The much awaited Draft Personal Data Protection Bill, 2018 (“PDP Bill”) was issued by the Ministry of Electronics & Information Technology (“MeitY”) on August 26, 2018 for public consultation along with Justice B.N. Srikrishna committee report on ‘A Free and Fair Digital Economy – Protecting Privacy, Empowering Indians’ (“Data Protection Committee Report”). The said PDP Bill contains a lot of hot issues which have created a sensation among the industries and individuals who are going to be affected by it. One such issue which has drawn a special attention of industries and general public is ‘Right to be Forgotten’. The said right has been incorporated in the PDP Bill on verge of European Union’s data protection regime i.e. General Data Protection Regulation (“GDPR”) with some modifications.
The ‘Right to be Forgotten’, as envisage under Section 27 of PDP Bill, gives ‘data principal’1 a right to restrict or prevent continuing disclosure of his/ her personal data by ‘data fiduciary’2 . Though the language of the said right under PDP Bill is not exactly similar to that contained under GDPR but the genesis of the same has been taken from GDPR. The ‘Right to be Forgotten’ does not exist in India’s current data protection framework i.e. Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (“SPDI Rules”) which are issued under Information Technology Act, 2000.
The ‘Right to be Forgotten’ has been originated in the western countries. Its history can be traced back to the year 1995 when European Union (“EU”) enacted its first legislation on personal data protection i.e. Directive 95/46/EC (“Directives”). Though the said right was not expressly codified in the Directives but a combined reading of Article 6(1)(e) and Article 12(b) gave an inference of ‘Right to be Forgotten’. Article 6(1)(e) mandated member states that personal data shall be “kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed” while Article 12(b) gave data subject the right to rectify, erase or block the processing of personal data if the same is not in line with the Directives. The bare language of Article 12(b) is read as “Member States shall guarantee every data subject the right to obtain from the controller as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data”.
The foundation of the ‘Right to be Forgotten’ was laid down by the European Court of Justice in the case of Google Spain SL v/s Agencia Española de Protección de Datos & Mario Costeja Gonzalez3 (“Google Spain Case”). The dispute in the said case arose in the year 2010 when Mr. Costeja Gonzalez lodged a complaint against a newspaper publisher and Google with Spanish data protection agency. The case of Mr. Costeja Gonzalez was that whenever an internet user enters his name on the Google search page, link of two pages of La Vanguardia newspaper dated Jan. 19 and March 09, 1998 appears on the result page. These pages contained personal information of Mr. Costeja Gonzalez relating to an attachment proceeding for recovery of social security debt which was later resolved. In the complaint made to the data protection agency, Mr. Gonzalez requested that La Vanguardia and Google shall remove or take measures to conceal the personal data concerning him. In response, the data protection agency rejected his compliant relating to La Vanguardia newspaper as the information published was legally justified but upheld the complaint against Google as the operators of search engines were subjected to the Directives. In an appeal by Google, the European courts and the European Court of Justice held that the operators of search engines fall under the definition of ‘controller’ as envisaged under Article 2(d) of the Directives. Further, the courts also confirmed the individual’s ‘Right to be Forgotten’ if the personal data concerning him/ her is no longer needed for which it was collected.
On May 25, 2018, the EU Commission’s new legislation on data protection i.e. GDPR came into force which repealed the Directives. As per Article 3(2), the GDPR has an extra territorial application which binds some companies not being established in EU but to comply with its regulations. As opposed to the Directives, the GDPR expressly included a provision relating to the ‘Right to be Forgotten’ under Article 17 which grants ‘data subject’4 a right against the ‘controller’5 to get erased his personal data on grounds like personal data is no longer necessary to store, unlawful processing of personal data, withdrawal of consent by ‘data subject’ etc.
Though the ‘Right to be Forgotten’ is not found under SPDI Rules but there are some judicial precedents on same in India. The Gujarat High Court and the Karnataka High Court have taken a different view on ‘Right to be Forgotten’. In Dharamraj Bhanushankar Dave v/s State of Gujarat & Ors.,6 the Gujarat High Court denied any such right. In this case, the petitioner through a writ petition under Article 226 of the Constitution7 prayed before the court for restricting the disclosure of a hon‘ble court’s judgment dated 30.10.2007 published by the respondent on the internet. The case of the petitioner was that initially he was an accused of offences like criminal conspiracy, murder etc. in a complaint filed before the Jamnagar Police Station. Later on, the Sessions Court acquitted the petitioner and the same was upheld by the Division Bench of Gujarat High Court vide judgment dated 30.10.2007. Though the said judgment was non-reportable, the respondent published it on the internet which is hampering the petitioner’s personal and professional life. Referring to its rules, the Gujarat High Court held that copies of the judgment of High Court can be given to any party by the order of Assistant Registrar. Further, the court also held that the petitioner has failed to prove any violation of Article 21 of the Constitution8 and in such way the Gujarat High Court did not recognize the ‘Right to be Forgotten’.
On contrary, the Karnataka High Court on Jan. 23, 2017 in the matter of Sri Vasunathan v/s The Registrar General & Ors.,9 recognized the ‘Right to be Forgotten’. The prayer of the petitioner was to direct respondent for removal of his daughter’s name from an order dated 15.06.2015 in the digital records maintained by the respondent. The said order was in line with an FIR filed by the petitioner’s daughter against a man for offences relating to compelling her for marriage, forgery etc. and a civil suit for annulling the marriage certificate as there was no legal marriage between them. Subsequently, the parties entered into a settlement on a condition that the criminal case against the man shall be withdrawn by the petitioner’s daughter. Pursuant to that, the man filed an application under Section 482 of Code of Criminal Procedure, 1973 for quashing the said FIR and the Hon’ble High Court vide order dated 15.06.2015 allowed the application. The said order recorded the petitioner’s daughter as respondent no. 2 with her name and identity details. The petitioner contended before the court that the name wise search on search engines like google, yahoo etc. may reflect the order dated 15.06.2015 on the result page. Further, there is a high chance that the said order may affect his daughter’s relationship with her husband as well as her reputation in public domain. Considering the arguments of the petitioner and recognizing the principle of ‘Right to be Forgotten’, the Karnataka High Court directed respondent to take necessary steps to mask the name of the petitioner’s daughter in the order dated 15.06.2015. However, such request of the petitioner cannot be undertaken in case of a certified copy of the said order is applied for. Justice Anand Byrareddy disposed of the petition by concluding that:
“This would be in line with the trend in the Western countries where they follow this as a matter of rule “Right to be Forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.”
In a pending suit in the matter of Zulfiqar Ahman Khan v/s Quintillion Business Media Pvt. Ltd. and Ors.,10 the Delhi High Court in an order dated 09.05.2019 recognized the plaintiff’s ‘Right to be Forgotten’. The issue arose when two articles dated 12.10.2018 and 31.10.2018, containing harassment allegations against the plaintiff during #MeToo campaign, were published by the respondent. The court vide order dated 19.12.2018 directed respondent to take down these articles from the internet as they might cause massive injury to the plaintiff. The court also ordered that these articles would not be republished by any other person. However, it was pointed out by the plaintiff that the content of the said articles have been republished by another platform. Based on this grievance, the court ordered to restrain the re-publication of the said articles during the pendency of the suit. The court also said that the ‘Right to be Forgotten’ and the ‘Right to be Left Alone’ are the inherent facets of ‘Right to Privacy’.
Though the ‘Right to be Forgotten’ is not a settled law in India but it has been incorporated under the PDP Bill. Section 27 of the PDP Bill deals with ‘Right to be Forgotten’ which gives ‘data principal’ a right to restrict the disclosure of his/ her personal data by ‘data fiduciary’. The ‘data principal’ can exercise the ‘Right to be Forgotten’ on the grounds if (a) his personal data has served the purpose for which it was collected; or (b) he withdraws his consent for collecting his personal data; or (c) the disclosure of his personal data is in violation of any existing legislation. For exercising the said right the ‘data principal’ shall have to file an application form before the Adjudicating Officer appointed under Section 68. The power to make rules, regarding the manner in which the application is to be filed, vests with the Central Government.11
The ‘Right to be Forgotten’ under PDP Bill can only be exercised if the Adjudicating Officer satisfies that the said right overrides the Right to Freedom of Speech & Expression and the Right to Information of other citizens of India. The factors to be taken into account by the Adjudicating Officer before making any such order are sensitivity of personal data, data principal’s role in public sphere, relevance of personal data to general public etc. Further, sub-section 5 of Section 27 gives right to any person to apply for review of order of the Adjudicating Officer if it is no longer satisfying the grounds for exercising the ‘Right to be Forgotten’.
The ‘Right to be Forgotten’ has been a debated topic since the MeitY issued the PDP Bill. There are several issues that have been highlighted by the legal scholars and industrial experts with the said right. The PDP Bill has been drafted on the verge of GDPR but the meaning assigned to the ‘Right to be Forgotten’ under PDP Bill is different from that contains under GDPR. Under GDPR a ‘data subject’ can ask for erasure of his/ her personal data from the ‘controller’ on the grounds mentioned therein while such right is restricted only to prevent the continuing disclosure of personal data under PDP Bill. The ‘data principal’ under PDP Bill cannot enjoy the full removal of his/ her personal data from the database of the ‘data fiduciary’ which seems to be in contrary to the jurisprudence of the ‘Right to be Forgotten’ and Google Spain Case.
However, there is a mixed kind of opinion over deletion of personal data under ‘Right to be Forgotten’. Justice Sanjay Kishan Kaul in the case of Justice K.S. Puttaswamy (Retd.) & Anr. v/s Union of India & Ors.,12 which is also known as ‘Right to Privacy Judgment’ said that if India is to recognize ‘Right to be Forgotten’ on the verge of GDPR, it cannot be an absolute right. Such right cannot be exercised if the personal data is needed for the purpose of public interest, compliance with any legal obligation, national security, scientific and historical research etc. These conditions are exceptions to the right to privacy, including data privacy. Even the Data Protection Committee Report states that removing the information available to the public at large would infringe the individual’s right to know as well as freedom of press. Granting such absolute right may affect the public realm of information if the information is totally removed. Such right may also involve the deletion of information from private storage which might create a hurdle in publishing the information later on. Therefore, there must be a distinction between the deletion of information and restriction over disclosure of information and only the later one is possible to grant to an individual.
Though the ‘Right to be Forgotten’ does not envisage the right to erasure of personal data but Section 10 of PDP Bill puts an obligation on ‘data fiduciary’ to delete the personal data if such data is no longer required to be stored. Section 10 talks about data storage limitation and envisages that ‘data fiduciary’ shall only retain the personal data as long as it is necessary to store or for such longer period as mandatory under any law. When the purpose of processing such data is achieved then the ‘data fiduciary’ must delete the data. This provision clears the stand of PDP Bill that the deletion of personal data is not a matter of right for ‘data principal’ but it’s an obligation on ‘data fiduciaries’.
Further, ‘controller’ governing under GDPR has an obligation to inform other ‘controllers’ about exercising of ‘Right to be Forgotten’ by ‘data subject’. Such obligation comes into picture when the principal ‘controller’ makes the personal data public and other ‘controllers’ process the same. In that case, if the ‘data subject’ exercises the ‘Right to be Forgotten’ then the principal ‘controller’ shall inform the other ‘controllers’, who are processing the personal data of ‘data subject’, about deletion of any link, copy etc. of personal data.13 The same obligation is not provided under the PDP Bill. Therefore, if one of the ‘controllers’ in the above situation happens to be an Indian party, who is governed under both the GDPR and PDP Bill, then such ‘controller’ may not be able to act upon the request of the other ‘controller’. This may affect the principle of cross border transfer of personal data under GDPR and India may not be seen as a country having an adequate level of data protection by European Commission under Article 45 of GDPR.
Another issue that has come up under the PDP Bill is that for exercising the ‘Right to be Forgotten’ a ‘data principal’ has to file an application form before the Adjudicating Officer which is not the same with the other rights available to ‘data principal’. This provision has made the process of exercising the ‘Right to be Forgotten’ as lengthy and time consuming. Even in the GDPR, the ‘data subject’ can exercise the said right by simply asking the ‘controller’ to erase or remove his/ her personal data and when the ‘controller’ refuses then the ‘data subject’ can approach the ‘supervisory authority’14. Further, this provision has also created confusion over the ownership of personal data as the final decision with respect to exercising of ‘Right to be Forgotten’ remains with Adjudicating Officer.
Talking about the ownership over personal data, Section 27 under PDP Bill also gives right to a third party to apply before the Adjudicating Officer for reviewing his order granting ‘Right to be Forgotten’. Any person, who thinks that such order is not satisfying with the conditions mentioned under Section 27(1), may ask the Adjudicating Officer to review his order. This provision has also created a buzz among the individuals and the industry over the unanswered question i.e. who owns the personal data? On July 16, 2018, the Telecom Regulatory Authority of India released a recommendation paper on “Privacy, Security and Ownership of the Data in the Telecom Sector” whereby it recommended that the ownership of the data or personal information shall vest with its user and the entities controlling or processing such information are merely guardians.15 Despite these recommendations, the PDP Bill does not talk about the ownership over personal data.
Further, Section 28(2) of PDP Bill empowers ‘data fiduciary’ to charge a reasonable fee when any ‘data principal’ exercises the rights granted to him under the PDP Bill. However, the PDP Bill does not talk about the criteria for determining such fee. Such an exclusive authority to the ‘data fiduciary’ may end up in misusing the provision of this section and charging the high fee from the ‘data principal’. Therefore, there is a need to specify the criteria for determining fee under this sub-section and hopefully the final draft of Personal Data Protection Bill may address this issue.
Though the PDP Bill has been welcomed by the stakeholders as India does not have a robust data protection regime but the ‘Right to be Forgotten’ has been a point of discussion from the beginning. Currently, India does not have a settled positon over what constitutes a ‘Right to be Forgotten’ but Supreme Court has made a stand that it cannot be an absolute right. The various High Courts of the country have different views on the subject. Considering all the factors as discussed above, Data Protection Committee Report has made a point that granting right to erasure under ‘Right to be Forgotten’ can hamper the other rights of the people of India like right to know, freedom of press etc. which is to an extent is a correct position in a country like India. But as said, ‘data is a new oil’, the updated draft of Personal Data Protection Bill shall address the issues regarding ownership over the personal data, criteria for determining fee by ‘data fiduciary’ etc. otherwise it can emerge as a new arena of war.