In December 2019, the Attorney-General announced that the Australian Government would conduct a review (the Review) of the Privacy Act 1988 (Cth) (the Privacy Act). The Review aimed to investigate the effectiveness of Australia’s current data protection regime to ensure it “empower[s] consumers, protect[s] their data and best serve[s] the Australian economy”. Since then, the Attorney-General has published an Issues Paper in October 2020 (the Issues Paper) and a Discussion Paper in October 2021 (the Discussion Paper) and conducted several rounds of public consultations. This series from Gilbert + Tobin’s Technology + IP team will guide you through the key issues that have been raised by the Review.
Right To Erasure
The ‘right to erasure’ is the right to have personal information removed from public directories in certain circumstances. The primary purpose of this right is to prevent undue interference with privacy and reputation due to the ongoing accessibility of information. Although the ‘right to erasure’ originally stems from Article 17 of the European Union General Data Protection Regulation (GDPR) and the famous Google Spain v González judgement, the concept is supported by the statutory frameworks of the majority of G20 countries.
Background: Existing Regime
At the moment, there is no ‘right to erasure’ under the Privacy Act. However, under the Australian Privacy Principles (APPs), entities which are subject to the Privacy Act are required to give individuals access to their personal information and to correct any errors in their personal information in certain circumstances.
Under APP 12.1, an entity that holds personal information about an individual must, on request of the individual, give them access to the information, with only limited ability to refuse access. Likewise, under APP 13, an entity must, on request of an individual, take reasonable steps to correct any personal information about that individual to ensure that it is accurate, up-to-date, complete, relevant and not misleading (Note: this requirement also applies where the entity is satisfied the personal information is inaccurate, out-of-date, incomplete, irrelevant or misleading, having regard to the purpose for which it is held – it does not only apply on the request of the individual). Under APP 11.2, whether or not requested, an entity is obliged to delete or de-identify personal information once it is no longer needed and no longer required by law to be kept in an identifiable form.
Various versions of the right to erasure are recognised in overseas jurisdictions, including the European Union and the United Kingdom. The ‘right to erasure’ is reflected in Article 17 of the GDPR which states that individuals have the right to erasure of “personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay”. However, this is a qualified right and only applies in certain circumstances, including where the data has been unlawfully possessed or is no longer necessary for the purposes for which it was collected or otherwise possessed. Similarly, the UK Data Protection Act 2018 also contains a right to erasure which mirrors the GDPR.
The Discussion Paper
The Discussion Paper examined submissions from various stakeholders discussing the benefits and challenges of permitting a right to erasure. The Discussion Paper explored adopting a ‘right to erasure’ modelled on Article 17 of the GDPR. It proposed that the Privacy Act could be amended to provide a limited ‘right to erasure’ where one of the following six grounds applies:
- the personal information must be destroyed or de-identified under APP 11, i.e. once the purpose for which the information was collected has ceased to exist;
- the personal information is sensitive information, i.e. race/ethnic origin, political opinions, religious beliefs or affiliations, sexual orientation etc;
- an individual has successfully objected to personal information handling through the right to object, i.e. withdrawal of consent or objection to the selling of personal information while still being able to access and use a service;
- the personal information has been collected, used or disclosed unlawfully;
- the entity is required by or under an Australian law, or a court/tribunal order, to destroy the information; and
- the personal information relates to a child and erasure is requested by a child, parent or authorised guardian.
However, the above grounds would be subject to the following exceptions, which strive to achieve a balance with the public interest that may necessitate the retention of personal information in certain circumstances, as well as to mitigate the risk of permanently deleting personal information that might be relevant to a subsequent legal dispute or law enforcement investigation. These proposals might also operate to increase the efficacy of APP 11, where an entity refuses to destroy or de-identify personal information as required, by enabling an individual to initiate this process at their request. The Review considered the following proposed exceptions to the “right of erasure”:
- personal information is required for a transaction or contract;
- erasure is technically impractical or would constitute an unreasonable burden;
- erasure would hinder law enforcement;
- public interest and freedom of expression;
- personal information in a generally available publication and search results; and
- possible further exceptions such as where the erasure request is ‘frivolous or vexatious’, would have an unreasonable impact on the personal information of another individual, would pose a serious threat to life, health or safety of another individual, and where the information is required for archival research or statistical purposes in the public interest.
Submissions to the Review expressed a high level of interest in the right to erasure, with many submissions either supporting or opposing the right.
Submissions that supported a right to erasure came from government bodies, higher education, and financial services. The OAIC supported the right to erasure, arguing that under present laws, individuals have little control over how their personal information is used or disclosed after it is collected. The OAIC noted that there is a significant level of consumer support in favour of using a right to erasure. For instance, 84% of respondents in the OAIC’s 2020 ACAP survey, and 79% in Deloitte Australia’s Privacy Index 2021 survey, indicated that they would be ‘likely’ to ‘very likely’ to use a right to erasure. Notably, the OAIC also proposed that the right should be qualified with a requirement for APP entities to take reasonable steps to comply with an erasure request, as opposed to a strict obligation.
Submissions identifying challenges with introducing a right to erasure included stakeholders from telecommunications, healthcare and financial services. These submissions argued that a right to erasure would be unnecessarily and overly onerous on businesses, it may undermine legitimate business practices, and the cost will be disproportionate to any privacy benefit to an individual. When one thinks of the various systems and databases (including backups and archives) that may be operated by a business, it is not difficult to imagine how a right to erasure may require a business to incur significant cost and effort. Many submitters who opposed the right to erasure argued that the GDPR is in a different legal context compared to Australia and the existing regime for destruction or de-identification under APP 11.2 is fit for purpose and allows for APP entities to meet their obligations at a systems level rather than a costly individual case-by-case basis.
There has been disagreement about whether the right to erasure should apply to indexed search engine results. The Discussion Paper considered whether there should be an exception to the right to erasure for the de-indexing of search results on a search engine. Google’s response to the Issues Paper advocated for this position. It argued that requests to remove links to content that has been indexed by a search engine require private tech companies to make assessments of whether each indexed result is “inaccurate, inadequate, irrelevant or excessive” and assess whether the results are in the public interest, which is an inappropriate decision-making responsibility for a private company. This was the issue at play in the Google Spain v González decision. Under the GDPR and UK Data Protection Act 2018, Google is currently required to complete a similar analysis for its UK and EU operations as these regimes extend to indexed search results. The OAIC’s submission in response to the Discussion Paper recommended that the right to erasure should be extended to the de-indexing of search engine results, to the extent that the construction of the index requires a collection of personal information.
There is significant general support for considering a ‘right to erasure’ as part of the reform of the Privacy Act. However, the Discussion Paper and the majority of the submissions recognised that there needs to be a balancing of interests in personal and private information as against countervailing public interest considerations including free speech, freedom of media, access to information, administration of justice, public health and safety, and national security concerns. There is also the significant issue as to the potential cost and administrative burden this may place on business, and whether the benefits of a ‘right to erasure’ justify these costs. We wait to see how the Government strikes the balance between these competing interests.
Authors: Andrew Hii, Claire Harris and Ali Khan