RIGHT TO BE FORGOTTEN 

By /

The pace at which personal data is generated, shared and stored, privacy has become a prime concern for citizens. The ‘Right to be Forgotten’ has grown into one of the most important concepts within the scope of data protection and privacy laws. Under this right, an individual can request that his/ her personal data be removed from the internet and other digital mediums, especially if such information has become outdated, irrelevant, no longer useful or harmful to their privacy. For instance, if the name of a person continues to be indexed in a search engine due to a past event, and the same no longer applies to their current situation, it is within their right to demand deletion.  

The Right to be Forgotten originated in the European General Data Protection Regulation (GDPR), but it is now recognised by various jurisdictions as a fundamental right to privacy. Under the GDPR, individuals have the right to request the erasure of personal data if it is no longer necessary for its original purpose, when consent is withdrawn, or when data processing is unlawful.  

Privacy in India has been declared as a fundamental right by the Supreme Court through the landmark case of K.S. Puttaswamy v. Union of India (2017). Building on this, India passed the Digital Personal Data Protection Act (the ‘DPDP Act’) in 2023 as a significant step towards establishing a robust privacy framework. The DPDP Act introduces several provisions designed to protect personal data, including the Right to be Forgotten, giving Indian citizens greater control over their digital footprints.  

The DPDP Act extends the same rights to individuals in India to have personal data erased from those who process such data. The DPDP Act has found inspiration from global privacy regulations such as GDPR while tailoring provisions to suit India’s digital as well as cultural context. Unlike the GDPR, Right to be Forgotten is not absolute right under the DPDP Act, there are limits on the scope of this right, particularly where the data is necessary for the fulfilment of legal obligations or for reasons of public interest, such as journalistic, historical, or scientific research.  

Role of DPDP Act-

The enactment of the DPDP Act is one of the most critical moments in India’s privacy law landscape. This legislation gives India a formal legal framework to protect personal data and enforce the Right to be Forgotten. In this regard, the DPDP Act not only empowers individuals to request erasure of their data but also obliges companies and organisations to set up transparent processes to handle these requests. The law emphasises accountability and transparency and protects individual rights. This is a significant shift for the data subjects in India to make sure that they are in control of their personal information, and it also creates confidence in digital ecosystems by guiding how personal data should be handled and protected. Further, the establishment of Data Protection Board under the DPDP Act plays an important role in ensuring its effective enforcement. The Board has dedicated bifurcations to sort complaints, guide businesses, and bring data controllers into a regime of compliance with the new law laid out under the DPDP Act.  

Besides, because the internet is global, India would need to engage with global counterparts in ensuring that firms, with their operation in several jurisdictions, abide by Indian data protection laws. This is much needed now that Indian consumers will be engaging more and more with global platforms, and cross border data flows are complex. 

Legal Framework-

India’s privacy and data protection environment has undergone significant changes over the last few  years. While privacy was always a part of the Constitution of India, enactment of the DPDP Act in 2023 clearly and comprehensively set up how personal data should be treated in India.  

Under DPDP Act, the major provisions regarding the Right to be Forgotten are: 

  1. Data Subject Rights: The DPDP Act equips the data subject with several rights, including access, correction, and erasure of their personal date. The Right to be Forgotten grants the right to ask that the data be erased once the purpose for which it was collected is no longer served or the data subject withdraws his consent for processing.  
  1. Obligations of Data Controller and Processor: The DPDP Act imposes obligations on data controllers and processors to respect the rights of individuals and to process personal data in a transparent and secure manner. This includes keeping records of requests for erasure and giving individuals means to submit and track their requests.  
  1. Exemptions: The right to erasure is subject to certain exemptions. For instance, data may not be erased if it is needed for compliance with legal obligations, for exercising the right of freedom of expression, or for processing data that is in the public interest. Additionally, data related to national security, public health, or scientific research may not be deleted under the Right to be Forgotten.  
  1. Enforcement Mechanism: The Data Protection Board of India, as a body constituted under the DPDP Act, shall oversee the conformity of data controllers or data processors according to the provisions of the DPDP Act. The Board will be able to play its role in resolving complaints of data erasure that may arise against data processors. Individuals may approach the Board for filing complaints if their Right to be Forgotten requests are being denied or ignored.  

Search engines and Online platforms-

Central to the implementation of the Right to be Forgotten are search engines, social media platforms, and content hosts. They contain tremendous amounts of personal information which the individuals may desire to have the access blocked, owing to numerous grounds. Platforms like Google, Facebook, Twitter, etc. receive the greatest number of requests for the implementation of Right to be Forgotten.   

Under the DPDP Act, search engines and social media sites are obliged to establish systems that enable users to request the deletion of personal data from their platforms and search results. This is similar to the mechanisms established by the GDPR, which mandates that search engines such as Google to remove certain search results that are outdated or irrelevant in connection with an individuals’ name. Social media, similarly, must delete or deny access to content, where the content in question does not meet the exemption grounds, including public interest, freedom of expression, and the like. Nevertheless, enforcing the Right to be Forgotten on such platforms poses several challenges in relation to the scale of data and resources needed to manage erasure requests. Large tech companies, especially those with a global reach, will have difficulties complying with national privacy laws, which leads to ongoing discussions about cross-border regulation and enforcement.  

Proof of data deletion on the Internet-

The problem related to the Right to be Forgotten is ensuring that personal data is irrevocably removed from the internet, and proving, consequently, that deletion indeed happened. A person submitting a request for removing definite information from a site or an index of any search engine does not warrant a total removal of such data. For instance, even after a person deletes a news report from appearing in search results, the original content could still live on the website or in online caches. In addition, cached webpage versions and data stored within backups or on third party websites may continue to reside, so one cannot easily ensure complete deletion.  

The DPDP Act addresses the problem by requiring data controllers to ensure that personal data erased cannot be recovered or reused. The DPDP Act also requires the data controller to provide the data subject with evidence of erasure, such as a certificate of erasure or acknowledgement that the request has been processed. While the requirement for evidence of data deletion is a step forward, it is difficult to meet because of the nature of the internet and the way in which data is stored and accessed in a decentralised manner. Still, technological advancements in data management, including blockchain-based solutions for data traceability, may help provide more robust evidence of data deletion in the future.  

Conclusion-

The DPDP Act is a big step for privacy rights in India. The Right to be Forgotten under this Act now affords Indian citizens greater control over their personal data and gives them the right to request the deletion of the data when they deem it is necessary. As India continues to strengthen its data protection framework in an era of digital ubiquity, a strengthening role for the Right to be Forgotten is empowering people to secure their privacy. To businesses and organisations, this would call for higher transparency, better data management systems, and the respect for people’s rights in managing their digital identities. The future of privacy in India is going to be shaped through the ongoing evolution of data protection laws, and DPDP Act would be a cornerstone in that journey.  

 

Related Posts

Inventorship by AI: Is It Really Necessary to Grant IP Ownership to AI?

Blogs/articles / By

The rapid advancement of Artificial Intelligence (AI) has given rise to numerous legal and ethical questions, particularly concerning Intellectual Property (IP) Rights. Among these is a crucial debate: Should AI be granted ownership of its inventions? While AI-generated innovations are becoming more sophisticated, the essence of IP law is rooted in incentivizing human creativity and […]

Patentability Search and why to do it? 

1 Comment / Blogs/articles / By

Inventors, entrepreneurs, and companies tend to hurry to file patents in the thrill of realizing a new concept. But before you spend time and resources on the patenting process, there is one step that is never to be forgotten: the Patentability Search. The patentability search can be the difference between a successful patent and a […]

Scroll to Top