Every individual in the European Union has the Right to be Forgotten. This right ensures that when need be, if a person seeks to delist his personal information from the internet searches, he has the right to approach the data operators directly asking them to do the same. This right is incidental to the right to privacy. But the question is whether the personal information is off the internet globally or just in your region?

Google LLC has its domain search versions categorized country wise. It uses the technique of geo-blocking to prevent one region from using the version categorised specifically for some other region.

In the latest case of Google LLC v. CNIL, the defendant in support of the individuals that approached them, demanded Google to de-reference the links containing personal information of them globally and not restricting the dereferencing to the EU region. The defendant argued that such disclosure of information in other regions but in EU violates the EU directive that provides for the Right to be Forgotten.

To clarify further, Google will 'dereference data' to find out where and when the information is stored, at what address (technically) and then modify/delete it.

Google on the other hand stated that such interference by CNIL is violative of Public International Law and that the demand of the defendant is also in restriction to the Freedom of Speech and Expression.

With regard to the case in question, the Court of Justice European Union referred to the General Data Protection Regulations (Directive 95/46/EC) and held that an individual can invoke his/her right to be forgotten only within the borders of the EU. The court inferred that other countries cannot be demanded to allow the Right to be Forgotten as according to the one in the EU.

The court also stated that the data operators must in their capacity consider and strike a balance between an individual's right to be forgotten and public right to information.

Right to be Forgotten in India-

The Delhi HC in its order (Subodh Gupta v Herdscene and & Ors,) wherein the plaintiff had contended that the information available about him over the internet sites were defamatory and mere allegations without any backing. The court ordered (i) Herdsceneand; (ii) Instagram LLC; (iii) Facebook, Incorporated; (iv) Facebook Ireland Limited; (v) Google Incorporated; and, (vi) Google India Pvt. Ltd.- to remove the links from their domain. The court also further held that such allegations in the contents available online without a "legal recourse" are capable of creating "mischief."

This sheds light on the fact that even though not on the premise of the right to be forgotten, the indian court has considered erasing personal information of individuals from the internet. Further it can be seen that the result has been ordered to be delisted primarily only from Google India, which as seen in the EU case makes it possible for people outside India to be able to access such information.

Conclusion:

The GDPR in the EU have formed the basis for data privacy regulations in many countries. The judgment in favour of Google, allowing dereferencing only around the EU and not globally stands criticised, however the judgement when read intrinsically allows the Member States to weigh between the right to be forgotten and the right to freedom of information and if in the interest of the national public good, there be a reason to demand for dereferencing globally, such an order can be made. This proves that there is no complete bar and limitation to the right to be forgotten in the EU.

In India, post the Puttuswamy Judgement, right to privacy is considered a fundamental right. However, right to be forgotten has not been mentioned in the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011. However in The Data Protection Bill, 2018, Right to be Forgotten has been proposed, which can be invoked by any person if f data disclosure is no longer necessary, the consent to use data has been withdrawn or if data is being used contrary to the provisions of the law. It is true, that the road to Data Protection to be implemented in India is a new and long one, but the recent HC judgement proves that the issues with regard to data when considered in a court of law are dealt with by considering the consent of the parties for the use of such data. The future of data protection laws, with a lot of learning from the EU regulations is a difficult but possible implementation.

Footnotes

[1] https://www.livelaw.in/pdf_upload/pdf_upload-365121.pdf

[2] Google v CNIL Case C-507/17

[3] THE PERSONAL DATA PROTECTION BILL, 2018

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.