Friday, November 22, 2024
154,225FansLike
654,155FollowersFollow
0SubscribersSubscribe

The Vanishing Act

The Court will have to settle the law on the right to be forgotten after an acquitted man in a sexual assault case wanted a judgment on him to be erased. This is in conflict with the right to information

By Dr Swati Jindal Garg

American businessman, investor and philanthropist Warren Buffet was right when he said: “It takes twenty years to build a reputation and five minutes to ruin it.” This is especially true in this age of digitalisation.

In a recent appeal to the Supreme Court of India by Indian Kanoon, a law search engine, the question to be answered was whether the right to be forgotten includes taking down judgments that reveal an acquitted person’s identity? Chief Justice of India (CJI) DY Chandrachud said: “We will have to settle the law.” 

Indian Kanoon had moved the Supreme Court against a Madras High Court direction asking it to take down a judgment copy in a sexual assault case as it had the name of the accused who was finally acquitted. The man was constrained to move the High Court claiming protection under his right to be forgotten as he was denied Australian citizenship because his name appeared in the judgment.

Staying the High Court direction, the Supreme Court issued notice on the plea. The CJI said that “once a judgment is delivered, it is part of the public record” and wondered how the High Court could have directed pulling down the entire judgment even assuming there was an acquittal. Terming it “far-fetched”, he then issued notice saying that the law will have to be settled.

In India, the right to be forgotten is an extension of the right to privacy that is enjoyed by an individual. Basically, the “right to be forgotten” or “right to be erased” provides a right to an individual to request for removal of his/her personal data from the internet. The simple rule behind data erasure is that whoever is using the data has volunteer consent from the data owner. So, when the consent is withdrawn, the owner has a right to have his data erased.

Also when the data controller has no legal right to process the data, the data should be erased. In case of data erasure, whoever has the data access or whoever is processing the data has to erase it and has to remove any links, copies or replication of it. 

The origin of this right is traced from French jurisprudence on the “right to oblivion”, which was to make social integration easy for offenders who had served their sentence on the basis of the publication of information of their crime. Based on French jurisprudence, European Union Data Protection Directive, 1995 acknowledged the right to be forgotten by introducing Article 12, which specifies that the member state should provide people the right to control, ratify, erase or block data related to them. 

In India, the right to be forgotten is governed by the Personal Data Protection Bill that is yet to be passed by Parliament. The right to privacy was declared a fundamental right by the Supreme Court in 2017 in the landmark Puttaswamy case. The Court had said at the time that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.

Justice BN Srikrishna Committee’s Draft Personal Data Protection Bill was introduced in the Lok Sabha on December 11, 2019 and aimed to set out provisions for the protection of personal data of individuals. According to Section 27 of the Bill, a data principal has the right to prevent the data fiduciary from using such data or information if  disclosure is no longer necessary, the consent to use data has been withdrawn or if data is being used contrary to the provisions of the law. Further, Section 27(2) says the adjudicating officer (Data Protection Authority) can decide on the question of disclosure, and the circumstances in which he thinks such disclosure can override the freedom of speech and the citizen’s right to information.

Therefore, under the right to be forgotten, users can de-link, limit, delete or correct the disclosure of their personal information held by data fiduciaries. A data fiduciary is any person, including the State, a company, a juristic entity or an individual who alone or in conjunction with others determines the purpose and means of processing of personal data.

However, it cannot be construed that the sensitivity of personal data is solely determined by the concerned person. The same is overseen by the Data Protection Authority.

It can, therefore, be said that while the person whose data is in question is given the protection of some provisions under the Draft Bill, ultimately his rights are still subject to the approval/authorisation by the adjudicating officer who works for the Data Protection Authority. It is he who will need to decide and scrutinise the level of sensitivity of the personal data, the degree of accessibility sought to be restricted, the role of the data principal in public life and the nature of the disclosure.

This right was first established in May 2014 in the European Union as the result of a ruling by the European Court of Justice. The Court found that the European data protection law gives individuals the right to ask search engines like Google to remove certain results for queries related to a person’s name. In deciding what to remove, search engines must consider if the information in question is “inaccurate, inadequate, irrelevant or excessive” and whether there is a public interest in the information remaining available in search results.

In furtherance of this, in 2018, the EU adopted the General Data Protection Regulation that sets out a right to erasure. This protection, however, is available only to individuals and not to corporations and other legal entities. Requests for delisting of personal information though usually come from the affected person, but can also come from someone acting on his behalf, provided he has the legal authority to do so.

Recently, the European Court of Justice ruled in favour of Google, which was contesting a French regulatory authority’s order to have web addresses removed from its global database. The European Union’s highest court ruled that an online privacy rule known as the “right to be forgotten” under European law would not apply beyond the borders of EU member states. The judgment was an important victory for Google, as now the online privacy law cannot be used to regulate the internet in countries such as India, which are outside the EU.

An individual has the right to have his personal data erased if:

  • The personal data is no longer necessary for the purpose an organization originally collected or processed it.
  • An organisation is relying on an individual’s consent as the lawful basis for processing the data and that individual withdraws their consent.
  • An organisation is relying on legitimate interests as its justification for processing an individual’s data and the individual objects to this processing.
  • An organisation is processing personal data for direct marketing purposes and the individual objects to this.
  • An organisation processed an individual’s personal data unlawfully.
  • An organisation must erase personal data in order to comply with a legal ruling or obligation.
  • An organisation has processed a child’s personal data to offer their information society services.

However, an organisation’s right to process someone’s data might override their right to be forgotten. Here are the reasons cited in the General Data Protection Regulation that trump the right to erasure:

  • The data is being used to exercise the right of freedom of expression and information.
  • The data is being used to comply with a legal ruling or obligation.
  • The data is being used to perform a task that is being carried out in the public interest or when exercising an organisation’s official authority.
  • The data being processed is necessary for public health purposes.
  • The data being processed is necessary to perform preventative or occupational medicine. This only applies when the data is being processed by a health professional who is subject to a legal obligation of professional secrecy.
  • The data represents important information that serves the public interest, scientific research, historical research, or statistical purposes and where erasure of the data would impair or halt progress towards the achievement that was the goal of the processing.
  • The data is being used for the establishment of a legal defence or in the exercise of other legal claims.

Furthermore, an organization can request a “reasonable fee” or deny a request to erase personal data if it can justify that the request was unfounded or excessive. Each request will have to be evaluated individually. 

In the Indian scenario, the “right to be forgotten” is in conflict with the “right to information”. This is especially so when a rape victim has the right to have her past be forgotten. At the same time, a criminal cannot claim that he has the right to insist that his conviction should not be referred to by the media. As the final decision depends on the Data Protection Authority, it may turn the right to be forgotten into a danger for the freedom of press as a journalist has to wait for the decision of the adjudicating officer. 

This will further put the freedom to criticise public personalities for their public policies based on their past statements and activities in jeopardy. Another problem is that even though the State retains unbridled powers to collect and process data, without the need for consent for the national interest, the term national interest itself has nowhere been defined. 

In order to implement the right to be forgotten, privacy needs to be added as a ground for reasonable restriction under Article 19(2) by a major amendment to the Constitution. There must also be a balance between the right to privacy and protection of personal data (as covered under Article 21 of the Constitution), and the freedom of information of internet users (under Article 19). A comprehensive data protection law must address these issues.

Justice Sanjay Kishan Kaul of the Supreme Court had once delivered his opinion on the right to forgotten. He stated: “The right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the Internet.” In contrast, the Gujarat High Court in Dharamraj Dave vs State of Gujarat had said that there was no law to remove a judgment from Google. 

These cases demonstrate the lack of legal framework and the inability of the judiciary in interpreting the right to be forgotten. In the Puttaswamy’s case, the Supreme Court had recognised the right to be forgotten by considering that people change and every individual should be able to move forward in life and not be stuck by a mistake done in past. Every individual should have the capacity to change his beliefs and improve as a person. The individual should not live in fear for a view expressed by them which will stay with them forever. Beliefs or thoughts expressed by one must be allowed to fade away in the sands of time if one so wishes.

—The writer is an Advocate-on-Record practicing in the Supreme Court, Delhi High Court and all district courts and tribunals in Delhi

Previous article
Next article
spot_img

News Update