Right to be Forgotten under Indian Law.. Participate in the Discussion

Posted on January 27, 2023 by Vijayashankar Na

Right to be Forgotten was a distinct feature of GDPR and a concept discovered by  the EU Court of Justice.

In the case against Google, CJEU found the GDPR law required a halt to online publication of results that were no longer relevant after a certain amount of time had passed and the individual wanted them removed. Google was found to be a data controller that had to respect the right of the individual to control their own data.

This arose out of an interpretation of Article 17 of GDPR which states as follows:

Article 17:Right to erasure (‘right to be forgotten’)

1. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
(e) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society services referred to in Article 8(1).

2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1 to erase the personal data, the controller, taking account of available technology and the cost of implementation, shall take reasonable steps, including technical measures, to inform controllers which are processing the personal data that the data subject has requested the erasure by such controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:

(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) in so far as the right referred to in paragraph 1 is likely to render impossible or seriously impair the achievement of the objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

In India , PDPB 2019 specified under Section 20 that Right to be forgotten could be exercised with the order of an Adjudicating Officer. The section stated as follows.

20. Right to be forgotten.

(1) The data principal shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary where such disclosure—

(a) has served the purpose for which it was collected or is no longer necessary for the purpose;
(b) was made with the consent of the data principal under section 11 and such consent has since been withdrawn; or
(c) was made contrary to the provisions of this Act or any other law for the time being in force.

(2) The rights under sub-section (1) may be enforced only on an order of the Adjudicating Officer made on an application filed by the data principal, in such form and  manner as may be prescribed, on any of the grounds specified under clauses (a), (b) or clause (c) of that sub-section:

Provided that no order shall be made under this sub-section unless it is shown by the data principal that his right or interest in preventing or restricting the continued disclosure of his personal data overrides the right to freedom of speech and expression and the right to information of any other citizen.

(3) The Adjudicating Officer shall, while making an order under sub-section (2), having regard to—

(a) the sensitivity of the personal data;
(b) the scale of disclosure and the degree of accessibility sought to be restricted or prevented;
(c) the role of the data principal in public life;
(d) the relevance of the personal data to the public; and
(e) the nature of the disclosure and of the activities of the data fiduciary, particularly whether the data fiduciary systematically facilitates access to personal  data and whether the activities shall be significantly impeded if disclosures of the relevant nature were to be restricted or prevented.

(4) Where any person finds that personal data, the disclosure of which has been restricted or prevented by an order of the Adjudicating Officer under sub-section (2), does not satisfy the conditions referred to in that sub-section, he may apply for the review of that order to the Adjudicating Officer in such manner as may be prescribed, and the Adjudicating Officer shall review his order.
(5) Any person aggrieved by an order made under this section by the Adjudicating Officer may prefer an appeal to the Appellate Tribunal.

In the DPDPB2022, there is a section 13 which states as follows:

13. Right to correction and erasure of personal data

(1) A Data Principal shall have the right to correction and erasure of her personal data, in accordance with the applicable laws and in such manner as may be prescribed.

(2) A Data Fiduciary shall, upon receiving a request for such correction and erasure from a Data Principal:

(a) correct a Data Principal’s inaccurate or misleading personal data;

(b) complete a Data Principal’s incomplete personal data;

(c) update a Data Principal’s personal data;

(d) erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose.

Additionally DPDPB 2022 (as well as PDPB 2019) recognized the right of a search engine to present data as part of public interest and deemed consent.

Hence it appears that India has not endorsed the EU Court’s view that a Right to Forget exists automatically.

Whether Section 13 of DPDPB 2022 has to interpreted as restricted to the “Erasure” of data for further processing only or extends to the sending the identifiable data to the “Oblivion” is a point that is not clear.

Followers of GDPR would interpret that Section 13 of DPDPB 2022 is both a Right to Erase and Right to be forgotten. But Followers of PDPB 2019 may interpret that India wanted to distinguish Right to be forgotten from Right to erasure and hence created two sections in PDPB 2019 but decided to completely drop Right to Be Forgotten in the DPDPB 2022.

There have been a few High Court decisions in the past where Courts have agreed to redact the names of the acquitted accused persons in published judgements. Whether this has created the law for “Right to be forgotten” in India is a moot point.

Recently the Kerala High Court had an opportunity to analyse the law in depth and has come up with a very elaborate analysis of the Right to be forgotten.

These details have already been presented at Naavi.org over the following five articles:

Hats off to the Kerala Judgement on Right to Forget-5: Evolution of the Right to be forgotten
Hats off to the Kerala Judgement on Right to Forget-4: Need for Transparency in Judiciary
Hats off to the Kerala Judgement on Right to Forget-3: Right to Forget is not Right to Anonymity..
Hats off to the Kerala Judgement on Right to Forget..2: Ratio Decidendi in Puttaswamy Judgement
Hats off to Kerala High Court for it’s treatise on Right to Forget

As a part of the Privacy Day Activities, FDPPI is conducting a webinar on 28th January 2023 at 4.00 pm IST which consists of a Moot Court discussion on the Right of litigants of Court cases to request for redaction of their names from the published judgements and the publication of the judgements in Indi Kanoon data base or Google Search.

Interested persons can register for this Zoom Webinar at

Register in advance for this webinar here

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He now has been focusing on the projects such as Secure Digital India and Cyber Insurance
This entry was posted in Cyber Law. Bookmark the permalink.

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.