Right to Be Forgotten under Right to Privacy


    In News

    • The Centre told Delhi High Court in a response to a plea that the Data protection Bill has provisions for ‘right to be forgotten’.

    Court’s stand

    • The right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the Internet.

    Right to be forgotten in India (RTBF)

    • RTBF is a fairly new concept. The Ministry of Electronics and Information Technology (MeitY), in an affidavit, stated that the international legal concept of ‘right to be forgotten’ is evolving in India.
    • It is the right to have personal information removed from publicly available sources, including the internet and search engines, databases, websites etc. once the personal information in question is no longer necessary, or relevant
    • The Right to be Forgotten falls under the purview of an individual’s right to privacy, which is governed by the Personal Data Protection Bill that is yet to be passed by Parliament.
    • In 2017, the Right to Privacy was declared a fundamental right by the Supreme Court in its landmark verdict. 
      • The court said at the time that, “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.

    Personal Data Protection Bill

    • It was introduced in Lok Sabha on December 11, 2019.
    • Aim: To set out provisions meant for the protection of the personal data of individuals.
    • Clause 20 under Chapter V of this draft bill titled “Rights of Data Principal” mentions the “Right to be Forgotten.” 
      • It states that the “data principal (the person to whom the data is related) shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary”.
      • It gives an individual the right to restrict or prevent the continuing disclosure of their personal data when such data 
        • Has served the purpose for which It was collected, or is no longer necessary for said purpose; 
        • Was made with the consent of individual, which consent has since been withdrawn; or 
        • Was made contrary to the PDP Bill or any law in force.
      • While assessing the data principal’s request, this officer will need to examine the:
        • sensitivity of the personal data, 
        • the scale of disclosure, 
        • degree of accessibility sought to be restricted, 
        • role of the data principal in public life and 
        • the nature of the disclosure among some other variables.
    • Therefore, broadly, under the Right to be forgotten, users can de-link, limit, delete or correct the disclosure of their personal information held by data fiduciaries. 
      • A data fiduciary means any person, including the State, a company, any juristic entity or any individual who alone or in conjunction with others determines the purpose and means of processing of personal data.
    • Even so, the sensitivity of the personal data and information cannot be determined independently by the person concerned, but will be overseen by the Data Protection Authority (DPA)
      • This means that while the draft bill gives some provisions under which a data principal can seek that his data be removed, his or her rights are subject to authorisation by the Adjudicating Officer who works for the DPA.
    • In the meantime, the Information Technology Rules, 2011 — which is the current regime governing digital data — does not have any provisions relating to the right to be forgotten.

    Global Scenario

    • European Union:
      • The Center for Internet and Society notes that the “right to be forgotten” gained prominence when the matter was referred to the Court of Justice of the European Union (CJEC) in 2014 by a Spanish Court. 
      • It was a case between Search engine Google and a person whose data was shown in the search engine.
      • This ruling was considered an important victory for Google, and laid down that the online privacy law cannot be used to regulate the internet in countries such as India, which are outside the EU.
      • In the European Union (EU), the right to be forgotten empowers individuals to ask organisations to delete their personal data. 
      • It is provided by the EU’s General Data Protection Regulation (GDPR), a law passed by the 28-member bloc in 2018.
        • The General Data Protection Regulation (GDPR) is the toughest privacy and security law in the world. 
        • Though it was drafted and passed by the European Union (EU), it imposes obligations onto organizations anywhere, so long as they target or collect data related to people in the EU.
      • In its landmark ruling, the EU’s highest court ruled in 2019 that the ‘right to be forgotten’ under European law would not apply beyond the borders of EU member states.

    Way Ahead

    • The Right to be Forgotten needs to be established statutorily in Indian jurisprudence and must extend to cover private persons as well as the State, as proposed in the Personal Data Protection Bill, 2019. 
    • The right to be forgotten is necessary to enable individuals to have more and better control of their personal information online.
    • The countries need to think in terms of designing the right constitutive rules of the logical space of online information. 
    • The right to be forgotten could be a remedy for victims of sexually explicit videos/pictures often posted on social media platforms by culprits to intimidate and harass women.

    Source: TH