The Indian data protection bill is a great example of drawing inspiration from the West, with many provisions of the Personal Data Protection Bill, 2019 being verbatim copies of the European GDPR.
However, the Indian PDP bill has been able to deviate in certain aspects from the European GDPR and the sad part is that the deviations are much more stringent in nature. Under article 17 of the GDPR, the right to be forgotten has been given (Under the broad heading of Right to erasure), which can be exercised by a Data-Subject (Data-Principal in India) by applying directly to the Data-Fiduciary for removal of certain information pertaining to him/her which are not relevant anymore.
However, this right will be exercised only once the Data Fiduciary is satisfied that it is not violating the right to information of other citizens; thus, the adjudicatory role of deciding whether particular information will be removed or not is with Data-Fiduciary.
This creates a relation between the Data-Principal and the Data Fiduciary. However, when this right comes to India there is a clear segregation of the right to be forgotten with the right to erasure. Whereas the former is given under section 20, the latter is given under section 18 (1) (d).
The method of exercise of the right to be forgotten is also completely different from what is provided under the Western GDPR. Whereas in GDPR the right can be exercised by the data-principal applying to the data-fiduciary, who shall then decide, under the Indian PDP bill, for the application of the right the data-fiduciary needs to apply to the Adjudicatory Authority.
The basis for the insertion of an Adjudicatory Authority is given on page 85 of the BN Srikrishna Committee report, 2018, where the Committee admits that the function to be exercised under section 20 is an adjudicatory function which cannot be exercised by a private entity.
There has to be democratic accountability, which can only be there with a democratically elected government. Thus, the right can be exercised only by a governmental body (which is democratically elected) attracting democratic accountability; which again does not seem a very interesting analogy to transfer the power of adjudication from a ‘Non-State’ actor to a ‘State-Actor’. Interestingly, there are other changes brought in also, such as that the right to erasure has been segregated from the right to be forgotten.
Whereas, under the GDPR, there is a broad heading of right to erasure under Article 17, under section 18 (1) (d), the right to erasure has been given, which again is not absolute in nature. Interestingly, for the application of this right the application does not need to be sent to the Adjudicatory Authority but rather to the data-fiduciary, who shall decide whether a particular piece information needs to be erased or not.
The question which logically follows is what happens to the principal of democratic accountability, which is eulogized in the right to be forgotten but ironically forgotten in the right to erasure. Further, right to erasure is not an absolute right, but will be applied only after the Data-Fiduciary is satisfied. If he/she is not satisfied the information won’t be erased.
The only remedy with data-principal is to ask the fiduciary to put a note by the side of the information that the particular information is disputed by the data-principal.
The writer is Assistant Professor of Law, National Law University, Jabalpur.