AUTHORED BY: MR. NITESH JINDAL & CO-AUTHORED BY: MS. SHIPHALI PATEL, DR. RAM MANOHAR LOHIYA NATIONAL LAW UNIVERSITY.
“Since the beginning of time, for us humans, forgetting has been the norm and remembering the exception.”[1]
ABSTRACT:
With the emergence of Digital Eternity, everybody deserves a second chance into our digital spaces as well as real lives. The Right to be Forgotten provides people with this second chance to move beyond the shackles of their past. The concept of Right to be forgotten has not gained much traction on Indian soil. Indian courts have also been devoid to delve into much with regard to its importance and challenges it may be capable of giving rise to. Recent landmark judgment on Right to privacy does not categorically talk about the Right to be Forgotten but it can be very well inferred from the wording of judgment of Justice Sanjay Kishan Kaul. As a consequence of it, provision of the Right to be Forgotten has been incorporated under the Data Protection Bill, 2018. This provision has called into question the enforcement of various other Fundamental Rights which will be at the loggerheads with each other when the cases will start to knock the doors of the courts. Jurisprudence of Right to be Forgotten has also not developed completely around the globe. European Union and various other countries like Canada, South Africa, United States of America, etc. have also been trying to resolve the altercation between Right to be Forgotten on one side and other fundamental rights on the other side. This paper would analysis the conflict that would emerge between the Right to be Forgotten and various other Fundamental Rights with the emergence of Right to be Forgotten and how these rights will be at loggerheads with each other. This paper argues that balancing statutory test given under section 27 of Data Protection Bill, 2018 goes on to create subjectivity which may result in different outcomes of same facts and situations. This paper would pose various questions which may be helpful in bringing out the objectivity in these criterions by discussing them individually.
1. INTRODUCTION:
The inherent human nature is to forget. Today, due to technological advancements, forgetting has become the exception, and remembering the default.[2] The advent of internet has made these mailboxes, social media and online archives serve as perpetual extensions to our fallible memories.[3] Contrary to the permanency of technology, people change and they grow. Privacy gives them ability to evolve, to reinvent themselves from the shackles of their past.[4]Vivian Reding, EU Justice Commissioner, said that:
“The internet has an almost unlimited search and memory capacity. So even tiny scraps of personal information can have a huge impact, even years after they were shared or made public”.[5]
Before delving further, one question needs to be answered: What is Right to be Forgotten (RTBF)?
A committee of European Parliament in January, 2013 released an Albrecht Report which described the Right to be Forgotten (RTBF) as “the right of the individuals to have their data no longer processed and deleted when they are no longer needed for legitimate purposes.”[6]“The right to be forgotten in the digital sphere refers to the right of individuals to request data controllers to erase any data about them from their systems.”[7]The Right to be Forgotten (RTBF) gives a remedy to data principle against disclosure of one’s personal data whose disclosure is no longer useful or lawful.[8] It is right which allows the data principle to have a control over his sensitive or personal data available online or identifiable to him in the public domain. In the famous privacy article by Samuel Warren and Louis D. Brandeis[9] one aspect of the right to privacy is an individual’s right to control the dissemination of his personal information. Keeping in view the technological improvements, this aspect of Right to Privacy has gained significance. Individuals want to limit their accessibility on the internet to protect their personality, individuality and dignity.[10]As was pleaded in the Gujarat High Court case of Dharamraj Dave v. St. of Gujarat[11]where the petitioner wanted a criminal proceeding to be removed from his name search on Google as it was causing reputational damage to him, the court denied his plea on the ground that people’s Right to Know is greater than his Right to Privacy.
As the right is emerging all over the world, its dissent is getting louder and louder. Google’s global privacy counsel, Peter Fleischer in his blogs vehemently poses this right as a movement to censor content in the name of privacy.[12] The trouble is that one’s Right to Privacy is other’s Right to Know. One’s Right of be Forgotten is other’s Freedom of Speech and Expression or Right to Information.
Therefore it becomes imperative to balance out these various rights which have come at loggerheads with each other with the emergence of RTBF in India. Section 27 (3) of the Data Protection Bill, 2018 provides the adjudicating authority five criterions to decide this conflict. This paper is an attempt to analyse as to how RTBF is at loggerhead with various other rights and how the adjudicating authority will try to shorten subjectivity and increase objectivity in these criterions.
2. HISTORICAL BACKGROUND:
The Right to be Forgotten finds its roots under the French Law, le droit à l’oubli– “Right to Oblivion” a right that allows a convicted criminal who has served his time and been rehabilitated to object to the publication of the facts of his conviction and incarceration.[13] Right to be Forgotten finds its existence under the value of this right. The EU Data Protection Directive, 1995 acted as a legal base to the Right to be Forgotten which talks about it under Article 12(b)[14]. In January 2012, European Commission adopted proposals for the framework of new EU data protection laws which would repeal the Data Protection Directive (DPD) of 1995. The Right to be Forgotten was an important component of the proposed GDPR due to increased personal data processing and high exposure to social networking services.
This right got recognition from the landmark case of Google Spain v. AEPD and Mario Costeja[15]in which the European Court of Justice (ECJ) held that inadequate, irrelevant or excessive data or information in relation to the purposes of the processing to be carried out by the operator of the search engine, such information and links concerned in the list of results must be erased.[16]
On 27th April, 2016 EU got their new data protection law; GDPR[17] which repealed the DPD of 1995. Article 17[18] of this GDPR talks about the Right to be Forgotten as ‘Right to Erasure’. Its clause (1) talks about the right and the grounds on which it can be exercised. It states that the ‘data subject’ can ask the ‘data controller’ to erase his personal data which the ‘data controller’ is obligated to erase, if a) the personal data is no longer necessary, b) the consent for its processing has been withdrawn, c) there are no legitimate grounds to continue the processing after objection, d) the data has been unlawfully processed, e)there is a legal obligation and f) if the data collected is in relation to the offer of informational society services which deals with child privacy.
As no right can be absolute, this right too has been provided with restrictions under Article 17(3)[19]. It says that the Right to be Forgotten won’t come in the way of exercising Freedom of Speech and Expression in complying with any legal obligation, public health, scientific or historical research purposes and establishment, exercise or defence of legal claims.
In India this right got recognition by the famous landmark privacy judgement of K.S. Puttuswamy v. UOI[20]which declared Right to Privacy as a fundamental right. This judgement linked Right to Privacy with the data processing of personal data of an individual. J. Kishan Kaul clearly explains that how knowledge about a person gives one an edge over that person. How it can influence behaviour, choice, preferences and opinion which no democracy can afford.[21] This judgement led to the formation of the B.N. Srikrishna Committee to form a data protection law in India which in turn led to the formation of Data Protection Bill, 2018.
3. INTERNATIONAL PERSPECTIVE:
3.1 EUROPEAN UNION:
This right was first time explicitly recognized by a court in the year2014. European Court Justice (ECJ) in the case of Google Spain SL v. AEPD[22], filed by Costeja, dealt with the problem regarding the two links which used to pop-up on Google on his name search. The links were of articles published by a newspaper a decade ago, which dealt with a property auction as Costeja was not able to pay off his debts.
The appearance of these links, even after years on his Google name search was causing reputational damage to him. Therefore, he asked the Spanish Data Protection Agency to order the newspaper to take the notices down and to order Google to remove links of the articles from the search pages.[23] The newspaper wasn’t hit by the case because it falls under the exception ‘media’ which Google has explicitly opted out of. As the request against Google reached ECJ, the court held that though the information published by the Third Parties (here Google) is lawful and true but at the same time is irrelevant, inadequate and excessive and hence must be erased.[24]
It can be evidently seen how ECJ balances out the two rights, one Freedom of Speech and Expression of Google and other Right to Privacy of Costeja. Though the information gathered was lawful and true, it was causing serious reputational damages to Costeja and though people had a right to know, they need not to know about his years old catastrophe as the information has now become old and irrelevant. Hence, ECJ struck a balance between these rights and kept Costeja’s Right to Privacy or Right to be Forgotten above people’ Right to Know and Google’s Freedom of Speech and Expression. This case was the reason as to why RTBF gained such importance in the framing of new EU data protection laws. The new EU GDPR released in 2016 has explicit provision of RTBF in its Article 17[25], a right which would be granted to all EU countries.
3.2 SOUTH AFRICA:
In South Africa Section 14 of Bill of Rights[26] explicitly talks about right to privacy and in line of it, Justice Harms in National Media Ltd v Jooste[27], defined privacy in the following terms: “Privacy is an individual condition of life characterised by exclusion from the public and publicity. The condition embraces all those personal facts which a person concerned has determined him to be excluded from the knowledge of outsiders and in respect of which he has the will that they be kept private.” It is very evident from just bare reading of interpretation given by Justice Harms is that RTBF, although not explicitly talked about, is a part of Right to privacy and it is the right of the individual to decide the competency of destiny of private facts.
Section 24 of the Protection of Personal Information (POPI) Act provides the data subject to request data fiduciary to correct or delete personal information about the data subject in its possession or under its control that is inaccurate, irrelevant, excessive, out of date, incomplete, misleading or obtained unlawfully[28] and destroy or delete a record of personal information about the data subject that the responsible party is no longer authorised.[29]
Here also POPI Act does not explicitly talks about RTBF, it gives rights to data subject equivalent to RTBF.
3.3 UNITED KINGDOM:
The emergence of this right has not been restricted only to European or civil law countries. Common law countries too seem upfront to accept the Right to be Forgotten. Recently, just 4 months back a High Court in London has granted this right to a businessman in the case of NT1 v. Google LLC[30].
The case was filed two businessmen who were convicted 10 years ago, one for six months imprisonment for conspiring to intercept communications (NT 1) and other for 4 months for conspiring to account falsely (NT 2). They both wanted the links related to their conviction to be removed from Google. While deciding this case, a fair balance had to be managed between the claimant’s right to data protection and privacy and the citizen’s right to freedom of speech and expression and right to know.[31]NT1’s claim was rejected by the court on the ground that he had “not accepted his guilt, had misled the public and, in the instant case, the court, and had shown no remorse over any of those matters.”[32] He was still in business and held the capacity of misleading the public again.[33] Whereas, NT2’s claim was accepted on the ground that he had accepted his guilt after conviction and there is no risk of any kind of repetition of his offence.[34]
Here we can see a fair balance has been struck between the rights of the claimant’s and rights of the citizens. As NT 1 still posed threat to the society and could repeat his offence, people had a right to know about his past before dealing with him. Whereas, NT2 had shown some improvement in his behaviour, he was no longer any threat to the society hence, had a right to privacy so that he can rehabilitate and built his reputation again.
4. EMERGENCE OF THE RIGHT TO BE FORGOTTEN IN INDIA:
4.1 EMERGENCE:
The Right to be Forgotten was not originated in India but emerged by two High Court cases. The first Indian case which ever went close to talking about this right was the Gujarat High Court case of Dharamraj Dave v. St. of Gujarat[35]. In this case the petitioner was involved in charges like culpable homicide not amounting to murder. Although he was acquitted, the easily accessible judgement on the internet by his name search was causing reputational harm to him. The petitioner prayed “permanent restrain of free public exhibition of the judgement and order”[36]. The court rejected this plea saying that High Court is a court of record and all the judgements are available on the High Court website uploaded every day[37]. The High Court of Gujarat kept people’s Right to Know[38]about the judgement above the petitioner’s Right to Privacy[39].
The next case which talked about the Right to be Forgotten is a Karnataka High Court case, Sri Vasunathan v. Registrar[40]. In this case, for the first time this right was recognised by Indian judiciary. A woman X had filed an annulment against her husband. Later she decided to continue with her marriage and quash the charges. The order contained her name and address. Her father came before the honourable High Court of Karnataka with the request to mask his daughter’s name from the order. It was apprehended that a lot of damage would be caused to her reputation and marital life due to the public accessibility of this order.
Though the court decided to make no such changes to the certified copy of the order, but assured that no internet search in the public domain regarding the order would carry her name on it. J. Byrareddy progressively stated:
“This would be in line with the trend in the Western countries where they follow this as a matter of rule “Right to be forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.”[41]
This case upheld a women’s Right to Privacy over people’s Right to Know. There can be seen a recognition of Right of be Forgotten as the information masked, though was true and lawful, was irrelevant to the public and was causing serious damages to the petitioner. Therefore, petitioner’s name was allowed to be forgotten from the judgment.
4.2 RECOGNITION:
This right was recognized in the K.S. Puttuswamy v. UOI[42], the judgement which declared Right to Privacy as a fundamental right. This judgement discussed the Right to be Forgotten in the realm of personal data processing and digital privacy for the first time in India. J. Kishan Kaul in his opinion talked about the devils of internet:
“Humans forget, but the internet does not forget and does not let humans forget.”[43]
He talks about the importance of having a control over existence on internet. He brings in the concept of second chance for whoever is “bound by the shackles of unadvisable things which may have been done in the past.”[44]
The judgement talks about how privacy is a fundamental right and leads to personal autonomy. Personal autonomy has been declared a part of Right to Privacy in the Anuj Garg v. Hotel Assn. of India[45] where the court includes the positive right of individuals to make decisions about their life and its expression under personal autonomy.[46] Hence, it can be said that personal autonomy of a person is control of that person on his life, his information and its public accessibility.
In this age of information it is absolutely necessary for individuals to limit their accessibility.[47]
Kishan Kaul very clearly states:
“The information explosion has manifold advantages but also somemdisadvantages. The access to information, which an individual may not want to give, needs the protection of privacy.”[48]
This is a call to the legislation to bring in India data protection laws. In other words, the accessibility of the personal information of a person also falls under the ambit of Right to Privacy, hence giving validity to RTBF. This judgement led to the formation of B.N. Srikrishna Committee which in turn led to the release of Data Protection Bill on 27th July, 2018.
4.3 DATA PROTECTION BILL, 2018:
Data Protection Bill is a huge step for the patrons of data privacy in India. The proposed law is on lines of EU GDPR but has its own inhibitions. The bill has given a broader aspect to sensitive personal data under section 3(35)[49] including passwords, sexual orientation, biometrics etc., trying to give complete autonomy to data subject on his own data. The proposed bill has made the grounds for processing ‘sensitive personal data’ consent-centric. They have talked about ‘explicit’ consent in section 11 of the proposed law as opposed to the general consent which we often give unknowingly by just checking a box.
The Bill in its section 27 has listed out three conditions on which an individual can exercise his “right to restrict or prevent continuing disclosure of personal data” or the Right to be Forgotten. This will be applicable if data disclosure is no longer necessary, the consent to use data has been withdrawn or if data is being used contrary to the provisions of the law. An adjudicating officer will have to determine the applicability of one of the three scenarios. The officer will also have to determine that the right of the individual to restrict use of her data over-rides the right to freedom of speech or right to information of any other citizen.[50] Although the bill proposed by the government has given a narrow meaning to the Right to be Forgotten. The proposed bill grants “the right to be forgotten” but deceptively defines it as disallowing further disclosure of data. It seems like an attempt to revamp the globally accepted meaning of “forgotten” to “limited recollection”. It shows as if the government is merely posing as an upholder of privacy.[51]
The bill has been widely criticised for various reasons. Firstly, on one hand this bill has provisions for explicit consent of the data principle before processing and on the other hand there are provisions like section 17 and 22 which provide wide discretionary powers to the Data Protection Authority under the Act.[52] Secondly, J. Kishan Kaul in his concurring opinion in Puttuswamy[53]clearly explains how information in the form of data can be used by state against people and how it can influence people’s opinion which can be extremely harmful for any democracy.[54]Yet, the bill doesn’t talk about surveillance. India was hoping that this bill would bring a comprehensive framework on surveillance – in consonance with the international standards. However, the bill doesn’t provide any substantive changes in the surveillance regime in India.[55] Though RTBF has not been originated in India, it is the most upcoming and dynamic fundamental right. It is a new beacon for the upholders of privacy in India. It would be interesting to see in what direction this right would turn after being discussed in the Indian Parliament.
5. RIGHT TO BE FORGOTTEN AT LOGGERHEADS WITH VARIOUS OTHER FUNDAMENTAL RIGHTS:
This paper will analyse the conflict of RTBF with other various rights where both of them are fundamental rights. Firstly, this paper will highlight the conflict between individuals who want to exercise RTBF and individuals who want to exercise Freedom of Speech and Expression under Article 19(1)(a) of the Indian Constitution and secondly the conflict between RTBF and Right to know.
5.1 FREEDOM OF SPEECH AND EXPRESSION:
Freedom of press, in the present era, is the heart of social and political intercourse.[56] Freedom of press got its constitutional sanctity not for the benefit of press but for the benefit of public good.[57] The primary purpose of press is to advance public interest without which a democratic institution like India would not be able to function.[58]
Privacy is the new black in censorship fashions. Previously people used to file cases of libel or defamation whose invoking requires speech not to be true to justify censorship. But now privacy claim will be invoked on the speech which is true.[59] In other words, RTBF would be emerged as a new justification for censorship, a threat to freedom of press, wherein people will bring cases of libel or defamation even when news disseminated is true in nature. Peter Fleischer, Google’s global privacy counsel in his blog titled “Foggy thinking about right to oblivion”[60] made a simple effort to remember rather difficult concept by covering three categories, each of which proposes greater threats to freedom of speech.[61]
First and least controversial one is “if I post something online, should I have the right to delete it again?” If I post a photo, I should be able to delete it or take it down at later point of time after having second-thought over it. Since many social networking sites like Facebook already permits me to do so, mostly it is unobjectionable. However, there is one issue i.e. whether deletion of content from his/her site would amount to deletion of content from the internet?
Moving on to the second and classical category i.e. “If I post something, and someone else copies it and re-posts it on their own site, do I have the right to delete it?” For example, I regret posting a photo having a bottle of beer in my one hand, now I want to delete it and after deleting it, I found that several of friends have downloaded or copied it and reposted it on their sites. What remedy am I left with? Should I ask my friends to delete it but what if they are refusing to do so? Should I ask the platform (e.g. Facebook) hosting the content to delete it? Here comes my privacy claim versus album owner’s freedom of expression. Should such platforms be allowed to arbitrate such entangled dilemmas where they will decide whether to uphold my privacy rights or not? i.e. Either my RTBF or album’s owner Freedom of expression.
Third category mostly relates to the freedom of press which is “If someone else posts something about me, should I have a right to delete it?” This also raises the controversial issue between Right to be forgotten emanating from Right to Privacy versus Freedom of speech and expression.
Suits will be filed against press in the courts even if the information published is true. Karnataka High court in Vasunathancase[62] mentioned about safeguarding the identity of rape victim or women involved in highly sensitive cases like rape where the reputation of the person is at stake.[63] The practical problem would arise in determining the fact that when right to privacy would override Freedom of speech and expression and wouldn’t. A balancing test should be applied for this which authors would be dealing with in the next part.
The issue at hand is that as to what extent the RTBF can be compatible with the right to freedom of speech and expression – whether it will cover one category or two categories or all the categories mentioned by Peter Fleischer.[64] In other words, what should be the parameters where data principal would be able to exercise RTBF over the other person’s freedom of expression? Another issue that will become very evident is whether laws would obligate the third parties (platform hosting the content) to delete information on request of data subjects.[65]
5.2 RIGHT TO KNOW:
Individual desire to forget is an expression of autonomy[66] but it is very imperative to mention that this may impact other individual freedoms like Right to Know. Report of the committee of experts under the chairmanship of Justice B.N. Srikrishna noted that “removing publicly available information takes away from an individual’s right to know at the same time” and this would bring the nature of information with regard to public realm in question.
Hon’ble Supreme Court in the case of Advocates on Record Association v. Union of India[67] while dealing with right to know of the general public on one hand and right to privacy of the individuals on the other hand noted that “the balance between transparency and confidentiality is very delicate and if some sensitive information about a particular person is made public, it can have a far reaching impact on his/her reputation and dignity.”[68]
Human dignity is an integral part of the constitution.[69] RTBF (or privacy) may help an individual to lead a life of dignity by securing the inner recesses of the human personality from unwanted intrusion.[70] When talking about privacy, personal autonomy and liberty need to be taken into consideration. Personal autonomy[71] and liberty[72] being fundamental rights are the responsibility of the state to protect them. Personal autonomy includes both negative right and positive right. In the former sense it means “not to be subject of interference by others” and in the latter sense it means “to make decisions about their life, to express themselves and choose which activities to take part in.”[73]
RTBF linked to the positive autonomy refers to “the ability of individuals to limit, de-link, delete, or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic.”[74] At the same time it may infringe upon the implicit[75] fundamental right “Right to Know” by restricting the general public from acquiring or knowing truthful and rightful information about an individual which would otherwise may prove important or relevant for them.
In light of making people aware about their “right to know”, Right to Information Act, 2005 was passed, arousing a sense of feeling of to be informed. Right to Information is a constitutional right protected under Article 19(1) (a) of the Indian constitution.[76]
Clash between Right to privacy and Right to information was highlighted by Hon’ble Supreme Court in the case of Bihar Public Service Commission v. Saiyed Hussain Abbas Rizwi[77] by noting that “there may be cases where the disclosure has no relationship to any public activity or interest or it may even cause unwarranted invasion of privacy of the individual.”[78]
The real questions are that how the court will resolve this conflict? What factors would be needed to balance out this conflict? Who would be the final authority on definition of the terms ‘misleading’, ‘embarrassing’, ‘irrelevant’ and ‘anachronistic’, despite knowing the inherent and limitless subjectivity present in them?
6. CRITERIONS FOR BALANCING OUT THE CONFLICT OF RIGHT TO BE FORGOTTEN WITH OTHER RIGHTS:
As discussed earlier, RTBF while protecting rights and interest of data subject can override freedom of speech and expression and right of information of other individuals. In that case, Section 27(3) of the Data Protection Bill, 2018 provides adjudicating authority with five criterions to decide the applicability of RTBF. These criterions are sensitivity of personal data[79], scale of disclosure of data and how much accessibility to be restricted[80], role of data principle in public life[81], relevance of data to public[82] and nature of disclosure.[83]
Authors are of the opinion that these criterions possess great subjectivity which may result, while adjudicating, in having different decisions under same facts and situations. This paper poses various questions which an adjudicatory authority may encounter while adjudicating a case. This paper also tries to define contours of otherwise limitless subjective criterions of section 27(3).
6.1 SENSITIVITY OF PERSONAL DATA:
Publication of sensitive information can have far reaching effects and implications. However, answers to questions like what is sensitive and to what extent it will affect the data principle once publication of sensitive data is made are not clear. Who will provide the definition of “what is private”, where its context differs from person to person? There can be two types of information: first, private sensitive and second, public sensitive. Private and confidential medical information is highly sensitive to an individual.[84] In such cases, disclosure of even true information may affect the mental peace of an individual. For instance, court in the case of Mr X v. Hospital Z[85] dealing with the conflict between privacy and medical information noted that “disclosure of even true facts has the tendency to disturb a person’s tranquillity. It may generate many complexities in him and may even lead to the psychological problems.”[86] Therefore, there must be a reasonable basis for disclosure, which must serve a greater public interest as privacy of an individual is at stake here.
Various other examples of “private sensitive information” are intimate sex relationship, extra marital affairs, bank account numbers, Aadhar card number, financial information, health information, information received through interception of cell phones by private and public entities apart from the information received in the “public interest” and other information which will come in limelight with the passage of time as more and more cases will approach the doors of the courts.
Public sensitive information is generally in public interest which often indulges in public discourses. Report of the advisory council of Google on the RTBF[87] highly recommended that information towards a public interest be rarely delisted and should not be subject to much disclosure. Information related to criminal activity, opinions of the public figures (which is in itself highly controversial), public health etc. are in public interest.
Data Protection Bill, 2018 does not talk about surveillance power of the State. The bill provides certain broad exceptions in its Chapter IX. These exceptions are security of the state[88], prevention, detection, investigation, prosecution of contravention of law[89], data processing for the purpose of legal proceedings[90], research purpose[91] and journalistic purpose[92]. Under the garb of these exceptions, the bill has given wide power to the State to keep a watch on the privacy of individuals in ways like interception of cell phones, access to virtually all kind of personal information on social media and internet, etcetera.
Hon’ble Supreme Court in the case of Amar Singh v. Union of India[93] noted that interception of telephonic conversation is invading of the privacy right of person which is a fundamental right protected under the constitution.[94] Therefore, interception must be carried out with sanctity. Absence of any such provision in the Data protection Bill leaves a big gaping loophole which demands immediate attention. Authors are of the opinion that processing of data may go in the wrong hands which will be a huge setback for RTBF for keeping a strong foothold in the Indian jurisdiction. Even Justice Sanjay Kishan Kaul in Puttaswamy[95] noted that knowledge in the hands of “Big Brother” State can be used as tool to exercise control over us.[96]
6.2 SCALE OF DISCLOSURE OF DATA:
Liberty of press must not be misunderstood to mean that press could publish what it wanted. Hon’ble SC in the case of Sanjoy Narayan v. High Court of Allahabad[97] noted that “The unbridled power of the media can become dangerous if check
and balance is not inherent in it.”[98] Therefore, authors are of the opinion that only such information must be put to disclosure which is in public interest and serves some public good, rather than all the information in relation to data principle.
6.3 ROLE OF DATA PRINCIPLE IN PUBLIC LIFE:
In this scenario, virtually all individual will fall under three categories provided by the Google’s advisory committee report. First category would comprise individuals with “clear roles in public life” like politicians, sports and celebrity stars, religious leaders, artists, etc.[99] Second category would comprise those individuals which have not any substantial role in public life. Third and final category would include those individuals with “limited or context specific role in public life.”[100] For instance, individuals who have been thrust into public eye because of some event or leading role they play within their specific community would be a perfect example of the third category.
Authors are of the opinion that disclosure of information of first category individuals would serve greater public interest since public will have an overriding interest.[101] However, wholesale invasion into the lives of prominent public people will be an invasion on their privacy.[102] The real questions that would emerge will be evident from third category. It will be highly controversial as the numbers of individuals in this category will be huge and what will be line where one can say that he or she has become a public figure? News on individuals who are not considered public figures, but they did something in the past that had public importance[103]would pose various challenges before the adjudicating authority.
6.4 RELEVANCE OF PERSONAL DATA TO THE PUBLIC:
Passage of time and change in circumstances of data subject will be some of the criterions to determine the relevancy of the personal data for the public. Information at one point of time may be relevant but with the passage of time, its relevancy may fade away.[104] This relevancy of personal data would play an important role in the criminal matters. Pennsylvania court in a case[105] of 2015 noted that long ago crime did not make the plaintiff a present public figure and “the details about his past likely not newsworthy twenty five years after the fact”[106] Court further noted that his past had “no relation to any public concern.”[107] Time would be of much essence here especially for individuals indulged in minor crime. If their past is published after a period of time, when they are not anymore what they used to be, it may cause serious harm to their reputation and psychological conditions. However there would always be cases which would not lose their relevancy with passage of time like crimes against humanity.[108]
6.5 NATURE OF DISCLOSURE OF PERSONAL DATA AND ACTIVITIES OF DATA FIDUCIARY:
Here adjudicatory authority would take into account various factors like whether data fiduciary is a credible source or not, whether disclosure is a matter of public record, whether information received by the data fiduciary regarding data subject is through lawful means or unlawful means and if by latter then whether data fiduciary remains a credible source or not or whether the information published has good motives and justifiable ends. Where publication is proved to be false and actuated by malice or personal animosity, publisher or data fiduciary in the present context would be liable for damages.[109]
7. CONCLUSION:
This article has conceptualise the conflict between the Right to be Forgotten (RTBF) and other Fundamental Rights like Freedom of speech and expression and Right to Know which have come at crossroads not only in civil law but also in common law countries. RTBF as a concept has not evolved much in the Indian milieu and even Indian courts did not get much opportunity to ponder upon this topic barring few cases. In lieu of this, jurisprudence of RTBF is in its nascent stage around the globe. Some countries like European Union member states generally place RTBF over speech and expression and others like USA generally give impetus to its first amendment rights. In India, after Puttaswamy judgment and Section 27 of Data Protection Bill, RTBF has started to keep foothold on the Indian soil with the possibility of overriding other rights. Statutory balance test given under section 27 to balance out this conflict is very subjective in nature which will give wide powers to adjudicating authorities, so as to whether to entertain RTBF request or not, without keeping checks and balances on it. Exceptions given under chapter IX of the bill has provided “Big Brother” state the power to exercise control on virtually each and every aspect of citizens. It has created a gaping loophole which may result in the infringement of privacy of ordinary citizens. Consent of the data principal for exercising RTBF has been given weightage in the data protection bill. However, regarding the “unfairness” of data the data principle and the Adjudicating Authority may not be on the same page. What may be unfair for data subject may or may not be unfair for adjudicating authority. Where India is adamant on creating the “the new oil of 21st century”, “the world’s largest biometric database” in the form of Aadhaar, seeing data leaks in such system shows the nonchalant attitude of government towards data protection. We need a robust Data Protection system and if we couldn’t manage it then “we Indians are all sitting ducks in the world of data fraud and misuse.”[110]
[1] Viktor Mayer-Schoenberger, Delete: The Virtue of Forgetting in the Digital Age 1 (Princeton University Press 2009).
[2] Id.
[3] Fred K. Nkusi, Is The Right To Be Forgotten Important?, The New Times (Nov. 2, 2018, 3:39 PM), https://www.newtimes.co.rw/section/read/196270.
[4] K.S. Puttuswamy v. U.O.I., (2017) 10 S.C.C. 1, 632.
[5] V. Reding, The EU Data Protection Reform 2012: Making Europe the Standard Setter for Modern Data Protection Rules in the Digital Age, European Commission (Nov. 18, 2018, 9:49 PM), http://europa.eu/rapid/pressReleasesAction.do?reference=SPEECH/12/26&format=PDF.
[6] David Lindsay, Emerging Challenges in Privacy Law 290 (Cambridge University Press 2014).
[7] White Paper Of The Committee Of Experts, Data Protection Framework For India 137 (2018), available at http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf.
[8] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Free and Fair Digital Economy Protecting Privacy, Empowering Indians 78 (2018), available at https://drive.google.com/file/d/1dxgNiWuyHs9eteLbOGfHquEKf-U5XZS4/view.
[9] Samuel Warren & Louis D. Brandeis, The Right to Privacy, 4 Har. L. Rev. 193, 199 (1890).
[10] K.S. Puttaswamy v. U.O.I., (2017) 10 S.C.C. 1, 583.
[11] Dharamraj Dave v. State of Gujarat, 2015 S.C.C. Online Guj. 2019.
[12] Peter Fleischer, Foggy Thinking About The Right To Oblivion, Peter Fleischer: Privacy…? (Nov. 13, 2018, 2:28 PM), http://peterfleischer.blogspot.com/2011/03/foggy-thinking-about-right-to-oblivion.html.
[13] Jeffrey Rosen, The Right To Be Forgotten, 64 Stan. L. Rev. 88, 88 (2012).
[14] Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 art. 12(b) states that “as appropriate the rectification, erasure or blocking of data the processing of which does 2not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;”
[15] Case C-131/12, Google Spain S.L. and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, [2014] E.C.R. I-317.
[16] Id at 94.
[17] Commission Regulation 2016/679, O.J. (L. 119).
[18] Id at art 17.
[19] Commission Regulation 2016/679, O.J. (L. 119).
[20] K.S. Puttaswamy v. UOI, (2017) 10 SCC 1.
[21] Id 591.
[22] Case C-131/12, Google Spain S.L. and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, [2014] E.C.R. I-317.
[23] Eric Posner, We all have the Right to be Forgotten, Slate (Nov. 14, 2018, 2:23 AM), http://www.slate.com/articles/news_and_politics/view_from_chicago/2014/05/the_european_right_to_be_forgotten_is_just_what_the_internet_needs.html.
[24] Case C-131/12, Google Spain S.L. and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, [2014] E.C.R. I-317.
[25] Commission Regulation 2016/679, O.J. (L. 119).
[26] South African Constitution, 1996 §14.
[27] National Media Ltd. v. Jooste, 1996 (3) S.A. (262) A.
[28] The Protection of Personal Information Act, No. 4 of 2013 §24(1)(a).
[29] Id at §24(1)(b).
[30] NT1 v. Google L.L.C., [2018] E.W.H.C. 799 (Q.B.).
[31] Id 1.
[32] Id 2(VII)(g).
[33] Id.
[34] Id 4V(c).
[35] Dharamraj Dave v. State of Gujarat, 2015 S.C.C. Online Guj. 2019.
[36] Id.
[37] Id 4.
[38] Reliance Petrochemicals Ltd. v. V. Proprieters of Indian Express Newspapers, (1998) 4 S.C.C. 592.
[39] Indian Constitution, 1950 art 21.
[40] Sri Vasunathan v. Registrar, 2017 S.C.C. Online 424.
[41] Id. 9.
[42] K.S. Puttuswamy v. UOI, (2017) 10 S.C.C. 1.
[43] Id. 64.
[44] Id. 65.
[45] AnujGarg v. Hotel Assn. of India, (2008) 3 S.C.C. 1.
[46]Id. 34-35.
[47] K.S. Puttuswamy v. UOI, (2017) 10 S.C.C. 1, 584.
[48] Id.
[49] Data Protection Bill, 2018.
[50] Sheikh Zoaib Saleem, What is the Right to be Forgotten in India, Livemint (Nov. 16, 2018, 12:24 AM), https://www.livemint.com/Money/yO3nlG7Xj4vo2VJsmo8blL/What-is-the-right-to-be-forgotten-in-India.html.
[51] Shashi Tharoor, To Plug the Data Spill, The Indian Express (Oct. 29, 2018, 7:16 PM), https://indianexpress.com/article/opinion/to-plug-the-data-spill-5323759/.
[52] Sheikh Zoaib Saleem, 3 Things To Know About The New Draft Law On The Data Privacy, Livemint (Aug. 29, 2018, 7:37 PM), https://www.livemint.com/Money/DiBBSl9e4ybGBI5Me0bWEI/3-things-to-know-about-the-new-draft-law-on-privacy.htm.
[53] K.S. Puttuswamy v. UOI, (2017) 10 S.C.C. 1.
[54]Id. 591.
[55] Save our privacy team, Initial Satement on Justice Srikrishna Committee Report (Oct. 31, 2018, 6:44 PM), https://saveourprivacy.in/blog/initial-statement-on-justice-srikrishna-committee-report.
[56] Indian Express Newspaper v. Union of India para 32 (1985) 1 S.C.C. 641.
[57] Time Inc. v. Hill, SCC OnLine U.S. S.C 1, 20.
[58] Indian, supra note 56, 32.
[59] Peter Fleischer, Foggy Thinking About Right to Oblivion, Peter Fleischer: Privacy…? (Nov. 13, 2018, 8:21 PM), http://peterfleischer.blogspot.com/2011/03/foggy-thinking-about-right-to-oblivion.html.
[60] Id.
[61] Jeffery Rosen, Right to be Forgotten, SLR (Nov. 15, 2018, 8:25 AM), https://www.stanfordlawreview.org/online/privacy-paradox-the-right-to-be-forgotten/.
[62] Sri Vasunathan v. The Registrar General, 2017 S.C.C. OnLine Kar. 424.
[63] Id.
[64] White Paper Of The Committee Of Experts, Data Protection Framework For India 137 (2018), available at http://meity.gov.in/writereaddata/files/white_paper_on_data_protection_in_india_18122017_final_v2.1.pdf.
[65] Peter Fleischer, Right to be Forgotten or How to Edit, Peter Fleischer: Privacy…? (Nov. 13, 2018, 8:20 AM), http://peterfleischer.blogspot.com/2012/01/right-to-be-forgotten-or-how-to-edit.html.
[66] Committee of Experts under the Chairmanship of Justice B.N. Srikrishna, Free and Fair Digital Economy Protecting Privacy, Empowering Indians 78 (2018), available at https://drive.google.com/file/d/1dxgNiWuyHs9eteLbOGfHquEKf-U5XZS4/view.
[67]Advocates on Record Association v. Union of India, (2016) 5 SCC 1.
[68] Id. 953.
[69] K.S. Puttuswamy v. UOI, (2017) 10 S.C.C. 1, 108.
[70] Id. 127.
[71] NALSA v. UOI, (2014) 5 S.C.C. 438, 72.
[72] Indian Const. Art 21.
[73] NALSA v. UOI (2014) 5 S.C.C. 438, 75.
[74] Michael J. Kelly and Davi.d Satola, The Right to be Forgotten, Uni. of Illi. L. Rev. 1, 1 (2017).
[75] Advocates on Record Association v. Union of India Page (2016) 5 SCC 1 953.
[76] Secretary General, Supreme Court of India v. Subhash Chandra Agarwal, 2010 (2011) 1 S.C.C. 496, 11.
[77] Bihar Public Service Commission v. SaiyedHussain Abbas Rizwi (2012) 13 S.C.C. 61.
[78] Id. 23.
[79] Data Protection Bill, 2018 §27(3)(a).
[80] Data Protection Bill, 2018 §27(3)(b).
[81] Data Protection Bill, 2018 §27(3)(c).
[82] Data Protection Bill, 2018 §27(3)(d).
[83] Data Protection Bill, 2018 §27(3)(e).
[84] NM and others v. Smith, 2007 S.C.C. OnLine ZACC 6, 40.
[85] Mr X v. Hospital Z, (1998) 8 S.C.C. 296.
[86] Id. 28.
[87] Luciano Floridi, Report of the Advisory Council to Google on the Right to Be Forgotten 7-14 (2018), available at https://static.googleusercontent.com/media/archive.google.com/en//advisorycouncil/advisement/advisoryreport.pdf.
[88] Data Protection Bill, 2018 §42.
[89] Data Protection Bill, 2018 §43.
[90] Data Protection Bill, 2018 §44.
[91] Data Protection Bill, 2018 §45.
[92] Data Protection Bill, 2018 §47.
[93] Amar Singh v. Union of India, (2011) 7 S.C.C. 69.
[94] Id. 39
[95] K.S. Puttuswamy v. U.O.I., (2017) 10 S.C.C. 1.
[96] Id ¶591.
[97] Sanjoy Narayan v. High Court of Allahabad, (2011) 13 S.C.C. 155.
[98] Id. ¶6.
[99] Luciano Floridi, Report of the Advisory Council to Google on the Right to Be Forgotten 7-14 (2018), available at https://static.googleusercontent.com/media/archive.google.com/en//advisorycouncil/advisement/advisoryreport.pdf.
[100] Luciano Floridi, Report of the Advisory Council to Google on the Right to Be Forgotten 7-14 (2018), available at https://static.googleusercontent.com/media/archive.google.com/en//advisorycouncil/advisement/advisoryreport.pdf.
[101] Id.
[102] Samuel Warren and Louis D. Brandeis, The Right to Privacy, 4 H.L.R. 193, 216 (1890).
[103] Pere Simón Castellano, The Right to be Forgotten under European Law: a Constitutional debate, 16.1 Lex Electronica, 13 (2011).
[104] Case C-131/12, Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, 94 (2014).
[105] Hartzell v. Cummings, 2015 P.A. D & C., 1.
[106] Id. 4.
[107] Id. 7.
[108] Luciano Floridi, Report of the Advisory Council to Google on the Right to Be Forgotten 7-14 (2018), available at https://static.googleusercontent.com/media/archive.google.com/en//advisorycouncil/advisement/advisoryreport.pdf.
[109] Rajgopal v. State of Tamil Nadu, (1994) 6 S.C.C. 632, 26.
[110] Id.