Photo by Miguel Á. Padriñán: https://www.pexels.com/photo/close-up-shot-of-keyboard-buttons-2882523/
Australians have a keen appetite for privacy and want better protections for their privacy. According to the Office of the Australian Information Commissioner (OAIC), 90% of Australians support laws that give them greater agency over how their personal information is handled.
Reflecting this interest, the Federal Government passed a small selection of privacy reforms in 2023 and committed to implement over 100 more, including the right to delete.
What is the right to delete?
The right to delete is sometimes called the “right to erasure” or the “right to be forgotten”. It is a legal guarantee that individuals can request the deletion of their personal information when it is no longer necessary for a legitimate purpose. It aims to give people greater control over their digital footprint.
Does Australia have it?
Currently, Australia does not recognise a right to delete personal data, despite public support for stronger privacy protections.
While Australia’s Privacy Act 1988 (Cth) contains some adjacent protections such as:
- Australian Privacy Principle (APP) 11, which requires organisations to take reasonable steps to destroy or de-identify personal information once it’s no longer needed;
- APP 13, which grants individuals the right to correct inaccurate personal information.These do not amount to a general or enforceable right to deletion at the request of the individual.
What about the Consumer Data Right?
Australia’s Consumer Data Right (CDR) was introduced to increase competition by allowing consumers to access and share their data between service providers, particularly in the banking, energy, and telecommunications sectors. The CDR allows individuals and small businesses the right to access and control their own data held by companies and securely share that data with accredited third parties, such as banks.
However, at the end of 2023 just 0.31% of banking customers were utilizing the service. Following this dismal uptake more than 50 percent of data sharing arrangements were discontinued or not renewed.
Why the slow uptake? Banks claim that compliance with the tech is expensive and stifles competition between banks as the smaller banks are disproportionately strained by the cost of compliance. According to ABA CEO Anna Bligh ‘It’s time to go back to the drawing board. The current CDR regime isn’t delivering for customers or enhancing competition and a new pathway forward is needed’.
Who does have the right to delete?
The right to delete is not a radical idea. It has been successfully implemented in the EU, UK, California, South Korea, and soon Canada.
Article 17 of the GDPR, followed by the UK and EU, affords individuals the right to request organisations remove their personal data from their records. These deletion requests can be made verbally, by email, or through a form. The US Consumer Reports organisation has developed the “Permission Slip” app. This allows individuals to make and track data deletion requests in an accessible way.
This means that international companies are familiar with right-to-delete protocols. If Australia follows a similar structure, the adoption of the tech will be relatively seamless for the multinational corporations holding Australian data.
Why does the right to delete matter?
Data Sovereignty
Australians lack meaningful control over how their personal data is stored, used, and shared. The right-to-delete enshrines the principle of data sovereignty, recognising that individuals rather than corporations own and control their own personal information. Without this right, Australians remain passive subjects of data extraction, rather than active participants in the digital economy.
Protection from Data Breaches
The longer data is held, the more likely it is to be caught up in a breach. The right to delete gives people the legal power to reduce their exposure by requesting that unnecessary, outdated, or irrelevant data be removed. This is especially critical in Australia, where companies retain large amounts of personal data with minimal security safeguards. They can’t lose data they no longer hold.
Correcting the Power Imbalance
Complex privacy policies and vague consent processes mask the reality that individuals are systematically disempowered in digital environments. The right to delete would help rebalance this relationship by giving individuals a simple, enforceable tool to assert control, say “no,” and set limits on the retention of their data.
What does Australia need for a right to delete?
Australia needs a legally-enshrined right for residents to insist that companies delete their personal information - regardless of whether they have a direct relationship or not. This needs to be backed by penalties for companies that fail to comply in a timely manner.
When California implemented the right to delete, despite public appetite for the reform, the right had minimal uptake. What changed this? Permission slip allowed Californians to make, manage and receive outcomes on deletion requests all in the one app. This made the reform accessible and better known, and use of the right increased rapidly.
As Australia looks to implement the right to delete, we should look at ways to learn from California and ensure the process is user-friendly. We also need information and educational campaigns to ensure that Australians know about the rights they have, and how to enforce them.