Delhi HC's Landmark Right to Be Forgotten Ruling: A Privacy Precedent That Arrived Before the DPDP Act Could
India's Delhi High Court issued a 144-page right to be forgotten framework on May 29. Here's what it means for businesses, citizens, and the DPDP Act.
#Delhi HC's Landmark Right to Be Forgotten Ruling: A Privacy Precedent That Arrived Before the DPDP Act Could
India just received its most detailed right-to-be-forgotten frameworkânot from the legislature, not from the Data Protection Board, but from a single Delhi High Court judge working through a stack of 30 petitions filed by acquitted individuals whose names still haunt Google search results. The May 29, 2026 order from Justice Sachin Datta is 144 pages, covers every category from quashed FIRs to matrimonial disputes, and tells search engines, legal databases, and media houses exactly what they must do when someone asks to disappear from the internet. For businesses operating in India's digital economy, this ruling does not sit quietly alongside the Digital Personal Data Protection (DPDP) Act, 2023âit fills the enforcement vacuum that the Act has been unable to fill on its own.
#What Justice Sachin Datta Actually Ordered
The batch case, Laksh Vir Singh Yadav v. Union of India and Connected Matters (2026 DHC 4891), consolidated 30-plus petitions from individuals who had been acquitted of criminal charges, had proceedings quashed, or appeared incidentally in court recordsâand whose names continued to appear prominently in search engine results.
The court's ruling flows from the 2017 Supreme Court judgment in K.S. Puttaswamy v. Union of India, which established privacy as a fundamental right under Article 21 of the Indian Constitution. Justice Datta ruled that this right encompasses "informational privacy" and that the permanent digital visibility of concluded criminal proceedings constitutes disproportionate harm to an individual's dignity, privacy, and livelihoodâwhat the judgment calls "digital permanence."
The practical framework established by the ruling has two principal tools:
De-indexing (De-linking): Search engines and online legal databases must remove links to relevant documents from name-based search results. Critically, the underlying documents themselves are not deletedâthey remain accessible through direct URL, to courts, to parties, and to law enforcement. Only discoverability via a name-search is removed.
Masking: In publicly accessible versions of judgments published by courts and legal repositories, personal identifiersânames, addresses, and other details that could identify the individualâare replaced with anonymized placeholders. The legal reasoning, findings of fact, and judicial conclusions remain fully visible and searchable on their merits.
Both remedies can extend to international scope. The ruling follows the logic of the EU's Google Spain precedent in affirming that where a judgment concerns an Indian resident, de-indexing orders can apply globallyânot just to Indian search results. For companies like Google and Microsoft that operate search engines with global indexes, this matters.
#Who Can Use This Rightâand Who Cannot
The ruling is not a blanket privacy amnesty. Justice Datta built in specific limitations that will directly shape how lawyers advise clients and how companies build compliance workflows around these requests.
Eligible petitioners include:
- Persons acquitted or discharged in criminal matters where proceedings have concluded
- Individuals whose FIRs or criminal proceedings were quashed by a court
- Parties mentioned incidentally in civil or matrimonial proceedings where they were not the primary subject
The court's assessment is case-specific, weighing factors including: the nature of the offense alleged (not proven), how much time has elapsed, the continuing relevance of the information, the severity of ongoing dignitary harm, and whether the requesting individual holds a position of public accountability.
Ineligible categories are firm:
- Persons convicted of offenses against women or children
- Convictions involving breach of public trustâpublic servants, elected representatives, and those in fiduciary positions
- Cases where the court finds that the public interest in continued visibility outweighs the individual's privacy interest
This tiered framework mirrors the structure that the DPDP Act envisions for the "right to erasure" under Section 13âbut does so via constitutional interpretation rather than statutory right, because the DPDP Act's Section 13 won't be fully enforceable until May 2027 at the earliest.
#Why Indian Courts Had to Act Before the DPDP Board Could
The timing of this ruling is not accidental. It is a direct consequence of the enforcement gap that has defined India's data protection regime since the DPDP Rules were notified on November 13, 2025.
On paper, the Digital Personal Data Protection Act gives every data principalâevery Indian residentâthe right to correction and erasure of personal data under Section 13. But that right is exercisable by filing a complaint with the Data Protection Board of India (DPBI), and the Board has only recently become operational after receiving its first Chairperson and Members on June 6, 2026. Until that appointment, the Board could not hear cases, register Consent Managers, or issue any enforcement directions.
The result was a legal paradox that the Mondaq analysis published in April 2026 documented with particular clarity: courts in India were referring data grievances to a regulatory body that did not yet have functioning leadership. The Madhya Pradesh High Court, in at least one documented instance, ordered a complainant to take a data grievance to the DPBIâwhich could not yet act on it.
Justice Datta explicitly acknowledged this vacuum. The May 29 ruling notes the "absence of a fully operational statutory framework" despite the DPDP Act's enactment, and the court exercised its constitutional jurisdiction under Article 226 to fill the gap. In the court's framing: constitutional rights do not wait for implementing regulations.
This is not a precedent without risk. Courts exercising jurisdiction in the absence of functioning regulators can produce inconsistent outcomes across different benches. But for now, it means that individuals with pending privacy harms have a functional remedyâand businesses serving those individuals have binding compliance obligations.
#What the Ruling Means for Businesses in India's Digital Economy
The business impact of this ruling extends well beyond law firms handling acquittal cases. Four categories of organizations need immediate attention.
Search engines: Google, Microsoft Bing, and DuckDuckGo are explicitly named as respondents in the de-indexing framework. Upon receipt of a valid court order for de-indexing, they must remove the specified links from name-based searches globally. The ruling rejects the argument that search engines function as neutral intermediariesâthey actively amplify content visibility and, accordingly, bear responsibility for addressing legitimate de-indexing requests. Companies should audit their India-facing content takedown processes against this framework before requests arrive.
Legal databases and online repositories: Platforms like Indian Kanoon, SCC Online, and Manupatra must implement masking in published judgment versions upon court order. The ruling's framework anticipates that both existing and newly published digital judgments may be subject to masking obligations. Technology infrastructure to anonymize named parties in existing document librariesâat scaleâdoes not currently exist at most platforms, and the ruling creates a forward compliance obligation without a clear implementation deadline.
Media houses and digital publishers: News outlets that published coverage of criminal proceedings at the time of arrest or charge face potential obligations to update or anonymize coverage when the underlying proceedings result in acquittal or are quashed. The ruling is more nuanced here than a blanket de-indexing mandateâit focuses primarily on judicial records, not contemporaneous news reportingâbut the principles establish a legal foundation for future litigation.
HR and background verification firms: Companies that conduct background checks using online judicial databases, and firms that rely on search-engine-surfaced legal records as part of hiring processes, now operate in a landscape where indexed records may be incomplete by court order. Compliance programs should note that an absence of search results does not mean an absence of judicial historyâde-indexing removes discoverability, not the underlying record.
#The Unresolved Questions: Where Courts End and the DPDP Act Begins
The Delhi HC ruling is significantâbut it is also temporary scaffolding. It does not resolve several questions that the DPDP Act will need to address once it becomes fully enforceable.
Scope of the statutory right: Section 13 of the DPDP Act gives data principals the right to erasure of personal data that is "no longer necessary for the purpose for which it was collected." Judicial records serve ongoing public interest purposes beyond the original case. Whether Section 13 extends to demand erasure of court-published recordsâor whether judicial records sit outside the Act's scope as a matter of statutory interpretationâis an open question that the Data Protection Board will eventually need to answer.
Cross-border data transfers: The ruling's global de-indexing orders intersect uncomfortably with the DPDP Act's pending cross-border transfer framework. As of today, the government has not notified any restricted-country list under Section 16 of the Act. When that list arrivesâand it is expected to carry implications for how Indian personal data stored on foreign servers must be treatedâthe interaction with judicial de-indexing orders will require careful legal analysis.
Government exemptions: The DPDP Act grants the central government broad exemptions from the Act's obligations when processing data is necessary for national security, public order, or law enforcement. Investigative agencies that access judicial records for ongoing investigations may find that data subjects' newly crystallized Article 21 rights conflict with these exemptionsâa tension the Supreme Court is already examining in the journalists' challenge to the DPDP Act, where the first hearing was held on March 23, 2026.
Legal data platforms vs. personal data fiduciaries: The ruling treats Indian Kanoon and SCC Online as platforms obligated to implement maskingâbut neither of them is a "data fiduciary" in the DPDP Act's sense. They do not collect personal data from individuals for service delivery; they republish public judicial records. Whether the DPDP Act's rights framework can be mapped onto judicial record platforms, or whether Article 21-based constitutional rights are the only relevant remedy, is a question the Act's enforcement will need to address.
#The Pattern Is Clear: India's Courts Are Not Waiting
Taken alongside the Dabur cybersquatting ruling from December 2025âin which the Delhi HC restructured WHOIS privacy protections and is currently facing a challenge from GoDaddy and Namecheap at a July 16, 2026 hearing that explicitly invokes the DPDP Actâa pattern is visible. Indian courts are actively adjudicating digital privacy rights, shaping the landscape through constitutional interpretation and IP law, while the statutory framework catches up.
That is not a criticism. It reflects the practical reality of implementing a major data protection regime in a country with an active judiciary and a dense ecosystem of digital rights litigation. But it does create layered compliance obligations for businesses: a court-ordered right-to-be-forgotten framework coexists with a statutory right to erasure that becomes enforceable in May 2027, and the two are not perfectly aligned.
The businesses that will navigate this period most smoothly are the ones building compliance infrastructure nowâbefore the statutory regime crystallizesâwith enough flexibility to accommodate judicial interpretations that the DPDP Act's drafters did not fully anticipate. If you are building a consent management framework or reviewing your data retention policies, this ruling is not a footnote. It is a preview of the enforcement environment you are heading into.
For tools to assess your organization's readiness under both frameworks, see our DPDP compliance resources and our consent management guide.
Sources:
- Delhi HC Right to Be Forgotten Guidelines â Bar & Bench
- When the Internet Won't Let You Move On â Cyril Amarchand Blogs
- Right to Be Forgotten Ruling Analysis â CyberPeace
- India's Data Protection Board: The Enforcer That Isn't There Yet â Mondaq
- GoDaddy Challenges Delhi HC's Domain Privacy Order â MediaNama
- MeitY Plans to Cut DPDP Compliance Timeline â Chambers and Partners
- Supreme Court Notice on Constitutional Challenge to DPDP Act â IFF
- India's DPDP Timeline: Critical Compliance Deadlines â India Briefing