A Critical Evaluation of the Right to be Forgotten in the Context of the 2023 Digital Personal Data Protection Act

ABSTRACT

The “Right to be Forgotten” (RTBF), also known as the “right to erasure,” allows individuals to request the erasure of their personal data from online sources. This right empowers people to have their information removed when its purpose is served or it becomes inaccurate. In India, RTBF is enshrined in Section 12 of the Digital Personal Data Protection (DPDP) Act 2023. This paper critically evaluates the provisions related to RTBF included in the DPDP Act 2023. It examines the efficacy of the provisions in protecting the interests of Data Principals (DP), and assesses the implementation strategies and the impact of these regulations on both Data Principals and Data Fiduciaries (DF).

KEYWORDS – Right to be Forgotten, Right to privacy, DPDP Act 2023, data principal, data fiduciary

INTRODUCTION

The “Right to be Forgotten” is a key part of the Right to Informational Privacy. Its origins lie in the French concept of “le droit à l’oubli” (the right to oblivion). In France, ex-convicts can request the removal of their names from official records so that their past will not affect their future life. The first prominent case on RTBF was Google Spain SL, Google Inc v Agencia Española de Protección de Datos (2014). In this case, Mario Costeja González, a Spaniard, challenged the online circulation of his insolvency case details. Even after the case was resolved, the details remained available online. This case led to the introduction of the “right to erasure” under Article 17 of the EU’s General Data Protection Regulation (GDPR).

In India, the “Right to be Forgotten” has also been recognized by various courts. In cases of sexual offences involving sensitive issues RTBF protects the victims from social stigmatisation. In the landmark case of K.S. Puttaswamy v. Union of India, the Supreme Court asserted the “Right to be Forgotten” as part of the right to life and personal liberty under Article 21. In the same case, Justice D.Y. Chandrachud observed, “The dangers to privacy in an age of information can originate not only from the State but from non-State actors as well. We recommend that the Union government establish a robust data protection regime that carefully balances individual rights with the legitimate concerns of the State.” This paved the way for enacting a legal framework for protecting personal data of individuals. Initially the Personal Data Protection Bill, 2019 was introduced, which was later withdrawn and replaced with the Digital Personal Data Protection (DPDP) Act, 2023.

METHODOLOGY

This paper adopts a doctrinal legal research methodology. The method is used to analyse the scope, limitations, and enforcement mechanisms of the RTBF under the DPDP Act, including the legal procedures available for individuals to exercise this right and the corresponding obligations of data controllers. The methodology also includes a comparison of RTBF in the DPDP Act with that provided under the EU GDPR. The paper also evaluates the potential impact of the RTBF on DF.

LITERATURE REVIEW

SCOPE OF RTBF UNDER DPDP ACT 2023

The Right to Be Forgotten is provided under Section 12 of the DPDP Act, 2023. It allows the DP to request the correction, completion, updating, or erasure of their personal data that was processed with their consent. To exercise this right, the DP needs to submit a request to the Data Fiduciary, asking for their personal data to be erased.

Once the request is made, the Data Fiduciary has a duty to erase the data. However, this duty is subject to certain conditions. The Data Fiduciary can retain the data if it is needed for specific purposes or to comply with legal requirements. Section 7 of the Act also emphasises that the Data Fiduciary has to erase the personal data when the DP withdraws their consent or when the original purpose of processing the data has been fulfilled.

The Act follows a balanced approach where the DP has the right to request deletion of data, and the Data Fiduciary has a corresponding obligation to comply. Additionally, Section 15 of the Act requires the DP to ensure that the information provided in their erasure request is genuine and can be verified. This ensures integrity of the process.

Under Section 14 of the DPDP Act, the DP has the right to nominate another individual who can exercise rights on behalf of the DP. The designated individual can exercise these rights in the event of the death or incapacity of the DP. The nomination is to be made in the manner prescribed under the Act and the rules established thereunder. This ensures that the DP’s rights are protected and can continue to be exercised even if the DP is no longer able to do so.

EXCEPTIONS TO RTBF

The RTBF provided under the Act is not absolute and is subject to specific exceptions. These exceptions are listed in Section 17 in Chapter IV of the Act. The exemptions to the right to erasure are:

  • Necessary for enforcing legal rights or claims.
  • Required by courts, tribunals, or regulatory bodies for judicial, quasi-judicial, or supervisory functions.
  • For prevention, detection, investigation, or prosecution of offences or legal contraventions.
  • Processing data of individuals outside India under contracts with entities abroad by persons based in India.
  • For schemes of compromise, mergers, demergers, or other corporate arrangements approved by a competent authority.
  • To ascertain financial information or assets of loan defaulters, in compliance with applicable disclosure laws.
  • Processing of personal data by entities notified by the Central Government for purposes such as:
    • Sovereignty and integrity of India.
    • State security.
    • Friendly relations with foreign states.
    • Public order or prevention of offences.
    • Data shared with the Central Government by such instrumentalities.
  • Data processing necessary for research, archiving, or statistical purposes, provided:
    • The data is not used for decisions specific to any DP.
    • It complies with prescribed standards.

GRIEVANCE REDRESSAL MECHANISM

The DPDP Act provides a clear grievance redressal mechanism for DPs to address issues related to their personal data. The act mandates that the DP shall have readily available means of grievance redressal. This mechanism is meant to handle any act or omission by the Data Fiduciary or Consent Manager regarding their obligations under the Act, including the protection of personal data and the exercise of DP rights.

The Central Government has the authority to classify certain DF as Significant DF based on specific criteria such as the volume or sensitivity of the data they handle. These Significant DF are required to appoint a Data Protection Officer (DPO). The DPO acts as the primary point of contact for grievance redressal and is responsible for ensuring compliance with the Act.

If a DP has a complaint, they must first approach the grievance redressal mechanism of the Data Fiduciary or Consent Manager. The Data Fiduciary is required to address the grievance within a prescribed timeframe, even though the Act is silent about the period of that timeframe.

If the DP is not satisfied with the resolution provided or if there is no response from the Data Fiduciary, they can take the matter to the Data Protection Board (DPB). The DPB is an independent authority established under the Act. As far as possible, the Board has to function as a digital office, from receipt of the complaint to pronouncement of the decision. It has to act on the complaints made by the DP and ensure that DF comply with their obligations. The DP can file a formal complaint with the DPB, including all relevant details and evidence of the Data Fiduciary’s failure to act.

If the DP or any other aggrieved person is dissatisfied with the decision of the DPB, they have the right to appeal to the Appellate Tribunal. This ensures a higher level of review and provides further opportunity to resolve the grievance effectively.

This step-by-step mechanism ensures that the rights of DPs are protected, and their grievances are addressed through a transparent and fair process.

COMPARISON WITH PROVISIONS OF EU GENERAL DATA PROTECTION REGULATION (GDPR)

SCOPE OF RTBF

In India, RTBF is governed under the DPDP Act. It’s also recognized under the EU General Data Protection Regulation. While both the DPDP Act, 2023, and the EU GDPR recognize this right, the scope and implementation mechanism have considerable differences.

In the EU GDPR, RTBF is outlined in Article 17, granting individuals a comprehensive right to request data erasure under a wide range of conditions. Under the DPDP Act, it mainly depends upon the consent of the DP. Under GDPR, the Right to Be Forgotten allows individuals to request the deletion of their personal data under specific conditions, such as when the data is no longer needed for its original purpose, consent has been withdrawn, the data was unlawfully processed, the individual objects to the processing without overriding legitimate grounds, or the data was collected during childhood (typically under 16, subject to national laws).

Similar to the Indian framework, the RTBF under GDPR is not absolute and is subject to certain exemptions, which include:

  • in exercising freedom of speech and expression
  • to ensure compliance with legal obligation or ruling
  • used to perform a task in the public interest (such as, for example, scientific research or historical research)
  • for defending legal claims or establishing legal defence
  • in public interest or for public health reasons

TIME FRAME TO RESPOND TO GRIEVANCES

When an individual wishes to exercise their Right to Be Forgotten under GDPR, they must submit a formal request to the concerned organisation (data controller). Upon receiving the request, the organisation is obligated to respond within one month. However, if the request involves complexities, the organisation is permitted to extend the response period to a maximum of two months. This provision ensures clarity and accountability, setting a definitive timeline for addressing requests and protecting the individual’s rights.

In contrast, the Digital Personal Data Protection Act, 2023 (DPDP Act) in India lacks explicit provisions regarding the time frame within which a Data Fiduciary must act on such requests. The absence of a defined timeline creates ambiguity and may lead to delays in the enforcement of an individual’s right to erasure. This lack of specificity can hinder the accountability of DF and affect the effectiveness of the grievance redressal mechanism.

DEFINITION OF PERSONAL DATA

Under the Digital Personal Data Protection Act, 2023 (DPDP Act), the term “personal data” is narrowly defined. It only includes data that is in a digital format at the time of processing and data that was originally collected in physical form but has subsequently been converted into a digital format for processing. On the other hand, personal data under the General Data Protection Regulation (GDPR) has a wider scope. It includes all personal information of a natural person, such as personal number, credit card number, etc. Thus it includes data stored not only in digital format but also in physical form.

The narrower definition in India restricts the applicability of RTBF to personal data in digital form, leaving out data stored and processed in non-digital systems. This creates a gap in privacy protection, particularly in sectors where paper-based systems are still prevalent, such as healthcare, education, and government services. The EU’s inclusive approach ensures that individuals can exercise RTBF over data processed through both digital and manual systems.

The DPDP Act’s definition of personal data aligns with India’s focus on regulating digital ecosystems. It takes into account the country’s ongoing digital transformation initiatives. However, this shortcoming can be a barrier to protection of personal data in non-digital formats. 

On the other hand, the GDPR’s broader definition ensures comprehensive coverage, allowing individuals to exercise their RTBF across diverse contexts.

CHALLENGES FOR THE DF

Under the DPDP Act, DF have significant responsibilities with regard to the Right to Be Forgotten. As already discussed, the DP has the right to request erasure or deletion of data when the data becomes insignificant or the consent for processing the data is withdrawn. This compels the Data Fiduciary to establish a robust system to process requests for data erasure within a reasonable time frame. Their responsibility is not limited to the erasure of data but extends to checking the identity of the Data Principal and the validity of their request.

LARGE AMOUNT OF DATA

We are living in an era of data boom. The amount of data generated, stored and transmitted is unprecedented. This makes it difficult for DF to locate the data that is to be deleted. Compliance with the requirements of the DPDP Act therefore requires data mapping: DF have to locate the data and erase it across all systems. Due to the large amount of data, attending to requests for deletion on a case-by-case basis is a cumbersome task.

FINANCIAL BURDEN

Additionally, ensuring compliance is financially demanding. DF have to upgrade existing systems and technology for tracking and erasing data, coordinate with third parties, and train their manpower. All of these require a huge investment of money. Apart from the financial investment, failure to comply with the provisions can result in hefty fines. Thus both compliance and non-compliance carry a financial cost.

LEGAL COMPLEXITIES

As already discussed, RTBF is not absolute; it has certain exceptions. Thus DF have to be well informed about when to erase the data and when not to, and about the specific circumstances under which data shall not be erased. This adds to the legal complexities faced by DF.

HUMAN RESOURCE

Additionally, DF must train their staff to ensure compliance, as they will be the primary point of contact for addressing grievances from DPs. They are also required to appoint Data Protection Officers (DPOs) to oversee RTBF compliance, manage grievance redressal, and conduct regular audits. This makes adhering to the RTBF a resource-intensive yet essential aspect of the DF’s operations.

CRITICISM OF RIGHT TO BE FORGOTTEN

The Right to Be Forgotten (RTBF) under the DPDP Act, 2023 in India, like its counterparts in other jurisdictions such as the GDPR, has garnered several criticisms. These concerns mainly revolve around the practical implementation, potential abuse, and broader societal impacts. Below are some of the key criticisms of RTBF under the DPDP Act, 2023:

Potential for Abuse and Censorship

While the RTBF is designed to empower individuals to control their personal data, it can also be misused. Individuals may request the deletion of data, even if it is accurate or relevant to the public interest. For example, people may want to erase negative reviews, past legal judgments, or news reports that could harm their reputation, even though the data is truthful. This can potentially lead to censorship of public records, legal proceedings, and historical information, undermining the public’s right to know and transparency. The lack of clear boundaries on this issue could result in a distortion of public information.

Impact on Freedom of Expression

The RTBF provisions under the DPDP Act have been criticised for potentially infringing upon the freedom of speech and expression. By allowing individuals to erase data, the law might restrict access to information that is of societal or journalistic importance. For instance, public debates or critical opinions that are shared online could be erased if the person involved exercises the RTBF, creating conflicts between privacy and free speech. Media outlets, bloggers, and other content creators may be especially concerned about this conflict when it comes to protecting the public’s right to access relevant information.

Burden on DF

The RTBF imposes a significant operational burden on DF. They must establish systems to process RTBF requests, verify the identity of the requesting individuals, and assess the validity of the request. This can be especially challenging for organisations dealing with large volumes of personal data, including businesses that rely on big data analytics and cloud storage. In the case of large data sets or third-party processors, ensuring the complete erasure of data across all systems, including backups, becomes complex and resource-intensive. This administrative burden could overwhelm small and medium-sized enterprises (SMEs), which may not have the resources to handle RTBF requests efficiently.

Challenges in Enforcement and Implementation

The DPDP Act’s enforcement mechanisms for RTBF may face difficulties due to the lack of established infrastructure and the evolving nature of data privacy laws in India. While the law is an important step forward, its effectiveness will depend heavily on the Data Protection Board and the speed at which grievance redressal mechanisms are set up and operationalized. Given that the DPDP Act is still in its early stages, challenges in training personnel, setting up complaint mechanisms, and developing compliance audits could hinder effective enforcement. The lack of clarity about cross-border data flows and jurisdictional enforcement is another challenge that may complicate RTBF requests from data principals located outside India.

While the Right to Be Forgotten under the DPDP Act, 2023 provides important privacy protections, effective enforcement and clear guidelines will be essential for making RTBF a balanced and workable solution in India’s evolving data protection landscape.

CONCLUSION

The Right to Be Forgotten (RTBF) under the DPDP Act, 2023 represents a crucial step in enhancing individual privacy rights in India, aligning with global privacy norms and providing individuals with greater control over their personal data. While the RTBF holds significant promise for protecting privacy, the analysis has highlighted several challenges in its practical implementation and enforcement. Issues such as the lack of specificity in the legal framework, the operational burden on DF, and the potential for misuse of the right have emerged as key concerns. Moreover, the scope of the RTBF under the Act is limited compared to international standards like the GDPR, particularly in its focus on digitised data and its broad exceptions for data retention.

Despite these challenges, the RTBF is an essential component of India’s growing data protection landscape, providing a balance between privacy rights and the needs of businesses, legal frameworks, and societal interests. The effectiveness of the RTBF will depend on clear regulatory guidance, robust grievance redressal mechanisms, and the ability of DF to adopt adequate measures for compliance. As the data protection regime matures, it will be crucial for policymakers to address the criticisms and ensure that the RTBF is not only enforceable but also aligned with broader human rights, innovation, and freedom of expression.

In conclusion, while the RTBF under the DPDP Act, 2023 is an important right for individuals, its successful implementation will require addressing its limitations, ensuring clarity in its application, and safeguarding against unintended consequences such as censorship or disruption to business and technological advancements. Through continuous improvements in legal provisions, enforcement mechanisms, and stakeholder cooperation, India can strengthen its data protection framework and ensure that the RTBF serves its intended purpose without infringing upon other fundamental rights.

Sreelekshmi I Nair

H. H. Maharajas Government Law College, Ernakulam