Right To Be Forgotten: A Detailed Analysis
This Blog is written by Fatema Lightwala from SVKM’s Pravin Gandhi College of Law, Mumbai. Edited by Uroosa Naireen.
The Right to be Forgotten is the right to have private information about an individual removed from Internet searches and other directories under certain circumstances. It thus enables persons to demand that organizations delete their personal information from the internet. It is based on the simple idea that each person must have the power to control their data. This right has its roots in the right to privacy and the right to reputation. It first came to light and was recognized worldwide through a 2014 landmark judgement of the European Court of Justice (ECJ), Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González. At present, India’s data privacy regime, which includes the Information Technology Rules, 2011 framed under the Information Technology Act, 2000, does not provide for this right. However, the draft of the Personal Data Protection Bill 2019 introduces this right for the first time under the Indian scheme. Since then, this right has remained a subject of debate and has faced much backlash from legal scholars and the press as a tool of censorship that suppresses freedom of speech and expression.
OBJECTIVE OF THE RIGHT
The medium of speech on the internet differs from other mediums on several grounds. Factors such as global reach, access to both literate and illiterate populations, anonymity, and ease of search make the internet a vulnerable platform. At the click of a button, information can travel at the speed of light and reach millions of persons all over the globe. Additionally, once something is posted, the internet remembers it forever. In such circumstances, even a single article, true or false, can turn to dust the reputation a person has earned over a lifetime. This information stays and hence denies the person a chance of redemption or self-correction. The whole rationale behind the right to be forgotten is that each individual must be allowed to flourish without being a slave to past events that took place long ago but still continue, unjustly, to haunt their life owing to the internet’s imperishable memory.
Google Spain Case
In this case, a newspaper had published an article in 1998 pertaining to the bankruptcy case of a Spanish man, Mr. Mario Costeja. He contacted the newspaper and requested that his details be removed from the public domain. His request was denied on the grounds that the article was a government-ordered publication. He then requested Google Spain SL (“Google”) to remove the article because search results for his name redirected to the old article, and this created much trouble for him although he had cleared his debt. The ECJ ruled in his favor, stating that the article was no longer relevant, and forced Google to not display those search results. The Court therefore set a huge precedent and held that European citizens have a right to request tech giant search engines like Google, which accumulate personal data for profit, to remove links to private information when asked to do so. This ruling came to be known as the right to be forgotten and found a place in the data protection laws and regulations of the European Union (EU), particularly the General Data Protection Regulation (GDPR).
It is also pertinent to note that in September 2019 the ECJ issued another decision, ruling that Google is not required to delink sites external to the EU. Further, the Court stated that there is currently no requirement under EU law for a search engine operator that grants a de-linking request to carry out such de-linking on every version of its search engine. This limits the application of the right to be forgotten to the European Union.
General Data Protection Regulation (GDPR)
The EU Commission’s new legislation on data protection, i.e. the GDPR, came into force on May 25, 2018. Having extraterritorial application, it has the power to demand that companies not established in the EU comply with its data protection regulations. Article 17 of the GDPR expressly provides for the ‘Right to be Forgotten’. Accordingly, it grants the ‘data subject’ a right against the ‘controller’ to have all personal data concerning him or her held by such controller erased without undue delay on six grounds, namely: the storage of personal data is unnecessary, unlawful processing of personal data, withdrawal of consent or objection to processing by the data subject, or erasure is required to fulfill a statutory obligation under EU law or the law of the Member States. However, this Article also provides exceptions to this right under which the controller is not bound to entertain removal requests. These include any contradiction with the right of freedom of expression and information, or cases where erasure stands against the public interest in the area of public health, scientific or historical research, statistical purposes, etc.
The importance of informational privacy was emphasized by the Apex Court in K.S. Puttaswamy v. Union of India, which is famously known as the privacy judgment. Privacy and the right to be forgotten are two sides of the same coin. In this judgment, Justice S. Kaul stated that the right to be forgotten, like the right to privacy, is not absolute. It cannot be exercised in opposition to public interest, legal obligations, freedom of expression, etc. Several High Courts in the country have adjudicated on the application of this right in India. However, they differ in their views. In Dharmraj Bhanushankar Dave v. State of Gujarat, the petitioner entered a plea for a permanent restraint on the free publication of the judgment and order of the court on the internet. The said judgement was published by the respondent despite being classified as ‘unreportable’, and was also indexed by Google search, which was causing problems in the petitioner’s personal and professional life. Nevertheless, the Gujarat High Court, relying upon the rules of the court, failed to recognize the right to be forgotten. In contrast, in Sri Vasunathan v. The Registrar General & Ors., the petitioner contended that a name-wise search of her daughter on search engines like Google, Yahoo, etc. resulted in the appearance of her name in the order in relation to a criminal case filed by her. This had chances of affecting her relationship with her husband as well as her reputation in society. Recognizing the right to be forgotten, the Karnataka High Court directed the respondent to take the necessary steps to cover the name of the petitioner’s daughter. In Zulfiqar Ahman Khan v. M/S Quintillion Business Media, the Delhi High Court stated that the ‘Right to be forgotten’ and the ‘Right to be left alone’ are inherent aspects of the Right to privacy. Hence, there continues to be a lack of clarity regarding the current position of the courts on this right.
The Personal Data Protection Bill, 2018 (PDP Bill)
The draft of the bill was issued by the Ministry of Electronics & Information Technology on August 26, 2018. It is based on the report submitted by the Justice BN Srikrishna Committee and lays much emphasis on acquiring the consent of an individual to process and use his/her personal data. Like the GDPR, this bill aims to provide the right to be forgotten in India, but unlike Article 17 of the GDPR, it is much narrower in its scope. It only allows data subjects to request data controllers to restrict or prevent continuing disclosure of personal information. It does not enable them to request complete erasure of the information altogether.
Under S. 27 of the Bill, a data principal has a right to prevent the data fiduciary from using such data or information under three conditions, namely: if the data has served the purpose for which it was made and is no longer necessary; if consent, as given in accordance with section 12, has since been withdrawn; or if the disclosure is in contravention of the provisions of the Act or any other law made by Parliament or any State Legislature. To exercise the said right, the data principal has to file an application form before the Adjudicating Officer appointed under S. 68. Further, S. 27(2) empowers the adjudicating officer (Data Protection Authority) to decide on the question of disclosure and the circumstances in which he deems fit to allow this right to override the freedom of speech and the citizen’s right to information.
In determining whether the condition in subsection (2) is satisfied, the Adjudicating Officer as per S. 27(3) shall take into consideration conditions such as the sensitivity of the personal data; the scale of disclosure and the degree of accessibility sought to be restricted or prevented; the role of the data principal in public life; the relevance of the personal data to the public; and lastly, the nature of the disclosure and of the activities of the data fiduciary.
Additionally, S. 10 limits the retention of data by the controller. Under this, a data fiduciary can retain personal data only as long as it may be reasonably necessary to satisfy the purpose for which it is processed. Further, it requires them to undertake periodic reviews in order to determine whether it is necessary to retain the personal data in its possession. If not, then such data must be deleted in a manner as may be specified. However, this erasure of data must be viewed as a set of obligations on data fiduciaries and not as rights available to data principals.
S. 47 provides immunity to the press and accordingly exempts the processing of personal data which is necessary for, or relevant to, a journalistic purpose. Thus, the right to be forgotten does not apply if the personal data is held by a media organization that is able to show that the processing of personal data is required for a journalistic purpose.
The main controversy that surrounds the exercise of this right is the impact it will have on several other rights, such as the right to information, the right to freedom of speech and expression, and freedom of the press, that are the very foundation of democracy. If individuals make consistent attempts to censor any information concerning themselves, the quality of the internet will drastically diminish. Further, there are chances of misuse by public officials to keep their image clean, which will in turn give stimulus to bureaucratic corruption. Such removal can also affect the authenticity, accuracy, and ability to conduct businesses, especially due diligence in commercial activities and customer protection laws.
Moreover, there is a lack of a global framework that allows individuals to have worldwide control over their online image. Barriers to jurisdiction result in the inability to remove information possessed by companies beyond the limited jurisdiction.
Apropos of the PDP Bill, it has several shortcomings in relation to this right. The terms in the bill such as “the disclosure of data no longer serve the purpose for which it was collected”, or if the “original consent provided by the data principal has been withdrawn” etc. are ambiguous in nature.
Another issue arises regarding the persons adjudicating the requests for the ‘right to be forgotten’. The Bill leaves this decision to the discretion of the adjudicators who are appointed by the Data Protection Authority, whose head, in turn, is appointed by the government. Further, the procedure to be followed by them is also dictated by the Central Government. In other words, the adjudicators stand the risk of becoming puppets in the hands of the government for the duration of their tenure. Moreover, Section 28(2) of the PDP Bill empowers the data fiduciary to charge a reasonable fee when any data principal exercises the rights granted to him under the PDP Bill. However, the PDP Bill does not talk about the criteria for determining such a fee. Hence, this provision can be used to exploit data principals.
Another criticism arises from the fact that specific legislation is already in place in India that upholds this right in the cases of specific persons who need it. For example, the Juvenile Justice (Care and Protection of Children) Act, 2015 provides protection against publication of information concerning children in conflict with law or in need of care and protection. Similarly, both the Indian Penal Code and the Code of Criminal Procedure make provision for concealing the identity of women in certain sensitive cases such as rape. Similarly, the Payment and Settlement Systems Act, 2007, the Income Tax Act, 1961, the Census Act, 1948, the Collection of Statistics Act, 2008, the Protection of Children from Sexual Offences Act, 2012, the Information Technology Act, 2000 and many such legislations already protect the private data of individuals. Hence, it is futile to have separate legislation pertaining to the same.
The right to be forgotten has to be a right qualified by clearly defined conditions. A balance has to be struck between the exercise of this right and that of the other rights in question. A comprehensive data protection law that addresses and minimizes the conflict between the two fundamental rights under Articles 19 and 21, which are a crucial part of the golden trinity of the Constitution of India, is the need of the hour. The various anomalies of the PDP bill need to be addressed, as the bill is yet to undergo the parliamentary process of discussion and approval before it becomes law. Until then, the courts of the country have to play their crucial role in establishing a legal basis and setting the scope of this right.
 ILEC 060 (CJEU 2014)
 (2017) 10 SCC 1
 Special Civil Application No. 1854 of 2015
 Writ Petition No. 62038 of 2016
 2019 (175) DRJ 660