April 28, 2022
Pulkit Chaudhary
RIGHT TO BE FORGOTTEN
Introduction
With the advancement of technology in last few decades, the businesses have reached levels which no one could have thought of. In order to reduce the burden of personnel on the miscellaneous tasks such as sending automated emails/calls, bot chats etc. the businesses are now switching to and are deploying AI (Artificial Intelligence) and ML (Machine Learning). In order to carry out these tasks, an enormous volume is data is processed which includes the personal data of the data subjects.
The world of data, data protection and compliance offer a bundle of rights to the data subjects whose data is collected and processed by the companies for betterment of the services they offer to data subjects with the ultimate motive of earing huge profits. This can range from improving the product, services, market analysis and surveys to sale and purchase of the data as data brokers or information brokers (organizations/individuals who are specialized in collecting and circulating the data for processing).
In order to deal with such a situation and retention of some control to the data by the data subjects, the European Union General Data Protection Regulation (hereinafter as “GDPR”) came up with the provisions providing substantial protection to the rights of the data subjects against the unauthorized and unlawful use of their personal data which is now has become the benchmark and grundnorm for many data protection legislations around the globe.
Some of the rights of data subjects as stated above are as follows:
? Right to access information (Article 15 of GDPR) This right enables that data subject to access the personal information provided by her to the data controller for the purpose of processing.
? Right to rectification of the information (Article 16 of GDPR): This right enables the data subject to get her information corrected/rectified if incorrectly provider by data subject or incorrectly recorded by the data controller.
? Right to restrict processing (Article 18 of GDPR): The data subject can also restrict the processing of her personal data in exceptional circumstances such as mentioned below:
i) Where there is unauthorized use of the data collected i.e., other than the purpose for which it was initially collected.
ii) Where the data processed is the inaccurate data
iii)Where the data is being processed after fulfilment of the purpose for which it was collected.
? Right to be informed (Article 12 of GDPR): The data controllers are obliged to provide the relevant information to the data subjects as and when required (for example in case of change of privacy policy/data breach etc.) or requested by the data subjects (for example-request to know the
status of complaint made to the DPO).
RIGHT TO BE FORGOTTEN UNDER THE EU GDPR
This right can also be termed as the “Right to erasure”. The right to be forgotten emerged for the very first time in a decision by European Court of Justice in the year 2014. The court observed that the data protection law of Europe enables the data subjects to question the web search engines to remove certain personal information relating to the data subjects. There are some relevant factors under which the right to erasure can be enforced by the data subjects.
The Right to be forgotten is defined under Article 17 of the GDPR as:
Right to be forgotten is the most important right available with the data subject where she can oblige the data controller to erase her personal data completely which for collected by the data controller for the purpose of processing. However, this can be exercised in the following circumstances:
i) When the data collected by the processor is not required anymore for the purposes of processing
ii) Where the erasure personal data is necessary to meet a legal obligation. iii)Where the data has been processed unlawfully.
iv) Where the data subject objects to the processing of her personal data being used for profiling for the purposes of direct marketing. v) When the processing of the personal data overrides legitimate grounds and the rights of the data subjects
vi) Where the data subject withdraws her consent given for one or more specific purposes of processing within the meaning of Article 6 (1)(a) of GDPR or where the consent is for one or more explicit and specific purposes relating to revealing of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is withdrawn within the meaning of Article 9(1)(a) of GDPR.
SITUATIONS WHERE THE RIGHT TO BE FORGOTTEN CANNOT BE EXERCISED (EXCEPTIONS)
I. Where the data is used for the purpose of exercising right to freedom of expression and information. (Article 17(3)(1) of GDPR)
II. In the case of legal obligations imposed by the state or the union law to which the controller or processor is subject to or in the case if processing activities which are undertaken in the interest of general public or while exercising the official authority vested in the data controller.
III. The right to be forgotten cannot be applied to the situation where a special category of personal data is processed in relation to and for the purposes of preventive or occupational medicine, medical diagnosis, for the assessment of the working capacity of the employee the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional. (Article 9(2)(h) of GDPR)
IV. Where processing of such personal data is necessary for healthcare like protection against cross border health threats or securing/maintaining standards of healthcare products and medical devices in compliance with the union or state laws providing for the measures safeguarding right and freedoms of the data subjects with emphasis on professional secrecy. (Article 9(2)(i) of GDPR)
V. For enforcing and defending the legal claims
VI. For the purposes of scientific or historic research or when such processing is necessary for public interest.
POSITION IN INDIA
During the last few decades, privacy was not an important issue in India. With the evolution of technology and emergence of smart devices, the amount of personal data which is being processed in order to deal with competitive markets and for providing better user experience to the data subjects, the dominance of big tech giants/ government agencies against
the data subjects and for protection of their rights, the situation called for recognizing right to privacy as a fundamental right.
Hence, addressing the issue of Privacy in the case of Justice K.S Puttaswamy v. Union of India (2017) 10 SCC 1, the Supreme Court of India came up with the observation of recognizing right to privacy as a fundamental right as part and parcel of right to life and personal liberty within the meaning of Article 21 enshrined in Part III of the Constitution
of India.
It is pertinent to mention here that the Data Protection and Privacy is not codified as of now but the Personal Data Protection Bill, 2019 (Now Data Protection Bill) was referred to Joint Parliamentary Committee and now after rounds of discussions, the bill can be tabled in the Parliament of India any time soon, most probably in the Monsoon or Winter Session.
Therefore, at present, though there is no straight jacket formula for enforcing right to privacy or right to be forgotten in particular but the same is enforced via Writ Petitions before the Constitutional Courts of India. Some of the landmark cases where the different High Courts and Hon’ble Supreme Court dealt with the right to privacy and also enforced the same, are as follows:
1) X v. HTTPS://WWW.YOUTUBE.COM/WATCH?V=IQ6K5Z3ZYS0 & Ors. (Delhi High Court)
In the aforesaid case, the Hon’ble High Court of Delhi dealt with two principles of Data Privacy namely data anonymization and right to be forgotten.
Facts of the Case
In this case, the petitioner was approached by a Movie production house and she was lured into a movie trailer which comprised of
complete frontal nudity, on promise to give her the lead role. However, the aforesaid movie project failed and was never produced. The producer of the project after some time uploaded the impugned video on YouTube which was discovered by the petitioner in December, 2020 and aggrieved by this incident, the petitioner approached Hon’ble Delhi High Court.
Observations
In the present case, it is explicit videos that are being circulated, having a clear and immediate impact on the reputation of the person seen in the videos in a state of nudity.
“Right to privacy includes the right to be forgotten and the right to be left alone as “inherent aspects”, this Court is also of the opinion that the right to privacy of the plaintiff is to be protected, especially when it is her person that is being exhibited, and against her will.”
2) W.P.(MD). No.12015 of 2021 (Madras High Court)
Facts of the Case
In this case, the accused was charged with various offences of Indian Penal Code, 1860 (IPC) where he was convicted by the trial court and was eventually acquitted by the Appellate Court on merits. However,
the petitioner in this instant case was aggrieved by the fact the although he was acquitted from the aforesaid case even then, if anybody types his name on Google search is able to access the judgment wherein his name is displayed as accused is caused damage
to his reputation. Hence, the petitioner approached Hon’ble Madras High Court for the adequate relief.
Observations
The Hon’ble High Court in this case observed that, If the essence of this Judgment [(K.S Putthaswamy (supra)] is applied to the case on hand, obviously even a person, who was accused of committing an offence and who has been subsequently acquitted from all charges will be entitled for redacting his name from the order passed by the Court in order to protect his Right of Privacy. This Court finds that there is a prima facie case made out by the petitioner and he is entitled for redacting his name from the Judgment passed by this Court in Crl.A. (MD).No.321 of 2011"
The Court also observed that, “It is also informed to this Court that a new Right called as Right to be Forgotten is sought to be included in the list of Rights that are already available under Article 21 of the Constitution of India"
3) XXX V. UNION OF INDIA AND CONNECTED MATTERS (Kerala High Court)
In a very recent development relating to Right to be forgotten under the Indian Data Protection Regime and Justice Dispensation System, the Hon’ble Kerala High Court came up with the idea of drafting Information Management Policy which could resolve the issue masking parties names in its orders and judgments which can lead to infringement to the hard -earned reputation and social status of the parties.
CONCLUSION
In the present era of digital world, social media and throat cut competition of businesses including aggressive marketing strategies, expectations from the Indian Personal Data Protection Bill, 2019 (Now Data Protection Bill) are sky high. Though the general public/ data subjects may not be much aware of the personal data, its misuses, compliance requirements or their rights relating to personal data but the Data Protection Bill of India, hopefully will address every data protection and privacy issue extensively like the GDPR. Even without any codified legislation relating to Data Protection and Privacy, the Indian Courts are brilliantly dealing with much sensitive issues of Privacy by their pro-active approach towards enforcement of Fundamental Right to Privacy of the subjects under various circumstances as discussed above.
