PDPB 2019 is already recognized as the requirement by Courts

We recently had an occasion where the Delhi High Court made a reference to “Right to Forget” in respect of an accused who had been acquitted.

Copy of the judgement is available here.

The facts of the case was that the petitioner who is presently residing in USA, visited India in 2009 and while departing back to USA was found to posses Narcotics in the checked in Bags.

The trial examined whether the quantity of the substances required was small or big, whether it was recovered from personal possession or in the baggage, whether the chain of custody of the material after recovery was defective or not and finally acquitted the accused. (Refer earlier judgement here)

The Court first acquitted the charge of possession of 5600 gms of Morphine under Section 50 of NDPS Act under the contention ” In a case of recovery of narcotic drug it is the paramount duty of the prosecution to prove beyond reasonable doubt that the case property allegedly recovered from the accused was kept in safe custody and no tampering was done therewith”. Then in respect of a smaller quantity of 81.1 gms on which tampering allegation could not be sustained, it acquitted the accused stating that the friend of the accused who was supposed to have handed over the subject bags was not examined by the IO, stating  ” In view of the deficiencies in the investigation carried out, I do not find it fit to convict the Respondent even for the possession of 81.1 grams of morphine”

Thus the grounds of acquittal were technical and the fact that more than 5600 gms of morphine was recovered from the checked in baggage due to some body’s action remained unanswered.

However one trial court and the appeal court found that the case was fit for acquittal. This happened in 2013.

Now in 2021, the petitioner who was the earlier accused, tried  and acquitted, prayed for removal of the judgement from the platforms of Google, Indian Kanoon and vLex.in

The Court noted that “The question as to whether a Court order can be removed from online platforms is an issue which requires examination of both the Right to Privacy of the Petitioner on the one hand, and the Right to Information of the public and maintenance of transparency in judicial records on the other hand. The said legal issues would have to be adjudicated by this Court.

Then the judgement referred to the Puttaswamy judgement and the interim order in which it had  said

” recognising the Plaintiff’s Right to privacy, of which the `Right to be forgotten’ and the
`Right to be left alone’ are inherent aspects, it is directed that any republication of the content of the originally impugned articles dated 12th October 2018 and 31st October 2018, or any extracts/ or excerpts thereof, as also modified versions thereof, on any print
or digital/electronic platform shall stand restrained during the pendency of the present suit. “

It also referred to the Orissa High Court order in which the Right to be forgotten had been discussed in the context of a lady who had been victimized by a person who had posted sexually explicit content on the social media.

This judgement acknowledged that there was no statutory provision in India that provides for the Right to be forgotten and made references to GDPR article 17 and recitals 65 and 66. It also referred to a case in England in the Wales High Court where a similar issue of convicted person’s name appearing in Google searches and concluded that Right to Privacy is in sych with the right to privacy which was part of the Puttaswamy judgement. It also stated

“the Ministry of Law and Justice, on recommendations of Justice B.N. Srikrishna Committee, has included the Right to be forgotten which refers to the ability of an individual to limit, delink, delete, or correct the disclosure of the personal information on the internet that is misleading, embarrassing, or irrelevant etc. as a statutory right in Personal Data Protection Bill, 2019”

The order continued to say “The Information Technology (Reasonable Security Practices
and Procedures and Sensitive Personal Data or Information) Rules, 2011, India’s first legal framework recognized the need to protect the privacy of personal data, but it failed to capture the issue of the Right to be forgotten….. This principle is embodied in S.5 of the yet to-be-implemented Personal Data Protection Bill, 2019”.

It further went on to refer to PDPB 2018 to sate

“Section 27 of the draft Personal Data Protection Bill, 2018 contains the right to be forgotten. Under Section 27, a data principal (an individual) has the right to prevent continuing disclosure of personal data by a data fiduciary.”

Further it stated

“Section 10 of the Bill provides that a data fiduciary shall retain personal data only as long as may be reasonably necessary to satisfy the purpose for which it is processed. Further, it imposes an obligation on every data fiduciary to undertake periodic reviews in order to determine whether it is necessary to retain the personal data in its possession. If it is not necessary for personal data to be retained by a data fiduciary, then such personal data must be deleted in a manner as may be specified. “

The above views were expressed in the judgement of Justice S.K. Panigrahi and was dated 23rd November 2020

Our Conclusions and Views

Having gone through all the above judgements at the High Court level, we note that the Indian Judiciary has already taken cognizance of the Personal Data Protection Bill 2019 as if it is an established principle of jurisprudence. Hence those who are arguing that the Act is still not passed and therefore the provisions are not required to be complied with are wrong.

Naavi has repeatedly held that PDPB2018/2019 is a replacement of Section 43A of ITA 2000 and represents the “Due Diligence” required to be followed by organizations. It is with this belief that Cyber Law College and FDPPI started trainings based on the PDPB 2019 and started providing qualification certificates and also established a complete system of Certifiable audit for Compliance in the form of PDPSI (Personal Data Protection Standard of India).

Some of the professionals who are used to such concepts come only from the west, were uncomfortable that some organization in India was providing certifications based on indigenous systems of Certifications. Vested interests tried to discourage the adoption by corporate circles, though FDPPI came through all this and established itself as the premier organization in India in the field of Data Protection.

These judgements vindicate the approach of Naavi and FDPPI in trying to create awareness of PDPB 2019 before it is passed as an Act.

In the light of the controversies surrounding WhatsApp and Twitter, some media persons are questioning why the Government is not pushing the passage of the PDPB 2019 and instead going against Twitter and WhatsApp. The honourable minister of IT Mr Ravi Shankar Prasad in an interview yesterday  assured that PDPB2019 will be pushed for debate during the next Parliamentary session.

While the above leads us to conclude that PDPB 2019 is considered as the “Due Diligence under ITA 2000”, we shall debate further about the Right to forget itself … in the continuation.

The interview of Honourable Minister of IT Mr Ravi Shankar Prasad with Navika Kumar of Times Now live streamed  on 28th May 2021.

See statement at 39.56 minute where Mr Prasad refers to the PDPB2019.

( You can directly go to the part on PDPB 2019 here)



Also Refer:


Three Judgements to follow

Orissa High Court Judgement

Delhi High Court  Trial 29th January 2013

Delhi High Court 12th April 2021

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

1 Response to PDPB 2019 is already recognized as the requirement by Courts

  1. Pingback: Launching the Certification program for Personal Data Protection Auditors |

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.