EDPB Decision on noyb complaint against Meta is ultra-vires its authority and unfair

After GDPR became effective on May 25, 2018, many businesses had to re-work their personal data handling methods to ensure that the collection meets the requirements under Article 6 of GDPR related to “Lawfulness of Processing”.

Article 6 of GDPR  lists 6 options for lawfulness and says that processing shall be lawful if atleast one of the six conditions apply.

The six options are

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Apart from the “Consent” the Article lists “necessary for performance of a contract to which the data subject is a party”.

Meta accordingly added in its “Terms and Conditions” that personal data of the data subject may be used for the purpose of personalized advertising and considered it as part of the “Contract”. (Presume this was done during the period prior to May 25 2018)

“noyb” an Activist group of Max Schrems  filed a complaint on 25th May 2018 itself objecting to the Meta practice. Hence this represents the Pre-GDPR practice which was challenged. The Irish Data Protection Commission (DPC) did not agree with ‘noyb’ and a further appeal landed with EDPB. On January 4 2023, the EDPB came up with its decision overruling DPC view and holding that use of data for personalized advertising can be done only through a “Consent” and not through “Contract”.

This means that Article 6 (1) (b) of GDPR cannot be used and only 6(1)(a) is applicable for this use.  EDPB has every right to interpret this clause the way it wants but such interpretation is subject to Judicial review and would be fair only if it is prospective. The correct decision should have been an advisory to Meta to change the procedure subject to its right for a further appeal.

However EDPB decision to overrule the decision of the Irish Data Protection Commission (DPC) and holding that META is “Bypassing” GDPR through the measure and coming down heavily with a fine of over $300 million does not seem to be a fair decision. It appears to be guided by a sense of vindictiveness on Meta or perhaps an outcome of  Irish and Non Irish division in the EDPB.

The decision of EDPB may not appear correct from the judicial perspective since “Terms and Conditions” which are part of an online service is recognized as a contract and it was well within the rights of Meta and DPC to accept it as a Lawful basis since the data subjects has accepted the contract.

The argument would be whether the “personalized advertising” is  an acceptable use or not and whether it should be considered as “Necessary for the service” or not.

If Meta considers that “Advertising Revenue” is essential for its existence, it may argue that personal advertising is “Necessary” for the service and therefore it can seek consent as part of the Terms. If the user does not accept the Terms he can opt out of the service.

To insist that a service provider should provide the service but he should only use certain revenue sources as “Content Based Advertising” and not “User identity based Advertising” is an intrusion into the policies of structuring of a commercial service.

Since this decision of EDPB is an over ruling of GDPR Article 6 which says “Any one of the following applies..) it may be considered “Ultra Vires” the authority of EDPB.

I therefore consider that the decision of EDPB is unfair and would not be surprised if a judicial authority overturns this decision.

Refer for details here: noyb.eu

Also refer: Meta’s new year kicks off with  $410M+ in fresh EU privacy fines

PS: Counter views are welcome

Naavi

P.S: The EDPB decision does not accord additional protection to the data subject since it does not prevent collection of personal data.  It only suggests that there shall be no personalized advertisement without specific consent. The personalized ads only appear when the data subject is viewing the content himself. Hence it is difficult to see what kind of  “Harm” is caused by such advertising.

Also read.. Advertising Profile

Naavi

 

Posted in Cyber Law | Leave a comment

New Year Resolution -2023

Today is the last day of the year 2022. As we prepare for the New Year, many of us would think of how we celebrate the night of 31st welcoming the new Year.

But what professionals need to also think about is what they need to achieve in the year 2023 which is good for themselves and the society around them.

We therefore need to look at the New Year Resolution for each one of us which can be one or more goals to be achieved in the coming year.

This year, let us not make the new year greetings just wishing a happy new year. Let us prep it up with our own New Year Resolution and urge others to adopt a positive and beneficial new year.

Naavi Wishes all his friends a Happy New Year with the following New Year Resolution.

    1. This year shall be the year of “Neuro Rights Awareness” in India. Just as I have been working on Cyber Law Awareness, Data Protection Law awareness, time has come to work for Neuro Rights awareness and this shall be the prime agenda of Naavi-2023.
    2. In Continuation of the work on Data Protection Law, assuming that the Government of India does pass the law during this year, I will continue to educate the society with  the need for Compliance. Towards this end, I will continue to refine the Data Protection Compliance Standard of India (DPCSI) along with Data Valuation Standard of India (DVSI). This will be the second point of agenda of Naavi-2023
    3. The third point of agenda of Naavi-2023 is strengthening FDPPI with the new initiatives such as the Federation of Data Protection Consultants (FDPC) and the Data Disputes Mediation and Arbitration Platform (DDMAP).

Happy New Year to all of you hoping that you would all provide your support to enable me meet my Agenda 2023.

Naavi

Posted in Cyber Law | 1 Comment

BASIC STRUCTURE THEORY – A PROPOSITION CONTRARY TO THE FIRST PRINCIPLES OF JURISPRUDENCE.

Recently Union Minister of Minister of Law  has been raising questions on the relationship of the Executive and the Judiciary in respect of appointment of Judges. (Refer here).

Another question which has been bugging me always is the Supreme Court’s tendency to jump into every executive decision and scrutinizing it from the Constitutional view point ignoring the need to keep limits between the Executive and Judicial functions.

In this respect what is intriguing is that our Constitution has been amended so many times including the Preamble itself but we still discuss that the “Basic Structure” cannot be altered. There appears to be inconsistency in the approach of the Supreme Court in such matters. I am also reminded of the Justice Chelmeshwar’s statement in the Puttaswamy case

” To sanctify an argument that whatever is not found in the text of the Constituion cannot become a part of the Constitution would be too primitive an understanding of the Constituion and contrary to settled cannons of constitutional Interpretation”

(Please see more at “Does Written Text of the Constitution not have any sanctity?)

The above comment of Justice Chelmeshwar underscored the arrogance of the Supreme Court that they can not only interpret and read down the constitution but also go beyond the written constitution and lay down principles not mentioned in the Constitution at all.

As a common citizen I cannot understand how Supreme Court can usurp such powers and re-define Constitution according to their whims and fancies. In such situations the debate always veers around to the powers of the Supreme Court and the Executive as regards the Constitution where the Keshavananda Bharati judgement is often cited.

In the light of the above, it was interesting to observe a post from Advocate Mathew J Nedumpara, a veteran advocate who calls a Spade a Spade which has been reproduced here with his permission.

Mr Nedumpara clearly lays down certain principles which expose the fallacy in the approach adopted  by the Supreme Court in the NJAC case. It warrants some introspection by the Supreme Court.

Otherwise the effect of Keshavananda Bharati judgement is to freeze the Constitution along with all the basic structure amendments made upto a particular date and there after not allow any amendments that become necessary with the passage of time.

This also means that India is not a Parliamentary democracy but a Court administered Country in which Parliament is subordinated to the NJAC controlled Judiciary.

Wonder if there are any similarities of this structure to what we find today in Afghanistan where a self appointed “Council” lays down the laws of the nation for the executive to follow.

Naavi

A Guest Post from : Advocate Mathews J Nedumpara

Kesavananda Bharati’s case is hailed to be the most important judgment ever rendered by the Supreme Court of India. The case was heard by the full court consisting of 13 judges. The case was argued for 6 months and the judgment consists of half a million words. Even the common people have heard of the judgment.

In the said case, the Supreme Court laid down a doctrine called ‘basic structure’ and said that while the Parliament could amend every article of the constitution including those concerning the fundamental rights, but not the ‘basic structure’.

The judges would not have, even in their wildest of dreams, ever contemplated the extent to which the said doctrine would affect the constitutional law of this country. We have a written constitution. Many modern democracies, including the United States, Canada, Australia have written constitutions like we have. Wherever there is a written Constitution, it provides for a mechanism for amendment. Article 368 of our constitution empowers the Parliament to amend the Constitution, except for certain matters, by a Bill which has been passed by each House by a majority of the total membership of that House and by a majority of not less than two-thirds of the members of that House present and voting and which has been ratified by not less than one-half of the states.

By the Constitution (24th Amendment) Act of 1971, the Parliament expressly made it clear that the constitutionality of a Constitution Amendment Act is not justiciable.

It was in the backdrop of the said amendment that the Kesavananda Bharati case came to be instituted and a split judgment in the ratio of 7:6, popularly known as the ‘fundamental rights case’, came to be delivered. The basic structure doctrine meant not mere re-writing of the constitution, but destroying one of the core features of the constitution, namely, balance of powers or separation of legislative and judicial functions.

Prior to Kesavananda Bharati, one could invoke the jurisdiction of the Supreme Court under Article 32 if his fundamental rights are violated for remedies in nature of various writs. After Kesavananda Bharti, petitions are filed in the SC pleading violation of no fundamental rights, but on the premise that the basic structure of the constitution is infringed. In Minerva Mills, on that premise, Constitution (42nd Amendment) Act was struck down. In 2014, the National Tax Tribunal was struck down on the premise that it is violative of the basic structure of the constitution!

As a law student, almost 40 years ago, I was told that any “person aggrieved”, meaning any person who has suffered a legal injury at the hands of another which will entail him remedies in law can approach a court, and that access to justice is the birth right of every citizen. ‘Right, remedy, forum’, nay, in other words, without a right being infringed, there is no room for the law entailing you any remedy. And without right and remedies, there is no question of any court to enforce it.

But Kesavananda Bharati, meant that one can approach the highest court of the country without recourse to any other court when he has admittedly not suffered any legal injury, simply because he feels the basic structure of the constitution has been infringed. I am not being sarcastic. I am dealing with the reality.

The SCOARA, the premier lawyers body of the Supreme court, challenged the Constitution (99th Amendment) Act, which provides for NJAC, a body consisting of the Chief Justice of India and the two senior most judges, 2 eminent persons representing the civil society to be selected by a committee consisting of the PM, the CJI and the Leader of the Opposition and the Law Minister as the 6th member representing the executive, on the premise that it is violative of the “basic structure”.

Shockingly, the said plea was accepted, the entire Constitution Amendment Act which had received the unanimous approval of both Houses of the Parliament and 21 State Assemblies, was struck down.

Since the judgment ran into 1034 pages, few would have read and even those who have read it probably may not have understood the “principle/reason” for which it was struck down.

It would shock you that the reasons are that:

(a) the independence of the judiciary is one of the basic structure of the constitution which the Parliament has no power to abrogate,

(b) the core of that independence of judiciary is not in the discharge of its judicial function independently and impartially post appointment,

(c) the core of the independence is in appointments,

(d) that this core is secured when the Chief Justice of India has “primacy” and therefore the word ‘consultation’ used in Articles 124 and 217 does not mean consultation, it does not even mean concurrence, but “primacy”,

(e) the “primacy” does not mean the primacy of the individual opinion of the CJI, but the opinion of the collegium of judges,

(f) that the “primacy” of the collegium in the matter of appointment and transfer of judges is an integral component of the “basic structure” of the constitution by virtue of the judgement in the Judges-2 case,

(g) that the validity of the 99th Constitutional Amendment ought to be tested on the touchstone of the judgement in the Judges-2 case and

(h) that the constitutional amendment is in violation of the Judges-2 case; it is unconstitutional.

As a student of law, I cannot imagine of a concept which is so destructive of the first principles of jurisprudence than the basic structure doctrine, which is hailed as the greatest contribution of the Supreme Court to our constitutional law.

Hundreds of judgments are rendered, even by constitutional benches, on wide ranging issues, relying on the basic structure theory, which in all humility, I hold to be against the first principles of jurisprudence.

Law is a very simple subject. It is nothing but reason; common sense. Kesavananda Bharati, so too the hundreds of judgments which pronounce that the judgements of the Supreme Court are the law of the land by virtue of Article 141, and now by virtue of Article 142 as well, are, in all humility, are rendered against the first principles. The subtle but real distinction between the concept of res judicata, res inter alios acta, stare decisis, judgment in rem and judgment in personam are failed to be noticed.

The concept of Rule of Law is built on the doctrine of estoppel res judicata. Stated in simple words, it means that, a judgement in a case between A and B will bind them, no matter how erroneous the judgement could be. The doctrine of res inter alios means that a judgement in which one was not a party will not bind one. In other words, C, D and others are not bound by a judgment in a case between A and B. However, there is an exception, namely, judgements in rem, namely, judgments as agaisnt the whole world. All judgements except those concerning status are judgments in personam. It will not bind any except those who were party to the proceedings. As aforesaid, most judgements are in the realm of judgments in personam, except judgments in criminal cases or those concerning status. For instance, a judgment in a suit for divorce where divorce is granted, the judgment is one rendered in rem, as against the whole world. Where divorce is rejected, the judgment is one in personam, because there is no change of status.

The doctrine of res judicata estoppel is co-related to the concept of ’cause of action’. Unless the cause of action and the parties are the same, there is no res judicata. There is no Estoppel against law.

No judgment of the Supreme court, even of the full court of the SC, even Kesavananda Bharati, constitutes to be estoppel res judicata except to those who are parties to it. The judgment in Kesavananda Bharati will not bind me or you. It will only bind the parties to that case and is res judicata in so far as the cause of action which came to be decided is concerned.

Article 141, understood in its correct perspective, will not make that judgment binding on me or you. However, in this country and nowhere else, may be because Article 141 is so misunderstood, judgments of the SC are treated as legislation, and even beyond. In the NJAC case, the judgment of the SC in the Judges-2 case was given a status even higher than that of Article 368 of the Constitution. To repeat, the 99th Constitution Amendment Act was struck down because it is in breach of the Judges-2 case and the basic structure theory propounded therein.

In the name of the basic structure doctrine, the will of the people as reflected in the 99th Constitution Amendment Act, to dismantle the collegium system where judges appoint themselves, which has proven to be nothing but a synonym for nepotism, a creation of the Judges-2 case, was struck down and the collegium was restored. In other words, the mechanism of judicial review, a sacrosanct concept recognized in all modern legal systems as a tool for the enforcement of basic rights, is being used in India to subvert the will of the people- the supreme legislature.

My thoughts delve into these issues because I believe in democracy and am concerned about its future, in particular the future of the Supreme Court. The Supreme court is hailed to be the most powerful court on the planet. People file thousands of PILs, calling upon the court to resolve all problems of mal-administration which the country faces today, which the court will certainly not be in a position to handle. The criticism the court will invite where it fails to deliver as an executive in substitution will lead to large scale public resent and criticism. The power of contempt which was used during the days of inquisition and the Dark Ages will not be able to save the court. Allowing the executive to be demonized using PIL as a tool also does not augur well for democracy.

Mathews J Nedumpara

P.S: The most interesting part of the Keshavananda Bharati judgment is the statement

the core of that independence of judiciary is not in the discharge of its judicial function independently and impartially post appointment

Naavi

Posted in Cyber Law | Leave a comment

Defining Personal Data under Naavi’s theory of Privacy (“Nee Maayeyolago, Ninnolu Maayeyo” )

While discussing Data Protection and “Privacy Protection through Data Protection” or “Information Privacy”, the critical aspect is to have a clear definition of what is “Personal Data”.

We may recall that under “Shape of Things to Come” series of articles Naavi suggested that the New Data Protection Law of India should define “Protected Data”, “Protected Person” and go ahead to prescribe the obligations of the data fiduciary.  However this suggestion was ignored and DPDPB2022 has defined “Personal Data” and “Data Principal” in a conventional manner as under.

“personal data” means any data about an individual who is identifiable by or in relation to such data”

“Data Principal” means the individual to whom the personal data relates and where such individual is a child includes the parents or lawful guardian of such a child;

It is observed that the definition of Personal data in DPDPB 2022 is that “personal data” means any data “about” an individual who is identifiable by or in relation to such data;

On the other hand, at present, the Data Protection Law of India which is Section 43A of ITA 2000 defines Personal Information as

“Personal information” means any information that relates to a natural person,
which, either directly or indirectly, in combination with other information available or likely to be available with a body corporate, is capable of identifying such person. “

At the same time GDPR defines Personal Data  and data subject using the following definitions

 ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’);

…an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

In all these definitions, there are two elements namely the “Data” and the “Data Principal or Data Subject”. The nature of data that is defined as personal data is “About” and is “Related to the data subject/principal” and is capable of being identified as related to or about the individual who is recognized as the data subject/principal.

GDPR uses the term “Identifiers” while ITA 2000/DPDPB2022 does not. The concept of “Identifier” is absent in DPDPB 2022 and it can have its own consequences in some instances.

In GDPR we need to distinguish between “Identifier” and “Identified Information” as two distinct elements of personal data. In the Indian Context, “Identifier” itself becomes “Information” that is identifiable with a data principal. This leaves us an enigmatic challenge “Is a person identified with the identifier” or “Identifier identifies a person”

(Reminds me of  a devotional composition in Kannada by saint Kanakadasa and made immortal by the singing of late Dr Rajkumar,titled  “Nee Mayeyolago, Ninnolu Maayeo“, (This composition discusses whether the human being is within the consciousness or consciousness is within the human being as a philosophical concept. Translation of lyrics in English  )

This discussion is relevant in defining the “Profile”, “Data Portability”, “Right to Forget” which are all concepts that form part of the Data Protection debate.

In the Kerala Judgment on Right to forget the judgement held inter-alia that the copy of the Judgement containing the identity of the individuals is part of “Personal Data” of the individual and went about discussing circumstances when the identities have to be redacted and circumstances when they are part of the Open Data etc. It is also presumed that this concept has been recognized under the Puttaswamy Judgement as well as the other discourses on Data Protection.

According to this hypothesis, personal data with a data fiduciary consists of

a) Data Supplied by the data principal

b) Data Generated by the Data fiduciary during his encounter with the data principal

c) Data gathered about the data principal from other sources and tagged with the data principal

d) Inferences drawn from all data tagged with the data principal as well as other data some of which can even be non personal data, environmental data etc.

All these are together considered as the “Profile” of the data principal.

In exercising the Right to Portability and Right to Forget, we try to include this entire profile as the personal data of the individual.

In this context, the Health Data created by a hospital, Financial data created by a  lending organization, Mobile usage data created by a Telecom operator, Buying habit data created by an E Commerce company, The criminal profile created by a Law Enforcement Agency and the Judgement created by a Court are considered part of the Profile to be ported or purged.

This often gives raise to a conflict between the IPR of the data fiduciary in creating the profile whether it is the property of the data principal or is the property of the data fiduciary. In “Porting” it may be acceptable to delete that part of the profile that constitutes “Trade Secret” but this is a small part of the profile since most of the profile consists of “Copyrightable” material and not trade secret and hence if we accept that the information built by the data fiduciary is part of the personal data then the entire profile becomes the presumed property of the data principal which needs to be ported or purged or transferred to a nominee when such requirement arises.

Under Naavi’s “Theory of Data”  which we have discussed in several articles in this website we had identified a hypothesis titled “Additive Value Hypothesis” where I had advocated that the value of data changes during its life cycle and at different stages different stakeholders may add value and that should belong to the stake holder who adds such value. (Ed: Since the same theory advocates that Data is the eyes of the beholder, addition of value to one person may be reduction in value for another person)

Under this hypothesis, when a data fiduciary generates “Knowledge” from the data provided by the data principal, the “Additional knowledge” belongs to him and is not part of the profile to be ported or purged (or transferred under nomination if available) as the case may be.

I therefore would like to suggest that the “Judgement of a Court about an individual” is not to be considered as “Personal Data” on which the individual has a right of modification or right to dictate restricted disclosure. This data is “Sovereign Data” belonging to the Court and the Court alone has the right to dispose it in a manner it deems fit.

Hence I would like to advocate a modification to the Kerala Judgement and not recognize the Right to Forget as extending to the Court judgements.

(P.S: This is proposed as a academic thought by Naavi a Research Student of Theory of Data or Theory of Privacy and not an advisory for compliance by Naavi the Data Protection Consultant)

In the “Shape of Things”  series of articles, I had therefore suggested the definition of data to include a category of data which I had called “Joint Data” where multiple persons may hold a right on a data element. The disposal of “Data Generated during a transaction between multiple parties” should therefore be subject to the principle of “protecting the interests of all joint owners” and such data cannot be considered as an exclusive property of an individual.

Once this argument is accepted, there will be problems regarding health data or financial data etc. The business may start monetization of the data to the detriment of the data principal.

This is the “Risk of Harm” of which “Advertising” and “Monetization” could lead to risk of loss of reputation etc.

I had addressed all these aspects in the “Shape of Things”  series of articles though I believe no body observed the in depth meaning of many of my suggestions. I had suggested a higher level of consent for “Advertising Profiling” and “Monetization” of personal data to take care of preventing privacy harms to the individuals.

I re-iterate that

“Data Principal” only has a right  of disposal regarding the data supplied by him to a data fiduciary and the value and right of information built over it by the data fiduciary belongs to the data fiduciary. The Data Fiduciary should be able to obtain an appropriate consent including “Discovery Consent” to use the personal data supplied by the data principal for the commercial benefit of the Data Fiduciary.

Further the Court in the case of Judgements is not a “Data Fiduciary” in the normal sense (even lesser so than a Hospital that generates medical records or a Bank that generates financial records of an individual) and hence is not obligated to protect the Privacy of the individual by redacting the names of the litigants, or witnesses or counsels or the judges.

If however, the Court has reasons of security such as witness protection or need to protect the dignity of an individual as in cases that deserve in-camera hearings, it may exercise its discretion to redact the identity of individuals from public gaze while retaining it in its own records just like pseudonymization of disclosed data by private data fiduciaries.

In the case of commercial entities such as Hospitals and Banks or Data Analytics companies who also generate value added data, the consent should cover whether there are rights  of use of the data in identified or pseudonymized or anonymized form by the data fiduciary since it also has a right on the profile.

These may be considered as thoughts for academic debate. I request academicians to participate in the debate.

(P.S: As already stated this is proposed as a academic thought by Naavi a Research Student of Theory of Data or Theory of Privacy and not an advisory for compliance by Naavi the Data Protection Consultant.

These conflicts have been resolved for compliance purposes in the Data Protection Compliance Standard of India which incorporates the concepts of higher level of consents such as monetization consent or witnessed consent)

Naavi

Other Recent Articles on the Right to Forget:

1 Hats off to Kerala High Court for it’s treatise on Right to Forget
2 Hats off to the Kerala Judgement on Right to Forget..2: Ratio Decidendi in Puttaswamy Judgement
3 Hats off to the Kerala Judgement on Right to Forget-3: Right to Forget is not Right to Anonymity..
4 Hats off to the Kerala Judgement on Right to Forget-4: Need for Transparency in Judiciary
5 Hats off to the Kerala Judgement on Right to Forget-5: Evolution of the Right to be forgotten

Right to Erasure and Right to Forget.. Are they same? (24th November 2022)

Right To Forget ..in Madras High Court  (August 6, 2021)

We should forget the “Right to Forget” in Indian Data Protection Act (DEC 15 2017)

Posted in Cyber Law | Leave a comment

Hats off to the Kerala Judgement on Right to Forget-5: Evolution of the Right to be forgotten

[This is a continuation of our earlier article on the Kerala Judgement on Right to Forget]

The Kerala High Court Judgement on Right to Forget is a landmark judgement for the reason that it went into details of the Definition of Privacy and evaluate the Right to Forget in the context of need to ensure transparency of the Court proceedings.

The judgement also went into an analysis Right to Forget as a concept which finally resulted into the second conclusion that the Court came to namely, “The right to be forgotten cannot be claimed in current proceedings or in a proceedings of recent origin.”

In the course of its arriving at the decision, the Court observed as follows:

The right to be forgotten is a right that developed as a consequence of the dignity of an individual, adopted to forget the past and live in the present. It is based on the broader rights in Articles 7 and 8 of the Charter of Fundamental Rights of the EU (Charter).

The Data Protection Directive of 1995 (Directive 95/46/EC) contained no express right to be forgotten. But the Court of Justice of the European Union (CJEU) in its decision in the Google Spain v. AEPD [Case C-131/12 Judgment of the Court (Grand Chamber) Google Spain SL v. Agencia Española de Protección de Datos (AEPD], held that an implied right existed in the Directive.

In Google Spain v. AEPD, the grievance of the plaintiff was that links to newspaper articles relating to his insolvency proceedings were available on a Google search of his name. Contending that although the article was truthful, it injured his reputation and violated his privacy, thereby warranting erasure as it was no longer relevant. Although the CJEU did not direct the removal of the article itself which was published lawfully, it directed Google to remove links to the webpage containing personal information on any of the four conditions, such as where information was i)inadequate, ii)irrelevant, iii)no longer relevant, or iv)excessive in relation to the purposes of the processing at issue. This was to be applicable even to information published lawfully and that was factually correct.

The Court also recalled that

Article 17 of the GDPR lays down when a data subject can exercise the right of erasure, the obligation of data controllers to erase links to third-party websites, and the exceptions to the when the right can be exercised. This extends the “Right to Erase” to not only a right to get the information removed from the hands of the downstream data processors but also the other intermediary data consumers such as the websites. 

It may however be observed that DPDPB 2022 recognizes the Search Engines as part of the deemed consent provision under  “Public interest” .

The Court  considered the definition of Right to be Forgotten as  a derivation of part of “Internet Privacy” (or Information Privacy) related to individual autonomy rather than secrecy or intimacy. It also recalled that UK, France and US provides for the erasure of conviction records subject to the fulfilment of certain conditions. This is more a part of the “Right to rehabilitation” and is to be provided by data protection legislation.

This observation is relevant from the context that PDPB 2019 provided that Right to Forget is subject to Judicial Review at the Adjudication level and not an obligation of the Data Fiduciary. In such cases the conditions if necessary on granting such rights could be reviewed by the authority other than the data fiduciary.

The Right to forget is considered as subject to freedom of speech and expression, public interest in the area of public health, archiving for public interest etc. The ‘right to delisting’ and ‘right to oblivion’ are facets of the right to be forgotten in the digital context. The ‘right to oblivion’ is considered as a right which allows individuals to demand the deletion of personal information collected by information society services.

The Court then said

“The interpretation of the extent to which this right to be forgotten will be applicable in India, is an important consideration in determining the liability of the different stakeholders, actors, publishers etc. and the extent to which this right will be available in different judicial proceedings. Whether the right is available on current as well as future claims is a question to be answered by us in the context of the different factual matrices before us.” This right to be forgotten is predicated on the past, as is evident from its nomenclature which includes the term “forgotten”. Therefore, it can only apply retrospectively, on information that has already been disclosed, rather than being claimed to mask information ex-ante.”

The Court also remarked that

In the European context, the right to erasure is considered as the right to be forgotten. However, in the Indian context, we are looking at these concepts by relating them to fundamental rights.
We may have to distinguish this right on broader aspects. We have already observed that the right to be forgotten is predicated on the past. The right to erasure does not depend upon the passage of time or any period. Erasure means to delete. In the Indian scenario, these rights rest on fundamental rights not like in Europe, where it is based on European directives and more or less a regulatory mechanism exists related to data transmission or dissemination of personal information.

Therefore, the right to erasure cannot be understood in the same manner, as we refer to the right to be forgotten.

The right to be forgotten can be claimed to erase memory to move forward in life with dignity. Whereas, when the information is incorrect or irrelevant the right to erasure can be claimed.

This is an excellent clarification which removes the doubts in the minds of many data protection professionals. We hope this concept will be upheld by the Supreme Court also at some times in future.

It has been our contention that DPDPB 2022 has dropped Right to Forget but retained Right to Erasure. This clarification will help us distinguish between the two in terms of compliance. (Please refer to our earlier article where we elaborated this) .

The Court further clarified

In a given case,  a party, if implicated in a criminal case is later, on investigation found to be innocent and has no connection with the crime involved, such a party may be permitted to invoke the right to erasure immediately to delete all details published online. In a claim based on the right to be forgotten, what is to be considered is the interest of a party to erase memory related to events in the past and to build a future with sincerity and good deeds and move forward in life.

The Court also said

The mere extension of an Open Court system in a digital space cannot itself be called violative of privacy rights, in the absence of any law laid down in this regard by the Parliament. Law has already recognised the Open Court system…

The right to privacy is not invaded by any publication made in a court of justice, in legislative bodies, or the committees of those bodies; in municipal assemblies, or the committees of such assemblies, or practically by any communication. made in any other public body, municipal or parochial, or in any body quasi public, like the large voluntary associations formed for almost every purpose of benevolence, business, or other general interest; and (at least in many jurisdictions) reports of any such proceedings would in some measure be accorded a like privilege. Nor would the rule prohibit any publication made by one in the discharge of some public or private duty, whether legal or moral, or in conduct of one’s own affairs, in matters where his own interest is concerned.

Individual privacy rights must yield to the larger public interest in the absence of any legislation.

The Court has limitations in balancing interests affecting a class of individuals and that of public interest. This exercise has to be done by the Legislature. The Court, however, may address the fundamental rights claimed by individuals which might not have a bearing on the collective goal. The Court cannot assume the role of the legislature to address a class and command the law.

If the Court attempts to carry out such an exercise on a notion of upholding fundamental rights, it would in essence be encroaching upon the competency of the legislature to make laws. However, nothing prevents the Court from adjudicating individual grievances and balancing such individual grievances against public interest as referable under Section 8(1)(j) of the Right To Information Act, 2005 if such individual rights have reasons to depart.

The Court also recalled the Madras High Court decision Karthick Theodre v. Registrar General, and Others [2021 SCC Online Mad 2755] where it had been stated

There must be a proper policy formulated in this regard by means of specific rules. In other words, some basic criteria or parameters must be fixed, failing which, such an exercise will lead to utter confusion…..This Court honestly feels that our criminal justice system is yet to reach such standards where courts can venture to pass orders for redaction of name of an accused person on certain objective criteria prescribed by rules or regulations It will be more appropriate to await the  enactment of the Data Protection Act and Rules thereunder, which may provide an objective criterion while dealing with the plea of redaction of names of accused persons who are acquitted from criminal proceedings. 

We are, therefore, of the view that the Court cannot prevent the dissemination of case details in the public domain citing the privacy of individual litigants.

The Court also recalled that

The Hon’ble Supreme Court in its judgment in R. Rajagopal alias R.R. Gopal And Another v. State of T.N. And Others [(1994) 6 SCC 632] held that the right to privacy does not extend to Court records and other public records.

The Court also recalled part of the Puttaswamy judgement stating

If we were to recognise a similar right, (Ed: Right to be forgotten as in GDPR)  it would only mean that an individual who is no longer desirous of his personal data to be processed or stored, should be able to remove it from the system where the personal data/information is no longer necessary, relevant, or is incorrect and serves no legitimate interest. Such a right cannot be exercised where the information/data is necessary, for exercising the right of freedom of expression and information, for compliance with legal obligations, for the performance of a task carried out in public interest, on the grounds of public interest in the area of public health, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, or for the establishment, exercise or defence of legal claims. Such justifications would be valid in all cases of breach of privacy, including breaches of data privacy.

In individual cases, the Court may, after adverting to time and space, order the erasure of past records. However, nothing prevents the Legislature from bringing in Legislation recognizing the right to be forgotten to erase such records after the expiry of such period as it deems fit to fix. Further, laying down the grounds when such a right to be forgotten can be exercised is the prerogative of the Legislature. As the right to be forgotten is not an absolute right, it is crucial that the legislature enumerates the grounds when an individual can claim this right.

On the basis of the above observations the Court drew a distinction of “Present” and “Past Records” and the right to be forgotten can be considered only in respect of “Past Records”, By “Past Records” the Court perhaps meant after a criminal has served the sentence.

The Court went on to state

the right to be forgotten can be claimed as a right to erase past memory. The public records relating to the petitioners who were either accused or parties to the criminal proceedings cannot be erased forever. The digital space is a dynamic space allowing vibrant data to be refreshed without the constraints of time and space. The boundaries of privacy have no limitations in the digital space.

In the real world, humans have limitations created by space and time. In the normal course of human conduct, time will erase memory. This particular problem in a digital space of allowing information to remain forever would certainly affect the right claimed as a right to be forgotten. The internet has unlimited capacity to remember. The Court cannot generally balance the interest claimed by the individuals and the information available in the digital domain for eternity.

we are of the opinion that the claim to erase or redact personal information based on the right to be forgotten, in current proceedings or proceedings concluded recently is a myth and cannot be relied on to prevent the uploading of judgments in the Court Information System.

The Court hinted that Google is not a mere intermediary and  can adopt AI to create a tool and identify particular data and remove the same as necessary.

As regards India Kanoon which picks up data from public records such as the Case Information System,  Court has preferred to state

Reporting and publishing judgments are part of freedom of speech and expression and that cannot be taken away lightly without the aid of law.

Thus the Court left it to the Legislative to define Right to be forgotten and indicate the time after which certain personal data may be subjected to being sent to the oblivion.

In view of the above judgement, the responsibility is now cast on the MeitY to ensure that DPDPB 2022 provides suitable clarification regarding right to forget and how it can be distinguished from right to erasure.

Concluding Remarks

In conclusion it can be said that this judgement of honourable Mr Justice A Muhamed Mustaque and the honourable Mrs Justice Shoba Annamma Eapen assisted by Sri B G Harindranath,  as amicus Curiae has been an excellent contribution to the development of Jurisprudence on Right to Forget. It may require a detailed analysis by experts and this series of articles is only a reflection of the undersigned for further discussions.

Naavi

All articles in the series:

Hats off to the Kerala Judgement on Right to Forget-5: Evolution of the Right to be forgotten
Hats off to the Kerala Judgement on Right to Forget-4: Need for Transparency in Judiciary
Hats off to the Kerala Judgement on Right to Forget-3: Right to Forget is not Right to Anonymity..
Hats off to the Kerala Judgement on Right to Forget..2: Ratio Decidendi in Puttaswamy Judgement
Hats off to Kerala High Court for it’s treatise on Right to Forget

 

Posted in Cyber Law | Leave a comment

Hats off to the Kerala Judgement on Right to Forget-4: Need for Transparency in Judiciary

[This is a continuation of our earlier article on the Kerala Judgement on Right to Forget]

The Kerala Judgement on Right to Forget had three conclusions namely

    1. A claim for the protection of personal information based on the right to privacy cannot co-exist in an Open Court justice system.
    2. The right to be forgotten cannot be claimed in current proceedings or in a proceedings of recent origin.
    3. In family and matrimonial cases, arising from the Family Court jurisdiction or otherwise and also in other cases where the law does not recognise the Open Court system, the Registry of the Court shall not publish personal information of the parties or shall not allow any form of publication containing the identity of the parties on the website or on any other information system maintained by the Court if the parties to such litigation so insist.

For arriving at the above conclusions the Court analysed the definition of Privacy and the concept of Right to Forget as distinguished from Right to Anonymity which we have discussed in the previous article.

The Court then went on to reflect on how the Indian Court system has evolved from the days of the East India Company to today to highlight the principle of “Open Court System”. In particular the Court has considered the “Evolving Accountability and Transparency in Judicial function in the era of Digital space” and the need for independence of judiciary to be asserted with Courts being projected as democratic institutions.

The Court also underscored that since “ignorance” of law is not considered a defence in law, there is a greater need for Courts to be open about its functions and pointed out the live streaming practice that is being used in India now.

The Court significantly also alluded to the “Open Data” and said “The court cannot claim a monopoly over data available with the Judiciary…Data analytics can offer solutions to increase accountability and drive social good, welfare policy formulations etc. Withholding data would be detrimental to the public interest….the larger public interest compels the judiciary to share data with the public, stakeholders, researchers, government etc.”

The Court therefore felt that “In the larger interest, the data collected must be shared to benefit governance as well. Therefore, the Court cannot ignore the larger legal ecosystem in which administration of justice operates while deciding a matter of this nature.” and looked at the Right to Forget to be balanced with the need for judicial transparency.

In the context of redaction of litigant’s identity in Court judgement, this principle of “Open Court” is an important basic doctrine that has been highlighted by this judgement.

…to be continued

Naavi

All articles in the series:

Hats off to the Kerala Judgement on Right to Forget-5: Evolution of the Right to be forgotten
Hats off to the Kerala Judgement on Right to Forget-4: Need for Transparency in Judiciary
Hats off to the Kerala Judgement on Right to Forget-3: Right to Forget is not Right to Anonymity..
Hats off to the Kerala Judgement on Right to Forget..2: Ratio Decidendi in Puttaswamy Judgement
Hats off to Kerala High Court for it’s treatise on Right to Forget

Posted in Cyber Law | Leave a comment