Privacy in the Age of Permanent Memory: Analysing the Delhi High Court’s Right to Be Forgotten Judgment

This is a guest post from  M.G. Kodandaram, IRS.

Introduction

The internet was conceived as an unparalleled repository of information, a medium capable of preserving knowledge indefinitely and making it universally accessible. While this technological advancement has transformed governance, commerce, education and public discourse, it has simultaneously created an unprecedented challenge for constitutional democracies. Unlike human memory, which naturally fades with the passage of time, digital memory is virtually permanent. Information once uploaded to the internet can remain searchable, replicable and retrievable indefinitely, irrespective of whether it continues to serve any legitimate public purpose.

This phenomenon has fundamentally altered the relationship between PRIVACY AND INFORMATION. In the pre-digital era, judicial proceedings, newspaper reports and public records were undoubtedly accessible, but practical obscurity often limited their reach. Access generally required a deliberate search through physical archives or official repositories. Today, however, sophisticated search engines, algorithmic indexing and digital legal databases have eliminated this natural limitation. A person’s entire litigation history may appear within seconds merely by typing their name into a search engine, regardless of the outcome of the proceedings or the passage of time.

The permanence of digital memory has consequently transformed reputation into a perpetual burden. Individuals who have been acquitted of criminal charges, discharged from prosecution, parties to matrimonial disputes that have long since been resolved, or persons whose names appeared only incidentally in judicial proceedings often continue to suffer adverse professional, social and personal consequences because search engines relentlessly reproduce historical records without regard to their present relevance. Employers, financial institutions, educational institutions and even prospective matrimonial alliances frequently rely upon internet searches, allowing past litigation to overshadow an individual’s present identity.

This technological reality presents a profound constitutional question. Does the constitutional guarantee of life and personal liberty under Article 21 of the Constitution merely protect an individual’s physical existence and informational privacy, or does it also protect the individual’s right not to be perpetually judged by digital records that have lost their contemporary relevance? Stated differently, can constitutional privacy coexist with an internet that never forgets?

These questions lie at the heart of what has come to be known globally as the “Right to Be Forgotten”(herein after ‘RTBF’ for brevity). Far from being a right to erase history, it represents an attempt to reconcile technological permanence with the constitutional values of dignity, autonomy and rehabilitation. It seeks to ensure that individuals are not forever defined by events that the law itself has recognised as concluded, resolved or legally insignificant.

The importance of these issues has increased exponentially with the rapid digitisation of judicial records. Courts across India have embraced electronic filing, digital case management systems and online publication of judgments to enhance transparency and improve access to justice. Simultaneously, commercial search engines and private legal databases have indexed these judicial records, making them instantly discoverable through simple name-based searches. While these developments have undoubtedly strengthened the principle of open justice, they have also exposed individuals to a form of perpetual digital visibility that traditional legal systems never anticipated.

Against this backdrop, the Delhi High Court, in its landmark judgment dated 29 May 2026 in W.P.(C) No. 1021 of 2016 and connected matters, has delivered what is arguably the most comprehensive judicial exposition of the RTBF in Indian constitutional jurisprudence. Deciding a consolidated batch of more than thirty writ petitions, Justice Sachin Datta has crafted a detailed constitutional framework that seeks to harmonise competing constitutional values, such as – privacy, dignity, open justice, freedom of speech and the public’s right to know.

The significance of the judgment extends far beyond the individual petitions before the Court. For the first time, an Indian constitutional court has comprehensively examined the concepts of de-indexing, masking of judicial records, intermediary obligations, algorithmic amplification and proportionality in determining when personal information should continue to remain readily accessible through internet search engines. More importantly, the judgment recognises that the constitutional debate is no longer between privacy and transparency alone; it is equally about the consequences of technology transforming public records into permanently searchable digital identities.

This article critically analyses this landmark decision, its constitutional foundations, the legal principles formulated by the Court, the balancing framework adopted for competing rights, and its likely implications for individuals, intermediaries, courts and policymakers.

The Evolution of the Right to Be Forgotten

Although the expression ” RTBF” has gained prominence only during the last decade, the underlying principles are deeply rooted in constitutional notions of privacy, dignity and individual autonomy. The right does not originate from any desire to rewrite history or suppress truthful information. Rather, it recognises that every individual should have the opportunity to move beyond past events when continued digital dissemination no longer serves any legitimate public interest.

The philosophical foundation of the right may be traced to the broader concept of informational self-determination, i.e., the principle that individuals should possess a reasonable degree of control over the dissemination and accessibility of personal information concerning them. As digital technologies increasingly blurred the distinction between public information and permanent public exposure, courts across several jurisdictions began to recognise that unrestricted digital accessibility could itself become an invasion of privacy.

Internationally, the concept acquired prominence through the judgment of the Court of Justice of the European Union in Google Spain SL v. Mario Costeja González (Case C-131/12), where the Court recognised that individuals may, in appropriate circumstances, require search engines to remove links connecting their names with outdated or irrelevant information. Subsequently, the European Court of Human Rights, particularly in Hurbain v. Belgium (Grand Chamber, Application No. 57292/16), further explored the balance between privacy, freedom of expression and the preservation of historical archives. English courts likewise examined these competing interests in NT1 & NT2 v. Google LLC, [[2018] EWHC 799 (QB)] demonstrating that the right is inherently contextual and dependent upon proportionality rather than absolute entitlement.

Indian constitutional jurisprudence, however, has developed along an independent trajectory. The turning point was the celebrated nine-Judge Constitution Bench decision in Justice K.S. Puttaswamy (Privacy-9J.) v. Union of India, [(2017) 10 SCC 1], which unequivocally recognised privacy as an intrinsic component of Article 21. While the majority judgments primarily addressed informational privacy and decisional autonomy, Justice Sanjay Kishan Kaul’s concurring opinion made a particularly significant observation regarding digital permanence. He recognised that unlike ordinary human memory, the internet retains information indefinitely and that constitutional privacy may, in appropriate circumstances, require recognition of a limited ” RTBF.”

Justice Kaul’s observations proved remarkably prescient. As digitisation accelerated, several High Courts were confronted with petitions from individuals seeking removal or anonymisation of judicial records available on digital platforms. The Kerala High Court in Vysakh K.G. v. Union of India [2022 SCC OnLine Ker 7337] acknowledged the emerging significance of the doctrine, while the Karnataka High Court in XXXX v. High Court of Karnataka [2024 SCC OnLine Kar 18] considered requests for anonymising judicial records in appropriate circumstances. Although these decisions recognised the importance of privacy, they largely addressed individual factual situations and stopped short of evolving a comprehensive constitutional framework.

Meanwhile, Parliament enacted the Digital Personal Data Protection (DPDP) Act, 2023. Although the legislation recognises a right to erasure in certain circumstances, it does not comprehensively address the unique issues arising from judicial records, public archives, search engine indexing or the constitutional principle of open justice. Consequently, significant gaps remained regarding the extent to which constitutional privacy could limit the digital accessibility of court records.

It was against this evolving constitutional landscape that the Delhi High Court was called upon to determine whether the RTBF could be meaningfully operationalised within the Indian legal system.

Digital Privacy Challenge Before the Delhi High Court

The petitions before the Delhi High Court arose from a common, yet increasingly widespread grievance. The petitioners belonged to diverse backgrounds, but each faced continuing hardship because judicial records bearing their names remained readily accessible through internet search engines and legal databases.

Some petitioners had been acquitted after criminal trials. Others had obtained discharge, quashing of criminal proceedings or compounding of offences. Several petitioners had been parties to matrimonial disputes that had been amicably resolved years earlier. In certain cases, individuals were not even parties to the litigation but found themselves identified within judicial orders because of incidental references.

Although the legal proceedings had concluded, internet searches continued to retrieve these judicial records prominently. The petitioners contended that the resulting digital permanence had adversely affected employment opportunities, professional advancement, educational prospects, matrimonial alliances, personal relationships and social standing. They argued that the constitutional protection of dignity under Article 21 should prevent individuals from being indefinitely burdened by historical litigation that no longer possessed any contemporary public significance.

The respondents reflected the multidimensional nature of the dispute. Besides the Union of India through the Ministry of Electronics and Information Technology (MeitY), the proceedings involved Google LLC and its Indian entities, Indian Kanoon (iKanoon Software Development Private Limited), X Corp., media organisations and other intermediary platforms responsible for indexing or disseminating judicial records.

Accordingly, the litigation extended well beyond conventional constitutional adjudication. It simultaneously involved questions relating to informational privacy under Article 21, intermediary liability under the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, freedom of speech and expression under Article 19(1)(a), the constitutional principle of open justice, and the responsibilities of digital platforms in the age of algorithmic search.

Unlike earlier decisions that had addressed isolated factual scenarios, the Delhi High Court was confronted with the need to formulate a principled and operational framework capable of governing future disputes. The Court therefore recognised that the real issue was not whether judicial records should remain public, they undoubtedly should, but whether unrestricted name-based digital searchability constituted an inevitable and constitutionally protected consequence of the principle of open justice.

It is this distinction that ultimately became the intellectual foundation of one of the most significant privacy judgments delivered by an Indian constitutional court.

Reconciling Privacy, Open Justice and Digital Searchability

The Delhi High Court’s judgment is remarkable not merely because it recognises the RTBF, but because it constructs a carefully calibrated constitutional framework capable of balancing multiple competing rights and public interests. Rather than treating privacy as an absolute entitlement or open justice as an inflexible doctrine, the Court adopts a nuanced proportionality-based approach that seeks to preserve both constitutional values while acknowledging the transformative impact of digital technology.

The judgment proceeds on the premise that the constitutional challenge presented by the digital age is fundamentally different from those encountered in the era of physical records. Judicial proceedings have always been public, and court records have historically remained accessible. What has changed is not the openness of judicial proceedings but the technological ability of commercial search engines to retrieve, aggregate and amplify personal information instantly through simple name-based searches. Consequently, the Court’s analysis centres not upon whether judicial records should remain public, but whether unrestricted digital searchability constitutes an indispensable component of the constitutional principle of open justice.

Informational Privacy as a Constitutional Right

The Court commences its analysis by reaffirming the constitutional status of informational privacy under Article 21 of the Constitution. Relying extensively upon the nine-Judge Bench decision in Justice K.S. Puttaswamy (Retd.) v. Union of India, the Court observes that privacy is no longer confined to physical spaces or bodily autonomy. It extends equally to an individual’s control over the collection, dissemination and accessibility of personal information.

Informational privacy recognises that personal data constitutes an extension of individual personality and dignity. Every person possesses a legitimate expectation that information relating to his or her life will not be disseminated indefinitely without adequate justification. This expectation assumes even greater significance where technological developments have rendered information permanently accessible through digital platforms.

The Court accepts the observations of Justice Sanjay Kishan Kaul in Puttaswamy that while human memory naturally fades with time, the internet possesses no comparable mechanism of forgetting. Search engines preserve and reproduce historical information indefinitely, frequently without regard to subsequent developments or changes in legal status. Consequently, an acquitted individual may continue to be publicly associated with criminal allegations long after the judicial process has conclusively established innocence. Similarly, matrimonial disputes resolved years earlier may continue to dominate internet search results, despite having lost all contemporary significance.

The Court therefore holds that the RTBF is not an independent constitutional right but a natural extension of informational privacy. It enables individuals, in appropriate circumstances, to seek protection against disproportionate and continuing digital dissemination of personal information that no longer serves a legitimate public interest.

Importantly, however, the Court emphasises that this right does not authorise the rewriting of history or the destruction of public records. Constitutional privacy protects individuals against unnecessary digital perpetuation of past events; it does not extinguish historical truth or erase judicial decisions from the public domain.

Privacy and Open Justice

One of the judgment’s most significant doctrinal contributions lies in its rejection of the commonly assumed conflict between privacy and open justice.

The respondents argued that judicial proceedings are public proceedings and that judgments, once pronounced, become part of the public record. Since open justice constitutes a fundamental principle of constitutional democracy, any attempt to restrict public access to judgments would undermine judicial transparency and public confidence in the administration of justice.

The Court accepted the central importance of open justice but rejected the premise that unrestricted digital searchability is synonymous with public access.

Historically, judicial records were accessible because courts-maintained archives that could be inspected by parties, lawyers, researchers and members of the public having a legitimate interest. Accessibility required a conscious effort. The practical limitations of physical archives created what scholars have often described as “practical obscurity”, i.e. information remained public but was not effortlessly discoverable.

The digital revolution has fundamentally altered this equilibrium. Court judgments are now uploaded on official websites, reproduced by commercial legal databases, indexed by search engines and made retrievable globally within seconds. Algorithmic indexing has effectively transformed every individual’s name into a permanent search key capable of revealing an entire litigation history.

The Court therefore draws a distinction of enduring constitutional significance: Open justice requires that judicial records remain available and accessible. It does not require that every person’s name should permanently function as a universal digital identifier through which all past litigation may be instantly retrieved by anyone, anywhere in the world.

This distinction reshapes the constitutional debate. The issue is no longer whether judicial records should remain public. Rather, it is whether commercial search engines should indefinitely amplify those records through algorithm-driven name searches when such amplification serves little or no continuing public interest.

The Court eloquently observes that open justice is satisfied so long as judgments remain accessible through conventional legal identifiers such as case numbers, citations, names of parties, dates or the concerned court. Restricting searchability by personal names does not impair judicial transparency because the judgment itself continues to exist and remains available for legal, academic and public purposes.

This analytical distinction between public availability and algorithmic discoverability constitutes perhaps the most enduring contribution of the judgment.

Commercial Logic of Search Engines

An important aspect of the Court’s reasoning concerns the role played by commercial search engines in shaping public perception.

Search engines do not merely locate information; they prioritise it. Their algorithms determine which results appear first, how frequently they are displayed and how prominently they influence public perception. These algorithms are designed primarily to maximise relevance, engagement and user interaction rather than constitutional values.

The Court observes that algorithmic amplification may distort reality by perpetually highlighting historical allegations even after judicial exoneration. Search results seldom distinguish between accusation and acquittal with equal prominence. Consequently, the architecture of digital search may effectively undermine the legal presumption of innocence by ensuring that allegations continue to dominate an individual’s online identity.

Thus, the Court recognises that technology itself has become constitutionally relevant. The challenge is no longer confined to publication of information but extends to the mechanisms through which technology perpetuates and amplifies that information indefinitely.

Maintainability of Writ Petitions Against Private Intermediaries

One of the preliminary objections raised by Google LLC, Indian Kanoon and other private respondents related to the maintainability of the writ petitions under Article 226.

It was contended that search engines and legal databases are private entities that neither perform public functions nor qualify as “State” within the meaning of Article 12. Consequently, constitutional writ jurisdiction could not ordinarily be invoked against them.

The Court carefully considered this objection in light of contemporary constitutional jurisprudence.

Relying upon the Supreme Court’s decision in Kaushal Kishore v. State of Uttar Pradesh, the Court recognised that certain fundamental rights possess a horizontal dimension and may, in appropriate circumstances, operate against private entities where the infringement of constitutional rights cannot otherwise be effectively remedied.

The Court also emphasised that the Union of India, through the Ministry of Electronics and Information Technology (MeitY), was already before the Court. As the authority responsible for administering the Information Technology Act, 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Government possessed statutory powers to regulate intermediary obligations.

Consequently, the directions ultimately issued to Google, Indian Kanoon and other intermediaries were framed within the statutory framework established by Rule 3(1)(d) of the Information Technology Rules, 2021, thereby providing a clear legal basis for compliance.

The judgment therefore demonstrates that constitutional remedies remain available even where violations occur through technologically powerful private intermediaries whose activities substantially affect the exercise of fundamental rights.

De-indexing and Masking: Distinct Constitutional Remedies

A significant contribution of the judgment lies in its careful differentiation between de-indexing and masking, concepts that are often incorrectly treated as synonymous.

The Court explains that de-indexing operates primarily at the level of search engines. It prevents specified judicial records from appearing in response to searches conducted using an individual’s name. Importantly, the underlying judicial record is neither deleted nor modified. It continues to exist on official websites and remains accessible through citations, case numbers, dates and other conventional legal identifiers.

Masking, by contrast, operates at the level of the judicial record itself. It involves replacing the name of an individual with anonymised references in the publicly accessible digital version of the judgment while preserving the complete original record in the court’s archives. Only names and personal identifiers are concealed; the legal reasoning, factual discussion and precedential value of the judgment remain entirely unaffected.

The Court accordingly holds that the two remedies are complementary rather than mutually exclusive. De-indexing limits algorithmic discoverability, whereas masking protects personal identity within publicly accessible judgments. Together they strike an appropriate balance between constitutional privacy and judicial transparency.

The Seven-Factor Proportionality Framework

Recognising that no universal rule can govern every factual situation, the Court formulates a contextual seven-factor proportionality test for determining whether de-indexing should be granted. Rather than adopting rigid categories, the Court requires a holistic evaluation of competing constitutional interests.

  • The first consideration is the nature of the information. Information relating to intimate personal life, matrimonial disputes or purely private matters ordinarily deserves greater constitutional protection than information concerning public functions or official conduct.
  • The second factor is the passage of time and continuing relevance. As years pass, historical information may gradually lose its legitimate public value. The Court recognises that perpetual accessibility cannot be justified merely because information was once lawfully published.
  • Thirdly, the Court examines the public role of the individual. Public officials, elected representatives and persons exercising significant public influence necessarily attract greater public scrutiny than private citizens. Nevertheless, even public figures retain privacy concerning matters unrelated to their public responsibilities.
  • The fourth factor concerns accuracy and completeness. Information that is outdated, misleading, incomplete or incapable of conveying subsequent legal developments presents a weaker justification for continued unrestricted accessibility.
  • The fifth consideration is the impact upon dignity, reputation and personal autonomy. Courts must assess whether continued digital dissemination inflicts disproportionate harm upon an individual’s ability to lead a normal personal, professional and social life.
  • The sixth factor addresses the degree of digital accessibility and algorithmic amplification. Information that remains technically public but is effectively obscure differs fundamentally from information that appears instantly through every internet search. The Court expressly recognises that technological amplification itself may intensify constitutional harm.
  • Finally, the Court considers the impact upon freedom of expression, open justice and public interest. Relief cannot be granted where it would undermine judicial transparency, impede legitimate public debate or suppress information whose continued accessibility serves an overriding democratic purpose.

The Court makes it abundantly clear that these factors are neither exhaustive nor mechanical. They constitute elements of a proportionality inquiry in which the weight assigned to each factor necessarily varies according to the facts of the individual case.

Categories Where Relief Would Ordinarily Be Granted

Applying these principles, the Court identifies certain situations in which constitutional privacy ordinarily outweighs continued digital dissemination.

Persons acquitted after criminal trials constitute the clearest example. The Court reasons that the constitutional presumption of innocence would be rendered largely illusory if internet searches continue indefinitely to foreground accusations while relegating acquittals to obscurity. Judicial exoneration must carry meaningful consequences in the digital sphere. Similarly, persons discharged from criminal proceedings or whose proceedings have been quashed are generally entitled to comparable protection, particularly where continuation of digital visibility serves no identifiable public purpose.

The Court also accords significant protection to matrimonial disputes and other intensely private civil proceedings. Such disputes frequently involve deeply personal information that bears little relevance to public accountability. Once these disputes have been resolved, continued algorithmic dissemination may unjustifiably intrude upon personal dignity and family life. These observations underscore that the Court’s objective is not to erase judicial history but to ensure that constitutional privacy evolves alongside technological realities.

The Limits of the RTBF

The Delhi High Court was acutely conscious that recognition of the RTBF could not become an instrument for rewriting history or suppressing information that society has a legitimate interest in accessing. Equally, the Court recognised that privacy cannot be sacrificed merely because information was once lawfully published. The constitutional challenge, therefore, lay in identifying where privacy must yield to competing public interests and where technological amplification of personal information becomes constitutionally disproportionate.

Accordingly, after formulating the seven-factor proportionality framework governing de-indexing and masking, the Court proceeded to identify situations in which relief would ordinarily be refused, prescribed detailed compliance obligations for intermediary platforms, and laid down an operational mechanism capable of balancing constitutional rights in the digital ecosystem. These aspects of the judgment elevate it from an adjudication of individual disputes to a comprehensive constitutional framework for governing digital memory in India.

Categories Where Relief is Unavailable

One of the most notable features of the judgment is that it expressly recognises that the RTBF is not an absolute right. Privacy under Article 21, though fundamental, must coexist with other constitutional values, including freedom of speech and expression, transparency in public administration, democratic accountability and the principle of open justice.

The Court therefore identifies certain categories where constitutional privacy must necessarily yield to overriding public interest.

Convictions for Offences Against Women and Children

The first category concerns persons convicted of offences involving women or children. The Court observes that such offences involve continuing concerns relating to public safety and societal protection. Information regarding convictions for sexual offences, offences against children and similar crimes serves a legitimate public purpose that extends beyond the individual criminal proceeding. Continued accessibility enables employers, educational institutions, child-care organisations and society at large to make informed decisions concerning persons who may occupy positions involving trust or responsibility.

The Court therefore concludes that persons convicted of such offences cannot ordinarily invoke the RTBF to restrict public access to judicial records. The public interest in transparency substantially outweighs the individual’s claim to digital privacy.

This categorical exclusion underscores that the RTBF is designed to protect dignity where continued dissemination no longer serves a constitutional purpose; it is not intended to shield offenders from the consequences of judicially established criminal conduct.

Convictions Involving Public Trust

A second category identified by the Court concerns convictions involving breach of public trust. Public servants, elected representatives, constitutional functionaries and individuals occupying fiduciary positions discharge responsibilities that directly affect public confidence in governance and public institutions. Misconduct committed in such capacities possesses enduring public significance because democratic accountability requires that citizens remain informed regarding abuse of official power.

The Court therefore holds that convictions involving corruption, breach of public trust, abuse of official position or comparable misconduct cannot ordinarily be removed from public searchability through de-indexing or masking. Transparency regarding the exercise of public authority constitutes an essential component of constitutional democracy. The judgment thus recognises that privacy cannot become a means of insulating public officials from legitimate public scrutiny.

Public Figures and Continuing Public Interest

Beyond these categorical exclusions, the Court also considers the constitutional position of public figures. The judgment carefully avoids creating a blanket rule that public personalities possess diminished privacy rights. Instead, it adopts a more nuanced approach by distinguishing between conduct performed in a public capacity and matters belonging to an individual’s private life.

Where litigation concerns the discharge of public functions, exercise of political authority or conduct that has become part of legitimate public discourse, continued public accessibility ordinarily serves a constitutional purpose. Journalistic scrutiny and democratic accountability require that such information remain available.

Conversely, the Court recognises that public figures do not forfeit every aspect of personal privacy merely because they occupy positions of influence. Matrimonial disputes, family relationships and other matters unrelated to public responsibilities continue to attract constitutional protection. This distinction reinforces the Court’s central theme that proportionality, rather than rigid categorisation, remains the governing constitutional principle.

Case-Specific Refusal of Relief

Applying the proportionality framework to the facts before it, the Court declined relief in certain petitions despite recognising the constitutional basis of the RTBF.

In one instance, a well-known public figure sought removal of internet material relating to conduct that had received extensive public attention. The Court held that the petitioner had voluntarily assumed public prominence and that the material related to conduct that legitimately formed part of public discourse. Mere passage of time could not extinguish continuing public interest in such information.

In another petition, a public figure sought relief after criminal proceedings involving allegations of sexual offences had been quashed on the basis of settlement. The Court distinguished settlement-based quashing from judicial exoneration. Since the criminal proceedings had not culminated in an adjudication of innocence, and considering the petitioner’s public position together with the seriousness of the allegations, the Court concluded that public interest continued to outweigh the claim for privacy.

These decisions demonstrate that proportionality operates not through rigid formulae but through careful evaluation of competing constitutional considerations. The outcome depends upon the cumulative effect of all relevant factors rather than the presence or absence of any single circumstance.

Operational Directions to Search Engines and Intermediary Platforms

Perhaps the most practically significant aspect of the judgment lies in the detailed operational directions issued to intermediary platforms.

Previous litigation concerning the RTBF had often encountered practical difficulties because search engine operators maintained that they lacked legal authority to remove indexed material in the absence of specific judicial directions. The Delhi High Court addressed this obstacle by issuing explicit and enforceable directions under the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021.

Google LLC, Google India Private Limited and other search engine operators were directed to de-index specified judicial records from searches conducted using the petitioners’ names within the period prescribed by the Court. Importantly, the Court clarified that the obligation extended only to name-based searches. The judgments themselves were neither removed nor rendered inaccessible. They continued to remain available through case numbers, citations, dates and other recognised legal identifiers. The Court thereby ensured that constitutional privacy could be protected without impairing legal research, judicial transparency or access to precedent.

Directions to Indian Kanoon

Separate directions were issued to Indian Kanoon, one of India’s most widely used legal databases. The Court recognised that legal databases perform an indispensable role in promoting legal research and access to justice. At the same time, unrestricted name-based searching could produce precisely the form of perpetual digital visibility that lay at the heart of the petitions.

Accordingly, Indian Kanoon was directed to disable or appropriately restrict name-based search functionality in respect of records covered by the Court’s directions while continuing to preserve access through conventional legal identifiers such as case citations, court names and case numbers.

This approach is particularly significant because it demonstrates that constitutional privacy need not undermine public access to judicial decisions. What is moderated is the mode of discovery, not the existence of the judicial record itself.

The Court also directed Indian Kanoon to strengthen mechanisms for preventing disclosure of the identities of victims of sexual offences in future uploads, thereby addressing a broader systemic concern extending beyond the individual petitions.

Role of the Ministry of Electronics and Information Technology (MeitY)

The Court recognised that effective enforcement of the RTBF cannot depend solely upon isolated judicial directions issued in individual cases. Accordingly, the Ministry of Electronics and Information Technology (MeitY) was directed to communicate the Court’s directions to intermediary platforms and ensure compliance with the obligations arising under the Information Technology Rules, 2021. The Ministry was also required to file an affidavit regarding compliance within the time stipulated by the Court.

This direction reflects an important institutional dimension of the judgment. It places responsibility upon the regulatory framework itself rather than treating intermediary compliance as a matter solely between individual litigants and technology companies.

De-indexing Does Not Mean Erasure

Throughout the judgment, the Court repeatedly emphasises an important conceptual distinction that is likely to influence future privacy jurisprudence.

  • Neither de-indexing nor masking amounts to deletion of judicial records.
  • The judgments continue to exist.
  • They continue to possess precedential value.
  • They continue to remain available for academic research, legal practice, judicial accountability and historical reference.
  • Only unrestricted discoverability through personal name searches is moderated.

This distinction enables the Court to reconcile two constitutional values that might otherwise appear irreconcilable. Judicial transparency remains fully preserved because court records are neither destroyed nor concealed. Simultaneously, individual dignity receives meaningful protection because search engines no longer perpetually associate individuals with historical litigation that has lost contemporary relevance.

In many respects, this distinction represents the intellectual cornerstone of the entire judgment.

Broader Implications for Individuals and Litigants

The judgment carries significant implications extending far beyond the parties before the Court.  For individuals, particularly those acquitted of criminal charges, discharged from proceedings or involved in concluded matrimonial disputes, the judgment provides a coherent constitutional basis for seeking relief against disproportionate digital exposure.

For the first time, litigants possess a structured judicial framework identifying both the circumstances in which relief may be granted and the factors likely to influence judicial discretion.

The judgment also recognises that de-indexing and masking are complementary remedies. Individuals obtaining one form of relief remain free to seek the other wherever circumstances justify additional protection.

Implications for Courts

For the judiciary, the decision introduces a practical mechanism for harmonising privacy with open justice.  Future courts are no longer required to approach requests for anonymisation or de-indexing on an entirely ad hoc basis. Instead, the proportionality framework provides an analytical template capable of ensuring greater consistency across jurisdictions.

The judgment may also encourage courts to develop standardised procedures governing anonymisation, digital publication and privacy-sensitive judicial records.

Technology Companies and Media Organisations

Technology companies and search engine operators are perhaps the most immediate institutional stakeholders. The judgment clarifies that intermediary platforms cannot indefinitely rely upon uncertainty regarding their legal obligations. Judicial directions requiring de-indexing constitute enforceable directions under the Information Technology Rules, thereby removing much of the ambiguity that previously surrounded intermediary responsibility.

At the same time, the Court deliberately avoids imposing disproportionate burdens upon digital platforms. It does not require redesign of search algorithms, removal of archives or alteration of judicial databases. Compliance is confined to specifically identified records and name-based discoverability.

Although the Court refrained from directing media organisations to remove published reports, it nevertheless made important observations regarding responsible digital journalism. The judgment encourages publishers to consider anonymisation or appropriate editorial moderation where individuals have subsequently been acquitted or where continued publication of personal identifiers serves little legitimate public interest.

While these observations are not binding, they indicate an emerging expectation that responsible journalism should account for the constitutional values of dignity and rehabilitation in the digital age.

For Regulators and Policymakers

The judgment is equally significant for legislators and policymakers. The Digital Personal Data Protection Act, 2023, recognises certain rights relating to erasure of personal data but does not comprehensively address judicial records, search engine indexing or the interaction between privacy and open justice.

The Delhi High Court’s judgment therefore fills an important normative gap pending comprehensive legislative intervention. At the same time, it is likely to influence future statutory reforms concerning intermediary liability, digital archives and informational privacy.

A Landmark in Indian Constitutional Jurisprudence

The Delhi High Court’s decision represents one of the most important developments in Indian privacy jurisprudence since the Supreme Court’s decision in Justice K.S. Puttaswamy (Retd.) v. Union of India. Whereas Puttaswamy constitutionalised privacy, the present judgment operationalises informational privacy in the context of digital technology.

Its greatest contribution lies in recognising that the constitutional problem is not public records themselves but the unprecedented power of digital technology to convert those records into permanent, globally searchable personal identities. By distinguishing between public availability and algorithmic discoverability, the Court has offered a principled reconciliation of privacy and open justice that is both constitutionally persuasive and technologically realistic.

The judgment is equally significant for its institutional pragmatism. Rather than treating privacy as a basis for erasing history, it adopts proportionate remedies that preserve judicial transparency while mitigating unnecessary and continuing harm to individual dignity. In doing so, it acknowledges that constitutional rights must evolve alongside technological transformation.

Whether this framework ultimately receives affirmation from the Supreme Court, or is subsequently refined through legislation under the Digital Personal Data Protection Act, 2023, remains to be seen.

In an era where the internet seldom forgets, the judgment affirms a fundamental constitutional truth: while history should indeed be preserved, human dignity should not remain indefinitely imprisoned by the permanence of digital memory.

By M.G. Kodandaram, IRS.
Assistant Director (Retd.)
ADVOCATE and CONSULTANT

Posted in Privacy | Leave a comment

FDPPI and Mysore Royal Academy School of Business to jointly Certify DPOs and Data Auditors

The prestigious FDPPI certifications have become even more valuable with the Mysore Royal Academy School of Business, an AICTE approved management institution jointing hands in Joint Certification of the Courses.

This is the first joint Academic and Professional Institutions joining hands to bring Certifications for the Data Protection Professionals.

Watch out for the dates and Venue.

Naavi

Posted in Privacy | Leave a comment

This Day 12 Years Back: From Simple Phishing Emails to the Looming Shadows of Synthetically Generated Fraud

Looking back at the archives of Naavi.org from exactly twelve years ago—July 11, 2014—is a stark reminder of how rapidly the cyber threat landscape moves, and yet, how the fundamental vulnerabilities of human nature and systemic governance remain strikingly unchanged.

On that single Friday in 2014, two major warnings were published on this site that beautifully capture the “infancy” of the challenges we were trying to wrap our legal brains around. Let’s look at what was keeping us awake at night back then, and where we stand today on July 11, 2026.

The 2014 Baseline: Phishing Emails and Compromised PKI

Twelve years ago today, we highlighted two distinct security breakdowns:

  1. The Rs 1.72 Samsung Galaxy Bait: We analyzed a trending phishing campaign where users were lured with emails promising a brand-new Samsung Galaxy phone for a mere ₹1.72. The underlying link silently dropped trojans (detected by Kaspersky Pure 3.0 at the time) designed to steal banking credentials.

    • The 2014 Takeaway: We noted back then that basic bank warnings (“We never ask for your password”) were becoming obsolete because attackers didn’t even need to spoof the bank’s name anymore; they just hijacked the user’s machine. Crucially, we warned that new-generation trojans were beginning to defeat Two-Factor Authentication (2FA), and urged banks to drastically rethink their access mechanisms.

  2. Bogus National Informatics Centre (NIC) Digital Certificates: Simultaneously, Google detected and blocked several fraudulent SSL certificates issued by India’s own NIC, which were subsequently blocked by the Controller of Certifying Authorities (CCA). It highlighted the vulnerability of our Public Key Infrastructure (PKI) system when administrative or cryptographic keys are poorly guarded.

The Evolution: The Current 2026 Reality

Fast forward twelve years to today, July 11, 2026. The primitive “trojan in a scam email” and “compromised SSL certificate” have evolved into highly weaponized, multi-layered techno-legal crises.

1. From Stealing 2FA to Defeating Identity Entirely (AI-Driven Fraud)

In 2014, we worried about a trojan bypassing 2FA. In 2026, the threat isn’t just a hidden file on your desktop; it is Synthetically Generated Information (SGI). Attackers today utilize deepfake audio and real-time video cloning via advanced generative models to completely mimic corporate executives or family members, bypassing traditional biometric and knowledge-based verification. Fraudsters no longer need to promise a smartphone for ₹1.72; they manipulate the entire contextual reality of the user.

2. The Liability Paradigm Shift: The Rise of the DPDPA

In the 2014 post, we noted a crucial safety net: “…customer liability is now limited to Rs 10000/-.” Banking regulations tried to absorb the impact of consumer-side negligence.

Today, the responsibility has shifted completely onto the enterprise and the Data Fiduciary. With the Digital Personal Data Protection Act (DPDPA) looming large, data valuation is no longer about monetization; it is about mitigating toxic statutory liability. If a company fails to protect personal records today, they aren’t looking at small, isolated losses or a localized banking limit. They are facing compliance penalties reaching up to ₹250 crores per instance. Data is no longer a passive asset—if poorly secured, it is an active balance sheet liability.

3. Intermediaries: From Neutral Pipelines to Proactive algorithmic Gatekeepers

The compromised NIC certificates of 2014 were fixed by simple revocation lists and browser blocks. Today, the concept of intermediary safe harbor under Section 79 of the IT Act has been completely rewritten. As seen in our recent legal assessments this month, platforms are no longer viewed as neutral pipelines. Tech intermediaries are now legally required to actively deploy metadata tagging, AI tools, and persistent labels to police synthetic media and trace the provenance of information. Compliance windows that used to span a leisurely 72 hours have compressed into 2-to-3-hour operational mandates for high-risk content.

The Naavi Perspective

If there is one lesson to extract from looking 12 years into our own past, it is that security mechanisms are always a temporary shield. What we considered an advanced trojan in 2014 is elementary script-kiddie material today.

As we debate the deployment of framework standards like the DGPSI (Data Governance and Personal Data Protection Standard of India) and try to wrap our heads around managing complex enterprise ecosystems, we must remember that the core objective remains exactly what it was in 2014: protecting the integrity of the data and ensuring that technology serves trust, rather than exploiting human vulnerability.

The threats have grown sharper, the penalties astronomical, and the tools more complex—but the fight for a robust Cyber Jurisprudence in India goes on.

Naavi

Posted in Privacy | Leave a comment

DGPSI-Hospital open for Public Comments

Dear Friends

The DGPSI-Hospital, a suggested framework for DPDPA compliance for Hospitals under the DGPSI umbrella is now available for public comments. Kindly go through and send me your feedback and comments.

The link to the video presentation is here:

Naavi

Posted in Privacy | Leave a comment

Exploring the Concept of Intermediary and Intermediary Regulation in India-2026-2

(This is a continuation of the previous article)

When the Information Technology Act, 2000 came into force on 17 October 2000, the Internet was still in its infancy in India.

The Act introduced the concept of an Intermediary under Section 2(1)(w).

The original definition covered persons who merely received, stored or transmitted electronic records or provided related services.

Typical intermediaries contemplated in 2000 included

    • Internet Service Providers
    • Network Service Providers
    • Web Hosting companies
    • Search Engines
    • Cyber Cafés
    • Telecom infrastructure providers

The intermediary was viewed largely as a technical conduit, not as an active participant in online communication.

Under the original Section 79, intermediaries enjoyed absolute immunity for third-party content as long as they functioned purely as passive network pipelines and had no data-modifying role. The scope of defined intermediaries was narrow, focusing primarily on network and internet service providers.

The intermediary escaped liability only if it could prove that the offence occurred

    • without its knowledge, or
    • despite due diligence.

The burden was therefore on the intermediary.

2008 Amendment

Prompted by systemic gaps and high-profile litigations (such as Avnish Bajaj v. State), Section 79 was completely overhauled. It introduced conditional immunity, establishing that safe harbor depends on the intermediary exercising due diligence and acting immediately to remove content upon receiving “actual knowledge” of an unlawful act.

The new Section 79 declared that an intermediary shall not be liable for third-party information provided it

    • merely provides access,
    • does not initiate transmission,
    • does not select the receiver,
    • does not modify the transmitted information,
    • observes due diligence,
    • complies with Government directions.

The amendment also expanded the statutory definition of intermediary to expressly include entities such as:

    • telecom service providers,
    • network service providers,
    • internet service providers,
    • web-hosting providers,
    • search engines,
    • online payment sites,
    • online auction sites,
    • online marketplaces,
    • cyber cafés.

The philosophy shifted from “liable unless proved innocent” to “immune unless statutory conditions are violated.”

2011 Intermediary Guidelines

The Information Technology (Intermediaries Guidelines) Rules, 2011 were notified under Section 87(2)(zg). They were India’s first comprehensive due diligence rules for intermediaries. They required intermediaries to:

  • publish terms of use,
  • prohibit specified categories of unlawful content,
  • appoint grievance officers,
  • remove unlawful information within prescribed timelines after obtaining actual knowledge,
  • cooperate with Government agencies.

The prohibited-content list included obscenity, defamation, copyright infringement, hate speech, malware and similar categories.

For the first time, the concept of “due diligence” acquired operational meaning.

Shreya Singhal case

The Supreme Court fundamentally reinterpreted “actual knowledge” under Section 79(3)(b). The court ruled that an intermediary is only obligated to take down content upon receiving a court order or a direct government directive, preventing private citizens from forcing platforms to remove content arbitrarily.

Intermediary Rules of 2021

The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 replaced the 2011 rules. The Government explained that the objective was to increase transparency, accountability and user protection while extending the regulatory framework to digital media and OTT platforms.

These rules introduced a tiered system separating standard intermediaries from Significant Social Media Intermediaries (SSMIs).

Key mandates included appointing India-resident compliance officers, monthly compliance reporting, and tracing the “first originator” of automated/encrypted messages.

The intermediary was no longer viewed as merely a passive conduit.

Instead, different categories of intermediaries acquired different compliance obligations.

New concepts introduced included:

    • Social Media Intermediary (SMI)
    • Significant Social Media Intermediary (SSMI)
    • Resident Grievance Officer
    • Chief Compliance Officer
    • Nodal Contact Officer
    • Monthly Compliance Reports
    • Traceability requirements for significant messaging platforms
    • Automated content detection for specified categories
    • Digital Media Code of Ethics

This marked the transition from safe harbour to safe harbour with accountability.

Amendment of 2022

This amendment introduced government-appointed Grievance Appellate Committees (GACs). Users gained a formal state-backed mechanism to appeal an intermediary’s internal content moderation or account suspension decisions, shifting oversight outward from the platforms.

Amendment of 2023

MeitY introduced a framework empowering a central Fact-Checking Unit (FCU) to flag “false or misleading” information concerning the business of the Central Government, directing intermediaries to remove such flagged content to maintain safe harbor.

Major additions included

    • Online Gaming Intermediaries,
    • Self-Regulatory Bodies,
    • Permissible Online Games,
    • Online Real Money Games.

The definition of intermediary was effectively enlarged to include gaming platforms with specialised obligations.

Amendment of 2025

Notified to regulate Rule 3(1)(d), this amendment reformed the “actual knowledge” pipeline.

Instead of relying solely on court orders or government notifications in the earlier form, it introduced structured procedures requiring authorised officers, reasoned written intimations, and additional safeguards intended to make takedown decisions more transparent and accountable.

It mandated that executive takedown orders must be written and reasoned, issued by senior personnel (not below Joint Secretary rank), and subjected to a mandatory monthly review by an officer at the Secretary level to ensure proportionality.

Amendment of 2026-1 (Synthetically generated content)

Recognizing the dangers of “Deepfake”, an amendment was introduced for strict liability for Synthetically Generated Information (SGI) or deepfakes. Intermediaries must prominently label AI-generated content, embed non-removable metadata, and dramatically compress response windows—requiring the removal of non-consensual intimate imagery within 2 hours and other prohibited synthetic data within 3 hours.

The intermediary is no longer merely regulating user-generated content. It is now expected to regulate AI-generated content.

Major innovations include:

New statutory concepts

    • Audio-visual information
    • Synthetically Generated Information
    • AI-generated content
    • Metadata
    • Provenance
    • Persistent labels

New duties

Intermediaries must

    • identify synthetic content,
    • label AI-generated content,
    • preserve provenance,
    • deploy technical safeguards,
    • verify user declarations,
    • prevent unlawful deepfakes,
    • use automated detection tools where appropriate.

The Rules also clarify that references to “information” include synthetically generated information and introduce specific due diligence obligations for intermediaries that provide AI generation capabilities.

Structural Progression

The structural progression reveals a clear, permanent shift in the techno-legal architecture:

  • From Passive to Proactive: Intermediaries are no longer viewed as neutral conduits. They are now legally required to deploy algorithmic tools, verification systems, and metadata tagging to police synthetic media.

  • Compression of Compliance Timelines: Turnaround windows for grievance resolution and content blocking have shrunk from the original 72 hours down to urgent 2-to-3-hour operational mandates for high-risk content.

  • Erosion of Safe Harbor Certainty: Safe harbor is no longer a static shield; it functions as an active compliance standard. Any operational failure to uphold the evolving due diligence rules results in an automatic forfeiture of statutory immunity under Section 79, exposing platforms directly to prosecution under applicable penal codes.

The intermediary has therefore evolved into an AI governance participant.

In effect, the intermediary has evolved from a “carrier of information” to a “co-regulator of the digital ecosystem.” While Section 79 continues to provide the legal foundation for safe harbour, the conditions attached to that immunity have expanded substantially, reflecting the increasing expectation that intermediaries actively contribute to maintaining a safe, accountable, and trustworthy online environment.

Proposed Amendment 2026-2

In the amendments proposed now after 21st April 2026 for which public comments were available till May 7, 2026, Government wants the display of notice that a video was synthetically generated to be available through out the duration of the content in a visual display.

This is the amendment which the Government has cited for asking extension of time for its response in the Delhi High Court.

Subsequent to these developments, two more developments have hit the relationship between WhatsApp/Meta and the Government of India.

First was that WhatsApp proposed that it wants to allow users to use a chosen user name like a domain name and the public display of the phone number would be stopped. Government felt that this could hurt the identification of users, allow impersonation and asked WhatsApp to stop the implementation until further orders.

This provision would affect the earlier intermediary guidelines which requires WhatsApp to identify a “Originating user” of a message notified as objectionable by the Government. WhatsApp was contending that this identification was not possible because of “End-to-end Encryption”. FDPPI had in its intervention petition pointed out that this was incorrect since the phone number should be available for disclosure.

Now WhatsApp may even say that it has no means of identifying the phone number and provide only the user name as picked by the user. This would make it even more difficult for the law enforcement to identify the user.

Hence Government has a reason to include in its response this new development.

Yet another change that has happened is that Instagram has been accused of running ads which abuse children. Meta says it has removed the ads now but the controversy about what due diligence is expected of Meta in this regard lingers on. This controversy has impact on the use of “AI” in creating the ads.

Hence Government has a reason to include this also in its response.

It is a reasonable expectation that one or more of the petitioners may sooner or later launch another litigation again claiming that the Intermediary guideline is unconstitutional even after a decision is taken on the current dispute in the Delhi High Court.

Hence it is necessary for the Court to ensure that this does not become a continuing dispute that prevents the Government from proceeding further with its functions of regulation and put an end to the dispute.

More discussions will follow. Viewers can send their reactions.

Naavi

Naavi’s Presentation on the Intermediary Guidelines -July 2026 version is available here:

Posted in Privacy | Leave a comment

Exploring the Concept of Intermediary and Intermediary Regulation in India-2026-1

India started its journey in Cyber Law with Information Technology Act 2000. The Act originated as a draft in 1998, became a Bill in 1999 and an act on 17th October 2000. Naavi entered the world of Cyber Law with the Draft E commerce Act 1998 and has evolved along with the ITA 2000.

In 2008, a major amendment brought in Section 43A and the concept of Personal Data Protection into the ITA 2000 framework.

In 2023, DPDPA 2023 took over the responsibilities under Section 43A and introduced an entirely new law for “Personal Information Governance”.

In the near future we will have another major change coming up in the form of regulation of AI.

In this journey, the concept of Intermediaries has also evolved from 2000 to 2023 from a “Network Service Provider” to “Data Fiduciary/Data Processor”.

The Intermediary Guidelines which surfaced under Section 79 as a safe harbor provision also evolved into a complete Code by itself regulating a very large part of the industry.

In 2021, the codification of the Intermediary Guidelines was structured in the form of Digital Media Rules. This raised a huge opposition from the industry and is under continuous challenge in the Courts leading upto the current stage where Delhi High Court is sitting on a dispute between Meta (WhatsApp, FaceBook and Instagram) and the Union of India.

FDPPI has filed an intervention petition in this case the next hearing of which is due on July 14/15.
We shall have a complete review of the evolution of the Intermediary Guidelines to refresh ourselves, through a series of articles.

The reference material for this at present is

a) The last order of Delhi High Court posting the next hearing to July 14/15

b) The most recent amendment proposed as draft regarding continuous display of disclaimer on synthetic content

c) The notice of MeitY for public comments dated 21st April 2026

d) Intermediary Guidelines with Consolidated proposed amendments

I request other observers of ITA 2000 to correct me if there are any inaccuracies.

….Continued

Naavi

Posted in Privacy | Leave a comment