ABSTRACT
This article seeks to critically analyse the concept of the Right to Be Forgotten under India’s Digital Personal Data Protection Act, 2023. It further examines the relationship between the Right to be Forgotten and the Right to Privacy under Article 21, as established in the landmark judgment of K.S. Puttaswamy v. Union of India.
The article also presents a comparative analysis between the European Union’s General Data Protection Regulation and India’s DPDP Act, 2023, highlighting the evolution of the Right to be Forgotten and the Right to Erasure.
It further examines the challenges faced by regulatory authorities in the implementation of this right, as well as the limitations of the DPDP Act, 2023, in the digital age and its broader implications. The article emphasises that this right provides an opportunity for an acquitted individual to start a new and fresh life and ensures that their rights are not adversely affected due to past accusations.
Additionally, the article highlights major concerns faced during the implementation of this right, including lack of awareness, conflict between freedom of speech and public interest, and various technical and practical challenges.
Keywords: Right to be Forgotten, Right to Privacy, DPDP Act 2023, GDPR, Data Protection, Freedom of Speech, Digital Privacy.
INTRODUCTION
“The impact of the digital age results in information on the internet being permanent. Humans forget, but the internet does not forget and does not let humans forget.” — the Supreme Court of India in K.S. Puttaswamy v. Union of India.[1]
In today’s digital age, there has been a rapid increase in the collection and use of personal data. Every online activity—such as browsing websites, online shopping, or interacting on social media—contributes to the creation of a digital footprint. Over time, this results in a detailed and permanent record of an individual’s personal life. While these developments have made daily life more convenient and interactive, they have also raised serious concerns about protecting individual privacy and the extent of control a person has over their personal information.
Online data not only reflects a person’s private life but may also include sensitive information such as past allegations or criminal records. This can adversely affect an individual’s future, even after acquittal, as seen in Jorawar Singh Mundy v Union of India.[2]
This concern has led to the emergence of the Right to be Forgotten (RTBF), which allows individuals to request the removal or erasure of personal data that is no longer necessary or relevant. In simple terms, RTBF enables a person to move beyond past accusations and prevent the continued availability of information that violates their privacy or was published without consent. However, this right is not absolute and is subject to reasonable restrictions.
Although the Digital Personal Data Protection Act, 2023, reflects aspects of this right, it does not explicitly recognise RTBF as a standalone right. Instead, it represents a shift towards greater accountability of data fiduciaries in handling personal data. The Right to be Forgotten is derived from the broader Right to Privacy under Article 21, as established in K.S. Puttaswamy v. Union of India. The Supreme Court clarified that privacy is not absolute and must be balanced with competing interests such as freedom of speech, public interest, and legal obligations through the test of proportionality.
Evolution of RTBF: European Union
Law is constantly evolving, and the concept of the Right to be Forgotten has developed gradually over time. One of the earliest and most influential developments occurred with the case of Google Spain v AEPD and Mario Costeja González[3], where Mario Costeja González sought the removal of online information that harmed his reputation. This case marked a significant milestone, as the Court of Justice of the European Union recognised that individuals have the right to request the removal of links or content that is inaccurate, irrelevant, or no longer necessary.
However, the application of this right was later limited in Google LLC v CNIL[4], where the Court held that search engines are not required to apply the Right to be Forgotten globally, but only within the European Union. Similarly, in NT1 & NT2 v Google LLC[5], the court emphasised that the right must be balanced against public interest, particularly in cases involving public records.
The Right to be Forgotten is now formally recognised under Article 17 of the General Data Protection Regulation (GDPR), introduced in 2018. This provision allows individuals (data subjects) to request the erasure of their personal data without undue delay under certain conditions, such as withdrawal of consent, unlawful processing, or when the data is no longer necessary for its original purpose. It also applies where individuals object to processing and no overriding legal grounds exist.
Nevertheless, the right is not absolute. Article 17(3) provides exceptions, including cases involving freedom of expression, legal obligations, public interest, and use for scientific, historical, or legal purposes. This framework ensures a balance between individual privacy and other fundamental rights, preventing misuse of the right as a tool for censorship or distortion of historical records
JURISPRUDENCE OF RTBF IN INDIA
In the case of K.S. Puttaswamy v. Union of India, [6]the Supreme Court of India acknowledged the Right to Privacy as a fundamental right. The issue was related to the Aadhaar scheme, which is a government program that assigns residents a unique identity number based on their demographic and biometric information. The issue that arose was the possibility of illegal access to personal data.
In M.P. Sharma v. Satish Chandra and Kharak Singh v. State of Uttar Pradesh, the Court had either rejected or offered a narrow interpretation of privacy protections. In the Puttaswamy case, the Supreme Court overturned these previous judgments, concluding that privacy is guaranteed under Article 21 (Right to Life and Personal Liberty), as it is fundamental to life and liberty. It also held that privacy is related to the freedoms protected under Articles 14 (Right to Equality) and 19 (Freedom of Expression, Movement, etc.).
In Sri Vasunathan v Registrar General[7], the petitioner sought the removal of her daughter’s name, which was appearing on search engines due to her involvement in a case of marriage annulment published online. The Court ruled that, despite the lack of a specific statute addressing this issue, such relief could be granted in India, considering the growing importance of privacy rights and the recognition of the Right to be Forgotten in other jurisdictions, such as Europe.
The case of Dharmraj Bhanushankar Dave v State of Gujarat [8]gave a contrasting judgment in a similar situation, where a person who was not guilty of any crime petitioned to have his name removed from public domains. The Gujarat High Court adopted a more positivist approach, ruling that it could not find the publication to violate the petitioner’s fundamental rights in the absence of the required legislative support. As a result, it declined to enforce the petitioner’s Right to be Forgotten.
In Kancherla Durga Prasad v State of Karnataka[9], the Court concluded that, due to the social rejection experienced as a result of involvement in a prior divorce, the individuals concerned had the right to have their personal information removed from the internet. This ruling is likely to have a significant impact on future High Court decisions and may carry persuasive value in disputes involving the Right to be Forgotten or the broader Right to Privacy.
The petitioner in Jorawar Singh Mundy v Union of India [10]was an American citizen of Indian origin. In 2009, he faced allegations under the Narcotic Drugs and Psychotropic Substances Act, 1985, during his travel to India. However, in 2011, he was acquitted of all charges, and this acquittal was upheld in 2013. The petitioner argued that, upon returning to the United States, he faced discrimination due to the continued availability of the judgment online.
In the case of X v YouTube[11], The Delhi High Court granted protection to an actress who filed a suit against the republication of her obscene videos. The Court affirmed her Right to be forgotten.
Comparative Analysis of GDPR and DPDPA
The Right to be Forgotten (RTBF), also referred to as the Right to Erasure, finds clear and detailed recognition under Article 17 of the General Data Protection Regulation (GDPR). This allows a person to request the deletion or removal of their personal data without any further harm when certain conditions are satisfied, such as when the data is irrelevant or when consent has been withdrawn.
An important feature of the GDPR framework is the obligation placed on data controllers under Article 17(2).[12] Where personal data has been made public, the controller must take reasonable steps to inform other entities processing that data to erase any links, copies, or replications. This ensures that erasure is effective across the digital ecosystem rather than being limited to a single platform.
The GDPR also ensures that individuals can object to the processing of their data and request that it be erased from online sources. The data controller cannot refuse such a request unless there are legitimate grounds to justify continued processing. Special protection is extended to children’s data, particularly where such data has been collected in relation to information society services.
However, the Right to be Forgotten under the GDPR is not absolute. Article 17(3) [13]provides specific exceptions where the right does not apply. There are situations where data must be retained to comply with legal obligations or for tasks related to public interest. The right may also be restricted where data is required for archival, scientific, or statistical purposes, or for the establishment and defence of legal claims. This framework reflects a careful balance between individual privacy and competing societal interest.
In contrast, the Indian approach under the Digital Personal Data Protection Act, 2023 (DPDPA) adopts a comparatively narrower framework. While the Act does not include the term “Right to be Forgotten,” similar protections are embedded within the rights granted to data principals. Chapter III of the Act outlines these rights, including the right to access information about personal data being processed. Individuals can request details regarding the nature of the data, the purpose of processing, and the entities with whom such data has been shared.
Section 12 of the DPDPA provides the right to correction, completion, updating, and erasure of personal data. A data principal may request deletion when the data is no longer necessary for the purpose for which it was collected or when consent has been withdrawn. However, this right is subject to limitations, particularly where retention of data is required to comply with legal obligations or for legitimate purposes.
The major difference between the GDPR and the DPDPA lies in their scope and level of protection. The GDPR offers a wider and more structured framework, covering both automated and structured manual processing of personal data. It also emphasises timely compliance, ensuring that requests for erasure are addressed without unnecessary delay. In contrast, the Indian framework primarily focuses on digital personal data and does not place the same level of emphasis on strict timelines for compliance.
Moreover, the GDPR explicitly addresses unlawful processing as a ground for erasure, whereas the Indian law largely operates within a consent-based model. This results in a relatively limited scope for the Right to Erasure in India. Despite these differences, the DPDPA represents a significant step towards strengthening data protection in India, drawing conceptual inspiration from global standards while adapting to domestic legal and technological realities.
Challenges and Concerns
- There is no clear and precise language explaining the Right to be Forgotten (RTBF) under the DPDP Act that directly defines the concept. According to Section 12(3[14]), the data principal has the right to have personal data updated, corrected, completed, and erased, particularly where permission has been revoked or the objective has been achieved.
- No provisions are given that address the qualification of a person who can file an erasure request. Does it also apply to data that was made public prior to the law’s enactment? Is it possible to apply this to publicly available material like news reports or court documents? If these issues are not resolved, there might be uneven application, ambiguity in the law, and a possible restriction on the right to free speech.
- The Right to be Forgotten may conflict with the freedom of speech and expression protected under Article 19(1)(a) of the Indian Constitution. This is a major concern. This provision might undermine press freedom, restrict public access to historical documents, or impede judicial openness, particularly when public rulings include references to personal information. Demands to remove criminal records or court rulings, even when they are necessary for public good, are a prime example.
- Therefore, a balance between the Right to be Forgotten (RTBF) and freedom of speech and public interest is very important.
- The implementation of the Right to be Forgotten faces several technical limitations, especially in the digital ecosystem, where data is stored across multiple servers, including third-party backups and cloud systems, making complete deletion almost impossible. The rapid growth of artificial intelligence further complicates the issue, as sometimes there is no clear authority that can be held responsible.
- Additionally, compliance across cross-border data flows adds another layer of complexity, especially where foreign entities are not subject to Indian law.
- This is another major concern regarding the implementation of the Right to be Forgotten, as many people may not be aware of the procedures involved in submitting a request for data deletion. To address this, there should be proper awareness of individuals’ rights, and in case of violation of this right, the plaintiff can seek remedies in court.
- The DPDP Act specifies several permissible uses of personal information, including national security, journalism, and judicial procedures. However, these exceptions are imprecise and unclear, lacking specific guidelines on what constitutes public interest, what qualifies as necessary information, and in which cases consent applies. These issues create significant challenges.
Conclusion
An important turning point in India’s transition to a more organized and citizen-centric data governance approach is the Digital Personal Data Protection Act, 2023. However, the Act fails to clearly express the Right to be Forgotten but provides the rights to grant relief in narrow terms, unlike the period prior to the DPDP Act, 2023, where there was no remedy and no authority responsible to control digital access.
Now, a formal Right to be Forgotten would provide people the ability to truly exercise control over personal data that is out-of-date, unnecessary, or potentially harmful. The government might guarantee that petitions for erasure are fairly assessed and that everyone is granted relief from their past and allowed to move on to new opportunities.
The Right to be Forgotten would also demonstrate India’s adherence to international best practices, especially those outlined in the General Data Protection Regulation (GDPR) of the European Union, which has emerged as a global standard for digital rights laws. Legal harmonization becomes not only desirable but also essential for efficient enforcement and international collaboration as data moves across borders more frequently and global platforms operate under Indian jurisdiction.
However, there are still many challenges faced by the implementation of the DPDP Act, 2023 in India, such as lack of awareness, insufficient knowledge, imprecise language, conflict between freedom of speech and expression and the Right to be Forgotten, and issues relating to data that is essential for public interest and should be preserved.
Therefore, to ensure proper implementation of this right, strong institutional support and regulatory clarity are essential. The Data Protection Board of India must have adequate legal and technical expertise to handle complex cases. Public awareness and stakeholder participation, including civil society, businesses, and legal experts, will also play a key role.
Although the Digital Personal Data Protection Act, 2023 is a significant step, the absence of an explicit Right to be Forgotten remains a gap. Addressing this through judicial interpretation and legislative reform is necessary to ensure that individuals are not permanently burdened by their digital past.
[1] KS Puttuswamy v Union of India, (2015) 8 SCC 735.
[2] Jorawar Singh Mundy v Union of India (2021) SCC Online Del 2306
[3] Google Spain SL, Google Inc. v Agencia Española de Protección de Datos, Mario Costeja González C-131/12.
[4] Google LLC v. CNIL C-507/17.
[5] NT1 & NT2 vs Google LLC [2018] EWHC 799 (QB)
[6] . K.S. Puttaswamy v. Union of India (2017) 10 SCC 1
[7] 7Sri Vasunathan vs The Registrar General WP No.62038 of 2016.
[8] Dharmraj Bhanushankar Dave vs State of Gujarat SCA 1854/2015.
[9] Kancherla Durga Prasad vs State of Karnataka CRL.P. NO. 8912/2017
[10] Jorawar Singh Mundy v Union of India (2021) SCC Online Del 2306
[11] X v https://www.youtube.com/watch?v=iq6k5z3zys0, (2021) SCC OnLine Del 4193
[12] Article 17(2) of GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
[13] Article 17(3) of GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
[14] Digital Personal Data Protection Act, 2023, 12(3) (India).
