Wednesday, February 28, 2024

The Internet Never Forgets

The Delhi High Court has said that a person’s right to be forgotten is intrinsically linked to his right to privacy, and search engines and intermediaries are legally bound to disable access to offending content.

By Dr Swati Jindal Garg

The Delhi High Court recently passed a slew of directions to social media intermediaries, the Ministry of Electronics and Information Technology and the Delhi Police to expeditiously handle cases of dissemination of “non-consensual intimate images” (NCII) on the internet.

The order was passed in the wake of a plea by a woman seeking blocking of certain sites carrying her intimate images and registration of an FIR against a man who, she alleged, had got acquainted with her through social media. She also claimed that she was taken advantage of by the man who in the “absence of her family members, came over to her place and forced himself upon her”. He allegedly not only clicked explicit pictures of her, but also involved her minor son in sexual acts and leaked her pictures to various pornographic sites.

A single-judge bench of Justice Subramonium Prasad, while passing the directions, observed that the “internet never forgets, and once such content is uploaded, it becomes exceptionally difficult to control its spread”. The Court also said that if individuals have a “right to informational privacy”, it also contains within itself the “individual’s right to be forgotten which has been held to be the consequence of dignity of an individual and, thus, a facet of the right to privacy”.

Justice Prasad observed that search engines play an important role in “dissemination of content and its powers in connecting said content to consumers is undeniable”. The Court said: “It is unfathomable as to how a search engine can feign helplessness when it comes to removal of or disabling access to links which prima facie contain content that is illegal as declared by the court… An approach that entails the victim/user having to sift through the internet to identify and then share every URL hosting their NCII-‘non-consensual intimate images’ is unconscionable in the eyes of this court.”

The Court further said that search engines and social media intermediaries not only have the ability and the capacity, being in the position that they are to access the said content, but also have the legal obligation to disable access to the offending content. This responsibility, the Court observed “cannot be brushed under the carpet on the ground that it (intermediaries) does not host content”. 

Among the various directions issued, the Court also said that the grievance officer appointed by the intermediary for receiving complaints must be “appropriately sensitised”. “The definition of NCII abuse must be interpreted liberally by intermediaries to include sexual content obtained without consent and in violation of an individual’s privacy as well as sexual content obtained and intended for a private and confidential relationship,” it said.

Explaining the process that needs to be followed and streamlined, the Court directed that once an information alleging NCII is received, the Delhi Police must immediately register a formal complaint and bring the perpetrators to book to prevent the repeated upload of unlawful content, hence attacking the problem in its bud. It said that every district cyber police station must have an assigned officer to liaise with intermediaries against which grievances have been raised by the victim. Further, an endeavour should be made to ensure that the grievance is resolved within time schedules stipulated under the IT Rules in order to make sure that the problem does not escalate.

The plea of most victims in such cases revolves around the right to be forgotten, which is also an extension of the right to privacy that is enjoyed by an individual.The same is governed by the Personal Data Protection Bill that is yet to be passed by Parliament. The right to privacy was declared a fundamental right by the Supreme Court in 2017 in the landmark verdict of Puttaswamy case. 

Justice SK Kaul in KS Puttaswamy vs UOI had said: “Right of an individual to exercise control over his personal data and to be able to control his/her own life would also encompass his right to control his existence on the Internet.” The Court had said at the time that “the right to privacy is protected as an intrinsic part of the right to life and personal liberty under Article 21 and as a part of the freedoms guaranteed by Part III of the Constitution”.

The Personal Data Protection Bill was introduced in the Lok Sabha on December 11, 2019, and it aims to set out provisions meant for the protection of personal data of individuals. Clause 20 under Chapter V of this draft bill titled “Rights of Data Principal” mentions the “Right to be Forgotten”. It states that the “data principal (the person to whom the data is related) shall have the right to restrict or prevent the continuing disclosure of his personal data by a data fiduciary”.

However, it cannot be construed that the sensitivity of personal data is solely determined by the concerned person. It is overseen by the Data Protection Authority. So while the person whose data is in question is given the protection of some provisions under the Draft Bill under which he may seek to get the sensitive information removed, ultimately his rights are subject to the approval/authorisation by the adjudicating officer who works for the Data Protection Authority.

The right to be forgotten is a common name for a right that was first established in May 2014 in the European Union as the result of a ruling by the European Court of Justice. The Court found that European data protection law gives individuals the right to ask search engines like Google to remove certain results for queries related to a person’s name. In deciding what to remove, search engines must consider if the information in question is “inaccurate, inadequate, irrelevant or excessive,” and whether there is a public interest in the information remaining available in search results. 

In furtherance of this, in 2018, the EU adopted the General Data Protection Regulation that sets out a right to erasure. This data protection, however, is available only to individuals and not to corporations and other legal entities. Requests for delisting of personal information, though, usually come from the effected person himself. However, it may also come from someone acting on his behalf provided that the said person has the legal authority to do so.

As social media pervades every aspect of life, it becomes imperative that the content uploaded has strict parameters of control. The record of an individual’s history has a bearing on the conduct of the person and the way others respond to the extent that the said collection will also affect the future of the concerned person. Thus, cherishing and assuring the dignity of an individual by guaranteeing the right to personal liberty and privacy in a reasonable manner helps to bring evolution of the individual, along with giving him an opportunity to have a second chance in life. Protecting one’s privacy and establishing a code of conduct to regulate online activity, therefore, becomes the need of the hour. The right to privacy along with the right to be forgotten is intrinsically an inalienable right guaranteed under the fundamental rights by the Constitution.

The object of national laws and fundamental rights in the context of protecting an individual’s privacy extends to his right with respect to the processing of personal data. The right to be forgotten implies that personal data which is no longer needed for the purpose that it was originally destined to fulfill must be completely erased from public record. Or alternatively, it also means that data that was uploaded without due sanction or in a mala fide manner must be removed as it infringes upon the personal rights of the affected person.

The above mentioned case is not the only one wherein a court has made comments and passed directions regarding a person’s personal data. In Subhranshu Rout too, the Orissa High Court, while examining the “right to be forgotten” as a remedy to be given to victims of sexually explicit pictures/pornography, stated that “…information in the public domain is like toothpaste, once it is out of the tube one can’t get it back in and once the information is in the public domain it will never go away”. The Court recognised the right to be forgotten in such cases and the emergence of such laws in the Indian landscape.

Justice Asha Menon of the Delhi High Court had also stated in a similar case that “a woman has the unbridled right to be forgotten and she is fully entitled to protection of privacy from invasion by strangers”.

It cannot be denied that the right to information and the right to privacy work in tandem. Therefore, it is essential to formulate laws and an ethical code of conduct within the Information Technology Act for the regulation of the right to be forgotten. 

In this regard, the centre on February 25, 2021, had notified the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, which provide a redressal mechanism for reporting on any intermediary operations that tend to violate a person’s right to privacy. This helps to maintain the dignity of an individual. 

—The writer is an Advocate-on-Record practicing in the Supreme Court, Delhi High Court and all district courts and tribunals in Delhi


News Update