Australia: Erasing your digital footprint - Australia's evolving right to be forgotten
The Attorney-General's Final Report1 on the Review of the Privacy Act 1988 (Cth) ('the Privacy Report'), published on 16 February 2023, considers enacting a right to be forgotten, also known as the right to erasure. This right would empower individuals to have more control over how organisations retain their personal information, giving them the right to delete their information. Katherine Sainty and Julia Colubriale, from Sainty Law, provide an overview of the right to be forgotten, the proposed amendment, its limitations, the significance, the implications for organisations, and how organisations can best prepare for the possibility that this right may be enshrined in Australian legislation.
Providing individuals with more control over their personal information is an issue which has been highlighted in recent Australian privacy reviews including:
- The Office of the Australian Information Commissioner reported the outcomes of a survey of Australian Community Attitudes2 towards privacy in the Privacy Report in 2020. The survey found that almost 9 in 10 people wanted more control over their personal information.
- The Australian Consumer and Competition Commissioner's Digital Platform Inquiry - Final Report3 published in 2019 also found that the Privacy Act 1988 (Cth) ('the Privacy Act') required more control for consumer empowerment in the context of search engines and social media platforms.
- The Attorney-General released both the Issues Paper4 and Discussion Paper5 for the Privacy Report in 2020 which responded to the concerns raised in the Digital Platform Inquiry - Final Report. The Discussion Paper gave stakeholder feedback on the Issues Paper inquiries into what the key features of the right should be if introduced, the public interest objectives to be considered, and the financial impact on organisations.
What is the right to be forgotten?
The right to be forgotten gives an individual the right to have their personal information removed from internet searches and other directories. This includes the right to ask for their personal information to be removed from organisation's databases, systems, and even online platforms in the public domain.
While many jurisdictions have begun to adopt a form of the right to be forgotten, the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') is well known for formalising the 'right to erasure' in Article 17.
The GDPR grants individuals the right to have their data erased when:
- their personal information is no longer needed for the purpose for which it was collected or processed;
- the individual has withdrawn the consent they gave when their information was first collected;
- their personal information was unlawfully processed; or
- the personal information has been collected in relation to designated services provided to a child.
An individual can also ask an organisation that holds personal information to erase it to comply with another EU law or EU Member State law.
While the right to erasure has been established in the EU for some time, the right remains subject to a contentious debate. Some advocates support the right for privacy protection and promoting freedom of expression by allowing individuals to control what public information is published. Others that oppose the right to erasure argue that it is a form of censorship and can undermine the public's access to information.
The Privacy Report discusses a few practical issues to effectively implement the right to erasure that the EU is still teasing out. This includes the burden placed on search engines to deal with the volume of requests and the adversarial position they must play in balancing public interest with privacy protection when deciding which results to de-index. This will be critical to consider in the practical implementation of the right to erasure in Australia.
Why is the right to be forgotten so important?
The right to be forgotten is now seen as an essential right to protect individuals in the digital age. An individual's digital footprint continues to grow as individuals and third parties publish more information about themselves. The internet has made it easy to access information and media about individuals that may not be accurate or relevant. As a result, individuals may be harmed, and their public reputation damaged with very limited avenues of redress until now.
In practice, the right to erasure would allow individuals to reduce their digital footprint by requiring organisations, including search engines and social media platforms, to remove that individual's personal information. We discuss below some of the proposed exceptions that limit where the proposed right applies.
Does the right to be forgotten exist in Australia?
Australia does not currently have a right to be forgotten in the Privacy Act or any other legislation.
Individuals can instead ask an organisation to correct their personal information under Australian Privacy Principles ('APP') 11, 12, and 13. While these APPs allow individuals some control, they neither provide a right to delete or erase personal information. For example:
- APP 11 requires that an organisation take reasonable steps to destroy or de-identify personal information that is no longer required for the consented purpose for which it was collected or required to be kept by law;
- APP 12 allows an individual to ask an organisation to provide them with access to personal information that is held about them, unless granting access to that information would be unlawful in the circumstances; and
- APP 13 requires organisations to correct an individual's personal information on request, so it remains accurate, current, and not misleading.
Despite the application of these APPs, the current legislation offers less robust protection than an express right to be forgotten. Individuals are currently only able to ask for their personal information to be removed from the public space by bringing an action for defamation. This is a time-consuming and potentially costly process for individuals which hinders their ability to control their personal information which is publicly available.
How has the right to be forgotten been proposed in Australia?
Right to erasure
The proposed right to be forgotten under the Privacy Report mirrors the GDPR's right to erasure. The Privacy Report has not released proposed wording but has instead recommended introducing a right that:
- allows an individual to make a request for the erasure of their personal information;
- requires organisations that collect personal information from third parties to pass on the erasure request to the third party and inform the requesting individual; and
- requires certain information, such as joint personal information, financial records, and rental or property records, to be 'quarantined' rather than erased for law enforcement purposes.
Right to de-index
As a sub-category of the right to be forgotten, the Privacy Report proposes the right to de-index internet search results for Australian domains, for example, domains ending in .com.au or .au, that have personal information about an individual that is excessive in volume, irrelevant, outdated, or no longer relevant.
This means that an individual could ask a search engine for a specific search result containing information about them to be removed from the total search results. When an individual makes the request, the search engine will determine whether to de-index the search result, based on only the information provided by the individual making the request. The right does not remove the content from the internet; however, it would decrease the ease of access to personal information through a search engine. This is significant as de-indexed content is very difficult to find. This means it practically achieves a similar result to removing access to the content.
There are criticisms of the proposed right on the basis that this is burdensome on social media platforms and they are an improper judge for this kind of public interest assessment.
The Privacy Report has proposed that the following types of information should be able to be de-indexed in search engines:
- sensitive information including medical history and political views;
- information about a child;
- excessively detailed information including home address and personal phone number; and
- personal information that is inaccurate, outdated, incomplete, or irrelevant.
What are the limitations to the right to be forgotten?
Similar to the GDPR, the Privacy Report proposes that the right to be forgotten is subject to exceptions that must be balanced so the right operates effectively and appropriately.
The proposed general exceptions to the right to be forgotten include:
- Competing public interests where public interest in an activity outweighs public interest in protecting privacy. This should be assessed after considering the implications on freedom of expression, law enforcement, health services, national security, and for academic, archival, or creative purposes.
- Relationships with legal character including where an organisation is required by law or contract to retain the information.
- Technical limitations on an organisation's ability to comply with a request or where the request is unreasonable, vexatious, or frivolous, but excluding where an organisation intentionally designs its systems to take advantage of the exception.
How can businesses and organisations prepare?
The Privacy Report signals that there is a move towards giving individuals more rights of control over their personal information in a way that aligns with international privacy laws.
Businesses and organisations can prepare for the right to be forgotten (if enacted) by:
- understanding and identifying what personal information it holds and where, and what processes and policies would be required to implement the right;
- being aware that they may be obliged to provide reasonable assistance by consulting with the individual who is exercising their right to be forgotten;
- establishing technical and operational measures to de-identify or delete personal information if their organisation has not already done so; and/or
The Commonwealth Government is assessing submissions to the Privacy Report and is expected to provide an official response to those submissions which will include the recommendations it supports sometime in 2023, although there is no specific timeframe for the initial draft of any suggested reforms arising out of the review. Early indications are that the right to be forgotten, is being seriously considered.
1. See: https://www.ag.gov.au/rights-and-protections/publications/privacy-act-review-report
2. See: https://www.oaic.gov.au/__data/assets/pdf_file/0015/2373/australian-community-attitudes-to-privacy-survey-2020.pdf
3. See: https://www.accc.gov.au/inquiries-and-consultations/finalised-inquiries/digital-platforms-inquiry-2017-19
4. See: https://www.ag.gov.au/rights-and-protections/publications/review-privacy-act-1988-cth-issues-paper
5. See: https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/