Introduction:
In India, the Personal Data Protection Bill, 2018[1] (“New DP Act”) has come up with an idea of the “right to be forgotten” of a person. Under India’s current data privacy law, this right is not currently available under the Information Technology (Reasonable Security Policies and Procedures and Confidential Personal Data or Information) Rules, 2011[2] (DP Regulations 2011) set out in the Information Technology Act, 2000[3] (IT Act 2000).
The Right to Prevent or Obstruct the continuing Disclosure of Personal Data
Section 27 of the New DP Act[4], which is mentioned under Chapter VI (Data Principal Rights) of the New DP Act, specifies, in certain words, the “freedom to be lost” According to this clause, every data principal shall have the power to limit or prohibit the continued disclosure of personal data (related to that data principal) by any fiduciary data if that disclosure satisfies one of the following three requirements, namely the disclosure of personal data: (i) has been used or is no longer required for the reason it was produced; ii) was granted based on the consent of the data principal and such consent was revoked since then; or (iii) was made contrary to the provisions of the New DP Act or any other law in force.
In order to exercise the above right to regulate or prohibit the continued disclosure of personal data, an application must be sent to the Adjudicating Officer in the type and manner prescribed[5], and that Adjudicating Officer must have found that either of the above three conditions applies and that The data principal’s interests and rights in avoiding or prohibiting the disclosure of continued personal data outweigh the right to information and right to freedom of speech and expression of every individual.
In order to determine, whether the rights and the needs of the data controller outweigh the right to free speech and expression and the right to privacy of every resident to prevention or limitation on ongoing disclosure of personal information, this adjudicator will weigh such factors as: (a) the sensitivity of the personal data; (b) The scope of disclosure and accessibility of data are limited or prevented; (c) the role of the data principal in public life; (d) the public relevance of personal details; and (e) The essence of transparency and the actions of the data guardian, in particular where the fiduciary information provides access to private information on a regular basis and where operations are greatly hindered by restricting or preventing disclosures of a similar nature..[6]
Where a person is of the opinion that the disclosure of personal information which has been limited or prohibited by an order of the adjudicator is no longer in line with the requirements for restraint or prevention, that person can appeal to the arbitrator, as necessary and as a result, for a review of that order in the manner specified by the arbitrator.
Genesis of the Right to be Forgotten
In the case of Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González[7], the right to be forgotten emerged in a decision delivered in 2014 by the European Court of Justice. In this situation, in 1998 a newspaper released an article about a compulsory selling of property by Mr. Mario Costeja González in order to pay off the debt of social security. Mr. Mario Costeja, in 2009 in an old story, he checked his name and addressed in the paper to demand a withdrawal from the public domain of content on coerced land sale properties.
When the journal denied the appeal claiming that it is a government-appealed publication, Mario Costeja Gonzalez ordered the withdrawal of search results by Google Spain SL (‘Google’). Ultimately, EU courts ruled that Google should erase the search results, but that the initial article should not be deleted. The decision provided an important precedent and maintained the freedom to be forgotten as law, with numerous exceptions. The Court of Justice therefore ruled that European citizens are entitled to order business search providers, such as Google, to delete access to privacy on request, provided that such information is no longer relevant. The European Court of Justice found that the human right to privacy is stronger than the economic interest of a private corporation and, in some cases, more than the general interest in information access.[8]
Comparison with GDPR
While this right, contained in article 17 of the GDPR, has a broader significance than that given for in section 27 of the Current DP Act, it is already authorized by the European Union General Data Protection Regulation (“GDPR”). Under GDPR, the data subject can request the controller to remove all personal information about him or her, retained by the controller, without undue pause. The data managers may only forbid or discourage the continuing distribution of personal data in compliance with the New DP Act, as stated before. It is not possible to request the fiduciary to completely delete the personal data. The data subject must be able to explain that to exercise the right to erasure under the GDPR: (i) There are no long explanations why personal data is gathered or processed otherwise; or (ii) The data subject has removed the processing authorization and no other legitimate reason remains for the processing the data subject; or (iii) The data subject has deleted the processing authorization and there is no other valid explanation for the processing; or (iv) unauthorized processing of the data subject’s personal data; or (the deletion of sensitive details in order to comply with the ethical requirements of the data controller; or (vi) The compilation of personal data relating to the distribution of information society services specifically to the child.[9]
However, the right to be forgotten under GDPR does not apply insofar as it is appropriate to gather personal data: (a) for the exercise of the right to information and right to freedom of speech ; (b) for the execution of a lawful obligation or for the execution of a public service mission; (c) for public health reasons; (d) for general interest archival purposes, science, history or for comparative purposes, where the exercise of the right to perdition is likely to hinder or obstruct the purposes of the archiving.; or (e) The establishment of legal claims, practice or defense.
The GDPR helps the data receiver to enter the controller to delete personal data in comparison with the new DP Act. The data subject may only request redress from a supervisory authority if the data controller refuses to comply with the order. Article 58(2) of the GDPR provides that a supervisory body has, inter alia, the power to rectify, delete and control personal data in accordance with Article 17 of the GDPR.[10]
Impact of the Right to be Forgotten
Internet Searches
After complete enforcement of the New DP Act, a citizen whose personal data was searched on the Internet may order a judge demanding the removal of such personal data from a public domain by one or more search-engines provided that the conditions set out in section 27 of the New DP Act was met, i.e. that the continued disclosure of the data is no longer needed. In the interests of the individual whose personal data has been deleted, the balance of concern between such exclusion and the freedom of speech and expression, or the right of every other citizen to privacy, needs to be balanced As mentioned earlier, however, such a person would not be able to request the removal of such personal information and such private information may remain on servers and other storage spaces.[11]
Further disclosure under section 27 of the New DP Act, as stated above, may also be limited by personal data kept in various other ways. Therefore, pressuring an employer not to reveal information relating to ex-employees may use the right to forget if it can be seen that such information is no longer important or relevant, say a past act of discipline.[12]
Restricting Disclosure of Data held by a Public Authority
In the event of the data fiduciary who owns or maintains personal information, the right under section 27 of the New DP Law will be applicable for forgetting. In this case, a public body might be a university or government-operated bank or hospital. Does the trustee of data constitute a public official count against the data key to balance the interest between such exclusion and the right to freedom of speech and expression and the rights of other people to their privacy? Note: the presence or character of the fiduciary information is unchanged, particularly because in section 27 of the New DP Act elements such as the right to freedom of speech and expression and the rights of other persons to information have been added.[13]
Journalistic Exemption
Section 47 of the New DP Act exempts from a variety of provisions of the New DP Act the processing of personal data necessary by or related to a journalistic function, including, inter alia, section 10 and section 27. Therefore, the right to be lost and the constraint of data storage legislation does not extend if the personal data is owned by a media organization who can show that the gathering of personal data is needed for a journalistic reason. ‘Journalistic intent’ means any activity aimed at disseminating factual storeys, analysis, views , opinions or documentaries related to I reporting, recent or current events in print , electronic or other media; or (ii) any other information deemed by the data trustee to be important to the public or to any easily discernible class of the public. In other words, it could be a matter of public interest to either add confidential information to national coverage, or to enforce this right. In addition, such processing should also be consistent with any code of ethics issued by the Indian Press Council or any media self-regulatory body for journalistic purposes.[14]
As provided for in section 47 of the new DP Act, the GDPR would not have an exception. However, Article 85 of the GDPR (Processing and Free Speech and Information) allows Member States, whether for journalistic and academic, artistic or literary purposes, to balance the right to the protection of personal data with the right to freedom of expression and knowledge. Member States shall allow for derogations or exemptions from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or foreign bodies) for processing to be carried out for literary or intellectual creative purposes or for journalistic purposes.
Conflict between the Right to Privacy in respect of Personal Data and the Right to Information
As may be anticipated, there are no contradictions between the right to privacy of personal information and the right to information as enshrined in the 2005 Right to Information Act (“RTI Act”). The RTI Act sets out a practical mechanism for Indian citizens to maintain publicly controlled access to data. In the RTI Act, democracy calls for democratic citizenship and the disclosure of important information, which entails coercion, government obligations, and regulated instruments. This also implies that information transparency in actual practice can conflict with other public interests, including government production, the efficient use of weak budgetary instruments, and security from confidential secrecy. The goal of the RTI Act is to harmonize these rivals and to maintain a democratic ideal underlying them.
The provisions of section8 of the RTI Act provide for a variety of exemptions for information affecting or within the authority of public bodies from declaration by a public information officer. No one shall reveal any details as to whether the publishing of such data will adversely affect India’s sovereignty and integrity, or whether the court order barring the disclosure or publishing of such data will lead to a breach of parliamentary or state legislative rights, or whether such details contain business secrets or is infringed by the information. Section 8 of RTI’s sub-section (j)[15] Provides safeguards from public access for confidential information because the term “staff documents” does not apply. In compliance with Article 8(1)(j), if the publication of such specific data does not affect public practices or desires, or if it may contribute to an unqualified violation of the privacy of the individual involved, it is not obliged to reveal citizens’ information on “personal information” (sic), unless officials are created and empowered under RTI law, such as the Law.
Overlap between section 8(1)(j) of the RTI Act and the right to be forgotten under the New DP Act
The only distinction between the right, under Section 8(1)(j) of the RTI Act, to privilege (against exposure) and the right, under Section 27 the Current DP Act, to be forgotten is that the data officer can, by petitioning the adjudicator, take proactive steps to curtail or forbid the further exposition of his or her personal data. The former can be refused to make such information accessible on the basis of the exemption set out in Article 8 (1)(j) of the RTI Act by a public official (such as the Central Public Information Officer, the State Public Information Officer, and the Appeal Authority), who has been sought some information from it.
Section 11 of the RTI Act, which has been read pursuant to Section 7(7) of the RTI Act, stipulates that before any information relating to a third party have been released under Section 6 of the RTI Act, a written notice is issued, and the request is made The third party who demanded or sought that information (in writing or orally). This submission from a third party must be taken into account before determining if the information is transmitted. Instead of the option to send a report as necessary, the third party has little to no discretion in revelating content.
Proposed amendment of section 8(1) (j) of the RTI Act by the New DP Act
The New DP Act[16] introduces changes to the above subsection (j) in section 8 of the RTI Act[17]. The modifying language of the second order is given to the New DP Act and includes terms related to the language of the New DP Act. The proposed amendment specifies that sensitive details shall not be disclosed in compliance with the RTI Act if such exposure is probable, through promising openness and honesty in the activity of public officials, to trigger ‘dain’ to a private citizen if the damages outweigh the public interests in accessing such details due to the popular value. The proposed amendment also states that the current DP Legislation must attribute the significance to terms like ‘personal data,’ ‘data principal’ and ‘damage.’
In compliance with the New DP Act, the term ‘effect’ is fairly large and encompasses the lack of reputation or embarrassment, limitation or explicitly or implicitly enforced on or suffered from actions arising from a fear of supervision or control. In comparison, the revised exemption exists where there is a clear incentive to make sensitive information ‘hazardous’ to persons. In the present exception, a mere probability of injury is not acceptable. In fact, the disclosure will lead to an unjustified breach of the corresponding individual’s privacy.[18]
The plan to amend the RTI Act greatly extends the scope of the existing exception under Section 8(1)(j) of the RTI Act and provides information officers with wider leeway to deny the information disclosure order. This amendment would, if enforced, weaken the right of people to know.
Conclusion
The Right to be forgotten is an important right that still needs to be recognized through legislation and precedents in India.
References:
[1] Personal Data Protection Bill, 2018, S. 27.
[2] Information Technology (Reasonable Security Policies and Procedures and Confidential Personal Data or Information) Rules, 2011.
[3] Information Technology Act, 2000.
[4] Personal Data Protection Bill, 2018, S. 27.
[5] Personal Data Protection Bill, 2018, S. 68.
[6]Vinay Joseph & Deeya Ray, The Right To Be Forgotten – Under The Personal Data Protection Bill 2018 – Privacy – India www.mondaq.com (2019), https://www.mondaq.com/india/privacy-protection/860598/the-right-to-be-forgotten–under-the-personal-data-protection-bill-2018 (last visited Aug 31, 2020).
[7] Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González,ILEC 060 (CJEU 2014)
[8] Shaikh Zoaib Saleem, What is the right to be forgotten in India https://www.livemint.com (2018), https://www.livemint.com/Money/yO3nlG7Xj4vo2VJsmo8blL/What-is-the-right-to-be-forgotten-in-India.html.
[9] Vinay Joseph & Deeya Ray, The Right To Be Forgotten – Under The Personal Data Protection Bill 2018 – Privacy – India www.mondaq.com (2019), https://www.mondaq.com/india/privacy-protection/860598/the-right-to-be-forgotten–under-the-personal-data-protection-bill-2018 (last visited Aug 31, 2020).
[10] Vinay Joseph & Deeya Ray, The Right To Be Forgotten – Under The Personal Data Protection Bill 2018 – Privacy – India www.mondaq.com (2019), https://www.mondaq.com/india/privacy-protection/860598/the-right-to-be-forgotten–under-the-personal-data-protection-bill-2018 (last visited Aug 31, 2020).
[11] The “Right to be Forgotten”: Remembering Freedom of Expression (30th August 2020, 9:30 PM), https://www.article19.org/data/files/The_right_to_be_forgotten_A5_EHH_HYPERLINKS.pdf .
[12] The “Right to be Forgotten”: Remembering Freedom of Expression (30th August 2020, 9:30 PM), https://www.article19.org/data/files/The_right_to_be_forgotten_A5_EHH_HYPERLINKS.pdf .
[13] The “Right to be Forgotten”: Remembering Freedom of Expression (30th August 2020, 9:30 PM), https://www.article19.org/data/files/The_right_to_be_forgotten_A5_EHH_HYPERLINKS.pdf .
[14] The “Right to be Forgotten”: Remembering Freedom of Expression (30th August 2020, 9:30 PM), https://www.article19.org/data/files/The_right_to_be_forgotten_A5_EHH_HYPERLINKS.pdf.
[15] Right to Information Act, 2005, S. 8 (i)
[16] Personal Data Protection Bill, 2018.
[17] Right to Information Act, 2005, S. 8 (i) (j)
[18] Vinay Joseph & Deeya Ray, The Right To Be Forgotten – Under The Personal Data Protection Bill 2018 – Privacy – India www.mondaq.com (2019), https://www.mondaq.com/india/privacy-protection/860598/the-right-to-be-forgotten–under-the-personal-data-protection-bill-2018 (last visited Aug 31, 2020).
0 Comments