Disclosure: Privacy Australia is community-supported. We may earn a commission when you buy a VPN through one of our links. Learn more.

By Will Ellis

• 
• 
• 

Last Updated on January 1, 2024

European-style “right to be forgotten” privacy regulations are being considered for implementation in Australia.

In the aftermath of the FTX scandal, the Attorney General of Australia has said that the right to be forgotten and the right to sue for privacy violations would be considered for the next batch of Australian laws.

On Monday, Mark Dreyfus said that when his bill to increase sanctions for firms that fail to secure client data passes in 2022, the United States would start to discuss privacy regulations along European lines.

Dreyfus predicted last week that the Privacy Act will undergo a “full spectrum” of modernizations.

The “significant increases to fines” he instituted “have sent a message to business Australia that they have to take greater care about the privacy of Australians”, he told Guardian Australia on Monday.

The time for making such adjustments was long passed.

Focus on Compensation for Breached Citizens

Dreyfus said it had “long been a suggestion of the Australian Law Reform Commission to establish a legislative tort of privacy”, which would allow people to seek compensation if their privacy was invaded. It was “among the topics to be examined”, the lawyer stated.

Under the General Data Protection Regulation (GDPR) of the European Union, individuals have the right to have their data destroyed when it is no longer needed for the reason it was obtained or when the individual withdraws permission.

In addition to the aforementioned rights, GDPR also protects individuals against being exposed to automated decision-making and profiling, as well as the right to have one’s data transferred to another party in certain situations (such as when it is being used for direct marketing).

Prime Minister Anthony Albanese said in September that mandating the deletion of old data was a “very straightforward notion”. Dreyfus also brought up the possibility that businesses would be forced to erase identity verification data.

We need to update the legislation to reflect the realities of the digital age, and all businesses have a responsibility to safeguard their consumers’ private data, Bose said.

Digi believes that the European General Data Protection Regulation has many positive features that should be implemented in Australia, including consumer rights regarding data deletion.

Meta “supports enhanced privacy safeguards for Australian customers”, according to a company spokeswoman. “This includes the establishment of a statutory tort for major intrusions of privacy and a right to erasure in specific situations.”

However, the issue of privacy invasion may prove more divisive, since some in the media are concerned that it would give the wealthy and powerful greater tools in the courtroom to limit press freedom.

During previous discussions, the Business Council of Australia voiced their opposition to the law change, arguing that it was “premature to establish a tort that would frequently overlap with the safeguards of the Australian Privacy Principles”.

Questions Raised Over the Need

We have not seen strong evidence that there is a need for them, it said, noting that the Australian Information Commissioner’s mediation procedure has mostly been effective in addressing concerns.

This comes after the major Coinbase settlement. When asked about the AHRC’s future plans, Dreyfus responded, “the breadth of work is something that continues under active consideration”.

Dreyfus initiated discussions on Tuesday to establish a federal judicial panel to investigate and punish what he called “very uncommon” cases of “problematic behaviour by judges”.

Dreyfus said that the commission represented a “longstanding Labor policy” that was “endorsed by the federal courts”.

For constitutional considerations, the Nacc cannot cover the courts, thus he is seeking to set up the two bodies at the same time.

The commission was deemed a “suitable sister organisation”, and its launch was anticipated for “short after” the Nacc’s mid-2023 debut.

Dreyfus said that a discussion paper will be created in the second round of whistleblower legislation to evaluate the need for a commissioner to safeguard whistleblowers.

A Senate investigation on the government’s first whistleblower measure is underway and is expected to report by the middle of March.

What is the Right to Be Forgotten / Right to Erasure

Let’s say you bought Amazon shares or Tesla shares, or products in the past—what if: one morning, you wake up to the news page of your phone to find both companies had leaked millions of customer and investor credit card numbers, addresses, and login details? 

What would your recourse be? (Right to be forgotten privacy law explained).

One would be to cancel unused subscriptions and delete data so it doesn’t get a chance to leak. Individuals have a “right to be forgotten”, which means that upon request, any company or service that has collected and stored their personal information must delete all traces of such information. 

Individuals inside the European Union have this privilege thanks to the GDPR, a piece of legislation designed to safeguard their private information. 

The right to be forgotten is not absolute; for example, it does not apply in all countries outside the EU, and there are other situations in which a person’s data may not be erased.

Let’s say that Suzie subscribes to a monthly email newsletter on French wine but then decides she’d rather drink Belgian beer than French wine. She decides to cancel her subscription to the wine magazine as a consequence. 

If she no longer wishes to receive the newsletter, she may use her “right to be forgotten” under the ePrivacy Directive and have the newsletter’s publisher erase her name, email address, and any other identifying information.

People have used this protection to have previously-public material scrubbed from search engine results, including some that included sensitive details about themselves. For instance, people have the right to request that search engines (Guide: 7 Most Private Search Engines for 2023…) delete links to sites that contain personally identifiable information about them (within specified restrictions).

Difference between the right to be forgotten and the right to erase

The right to delete one’s personal data is referred to as the “right to be forgotten” in the General Data Protection Regulation. Nonetheless, the term “right to be forgotten” is often used to describe this concept.

The right to be forgotten is not unique to the General Data Protection Regulation (GDPR), and it has been used in past court judgements. However, the “right to erasure” as defined by the GDPR is more specific, since it contains the criteria under which the right does and does not apply, and it provides companies with a timeframe of one month within which to react to erasure requests.

Takeaway

Australians have pressing worries at home, with concerns over the recession, which comes after Australian businesses were forced to close down during the COVID-19 pandemic.

However, that doesn’t mean your online privacy isn’t important. And with hyper-powered AI tools like ChatGPT on the horizon… it’s more important than ever to be aware of what’s happening in the realm of personal digital privacy.