Data Privacy: Current & Upcoming Laws

Right to Privacy is an essential fundamental right that has been enshrined in the Indian Constitution under Article 21 after the case of Justice K. S. Puttaswamy (Retd.) & Anr. v. Union of India & Ors. The right also covers the aspect of informational privacy and thus, is an invasion of the data privacy of an individual would lead to the infringement of the fundamental right to privacy.

Recently, the Orissa High Court, in the case of Gugul v. State of Odisha, emphasized the need for Right to be forgotten[1]. The court stated that the pictures and videos of a rape victim on social media platforms are an infringement of their right to privacy and thus stressed upon the need for a mechanism that could permanently delete the data from the internet and thus, the Right to be Forgotten came into picture.

Origination of Right to be Forgotten

The Right to be Forgotten came into existence in the year 2014, where the European Court of Justice (ECJ) gave a judgment in favor of a Spanish man who was unhappy that his name when searched on Google displayed a newspaper article from 1998[2]. The man approached the newspaper office in 2009 and asked them to remove the article since it was not relevant but they refused to do so. He, then, approached Google to do the same. Later, the ECJ gave an order directing Google to delete the irrelevant data from their search as requested by a public member.

The European Union (EU) incorporates the right to be forgotten in the Recitals 65 and 66 under Article 17 of the General Data Protection Regulation (GDPR)[3]. The Article states that it is the right of an individual to obtain the data from the controller and have it erased without any delay and the controller is obligated to erase that data without any delay. Article 17, which defines the right to be forgotten is dovetailed with Article 15 which contains the people’s right to access their personal information.

Article 17 also provides guidelines pertaining to when the right to be forgotten will apply. These include:

  1. The personal data collected by the organization is no longer required.
  2. The individual withdraws consent to use his or her personal data.
  3. The personal data of the individual is used by the organization for marketing purposes.
  4. The organization is processing personal data for legitimate interests and the individual objects to such processing then the organization cannot process that data.
  5. Unlawful use of personal data.
  6. Erasure of personal data by the organization to comply with the legal ruling, etc.

But there are also some instances where the right to be forgotten can be overridden by the organization’s right to process someone’s data. The GDPR has specified such instances and they are as follows:

  1. Data is used for exercising the right to freedom of speech and expression and information.
  2. Data is used for complying with the legal ruling.
  3. Data used to carry out a task in the public interest or when an organization exercises official authority.
  4. Data used for public health purposes.
  5. Data used for performing preventive and occupational medicine.
  6. Data used for exercising legal defense, etc.

Thus, the right to be forgotten prevails in the EU but it too does have exceptions where it can be surpassed by other rights. From this, we can conclude that the Right to be Forgotten is a human right that is not absolute.

Status of the Right to be Forgotten in India

In India, the right to be forgotten as of now has not been implemented. The B.N. Sri Krishna Committee has laid down a report which emphasized the need that the consent of an individual should be obtained to process their personal data. Also, the draft of the Personal Data Protection Bill, 2018 has a section of Right to be forgotten but the bill does not provide for the right to erasure. Section 27 of the Personal Data Protection Bill 2018 has recognized three scenarios or instances where the Right to be forgotten will be applicable if:

  1. The data of the individual is no longer necessary
  2. The individual withdraws his or her consent to use personal data.
  3. The data is in contravention to the laws of the country.

An officer will be appointed to determine the applicability of the three scenarios and then he or she will have to determine whether the right to be forgotten overrides the right to freedom of speech and expression and information. The provision of right to erasure of data as prevailing in the EU is not applicable in India but it might be included later on as the bill is still in debate before the parliament and if approved, then it will become a law.

Implementation of the Right to be Forgotten in India

The Right to be forgotten is regarded as a Human Right but implementing it in India would be a tough task since firstly the court observed that there is no law in the country under which this right can be included and it was suggested that this right should be included in Article 21 and they also stated that many European countries have already recognized this right and the Orissa High Court became the first institution in the country who emphasized on the implementation of this right.[4]

Also, as discussed above, there is a provision that allows for the appointment of an adjudicating officer. The flaw in this provision is the individual still does not get the right to remove his personal data since it is upon the determination and discretion of the officer to determine whether to remove or not remove it. India is a country where the problem of corruption is deep-rooted and there may be instances where the adjudicating officers can be bribed and thus the individual’s personal datas might not be removed.

Solution to Proper Implementation

One of the options which can be exercised for the proper implementation of the Right to be forgotten is end-to-end encryption which is used by WhatsApp. But what is end-to-end encryption? Before we discuss end-to-end encryption, let’s first learn about the term ‘encryption’. Encryption is an old technique that was used during the World Wars in which the message was converted into an indecipherable format. Encryption, in this modern era, is computer-generated. In this, a normal encryption is generated in which the data by the sender is deciphered by middlemen and then is encrypted again for the receiver. In such a case, the deciphered data remains with the middlemen. Thus, this encryption gave rise to a new technology called end-to-end encryption. End-to-end encryption is a more secure form of encryption where the role of the middlemen is absent and thus the cypher remains undisturbed but like everything thing in this world has pros and cons, end-to-end encryption has the biggest con which is that it will provide a safe space for the criminals to conduct illegal activities like transferring of illegal money, etc.

Privacy Laws in the Digital Age

Another reason why encryption technology cannot be implemented in India is that encryption is not illegal in India. Thus, there is no bar on anyone for encrypting the messages and data and transferring it to anyone and would also prove to be a hindrance in the recently recognized right to privacy in the domain of economic activities in cyberspace.

Personal Data Protection Bill, 2019

The Personal Data Protection Bill, 2019 was introduced by the Ministry of Electronics and Information technology in Lok Sabha. It was inspired by the principles of the General Data Protection Regulation, 2016. The aim and premise of this bill is to protect the details of individuals and establish a Data Protection Authority for the same[5]. It intends to regulate data usage by state and private entities. It governs the processing of data by both governments and companies incorporated in India. It also governs foreign companies if they deal with the personal data of individuals in India.

Importance of the Personal Data Protection Bill 

As half of the world population have started using the internet for various purposes, the concern about data is very important. The smartphone that we use has AI that analyses us. It collects information about us from our habits to health issues. And usage of these AI technologies is inevitable in this 21st century. So, it is very important to protect the details of the individuals. Thus, countries around the world have started to pay attention to creating data-related laws and policies to protect people.

Regulation of  Personal Data 

In India, the protection of data, its usage, and issues related to it is regulated by the Information Technology Rules, 2011 under the IT Act, 2000. This rule states that a company shall be held liable if any negligence happened while maintaining data security standards.

Individuals’ Rights over Data

Any processing of data can only be done by the consent of data principle. This bill provides certain rights to data principles with respect to their personal data, such as confirmation on whether their personal data has been processed, seeking correction, completion, or erase of their data, and restricting continuing disclosure of their personal data.

Joint Parliamentary Committee (JPC)

To examine and provide recommendations on the said bill, a Joint Parliamentary Committee (JPC) is formed. It was constituted in December 2019. It consists of 20 members from Lok Sabha and 10 from Rajya Sabha. On 21st September, P.P. Chaudhary (Member of JPC) moved the motion for a time extension. Through a voice vote, the motion was passed by Lok Sabha. The house extended the time up to the second week of the winter session of the parliament 2020 for submission of reports and recommendations.


As per the report, Clause 35 of the bill is an issue of concern. The clause provides immunity to governmental agencies from the application of this bill for reasons of national security, integrity, sovereignty, public disorder, and friendly relations with foreign states. It is merely giving a blanket for governmental agencies to conduct surveillance. Some of the suggestions in the bill could be restrictive for service providers and enterprises said the Internet and Mobile Association of India. It also stated that it may not be possible to achieve India’s target of a $1 Tn digital economy by 2024. To protect the data of individuals and to establish a Data Protection Authority for this purpose, this Bill was introduced. The bill has recently been referred to the Joint Parliamentary Committee (JPC) to examine it and make a report on the same.


The bottom line of the above discussion is that the Right to be forgotten would be highly beneficial legislation for India but such legislation would have to balance with other laws which might be a herculean task. If balanced legislation is not achieved with respect to Right to be forgotten then it would lead to a lot of troubles such as terror funding operations, drug cartels, etc., and thus, in my opinion, some way or the other, it will also violate the right to privacy. So, the Orissa High Court has taken a commendable step but it will take a long time to implement such a right in India.


[1] Orissa High Court calls for right to be forgotten, available at: (last visited on March 25, 2021).

[2] What is right to be forgotten in India? , available at: (last visited on March 25, 2021).

[3] Right to be forgotten, available at: (last visited on March 26, 2021).

[6] Implementation of Right to be Forgotten, available at: (last visited on March 27,2021)

[8] Joint Parliamentary Committee on Personal Data Protection Bill, available at: (last visited on 27 March, 2021)


Leave a Comment

Your email address will not be published. Required fields are marked *