Vol. 12 No. 1 ISSN: 0976-3570 39 Integrating the Right to be Forgotten in the Indian Legal Framework in the Light of Experiences from the European Union Dr.Jyoti J. Mozika 1 Abstract The right to be forgotten was brought under the spotlight in the Google Spain case, which held that individuals have the right to seek erasure or delinking of certain information about them. However, its apparent conflicting nature vis-à-vis the right to freedom of speech and expression has created a hindrance in its acceptance and development across the world. This Article outlines the development of this right, traces the practical legal issues vis-à-vis the freedom of speech and expression that have arisen during its implementation, and proposes a test that may be helpful in overcoming this barrier. The article also examines the recognition of the right in the Indian context. Key words: Privacy, Data Protection, Right to be Forgotten. I. Introduction Advancements in technology have rendered information on the internet ubiquitous and permanent. This has drastically altered the way in which people remember and recall information about other people. However, the internet, being decentralized, cannot be regulated, and this leads to the publication of various types of information about people. This information may be outdated, false, or no longer relevant due to changed circumstances, but permanently remain on the internet and only a click away. This may cause harm to individuals and threaten their dignity and autonomy. The “right to be forgotten” is a remedy that enables individuals to demand search engines to de-list or erase information about them which appears when a search of their name is conducted. It is aimed at giving individuals a right to determine for themselves the extent to which information about them can be published or retained on the internet. The right to be forgotten, which is a part of the right to privacy, was brought under the spotlight by the decision of the Court 1 Professor, Department of Law, North Eastern Hill University, Shillong, Meghalaya, India. jyotijmozika@gmail.com:: jjmozika@nehu.ac.in INDIAN JOURNAL OF LAW AND JUSTICE 40 of Justice of the European Union in the Google Spain case,2 where it concretised a (limited) right of individuals to erase, limit, delink, delete, or correct personal information on the internet that is misleading, embarrassing, irrelevant, or anachronistic. Although the direct impact of this decision was limited to countries belonging to the European Union, it was realized that this “right” has existed in many forms around the world. The right, however, has faced key underlying policy considerations as well as practical difficulties in implementation. In particular, its apparent conflicting nature vis-à-vis the right to freedom of speech and expression has created a hindrance in its acceptance and development across the world. Courts have been asked multiple times to balance privacy rights with those of free speech, and there is no uniform approach being followed across countries. Civil law jurisdictions give greater weight to privacy concerns in striking this balance, while common-law jurisdictions tend to give greater weight to the freedom of expression. II. Privacy The right to privacy is, in its most simple sense, a right “to be let alone”.3 Broadly, the idea of privacy consists in the right to prevent access to our person.4 It has been invoked to seek protection against unauthorized circulation of portraits of private persons,5 invasion of privacy by newspapers, and unreasonable searches and seizures. As far back as in 1890, Samuel Warren and Louis Brandeis advocated it as “the right to protect one’s self from pen portraiture”.6 They argued that the law should recognize the right to an “inviolate personality,” deriving the idea of a right “to be let alone” from an 2 Google Spain SL v. Agencia Espanola de Proteccion de Datos, Case-131/12 (CJEU, May 13, 2014) [hereinafter “Google Spain”]. 3 Judith Jarvis Thomson, “The Right to Privacy” 4(4) Philosophy & Public Affairs 295 (1975). 4 Mark Alfino and G. Randolph Mayes, “Reconstructing the Right to Privacy” 29(1) Social Theory and Practice 4 (2003). 5 K. Gormley, “One Hundred Years of Privacy” 92 Wis L Rev 1335 (1992). 6 Samuel D. Warren And Louis D. Brandeis, “The Right To Privacy” 4(5) HARVARD LAW REVIEW 1 (1890). Vol. 12 No. 1 ISSN: 0976-3570 41 English common law case called Prince Albert v. Strange.7 While the case revolved around the law of confidentiality, rather than privacy, Warren and Brandeis argued that the law of privacy already existed, and that they had not invented but merely discovered the right. Legal commentator Nicole Moreham describes privacy as control over “desired inaccess” or freedom from the “unwanted access” of others to oneself or one’s personal information.8 It has also been referred to as a right to quietly congregate in public places and enjoy one’s own reflections and the conversation of one’s friends.9 Thus, the phrase has amassed different meanings in different contexts.10 However, what is common between all these uses is that the right ultimately helps to protect an individual against unwarranted intrusion upon a sphere of life.11 Privacy is a broad concept that deals with the protection of individual autonomy, and the relationship of an individual with other individuals, companies, and governments. It is considered essential in protecting an individual’s ability to develop ideas and personal relationships. In today’s digital age, the right to privacy has progressed to address issues relating to the collection, use, and dissemination of personal data in information systems.12 The right to privacy is seen as a core right that reinforces the dignity of humans and other values such as the freedom of expression.13 It has been recognised in several international human rights treaties14 and almost every national 7 Prince Albert v. Strange, (1849) 47 ER 1302. 8 Nicole Moreham, “Privacy in Public Places” 65 CLJ 617 (2006). 9 Howard B. White, “The Right to Privacy” 18(2) Social Research 171 (1951). 10 Ibid. 11 Ibid. 12 G.A. Res. 68/167, ¶4 (Jan. 21, 2014). 13 Human Rights Committee, General Comment No. 16 to Article 17, The Right to Respect of Privacy, Family, Home and Correspondence, and Protection of Honour and Reputation, HRI/GEN/1/Rev.9 (Vol. I) (Apr. 8, 1988); Human Rights Council, Report of the Special Rapporteur on the promotion and protection of human rights and fundamental freedoms while countering terrorism (SR on HR and countering terrorism), A/HRC/13/37 (Dec. 28, 2009). 14 G.A. Res. 217 (III) A, Universal Declaration of Human Rights, art. 12 (Dec. 10, 1948); International Covenant on Civil and Political Rights, 999 U.N.T.S. 171, art. 17 (1966); INDIAN JOURNAL OF LAW AND JUSTICE 42 constitution,15 and has also been legally protected through provisions in national civil and criminal codes.16 However, the right to privacy is not an absolute right. It is subject to the three-part test of legality, necessity, and proportionality.17 III. The Right to be Forgotten Soon after the right to privacy was recognized, the need was felt to enhance and liberalize its interpretation so as to afford citizens protection of a wider import. One such subset of the right to privacy is the right to be forgotten. The right to be forgotten refers to the right of an individual to erase, limit, or alter past records that can be deceptive, redundant, outdated, disconcerting, or contain irrelevant data associated with the person, so that those past records do not continue to hamper present-day perceptions of that individual.18 Under the law of human rights, the idea of the right to be forgotten is commonly positioned within the realm of the right to privacy.19 Behind the inception of the idea of such a right lies the enormous expansion in the availability and accessibility of information in the digital world of the internet.20 Because of the permanent nature of information availability in the European Convention on Human Rights and Fundamental Freedoms, ETS 5, art. 8 (1950). 15 US Department of State, 2010 Country Reports on Human Rights Practices (April 2011). 16 US Department of State, 2010 Human Rights Report; Charles J. Glasser Jr. (ed.), International Libel and Privacy Handbook: A Global Reference for Journalists, Publishers, Webmasters, and Lawyers (Bloomberg Press, New Jersey, 3 rd edn.). 17 Handyside v. the United Kingdom, Appl. No. 5493/72, ¶ 48-49 (ECtHR, Dec. 7, 1976). 18 Cecile De Terwangne, “The Right to be Forgotten and Informational Autonomy in the Digital Environment”, in AlessiaGhezzi et al. (eds.), The Ethics of Memory in a Digital Age: Interrogating the Right to be Forgotten 83-84 (2014). 19 Xanthoulis, “The Right to Oblivion in the Information Age: A Human Rights Based Approach” 10 US-CHINA LAW REVIEW 84 (2013). 20 La Rue, Report of the Human Rights Council’s Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/17/27 (May 16, 2011). Vol. 12 No. 1 ISSN: 0976-3570 43 digital age, memory has become infinite.21 Thus, how an individual is perceived based on this information has also become permanent. This is aggravated by the fact that the internet is decentralized, and cannot, therefore, be effectively or meaningfully regulated.22 This led to the advocacy of a right to control such information. The right guarantees an individual the authority “in principle to decide for himself whether or not his personal data should be divulged or processed”23 and thus allows their protection against data processing entities, such as advertisers, insurers, big pharma, and data brokers. The idea of a right to be forgotten is not, however, new. In Europe, the idea of the right to be forgotten can be found in French law, which recognizes le droit à l’oubli—or the “right of oblivion”. This refers to a right granted to a convicted criminal who has been rehabilitated to object to the publication of the facts of his conviction and imprisonment. In fact, several countries in their domestic laws recognise that after a period of time, criminal records of offenders should be expunged in order to enable their reintegration into society.24 European courts have long recognised a right of citizens to informational self- determination.25 This term was first used by the German Federal Constitutional Court in the context of unwanted collection of personal information as part of the national census.26 The Court here held: 21 Viktor Mayer-Schonberger, Delete- The Virtue of Forgetting in the Digital Age (Princeton University Press, Oxfordshire, 2013). 22 M. E. Price & S. Verhulst, “The concept of self-regulation and the internet,” in J. Waltermann& M. Machill (eds.), Protecting our children on the internet: Towards a new culture of responsibility 133 (2000). 23 Eibe Riedel, “New Bearings in German Data Protection-Census Act 1983 Partially Unconstitutional” 5 HUMAN RIGHTS L. J. 69 (1984). 24 Article 19, The “Right to be Forgotten”: Remembering Freedom of Expression (2016) available at https://www.article19.org/data/files/The_right_to_be_forgotten_A5_ehh- _hyperlinks.pdf (visited on 8 July, 2020). 25 Giancarlo F. Frosio, “The Right to Be Forgotten: Much Ado about Nothing” 15 Colo. Tech. L.J. 313 (2017). 26 BVerfGE 65, 1 vom 15.12.1983 (Volkszahlungs-Urteil); GerritHornung& Christoph Schnabel, “Data Protection in Germany I: The Population Census Decision and the Right to Informational Self-determination” 25(1) Comput. Law & Security Review 84 (2009). INDIAN JOURNAL OF LAW AND JUSTICE 44 “[...] in the context of modern data processing, the protection of the individual against unlimited collection, storage, use and disclosure of his/her personal data is encompassed by the general personal rights of the German constitution. This basic right warrants in this respect the capacity of the individual to determine in principle the disclosure and use of his/her personal data. Limitations to this informational self- determination are allowed only in case of overriding public interest.” 27 Legislation incorporating the right to be forgotten can be traced back to the year 1995, when the European Union enacted Directive 95/46/EC. Although the Directive did not expressly codify this right, a combined reading of Article 6(1)(e) and Article 12(b) produced an inference of the right to be forgotten. Article 6(1)(e) required that member states keep personal data “in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed.” 28 Article 12(b) provided the data subject the right to rectify, erase or block the processing of personal data if the same is not in line with the Directive, “in particular because of the incomplete or inaccurate nature of the data.” 29 Today, the law relating to privacy is well developed in the European Union than in any other part of the world. Article 7 of the Charter of Fundamental Rights of the European Union states that “[e]veryone has the right to respect for his or her private and family life, home and communications,”30 and Article 8 states that “[e]veryone has the right to the protection of personal data concerning him or her,” and that “[s]uch data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.”31 Further, the 27 BVerfGE 65, 1. 28 Council Directive 95/46/EC, art. 6(1)(e), 1995 O.J. (L 281) 31. 29 Council Directive 95/46/EC, art. 12(b), 1995 O.J. (L 281) 31. 30 Charter of Fundamental Rights of the European Union, art. 7, 2010 O.J. (C 83/02). 31 Charter of Fundamental Rights of the European Union, art. 8, 2010 O.J. (C 83/02). Vol. 12 No. 1 ISSN: 0976-3570 45 first legally binding treaty addressing data privacy is the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, known as the Council of Europe Convention on Privacy.32 It requires signatory nations to enact legislation that offers safeguards for processing personal information that fulfil the minimum levels of protection specified in the convention.33 Most important, however, is Article 8 of the European Convention on Human Rights which states that everyone has the right to private family life, and prohibits a public authority from interfering with this right except for reasons in accordance with the law and necessary in a democratic society that pertain to national security, public safety, the country’s economy, criminal and public health purposes, or for protecting the rights and freedoms of others.34 In 2014, the right to be forgotten was recognised as a right in Europe after the CJEU in the case of Google Spain SL and Google Inc. v.Agencia Española de Protección de Datos (AEPD) and Mario Costeja González 35 asked Google to remove an unfavorable link concerning Mr. González from its search results. Proposals for the adoption of a similar right have emerged in several jurisdictions, including Argentina,36 Brazil,37 Colombia,38 Mexico,39 and Hong 32 Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, E.T.S. No. 108, Jan. 28, 1981. 33 Daniel J. Solove & Paul M. Schwartz, Privacy Law Fundamentals 255-56 (International Association of Privacy Professionals, 4 th edn., 2017). 34 Convention for the Protection of Human Rights and Fundamental Freedoms, E.T.S. No. 5 (Nov. 4, 1950). 35 Google Spain. 36 Rodriguez Maria Belen c/Google y Otro s/ dafios y perjuicios, Oct. 29, 2014, Suprema de Justicia de la Nacion (Arg.); Edward L. Carter, “Argentina’s Right to Be Forgotten” 27 Emory Int’l L. Rev. 23 (2013). 37 Brazilian Congressman Introduces Right to Be Forgotten Bill, Hunton& Williams: Privacy & Info. Security Law Blog (Oct. 23, 2014), available at https://www.huntonprivacyblog.com/2014/10/articles/brazilian-congressman- introduces-right-forgotten-bill (visited on 6 July, 2020); Draft Bill 215/2015, Infanticide to the Newly-Born Digital Rights in Brazil, Dig. Rights (Oct. 27, 2015), available at http://www.digitalrightslac.net/en/proyecto-de-ley-2152015-infanticidio-contra-los- recien-nacidos-derechos-digitales-en-brasil (visited on 8 July, 2020). INDIAN JOURNAL OF LAW AND JUSTICE 46 Kong.40 Most notably, in 2015,Russia became the first country to codify the right to be forgotten into legislation.41 With certain exceptions, this law imposes an obligation on search engines to remove search results listing information on individuals where such information is unlawfully disseminated, untrustworthy, outdated, or irrelevant.42 In Spain, courts have recognized as a right the ability of citizens to remove irrelevant and outdated information.43 This covers information that is not relevant to the circumstances for which it is sought or is no longer true. The Court went on to declare that a person has a “fundamental right” to privacy that extends to the removal of information about herself.44 A. Google Spain Sland Google Inc. V. Agencia Española De Protección De Datos (AEPD) And Mario Costeja González Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González 45 is the case that gave birth to a concrete right to be forgotten in the European Union. It laid down for the first time that there exists a right to be forgotten online. The case arose out of a complaint made by Mr. González where he alleged that his privacy had been infringed because newspaper reports relating to an auction had been made available on the public domain and appeared in search results despite the event having been resolved and thereby becoming irrelevant. He filed a complaint against the newspaper La VanguardiaEdiciones SL, Google Spain, and Google Inc. with Agencia Española de Protección de Datos (the Spanish Data Protection Agency), to have the reports about him as well as related search results appearing on Google deleted or altered. While AEPD did not agree to his 38 Sala Primera de Revision, Sentencia T-277/15, Corte Constitucional [Constitutional Court] May 12, 2015 (Colom.) 39 Derecho de Olvidarte, Instituto Federal de Acceso a la Informacion y Proteccion de Datos [IFAI], Google Mexico, S. de R.L. de C.V., Expediente PPD.0094/14 (Mex.). 40 David Webb v. Privacy Commissioner for Personal Data, [2015] No. 54/2014 (Hong Kong Administrative Appeal Board). 41 GrazhdanskiiKodeksRossiiskoiFederatsii [GK RF] [Civil Code] No. 264-FZ (Russ.) 42 Ibid. 43 Google Spain. 44 Id. 45 Google Spain. Vol. 12 No. 1 ISSN: 0976-3570 47 demand to have newspaper reports altered, it ordered Google Spain and Google, Inc. to remove the links in question from their search results. The case was brought in appeal before the Spanish High Court, which referred the matter to the CJEU. Mr. González requested the Court to order La Vanguardia either to remove or alter the pages in question and Google Spain and Google Inc. to remove or conceal the data so that it no longer appeared in the search results. In essence, therefore, the Court was required to decide whether individual citizens have the right to make their personal information untraceable, even if the publication is lawful and the content remains available on the web pages containing it. In a judgment having far reaching implications, the CJEU held that individuals have the right to request search engines to remove links with personal information about them where the information is “inaccurate, inadequate, irrelevant or excessive.” The Court outlined this right in the following words: “[I]f it is found, following a request by the data subject pursuant to Article 12(b) of Directive 95/46, that the inclusion in the list of results displayed following a search made on the basis of his name of the links to web pages published lawfully by third parties and containing true information relating to him personally is, at this point in time, incompatible with Article 6(1)(c) to (e) of the directive because that information appears, having regard to all the circumstances of the case, to be inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the processing at issue carried out by the operator of the search engine, the information and links concerned in the list of results must be erased.”46 The Court went on to hold that it is not necessary“that the inclusion of the information in question in the list of results causes prejudice to the data subject.”47 On facts, the Court held that Mr. González had established that the information was sensitive, had been first published several years ago, and was no longer relevant. Having regard to this, the Court held that he had a right that 46 Ibid, ¶ 94. 47 Ibid, ¶ 96. INDIAN JOURNAL OF LAW AND JUSTICE 48 that information should no longer be linked to his name.”48 The Court recognized that search engines, by assembling links to articles containing sensitive information about people, have enormous power to create a “detailed profile” of people, which permanently remains on the internet.49 Finally, the Court noted that the “data subject’s rights […] override, as a general rule, that interest of internet users,” although “that balance may however depend […] on the nature of the information in question and its sensitivity for the data subject’s private life and on the interest of the public in having that information”. Therefore, Google was asked to remove the links to the articles in question from the list of results appearing for Mr. González’s name. The implication of this landmark decision is that Google is no longer the sole decider of people’s profiles in searches of their names; people in the European Union now have a right to seek the removal of certain links from searches of their names. In 2019, the CJEU further delineated the scope of the right to be forgotten in the context of search engines through two opinions. In Google Inc. v. Commission nationale de l’informatique et des libertés (CNIL),50 the Court had to determine the territorial scope of the right to be forgotten. It established a general rule of EU-wide de-referencing in connection with measures preventing or at least seriously discouraging access to non-EU search results. The second case, GC and others v. Commission nationale de l’informatique et des libertés(CNIL), 51 addresses the processing of sensitive data by search engine operators and the de-referencing of such data. This is an area where interference with the data subject’s rights to privacy and protection of personal data is liable to be particularly serious due to the sensitivity of such data. The Court held that: “the provisions of Article 8(1) and (5) of Directive 95/46 must be interpreted as meaning that the prohibition or restrictions relating to the processing of special categories of personal data, mentioned in those provisions, apply also, subject to the exceptions provided for by the directive, to the operator of a 48 Ibid, ¶ 98. 49 Ibid, ¶ 98. 50 Google Inc. v. Commission nationale de l’informatique et des libertés (CNIL), Case C- 507/17 (CJEU, Sept. 24, 2019). 51 Ibid. Vol. 12 No. 1 ISSN: 0976-3570 49 search engine in the context of his responsibilities, powers and capabilities as the controller of the processing carried out in connection with the activity of the search engine, on the occasion of a verification performed by that operator, under the supervision of the competent national authorities, following a request by the data subject.” These decisions provide guidance on the relationship between the right to be forgotten and the freedom of information. IV. General Data Protection Regulation In 2012, the European Commission decided to overhaul the existing data protection regime, to make it conform to the needs of the digital age. To this end, the Commission came up with the General Data Protection Regulation (GDPR). The most prominent feature of the GDPR is that it is designed to give European Union citizens more control over their personal data. It also aims to simplify the regulatory environment for business so that citizens as well as businesses in the European Union can benefit from the digital economy. The GDPR supersedes the Data Protection Directive which was established in 1995. Under the Directive, each EU member country implemented its own data privacy laws.52 This resulted in a patchwork of divergent privacy protections. Further, the Directive could not cater to the change that the world saw in the technological domain. Therefore, the GDPR was established, which is the first regulation that tries to implement a global initiative to bring laws relating to personal data in line with the current technological developments. Issues of consent, control and the possibilities to secure deletion are central issues covered by it. The GDPR also aims to “harmonize” privacy laws in the EU by providing the same strong data protections for the entire region.53 The GDPR provides for a right to be forgotten under Article 17 in the form of a right to erasure. Under this provision, a data subject has the right to request the 52 Christopher Kuner, “Data Protection Law and International Jurisdiction on the Internet (Part I)” 18 INT’L J.L. & Info. Tech. 179-80 (2010). 53 Simone Fischer-Hbner and Stefan Berthold, “Privacy-Enhancing Technologies” in John R. Vacca (ed.) Computer and Information Security Handbook (Morgan Kaufmann, Cambridge, 3rd edn., 2017). INDIAN JOURNAL OF LAW AND JUSTICE 50 erasure of personal data related to them on any one of several prescribed grounds within 30 days. However, to avail this right, the individual must establish one of the following four grounds:54 (i) the data is no longer necessary in relation to the purposes for which it was collected, (ii) the data subject has withdrawn consent, (iii) the data subject objects to the data processing, and (iv) the processing does not comply with the GDPR. Upon such request being made by an individual, the internet service provider/ data controller is obligated to “carry out the erasure without delay,”55 unless the retention of the data is “necessary” for exercising “the right of freedom of expression,” as defined by member states in their local laws. The Regulation also provides an exemption from the duty to remove data for “the processing of personal data solely for journalistic purposes, or for the purposes of artistic or literary expression.”56 In addition, according to Article 18of the GDPR, known as the “restriction right,” the data subject “shall have the right to obtain from the controller restriction of the processing” of personal data.57 When processing is restricted, data controllers are permitted to store the personal data, but not to process it further. In such a scenario, the controller renders the data inaccessible, instead of fully deleting it as in the case of the right to be forgotten. The data subject is entitled to erasure when, inter alia, “the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed.”58Bycontrast, the restriction right applies more narrowly, for instance,to cases where “the accuracy of the data is contested by the data subject.”59 V. Position in India 54 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), at 2, COM (2012) 11 final (Jan. 25, 2012). 55 General Data Protection Regulation, art. 17. 56 General Data Protection Regulation, art. 17(3). 57 General Data Protection Regulation, art. 18. 58 General Data Protection Regulation, art. 17(a). 59 General Data Protection Regulation, art. 18(a). Vol. 12 No. 1 ISSN: 0976-3570 51 Indian privacy and data protection laws are insufficiently developed, unlike those of the European Union. There is no legislative or constitutional provision that expressly provides for the right to privacy. However, in 2017, the Indian Supreme Court declared the right to privacy as being a fundamental right in the case of Justice K. S. Puttaswamyv. Union of India.60 The Supreme Court, in this very case, also discussed the right to be forgotten. In the concurring opinion delivered by Justice S K Kaul, the Court identified the right to be forgotten as being a part of the larger umbrella of informational privacy. The Court noted that this right provides an individual control of the information that they put out, and also the power to seek removal of data concerning them. Justice Kaul stated that the “right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the Internet.”61 The Court recognized that mistakes made in the past should not be held against people throughout their lives via the digital footprint left behind. Their ability to evolve and reform should not be hindered. The Court also added that the public does not have a claim to access all truthful information relating to others. However, the absence of a data protection law is bound to create deterrence in the proper enforcement and resolution of these concerns. The primary issue is that there is currently no delineation of the ambit of the right to be forgotten, and this task will inevitably have to be taken up by judicial authorities. Courts are entrusted with ad-hoc resolution of a probable ‘right’ whose content is nebulous.62 This has led to varied outcomes. In Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd. and Ors., 63 the Delhi High Court recognized the plaintiff’s right to be forgotten. The issue arose out of the publication of articles containing harassment allegations against the plaintiff during the #MeToo campaign by the respondent. The court directed the respondent to take down these 60 (2017) 10 SCC 1. 61 (2017) 10 SCC 1, ¶ 629. 62 Sohini Chatterjee, In India’s Right to Privacy, a Glimpse of a Right to be Forgotten, The Wire (28 Aug. 2017), https://thewire.in/law/right-to-privacy-a-glimpse-of-a-right-to-be- forgotten(visited on 9 July, 2020). 63 CS (OS) 642/2018, decided on 9 May, 2019. INDIAN JOURNAL OF LAW AND JUSTICE 52 articles from the internet as they might cause massive injury to the plaintiff. The court also held that the ‘right to be forgotten’ and the ‘right to be left alone’ are integral facets of the right to privacy. On the other hand, the Gujarat High Court, inDharamrajBhanushankarDave v. State of Gujarat,64 rejected a request for erasure of a judgment, pointing out that the petitioner had failed to establish which provisions of law were attracted and how the uploading of the concerned judgment constituted a violation of Article 21 of the Constitution. In this case, the petitioner, through a writ petition under Article 226,prayed before the court for restricting the disclosure of a court judgment published by the respondent on the internet despite the fact that the said judgment was non-reportable. The petitioner alleged that it had been hampering his personal and professional life. Referring to its rules, the Gujarat High Court held that copies of the judgment of High Court can be given to any party by the order of Assistant Registrar. Further, the court also held that the petitioner had failed to prove any violation of Article 21. Therefore, the Court did not recognise the right to be forgotten. Even though Section 69A of the IT Act and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 hold relevance, there is a dearth of clarity about the parameters of an individual’s right to be forgotten and what restrictions can be imposed on the same. Again, in Sri Vasunathanv.The Registrar General &Ors.,65 the Karnataka High Court ordered erasure only of copies of the order yielded on an internet search but did not extend the relief to certified copies of the order on the High Court website. Here, the prayer of the petitioner was to direct removal of his daughter’s name from an order published in the digital records maintained by the respondent. The said order was in line with an FIR filed by the petitioner’s daughter against a man for offences relating to compelling her for marriage, forgery, etc. Subsequently, the parties entered into a settlement and the FIR was quashed. Recognising a right to be forgotten, the Karnataka High Court directed the respondent to mask the name of the petitioner’s daughter. The Court noted that this: 64 2015 SCC OnLineGuj 2019. 65 2017 SCC OnLineKar 424. Vol. 12 No. 1 ISSN: 0976-3570 53 “would be in line with the trend in the Western countries where they follow this as a matter of rule “Right to be Forgotten” in sensitive cases involving women in general and highly sensitive cases involving rape or affecting the modesty and reputation of the person concerned.” 66 A. The Right to be Forgotten in the Personal Data Protection Bill, 2019 The discussion around the law of data protection in India reached a crescendo in the case of Justice Puttaswamyv. Union of India.67 On the directions of the Supreme Court, the government set up an expert committee to formulate a comprehensive data protection framework for India. The Committee, headed by Justice B N Srikrishna, submitted a report entitled “A Free and Fair Digital Economy: Protecting Privacy, Empowering Indians”, which contained a draft Personal Data Protection Bill. The Data Protection Bill seeks to shape the regulation governing today’s increasingly data-driven geopolitical landscape by developing a comprehensive data governance framework. The currently existing data protection framework, which comprises of the Information Technology Act, 2000 and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 does not contain a right to be forgotten. The newly proposed Bill seeks to introduce this right. Under Section 20, the Bill provides that every data principal shall have the right to restrict or prevent continuing disclosure of personal data relating to him by any data fiduciary if such disclosure meets one of three given conditions. These are that the disclosure of personal data: (i) has served the purpose for which it was made or is no longer necessary; or (ii) was made on the basis of the data principal’s consent and such consent has since been withdrawn; or (iii) was made contrary to the provisions of the new Data Protection Act or any other law in force.68 However, there is a vast difference between the proposed right to be forgotten in India and that envisaged under the General Data Protection Regulation. Unlike 66 2017 SCC OnLineKar 424, ¶ 9. 67 (2017) 10 SCC 1. 68 The Personal Data Protection Bill, No. 373 of 2019. INDIAN JOURNAL OF LAW AND JUSTICE 54 the GDPR, the proposed Indian right does not include a right to seek complete erasure of the collected data by an individual, known as the data principal, but only to prevent continuing disclosure of personal data. Additionally, to exercise the right envisaged under the Personal Data Protection Bill, the individual has to file an application before the Adjudicating Officer. This is not required to be done by the data principal while exercising any other right under the Bill. Under the GDPR as well, an individual, known as the data subject, can exercise the right to erasure by simply asking the data controller to erase or remove his/her personal data.69 B. Balancing the Right to be Forgotten and the Freedom of Expression The landmark decision of the CJEU, declaring a right to be forgotten, invited large criticism from proponents of free speech.70 They argued that granting people the right to seek erasure of information about them from Google searches amounted to blatant censorship and was at odds with the freedom of speech and expression.71 They based this criticism on the fact that the freedom of speech and expression, which grants the right to impart ideas, opinions, and information, also includes the right to receive information.72 In fact, some 69 General Data Protection Regulation, art. 17. 70 Craig Timberg & Sarah Halzack, Right to Be Forgotten v. Free Speech, Wash. Post (May 14, 2014) available at http://www.washingtonpost.com/business/technology/right-to-be- forgottenvsfreespeech/2014/05/14/53c9154c-db9d-11e3-bda1- 9b46b2066796_story.html (visited on 9 July, 2020); Lisa Fleisher, Google Ruling: Freedom of Speech v. The Right to Be Forgotten, Wall St. J. (May 13, 2014) available at http://blogs.wsj.com/digits/2014/05/13/eu-court-google-decision-freedomof-speech- vs-right-to-be-forgotten/ (visited on 8 July, 2020). 71 Marcus Wohlsen, For Google, the ‘Right to Be Forgotten’ Is an Unforgettable Fiasco, Wired (July 3, 2014), available at http://www.wired.com/2014/07/google-right-to- beforgotten-censorship-is-an-unforgettable-fiasco/ (visited on 9 July, 2020); Jane Yakowitz, “More Bad Ideas from the E.U.” Forbes (Jan. 25, 2012) available at http://www.forbes.com/sites/kashmirhill/2012/01/25/more-bad-ideas-from-the-e-u (visited on 6 July, 2020). 72 Handyside v. the United Kingdom, Appl. No. 5493/72, ¶ 49 (ECtHR, Dec. 7, 1976). Vol. 12 No. 1 ISSN: 0976-3570 55 scholars argued that the Court “forgot” about freedom of expression while delivering its decision in Google Spain.73 The right to freedom of expression has been recognized in almost every national constitution and in several international human rights treaties, including the Universal Declaration of Human Rights,74 the International Covenant on Civil and Political Rights,75 the African Charter on Human and Peoples’ Rights,76 and the European Convention on Human Rights.77 The UN Human Rights Committee in General Comment No. 34 has confirmed that Article 19 of the ICCPR protects all forms of expression and the means of their dissemination, including all electronic modes of expression.78 This means that the freedom of expression extends to the online sphere as well as the offline sphere. However, the criticisms are not well-founded. For one, according to a report compiling aggregate data on the right to be forgotten, Google has denied 75 percent of erasure requests in the last two years.79 On the theoretical front as well, the construction of the decision does not support the argument that the right to freedom of speech and expression was completely disregarded. According to the Court, the two rights have equal weight and which right should prevail would depend on the circumstances of a case. The Court stated that a person’s right to privacy generally overrides “as a rule, not only the economic interest of the operator of the search engine but also the interest of the general public in finding that information upon a search relating to the data subject’s 73 Stefan Kulk and Frederik J. ZuiderveenBorgesius, “Google Spain v. Gonzalez: Did the Court Forget About Freedom of Expression?” 5(3) Eur. J. of Risk Reg. 389 (2014). 74 Universal Declaration of Human Rights, G.A. Res. 217 (III) A, art. 19 (1948). 75 International Covenant on Civil and Political Rights, 999 U.N.T.S. 171, art. 19 (1966). 76 African Charter on Human and Peoples’ Rights, CAB/LEG/67/3 rev. 5, 21 I.L.M. 58, art. 9 (1982). 77 European Convention on Human Rights and Fundamental Freedoms, ETS 5, art. 10 (1950). 78 Human Rights Committee, General Comment No.34, CCPR/C/GC/34, Sept. 12, 2011, ¶ 12. 79 Google Transparency Report, available at https://www.google.com/transparencyreport/removals/europeprivacy/?hl=en (visited on 5 July, 2020). INDIAN JOURNAL OF LAW AND JUSTICE 56 name.”80 In saying so, it highlighted that privacy defines the boundaries of freedom of expression, and not vice versa.81 A notable case in which the relationship between the right to be forgotten and the freedom of expression was discussed was Olivier G v. Le Soir.82 In 2008, the Belgian newspaper Le Soir made its entire archive freely available online,83 thereby making public a 1994 article reporting a car accident with the full name of the driver. The driver requested Le Soir to remove his name or delete the article, as he had been duly convicted and declared “rehabilitated”. The Belgian Cour de Cassation decided that the right to privacy might under specific circumstances justify the limitation of Le Soir’s right to freedom of expression.84 This could be the case where there has been a lapse of a significant amount of time, or the lack of actual interest in communicating the name of the driver.85 Here, the Court deemed that the maintenance of the online article several years after the events described disproportionately damaged the petitioner’s privacy interest compared to the benefit received by the newspaper in respecting its right to free expression. The court noted that this conclusion was bolstered by the fact that the petitioner was not a public figure. Therefore, Le Soir was required to remove the name of the applicant from the article contained in its database. Subsequently, in 2016, an Italian court remarked that the public’s right to information expires “just like milk.”86 In this case, like Google Spain and Olivier G, the petitioner had filed a request to seek the removal of an article regarding a past transgression from the website of a news outlet, Primadanoi. He claimed that the site would appear whenever a search using his or his company’s name was made. However, unlike Google Spain, the article in question was relatively recent and thus could be more impactful. The court evaluated the 80 Google Spain, ¶ 81. 81 Giancarlo F. Frosio, “The Right to Be Forgotten: Much Ado about Nothing” 15 Colo. Tech. L.J. 315 (2017). 82 P.H. v. O.G., Cour de Cassation Belgique, Apr. 29, 2016, N° C.15.0052.F (Belg.). 83 Ibid. 84 Ibid. 85 Ibid. 86 Cass., n. 13161/16 (June 24, 2016) (It.). Vol. 12 No. 1 ISSN: 0976-3570 57 petitioner’s right to privacy with the public’s interest in accessing information and the newspaper’s freedom of expression, and held that the latter expired after two years. Therefore, the court fined Primadanoi €10,000 for the six-month delay in taking down the article.87 On the other end of the spectrum are countries that have afforded greater importance to the protection of the freedom of speech and expression. In the United States of America, for example, any right to be forgotten order issued against a media house would almost certainly violate the First Amendment. Although the Supreme Court has acknowledged the significance of an individual’s right to privacy, it has also remarked that “privacy concerns give way when balanced against the interest in publishing matters of public importance.”88 The restrictions of the freedom of expression in the United States are extremely narrow, extending only to “grave and immediate danger to interests which the state may lawfully protect.”89 The law also protects the publication of “lawfully obtain[ed] truthful information about a matter of public significance” unless there is a need “of the highest order.”90 A full analysis of this issue would depend on the facts of a particular case, but given the primacy of the freedom of expression in the United States of America, it is unlikely that an order requiring a newspaper to alter its content or archived material would be construed as consistent with freedom of the press.91 A Dutch court in 2015 followed this approach while refusing a right to be forgotten petition against a victims’ rights website, holding that the freedom of 87 Athalie Matthews, How Italian Courts Used the Right to be Forgotten to Put an Expiry Date on News, Guardian (Sept. 20, 2016), available at https://www.theguardian.com/media/2016/sep/20/how-italian-courts-used-the-right- to-be-forgotten-to-put-an-expiry-date-onnews (visited on 9 July, 2020). 88 Bartnicki v. Vopper, 532 U.S. 514, 533 (2001). 89 W. Va. State Bd. of Educ. v. Barnette, 319 U.S. 624, 639 (1943). 90 Smith v. Daily Mail Publ’g Co., 443 U.S. 97, 102 (1979). 91 Eric Posner, We All Have the Right to be Forgotten, Slate (May 14, 2014), available at http://www.slate.com/articles/news_and_politics/view_from_chicago/2014/05/the_e uropean_right_ to_be_forgotten_is_just_what_ the_internet_needs.html (visited on 9 July, 2020); Robert G. Larson III, “Forgetting the First Amendment” 18 Comm. L. &Pol’y 91 (2013). INDIAN JOURNAL OF LAW AND JUSTICE 58 expression could only be restricted in “exceptional cases.”92 The following year, the French Court of Cassation held that even with regard to personal information under a right to be forgotten request, requiring a newspaper to remove content would impermissibly infringe upon freedom of press.93 Therefore, what seems clear is that in each case, a balance between an asserted freedom of expression and the right to privacy would be involved. International standards as well as domestic legislations make it clear that both the freedom of expression and the right to privacy are qualified rights,94 subject to limitations that comply with the three tests of legitimacy, proportionality, and necessity. C. Proposed Tests The tensions between right to respect for privacy and the freedom of expression are easy to identify, but difficult to resolve.95 What courts and other adjudicatory bodies must keep in mind while balancing freedom of expression and the right to be forgotten is that both the rights are fundamental, and yet qualified. Therefore, both the rights must be balanced in a fair and proportionate manner without giving precedence to one over the other.96 The ideal method is to adopt a case-by-case analysis, considering in each situation whether there was a reasonable expectation of privacy, whether there was a reasonable expectation of a duty of confidence, how the information was collected, and whether an individual is personally identifiable using the collected information. This test would give courts a consistent approach to analyze the case and arrive at a decision. The first assessment that courts must make is whether the information is private and should be afforded protection. Individuals claiming the right to be forgotten 92 Case No. C/19/103209/HA ZA 14-029 (Rechtbank Noord-Nederland, May 1, 2015) (Neth.). 93 Cour de Cassation, Case No. 15-17729, May 12, 2016 (Fr.). 94 David Anderson, A Question of Trust, 28 (Williams Lea Group, London, 2015). 95 Haya Yaish, “Forget Me, Forget Me Not: Elements of Erasure to Determine the Sufficiency of a GDPR Article 17 Request” 10(1) JOURNAL OF LAW, TECHNOLOGY & THE INTERNET 17 (2019). 96 MGN Ltd. v. the United Kingdom, App. No. 39401/04, ¶142 (ECtHR, Jan. 18, 2011). Vol. 12 No. 1 ISSN: 0976-3570 59 must establish that they had a reasonable expectation that the information would remain private. Whether the actions were conducted in public and whether they concern private and family life, as outlined in Article 8 of the ECHR, are included within this element. This category of information may include information about their health, bank or payment accounts details, contact or identification information, racial or ethnic origin, among others. In all such cases, there must be an evaluation of whether there exists an overriding public interest in the information resulting in its need to remain accessible on the internet. The public interest is a broad concept that encompasses information relating to public officials and public figures which is important to matters of public concern.97 This includes matters associated with public health and safety, law enforcement, consumer and social interests, among others. All the same, intimate details of a person’s private life may also be in the public interest if it involves a public figure or if that person is in a position of trust. The next assessment is whether the person applying for erasure has suffered substantial harm due to the existence of the information at issue in the public domain.98 The threshold for this is high – actual harm must be established by the person and the depiction of mere embarrassment or discomfort is not sufficient. This test also includes within its ambit an assessment of whether an individual is personally identifiable using the information. This component ensures that the freedom of expression is not muffled due to privacy concerns. With minimal effort like blurring faces or hiding names, the media can report stories while respecting individuals’ privacy. VI. Conclusion The right to be forgotten first materialised in Europe, but has since been accepted by several other nations including India. Although the right is limited and is still nascent, it has been hailed as a pertinent right that every individual must be entitled to. The right was recognised in India in the Puttaswamy case and an attempt has been made to make a provision for this right in the Personal 97 TshabalalaMsimang& Another v. Makhanya and Others (18656/07) [2007] ZAGPHC 161 (S. Afr.). 98 Axel Springer AG v. Germany (No. 2), App. No. 48311/10 (ECtHR, July 10, 2014). INDIAN JOURNAL OF LAW AND JUSTICE 60 Data Protection Bill, 2019 which is yet to see the light of day. However, a mere proclamation of the right will not suffice; it is pertinent to develop comprehensive regulations and guidelines that delineate how the right will be implemented. Along with such regulations, accountability mechanisms and audit procedures must be established.99 In India, the legislature has failed to give ample attention to the codification of a much-needed data protection framework. As such, the implementation of the right has been fraught with uncertainty and non-uniformity. Universal experience depicts that as the digital age advances, it is imperative that a law be developed that can meet every challenge, and provide for solutions. 99 Colin J. Bennett and Charles D. Raab, The Governance of Privacy: Policy Instruments in Global Perspective 29 (MIT Press, Cambridge, 2 nd edn., 2006).