Interlegal’s next General Assembly Meeting, hosted by Odeon Avocats, will be held from November 6th to 10th, 2024, in Paris

37392-main

Right to be forgotten: The Indian scenario

Gaurav Bhalla

Ahlawat and Associates

17.04.23


In most jurisdictions, the ‘right to be forgotten’ forms part of their respective data protection statutes. In India, the extant law governing protection of personal data of individuals is the Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011, read with the Information Technology Act, 2000. As the title suggests, these statutes were enacted quite some years ago, when the awareness of the right to be forgotten was minimal, and accordingly the aforementioned statutes don’t contain any specific provision which provides for the right to be forgotten in India. However, there have been some judicial pronouncements through which the ’right to be forgotten’ has been recognized as a right bestowed on users.

Development of Privacy Law in India

On a general level, the landmark judicial development of privacy law in India was with the recognition of the ‘right to privacy’ as a fundamental right under the Constitution of India by the Supreme Court of India in the case of Justice K.S. Puttaswamy (Retd.) and Anr. vs Union of India1. To give a background, Article 21 is one of the fundamental rights in India and is coveted as one of the most valuable rights extended to the citizens, which reads as – ‘No person shall be deprived of his life or personal liberty except according to a procedure established by law’. It is within this broadly worded right (under Article 21) that the Supreme Court includes the ‘right to privacy’ by holding that – ‘The right to privacy, which is an intrinsic part of the right to life and liberty…the right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the Internet.’

Expansion of the “right to privacy” to include the “right to be forgotten”

It is with this foundation that the other judicial bodies in India took a step further to recognize the ‘right to be forgotten’ in various judgments as a part of the ‘right to privacy’ of individuals.

Jorawer Singh Mundy v. UOI

For instance, the High Court of Delhi, in Jorawer Singh Mundy v. UOI2 had directed the removal of judicial pronouncements from Google, India Kanoon and another judicial judgment publishing website. The petitioner in this case was aggrieved owing to the presence of his name in a judgment which was freely available over the internet. The petitioner argued for removal of such judgments on the ground that he had since been acquitted from the charges.

  • Writ Petition (Civil) No. 494 Of 2012
  • W.P.(C) 3918/2021

The court, in light of this information, directed the removal of the judgment by recognizing the petitioner’s right to privacy under Article 21 of the Constitution of India.

Zulfiqar Ahman Khan v. M/S Quintillion Business Media

In yet another case of Zulfiqar Ahman Khan vs M/S Quintillion Business Media3, the Delhi High Court recognized a petitioner’s right to privacy under Article 21 when a petitioner approached the High Court pleading the removal of articles published on a popular news publishing website – TheQuint. The petitioner was aggrieved by the articles wherein it was alleged that he had committed sexual misconduct against certain individuals. The court recognizing the petitioner’s right to privacy directed the publisher to take down the content.

Subhranshu Rout v. State of Odisha

Further, in Subhranshu Rout v. State of Odisha4, the Odisha High Court, while examining the ‘right to be forgotten’ as a remedy to be given to victims of sexually explicit pictures/pornography, stated that – “…information in the public domain is like toothpaste, once it is out of the tube one can’t get it back in and once the information is in the public domain it will never go away”. The court recognized the right to be forgotten in such cases and recognized the need to protect the privacy of individuals in the era of internet.

X vs HTTPS://www.youtube.come/watch?v=IQ6K5Z3ZYS0

In another recent case titled X vs https://www.youtube.come/watch?v=IQ6K5Z3ZYS0 & Ors.5, the High Court of Delhi was approached by an actress requesting the removal of explicit videos portraying her. The Court (in its order dated August 23, 2021) granted protection to the victim and held that a woman has the unbridled right to be forgotten and she is fully entitled to protection of privacy from invasion by strangers.

Virginia Shylu v. Union of India

Lastly, in the recent-most case on this subject is the judgment by the Kerala High Court in the case of Virginia Shylu v. Union of India6 wherein the Court balanced the right to be forgotten with the reasonable restrictions that would be factored in while deciding upon a matter concerning erasure of data. The court held in this case that – “a claim for the protection of personal information based on the right to privacy cannot co-exist in an open court justice system.” It went on to hold that – “It is for the Legislature to fix grounds for the invocation of such a right. However, the Court, having regard to the facts and circumstances of the case and duration involved related to a crime or any other litigation, may permit a party to invoke the above rights to de-index and to remove the personal information of the party from search engines. The Court, in appropriate cases, is also entitled to invoke principles related to the right to erasure to allow a party to erase and delete personal data that is available online.”

  • CS (OS) 642/2018
  • BLAPL No.4592 OF 2020
  • CS(OS) 392/2021, I.As.10543/2021, 10544/2021, 10545/2021 & 10546/2021
  • W.P.(C).Nos. 26500/2020, 6687/2017, 20387/2018, 7642/2020, 8174/2020, 21917/2020, 2604/2021, 12699/2021 & 29448/2021

Legislative Developments on the “Right to be Forgotten”

As regards the legislative development in India (both at a general level pertaining to data protection laws in India as well as specifically pertaining to the right to be forgotten), there has been some development as regards the introduction of various draft legislations over the past some years. However, due to several challenges and shortcomings with the drafts, they haven’t seen the light of day until now. The latest amongst these is the bill titled the ‘Digital Personal Data Protection Bill, 2022’ (“Bill”) which has been drafted by the Ministry of Electronics and Information Technology and was released for public comments in late 2022.

Right to correction and erasure of personal data

The Bill provides for right of data subjects in Chapter 3 and Section 13 specifically deals with the ‘Right to correction and erasure of personal data’ as follows:

  • A Data Principal shall have the right to correction and erasure of her personal data, in accordance with the applicable laws and in such manner as may be prescribed.
  • A Data Fiduciary shall, upon receiving a request for such correction and erasure from a
    Data Principal:

    • correct a Data Principal’s inaccurate or misleading personal data;
    • complete a Data Principal’s incomplete personal data;
    • update a Data Principal’s personal data;
    • erase the personal data of a Data Principal that is no longer necessary for the purpose for which it was processed unless retention is necessary for a legal purpose

Conclusion

While the Bill does recognize a provision for erasure of personal data, the current Bill has diluted the data principal’s ‘right to be forgotten’ (vis-à-vis the previous versions of the draft statute) in the sense that it the exercise of this right is subject to certain factors. For instance, the Bill states that upon receiving such a request from a data principal, the data fiduciary shall erase such data that is ‘no longer necessary for the purpose for which it was processed unless such retention is necessary for legal purposes’. Accordingly, the completion of erasure (of personal data) is contingent upon the fact that the data is no longer necessary for the purpose for which it was collected, which shall mean that the data principal in order to claim such a right will have to forgo their right to claim any service/good that would require the data fiduciary to retain such data.
It remains to be seen what comes through in the final text once the draft bill is adopted as a legislation by the Parliament. Until then, the judiciary is expected to take up specific instances on a case-to-case basis to analyze whether or not a particular case warrants the grant of the ‘right to be forgotten’ on a particular individual.

Related Articles

Join our Legal Network

Interlegal