[P.S: This is in continuation of the discussion of the proposed Data Protection Act in India and the public comments invited for the Justice Srikrishna report.]
The EU law on Privacy under GDPR recognizes the “Right to Forget” which essentially means that the data subject can demand that his personal information should be erased from the records in the custody of the data processor/data controller once the data subject withdraws his consent.
Enabling “Erasure” of data is not as simple as it looks since data has a tendency to multiply and spread in different systems within the processing organization and it is often difficult to even recognize where all the copies of data are present. With need to back up data for reasons of disaster recovery and different versions of data getting created during the course of relationship of a customer with a data processing entity, when a demand for deletion comes up, it is difficult to ensure the complete erasure of data.
Further, since data is related to National Security and Crime control, there is a legal obligation to “Retain Data” in many circumstances. There will therefore be a conflict of interest between the need to erase data on request and the need to retain data for control of criminal activities. Even the need for Governance such as Direct benefit Transfer with the use of Aadhaar requires data to be retained and not erased at the request of only the data subject.
Even when Privacy is considered as a Fundamental Right, the law provides for exemptions for security purpose and hence the “Right to Forget” or “Right of erasure” is a concept which cannot be considered for the Data Protection Act.