The Hon’ble Supreme Court while dealing with the case of Justice K. S. Puttaswami and another Vs. Union of India, wherein a nine Judge Constitutional Bench, while delivering its Judgment on 24th August, 2017, declared “privacy” as a fundamental right under Article 21 of the Constitution of India. Subsequently, on 26th September, 2018, a five Judge Constitutional Bench of the Hon’ble Supreme Court while delivering its final judgment in the above case impressed upon the government to bring out a robust data protection regime.

This paved the way for introduction of a Data Protection Bill in the Parliament, which is pending in both the houses. The Personal Data Protection Bill 2019 was tabled in the Parliament by the Minister of Electronics and Information Technology on 11th December 2019. The bill within its ambit tries to develop a mechanism for protection of personal data and for setting up an authority “Data Protection Authority of India” for the same.

This bill aims to provide for protection of the privacy of individuals relating to their personal data, specify the flow and usage of personal data, create a relationship of trust between persons and entities processing the personal data, protect the rights of individuals whose personal data are processed, to create a framework for organizational and technical measures in processing of data, laying down the norms for social media intermediary, cross-border transfer, accountability of entities processing personal data, remedies for unauthorized and harmful processing, and to establish a Data Protection Authority of India  for the said purposes and for the matters connected therewith or incidental thereto. Among various facets of the bill, an interesting facet is Right to be forgotten.

The Right to be forgotten is distinct from the right to privacy, which constitutes information that is not publicly known, whereas the right to be forgotten involves removing information that was publicly known at a certain time and not allowing third parties to access the information. The Right to be Forgotten allows the individuals to have certain information or data about themselves in the form documents, photographs, videos etc to be deleted from the internet, so that it may not be accessed by internet search engines any further. The grey area lies in the potential undue influence that such results may exert upon a person’s online reputation almost indefinitely if not removed.

This concept has already been put into practice in the European Union and Argentina since 2006. Since in India this will be a relatively new concept therefore I will try to explain its merits and demerits quoting the European Union’s process. To exercise the right to be forgotten and request removal from a search engine, a person requires to complete a form through the search engine’s web sites. Google’s removal request process requires the individual to identify their country of residence, personal information, a list of the URLs to be removed along with the short description of each one, and attachment of legal documents regarding identification. The applicant receives an email from Google confirming the request but the request must be assessed before it is approved for removal. If the request is approved, searches using the individual’s name will no longer result in the content appearing in search results. The content remains online and is not erased. After a request is filed, their removal team reviews the request, weighing              “the individual’s right to privacy against the public’s right to know”, deciding if the website is “inadequate, irrelevant or no longer relevant, or excessive in relation for the purposes for which they were processed”. Google has formed an Advisory Council constituting of various professors, lawyers, governments officials from around Europe to provide guidelines for these decisions. However, the review process is still a mystery to the general public. Google began to take action on this much sooner than that, which allowed them “to shape interpretation to their own ends”. 

Google form asks people to select one of the twenty-eight counties that make up the European Union, as well as Iceland, Liechtenstein, Norway and Switzerland. The form allows an individual to put in a request for the removal of any URLs believed to be a violation of the individual’s privacy. Regardless of who is submitting the form, he is required to submit photo identification of the person for whom the form is being submitted. The purpose of this is to verify the identity of the person for whom the request is being made, and in fact that person approves of the same.

If Google refuses a request to unlink material, individuals can appeal to their local data protection agency. If Google fails to comply with a Data Protection Agency decision, it can face legal action. Google has applied the right to be forgotten since May 2014, when the European Court of Justice first determined that under some circumstances European citizens could force search engines to delist web pages containing sensitive information about them from queries made using their names. 

Indian Perspective: 

As per the data available on google since 2009 out of approximately 8400 requests of data removal, Items broken down by decision taken in requests involving a court order or originating from various government agencies. Prior to 2019, Google published removal percentages based on action taken on requests and not found items, is as under:

Removed Legal 45.6%, Removed owing to Policy 5.1%, Not enough information 27.8%, No action taken 15.4%, Content already removed 4.5%, Content not found 1.6%.

Indian Courts have been alive to this concept, as there have been few instances such as:

In January, 2017 the Hon’ble Karnataka High Court upheld the right to be forgotten, in a case involving a woman who originally went to Court in order to get marriage certificate annulled, claiming to have never been married to the man named in the certificate. After the two parties came to an agreement, the woman’s father wanted her name to be removed from search engines regarding criminal cases in the High Court. The Karnataka High Court approved the father’s request, stating that she had a right to be forgotten. According to the Court, its ruling would align with western countries’ decisions, which typically approve of the right to be forgotten when dealing with cases “involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.” The woman in this specific case was worried that the search results would affect her standing with her husband, as well as her reputation in society. There is another case of similar consequences, which is pending before the Hon’ble Delhi High Court.

The Hon’ble Karnataka High Court considered as follows: “The ‘right to be forgotten’ or ‘the right to be erased’ allows an individual to request for removal of his/her personal information/data online. The origin of this right can be traced back to the French jurisprudence on the ‘right to oblivion’ or droit a l’oubli. The rationale behind it was to allow offenders who had served their sentence to object to the publication of information regarding their crime and conviction in order to ease their process of social integration. It was along these lines that the European Union Data Protection Directive, 1995 acknowledged the right to be forgotten, wherein it was stipulated that the member states should give people a right to obtain from the ‘controller’ the rectification, erasure or blocking of data relating to them, the processing of which did not comply with the provisions of the Directive.”

There are certain limitations, regarding its application in a particular jurisdiction, which may have practical difficulties, including the inability requiring removal of information held by companies, entities, individuals outside the jurisdiction, because of their being no global legal framework to allow individuals control over their online images, documents, videos etc.

There are industry apprehensions that the bill gives a blanket power to the Government to access citizen data and further that the Central Government can exempt any Government agency from the purview of this bill.

The Data Protection Bill, 2019 is in tune with the modern times, and with the growth and boom of internet, social media, and other platforms, this Data Protection Bill, is a must, which should be implemented at the earliest, though with few changes and a little bit of fine tuning in sync with the present times and scenario.