THE RIGHT TO BE FORGOTTEN: AN INTERNATIONAL PERSPECTIVE ON

A COMPLEX LEGAL LANDSCAPE

The way we perceive data and information today has exponentially evolved since the pre-World
Wide Web era. The expansive nature of Data and information, as we understand it today, is
exponentially different from how it was perceived before the advent of the World Wide Web.
The means of acquiring information, amassing knowledge and increasing awareness were all
subject to one hindrance which was that of Accessibility. The occurrence of an event and
receiving knowledge of it was separated by a considerable gap. As a direct consequence of this
gap, knowledge about events, people, politics and society was in a way, limited. While the
geography and the physicality still remains the same, humankind has mastered the art of creating
infinite and everlasting links, cutting across oceans and national boundaries, to reduce this gap.
With the remarkable achievements in science and technology and the dawn of the Internet, what
has been created is an intangible bridge, greatly facilitating accessibility to multifarious
resources and extensive information. Along with accessibility, another aspect that has become
attached with information and events in this age is that of Permanence, which is a double edged
sword.

Access to the history of the world, the history of individuals and contemporary events, anything
capable of being questioned, can to a very large extent be answered by data and information
available on the Internet. Such answers are easily accessible at the click of a button and are, at
the same time, Permanent, albeit subject to modifications in line with the occurrence of events
impacting them. The underlying issue that crops up however, is whether individuals want
pertinent details and questions about themselves to be showcased and answered via the internet
and for them to be available for the rest of time.

The concept of autonomy and control is stripped to a considerable degreesignificantly

compromised when such information about a person’s life is displayed for the world to see on
the internet. It brings to the forefront a blatant disregard for an Individual’s Right to Privacy and
the Right to Life and Liberty. One might, on the other hand, argue that it is in the interest of and
the right of the public to “know” and to be aware, and for media corporations or search engine
companies, to argue that they have the Right to Freedom of Speech and Expression exercised via
putting out relevant information for the masses to access.

Information about an individual accessible via the Internet has profound effects on nearly every
aspect of one’s life, ranging from societal implications to serious professional impacts. Thus,
maintaining one’s privacy and creating a code of conduct to control online behavior becomes
imperative, albeit, within the constraints of acceptable norms and keeping in mind the Right to
Freedom of Speech and Expression. Controlling or restricting such information ab initio may not
be feasible or fairIt may not be feasible or even fair, to control or restrict such information ab
initio, however, it can be done by bestowing a right upon individuals to retroactively erase that
which might be harmful or irrelevant, which is where the Right to be Forgotten or the Right of
Erasure gains prominence.
The dialogue on the Right to be Forgotten is one that has its origins stemming from the wider
contextual understanding and recognition of the Right to Privacy. Privacy as a concept
encompasses many different areas of law including data protection. While the Right to Privacy
forms an inextricable part of Rights guaranteed to individuals under legislative frameworks
across the world. The Right to be Forgotten, or predominantly also known as the Right of
Erasure as a facet of the Right to Privacy is quickly emerging as a relevant and recognised right
under various jurisdictions prompted particularly by the European Union jurisprudence.

However, there also exist countries that give no statutory recognition to the Right to be Forgotten
and the Judicial decisions in such jurisdictions have also consistently struck down averments
wherein the Right to be Forgotten has been asserted. Eventually, it comes down to whether
Jurisprudence and legislation in a particular country lean more towards upholding and protecting
the Right to Privacy or the Right to Freedom of Speech and Expression and if protection in equal
measure is meted out to both these essential Rights, then how the countries propose to reconcile
the two.

The applications and implications of the Right to be Fforgotten are still in the process of being
formulated and understood. It is imperative at this juncture to take a look at various legislative
and judicial progressions in this regard.

THE EUROPEAN UNION

STATUTORY RECOGNITION

As more nations become aware of how contemporary technology might erode our privacy, they
have been resolute and quick to pass Data Protection Regulations. The European Union General
Data Protection Regulation (“GDPR”) was a breakthrough in data privacy and is considered the
gold standard among Data Protection Regulations.

The GDPR, inter alia, provides for the Right to be Forgotten or The Right of Erasure under
Article 17 which provides:

Article 17. Right to Erasure (‘Right to be Forgotten’).–

1. The data subject shall have the right to obtain from the controller the erasure of personal data
concerning him or her without undue delay and the controller shall have the obligation to erase
personal data without undue delay where one of the following grounds applies:
(a) the personal data are no longer necessary in relation to the purposes for which they were
collected or otherwise processed;
(b) the data subject withdraws consent on which the processing is based according to point
(a) of Article 6(1), or point (a) of Article 9(2), and where there is no other legal ground
for the processing;
(c) the data subject objects to the processing pursuant to Article 21(1) and there are no
overriding legitimate grounds for the processing, or the data subject objects to the
processing pursuant to Article 21(2);
(d) the personal data have been unlawfully processed;
 (e) the personal data have to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject;
(f) the personal data have been collected in relation to the offer of information society
services referred to in Article 8(1).
2. Where the controller has made the personal data public and is obliged pursuant to paragraph 1
to erase the personal data, the controller, taking account of available technology and the cost of
implementation, shall take reasonable steps, including technical measures, to inform controllers
which are processing the personal data that the data subject has requested the erasure by such
controllers of any links to, or copy or replication of, those personal data.

3. Paragraphs 1 and 2 shall not apply to the extent that processing is necessary:
(a) for exercising the right of freedom of expression and information;
(b) for compliance with a legal obligation which requires processing by Union or Member
State law to which the controller is subject or for the performance of a task carried out in
the public interest or in the exercise of official authority vested in the controller;
(c) for reasons of public interest in the area of public health in accordance with points (h) and
(i) of Article 9(2) as well as Article 9(3);
(d) for archiving purposes in the public interest, scientific or historical research purposes or
statistical purposes in accordance with Article 89(1) in so far as the right referred to in
paragraph 1 is likely to render impossible or seriously impair the achievement of the
objectives of that processing; or
(e) for the establishment, exercise or defence of legal claims.

The precursor to the General Data Protection Regulation (GDPR) was the EU Data Protection
Directive 95/46/EC1 (“DPD 95/46”), which was adopted in 1995 for the protection of individuals
with regard to the processing of personal data and on the free movement of such data. The
ideation of the Right to be Forgotten emerged primarily in Europe with this Directive,“as a right
to rectify, erase or block data” when it is “incomplete or inaccurate”, as expressed by Article
12(b)2 of DPD 95/46.

JUDICIAL DISCOURSE

➔ GOOGLE SPAIN v. AEPD AND MARIO COSTEJA GONZÁLEZ3

(“GOOGLE SPAIN CASE”)

The judicial genesis of the Right to be Forgotten can be traced back to the 2014 ruling by the
Court of Justice of the European Union (“CJEU”) in the Google Spain Case. The basis of the
ruling emanates from and further details the protection arising from the existing Rright to
Eerasure under DPD 95/46. The fundamental principle of the Right to be Forgotten is
encapsulated by Mr González’s case against Google Spain and Google Inc., to take the required
steps to remove his personal data from their indices and to bar future access to such data. The
1
Council Directive 95/46/EC, 1995 O.J. (L 281), 31 (EC)
2
Article 12. Right of access.-
Member States shall guarantee every data subject the right to obtain from the controller:
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the
provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
3
Google Spain v. AEPD, 2014 ECLI : EU : C : 2014 : 317.
Google Spain ruling essentially talks about the Right to de-list which allows users to request
that search engines remove web addresses from results when a search is done using their names.

The relevant observations made by the CJEU in the Google Spain case may be summarized as
follows:

Enforcing the Directive

The CJEU in the Google Spain case said that if it were found, following a request by the data
subject (Mr González in this case) pursuant to Article 12(b) of DPD 95/46, that the inclusion in
the list of results displayed following a search made on the basis of his name of the links to web
pages published lawfully by third parties and containing true information relating to him
personally was, at that point in time, incompatible with Article 6(1)(c)-(e) of DPD 95/46 4
because that information appeared, having regard to all the circumstances of the case, to be
inadequate, irrelevant or no longer relevant, or excessive in relation to the purposes of the
processing at issue carried out by the operator of the search engine, the information and links
concerned in the list of results would have to be erased.

Striking a Fair Balance

The CJEU came to the conclusion that individuals did have a qualified Right to be Forgotten and
emphasized that this must be balanced with the Rights of Freedom of Expression and of the
media. The CJEU opined that a data subject may, in accordance with the Fundamental Rights
guaranteed under Articles 75 and 86 of the Charter of Fundamental Rights of the European
Union (the “Charter”), ask search engines to delist certain URLs from search results when
searches are conducted using their name. It clarified that these rights override, as a rule, not only
the economic interest of the operator of the search engine but also the interest of the general
public in having access to that information upon a search relating to the data subject’s name.
However, that would not be the case if it appeared, for particular reasons, such as the role played
by the data subject in public life, that the interference with his fundamental rights is justified by
the preponderant interest of the general public in having, on account of its inclusion in the list of
results, access to the information in question.

Limited impact of de-listing on the access to Information

In practice, the impact of the delisting on individuals’ Rights to Freedom of Expression and
Access to Information will prove to be limited. When assessing the relevant circumstances, the

4
Article 6.(1) Member States shall provide that personal data must be.-
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further
processed;
(d) accurate and, where necessary, kept up to date ; every reasonable step must be taken to ensure that data which
are inaccurate or incomplete , having regard to the purposes for which they were collected or for which they are
further processed , are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for
which the data were collected or for which they are further processed . Member States shall lay down appropriate
safeguards for personal data stored for longer periods for historical, statistical or scientific use.
5
Article 7: Respect for private and family life.
6
Article 8: Protection of personal data.-
Data should be processed fairly and for specified purposes and on the basis of consent or some other lawful basis.
 interest of the public in having access to the information is taken into account. If the interest of
the public overrides the rights of the data subject, de-listing will not be appropriate.

No information is deleted from the original source

The judgment states that the right only affects the results obtained from searches made on the
basis of a person’s name and does not require deletion of the link from the indexes of the search
engine altogether. That is, the original information will still be accessible using other search
terms, or by direct access to the publisher’s original source.

➔ GC and OTHERS7 and GOOGLE v. CNIL8

On 24 September 2019, the CJEU issued two judgments further delineating the scope of the
Right to be Forgotten in the context of Search Engines and De-listing/De-referencing. Both
judgments complement the CJEU’s prior ruling in the Google Spain Case.

GC and OTHERS
In the case of GC and Others, the CJEU provides further guidance on the relationship between
the Right to be Forgotten and the Freedom of Information and makes the following relevant
observations:

Reconciling Articles 7&8 of the Charter with Article 11

The provisions of DPD 95/46 must be interpreted as meaning that, where the operator of a search
engine has received a request for de-referencing, the operator must take into account the
seriousness of the interference with the data subject’s fundamental rights enshrined under
Articles 7 and 8 of the Charter and ascertain whether the inclusion of that link in the list of
results displayed following a search on the basis of the data subject’s name is strictly necessary
for protecting the freedom of information of internet users potentially interested in accessing that
web page by means of such a search, protected by Article 119 of the Charter.

Relevance of the Current Situation

Also that the provisions of DPD 95/46 must be interpreted as meaning that the operator of a
search engine is required to accede to a request for de-referencing where the information relates
to an earlier stage of the legal proceedings in question and, having regard to the progress of the
proceedings, no longer corresponds to the current situation, in so far as it is established upon
following due procedure that the data subject’s fundamental rights override the rights of
potentially interested internet users protected by Article 11 of the Charter.

Obiter Dictum
When answering a preliminary question regarding the de-referencing of data relating to a
criminal procedure, the Court made a very interesting obiter dictum. It stated that in any event,
i.e. even if a request for de-referencing is not granted, the search engine operator is required to

7
GC and Others (C-136/17) ECLI:EU:C:2019:773
8
Google v CNIL (C-507/17) ECLI:EU:C:2019:772
9
Article 11 Freedom of expression and information. 1. Everyone has the right to freedom of expression. This
right shall include freedom to hold opinions and to receive and impart information and ideas without interference by
public authority and regardless of frontiers. 2. The freedom and pluralism of the media shall be respected.
 adjust the list of results in a way that the overall picture it gives internet users reflects the
current legal position. Practically, this means that links to webpages containing information on
the current position must appear in the first place on the list. The search engine operator is
obliged to comply with this rule in any event and at the latest on the occasion of the request for
de-referencing.

GOOGLE v. CNIL
The judgment in Google v CNIL delineates the Territorial Scope of the Right to be Forgotten
with the CJEU noting that numerous third states do not recognise a Right to be Forgotten, and
that it is in no way apparent from the wording of the GDPR that the EU legislature wanted to
confer the Right to be Forgotten a scope going beyond EU borders, the CJEU came to the
conclusion that currently, there is no obligation under EU law to carry out de-referencing on all
language versions of a search engine. The CJEU opted for EU-wide de-referencing. In addition
to EU-wide de-referencing, the search engine operator has to adopt, if necessary, sufficiently
effective measures capable of preventing or, at the very least, seriously discouraging internet
users in the Member States from gaining access to the links in question.

➔ TU, RE v. GOOGLE LLC10

In dealing with cases of purportedly inaccurate information being listed by search engines, the
recent decision of the CJEU in the case of TU, RE vs Google LLC lends credibility.
In this judgment the CJEU, in light of the GDPR, remarked that Search engine operators such as
Google are required to de-reference the respective information, if a person who seeks de-
referencing submits “relevant and sufficient” evidence capable of substantiating his or her
request, and thereby manifests the inaccuracy of the information found.
However, it leaves open the question of how a data subject might demonstrate the ‘manifest
inaccuracy’ of the information in the links.
Furthermore, this judgment is no different from the others in terms of referring to the appropriate
balance that should be exercised exercise required and adds that where, the information is likely
to contribute to a debate of public interest; , it is appropriate in light of all the circumstances of
the case and , to place particular importance emphasise on the Right to Freedom of Expression
and of Information.

KEY TAKEAWAYS:
[1.] The trajectory of recognition of the Right to be Forgotten follows, first, from the DPD 95/46,
then the Google Spain judgment and finally culminates into comprehensive codification via the
GDPR. The Right to be Forgotten or Right of Erasure is now governed by various provisions
under the GDPR that extensively enumerate the procedures to be followed for de-referencing, the
grounds for its approval, while also providing exceptions in certain cases where de-referencing
may be refused keeping key considerations of society, public interest and Freedom of Speech in
mind.
1.[2.] The Balancing of Rights is of utmost importance and has been reiterated time and again in
terms of determining the question of de-referencing.
2.[3.] The territorial limits of de-referencing have been limited to EU-wide de-referencing. While the
Court has tried to grant, in line with the principle of proportionality, the highest possible level of
10
TU, RE v Google LLC [2023] 1 WLR 1103
 protection of the Right to Data Protection, the resultant approach in terms of the territoriality
principle, is a pragmatic one committed at respecting the named interests of other states, thereby
avoiding any international tensions.

THE UNITED KINGDOM

The United Kingdom is presently regulated by the Data Protection Act 2018 which incorporates
the European Union GDPR. However, after the exit of the UK from the EU in March, 2019, the
UK Government has transposed the General Data Protection Regulation (Regulation (EU)
2016/679) into UK National law, thereby creating the UK GDPR.

➔ NT1 & NT2 v. GOOGLE LLC11

The England and Wales High Court gave its first decision on the Right to be Forgotten in the
case of NT1 & NT2 v. Google LLC.
A number of relevant observations were made in light of the Google Spain Case, particularly
with reference to the balancing exercise. A crux of the judgment encompasses the following
relevant pointers:

Spent Conviction vis-a-vis Freedom of Information

In this case, in consonance with the Rehabilitation of Offenders Act 1947 12 (“The 1947 Act”),
the court observed that as a matter of principle, the fact that the conviction is spent will normally
be a weighty factor against the further use or disclosure of information about those matters. But
the specific rights asserted by the individual concerned for de-indexing will still need to be
evaluated, and weighed against any competing free speech or freedom of information
considerations, or other relevant factors, that may arise in the particular case.

Rights to Respect for Private and Family life- Article 8 of The European Convention on
Human Rights 195113
If the use or disclosure causes, or is likely to cause, serious or substantial interference with
private or family life that will tend to add weight to the case for applying the general rule of
being “forgotten” as expressed in Section 4 of the 1974 Act.

Value of Freedom of Expression vis-a-vis Facts of the Case

Another aspect of the proportionality assessment will be the nature and quality of the societal
benefits to be gained in the individual case by the use or disclosure in question. Freedom of
expression has an inherent value, but it also has instrumental benefits which may be weak or
strong according to the facts of the case.
11
NT1 & NT2 v Google LLC : [2018] EWHC 799 (QB)
12
The Rehabilitation of Offenders Act 1974 provides by Sections 1, 4 and 5 that some convictions become “spent”
after the end of a specified rehabilitation period.
13
Article 8. Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance
with the law and is necessary in a democratic society in the interests of national security, public safety or the
economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or
for the protection of the rights and freedoms of others.
Approach to Decide
The balancing process in any individual delisting case is ordinarily, as a matter of principle, to be
entered into with the scales in equal balance as between delisting on the one hand and continued
processing on the other. Accordingly, with appropriate adaptation, the court determined that the
In re S (A Child)14 approach must be followed: neither privacy nor freedom of expression “has
as such precedence over the other”; the conflict is to be resolved by an “intense focus on the
comparative importance of the specific rights being claimed in the individual case”.

GERMANY

The German Federal Constitutional CourtThe German Federal Constitutional Court often focuses
on balancing privacy rights with other fundamental rights. The court (Bundesverfassungsgericht
- “BVerfG”) issued two landmark decisions in the case of (Bundesverfassungsgericht -
“BVerfG”) in parallel proceedings regarding the Right to be Forgotten on November 6, 2019.

In the first case15, the plaintiff, having completed his sentence for murder demanded that any
online records about his crime be removed or anonymized, claiming that their accessibility
would jeopardize his capacity to reintegrate into society.
While the right to privacy was not alluded to in this judgment, the issue at stake in this case was
actually the reconciliation of the freedom of the press and media with more general “personality
rights” under German Law.
The court held that since these rights are not fully harmonized by EU law, the fundamental rights
guaranteed by the German Basic Law (Grundgesetz) applied.
The plaintiff prevailed and the BVerfG determined three criteria to be considered for the
balancing test:
1. The lawfulness of the initial publication;
2. The extent to which the time passed since the initial, lawful publication is a decisive factor in
determining the need for protection and
3. The level of protection granted in every case should correspond to the changing relevance of
information over time.

In the second case16, according to the Court, the balancing exercise must take into account the
Fundamental Right to Private and Family Life as well as the Fundamental Fight to the Protection
of Personal Data on the one hand and the Freedom to Conduct a Business on the other hand. In a
rather remarkable move, the court ruled that it is qualified to hear constitutional challenges from
German citizens based on fundamental rights protected by the European Union’s Charter of
Fundamental Rights.
The BVerfG confirmed that the right at issue was the Right to Privacy and followed the basic
guidelines set down in the Google Spain ruling.
The BVerfG also concurred with the CJEU that Google cannot in certain circumstances rely on
its Right to Freedom of the Press and Media.
14
In re S (A Child) [2004] UKHL 47 [2005] 1 AC 593
15
BVerfG - 1 BvR 16/13
16
BVerfG - 1 BvR 276/17
However, Google ultimately won, and the BVerfG did not require the removal of the problematic
links—a move that could appear to be at odds with the CJEU’s ruling in Google Spain, but as the
BVerfG noted, this outcome was attributable to the fact that the circumstances of this case were
very different from those in Google Spain, therefore the outcome of the parties’ interests had to
be different as well.

Another important case law which is not directly about the right to be forgotten, deals with data
protection and privacy principles, which are fundamental to the GDPR and, consequently, to the
Right to be Forgotten and it derives it reference from the BVerfG case is the
Wirtschaftsakademie Case17. In this, the CJEU decided that Wirtschaftsakademie, the owner of a
Facebook page, processed the personal data of page visitors jointly with Facebook. The
administrator helped determine the goals and methods of data processing by using Facebook's
services and setting settings for data collecting. Under Directive 95/46/EC, the Court ruled
Wirtschaftsakademie liable, highlighting the wide meaning of “controller”. Joint accountability
was formed by elements like setting up and managing the fan page, influencing data tools, and
focusing on certain demographics. The ruling guaranteed stronger protection for visitors’ rights
by acknowledging page administrators as controllers. The Court established a two-pronged
standard to determine whether data processing complies with national law. It confirmed the
autonomy of a supervisory body to judge the legality of data processing without interference
from another body.

Test laid down in the judgement:

 The controller’s establishment must take place on the member state of the supervisory
authority's jurisdiction.
 Data processing needs to be done “in the context of activities” of the relevant
establishment.

Key Takeaway from the case:

The verdict offers a conflicting conclusion. Determining the boundaries between the protection
of personal data and free expression has never been easy. Ensuring that data privacy does not
undermine the fundamental values of free expression is crucial. Strictly speaking, it is best to
avoid using data protection rules as weapons to support speech in situations where personal data
is involved. Despite the well-developed global attempts to strike a balance between these
fundamental rights, this decision represents a commendable advancement in the body of current
jurisprudence. The ruling upholds the restrictions of privacy laws and non-consensual data
processing while also bolstering the power of supervisory agencies to step in and safeguard free
speech. It remains to be seen if the balance between two basic rights is met not just in laws but
also in reality as the process of implementing laws like GDPR plays out.

THE UNITED STATES OF AMERICA

Consideration of the Right to be Forgotten can be seen in some US Case Laws, specifically in
Melvin v. Reid, Sidis v. FR Publishing Corp, and more recently in Garcia v. Google.

17
Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein (ULD) v. Wirtschaftsakademie Schleswig-
Holstein GmbH, C-210/16
Melvin v. Reid (1931)18 involved an ex-prostitute who was accused of murder and later cleared
of the charges. After her acquittal, she attempted to lead a peaceful and anonymous life.
However, her past was exposed in the 1925 film, The Red Kimono, and she sued the film’s
producer, ultimately winning the case. The court reasoned that any person living a life of
rectitude has that right to happiness which includes a freedom from unnecessary attacks on his
character, social standing or reputation.
Similarly, the 1971 case of Briscoe v. Reader S Digest Association, Inc.19 demonstrates that
American courts have been considering the recognition of a right to be forgotten for some time,
since their reasoning has emphasised the significance of forgiveness in a person's recovery. Even
though the First Amendment's protection of free speech was upheld in both cases, the reasoning
employed by both judges is still relevant in the larger discussion. Presently, however, US courts
continue to dismiss privacy arguments unless certain extraordinary circumstances arise that
would support an exemption in the event of problems worthy of public attention.

The case of Sidis v. FR Publishing Corp. (1940) 20 involved William James Sidis, a former child
prodigy who desired a private life as an adult. However, an article in The New Yorker disrupted
his wishes. The Court ruled that there are limitations to the right to control one’s life and
information about oneself. Additionally, the Court recognized that there is value in publishing
factual information, and individuals cannot ignore their celebrity status merely because they
desire privacy.

In the case of Garcia v. Google (2014)21, the circumstances were such that the two lines that
actress Cindy Lee Garcia shot for, were applied in a different film and context by the director.
In furtherance of the same, she sued Google for invasion of privacy, intentional infliction of
emotional distress, copyright infringement, and other causes of action.
The Ninth U.S. Circuit Court of Appeals affirmed the dismissal of her lawsuit stating that
essentially Garcia would like to have her connection to the film forgotten and stripped from
YouTube, and that such a “Right to be Forgotten,” although recently affirmed by the CJEU, is
not recognized in the United States.

The Right to be Forgotten, though statutorily recognised and judicially upheld in the EU, is
primarily seen as a restriction on Free Speech and Expression in the USA. The bedrock of
freedom of speech and expression is the “Right to Know.” Only when a person has clear access
to information can they effectively exercise their Right to Freedom of Speech and Expression.
As a result, online censorship manifests itself as a probable result if search engines are
compelled to remove links to valid content that is already in the public domain. In the US, the
Right to Free Speech is one of the most revered rights and anything that could be used to
suppress speech is discouraged. tThe practical implementation of the Right to be Forgotten
would amount to censorship thereby being in direct conflict with the First Amendment rights in
the United States.

18
Melvin v. Reid, 112 Cal.App. 285, 297 P. 91 (1931)
19

20
Sidis v F-R Publishing Corporation 311 U.S. 711 61 S. Ct. 393 85 L. Ed. 462 1940 U.S.
21
Garcia v. Google, Inc., 771 F.3d 647 (9th Cir. 2014) (en banc)
Talking of the First Amendment rights in the USA, the jurisprudence settled by the courts can be
seen in the cases of Florida Star v. B.J.F, First National Bank of Boston v. Bellotti, Smith v.
Daily Mail Publishing Co., Oklahoma Pub. Co. v. Distr. Court, Bartnicki v. Vopper and Langdon
v. Google.

The U.S. Supreme Court held in The Florida Star v. BJF (1989)22 that there is a zone of
personal privacy where the government can protect citizens from press intrusion and that honest
publication is not always guaranteed by the constitution. The ruling made clear that publishing
true material that was obtained legally can only result in punishment if it is specifically targeted
to serve a very important state goal. Although a newspaper was publishing police records in this
case, its concepts are seen to apply to case law in the United States. According to the judgement,
search engines that display content that discloses lawfully obtained, factual facts about a person
may be shielded from legal prosecution provided the information is accurate.

The U.S. Supreme Court interpreted the First Amendment in relation to the right to be forgotten
before the notion gained traction in the 1978 decision of First National Bank of Boston v.
Bellotti23. The Court argued that the First Amendment forbids the government from limiting the
public's access to information while simultaneously safeguarding the press and individual right
to self-expression. According to the literal view, any rule that restricts access to information
would be against the basic right to free expression. This decision highlights the First
Amendment's broad protections and suggests opposition to legislation that would restrict people's
access to a variety of information.

In the United States, Smith v. Daily Mail Publishing Co. asserted, the First Amendment of the
U.S. Constitution guarantees people's freedom to publish information on matters of public
interest that they legally acquire, even in the face of significant interests relating to the private
lives of those involved. Therefore, a right to de-reference publicly available information on data
protection grounds would be unconstitutional.24 This justification also applies in cases where
there is a strong public interest in keeping the information secret, such as when it concerns legal
proceedings, is relevant to ongoing legal proceedings,25 or even occurs when the information's
publisher is aware that the information's source obtained it unlawfully.26 The freedom to get
information is thus protected by the First Amendment, and this includes using search engines.27

However, retaining privacy on the internet under the notion of Right to be Forgotten is gaining
ground. Right to be Forgotten known as the Right to Erasure in the U.S., is now recognised
under a recently enacted legislation in California i.e the The California Consumer Privacy Act
of 2018 (“CCPA”)28 which gives consumers more control over the personal information that
businesses collect about them. This landmark law secures new privacy rights for California
consumers, including:
22
Florida Star v. B.J.F., 491 U.S. 524 (1989)
23
First National Bank of Boston v. Bellotti, 435 U.S. 765 (1978)
24
Smith v. Daily Mail Publishing Co., 443 U.S. 97 (1979)
25
Oklahoma Pub. Co. v. Distr. Court, 430 U.S. 308 (1977)
26
Bartnicki v. Vopper, 532 U.S. 514 (2001)
27
Langdon v. Google, 474 F. Supp. 2d 622 (D. Del. 2007)
28
https://oag.ca.gov/privacy/ccpa
1. The right to know about the personal information a business collects about them and how it is
used and shared;
2. The right to delete personal information collected from them (with some exceptions);

In November of 2020, California voters approved Proposition 24, the CPRA, which amended the
CCPA and added new additional privacy protections that began on January 1, 2023. As of
January 1, 2023, consumers have new rights in addition to those above, such as:
1. The right to correct inaccurate personal information that a business has about them; and
2. The right to limit the use and disclosure of sensitive personal information collected about
them.

It remains to be seen how this may play out since the First Amendment Rights occupy
considerable weight and dominance in the United States.

SOUTH KOREA

The main law and regulations related to Data protection are the Personal Information
Protection Act 2011 (as amended in 2020) (“PIPA”) and its implementing regulations, which
regulate the collection, usage, disclosure, and other processing of personal information by
governmental or private entities as well as individuals.

It is pertinent to mention that PIPA provides for legislation for Rectification or Erasure of
Personal Information as can be discerned from Articles 36 and Article 39-7 [Newly Inserted by
Act No. 16930, Feb. 4, 2020]29

The relevant provisions from PIPA have been enumerated below:

Article 36. Rectification or Erasure of Personal Information.-

(1) A data subject who has accessed his or her personal information pursuant to Article 35 may
request a correction or erasure of such personal information from the relevant personal
information controller30: Provided, That the erasure is not permitted where the said personal
information shall be collected by other statutes.
(2) Upon receipt of a request by a data subject pursuant to paragraph (1), the personal
information controller shall investigate the personal information in question without delay; shall
take necessary measures to correct or erase as requested by the data subject unless otherwise
specifically provided by other statutes in relation to correction or erasure; and shall notify such
data subject of the result.
(3) The personal information controller shall take measures not to recover or revive the personal
information in case of erasure pursuant to paragraph (2).
(4) Where the request of a data subject falls under the proviso to paragraph (1), a personal
information controller shall notify the data subject of the details thereof without delay.

29
https://www.dataguidance.com/sites/default/files/personal_information_protection_act.pdf
30
Article 2(5).The term “personal information controller” means a public institution, legal person, organization,
individual, etc. that processes personal information directly or indirectly to operate the personal information files as
part of its activities;
(5) While investigating the personal information in question pursuant to paragraph (2), the
personal information controller may, if necessary, request from the relevant data subject the
evidence necessary to confirm a correction or erasure of the personal information.
(6) Necessary matters in relation to the request of correction and erasure, notification method and
procedure, etc. pursuant to paragraphs (1), (2) and (4) shall be prescribed by Presidential Decree.

Article 39-7. Special Cases on Users’ Rights.-

(1) Users may withdraw consent to the collection, use and provision of personal information at
any time from information and communications service provider, etc.
(2) Information and communications service providers, etc. must make it easier for users to
request to withdraw their consent under paragrahparagraph (1), to access their information under
Article 35, and to rectify under Article 36 than to give consent to the collection of their personal
information.
(3) Once a user withdraws his or her consent pursuant to paragraph (1), the information and
communications service provider, etc. shall take necessary measures without delay such as
destroying the information to such an extent that it is not recoverable or revivable.

South Korea was one of the first countries to debate the Right to be Forgotten in the aftermath of
the Google Spain ruling in the EU. On April 29, 2016, the Korea Communications Commission
(“KCC”) issued the Guidelines on the Right to Request Access Restrictions on Personal Internet
Postings. With the Guidelines, individuals can request web operators or service providers to
restrict the public from accessing his/her postings that he/she has personally uploaded in the
past, and to ultimately remove this online information that the individuals cannot delete by
themselves.

As the relevant Rectification and Erasure provisions find mention in PIPA, and the dialogue
around Right to be Forgotten/Right of Erasure has found significant takers within South Korea, it
will be interesting to note the trajectory that the judiciary adopts moving forward with respect to
the same.

BRAZIL

The Brazilian Supreme Court of Justice (“STJ”) has construed the Right to be Forgotten to be
adjusted and understood against Article 5.X of the Brazilian Constitution.31

STJ’s interpretation of the Right to be Forgotten is based on the protection of privacy, honor, and
image whereas CJEU bases it upon the Fundamental Right to Data Protection and Privacy which
are recognised as a Separate Fundamental Rights in the EU.

An illustration is provided via the judgment of the Brazilian Federal Supreme Court (“STF”)
delivered in February 2021, in the Aida Curi Case32 wherein it was held:
31
CONSTITUIÇÃO FEDERAL [C.F.] [Constitution] Art. 5 (Braz.). All persons are equal before the law,
without any distinction whatsoever. Brazilians and foreigners residing in the country being ensured of inviolability
of the right to life, to liberty, to equality, to security and to property, on the following terms:
X - the privacy, private life, honour and image of persons are inviolable, and the right to compensation for property
or moral damages resulting from their violation is ensured.
32
RJ, Crim. No. 2012/0144910-7, Relator : Jorgi Mussi, 10.10.2013, Diario Da Justicia [DJ], 04.06.2021, (Braz.)
 “The idea of a right to be forgotten is incompatible with the Constitution, thus understood as the
power to prevent, due to the passage of time, the disclosure of facts or data that are true and
lawfully obtained and published in analogue or digital media...[A]ny excesses or abuses in the
exercise of freedom of expression and information must be analysed on a case-by-case basis,
based on constitutional parameters—especially those relating to the protection of honor, image,
privacy and personality in general…”

This leads to the understanding that the STF based the incompatibility of the Right to be
Forgotten with the Federal Constitution on the peculiarity of the Brazilian concept of the Right
to be Forgotten. The Right to be Forgotten may well be exercised and allowed on a case-to-case
basis, being tested along constitutional and other legal provisions.

INDIA

The extensive interconnectedness facilitated by modern technology has had profound

sociological impacts culminating in individuals developing more holistic and progressive
perspectives, the Indian Judiciary has also, with time, understood that the dDimensions of the
Rright to Pprivacy are much larger and has moved away from an anti-privacy stance as reflected
in the early judgments of Kharak Singh vs State of UP33 and M.P Sharma vs Satish Chandra34.
MP Sharma dealt with the Rright against Sself-incrimination and while it did mention the right to
privacy in passing, it did not hold that privacy is a fundamental right and declared it was not. On
the other hand, the ruling in Kharak Singh maintained that a person's Right to Privacy was
unconstitutional and that any intrusion into their house was a breach of their liberty.Whereas, in
Kharak Singh it was held that any intrusion into a person’s home is a violation of liberty but
went on to say that there was no right to privacy contained in our Constitution.

There is no formal legislation in India yet that encompasses the Right to be Forgotten. However,
the judicial precedent leads towards acceptance of such a rRight as a subset of the Right to
Privacy.

➔ JUSTICE K.S. PUTTASWAMY v. UNION OF INDIA35

Having been subjected to a “case-by-case analysis” over the years, the Right to Privacy received
significant judicial attention, and the ambit and scope of Article 21 of the Constitution of India
was constantly receiving wider interpretations. To put all overarching discussions to rest, a
resounding victory for Privacy came on 24th August 2017, wherein a nine-judge bench of the
Hon’ble Supreme Court of India, in the case of Justice K.S. Puttaswamy v. Union of India,
unanimously ruled that the Right to Privacy is a Fundamental Right under Article 21 of the
Constitution of India as a part of freedoms guaranteed under Part III of the Constitution of India.
It is pertinent to mention that the Court opined that the informational privacy though not an
absolute right, is an aspect of the right to privacy. The right of an individual to exercise control
over his data and to be able to control his/her existence on the internet, and unauthorized use of
such information may, therefore, lead to violation of this right.
33
AIR 1963 SC 1295
34
AIR 1954 SC 300
35
(2017) 10 SCC 1
 This observation has a resounding impact on contemporary litigation in respect of the Right to be
Forgotten as it inadvertently recognises such a right as an aspect of Right to Privacy.
Understanding the Right to be Fforgotten in congruence with Informational Privacy could thus
imply that personal information that no longer serves the original purpose for which it was
intended must be expunged from public records. As a result, when it is not pertinent, an
individual can exercise control over his data and call for publicly accessible material to be
removed from databases, web searches, and other public platforms.

DHARAMRAJ BHANUSHANKAR DAVE v. STATE OF GUJARAT AND Ors.36

The "right to be forgotten" was discussed by the Gujarat High Court in 2015 for the first time in
an Indian court. Previously found not guilty of any crimes, the petitioner requested a permanent
injunction against the judgment's public display. The petitioner's identity was on copies that were
available on Google and legal portals even though they were marked as "non-reportable."
Judgement accessible under Gujarat High Court Rules, the High Court's function as a Court of
Record, and the petitioner's inability to establish a legal breach were among the reasons given by
the court, presided over by Justice R. M. Chhaya, for dismissing the case. Nothing about the
"right to be forgotten" was acknowledged by the court.

A contrary view about the Right to be Forgotten was taken by the Karnataka High Court in 2016,
in the case of Sri Vasunathan v. The Registrar General 37, wherein, a woman (X) had worries
regarding her internet presence following her marriage and the resolution of legal issues. To
safeguard her privacy and public reputation, her father attempted to hide her name from internet
searches. Upholding the "right to be forgotten," Justice Anand issued an order to conceal X's
identity from web searches after realising the grave worries about the consequences. The court
pointed out that this kind of protection is consistent with Western norms, especially when it
comes to delicate instances affecting women.

The conflicting opinions from the High Courts in Gujarat and Karnataka draw attention to how
complicated the "right to be forgotten" is in India. Karnataka recognised the necessity for privacy
protection, particularly for women in delicate instances, whereas Gujarat rejected it. Important
concerns include the fact that search engines and online platforms have not been involved in
these cases, the possibility of conflicts with the right to free speech and information, and the need
for comprehensive legislation and a more in-depth Supreme Court ruling to address the nuances
of this changing legal environment.

➔ ZULFIQAR AHMAN KHAN v. QUINTILLION BUSINESSMAN MEDIA38

In this case, a petition was filed in the Hon’ble Delhi High Court, requesting the suppression of
two stories written against the petitioner on a news website based on anonymous harassment
charges in the #Metoo campaign. While the news portal removed the pieces during the pendency
of proceedings in the Court, the Court additionally prohibited the substance of those two pieces

36
Special Civil Application No. 1854 of 2015.
37
Writ Petition No. 62038 of 2016.
38
2019 (175) DRJ 660
 from being republished during the suit’s duration. It was opined that the media cannot try any
allegation and pronounce any person as the culprit. Media should not, therefore, proceed to
selectively sensitize one sided accounts. If a person is exonerated in an inquiry, his Right to be
Forgotten and Right to be Left Alone should be observed by all with more sense of
responsibility. The Court also upheld the Plaintiff’s Right to Privacy, of which the “Right to be
forgotten” and the “Right to be left alone” are inherent aspects.
This is a remarkable way forward on the cases of Right to be Forgotten whereby the Court has
not only granted interim relief but also further re-publication of the said articles even with
modifications have been restrained.

➔ JORAWER SINGH MUNDY v. UNION OF INDIA & OTHERS39

An interim order was passed by the Hon’ble High Court of Delhi wherein the Hon’ble High
Court recognised the Petitioner’s Right to Privacy. The court considered the issue of whether a
judgment where the accused (here petitioner) was acquitted, can be removed from online
platforms. The court examined the Right to Privacy of the Petitioner on the one hand and the
Right to Information and Maintenance of Transparency in judicial records on the other hand. By
way of an order dated 12 April 2021 passed in the said writ petition, the Hon’ble Delhi High
Court observed that the Right to be Forgotten and Right to be left alone are inherent aspects of
an individual’s Right to privacy. The court observed that the Petitioner was entitled to some form
of interim relief during pendency of the writ petition and accordingly directed the respondent
search engines to remove the judgment dated 29 January 2013 from their search results.

A similar approach was also undertaken in the recent case before the Hon’ble High Court of
Delhi in the case of X v Youtube Channel40, where an actress filed a suit against re-publishers of
her explicit videos and the court granted her protection, iterating the Right to be Forgotten as an
inherent facet of the Right to Privacy.

In Subhranshu Rout v. State of Odisha41, the Odisha High Court, while examining the Right to
be Forgotten as a remedy to be given to victims of sexually explicit pictures/pornography, stated
that information in the public domain is like toothpaste, once it is out of the tube one can’t get it
back in and once the information is in the public domain it will never go away. The Court
recognized the importance of the Right to be Forgotten and the emergence of such laws in the
Indian landscape.

In Saanvi Singh v State of Orissa42, the Hon'ble High Court of Orissa analysed a petition to
remove certain sensitive and obscene material from all social media intermediaries. The court
further deliberated upon the right to be forgotten, particularly the lack of a statute that
incorporates the right. Albeit the court conveyed its importance and conveyed how the same was
incorporated into the GDPR. It was stated that information in the public domain is like
toothpaste and once out of the tube the same cannot be put back into the tube.

39
2021 SCC OnLine Del 2306
40
X v. HTTPS : //WWW.YOUTUBE.COM/WATCH?V=IQ6K5Z3ZYS0, 2021 SCC OnLine Del 4193
41
2020 SCC OnLine Ori 878
42
2023 SCC Online Ori 1191
In Google INC v XXX43 and others, the Hon'ble High Court acknowledged the right of
individuals to be forgotten and concluded that the same is also applicable to judgments of
various courts. The court ordered Google to hide the identity of any litigant who wishes to
exercise their right to be forgotten. The court further stated that the intermediary could utilize AI
tools to identify such data and remove it from its medium. Emphasis was placed upon Rule 3(d)
of the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules,
2021 which lays down the procedure by which an intermediary has to take down certain
published information after exercising due diligence similar to the mechanism established under
the GDPR.

In X v Union of India44, the Hon'ble Delhi High Court contemplated the liability of search
engines as intermediaries. It was observed that Search Engines like Google and Bing cannot be
brought under the definition of Social Media Intermediaries and thus escape certain liabilities.
The Hon'ble Court was dealing with the logistics of removing NCII (Non-Consensual Intimate
Imagery). The Court after perusal and all considerations laid down certain guidelines. It was
ordered that the grievance officer as appointed by the Intermediary must be sensitized and the
definition of NCII must be interpreted liberally. The Court further emphasized that every district
cyber police station must have an assigned officer who plays the part of a liaison between the
victim and intermediaries. Further, a fully functional helpline should be established and be
available round the clock. It was also emphasized that after a court or a law enforcement agency
has ordered the removal of NCII, then a token or a digital identifier based approach must be
adopted by the search engines to ensure such material does not resurface. A third party encrypted
platform was suggested that consolidates all NCII content so that the victim does not have to
scour the internet to find URLs of each and every publication.

In Karthick Theodore v. Madras High Court (2021)45, the Madras High Court ruled that an
accused person has the right to have their name removed from decrees or verdicts, especially if
they are available online and in the public domain. In coming to its ruling, the Court stated that,
pending the legislative body's approval of the Data Protection Act, it is the Court's duty to
safeguard individuals' rights to privacy and reputation. It continued by saying that the council
should incorporate an impartial method for handling requests to conceal the identities of those
who have been charged with crimes but have been found not guilty when it approves the Data
Protection Regime.

Additionally, more recently, The Hon’ble Supreme Court of India, by way of an order dated 18
July 202246 noted that the “Right to be Forgotten” or the “Right of Eraser” forms part of the right
to Privacy of an individual and directed the Supreme Court registry to work out a mechanism to
ensure that the names of the Petitioner and Respondent be masked in a manner that they do not
appear on any search engine. The Petitioner and the Respondent in this case were involved in a
case involving offenses relating to modesty of a woman and transfer of sexually transmitted
diseases.

43
2023 SCC Online Ker 6155
44
2023 SCC Online Del 2361
45
2021 SCC OnLine Mad 2755
46
XXXX v. Kancherla Durga Prasad & Ors. Miscellaneous Application No. 875/2022 in SLP(Crl) No. 3211/2022
Additionally, more recently, the Delhi High Court in the case of SK v. Union of India47,
following its observation that the judgement was freely accessible on the Indian Kanoon website
and could be found through a Google search, the Court ordered that the petitioner's name be
hidden on the Indian Kanoon portal. This way, even if the judgement was found through a search
result or Google search, the petitioner's name would not be visible. Therefore, within a week, the
Court ordered Indian Kanoon to delete or obscure the petitioner's identity from the ruling. This
gave a lot of recognition to the right to be forgotten.

The abovementioned judicial decisions display serious recognition of The Right to be Forgotten,
and have also analyzed the same not just in context of the Fundamental Rights enshrined in the
Constitution of India, but have also paid adequate attention to the EU legislation that highly
values the Right to be Forgotten and is considered to be the gold standard among Data Protection
Regulation.

BALANCING COMPETING RIGHTS

The CJEU advocated the application of the balancing test. However, the main difficulty that
India currently faces is in respect of developing such a balancing test, since under the Indian
Constitutional text, there is no express mechanism present for balancing of rights. In the context
of freedom of speech and expression, it needs to be seen whether there are any circumstances
where another fundamental right like Article 21 may operate as a valid limitation on Article
19(1)(a).

To balance the competing rights of equal supremacy is not an easy task for the judiciary, hence,
the development of a proper mechanism is a necessity.

The solution to recalibrate two fundamental rights may lie in the general principles propounded
by the five-judge bench decision of the Supreme Court in Sahara India Corpn v. SEBI.48 The
Court advocated a three-step test prior to the deployment of the balancing measure. Firstly, the
operation of one fundamental right is a “real and substantial risk” to the effective operation of
another; secondly, a balancing measure is necessary i.e., no “reasonable” or less intrusive
alternative can negate the said risk (necessity test); and thirdly, the benefits of such balancing
measures outweigh the damage caused to the operation of the right/freedom, which is sought to
be limited (“proportionality test”)).

The Madras High Court in Kanimozhi Karunanidhi v. Thiru P. Varadarajan 49 had the
opportunity to balance the conflict between free speech under Article 19(1)(a) and the right to
privacy under Article 21. The applicant in the case was seeking an order of an injunction on the
contention that the respondents cannot be allowed to continuously publish articles, which contain
either a direct or indirect reference to her, and her immediate family members.
On the other hand, the Respondents contended that the right to freedom of expression included
the “right to publish any material, which according to it, is in public interest.”
Herein, the Court ordered a limited injunction that only prohibited publication of information
pertaining to her “private life” without her consent. The injunction, however, was not to extend
47
2023 SCC OnLine Del 3544, Order dated 29-5-2023
48
(2012) 10 SCC 603
49
2018 SCC OnLine Mad 1637.
to any information as “to the functions of the applicant as a Member of the Parliament or as a
Leader of the Political Party.”

The fact that Right to be Forgotten is a recently emerging right under the Right to Privacy and it
is not yet recognised under any specific legislation in India, makes it necessary for the courts to
have clear-cut guidelines to balance the Right with Freedom of Speech and Expression. A
prospective development with respect to legislation in India, however, comes in the form of the
the latest Digital Data Protection Bill 2023.

Digital Personal Data Protection Bill 2023 (the“Bill”) and Right to Privacy

The Digital Personal Data Protection Bill of 2023 is a significant legislative

initiative aimed at regulating the processing of personal data in the rapidly evolving digital
landscape of India. As digital transactions, services, and communication continue to grow, the
bill addresses the critical need to protect individuals’' personal data while fostering innovation
and economic growth. By establishing a comprehensive framework that outlines the rights and
responsibilities of both data fiduciaries and data principals, the bill strives to ensure
transparency, consent, and security in the handling of personal information. This legislative
proposal reflects the Indian government’'s commitment to striking a balance between promoting
a thriving digital ecosystem and safeguarding the privacy and rights of its citizens in the modern
era.

The bill’'s features encompass its applicability, consent requirements, rights and duties of data
principals, obligations of data fiduciaries, transfer of personal data outside India, exemptions,
establishment of the Data Protection Board, penalties, and more.

The Digital Personal Data Protection Bill of 2023, which recognises privacy as a basic right in
accordance with the Puttaswamy judgement, is a step in the right direction for privacy and the
right to be forgotten in India. The measure strengthens regulatory control by putting an emphasis
on informed consent and creating the Data Protection Board of India. It addresses cross-border
data transfers but does not have strong tools to evaluate data protection requirements in other
countries. The measure empowers people by highlighting the data fiduciaries’ obligations to
ensure accuracy and deletion in relation to the right to be forgotten.

Concerns are raised about India's State exemptions, meanwhile, as they would allow for
unrestricted data collecting when compared to UK legislation. Judicial permission is required to
maintain strict restrictions over the processing of data connected to national security under the
UK’s Investigatory Powers Act.The Digital Personal Data Protection Bill of 2023 brings several
positive aspects to the right to privacy and the right to be forgotten in India's digital landscape.
Notably, it explicitly recognizes the right to privacy as a fundamental right, aligning with the
Puttaswamy case50. The bill's focus on informed consent ensures individuals' data autonomy,
while the Data Protection Board of India strengthens regulatory oversight. The bill also addresses
cross-border data transfers, safeguarding personal data privacy though it lacks comprehensive
50
(2017) 10 SCC 1
mechanisms for assessing the adequacy of data protection standards in receiving countries.. In
terms of the right to be forgotten, data fiduciaries' responsibilities for data accuracy and erasure
are emphasized, reinforcing individuals' control over their information. Overall, the bill advances
privacy and data control in the digital era and is addressing this important aspect especially since
online frauds and scams are on the rise.

In comparison to the UK's data protection laws, the Digital Personal Data Protection Bill of 2023
introduces some significant differences. While both countries address exemptions for
government processing, the UK's Investigatory Powers Act, 2016 tightly regulates bulk data
processing for national security through judicial approval. The Indian bill's exemptions for State
entities raise concerns about unchecked data collection and potential privacy violations.
Additionally, the Indian bill permits the State to process personal data for benefits, licenses,
permits, or certificates, even without individual consent, potentially compromising purpose
limitation and enabling unintended profiling. The UK's legal framework ensures comprehensive
checks on data processing, including retention limits and parliamentary oversight, enhancing
data privacy safeguards.

The key provisions of the bill related to the Right to Privacy and the Right to be Forgotten:

Right to Privacy:

The Digital Personal Data Protection Bill, 2023 recognizes the paramount importance of the
Right to Privacy in the digital age. It introduces a structured framework that outlines the rights
and obligations of both data fiduciaries (entities processing personal data) and data principals
(individuals whose data is being processed). This framework ensures transparency, consent, and
security in the handling of personal information.

1. Applicability: The bill extends to international activities aimed at Indian customers to

encompass digital personal data processing in India, both online and offline.The bill applies to
the processing of digital personal data in India, encompassing data collected both online and
offline. It extends to data processing outside India if it is intended to offer goods or services
within India.

2. Consent: The bill places a strong emphasis on the legitimate aim and the individual's
permission, offers thorough warnings and permits withdrawal, and guarantees data primary
control.emphasizes the importance of obtaining lawful purpose and individual consent for
processing personal data. Data fiduciaries are required to provide detailed notices to data
principals before seeking consent, explaining the purpose of data collection and processing.
Consent withdrawal is allowed, providing individuals with control over their data.
3. Rights of Data Principals: The bill acknowledges the rights of data principals, which include
the right to access, correct, and erase their personal data. Data principals also have the right to
raise grievances and nominate others to exercise their rights in case of incapacity.

4. Obligations of Data Fiduciaries: Data fiduciaries are mandated to ensure the accuracy and
security of the data they process. They must report data breaches and erase data once the purpose
of processing is fulfilled.

Right to be Forgotten:

While the Digital Personal Data Protection Bill, 2023 does not explicitly recognize the Right to
be Forgotten, its provisions indirectly touch upon aspects that relate to this right, particularly in
terms of data erasure and consent withdrawal.

1. Obligation of Erasure: The bill requires data fiducaries to remove information when it has
served its intended purpose, therefore complying with the Right to be Forgotten. requires data
fiduciaries to erase data once the purpose for which it was collected is fulfilled. This requirement
aligns with the concept of the Right to be Forgotten, as it entails the removal of personal
information that is no longer relevant or necessary.

2. Consent Withdrawal and Data Removal: The bill gives data principals the ability to change
their minds, in line with the concept of data control and database deletion.grants data principals
the right to withdraw consent for processing their personal data. This aligns with the idea that
individuals should have control over their data and be able to request the removal of their data
from databases and public platforms.

While the Digital Personal Data Protection Bill is criticised, particularly in relation to privacy
and the right to be forgotten, but it represents a significant step in addressing digital concerns. In
the absence of clear laws, concerns are raised since it exposes people to possible damages
including discrimination and financial loss. When the right to be forgotten is ignored, personal
data control and human sovereignty are called into question. State entity exemptions run the
possibility of allowing unrestricted monitoring, which would violate the proportionality principle
affirmed in rulings such as Zulfiqar Ahman Khan v. Quintillion Businessman Media and affect
individuals' right to privacy. Provisions that challenge purpose limitation and permit State data
processing without consent also put unjustified data profiling at risk. Some of the criticisms
include the lack of mechanisms for data portability, insufficient evaluations of cross-border data
transfers, and reservations regarding the independence of the Data Protection Board. of 2023
represents a significant step towards addressing the challenges posed by the digital age, there are
several notable criticisms regarding its provisions related to the right to be forgotten and the right
to privacy.

Despite this it has some criticisms and issues as well. One of the notable criticisms pertains to the
absence of clear regulations addressing potential harms arising from personal data processing.
The bill's lack of comprehensive provisions to define, regulate, and mitigate potential harms
leaves individuals vulnerable to a range of risks, including financial loss, reputational damage,
discrimination, and unwarranted surveillance. Additionally, the omission of the right to be
forgotten, a concept recognized in other jurisdictions, raises questions about individuals'
autonomy to control their personal data and request its removal from online platforms when its
original purpose is no longer relevant.

The bill's introduction of exemptions allowing State entities to engage in data processing without
adhering to certain regulations has raised concerns about unchecked surveillance and potential
misuse of personal data. These exemptions could potentially undermine the principle of
proportionality upheld by the Supreme Court in various cases like Zulfiqar Ahman Khan v.
Quintillion Businessman Media51; and individuals' right to privacy. Furthermore, the provision
permitting the State to process personal data for various purposes, even if it overrides individual
consent, challenges the principle of purpose limitation and may lead to data profiling without
stringent consent mechanisms.

The absence of provisions for the right to data portability and the lack of mechanisms to assess
cross-border data transfer adequacy have also drawn criticism, potentially compromising
individuals' data control and privacy when data is transferred to countries with weaker data
protection regulations. Moreover, concerns have been raised about the impact of short
appointment terms on the independence of the Data Protection Board and the potential
compromise of anonymity and privacy in children's data protection.

There are differences in the way that data protection and governmental authority are balanced
when compared to the data protection legislation of the United Kingdom. As the measure moves
forward, resolving these issues is essential to having complete law that protects individuals' right
to privacy and promotes a thriving digital economy. Future discussion and interpretation ought to
centre on the formal creation of the Right to be Forgotten in Indian Jurisprudence.Thus, overall,
the Digital Personal Data Protection Bill of 2023 is a significant step towards regulating the
processing of personal data in the digital landscape of India. While it introduces several positive
aspects, such as robust data fiduciary obligations, individual rights, and the establishment of a
regulatory authority, there are notable criticisms that need consideration. The lack of regulation
for potential harms, omission of important rights like data portability and the right to be
forgotten, and potential issues with cross-border data transfer adequacy are areas of concern.
Furthermore, the comparisons to the UK's data protection laws highlight certain divergences that
may impact the balance between data protection and governmental powers. As the bill
progresses, it is essential for lawmakers to address these criticisms and ensure that the final
legislation strikes the right balance between protecting citizens' privacy rights and fostering a
thriving digital ecosystem and specially the Right to be Forgotten needs to be statutorily
established under the Indian Jurisprudence in order to set the pace for further deliberation and
interpretation on the matter.

COMMENT

51
2019 (175) DRJ 660
Reconciling the Right to be Forgotten with the Right to Freedom of Speech and Expression can
be a complex and challenging task, especially with respect to de-listing. The following may
serve as possible solutions or prospective ways to forge the path ahead:

1. Contextual Evaluation: A contextual evaluation could be conducted to determine the

specific circumstances surrounding a request for the removal of personal data. This could
involve taking into account factors such as the age of the information, the public interest in
accessing the information, and the potential harm that could be caused by leaving the
information online. This approach could help to ensure that decisions are made on a case-by-
case basis and take into account the specific context in which the information is being
accessed.
2. Right to de-list must be in relation to Right to Privacy Only: Legislators should advance
measures to establish a right to de-list solely as a Data Protection Measure in pursuance of
the preservation of right to privacy. Such a right, ordinarily should not be established in the
context of defamation legislation as that might set a dangerous precedent and increase the
likelihood of misuse.
3. Time-Bound Removal: Personal data could be removed from public access after a stipulated
duration of time, beyond which it ceases to serve the purpose for which it was made available
in the first place.
4. Transparency and Accountability: Mechanisms could be put in place to ensure
transparency and accountability in the handling of requests for the removal of personal data.
This could include establishing clear criteria for evaluating requests, providing individuals
with information about the decision-making process, and creating avenues for appeal. This
aspect directly hinges on formulating and incorporating a Comprehensive Data Protection
Law.
5. Collaboration between stakeholders: Collaboration between stakeholders, such as search
engine companies, policymakers, and civil society organizations, could help to develop
solutions that are acceptable to all parties. This could involve convening multi-stakeholder
dialogues, establishing working groups, and other forms of collaboration that enable
stakeholders to share their perspectives and work together to find solutions.

In juxtaposition with other jurisdictions, India does not guarantee a secure position to its citizens.
It has not incorporated any statutory protection for the Right to be Forgotten and as a result the
courts are also confronted with a dilemma. While there has been recognition of the Right to be
Forgotten, the issue of how to apply the Right to be Forgotten in India and how to balance it with
freedom of expression remains unresolved, leaving important questions unanswered.

The answers to these questions must come by way of formulating a comprehensive data
protection framework which will determine how search engine companies, courts, and the public
can operate within the contours of Privacy Law.

While the EU’s legislative and judicial approach provides some guidance by acknowledging that
the Right to be Forgotten can coexist with freedom of expression and by offering suggestions on
how to resolve conflicts between these rights, there is still much work to be done. The Right to
be Forgotten is a relatively new right, and its evolution will take its own path even if
Comprehensive Personal Data Protection Laws are enacted in India. The ongoing debate about
the Right to be Forgotten is just the beginning of establishing legal precedent for balancing the
Right to Privacy and Freedom of Expression in the digital realm.

It is important to keep in mind that each Country’s Judiciary would tackle the emergence and
execution of the Right to be Forgotten in different ways yielding varying outcomes because
when a Court is faced with a potential conflict between two individual rights, its decision may be
impacted or limited by several factors, including the specific wording of the relevant law, the
court’s method of interpretation, and the legal principles and precedents established in that
Country.