subject objects to the processing of personal data or the processing of data does not comply with other regulation".

India’s Stance

In the well-known judgment,  Justice K.S. Puttaswamy v. Union of India[4] decision, the right to be forgotten was acknowledged as a component of the right to privacy. Additionally, it was included in the Justice BN Sri Krishna Committee's proposed Personal Data Protection Bill 2018, which defined the right as the capacity of an individual to limit, erase, or otherwise remedy the disclosure of inaccurate, embarrassing, or irrelevant personal information online. The measure has not yet been passed, though. Although no statutory law provides the Right to be Forgotten, it has been upheld in several instances in Indian Courts.

In the case of Karthick Theodore v. Madras High Court (2021)[5], it was decided that an accused person has the right to have their name removed from judgements, particularly if those judgements are in the public domain.

The Orissa High Court explored the "Right to be Forgotten" as a remedy for the victims of sexually explicit recordings or images frequently put on social media for tormenting the victims in Subranshu Rout v. State of Odisha[6].

In Zulfiqar Ahmad Khan v. Quintillion Business Media Pvt. Ltd.[7], the Delhi High Court upheld a person's "Right to be Forgotten." In that instance, Plaintiff requested a permanent injunction against the Defendants who had written two articles against them as part of the #MeToo movement based on harassment claims that had been made against them. Other websites carried the news pieces in the interim, despite the Defendants' agreement to remove them. The Court ordered that any republishing of the initially challenged articles' text or any excerpts from them, as well as any modified versions of those texts, on any print or digital/electronic platform be prohibited while the current lawsuit is pending. The Plaintiff's Right to Privacy, which includes the "Right to be Forgotten" and "Right to be Left Alone," was noted by the Court.

Challenges and Way Forward

One of the biggest challenges to the implementation of this right is the right to information. Removal of one’s public records while protecting that individual’s privacy would also hamper another individual’s right to access that information, such as a journalist. It would thus affect the freedom of the press in a very significant manner, who would have to wait for the decision of the Data Protection Authority. Just as significant would be the impact on the freedom of speech and expression given under Article 19 of the Constitution of India, of any person that might choose to make any kind of content regarding information which has since been removed from any websites.

Another concern is that a too-broad scope of who can avail of the right would lead to an exponentially high amount of information being requested to be removed which would be highly impractical, for example, the personal information of a rape victim might be removed from the public domain, but what if a person convicted of a crime wants to do the same.

A significant amendment to the Constitution is required to include privacy as a basis for reasonable restriction under Article 19 (2) of the Constitution of India to implement the right to be forgotten. There is an increasing need for a data protection law which harmonizes the right to information and the right to freedom of speech and expression with a person’s right to be forgotten as well as clear guidelines to streamline the implementation of this right. With the unprecedented increase in the vulnerability of an individual’s personal information, citizens need to be given the relief to have information that is personal, or irrelevant information that causes them mental agony removed.