Have you ever Googled yourself? If you haven’t, you might be shocked by the results that appear when you type your name into the search bar and hit “enter.” This was the experience of Gonzalez, a Spanish national, who discovered news articles from 1998 about his past debt resurfacing online. Despite resolving the issue long ago, this outdated information continued to haunt him, popping up whenever someone searched for his name on the internet. It was as if this unwanted data had become a permanent tattoo he never consented to. Hence, in a world where digital footprints can linger indefinitely, one might wish for a genie to erase such burdensome pasts. In reality, however, that genie took the form of the ‘Right to be Forgotten,’ a legal concept established by the European Court of Justice which subsequently allowed Gonzalez to have his information erased from Google. 

The right to be forgotten empowers individuals to request the removal of outdated or irrelevant information from the internet search engine, allowing them to reclaim control over their digital image and identity. This right is typically granted when the information concerning the individual is considered inadequate, irrelevant, or no longer relevant. By enabling individuals to control the information about the past, this right allows an individual to erase or delete one’s digital footprint. Consequently, search engines like Google or Bing may be required to remove links to websites containing unwanted personal information from their search results.

The rapid advancement of digital technology has led to an exponential increase in the volume of data circulating on the internet. According to statistics from DataReportal, Nepal had approximately 15.4m internet users at the start of 2024. Likewise, the number of social media users stood at 13.5m, accounting for around 43.5 percent of the total population. As internet penetration continues to rise, more individuals will have their information exposed to the domain of the internet. It is the harsh reality that individuals have limited or no control over the information shared online, and once published, such data often attains a permanent status, making its removal nearly impossible. Moreover, with no restrictions on who can post content online, anonymous individuals can share information about others without their consent that will loom over the internet for ages thereby affecting the privacy rights of individuals in the digital space.

Legal scenario

In the context of Nepal, the individual right to privacy is guaranteed and protected under Article 28 of the Constitution. Building upon this constitutional foundation, the Individual Privacy Act of 2018 provides a comprehensive legal framework for safeguarding personal data and related information. This Act mandates that personal information cannot be collected without the explicit consent of the individual concerned and restricts the use of such data strictly to the purposes for which it was gathered. Additionally, the Muluki Criminal Code includes provisions aimed at protecting individual privacy.

Although the prevailing laws offer robust protections against unauthorized data collection and usage, they fall short of addressing the challenges posed by information already available in the public domain. The right to privacy ensures the confidentiality of personal data but does not extend to the removal or deletion of information that has already been disseminated in the public domain.

This lacuna in law can be addressed via the incorporation of the right to be forgotten which will allow the erasure of information already available in the public domain. Countries such as Spain, Germany, Argentina, South Korea, India, Switzerland, and the UK have already embraced this right, allowing individuals greater control over their digital information. As a result, major online platforms including Google, Yahoo, Bing, and Facebook have received thousands of takedown requests from individuals seeking to reclaim their online privacy.

Not an absolute right

It is crucial to recognize that the right to be forgotten is not an absolute right; it is subject to specific limitations and conditions. The European Union’s General Data Protection Regulation (GDPR) provides clear guidelines on when an individual may request the removal of their personal information. Article 17 of the GDPR outlines key circumstances under which this right can be exercised, such as when the data is no longer necessary, when consent is withdrawn, when the data has been unlawfully processed, or when there are no overriding legitimate grounds for retaining the information.

A blanket provision allowing unrestricted use of the right to be forgotten would be neither practical nor desirable. This right must be carefully balanced against freedom of expression and the right to information, as excessive enforcement could be misused to suppress critical discourse or erase public records of legitimate interest. The right to be forgotten, therefore, functions as a double-edged sword, while it safeguards individual privacy, it also has the potential to limit public access to essential information. Hence, striking the right balance is essential. The right to be forgotten should only be upheld in cases where an individual’s privacy rights outweigh the public interest in retaining access to the contested information.

Remedy through courts

In the Nepali context, a writ petition was filed by the authors before the Supreme Court of Nepal, seeking formal recognition of the right to be forgotten. Although the Court ultimately dismissed the petition, it issued a directional order during the final hearing, signaling the need for further legal deliberation on the matter. As the full text of the judgment is yet to be issued, its detailed reasoning and implications on the right to be forgotten remain to be seen; however, the decision is poised to play a pivotal role in shaping the future of digital privacy rights in Nepal.