The freedom of speech and expression:
Freedom of speech and expression, subject to reasonable restrictions imposed by the State is a fundamental right guaranteed under Constitution of India. Countries world over confer this right on their citizens. The right to write and speak through available mediums and channels is conferred on an individual who may publish material about himself or in respect of third parties for the benefit of the public at large. To illustrate this, a person may upload personal data relating to himself and his family on a website. Alternatively, a reporter may report news about a lawyer’s license to practice being revoked on account of professional negligence with a view to bringing this to the notice of interested parties. However, a report by a correspondent cannot be derogatory or defamatory in nature and resultantly harm or tarnish the reputation of a person. Therefore so long as the freedom of speech and expression is not defamatory or disparaging within the restrictions imposed it would be regarded as fair, free, justified and acceptable.
The right to be forgotten:
On the other hand the courts in certain jurisdictions are recognizing a right of a person “to be forgotten”. Simply stated this is a right of a person to have information and data about himself to be deleted permanently either consequent upon (i) closure/deletion by him of his own account on which he may himself have posted material about himself or others and (ii) it having been published by third parties about him with a view to ensuring that the material published is no longer viewable or accessible. The concept is akin to the privacy a person is entitled to and reasonably expects.
The case of Google Spain SL, Google Inc. v Agencia Espanola de Proteccion de Datos, Mario Costeja Gonzalez as decided by the Court of Justice of the European Union in Case C- 131/2010.
In a recent ruling of the European Court of Justice, Google was directed to remove information available about Mr. Mario Costeja Gonzalez from its search engine with a view to maintaining a fair balance between the interests of potential internet users and those of Mr. Gonzalez’s right to privacy / protection of personal data. The balance to be maintained was between the nature of information in question, its sensitivity for the subject’s private life and the interest of the public in having that information of the role played by the subject in public life. In this case, it was held that the request by a person that links on certain web sites be removed from the list of results displayed upon a search being caused, on the grounds that the person wishes that the personal information relating to him as appearing on certain of those pages be “forgotten” after a certain period of time, that if it is found that pursuant to a request by the subject that the inclusion of those links is inadequate or irrelevant or excessive or not relevant any longer over a period of time, the links and the results need to be removed/deleted. What would be taken into consideration is whether the subject has a right that the information in question as relating to him personally should no longer be linked to his name or the overall public has interest in having access to the information when a search is caused.
In the case of Equustek Solutions Inc. v Jack as decided by the Supreme Court of British Columbia the Plaintiff’s alleged that it’s trade secrets were misappropriated and a near identical product was manufactured, sold and passed – off by the Defendants. Whilst Google volunteered to remove the results of the search of the copied product from its Google.ca website, it declined to block the results of the search in other countries. The Plaintiff requested Google to block the relevant webpages / URL’s from Google Canada’s search results and which Google did. Thereafter the Plaintiff sought and succeeded in obtaining an order requiring Google to remove/delete the Defendants sites from all Google’s search results world over. In deciding the case the court asserted jurisdiction over Google Inc. The choice-of-law clauses in Google's user agreements did not preclude the court from asserting and exercising extra-territorial jurisdiction over Google Inc. There was no other way in which Defendants' online sales could have been halted. In passing the order the court referred to and relied upon the “right to be forgotten" case decided by the European Union.
The “right to be forgotten” is important to protect the rights and interests of persons who avail of the social media in order to ensure prevention of its misuse in any manner which may be defamatory / derogatory resulting in embarrassment or ridicule in the society at large. Such persons are justified to contend and raise concerns of a violation of their privacy rights in cases where information and data uploaded by or about them is stored and shared by service providers with third parties. On the other hand service providers defend and justify the storing and sharing of information on account of persons having explicitly agreed to be bound by the terms and conditions of services agreements which include the storage and sharing of their information and data by the service provider during the period their account is active and even consequent upon its deletion by such person.
The position in various jurisdictions and India
The concept of the right to be forgotten has been implemented in the European Union and Argentina in recent years. EU privacy law mandates the right to be forgotten and makes it obligatory upon service providers to delete the data after fulfilment of the purpose for which it is obtained or stored. Likewise, in the United Kingdom, Principle 6 of Data Protection Act, 1998 deals with data retention policies and restricts the processing of personal data. The regulations in the United Kingdom emphasize on the nature and content of the information and data that maybe retained and do not permit it’s entire retention. Singapore has been proactive in enacting and enforcing a robust law in the interest of Personal Data Protection. The PDPA requires commercial (and) other organizations to deposit their personal data collection with the concerned data officer. The basic requirements of posting/displaying/transferring personal data are the consent of the individual, the specific purpose of such an act and lastly the reasonableness of the act. Pursuant to right of the freedom of speech and expression as embodied in The First Amendment of the American Constitution, the Supreme Court of the United States of America has defended the rights of news agencies when publishing / reporting personal data/information of persons. The right to be forgotten is unprotected in the US. The media that privacy can limit the right of the media to reveal the shameful past of an person has been the subject matter of litigation and been rejected by the US Supreme Court.
As of date, India does not have a stand-alone legislation governing data protection or privacy. However, the applicable provisions of the Information Technology Act, 2000 (“the Act”) provide for payment of compensation by body corporates to affected person for failure to protect sensitive personal data, payment of compensation and punishment for intermediaries in case of failure to preserve and retain data as per the direction given by the Central Government, payment of compensation by person or intermediary or punishment for disclosure of information in breach of lawful contract, in case of wrongful disclosure, misuse of personal data and violation of contractual terms of personal data. India has also adopted the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("the Rules) which mandate implementation and maintenance of reasonable security practices and procedures for body corporates that possess, deal with or handle sensitive personal data or information. The Rules direct body corporates to provide a policy for privacy and disclosure of information and also provide grounds and conditions for collection, disclosure and transfer of sensitive personal data or information.
A draft of The Privacy (Protection) Bill, 2013 has been proposed by the Centre for Internet and Society. It contains provisions that deal with data protection, interception and surveillance. The draft contains provisions for a new Data Protection Authority of India to be established with wide powers of investigation, review and enforcement. In addition, the Bill proposes the introduction of comprehensive regulation, including regulation of the collection, processing and storage of data by any person, regulation of the use of voice and data interception by authorities, regulation of the manner in which forms of surveillance not amounting to interceptions of communications may be conducted.
The concept of the right to being forgotten is even more important with the development of information technology the consequent introduction of social networking sites and email as the most preferred source and avenue of social media and communication. Given the fact that people are extensively using various forms of social media, email and cloud computing services the chances of their personal information and data being adversely or prejudicially misused or compromised are extremely high and probable. In fact there is an immediate need for the legislature in India to either amend the existing laws governing the use of internet / services provided by the service providers hosting social media websites and email or enact an altogether entirely separate and stand-alone legislation which amongst other issues deals with matters affecting data retention and its use and in the absence of which there is a grave risk of a person’s data being misused to his/her detriment.