Right to be Forgotten: A Study with Special Reference to India

Swati Pandita and Lovely Sharma

Abstract

In recent years, data privacy issues have dominated the discussion among media and academic
circles, more so after the Right to be forgotten was included in European Union’s Data
Protection Regulation. The Right to be forgotten (RTBF) is a statutory right defined under
Article 17 of GDPR. It means the data subject has the right to get his personal data erased or
delisted from any internet database or public platform if the information is no longer necessary.
As of now, this right is not backed by any statute in India but courts on multiple occasions have
ruled in its favor. This paper critically analyses the The Personal Data Protection Bill, 2019 and
the report of Justice Srikrishna Committee. The author also considers RTBF in the context of the
Right to know and examines the stand of the judiciary.

Keywords: Right to be forgotten, Data Privacy, Google Spain Case, Data Protection Bill, Right
to Know, Right of Erasure.


Assistant Professor, School of Law, FIMT-GGSIPU, Delhi. Author can be contacted at pandita.swati@gmail.com

Student, LLM IVth Semester, Chaudhry Charan Singh University, Meerut.
1. Introduction
In 1998, La Vanguardia, a Spanish newspaper published an announcement of bidding for two
properties being sold due to social security debt. Mario Costeja González, owner of one of the
property was named in the newspaper. In 2009, he requested the paper to erase the data from its
online edition. After his request was denied, he contacted Google Spain to remove the links from
the search engine as he objected to the processing. Google Spain forwarded the request to its
registered office in California, which denied the request again. Desperate to seek redressal,
Mario filed a complaint with AEPD (Agencia Española de Protección de Datos), a Spanish data
protection agency asking both bodies to remove his personal data from the internet. AEPD
rejected the complaint against the newspaper but asked Google Inc and Google Spain to remove
the data. They separately brought an action against the decision before the National Court
(Audiencia Nacional ) and argued that it does not come under the ambit of EU Directives nor
they can be considered controllers. They further added that uploading data cannot be called
processing. The court held that Google Inc is an establishment and it collects, retrieves, records,
and discloses data hence engaging in processing and can be called a controller. Court also held
that the individual has a right to object based on legitimate interest and seek erasure1.

Article 17 of GDPR allows the data subject to ask for the erasure of his personal data if it’s no
longer necessary for the purpose it was collected, he withdraws his consent and the controller has
no legal standing to keep it, he objects to the collection, or the data collection was illegal. 2
European Union’s bid to protect an individual’s privacy right, although imperfect, is crucial in
the times of rapidly growing penetration of the Internet.3

In India, the Right to be Forgotten surfaced for the first time in K.S. Puttaswamy V Union of
India4 where the bench opined that the Right to Privacy should include the Right to Erasure also.
In July 2017, the Ministry of Electronics and Information Technology formed a 10-member
committee headed by Justice B.N. Krishna, to identify loopholes in data protection and measures

1
Ignacio Cofone, “Google V Spain, A Right to be Forgotten”, Chi Kent Journal of International and Comparitive
Law,Vol. XV.
2
GDPR Article 17: Right to erasure (‘right to be forgotten’) - GDPR Software Solutions
3
Theresa M. Payton & Theodore Claypoole, Privacy In The Age Of Big Data: Recognizing Threats, Defending Your
Rights, And Protecting Your Family 1 (2015)
4
Writ Petition (Civil) No. 494 Of 2012
to address them. After due deliberations, the committee submitted a report titled “A Free and
Fair Digital Economy – Protecting Privacy, Empowering Indians” and draft data protection bill.5

2. Salient Features of the Personal Data Protection Bill, 2021

The 2018 bill dealt with the processing of the personal data of an individual by the government
or any private establishment, whether incorporated in India or abroad. In 2019, the bill was
amended to include non-personal data, as it could also affect privacy and it would be difficult for
the government to create authorities for two different types of data that are more or less similar.6
Scholars believe that this provision is too far overreaching as now it shall include data from the
military and companies too.

It allowed processing on the following grounds:

(i) “any function of Parliament or state legislature, or if required by the State for
providing benefits to the individual,
(ii) if required under law or for compliance with any court judgment,
(iii) to respond to a medical emergency or a breakdown of public order,
(iv) purposes related to employment, such as recruitment, or,
(v) for reasonable purposes specified by the Data Protection Authority concerning
activities such as fraud detection, debt recovery, credit scoring, and whistle-
blowing.”7

2.2 Obligations

The Bill laid down certain obligations on the data fiduciary8 like “processing personal data fairly
and reasonably, notifying the data principal of the nature and purposes of data collection, and

5
Sushovan Sircar & Vakasha Sachdeva, “Key Highlights from Srikrishna Committee Report on Data Protection”,
The Quint, 27 July 2018 available at: Srikrishna Committee: Key Highlights From Srikrishna Committee Report on
Data Protection and Draft Bill (thequint.com) (last visited 15 October, 2022)
6
Recommendation No. 2, p. 26 available at:https://prsindia.org/billtrack/the-personal-data-protection-bill-2019
7
Draft Personal Data Protection Bill, 2018 (prsindia.org) (last visited 15 October, 2022)
8
"Data Fiduciary" means any person, including the State, a company, any juristic entity or any individual who alone
or in conjunction with others determines the purpose and means of processing of personal data;
their rights, among others, and collecting only as much data as is needed for a specified purpose,
and storing it no longer than necessary.”9

2.3 Exceptions

However, certain data processing activities were not subject to the obligations specified. Data
principle10 cannot claim right if the data is for national security (pursuant to a law), prevention,
detection, investigation, and prosecution of contraventions to law, legal proceedings, personal or
domestic purposes, and journalistic purposes.

2.4 Child Protection

The bill specially mentioned the need to have stringent provisions to protect the privacy of
children. It has prohibited companies from processing data like behavioral monitoring, tracking,
targeted advertising, and any other processing harmful to the child. BN Srikrishna committee had
recommended creating division in the personal data of children. Websites specially created for
children would fall under the category of guardian data fiduciary and they will not be allowed to
collect data. However, websites for adults will not fall into this category. The bill did away with
this distinction. This implies that every single data fiduciary has to ensure whether they are
dealing with an adult or child, which is a bit tedious task to execute. It also recommended that
minors should be allowed to revalidate their consent on attaining majority 11

2.5 Surveillance

Another problematic provision of the bill states that any agency that processes personal data in the
interest of the sovereignty, security, or public order or for preventing a crime can be exempted by
the Central Government from all or any provisions of this bill if the oversight is fair, reasonable
and proportionate. Privacy advocates criticized this provision as it allows the central government
to override the cyber security standards and not enough balusters have been created by the
committee to protect an individual against state vendetta. Gautam Bhatia, an advocate working

9
Supra Note 5
10
"Data Principal" means the natural person to whom the personal data relates.
11
Recommendation No. 38, pp. 72-74, Committee of Experts under the Chairmanship of Justice B.N. Srikishna,
Report on a Free and Fair Digital Economy: Protecting Privacy, Empowering Indians (2018) available at:
https://meity.gov.in/writereaddata/files/Data_Protection_Committee_Report.pdf (last visited 15 October, 2022)
on privacy and data protection, remarked “without addressing surveillance head-on, a data
protection law will remain incomplete and ineffective.”12

2.6 Right to be Forgotten

The committee under section 20 recommended that data principles have the right to be forgotten.
They can apply to adjudicators appointed by the government.13

3. Right to be Forgotten
Right to be forgotten is defined as “the ability of individuals to limit, de-link, delete, or correct
the disclosure of personal information on the internet that is misleading, embarrassing,
irrelevant, or anachronistic.”14 B N Krishna Committee also recommended that this right must
be granted but after ensuring that freedom of speech and expression is not compromised in an
unjustified manner.

Deputy Information Commissioner of the UK When you unpick it, much of what is there of the
right to be forgotten is just a restatement of existing provisions—data shan‘t be kept for longer
than is necessary; if it has been processed in breach of the legal requirements it should be
deleted, which goes without saying.

In the GDPR, the right to be forgotten does not exist alone, but with the right to erasure. Article
17(1) of the Regulations says, ‘the data subject shall have the right to obtain from the controller
the erasure of his/her personal data without undue delay, and the controller, on the other hand,
shall have to do the same without undue delay if a certain condition exists.15

Clause 20 of the Personal Data Protection Bill 2019 allows the data principle to restrict the
disclosure of his personal data if:

i. “It has served the purpose for which it was collected or is no longer necessary for the
purpose;

12
Dhananjay Dhonchak, “Righ to be Forgotten:Privacy v Freedom”, Indian Express, August 2021
13
Supra Note 11
14
Michael J. Kelly and David Satola, “The Right to be Forgotten”, University of Illinois Law Review (2017) at p. 1.
15
Ashwinee Kumar, “The Right to be Forgotten in Digital Age: A Comparative Study of the Indian Personal Data
Protection Bill, 2018 and the GDPR”, Shimla Law Review, 2020
 ii. It was made with the consent of the data principal under section 11 and such consent
has since been withdrawn; or
iii. It was made contrary to the provisions of this Act or any other law for the time being
in force”16

The data principal has to apply on the above-mentioned grounds showing that his right to be
forgotten overrides the freedom of speech and expression of the data fiduciary.17

The application shall be filed before the Adjudicating officer appointed by the central
government. He shall before adjudging, have regard to the sensitivity of the data in question, the
scale of disclosure by data fiduciary and the extent to which information is asked to be curtailed,
the role of the individual in public life, and the importance of the data to the people. Any person
can file for the review of the order if he has a reason to believe that the order did not satisfy the
abovementioned grounds. An aggrieved party can also appeal to the Appellate Tribunal if not
satisfied with the decision.18

Recently, the government withdrew the data protection bill intending to introduce a new draft
bill in early 2023 after due public consultation. Union Minister for Information & Technology
stated that “The Personal Data Protection Bill, 2019 was deliberated in great detail by the Joint
Committee of Parliament. 81 amendments were proposed and 12 recommendations were made
toward a comprehensive legal framework for the digital ecosystem. Considering the report of the
JCP, a comprehensive legal framework is being worked upon.”19

4. Role of Indian Judiciary

16
Supra Note 11
17
Supra Note 11
18
Supra Note 11
19
Kazim Rizvi, “New Data Protection Bill must Enable a Progressive Data Governance System”, The Times of
India, October 9 2022 available at: https://timesofindia.indiatimes.com/blogs/voices/new-data-protection-bill-must-
enable-a-progressive-data-governance-framework/ (last visited on 22 October 2022)
grounds of the fulfillment of legal responsibilities, execution of duty in the public interest,
protection of information in the larger public interest, for scientific or historical studies, for
matters related to any legal claim, and the exercise of freedom of expression and information20.

Justice Kaul stated that the “right of an individual to exercise control over his personal data and
to be able to control his/her own life would also encompass his right to control his existence on
the Internet.” 21 The judges recognized that individuals are prone to making mistakes and the
digital footprints should not hinder their ability to reform.

In Laksh Vir Singh Yadav V Union of India22, the petitioner has requested the court to erase
information pertaining to his wife and mother from an online legal case law database. He
claimed that despite his non-involvement in the case, he faced bias and discrimination because
the information was in the public domain. The Delhi High Court dismissed his plea.

Kerala High court in Civil Writ Petition No 9478 of 2016 gave interim order to a legal database
website- Indian Kanoon, to remove the name of the rape victim from the documents. On the
other hand, in Dharamraj Dave v. State of Gujarat23, the Court rejected the plea for permanent
restraint on display and indexing of the non-reportable judgment on the internet on grounds of
lack of legal provisions establishing his right to erasure.

Karnataka High Court in Sri Vasunathan v. The Registrar General &Ors24 gave a similar order.
The petitioner requested the erasure of his daughters' name from a case posted online as the
parties had later entered into an agreement. The court gave relief but only to the extent of
deletion of copies of the case from an internet search. The certified copies of the case on the
website of the High Court were allowed.

In Zulfiqar Ahman Khan v. Quintillion Business Media Pvt. Ltd. and Ors.25, Delhi High Court
held that the right to be left alone is a part of the right to privacy and ruled in favor of the
plaintiff and asked the respondent to take down #metoo posts alleging sexual harassment from

20
Supra Note 4
21
(2017) 10 SCC 1, ¶ 629
22
WP(C) 1021/2016)
23
2015 SCC OnLineGuj 2019
24
2017 SCC OnLineKar 424
25
CS (OS) 642/2018
the internet. In another recent case of Jorawer Singh Mundy v Union of India26 the petitioner,
an American citizen approached the Delhi High Court requesting it to order the erasure of
information related to his case under the NDPS Act. The court emphasized the need for the right
to be forgotten and stated that “freedom allows an individual to silence earlier events in his life.”

The Madras High Court in Karthick Theodore V The Registrar General27opined that given the
lack of legislation regulating data protection, the burden is on the judiciary to fill the gap. It ruled
that people who have been accused of offenses and later acquitted by the court have a right to
deletion of information from the internet.

5. Balancing the Right to be Forgotten, Right to Information, and Freedom of

It is to be noted that the genesis of the right to information is in the fundamental right of freedom
of speech and expression as a person can be informed only through speech. Hence, in this part,
the author shall discuss the anomalous relationship between the right to be forgotten and freedom
of speech and expression. In this age, personal data is no less than a digital currency.28

Jeffery Rosen in his paper argues that the Right to be Forgotten interferes with someone’s right
to receive information.29 When CJEU declared that individuals have the right to be forgotten,
advocates of free speech claimed it was nothing but censorship.30

This issue was discussed in Olivier G v. Le Soir 31 also. A Belgian newspaper was sued for
making public its archives which included a newspaper report disclosing the full name of a truck
driver involved in an accident. The driver in his plea claimed that he was convicted and duly
rehabilitated and requested the information to be removed from the internet. The court ruled in

26
W.P.(C) 3918/2021
27
2021 SCC OnLine Mad 2755
28
Giovanni Sartor, “The Right to be forgotten: Balancing Interest in the Flux of Time”, International Journal of
Law and Information Technology, 24, 72–98 (2016).
29
Jeffrey Rosen, “The Right to Be Forgotten”, Stanford Law Review Online (2012) at p.88
30
Marcus Wohlsen, “For Google, the ‘Right to Be Forgotten’ Is an Unforgettable Fiasco”, Wired, July 3, 2014,
available at http://www.wired.com/2014/07/google-right-tobeforgotten-censorship-is-an-unforgettable-fiasco
(visited on 19 August, 2022).
31
P.H. v. O.G., Cour de Cassation Belgique, Apr. 29, 2016, N° C.15.0052.F (Belg.)
his favor by establishing the right of erasure in cases of a gap of a significant number of years, or
disproportionate damage.

The General Comment No 34 of UNHRC has reaffirmed that protection given under Article 19
of ICCPR extends to the online platform also32. In India, the same is said under Article 19 of the
Constitution. Srikrishna committee emphasized the need to balance both these rights. They
proposed a test where the principal’s right to the erasure of information is checked on the altar of
the right of speech and information of others33.

Ashwinee Kumar in his paper argues that in this case, the committee has not considered the
rights of the public but of tech companies against the right of the data principal. He states that
“All the related fundamental rights should be tested one on one by keeping ‘informational self-
determination’, of, first, on one hand, and ‘collective interest’ of the rest on the other. Here,
‘collective interest’ does not mean the society as a whole, but concentrates on the digital service
providers. The real fight is between the tech moguls and a common man. A war must be fought
between equals having almost analogous weapons.” 34

6. Criticism

With the judgment in Google V Spain case, criticism of the Right to be Forgotten had initiated.35
The consequences of information being permanently accessible over the internet had just started
gaining traction.

6.1 State as an Exception

Privacy rights activists are criticizing the exception granted to the government under section 35
of the PDP Bill, 2019. Justice B.S. Srikrishna Committee recommended exception to statutory
requirements on only one ground, i.e. security of the state. Under the new bill, the Central
government is authorized to any of the privacy safeguards if it believes it to be in the interest of
the sovereignty and integrity of India, the security of the state, and friendly relations with foreign
countries. It can refuse to comply with the statutory requirements to prevent any offense related

32
Hiroshi Miyashita, “The ‘Right to Be Forgotten’ and Search Engine Liability” Brussels Privacy Hub (2016).
Available at: https: //brusselsprivacyhub.eu/BPH-Working-Paper-VOL2-N8 (last visited Jan., 18, 2020)
33
Supra Note 11
34
Supra Note 13
35
Supra Note 1
to the above-mentioned issues. It is of great concern that the government can use the data of
common people without them being aware of it in the name of security and order. It gives undue
power to the central government which can be easily misused. Jairam Ramesh said, “separate
privileged class whose operations and activities are always in the public interest.”36

6.2 Dilution of User’s Rights

Consent for the processing of personal data can be withdrawn by the data principal at any point.
However, the citizen might have to face legal consequences if the state thinks that the withdrawal
was devoid of any valid reason. Here, what constitutes a valid reason is not defined. The bill, on
one hand, preaches that consent should be easy to give and withdraw and on the other hand puts
the burden of proof on the data principal. Also, the data fiduciaries are permitted under the PDP
Bill to charge fees from the principals for processing their requests. These one-sided provisions
favor the state heavily and would deter the common masses from exercising their right to
withdraw consent under the act. Activists have been claiming that the “document has become
prerogative of the rich.”37

6.3 Non-Consensual Data Processing

The bill states that the data can be processed without the knowledge and consent of the data
principles. The central government can direct fiduciaries to provide it with any non-personal data
or anonymous personal data, whereby the government cannot identify the person but still
improve the target area for services. It is of major concern, especially in a country like India,
where multiple data breaches have happened in the past. Citizens have raised concerns that this
provision can be arbitrarily used by the government to discriminate against the people on
political and religious grounds.38

Further, employers are also exempted from having consent to process data of its employees.
They can process it for the purpose of appointment or termination, attendance verification or

36
Vakasha Sachdeva, “Why is the JPC Report on the Personal Data Protection Bill being Criticised”, The Quint,
December 17, 2020 available at: https://www.thequint.com/tech-and-auto/tech-news/jpc-report-personal-data-
protection-bill-criticism-govt-exemption-dpa-control-social-media-verification (last visited on October 22, 2022)
37
Supra Note 36
38
The Wire Staff, “Data Protection Bill: Congress MPs File Dissent Notes over JPC Report,” The Wire, 22
November,2002. available at: https:// thewire.in/government/jpc-report-pdp-billjairam-ramesh-dissent-note-
unbridled-exemptions-government-agencies (last visited on 20 October 2022)
assessment of performance. It is feared that it would be arbitrarily used by employers to monitor
the workers and invade their privacy. Recently, a legal notice was issued to BECIL by Internet
Freedom Foundation for floating a tender for a ‘personnel tracking GPS.’39

6.4 Data Localisation

Data Localisation can stand for any mandate on the free flow of data across borders. The
committee required mirroring of sensitive and personal data in the base country. However, the
new bill allows the transfer of personal data outside India except for sensitive data. This
categorization of data is a good move but it shall lead to increased operational costs for
businesses. There are many companies, especially startups, that rely on cloud services for
storage. This policy has the potential to cause negative business sentiment. National Institute of
Public Finance and Policy in their paper argued that privacy protection needed to depend on the
location of the data. Security of the data depends more on technical measures, skills, and
cybersecurity protocols.40

6.5 Social Media User Verification System

The bill makes it mandatory for all social media companies to provide users an option to verify
their identity. In case of failure to do the same, these companies shall lose the status of
intermediaries, which shall make them legally liable for the content posted by their unverified
users. Regulation of social media is necessary in times when it can lead to an increase in hate
crimes or misinformation. However, building a massive verification system would be possible
only for a few giant companies, leading to monopolizing the sector. Another issue is the data
principals would have to submit official documents like Aadhar, PAN Card, Ration Card, etc for
verification. There is a possibility of this data being used for advertising agendas of the company
without explicit consent of the user and also of a data breach or identity theft happening. Also, it

39
Barik, Soumyarendra and Aashish Aryan, “US Bodies Push Back on Data Protection Bill, Seek New Working
Group,” Indian Express, 3 March 2022, available at: https:// indianexpress.com/article/india/us-bodiespush-back-
on-data-protection-bill-seek-newworking-group-7798193 (last visited on 20 October 2022)
40
Rishabh Bailey, “The issues around data localization”, The Hindu, February 25, 2020 available at:
https://www.thehindu.com/opinion/op-ed/the-issues-around-data-localisation/article62108462.ece (last visited on 20
October 2022)
is believed that anonymity on social media has its benefits too. It has helped people in past to
blow the whistle against their organizations, and ensure identity protection and personal safety.41

6.6 Power Imbalance

A cursory reading of the bill will make the reader realize that there is an imbalance of power in
the hands of the central government. The bill provides for an independent Data Protection
Authority to safeguard the rights of data principals. However, the draft bill authorizes the central
government to appoint members of the data protection authority on basis of recommendations of
an outside committee and to remove them according to the law. It also lacks the presence of any
judicial member on the panel as suggested by the Srikrishna Committee. It is clear from the draft
that this DPA is nothing but a toothless tiger, too fragile to take to task any violation committed
by the government.42

Also, an adjudicating officer is appointed by the central government to deal with the requests of
data principals to avail the right to be forgotten. These officers are to be appointed by the
members of the DPA, who are appointed by the state. This violates the doctrine of separation of
power.

7. SUGGESTIONS
Srikrishna committee while drafting the framework for the regulation of data collection did not
deliberate about the issue of mass surveillance by the state. In the past few years complaints of
targeted surveillance by political activists and journalists have increased. In such a situation it
becomes imperative to include provisions regulating the powers of government to collect data
from the principals.

Even if data needs to be collected or stored, there have to be some constitutional safeguards to
protect the interest of the citizens. This is where the role of legislators becomes more prominent

41
Dasgupta, Surajeet, “India’s Data Localisation Rules to be a Barrier to Digital Trade: US,” Business Standard, 11
April 2022, available at: https://www.business-standard.com/article/economy-policy/india-s-datalocalisation-rules-
to-be-a-barrier-to-digital-tradeus-122041100008_1.html (last visited on 20 October 2022)
42
Mandavia, Megha, “Personal Data Protection Bill Can Turn India into ‘Orwellian State’: Justice B N Srikrishna,”
Economic Times, 12 December 2022, available at: https://economictimes.indiatimes.com/news/
economy/policy/personal-data-protection-billcan-turn-india-into-orwellian-state-justice-
bnsrikrishna/articleshow/72483355.cms?. (last visited on 24 October 2022)
than ever. The law should put limitations on the state to ensure the data collection was directly
linked with the objective sought to be achieved by the government and if it was collected to the
extent it was necessary. In case of non-compliance, the victim should be adequately compensated
by a fast-track court.

Data Protection Authority should have judicial members on the panel to limit the power of the
executive and ensure independence in its functioning. The role of the central government in
appointment and termination should be a bare minimum.

The right to be forgotten, freedom of speech and expression, and right to information need to be
balanced. The legislature should draft laws and the court should implement them in such a
manner as not to give prominence to any single right over the other. A clearly defined test
should be laid out to determine what information can be made public and what should remain
private. Dr. Mozika in her paper advocates for a twofold assessment. The first is on lines with
ECHR, which protects private information like race, religion caste, health status, bank details, or
contact information. And the second one evaluates the actual harm caused to the individual
because the information is in the public domain.43

In the end, the concern of data protection should not be left to the ad hoc judicial protection of
the court, but a comprehensive law needs to be drafted with a rights-based approach to regulating
the collection, storage, and processing of data.

8. CONCLUSION

The Right to be Forgotten is still in an early stage in India, though recognized by the judiciary. A
comprehensive bill needs to be drafted keeping in mind the suggestions offered by privacy
advocates and JPC members. Along with these regulations, a stable accountability mechanism
also needs to be formulated. The legislature also needs to propose a test to decide the conflict
between the Right to be Forgotten, the Right to Information, and Freedom of Speech and
Expression.
43
Dr Jyoti Mozika, “Integrating the Right to be Forgotten in the Indian Legal Framework in the Light of Experiences
from the European” Indian Journal of Law and Justice, Vol. 12 Issue No. 1, available at:
https://ir.nbu.ac.in/bitstream/123456789/4138/1/Integrating%20the%20Right%20to%20be%20Forgotten%20in%20t
he%20Indian%20Legal%20Framework%20in%20the%20Light%20of%20Experiences%20from%20the%20Europe
an%20Union.pdf (last visited on 22 October 2022)
As a concluding remark, the bill was not coherent enough to be implemented and it remains to be
seen what reforms the union government will bring in the new bill.