Kamesh Shekar is a Senior Research Associate at The Dialogue and Fellow at the Internet Society. His area of research covers informational privacy, surveillance technology, intermediary liability, safe harbour, issue of mis/disinformation on social media, AI governance etc. Prior to this, Kamesh has worked as a communication associate at Dvara Research. Kamesh holds a PGP in Public Policy from Takshashila Institution, MA in media and cultural studies and BA in social sciences from the Tata Institute of Social Sciences.
The utilisation of internet applications in India is witnessing tremendous growth. This rise in utilisation of digital means has also led to increased data generation to avail various public and private services and information access through platform businesses, overtop services etc. For instance, individuals moved toward using social media platforms more during the COVID-19 pandemic lockdown to stay connected. The concomitant effect of this development has brought privacy risks and concerns to the forefront, where it is exigent to use these services, the digital traces left behind by the individuals (in return) in the form of data are abiding. In addition to this, any information posted by a third party over the internet also remains permanent. For instance, a news article or a court judgement report remains forever on the internet.
This nature of permanency of our online presence was first contested by Mario Costeja González, who found out that the auction notice of his house from the past remained over Google Spain for a long time, causing inaccuracy in his financial status. The Spanish court referred this case to the Court of Justice of the European Union (CJEU) in 2014, where CJEU held that information that is ‘inaccurate, inadequate, irrelevant or excessive’ can be requested by an individual for removal. This verdict marks the first precedence of the “right to be forgotten” globally, followed by GDPR recognising the same.
Right to be forgotten in India: Status Quo
In India, the various High Courts and Supreme Court have deliberated on the matters related to the “right to be forgotten” in multiple instances. In 2018, the Supreme Court recognised the “right to be let alone” as a postulate of the “right to privacy” through Puttaswamy judgement II with reasonable exemptions. Many High Courts starting from Kerala (Civil Writ Petition No. 9478 of 2016), Karnataka (ABC vs The Registrar General & Ors.), Odisha (Subhranshu Rout @ Gugul vs the State Of Odisha) etc., have also recognised the “right to be forgotten”. In the recent ABC vs Union of India & Ors case, the Bombay High Court recognised the “right to be forgotten” and ordered the removal of the acquittal order from the Court’s website as pleaded. But the Bombay High Court also clarified that this judgement couldn’t set precedence as cases related to the “right to be forgotten” are contextual. In contrast, in the Dharamraj Bhanushankar Dave vs the State of Gujarat case, the Gujarat High Court did not recognise the “Right to be forgotten.”
In the affidavit filed to Delhi High Court (plea), the central government mentioned that the “right to be forgotten” is evolving concept in India and informed that the upcoming data protection regime would have provisions related to the “right to be forgotten”. The latest draft of the data protection bill (Clause 20) vests the “right to be forgotten” to individuals. The “right to be forgotten” is not an absolute right, where the bill provides exceptions and powers to Adjudicatory Officer as a decision authority. On the other hand, Rule 3 of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, mandates intermediaries to respond to user complaints within twenty-four hours and take action against content that exposes users’ private parts. While this rule doesn’t explicitly recognise the “right to be forgotten”, pragmatically, it hints the same.
Therefore, the status-quo evinces the ad-hoc and patchy recognition of the “right to be forgotten” by the judiciary and legislature in India.
Merits and demerits of the right to be forgotten
The “right to be forgotten” has various positive implications where it would help individuals with information permanency issues in the internet applications. While on another side of the coin, the same right could have various negative implications.
From a privacy perspective, the right to be forgotten vests control over personal information in the hand of individuals to frame their digital identity and integrity. For instance, this right would help individuals easily remove unlawful content like intimate information, revenge porn, inaccurate information etc. But there are various existing legal provisions under the Information Technology (Amendment) Act, 2008 to take down explicit content. Moreover, the unchecked control over information vested to individuals could cause various negative implications like misuse to paint positive imaginary.
While most of the information prevailing and collected by internet applications is not of public interest, the right to be forgotten directly impacts the right to freedom of expression and the right of businesses to the legitimate processing of data. The battle of which right prevails over others in given circumstances would cause various negative social impacts. What individuals might consider private information could have cultural and historical value. Besides, information on public figures has additional public interest and value. Therefore, a lack of appropriate safeguards and clarity our the “right to be forgotten” would cause abuse of this right at the cost of other rights.
With the Supreme Court recognising the “right to be let alone” as a postulate of the right to privacy and the central government bringing in provisions for the “right to be forgotten” within the data protection bill, it is ideal to have the following concerns addressed to avoid fall through the cracks.
Differentiating “forgotten” from “de-linking”/ “deindexing” – In most cases, Indian courts have recognised the “right to be forgotten” in terms of de-linking or deindexing from the search index while letting the information remain. Moreover, de-linking/deindexing is not technically forgotten. Therefore, it is essential to differentiate these terminologies for appropriate and proportionate application according to the circumstances.
Demarcating according to data category – The data/information pleaded by the individuals to been forgotten falls within four categories (a) data provided by us (the data principals) such as our personal information, (b) data collected by the firms through other means like data brokers and tracking etc. (c) data hosted by the third party like the search engine. (d) data published by data publishers like media and archived by data repositories like libraries. Process safeguard for exercising the right to be forgotten must be demarcated according to the data categories to ensure proportionality and suitability through law.
Harmonisation in implementation – According to the latest version of the draft data protection bill, the Adjudicatory Officer, as part of envisioned Data Protection Authority (DPA), will decide whether the “right to be forgotten” request can be granted. While an independent authority taking a decision is a step in the right direction. However, some data fall within the ambit of other regulators like RBI and ministries like the MIB, MeitY etc. Therefore, DPA must find a way to coordinate with other respective regulators and ministries while granting requests to ensure other rights are not traded off at the cost of the right to be forgotten and public interest is preserved.
Applicability of right: While de-linking/de-indexing has a limited effect on the right to freedom of expression, removing content at the .com domain level would have an international effect. Similarly, removing data/information from other jurisdictions where it is legal causes geopolitical tension. Therefore, the statute must clarify the limitation of the right to be forgotten in terms of geographical applicability. For instance, in 2014, European Court clarified that the “right to be forgotten” applies only within the boundaries of the EU.