It is vital that such a right is framed in the context of a robust data protection legislation and that proper safeguards are instituted to ensure that it is not used to reduce transparency and accountability, but instead to empower individuals to have more control over their lives
The European Court of Justice (ECJ) recently came out with two landmark rulings on the “right to be forgotten”, deciding on the territorial scope of the right and on how sensitive data or information is to be treated in relation to it. The right, at least in the EU, allows individuals to request a “data controller” to remove online information about them.
The data controller is an entity that decides how and why the data of an individual is processed. For search engines, since the Google Spain ruling in 2014, this has meant that they would have to de-reference links from search results where the information is inaccurate, irrelevant, or inadequate, subject to certain conditions.
There are a few reasons people may want to exercise this right — it gives a person control over the information available about them online, especially when such information can have implications for their safety, career or relationships; it can help victims of abuse not be publicly associated with painful and difficult parts of their lives and it can help people move on from mistakes made previously.
It appears that many people have exercised this right, with Google reportedly receiving over 8,45,000 requests over the last five years, and removing 45 per cent of the links.
The right has also been criticised, chiefly for its potential to curtail free speech, for the additional burdens on data controllers and for the implications on the Right to Information and accountability, especially if there is a lack of adequate safeguards.
Some of these concerns have been taken into account in the General Data Protection Regulation (GDPR), which carves out freedom of expression and information, public interest and research among others as exceptions to this right. The recent rulings of the ECJ are especially interesting in this context because they are among the first in trying to delineate the boundaries of the right.
First, in dealing with territorial applicability, the ECJ specified that Google would not be required to de-reference links outside the geographical boundaries of the EU or even outside the borders of the country from which the request arises. But it noted that de-referencing results globally may sometimes be necessary, depending on the facts and considerations in each case. Although the ruling requires search engines to “effectively prevent” or “seriously discourage” users from within the EU from gaining access to restricted results, this can be hard to implement if people utilise VPNs or similar encrypted software.
Second, in the sensitive data ruling, the ECJ requires search engines to “adjust the list of results” in such a manner that the overall picture it presents to an internet user reflects the current legal position, with links containing such information appearing at the top of the search results. For example, in a case of a person accused of a crime being acquitted, the absolution would have to be the first link that is displayed on the search results for that person. This is interesting because the ECJ is essentially telling search engines how they should order their search results, and seems to suggest that this reordering is something that should be done proactively, and “at the latest” on receiving a request to de-reference by the user. Some have noted that this could prove counter-productive, where results regarding the outcomes of a person’s legal disputes would not have otherwise made it onto the first page of results, especially where the person is a public figure. While well-intentioned, this requirement also raises concerns about the ways in which biased articles could make it to the top of search results, with credible reporting on the relevant allegations or charges appearing later on.
So, what do these rulings mean for us in India? Not much at the moment, except that they are among the first cases delineating the boundaries of the Right to be Forgotten and are likely to be relied on if similar cases were to arise here. Although India does not currently have the right, the draft Personal Data Protection Bill (Bill) includes a version of it.
It states that the individual wanting to exercise her right would have the right to “restrict or prevent continuing disclosure” of personal data by a data fiduciary in certain circumstances. Whether this means that such results are to be removed entirely or de-referenced is not specified.
Second, unlike the EU, which requires data controllers to determine whether to de-reference or remove content based on a request, the Bill proposes that an Adjudicating Officer would make this assessment.
There have also been cases dealing with this right in India, mostly in the context of name redaction or removal of publicly reported judgments, with High Courts taking differing views on the matter. In 2017, the Karnataka High Court (HC) ruled in favour of a petitioner who had approached it to have his daughter’s name removed from digital records pertaining to previous cases which had been settled. The HC granted the petition and redacted the daughter’s name from the cause title and the order.
In contrast, the Gujarat HC rejected a petition requesting that public display of the judgments and orders be restricted, where the petitioner was initially accused of several criminal offences but was subsequently acquitted. In this case, the decision hinged on what a “reportable” case was, and on the fact that there was no provision of law that the petitioner could point to for this request.
These cases highlight the need to effectively implement existing legislation. For example, the Indian Penal Code (IPC) contains provisions requiring anonymisation of victims of certain crimes. It also highlights the need for instituting a comprehensive data protection legislation.
The way rights are framed around our personal data will have significant implications for the Right to be Forgotten, if recognised in India. The recent EU rulings and the larger global conversations around this issue are important to consider and learn from, as they indicate the kinds of issues we’ll have to face if we enact a similar law.
However, it is clear is that any case dealing with the right will necessarily be subjective and depend on the individuals making the decisions in each case, whether that is a statutorily appointed Adjudicating Officer or a team at Google.
It will also always involve balancing the right to privacy with the right to free speech and the larger public interest. It is, therefore, vital that such a right is framed in the context of a robust data protection legislation, and that proper safeguards are instituted to ensure that it is not used as a way to reduce transparency and accountability, but is instead used to empower individuals to have more control over their lives.
(The writer is Junior Fellow, Esya Centre)
