Centre for Internet & Society

Though India needs a comprehensive law on the right to privacy, it may not be ready for something as avant garde as the “right to be forgotten” on the Internet, argues Shuma Raha

The article by Shuma Raha was published in the Telegraph on July 16, 2014. Sunil Abraham gave his inputs.


If you do a Google search for journalist and television personality Barkha Dutt, a raft of scurrilous information about her pops up. It isn’t tucked away somewhere on the 10th page either — it’s all up front, right there in “autosuggest”, almost prompting you to go and check it out. And thanks to Google’s search algorithm, the more people click on that link, it further strengthens the score for that “hit”.

Dutt says she has brought the matter to the attention of Google, but to no avail. “I have lost interest in the whole struggle,” she says. “But Google definitely needs to do something about the slanderous, inaccurate, fictional information out there that creates a narrative of its own.”

Well, in Europe at least, the tech giant has taken a step in that direction. Late last month, it started erasing search results that threw up information deemed to be “irrelevant”, “outdated” or “excessive”. The move came after the European Court of Justice ruled that Internet search engines would have to allow people the “right to be forgotten” in specific cases and accordingly, take down information about them.

The European Court ruling has triggered a huge debate since an individual’s right to be forgotten seems to be at complete loggerheads with people’s right to know. Nevertheless, it’s a landmark decision when it comes to right to privacy on the Internet. After all, the online space has perma-memory and inaccurate or irrelevant or outdated information about a person can be embedded there forever, damaging him or her in manifold ways.

So how far are we in India from securing the right to be forgotten on the Internet?

The short answer to that is, very far. That is because India does not have a well-defined privacy regime wherein one could envisage a court of law handing out a similar — and some would say a somewhat radical — order on a Google or a Bing. “The right to be forgotten is a bit too advanced for us,” says Sunil Abraham, director, Centre for Internet and Society, a non-profit organisation that works on policy issues relating to freedom of expression and privacy. “After all, we are yet to come up with a privacy and data protection regime that implements the best practices of European countries.”

Adds Apar Gupta, a Delhi-based lawyer, who has written extensively on privacy issues, “Sector specific privacy legislation do exist, but they do not provide substantive rights or efficient remedy in case of violations.”
No one disputes that India should get a right to privacy law, especially one that relates to the collection, processing and use of personal data. Right now the government’s surveillance mechanisms like the Central Monitoring System and the Lawful Interception and Monitoring Systems allow security agencies and income tax authorities to intercept communication, snoop on phone conversations, read emails and SMSes with little or no safeguards for privacy protection.

A right to privacy bill has, in fact, been in the works since as early as 2011. But the government has been dragging its feet over it. Early this year, a new version of the draft bill was “leaked” to the press. But few are happy with it. On the positive side, it raises the penalty for unlawful interception of communication (from Rs 1 lakh to Rs 2 crore) and increases penalties for other offences such as obtaining personal data under false pretexts. But crucially, it almost wholly exempts intelligence agencies from the purview of the law, thereby allowing them unbridled access to personal information. Of course, no one knows if this “leaked” draft is indeed the official one.

Experts say that the government should really formulate a right to privacy law based on the recommendations of a committee chaired by Justice A.P. Shah. The report, which was published in 2012, proposes that the right to privacy be statutorily extended to all Indians. It recommends, among other things, the appointment of privacy commissioners and the formulation of certain “national privacy principles” such as taking the consent of the individual prior to the collection of data, allowing him the choice to withdraw such consent, limiting the use of personal information to the stated purpose and so on. The privacy principles would apply to all data collectors in both private and public sectors.
There are, of course, a number of provisions in existing laws that relate to privacy. For example, Rule 419A of the Indian Telegraph Rules, 1951, sets down certain privacy safeguards such as maintaining details about the officer ordering an intercept of telecommunication.

Moreover, Section 66E of the Information Technology Act, 2000, prescribes “punishment for the violation of privacy” (in the context of capturing “private” images of a person without his or her consent); Section 43A lays down that a “body corporate” will be liable to pay compensation in case it fails to protect personal data gathered in the course of its operation; and Section 79 stipulates that “intermediaries” — entities such as Google, Facebook, Twitter — would have to take down any information stored or transmitted by them that is found to be grossly harassing, defamatory, blasphemous, obscene, pornographic and so on, within 36 hours of being notified.

Of course, this section of the IT Act has been roundly criticised as arbitrary and Draconian, but that is another story.
The point is that despite the fair number of privacy provisions, in the absence of a comprehensive law, the untrammelled and unauthorised use of personal data cannot be ruled out. “Every country in the world collects personal data. But once the data are collected for a particular purpose they should not be used for any other purpose. The law has to be in a position to catch the violators,” says Kamlesh Bajaj, CEO of Data Security Council of India, an organisation that works to promote data protection and privacy best practices.

As always, the key issue is that an individual’s right to privacy has to be balanced with public interest. And it is in that context that experts feel that even if India were to have a privacy law, it is probably not ready for something akin to the European Court ruling on the right to be forgotten. As Gupta says, “It raises a real danger of public personalities blocking legitimate journalism on grounds of privacy. This is specially true in a country like India which permits a high degree of illegality in the name of secrecy and confidentiality.”

Abraham agrees with that view. “I’m not sure if the right to be forgotten will enhance privacy or usher in a level of censorship,” he says.

As Europe grapples with that debate, India’s privacy warriors are asking for something far more fundamental — a comprehensive law that guarantees the right to privacy to all.