Right To Be Forgotten: Its Applicability In India

By: Anamika Kundu


In 2014, the Court of Justice of the European Union (‘CJEU’) delivered a landmark judgement which sparked heated discussion on the future of search engines and personal data. Prior to this, the internet was seen as a place of permanent memories. The European Union (‘the EU’) has vociferously put forth and implemented data protection laws in the past decade because of its overarching ideals of privacy. As India transitions into a connected twenty-first century where citizens’ choices are informed and influenced by the internet, there is a mounting incumbency upon the judiciary to protect its citizens’ rights. But it is at a very preliminary stage of constructing a comprehensive data protection framework which can incorporate the Right to be Forgotten (‘the RTBF’). In order to initiate such laws, the need for such a right has to be weighed against the existing legal structure and socio-political environment. The Indian legislature and judiciary have time and again brought up the issue of privacy but with little success.

INTRODUCTION

Contrary to popular belief, the Right to be Forgotten (‘the RTBF’) is not a modern concept. The notion that information related to a former convict’s imprisonment is harmful to his or her rehabilitation is a codified principle in the French concept of droit d’oubli and in British law[1], whereby a free individual bore the right to remove information pertaining to their served sentences when seeking employment. Broadly, the modern form of the RTBF comprises two components: the right to de-list, or oblivion, which requires search engines such as Google to remove requested URLs, and the right of erasure, which obligates websites to delete personal information from their databases.

THE EUROPEAN UNION’S FRAMEWORK OF THE RIGHT TO BE FORGOTTEN

The Data Protection Directive adopted in 1995 implicitly gave way to the RTBF with its primary objective of protecting the Fundamental Rights (‘the FRs’) without hindering the free flow of data[2]. Subsequently, in Google Spain v. AEPD and Mario Costeja González[3], the CJEU held that according to the Directive, search engines fall within the ambit of “controller”[4] and their activities are what ‘processing of personal data’[5] entails. Further, the “data subject”[6] could request the removal of URLs from certain search engines that contain personal information which is “inaccurate, inadequate, irrelevant or excessive” for the processing of data.[7] The justification provided by the court was that an individual’s right to data protection outweighs the economic interest of a search engine.

Following the judgement, the Article 29 Working Party started the process of revamping the directive in order to adjust it to the current digital age. The RTBF in the upcoming General Data Protection Regulation[8] (‘GDPR’) has been limited only to the right of erasure but in actuality is a mixture of both erasure and de-listing. Erasure is meant to control the data shared by an individual and restrict nonconsensual storing of data, whereas de-listing is meant to protect one’s reputation in the age of ‘search engines’ by limiting the search results associated with one’s identity. For example, when one creates an email ID and no longer uses it, he/she can request the website to delete all information related to her/him. This is a case of the right to erasure. Through de-listing, by contrast, one could request Google or any other search engine to remove search results regarding a particular incident that appear on searching his/her name. The directives are ambiguous on the conceptual delineation of the two components, which has led to a lot of confusion and misuse. It is thus imperative for the EU to distinguish passive or transactional data from active or expressive data, as both schemes work quite differently and involve separate complexities.[9]

Further, the CJEU has expressly stated that in no way will the RTBF be used in a manner that will infringe upon other fundamental rights, namely, the freedom of expression and media. It has been confirmed that there would be reasonable restrictions placed and applied to data that is outdated, which would not be tantamount to deletion of content.[10] Viviane Reding, the Vice President of the European Commission and the European Union justice commissioner, has clarified that a European citizen is entitled to both freedom of expression and privacy, and thus it is necessary to have the ‘right of the creation of the content and the benefits of the content’.[11] However, a case has come forward in the Conseil d’État, France’s supreme administrative court, regarding automatic de-listing due to the presence of “sensitive data”, which has raised serious concerns with regard to the elevation of the rights of individuals against the broader public interest.[12] If the court so rules, it can be a serious problem, as removal without a public interest balancing test could lead to the deletion of important data from the internet.

Although the EU’s policy on the RTBF has exemplified protection of one’s data, the courts’ vague guidance on what kind of removal requests should be allowed has inevitably led to curtailment of access to lawful and public information. Furthermore, the burden to assess each request has been placed on companies. This has incentivized them to process each request positively in order to minimize the cost of taking on expensive lawsuits. It has also furthered the removal of content, regardless of its nature, and is facilitating a blockage in the global network of data.

DOES THE RIGHT TO BE FORGOTTEN HAVE A FUTURE IN INDIA?

Since the inception of the Constitution, the country has seen numerous cases with regard to the right to privacy, which is embodied in Article 21 of the Constitution.[13] It was first noted in the dissent in the Kharak Singh case[14] that privacy serves as an ingredient of personal liberty and is not in contravention of Article 19.[15] Both the articles can co-exist with each other and one isn’t sculpted out of the other. Since then, there have been numerous cases with lower benches that have upheld the right to privacy as an inherent right.

The RTBF was an unknown concept in our country till 2015, when a case came up in the Gujarat High Court (‘HC’) dealing with the removal of a non-reportable judgement on a website. The HC held that there can be no removal of such data as it will still be present on the HC databases regardless. Although this case had no mention of the RTBF, it implicitly gave way to discussion of this new concept. The Karnataka HC has mentioned the RTBF in passing by calling it a ‘trend of western countries’.[16] Additionally, a writ in the Kerala HC has favoured the petitioner towards the removal of the name from certain websites with minimal reasoning.

In today’s socio-political conditions, it is imperative to understand that a data protection legislation mirroring the EU directives will not serve the needs of our country. This is due to the following reasons. Firstly, the privacy jurisprudence in India is starkly different from that of the EU. By this, I mean that privacy as an ideal in India is seen under a different light as compared to western countries, mainly due to the variance in culture. The EU in particular gives greater importance to the concept of “individualism” while we are an inherently “collective” society. Indians value both the individual and social aspect of privacy entrenched in a strong culture of trust.[17] Therefore, the meaning attached to privacy cannot be applied to both regions in the same sense.

Secondly, mere acknowledgement of the fact that the RTBF exists doesn’t make the stance of the judiciary concrete. There is no implication that the State will now look at it as a forthcoming legislative requirement. Through the years, various bills regarding privacy and data protection, in particular, have been pending before the houses of the Parliament. However, none of these made it through as Acts. Recently too, an MP moved a private member’s Bill in the Lok Sabha in consonance with the ongoing privacy hearings.[18] However, blind application of laws of another country will result in poor enforcement by the judiciary.

Thirdly, giving all powers to third parties to adjudicate on whether particular information should be removed or not will undermine the role of the State. The third parties will act as private administrative bodies even though they are profit-making organisations. This might lead to obfuscation, thereby diminishing the right to information which is crucial to the Indian society.

Lastly, many countries in the EU are now lobbying to remove links from the global domain in addition to the region-specific domains. For instance, France is now asking Google to remove particular links not only from google.fr but also from google.com which is an obstruction to other jurisdictions. At this juncture, India is in an economically thriving position and this kind of hegemonic behaviour can have grave repercussions on trade and development.

The Delhi HC has added Google Inc and Google India to a suit involving the de-listing of a link which indicated the involvement of the petitioner’s wife in a criminal case. The petitioner didn’t want to be associated with a case that could affect his prospective employment.[19] This case will be an important hearing in predicting the future of a data protection framework. In anticipation, I hope that the legislators take this opportunity to crystallise the RTBF in a truly Indian way.

CONCLUSION

In conclusion, I would like to say that although Indian judges have, on several occasions, reverted to the EU directives, it is impractical to apply them to the Indian context due to the arguments advanced in this paper. Thus, the status quo requires the recognition of the right to privacy as an inherent right, only after which the legislature may bring up the matter of data protection laws.

[1] Rehabilitation of Offenders Act, 1974 (U K).

[2] Directive 95/46/EC Of The European Parliament And Of The Council Of 24 October 1995 On The Protection Of Individuals With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data, art 12(b), art 14.

[3] C-131/12 Google Spain SL, Google Inc v Agencia Española de Protección de Datos (AEPD), Mario Costeja González ECLI:EU:C:2014:317.

[4] ibid (n 2), art 2(d).

[5] ibid (n 2), art 2(b).

[6] ibid (n 2), art 2(b).

[7] ibid (n 3), para 93.

[8] Regulation (EU) 2016/679 Of The European Parliament And Of The Council Of 27 April 2016 On The Protection Of Natural Persons With Regard To The Processing Of Personal Data And On The Free Movement Of Such Data, And Repealing Directive 95/46/EC (General Data Protection Regulation), art 17.

[9] Center for Democracy & Technology, ‘Comments to the European Commission in the Matter of Consultation on the Commission’s Comprehensive Approach on Personal Data Protection in the European Union’ <https://cdt.org/files/pdfs/CDT_DPD_Comments.pdf> accessed on July 29 2017.

[10] ‘Press Release of Court of Justice of European Union’ <https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-05/cp140070en.pdf> accessed on July 29 2017.

[11] John Hendel, ‘Why Journalists Shouldn’t Fear Europe’s Right to be Forgotten’ The Atlantic (Washington DC) <https://www.theatlantic.com/technology/archive/2012/01/why-journalists-shouldnt-fear-europes-right-to-be-forgotten/251955/> accessed on July 29 2017.

[12] Julia Fioretti, ‘EU judges to tackle ‘right to be forgotten’ again’ Reuters (Canary Wharf, London) <http://www.reuters.com/article/us-google-privacy-court-idUSKCN18C1QX> accessed on July 29 2017.

[13] The Constitution of India, 1950, art 21.

[14] Kharak Singh v State of UP 1963 AIR 1295.

[15] The Constitution of India, 1950, art 19.

[16] Sri Vasunathan v The Registrar General Writ Petition No 62038/2016.

[17] Subhajit Basu, ‘Policy-Making, Technology and Privacy in India’ 6 Indian J. L. & Tech (2010) 65, 88.

[18] The Data (Privacy and Protection) Bill, 2017, 100 of 2017.

[19] Laksh Vir Singh Yadav v Union of India WP (C) 1021/2016.


(Anamika is currently a student at West Bengal National University of Juridical Sciences, Kolkata)