
June 18, 2025
The Evolving Landscape of the Right to Be Forgotten in India: A Deep Dive into Case Law and Statutory Developments

 

In our increasingly digital world, information, once published, can remain accessible indefinitely, creating what some call a “permanent atmosphere” of suspicion or prejudice. This permanence often clashes with an individual’s desire to move past old information, mistakes, or past legal proceedings, giving rise to the concept of the “Right to Be Forgotten” (RTBF). In India, this right, though not explicitly codified for a long time, has seen significant legal and statutory evolution, primarily stemming from its connection to the fundamental Right to Privacy.

Judicial Recognition: Paving the Way for the Right to Be Forgotten

The journey of the Right to Be Forgotten in India began with various petitions seeking its application, drawing parallels from cases like Google Spain SL. Early petitions included Parvez Hayat v UOI, Laksh Vir Singh Yadav v UOI before the Delhi High Court, and Sunil Jacob v UOI before the Kerala High Court.

A landmark case in this regard was Zulfiqar Ahman Khan v Quintillion Businessman Media Pvt Ltd, where the Delhi High Court granted interim relief. The plaintiff argued that the republication of two articles irreparably hampered his personal and professional life. The court noted that the original publisher had already agreed to remove the articles and directed that they ought not to be republished on multiple electronic/digital platforms. Crucially, the court recognized the plaintiff’s Right to Privacy, of which the ‘Right to be forgotten’ and the ‘Right to be left alone’ are inherent aspects. The court restrained any republication of the impugned articles or their extracts on any print or digital platform during the suit’s pendency. Furthermore, the plaintiff was permitted to communicate this order to search engines and other platforms to ensure the content was not republished. If platforms failed to remove content within 36 hours, the plaintiff could approach the court or authorities under the Information Technology Act.

Another significant case, Jorawer Singh Mundy @ Jorawar Singh Mundy v UOFS, involved a petitioner acquitted of charges. Recognizing the irreparable prejudice to his social life and career prospects, the court granted interim protection. It directed Respondents 2 and 3 to remove the judgment from their search results, and Indian Kanoon (Respondent No. 4) to block the judgment from being accessed by search engines like Google/Yahoo until the next hearing.

While courts recognized the right, the Subhranshu Rout v State of Odisha case saw the High Court of Orissa noting that there was no statute explicitly recognizing the ‘right to be forgotten’ at the time, though it was in sync with the right to privacy. The court also observed that India’s first legal framework for privacy, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, failed to address the ‘right to be forgotten’. The Karnataka High Court, in an unnamed case, also acknowledged the ‘right to be forgotten’, particularly in sensitive cases involving women or rape, aligning with trends in Western countries. In XXX v UOI, the Kerala High Court directed the Registry to mask the name and address of the petitioner in the cause title of its order.

A powerful argument for the Right to Be Forgotten was articulated by Sanjay Kishan Kaul J in KS Puttaswamy’s case, stating that an individual’s right to control personal data and life encompasses the right to control their existence on the internet. However, this right is not absolute. He highlighted the permanence of information in the digital age, contrasting it with the pre-digital era where mistakes could be forgotten over time. He argued that people evolve and are entitled to reinvent themselves, and privacy nurtures this ability by removing the shackles of past mistakes. He also stressed the special protection required for children’s privacy due to their perpetual digital footprints. Importantly, he emphasized that this right to control personal information should not amount to a total erasure of history and must be balanced against other fundamental rights like freedom of expression or freedom of media, which are crucial for a democratic society. The European Union Regulation of 2016 also recognized RTBF, meaning that an individual who no longer wants their data processed should be able to have it removed if it is no longer necessary or relevant, is incorrect, or serves no legitimate interest. However, this right cannot be exercised if the information is necessary for freedom of expression, compliance with legal obligations, public interest, or legal claims.

The Delhi High Court, in ABC v State, reinforced that the right to privacy is a fundamental right under Article 21 of the Constitution, and the concept of RTBF is incorporated within it. The court stated that allowing individuals cleared of guilt to be haunted by easily accessible accusations contradicts their right to privacy, which includes RTBF and the right to live with dignity. Accordingly, the registry was directed to remove the names of the petitioner and Respondent No. 2 from records and search results, using masked names like ‘ABC’ and ‘XYZ’ instead. Concerned portals and search engines were also permitted to be approached to mask the judgment regarding the parties’ names.

Statutory Developments: A Roller-coaster Ride

Following the Puttaswamy judgment, legislative efforts began to formalize data protection and the Right to Be Forgotten.

  1. Personal Data Protection Bill, 2018: This bill introduced Section 27, specifically titled “Right to Be Forgotten”. It allowed a “data principal” (the natural person to whom personal data refers) to restrict or prevent continuous disclosure if the purpose of disclosure had been served, consent was withdrawn, or it was made contrary to law. This right was enforceable only upon an order from an Adjudicating Officer, who would determine if the data principal’s rights and interests in preventing disclosure override the right to freedom of speech and expression and the right to information. The officer would consider factors like data sensitivity, scale of disclosure, the data principal’s role in public life, the data’s relevance to the public, and the data fiduciary’s activities.
  2. Personal Data Protection Bill, 2019: Introduced in Lok Sabha, this bill presented Section 20, also titled “Right to Be Forgotten”. It streamlined some language but maintained similar grounds for restriction (purpose served/no longer necessary, withdrawn consent, or unlawful disclosure). Enforcement still required an Adjudicating Officer’s order, again contingent on the data principal demonstrating that their interest in preventing disclosure overrode the right to freedom of speech and expression and the right to information of others. The factors for consideration by the Adjudicating Officer remained largely consistent.
  3. Data Protection Bill, 2021: This re-christened bill proposed an amended Section 20, further extending the scope of the data principal’s right to restrict “continuing processing” of personal data, in addition to disclosure. The conditions for exercising the right and the Adjudicating Officer’s role and considerations remained largely the same, including the crucial balancing act with freedom of speech/expression and information, and the data fiduciary’s right to retain/process data.
  4. Digital Personal Data Bill 2022 and DPDP Act, 2023: In a significant shift, the Data Protection Bill, 2021, was withdrawn in July 2022. The subsequent Digital Personal Data Bill 2022 and the Digital Personal Data Protection (DPDP) Act, 2023, made no mention of the ‘right to be forgotten’. Instead, they confined themselves to the ‘right to correction and erasure of personal data’. Section 13 of the draft Bill 2022 (and Section 12 of the DPDP Act, 2023) granted data principals the right to correct inaccurate, incomplete, or outdated personal data, and to erase data no longer necessary for its purpose, unless retention was legally required. This non-inclusion of the ‘right to be forgotten’ in the latest draft and Act is seen as “statutory backtracking”, as previous drafts had consistently treated both ‘right to erasure’ and ‘right to be forgotten’ as enforceable rights. Furthermore, the enforcement mechanism shifted from “adjudication” before an Adjudicating Officer to “grievance redressal” before the Data Protection Board of India.

In conclusion, while Indian courts have consistently recognized and applied the Right to Be Forgotten as an inherent aspect of the Right to Privacy, particularly for individuals seeking to move on from past legal issues or harmful online content, the legislative journey has been more complex. After several attempts to codify it explicitly, the latest data protection law in India has opted for a ‘right to correction and erasure’ instead, leaving the explicit “Right to Be Forgotten” to be navigated primarily through judicial precedents and their interpretation.


FAQs on Right to be forgotten in India by Ajay Sharma, Cyber lawyer, CorpoTech Legal
