Data Protection Policy Can’t Be Neglected

by May 13, 2019 0 comments

India does not even have a data protection policy. This is something that our policy-makers need to look forward to instead of batting for the right to be forgotten

As a concept, the Right To Be Forgotten (RTBF) evolved in the 1990s in western Europe and subsequently developed as part of human rights jurisprudence. France became a pioneer of this issue when it recognised the “right to oblivion.” This right was available to all convicted individuals, who had served their prison sentences. Often, in cases like these, social stigma is attached to individuals even after they have served their punishments. In general, people had ready access to the criminal history of such cases and the actual commission of a crime would perpetuate stigma. As a result, individuals suffered regardless of the geographical location.

The RTBF is reflected in Article 17 of the General Data Protection Regulation (GDPR) of the European Union (EU). The EU Parliament took nearly four years of preparation and debate to approve the GDPR in 2016, which was finally enforced on May 25, 2018. The GDPR framework replaced an outdated Data Protection directive from 1995. It contains provisions that require businesses to protect their personal data as well as privacy of the EU citizens for transactions that occur within the member states of the EU. It also regulates the exportation of personal data outside its boundaries.

In the Indian context, RTBF is envisaged in the Justice BN Srikrishna Committee report (2018) on Data Protection Bill. The report held that the “rights of the citizens have to be protected, the responsibilities of the States have to be defined but data protection can’t come at the cost of trade and industry.” Thus, there is also a strong possibility of this right making its way into the Indian legislature. The rationale of the Supreme Court of India in the Puttaswamy judgement has upheld other fundamental rights securing individual liberty in the Constitution. In addition, individual dignity is one of the basis for right to privacy. Privacy itself was held to have a negative impact (the right to be let alone) and a positive one (the right to self-development).

The sphere of privacy includes the right to protect one’s identity. This right recognises the fact that all information about a person is fundamentally their own and he/she is free to communicate or retain it for himself/herself. This core of informational privacy is, thus, a right to autonomy and self-determination with respect to one’s personal data. Such a notion has also been echoed in the Srikrishna Committee report (2018) on data protection.

Further, it believes that a free and fair digital economy, one that empowers the citizens, can only grow on the foundation of individual autonomy, working towards maximising the common good. However, the report manifests an approach to balance free speech with RTBF. Many have pointed out that the Bill doesn’t lay down the golden principle of allowing individuals to be true owners of their own data. The report further includes a balancing test with five criteria for the judiciary to weigh the freedom of speech and expression with RTBF.

RTBF is sometimes referred to as the Right to Erasure (RTE). As it is commonly misunderstood, RTBF is not synonymous to the RTE. It is rather an extension of it. The underlying principle of RTE is that when there is no compelling reason for the subject’s data to be processed, he/she can request the data controller to erase/remove their personal data, stop any further distribution of their personal data or potentially prevent third parties from processing their personal data.

RTE was applied to only proprietary databases. For example, if one wishes to unsubscribe from a

magazine, he/she can ask the concerned firm to delete all information that they possess of him/her. RTE did not apply to search databases as RTBF does. Hence, RTBF is actually an extension of the RTE.

The debate around this has gained a lot of traction in India after the Supreme Court recognised Right to Privacy in its landmark case of Justice KS Puttaswamy (Retd) and Anr vs Union Of India and Others. The apex court held that right to privacy is part of the right to life and personal liberty as guaranteed under Article 21 of the Indian Constitution. A nine-judge Bench held that “life and personal liberty are inalienable rights. These are rights which are inseparable from a dignified human existence. The dignity of the individual, equality between human beings and the quest for liberty are the foundational pillars of the Indian Constitution…” The verdict has given impetus to demands for recognition for other fourth generation human rights in India, like the right to be forgotten and RTE.

The right to privacy guarantees liberty in private spaces, electronic or otherwise. This means that the information, which is not in the public domain, is protected from coming into the public domain. Right to be forgotten, on the other hand, involves information that is already in the public domain and is required to be delinked from the individual, who has claimed the right to be forgotten.

Further, the RTE operates in an even niche area, where an individual can target a specific database and claim a RTE against it for the removal of information which concerns them. But the fourth-generation communication rights, like the right to be forgotten, come with their own set of flaws.

First, one of the major problems is that the guarantee of the right vests with only a few individual corporations. Take the example of Google. As per Google’s Transparency report, it can remove only 41 per cent of the URLs against which some issue was raised. This means that the authoritative framework for implementing such a right now vests with a corporation and it is performing an adjudicatory function while deciding to accede to a request of removal. This is something which the Indian legal system does not envisage; wherein adjudicatory role is an essential state function.

Second, there is a concern that accused criminals can wipe out valuable evidence while their guilt is under adjudication. This can turn out to be an implementation nightmare for security agencies, especially those who are collaborating on international crimes and possibly terrorism.

Third, the sheer reach of the internet make a case for something, like the right to be forgotten absolutely impractical. If there is an adjudicatory order, for instance against Google, the information, which a claimant is seeking to protect, is not necessarily saved by such a request. This simply because Google is not the sole repository of that information. Details may be available through other search engines and may still be hosted as it is a primary website. Hence, it is highly problematic to put such a right in motion. Regardless to mention, it also involves significant expenditure to bring it into force.

Fourth, India does not even have a data protection policy. This is something that our policy-makers need to look forward to instead of batting for the right to be forgotten. Because in the absence of such a system, multinational corporations, which practically administer and govern the internet, are beyond the jurisdiction of the Indian law and courts. Hence, even a guarantee will be meaningless if the decisions of our courts are not respected/recognised.

(Raghav Pandey is an Assistant Professor of Law and Anoushka Mehta is a student of Law at the Maharashtra National Law University, Mumbai)

Writer: Raghav pandey/Anoushka mehta

Courtesy: The Pioneer

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

Your data will be safe!Your e-mail address will not be published. Also other data will not be shared with third person.