Recent discussions on the scope of the right to privacy often centre on the ambit of the “right to be forgotten”. Finding significant footing in the EU’s General Data Protection Regulation (“GDPR”), the right to be forgotten substantiates erasure obligations, and requires companies that publicise personal data to erase links to, or copies of, such data in certain circumstances.
Indian jurisprudence on the right to be forgotten has evolved since the Supreme Court’s 2017 decision in Justice K.S. Puttaswamy v. Union of India that upheld the right to privacy as a fundamental right. In recent years, decisions of various High Courts have highlighted the need for individuals to exercise this right. The most recent development arises out of a November 2020 decision of the Orissa High Court in Subhranshu Rout @ Gugul v. the State of Odisha.
The case involved an alleged sexual assault, in which the perpetrator filmed the assault, created a fake social media profile, and uploaded the content to the social media platform. The High Court of Orissa (“Court”) dismissed the accused’s bail application and noted the lack of effective remedies for victims to seek the removal of objectionable material from the internet. Taking into consideration both rising online harassment and unprecedented insensitive behaviour on the internet, along with the lack of a framework to exercise the right to be forgotten, the Court observed that there was a need for wider debate on the implementation of this right.
While denying the accused bail due to the heinous nature of the offence, the Court noted that the lack of appropriate legislation on the right to be forgotten can add to a victim’s confusion, and that, regardless of the ongoing criminal proceedings, the victim and the prosecution ought to consider approaching social media platforms to have such content taken down.
Interestingly, in addition to different Indian High Courts’ decisions, the Court also examined European and English decisions on the right to be forgotten in the judgement, including the European Court of Justice’s 2019 decision in Google LLC v CNIL and the Wales High Court’s 2018 decision in NT1 and NT2 v Google LLC, as well as the treatment of this right under India’s proposed data protection legislation.
Under the Personal Data Protection Bill, 2019 (“PDPB”) that is currently under the scrutiny of a Parliamentary Committee, the right to be forgotten enables data subjects to restrict or prevent data fiduciaries (similar to controllers under the GDPR) from disclosing personal data in cases where the disclosure (a) has served the purpose for which it was collected or is no longer necessary for the purpose, (b) was made with the consent of the data subject who has then withdrawn such consent, or (c) was illegal. This right, however, is only exercisable upon the order of an adjudicating officer appointed by the to-be-constituted Data Protection Authority.
While the final contours of the scope of this right under the PDPB remain to be seen, one hopes that an exercise of this right is not “complex, confusing, and intimidating” – allegations that the Orissa High Court levelled against the Indian criminal justice system.