Australia recently joined the growing ranks of countries that take privacy seriously - so seriously that a breach of the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) can now result in a fine of up to A$1.7 million for corporations and A$340,000 for individuals. The amendments to the Privacy Act and the coming into force of the APPs on 12 March 2014 introduce a new higher standard for the way in which organisations operating in Australia collect, hold, use and disclose personal information.
But what exactly do death, taxes and deactivated online accounts have in common? Put simply: the apparent inability to escape them.
The reforms to Australia's privacy laws were reflective of growing individual discontent in Australia concerning the handling of personally identifiable information by both the Government and the private sector, particularly online. Internet users are becoming increasingly aware that any personal information that they disclose online may be extremely difficult to "take back" or "be forgotten" and may be used in ways that they did not anticipate when providing it.
Hence the popularity of the website "Justdelete.me" created by a British web student. Justdelete.me lists hundreds of websites and rates them on the difficulty that people face when trying to delete an account or remove their personal information from that website. Each website is rated from "easy" to "impossible".
Sites such as Pinterest, Netflix, Youtube and Starbucks, for example, have been labelled by Justdelete.me under the "black code" of "impossible". According to Justdelete.me, even if you deactivate your account on these sites (as there is no way to actually delete an account), a record of everything that you have done in connection with those websites remains stored on the relevant company's database. Depending on the website in question, this could include data about your location, the videos you have watched, the songs you have played, the coffees you have ordered, the people you have contacted and your name, address and credit card information that you supplied to open the account.
Under the Privacy Act "personal information" is any fact or opinion about an individual whose identity is apparent or can be reasonably determined. While song preferences, coffee choices and viewing history may not constitute personally identifiable data in and of themselves, when associated with your name (or other information that can reasonably identify you) they are "personal information". For example, in 2006 Netflix publicly released movie ratings from un- identified users that listed the movie rated, the score given and the date of the rating. Researchers demonstrated that by taking this seemingly anonymous data and matching it with movie viewing histories and other habits they were easily able to identify most of the individuals who supplied the ratings.
Online businesses operating via social media/websites (websites) operating in Australia (and the organisations behind them) need to ensure that they comply with the APPs both generally and specifically in respect of the de-identification or destruction of personal information no longer needed for the notified purpose(s) for which such was originally collected. Where a website (or organisation behind it) does not allow individuals to delete their account and all personal information connected to it, then there are four main issues that they must consider:
Firstly, under the APPs organisations must not use or disclose information for a purpose other than the notified reasons for which it was originally collected (the primary purpose) unless the person has consented to this disclosure or (ii) would reasonably expect the organisation to disclose their information in this manner and the disclosure is related to the primary purpose.
It is difficult to envisage how a website (and the organisation behind it) could possibly justify the continued use of personal information tied to a de- activated account for the original notified purpose for collection - given the account is de-activated, no longer active, inactive (etc, etc, as per the pertinent Monty Python parrot sketch).
Secondly, the APPs require organisations to actively consider whether they need to retain personal information about an individual once such information has been used for the primary notified purpose(s) and to take reasonable steps to destroy or de-identify personal information that is no longer needed for the notified purpose(s) for which it was originally collected, unless certain limited exceptions apply. Please see our update "Australian businesses must destroy or de-identify personal information no longer needed for the purpose(s) authorised" for more information on the obligation to destroy or de-identify personal information.
It is hard to see how an organisation that holds on to personal information related to a de-activated account for any significant length of time after de- activation will not be in breach of the APPs.
Thirdly, organisations are obliged to keep personally identifying data secure from loss, interference, misuse and unauthorised access, modification and disclosure. Please see our update "Information security obligations for Australian businesses under the Privacy Act: A reminder from the OAIC" for more detail on ensuring personal information/data is secured.
Continuing to ensure that personal information related to de-activated accounts is kept safe from interference (such as through hacker activities) will become an increasingly costly exercise as more and more of such data needs to be stored and protected. The Privacy Commissioner will not look kindly, if there is a breach incident, on personal information being accessed that should have been de-identified or destroyed (ie should not have been kept) in the first place.
Lastly, the APPs place a new obligation on organisations to ensure that any personal information they hold, use or disclose is up to date, accurate, complete and relevant.
We suspect that personal information held from a de-activated account for any length of time after deactivation could not meet this obligation. Also, an individual who has de-activated their account is unlikely to welcome an organisation contacting them to update personal information held by that organisation for a de-activated account.
Conclusion: websites operating in Australia and the organisations behind them must be careful to ensure compliance with the amended Privacy Act and the new APPs, especially in respect of de- activated or deleted accounts. While death and taxes may be inevitable, a website retaining personal information for an indefinite period of time is not, especially after the de-activation of the relevant account, and to do otherwise will be a breach of Australia's tough new privacy laws.