Right to be forgotten under the DPDPA, 2023

Author: Advocate (Dr.) Prashant Mali Published: November 1, 2024

The Digital Personal Data Protection Act (DPDPA), 2023 of India introduces the Right to Be Forgotten as one of the rights available to data principals (individuals) to ensure greater control over their personal data. While this inclusion is a progressive step in India’s data protection regime, there are debates about whether the provisions are sufficient in scope and implementation. Let’s examine this in detail.

What Is the Right to Be Forgotten Under DPDPA, 2023?

The Right to Be Forgotten allows data principals to request the erasure of their personal data in specific circumstances, such as:
1. When the purpose for which the data was collected is no longer valid.
2. If consent for processing the data is withdrawn.
3. If retaining the data is no longer necessary under applicable laws.

Key Strengths of the Right to Be Forgotten

1. Empowering Data Principals:

The provision gives individuals the ability to limit the persistence of their personal data, particularly in cases where the data has served its purpose or they no longer consent to its use.

2. Alignment with Global Standards:

The inclusion of this right brings India closer to global data protection frameworks, such as the General Data Protection Regulation (GDPR) in the EU, which has similar provisions.

3. Balancing Individual Rights and Organizational Needs:

By tying this right to specific conditions (e.g., withdrawal of consent or legal necessity), the Act attempts to balance the rights of individuals with the operational requirements of organizations.

Challenges and Limitations of the Right to Be Forgotten


1. Ambiguity in Implementation:

The Act provides the right but leaves much of its implementation to future rules and regulations, which are yet to be notified. Without clarity on the processes, the right may remain difficult to exercise effectively.

2. No Automatic Deletion:

Unlike some global standards, the DPDPA does not mandate automatic deletion of data when its purpose is served. Data principals must actively request erasure, which could lead to data retention beyond necessity.

3. Exemptions and Restrictions:

The right is subject to several limitations, including:

• Retention of data required for legal or regulatory purposes.
• Situations where the public interest or national security overrides the individual’s request for erasure.

These exemptions, while necessary in some cases, may be interpreted broadly, potentially undermining the individual’s right.

4. Judicial Oversight Required:

Exercising the Right to Be Forgotten may require adjudication by the Data Protection Board of India or courts, especially in cases where there is a conflict between individual rights and organizational interests. This could make the process lengthy and resource-intensive for individuals.

5. Exclusion of Non-Digital Data:

The DPDPA focuses on digital personal data, excluding personal data in non-digital formats. This limits the scope of the Right to Be Forgotten, unlike broader frameworks like the GDPR.

Comparative Perspective: How Does It Measure Up?

• GDPR vs. DPDPA:
The GDPR offers broader provisions, including the right to restrict processing and portability, which complement the Right to Be Forgotten. In contrast, the DPDPA lacks these supporting rights, potentially weakening the individual’s ability to control their data.
• India’s Public Interest Focus:
The DPDPA emphasizes public interest and national security, which could lead to more frequent denials of erasure requests compared to GDPR’s focus on individual rights.

Recommendations to Strengthen the Right to Be Forgotten

1. Clear Guidelines:

The government should issue detailed rules on the procedure, timelines, and grounds for requesting and denying erasure.

2. Data Minimization and Retention Policies:

Organizations should be required to periodically review data retention policies to minimize the need for individuals to invoke this right.

3. Broader Scope:

Extend the right to include non-digital personal data for comprehensive coverage.

4. Independent Oversight:

Establish clear and efficient mechanisms for dispute resolution, reducing reliance on courts for adjudication.

5. Awareness and Accessibility:

Ensure data principals are aware of their rights and have easy access to tools for exercising them.


Conclusion

The Right to Be Forgotten under the DPDPA, 2023 is a promising step toward strengthening data privacy in India, but it is not without its challenges. While the Act introduces a foundational framework, its sufficiency depends on effective implementation, clear guidelines, and robust enforcement mechanisms. Organizations and regulators must work together to ensure that this right is meaningful and actionable, empowering individuals while balancing operational and public interests.

Site maintained by Advocate (Dr.) Prashant Mali for Public in General interest