Right to be Forgotten: Myth or Reality.
The purpose of Fundamental Rights is to preserve individual liberty and democratic principles, based on equality of all members of society. Dr. Babasaheb Ambedkar said that, the responsibility of the legislature is not just to provide Fundamental Rights but also and rather, more importantly, to safeguard them. Since the inception of independent India, the judiciary in our country has striven to expand the ambits of Part III of our prestigious Constitution. The Supreme Court of India has exercised its powers to include various facets under Article 21, such as the Right to personal life and liberty; interpreted Article 19 to include in its ambit the Right to freedom of speech etc. so meticulously. As such the Supreme Court of India in the landmark judgment of K.S. Puttaswamy v. Union of India[1] added the Right to privacy as a branch of Article 21 of the Constitution of India, and this was done with certain restrictions to it.
In the present fast rapidly booming digital world many stalwarts agree to the statement that ‘privacy is a myth’. Privacy in Black’s Law Dictionary is defined as, “right to be let alone; the right of a person to be free from unwarranted publicity; and the right to live without unwarranted interference by the public in matters with which the public is not necessarily concerned.”
Looking at the current scenario, when you open an email account or fire up a new mobile phone or even download a simple gaming app on your phone, you will observe a small box with about 40 pages written in it, with a heading ‘Terms and Conditions’ and below all that is a tiny ‘AGREE’. More often than not, we never have the time to sit down and read all of the things in the T&C and therefore we go ahead. When we do that we impliedly give the application or the company the permission to access some of the personal data on our electronic device. Which, I agree is necessary to run the application and it’s the need of the hour. However, my problem is what is being done with the data when we no longer use the application. Most of the applications or devices today collect and save sensitive data i.e. bio metric data, health data, bank details, sensitive passwords, sexual preferences, behavioral data etc. and the question of the hour is, after we stop using the application or device what happens to that data that is collected? Does this data now belong to the companies or do we still own the data? Does Article 21 apply in such circumstances here? Do we have the right to be forgotten?
The Right to be Forgotten is one such right which comes under the ambit of Right to be Left Alone or Right to Privacy, which again comes under the ambit of Article 21 Right to Personal Life and Liberty. The Right to be Forgotten according to me is providing every individual the right or ability to erase, limit, delink, and delete personal information on the internet that has been given to or taken by the device or company, with the consent of the information provider.
It was very rightly said by the Hon’ble Supreme Court in the case of K.S. Puttaswamy v. Union of India[2] “The technology results almost in a sort of a permanent storage in some way or the other making it difficult to begin life again giving up past mistakes. People are not static, they change and grow through their lives. They evolve. They make mistakes. But they are entitled to re-invent themselves and reform and correct their mistakes. It is privacy which nurtures this ability and removes the shackles of unadvisable things which may have been done in the past.” The Supreme Court very rightly pointed out that people grow and learn from their mistakes, while 10–15 years ago any information would not stay long in the public’s head but on the other hand, today, every image or every piece of news can be circulated vastly in a matter of seconds and then it remains on the internet forever. Therefore, people don’t get to fix a wrong they committed, it is a cycle that continuously keeps coming back to haunt them although they have fixed that wrong.
Every child today is on some form of a social media platform, where they post things on the internet without thinking twice about the ramifications it might have on them in the future. The sad fact is that these things most of the times are stored forever with these big companies, and what is the guarantee that these big conglomerates, which are as of today the biggest companies in the world, will remove and forget the entire personal data when the provider wants it to be erased. Many people have a very sad and/or a dark past and spend decades to improve their lives, however this ‘dark past’ can be brought up again in just a few seconds, whether it was a small newspaper article written or even a small comment they had made via a post on social media. To this very date there is no law that protects your data in India and hence one does not have any legal stand to claim such a right or protection for the same. There are Bills regarding the same pending in the Parliament, the latest one being Personal Data Protection Bill, 2018.
The Personal Data Protection Bill 2018, which should have been introduced with haste after the Puttaswami case, is still in the shelf waiting to see the light of the day. It has a very apt and direct preamble to it, which talks about data protection and in a way also enshrines the right to privacy and right to be forgotten. It reads:
“WHEREAS the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy;
WHEREAS the growth of the digital economy has meant the use of data as a critical means of communication between persons;
WHEREAS it is necessary to create a collective culture that fosters a free and fair digital economy, respecting the informational privacy of individuals, and ensuring empowerment, progress and innovation;
AND WHEREAS it is expedient to make provision: to protect the autonomy of individuals in relation with their personal data, to specify where the flow and usage of personal data is appropriate, to create a relationship of trust between persons and entities processing their personal data, to specify the rights of individuals whose personal data are processed, to create a framework for implementing organisational and technical measures in processing personal data, to lay down norms for cross-border transfer of personal data, to ensure the accountability of entities processing personal data, to provide remedies for unauthorised and harmful processing, and to establish a Data Protection Authority for overseeing processing activities;”
This Bill if implemented will have a rampant effect on the way and type of data that is collected by the companies for any kind of use. This piece of legislation would place many restrictions on the company collecting the data, like the kind of data that can be collected, how the data should be stored, restrictions on sharing of this data, what the data can be used for, warnings that should be given to the person giving the data, deletion of data after use etc. This legislation also introduces certain authorities to ensure that these new laws are implemented to the point. This will have an immense impact on the right to be forgotten as the companies will have several, well founded restrictions on how they use, store and process the data.
Coming back to the Puttaswamy Case, the Supreme Court very generously keeping the younger generation in mind stated “Children around the world create perpetual digital footprints on social network websites on a 24/7 basis as they learn their “ABCs”: Apple, Bluetooth and chat followed by download, e-mail, Facebook, Google, Hotmail and Instagram. (Michael L. Rustad, Sanna Kulevska, “Reconceptualizing the right to be forgotten to enable transatlantic data flow”, (2015) 28 Harv JL & Tech 349.) They should not be subjected to the consequences of their childish mistakes and naivety, their entire life. Privacy of children will require special protection not just in the context of the virtual world, but also the real world.”[3] This statement once again gives us motive to protect the right to be forgotten and proves to us that the internet always keeps a track and remembers and unless strict data protection laws are implemented with utmost haste, our data will never be forgotten.
The seed of Right to be forgotten was sown in Europe with the landmark judgment of Google Spain SL v. Agencia Española de Protección de Datos[4] where in 1998, La Vanguardia newspaper of Spain published two articles concerning an attachment and garnishment action against one Costeja González. In 2009, he contacted the newspaper, asserting that when his name was entered in Google.com, there was still a reference to the pages of the newspaper concerning the legal action. González argued that the information should be removed because the proceedings were concluded years earlier and that there was no outstanding claim against him. The newspaper, however, denied his demand, claiming that the legal action was published pursuant to an order by Spain’s Ministry of Labour and Social Affairs. Later in 2010, he contacted Google Spain, arguing that the online search results of his name should not make reference to the newspaper’s publication of his legal proceedings.
Upon Google’s failure to comply, González brought a complaint before Spain’s Data Protection Agency against the newspaper, Google Spain, and Google Inc. The Agency dismissed the action against the newspaper, reasoning that the publication was made pursuant to a government order. However, it upheld the complaint against Google and its subsidiary, Google Spain. It was further held that, because the operators of internet search engines process personal data, they are subject to relevant privacy legislation and can be under the obligation to remove information that compromise the fundamental right to privacy.
In conclusion, the EU Court ruled that there exists such a right as ‘Right to be Forgotten’. The Court also put certain restrictions where the right to be forgotten ceases to exist by saying “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person, also in a case where that name or information is not erased beforehand or simultaneously from those web pages, and even, as the case may be, when its publication in itself on those pages is lawful.” The Court also held that individuals whose personal data is publicly available through Internet search engines may “request that the information in question no longer be made available to the general public on account of its inclusion in such a list of results” as their rights to privacy and protection of personal data override not only the economic interest of the operator of the search engine but also the interest of the general public in having access to that information upon a search relating to the data subject’s name.” The Court, however, emphasized that the right to initiate such request may cease to exist when access to personal information “is justified by the preponderant interest of the general public in having, on account of its inclusion in the list of results, access to the information in question.”
The Supreme Court of India expressed its view on how if the right to be forgotten does not exist it diminishes other rights such as freedom of expression, free media etc. The Supreme Court in the case of K.S. Puttaswamy v. Union of India[5] stated “People change and an individual should be able to determine the path of his life and not be stuck only on a path of which he/she treaded initially. An individual should have the capacity to change his/her beliefs and evolve as a person. Individuals should not live in fear that the views they expressed will forever be associated with them and thus refrain from expressing themselves.” On careful scrutiny and by interpreting these lines one can conclude that right to be forgotten should exist otherwise it will hinder the right to change any opinion or their believes, as people will be trying to protect their reputation and could be embarrassed about their newly found ideas or beliefs.
The Apex Court of our country has again warned the law makers to keep in mind the other rights such as freedom of speech and expression, freedom of media etc. while framing the above mentioned Data Privacy Laws. The Supreme Court said “Whereas this right to control dissemination of personal information in the physical and virtual space should not amount to a right of total eraser of history, this right, as a part of the larger right to privacy, has to be balanced against other fundamental rights like the freedom of expression, or freedom of media, fundamental to a democratic society.”[6] Thus the laws cannot in any way hinder these other rights. Considering that one can retract any information about oneself which was made public right away interferes with the right of media to portray any true and public information about anyone. This is still a hot topic of debate ‘if right to privacy or right to be forgotten obstructs freedom of speech and expression?’
The Supreme Court very boldly in the above mentioned judgement stated some scenarios where it would be permissible to breach the right to privacy, by stating that “Such a right (right to privacy/forgotten) cannot be exercised where the information/data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defense of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.” The Hon’ble Apex Court in my opinion has very lightly stated the last sentence of the above-mentioned specific paragraph, wherein it has said that any kind of privacy breach would be justified in cases of public interest, public health, historical research etc. which is acceptable. What the Hon’ble Judges did not mention is that who would decide if the breach was within the ambit of public interest. They completely left it up to the legislature to frame rules and laws regarding that.
Data breach is a very sensitive issue. As mentioned in the above paragraphs it could dismantle someone’s life in matter of seconds. Breach in Black’s Law Dictionary is defined as ‘BREACH: The breaking or violating of a law, right, or duty, either by commission or omission.’ If a law permits anyone to access anyone’s private data it would not be termed as ‘breach of data privacy’ because lawful access does not fall under the term ‘breach’. Interpreting this sentence, any kind of breach would be permissible if it’s done in public interest but the question arises as to what if the breach is already committed and thereafter the courts/authorities decide that the data collected is not in public interest, that will once again cause havoc as the breach was committed without any legal justification.
In my humble opinion, an intrusion into anyones’ private data should be permissible if it is necessary, but only after a proper Court/judicial order where all the principles of laws and natural justice are followed i.e. both the parties are heard, both the parties are given proper representation, the decision is made by a competent authority etc. If that happens, one cannot term it as ‘breach in data privacy’ but simply ‘lawful collection of personal data’. Furthermore, the authority should set up guidelines depending on the case, as to who can access this lawfully collected data and to what extent the collecting authority can use that data. The authority should also pass immediate orders, as to protecting the data which has been sought out by the data requester, the sole reason for this being, the owner of the data does not try to dispose of the data which been sought in public interest. A perfect comparison of this would be a Civil Judge passing a stay order on the immovable property, in order to protect the plaintiffs claim, as to the defendant not selling off the property before the case is decreed. By doing this, the rights of the data holder and the right of the person who is asking for the data remain intact.
Right to be forgotten still remains a myth in most parts of the world, and we live in a world where personal data is no more a concern. What I like to call it is an ‘Open Book Society’, where everyone knows everything about everyone, as we provide these IT Companies access to our data and use it in any way they want to. At times, the computer through Artificial Intelligence(AI) knows more about us and our day than most of our loved ones. All this feels new and very advanced as of now, but considering ten or fifteen years down the line this will get out of hand and become very dangerous. To put it in simpler terms let us imagine someone having all of your personal data of the past decade or so, from the places you’ve visited, people you have spoken to, pictures you have clicked, webpages you have visited etc. These big companies will take or rather already are taking all kinds of information about everyone. They will be and maybe already are making profiles of each of their users, collecting data every minute of every day. Using these profiles they can easily blackmail us or change our opinion or the way we think in a matter of days, by targeted marketing. Do we really want to live in an age where a big company or its AI decides how our day should be or what we should buy or who we should vote for?
Therefore, to conclude, I am in complete support of the Right to be Forgotten. I strongly believe that in addition, we should have the right to tell the companies collecting our data to strike out our data whenever we want to. There should be restrictions imposed on these companies on how they collect the data, how they tend to use the data, how they should destroy the data etc. The term ‘Personal Data’ has the word personal in it for a reason, as it belongs to a singular entity. The provider of the personal data has to be the whole and sole owner and commander of his/her data. These laws on Data Protection should be made strict and should be implemented as soon as possible, without further delay and they should include the data providers right to be forgotten whenever they choose to.
[1] (2017) 10 SCC 1
[2] (2017) 10 SCC 1, page 630 paragraph 632
[3] (2017) 10 SCC 1, page 630 paragraph 633
[4] ECLI:EU:C:2014:317 (Neutral Citation: https://opil.ouplaw.com/view/10.1093/law:ilec/060cjeu14.case.1/law-ilec-060cjeu14)
[5] (2017) 10 SCC 1, page 630 paragraph 634
[6] (2017) 10 SCC 1, page 631 paragraph 635
