Draft of Data Protection Bill:Right to be forgotten
In News: A committee headed by former SupremeCourt judge BN Srikrishna recently submitted a draft law titled “Personal Data Protection Bill, 2018”and its recommendations to the government.Panel has pointed to the need to have a balanced approach on right to be forgotten.These are two separate outcome documents submitted to the ministry of electronics and information technology that will define the legal boundaries of the use of personal data.
Background:The 10-member committee was set up in July 2017 to recommend a framework for securing personal data in the digital world.
What is the right to be forgotten?
It refers to the ability of individuals to limit, de-link, delete or correct the disclosure of personal information on the internet that is misleading, embarrassing, irrelevant or outdated. Such disclosure may or may not be a consequence of unlawful processing by the data fiduciary.
As it was envisioned in the European Union (EU) after a landmark 2014 ruling by the European Court of Justice, the right to be forgotten allows a person to demand that links to online information about them be removed from search engine results if the data are outdated or irrelevant.
India and Right to be Forgotten
In India, a recent case, the Karnataka High Court had upheld the right to be forgotten in a petition filed by a woman saying an internet search should not reflect her name in a previous criminal order passed by it.
First step for this issue is to get the law in place first and then only everything else fall into place.There should not only be a right to be forgotten but there should be a right to get the data deleted.The search engines might not show results but one should have the right to object for the processing of data.The right to get the data deleted needs to be put in place.
There is a need to have enabling provisions in the law to go through this process which will make the process more simplified, free of lengthy procedures and less time consuming.
This right should not be confused with two things:
1.It shouldn’t be confused with the ability to take down illegal data which already exists anything that is obscene or definitely can already be taken down.
2.The right to be forgotten should be interpreted narrowly so that it doesn’t become a shortcut to defamation law. Defamation is used in India to stifle free speech from powerful interests and by people who have unlimited funds.
Highlights of the Personal Data Protection 2018 Bill:
- The appropriateness of a right to be forgotten in specific circumstances would require that the right to privacy be balanced with the freedom of speech.
- The draft bill notes that “the right to privacy is a fundamental right and it is necessary to protect personal data as an essential facet of informational privacy.”
- The bill also notes that it is necessary to create trust between the individual who provide their data and those who process this.
- On the right to be forgotten, the bill notes that that ‘data principal’ which means the individual or the person providing their data has a “right to restrict or prevent continuing disclosure.”But the bill does not allow for a right of total erasure like the European Union does.
- It also gives a data processor considerable leeway when it comes to deciding on this ‘right to be forgotten.’ The bill notes that “the data fiduciary may charge a reasonable fee to be paid for complying with requests.”
- The Bill also calls for privacy by design on part of data processors and defines terms like consent, data breach, sensitive data, etc.
- Proposed setting up of Data Protection Authority (DPA) to deal with such complaints.Data Protection Authority of India (DPA)is an independent regulatory body responsible for the enforcement and effective implementation of the law, consisting of a chairperson and six full-time members.In case of any appeal against an order of the DPA, an appellate tribunal should be established or an existing appellate tribunal should be granted powers to hear and dispose of any appeal.
Other recommendations by the committee:
The committee has recommended phased timelines for the adoption of different aspects of the privacy law, making data protection a critical component in India’s security posture rather than a mere compliance prerequisite. Also, the stringent penalties proposed on the misuse of data would create deterrence and also compel organizations to build a control led environment while processing or storing personal data.
A COMPARISON OF DATA LAWS IN OTHER COUNTRIES:
EUROPE (EUROPEAN UNION):
Europe has an encompassing law ‘General Data Protection Regulations,’ which came into effect on May 25, 2018.
User consent needs to be explicit Right to be forgotten, a concept that arose in the EU.
Applies to businesses anywhere in the world that handle European data.
Penalties for non-compliance are up to 4 percent of the company’s global turnover or 20 million Euros whichever is higher.
Data protection fragmented in various federal and state laws.
Each sector will deem what remainsprivate or personal data.
A movement to pass a new law onconsumer privacy protectionsfailed in the Congress in 2017.
California with ‘Shine the LightLaw,’ was one of the first states inthe US to implement privacy laws.
The Privacy Act of 1988 regulates the handling of personal information of individuals.
Privacy is not a fundamental right.
It Does not apply to government agencies, political parties.
Major criticisms stem from the idea that the right to be forgotten would restrict the right to freedom of speech.Many nations and the United States in particular have very strong domestic freedom of speech law which would be challenging to reconcile with the right to be forgotten.
This could produce a censoring effect in that companies such as Facebook or Google, will wish not to be fined under the act and will therefore be likely to delete wholesale information rather than facing the fine which could produce a “serious chilling effect.”
In addition to this, there are concerns about the requirement to take down information that others have posted about an individual.The definition of personal data in Article 4(2) includes “any information relating to” the individual. It would require companies to take down any information relating to an individual, regardless of its source, which would amount to censorship and result in the big data companies eradicating a lot of data to comply with this. Such removal can impact the accuracy and ability of businesses and individuals to carry out business intelligence, particularly due diligence to comply with antibribery, anticorruption and know your customer laws.
Connecting the Dots:
Now question is “In today’s age of cloud computing, is it truly possible to implement the Right to be forgotten clause in the Srikrishna committee’s draft data protection bill? THINK ABOUT IT.