In this piece, author analyses the underrated idea of the right to be forgotten with retrospective effect in the usurping Indian data protection regime. It also advocates the need to chalk out a proper grievance redressal mechanism for the disposal of data collected with uninformed consent under the Aadhar regime.
Sanskrati Jain is a student of Dharmashashtra National Law University, Jabalpur
With the upsurge of the digital world, the horizon of privacy rights is widening continuously. But India is a newcomer to the family of privacy rights; it just recognized privacy as a basic right in 2017 (K.S. Puttaswamy-I)[1] and recently it has come up with a central data protection law. This nascent right has various important facets such as the right to be forgotten, the concept of consent, the decisional autonomy, the right to access, and so on to be implored upon.
The Government even with the enactment of the new Data Protection law has failed to clarify its stance on the data already collected under the Aadhar regime, and whether the new law would be retrospectively applicable or not. The Aadhar data is still being utilized by numerous private players (expressly prohibited by the SC) without the informed consent of Indians.[2] Till date there is no proper mechanism devised by the government to dispose of unwanted data collected under the Aadhar scheme and enforce the right to be forgotten, a very intrinsic aspect of the right to privacy.
In this piece, the author demonstrates how UIDAI is violating the decisional autonomy of Indians by not providing them a proper channel through which they can erase their data collected under the Aadhar scheme in the backdrop of uninformed consent. The author further discusses the relevant provisions of newly introduced data protection legislation and the B.N. Sri Krishna Committee[3] recommendations to the effect, and the ideal opportunity with the central govt. to provide for enforcement right to be forgotten with retrospective effect under newly enacted Act.
The Aadhar Judgement
The apex court in the case of K.S. Puttaswamy v. Union of India[4](hereinafter referred to as Puttaswamy Judgement), while upholding the constitutionality of the Aadhaar Act[5] recognised the right to privacy as a part of the right to life and personal liberty guaranteed under Article 21[6] of Indian constitution.[7] But it upheld only that portion of Aadhar Act, which authorized Aadhaar number-based verification to be used to verify a person’s identification in order to receive a subsidy, benefit, or service from the Central or State Government, as it considers people’s dignity from both a personal and a communal point of view.
The Supreme Court itself has struck down various sections of the Aadhar Act, for instance the portion of section 57[8] and has prohibited private companies from using an individual’s Aadhaar number to verify that person’s identity for any reason under a contract on the grounds that it violated the basic right to privacy. The Supreme Court interpreted Section 2(d)[9] of the Aadhaar Act to prohibit government agencies from storing Aadhaar metadata of transactions and metadata to be kept no longer than 6 months, where the Aadhaar Act provided for the retention of Aadhar metadata for five years.[10]
The plurality of opinions in the Puttaswamy Judgement leads us to one single relevant conclusion that even though the Aadhar Act is constitutionally valid but is not 100% correct and the data surrendered to UIDAI in the name of the Aadhar scheme is not in safe hands and can be misused by the government itself. The Court further stated that the Centre must pass a strong data protection law as soon as possible.[11]
The Notion of Decisional Autonomy and Right to be Forgotten
The nine-judge bench in the Puttaswamy judgment has affirmed that the right to privacy involves “decisional autonomy”[12] as it includes the right of a person to make an informed decision not to enforce his fundamental right, it can be waived off by the data principal with his/her informed and due consent.[13] The problem stems from the various ways in which this identifying system might be exploited, or rather misused, by the state.[14]
The Puttaswamy case (2017) recognized the right to privacy, but Indians were unaware of this right. The consent given by data principals was not informed and violated their decisional autonomy.[15] This is particularly concerning in an under-literate country like India, where people are oblivious to their rights and may not understand the nuances of a nascent right.[16]
Justice H.R. Khanna, in his historic dissent in the ADM Jabalpur case[17], has said that there are some very intrinsic and fundamental rights conferred by birth to a human, and are available to subjects even before their formal recognition[18]. It means some fundamental rights remain unaffected by their recognition in the constitution hence, cannot be curtailed by the state without any compelling just, fair, and reasonable cause even before their recognition. Here, the state has inflicted upon the individual’s fundamental right to privacy (decisional autonomy) by collecting their personal data before 2017, without their prior informed and conscious consent. Hence, this right has a retrospective effect from the date of its formal recognition.
Therefore, the author proposes that to enforce this decisional autonomy, an inherent part of the right to privacy, an express provision in legislation pertaining to the erasure of data and enforcement of it through the express right to be forgotten to the data principal is need of the hour
The New Data Protection Law
The Indian government formed a committee led by Retd. Justice B.N. Srikrishna to draft a Digital Personal Data Protection law, including provisions for the Right to be Forgotten.[19] The law was passed by both houses of Parliament and assent from the President on 11th August, 2023. The Act aims to enact the right to be forgotten, which is now unavailable under the Information Technology Act, 2000.[20] However, it was later withdrawn due to 81 amendments suggested by a Joint parliamentary committee.
This statute recognizes the extremely important aspect of the right to privacy known as the Right of Erasure. An individual, whose data is being processed (data principal), will have the right to: – (i) obtain information about processing, (ii) seek correction and erasure of personal data, (iii) nominate another person to exercise rights in the event of death or incapacity, and (iv) grievance redressal.
According to the Sri Krishna Committee’s recommendations, the provisions of the Act guarantee that the exercise of this right does not conflict with another person’s freedom of speech and expression or their right to knowledge by balancing the right to be forgotten with competing rights and interests. Its application is determined by elements like the sensitiveness of the restricted personal data, the public relevance of the data, and the significance of the data primary in public life.[21]
Pathway Ahead
With an orientation towards justice, the author opines that the right to be forgotten is a must which has been made available to aggrieved data principals, but still, there is no proper channel for the same has been designated by the legislator. As the data so surrendered was not done with informed consent, the state should chalk out a good plan by which the data principals can withdraw their uninformed consent to the usage of their personal and sensitive data so surrendered. The right to be forgotten allows individuals to request the deletion of their personal information from records, ensuring their mistakes or bad decisions are not publicly visible. Its jurisprudence is originating from the General Data Protection Regulation of the European Union.[22]
Recently, in the case of Jorawar Singh Mundy v. Union of India (2021)[23], the petitioner, an American citizen, presented a writ petition in the Delhi High Court and prayed that the ruling in a narcotics case where he has been acquitted to be removed from all respondent sites since it had affected his career prospects. As the right to be forgotten falls under the purview of the right to privacy, the Delhi High Court ordered Google and Indian Kanoon to erase the judgments from their respective portals. Similarly, in the case of X v. YouTube (2021)[24], the Delhi High Court upheld an actor’s right to privacy under Article 21 of the Indian Constitution. It directed websites and online service providers to take down the actor’s explicit recordings that had been uploaded to numerous video-sharing services without her consent.
Conclusion
Due to the Court’s liberal interpretation of the right to privacy, several claims have been made possible. There is no doubt that privacy claims will frequently need to be balanced against other conflicting interests, even the precise limits of the right will continue to be determined case by case. The legislature has tried setting forth the rights and obligations of data fiduciaries and principals while taking into consideration the principles of purpose limitation, data minimization, reasonable effort, storage limitation, reasonable safeguards to prevent data breaches, and assurance that there is no unauthorised collection or processing of personal data, [25]which is a highly commendable job.
All these are good efforts in this direction lately, but the government. has not clarified its stance on the data collected under the Aadhar scheme and the lethargic approach of the government to this important issue has led to a kind of anarchy on this issue.[26] Here, the author opines that it is a golden opportunity with the Central govt. which is having the power to notify the dates of enforcement of this Act (which may differ for different provisions of the Act), it can cope up with this evil by applying the right to be forgotten with retrospective effect. It shall make a special provision for ensuring prohibition on its unauthorised usage and complete and veritable disposal of unwanted data so collected by the state itself and a systematic mechanism to ensure the proper disposal of such data shall be chalked out.
[1] (2017) 10 SCC 1.
[2] Ibid [20] (Justice Kaul).
[3] Justice B.N. Srikrishna Committee Report on “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” (27 July 2018).
[4] K.S. Puttaswamy (n 1).
[5] The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Act 18 of 2016).
[6] The Constitution of India (1950) Art. 21.
[7] y Vrinda Bhandari, Amba Kak, Smriti Parsheera and Faiza Rahman, An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict (2017) IndraStra Global, 11, 1-5. https://nbn-resolving.org/urn:nbn:de:0168-ssoar-54766-2 accessed 21st December 2023.
[8] The Aadhaar Act [57] (n 5).
[9] Ibid.
[10] Justice D.Y. Chandrachud’ s dissent in Puttaswamy Judgement argues that the whole Aadhaar project violates privacy and is unlawful. He also stated that the Unique Identification Authority of India (UIDAI) has acknowledged to storing sensitive data, which violates the right to privacy and the right to equality, under article 21 and Article 14, respectively
[11] K.S. Puttaswamy, (n 1) [44] (Justice Kaul) [179 180 185] (Justice Chandrachud).
[12] Ibid [141] (Justice Chandrachud).
[13] Ibid [70] (Justice Kaul), “The State must ensure that information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed”
[14] Ibid [173] (Justice Chandrachud) [21] (Justice Kaul) [47] (Justice Bobde).
[15] K.S. Puttaswamy, (n 1) [38] (Justice Chelameshwar) [84 (iv)] (Justice Chandrachud).
[16] Gautam Bhatia, “The Supreme Court’s Right to Privacy Judgment – IV: Privacy, Informational Self-Determination, and the Idea of Consent,” (Indian Constitutional Law and Philosophy, 30 August 2017) <https://indconlawphil.wordpress.com/2017/08/30/the-supreme-courts-right-to-privacy-judgment-iv-privacy-informational-self-determination-and-the-idea-of-consent/> accessed 21 December 2023.
[17] ADM Jabalpur v. Shivkant Shukla, AIR 1976 SC 1207.
[18] Ibid [525, 573, 593] (Justice Khanna).
[19] Srikrishna Committee Report (n 3).
[20] The Information Technology Act, 2000 (Act No. 21 of 2000).
[21] Sanskruti Yagnik, “The Right to be Forgotten: The good, the bad and the ugly”, (Law and Other Things,1 February 2022) <https://lawandotherthings.com/the-right-to-be-forgotten-the-good-the-bad-and-the-ugly/> accessed 21st December 2023
[22] General Data Protection Regulation, 2016, No. 679, European Parliament, and Council of the European Union, 2016 (European Union).
[23] Jorawar Singh Mundy v. Union of India, Cri. App. No. 14 of 2013, (Delhi H.C.) (Unreported) [https://www.livelaw.in/pdf_upload/16186364774292021-393948.pdf] .
[24] X v. YouTube, CS(OS) 392 of 2021 (Delhi HC) (Unreported) [<https://www.livelaw.in/pdf_upload/1629825342565877432021-1-399323.pdf>].
[25] Namita Viswanath and Savithran Ramesh, ‘The Supreme Court’s Aadhaar Judgement and The Right To Privacy’, (Indus Law, 11 October 2018), https://www.mondaq.com/india/privacy-protection/744522/the-supreme-court39s-aadhaar-judgement-and-the-right-to-privacy
[26] Gopi Krishnan Nair, “What Aadhaar Needs: Right to Notice, Right to Object, Right to be Forgotten”, (Spontaneous Order, 3 August 2018) https://spontaneousorder.in/what-aadhaar-needs-right-to-notice-right-to-object-right-to-be-forgotten/
[1] (2017) 10 SCC 1.
[2] Ibid [20] (Justice Kaul).
[3] Justice B.N. Srikrishna Committee Report on “A Free and Fair Digital Economy Protecting Privacy, Empowering Indians” (27 July 2018).
[4] K.S. Puttaswamy (n 1).
[5] The Aadhaar (Targeted Delivery of Financial and Other Subsidies, Benefits and Services) Act, 2016 (Act 18 of 2016).
[6] The Constitution of India (1950) Art. 21.
[7] y Vrinda Bhandari, Amba Kak, Smriti Parsheera and Faiza Rahman, An Analysis of Puttaswamy: The Supreme Court’s Privacy Verdict (2017) IndraStra Global, 11, 1-5. https://nbn-resolving.org/urn:nbn:de:0168-ssoar-54766-2 accessed 21st December 2023.
[8] The Aadhaar Act [57] (n 5).
[9] Ibid.
[10] Justice D.Y. Chandrachud’ s dissent in Puttaswamy Judgement argues that the whole Aadhaar project violates privacy and is unlawful. He also stated that the Unique Identification Authority of India (UIDAI) has acknowledged to storing sensitive data, which violates the right to privacy and the right to equality, under article 21 and Article 14, respectively
[11] K.S. Puttaswamy, (n 1) [44] (Justice Kaul) [179 180 185] (Justice Chandrachud).
[12] Ibid [141] (Justice Chandrachud).
[13] Ibid [70] (Justice Kaul), “The State must ensure that information is not used without the consent of users and that it is used for the purpose and to the extent it was disclosed”
[14] Ibid [173] (Justice Chandrachud) [21] (Justice Kaul) [47] (Justice Bobde).
[15] K.S. Puttaswamy, (n 1) [38] (Justice Chelameshwar) [84 (iv)] (Justice Chandrachud).
[16] Gautam Bhatia, “The Supreme Court’s Right to Privacy Judgment – IV: Privacy, Informational Self-Determination, and the Idea of Consent,” (Indian Constitutional Law and Philosophy, 30 August 2017) <https://indconlawphil.wordpress.com/2017/08/30/the-supreme-courts-right-to-privacy-judgment-iv-privacy-informational-self-determination-and-the-idea-of-consent/> accessed 21 December 2023.
[17] ADM Jabalpur v. Shivkant Shukla, AIR 1976 SC 1207.
[18] Ibid [525, 573, 593] (Justice Khanna).
[19] Srikrishna Committee Report (n 3).
[20] The Information Technology Act, 2000 (Act No. 21 of 2000).
[21] Sanskruti Yagnik, “The Right to be Forgotten: The good, the bad and the ugly”, (Law and Other Things,1 February 2022) <https://lawandotherthings.com/the-right-to-be-forgotten-the-good-the-bad-and-the-ugly/> accessed 21st December 2023
[22] General Data Protection Regulation, 2016, No. 679, European Parliament, and Council of the European Union, 2016 (European Union).
[23] Jorawar Singh Mundy v. Union of India, Cri. App. No. 14 of 2013, (Delhi H.C.) (Unreported) [https://www.livelaw.in/pdf_upload/16186364774292021-393948.pdf] .
[24] X v. YouTube, CS(OS) 392 of 2021 (Delhi HC) (Unreported) [<https://www.livelaw.in/pdf_upload/1629825342565877432021-1-399323.pdf>].
[25] Namita Viswanath and Savithran Ramesh, ‘The Supreme Court’s Aadhaar Judgement and The Right To Privacy’, (Indus Law, 11 October 2018), https://www.mondaq.com/india/privacy-protection/744522/the-supreme-court39s-aadhaar-judgement-and-the-right-to-privacy
[26] Gopi Krishnan Nair, “What Aadhaar Needs: Right to Notice, Right to Object, Right to be Forgotten”, (Spontaneous Order, 3 August 2018) https://spontaneousorder.in/what-aadhaar-needs-right-to-notice-right-to-object-right-to-be-forgotten/