Australians’ expectations regarding the protection of their privacy have fundamentally changed in recent years. Most Australians are increasingly concerned with the way that businesses, including those behind social media platforms and search engines, are using our private information.

Is the law keeping up?

As community expectations have changed, various government inquiries have considered whether laws that affect privacy—like the Privacy Act 1988 (Cth)—are up to modern standards.

In 2019, for example, the Australian Competition and Consumer Commission released the final report of its Digital Platforms Inquiry, which considered the impact of online search engines, social media and digital content aggregators (“digital platforms”) on competition, among other things. It recommended that “the Privacy Act needs reform in order to ensure consumers are adequately informed, empowered and protected, as to how their data is being used and collected”.

In December of 2019, Attorney-General Christian Porter announced that the Government would act on that recommendation. The review of the Privacy Act commenced in October 2020.

The impetus for review: Australia’s piecemeal privacy protection

Australian law does not protect privacy in a way that is comparable to many other developed nations.

That’s not to say privacy lacks any protection in Australia. The Privacy Act is Australia’s key information privacy law. The Act currently provides for 13 “Australian Privacy Principles” (or “APPs”) which outline general privacy standards applicable to organisations of a certain size and federal government agencies.

APP 6 provides (among other things) that applicable bodies must not use or disclose personal information collected for a particular purpose for some other purpose unless the person consents.

This principle, like many others protected by the Act, turns on what is meant by “personal information”. Under the current definition, the Act does not cover much of the online data we create and share every day without thinking. In 2017, the Full Court of the Federal Court decided that telecommunications metadata collected by Telstra was not “about” an individual, and so did not satisfy the definition of “personal information”.

The situation serves to illustrate how Australian privacy law might not meet consumer expectations of how businesses will treat their privacy.

On the horizon: a new “right to erasure” in the Privacy Act?

On 30 October 2020, the Attorney-General’s Department released an “Issues Paper” in relation to its review of the Privacy Act. The paper sought public feedback on tentative proposals to change the law.

An interesting proposal would provide individuals with the means to require applicable entities to remove their personal information. This proposal was framed as a “right to erasure”. The Issues Paper asked:

    1. Should a ‘right to erasure’ be introduced into the Act? If so, what should be the key features of such a right? What would be the financial impact on entities?
    2. What considerations are necessary to achieve greater consumer control through a ‘right to erasure’ without negatively impacting other public interests?

Following the lead of the Europeans

The proposal is inspired by principles in European data protection law. Back in 2014, the Court of Justice of the European Union decided the famous Google Spain case, which interpreted a European Directive to the effect that Google and other search engine providers have an obligation, in certain circumstances, to remove links to personal data that are inadequate, irrelevant, no longer relevant or excessive.

The so-called “right to be forgotten” that was expressed in the Directive underpinning that case was repealed in 2018, then re-articulated in the GDPR (the “General Data Protection Regulation”).

Article 17 of the GDPR sets out a “right to erasure”, which provides that certain individuals (“data subjects”) have a right to obtain from certain entities (“controllers” of data) the erasure of their personal data, without undue delay, where:

  • the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; or
  • the individual withdraws consent to use of their personal data; or
  • the data subject objects to the processing of their personal data (subject to a certain procedure); or
  • the personal data have been unlawfully processed; or
  • the personal data have to be erased for compliance with a legal obligation in European Union law, or law of an EU Member State, to which the “controller” is subject; or
  • the personal data have been collected in relation to certain services provided to a child.

The GDPR’s right to erasure protects individuals’ privacy in a way that has no equivalent in Australian law. But it comes at a cost. For businesses to which the GDPR applies, giving practical effect to a right to erasure can be an onerous exercise.

The question remains whether Australian consumers, and the Australian business community, would consider the cost to be worth it. Based on recent experience, it is likely that foreign-based digital platforms like Google and Facebook—which may also be subject to the long-arm reach of the Privacy Act—would not welcome reforms that would require them to spend further resources on compliance with Australian law.

Looking forward

The Government received submissions on its Issues Paper, including the prospect of a right to erasure, in late 2020.

It has announced that there will be further opportunity to provide feedback on the proposals once another discussion paper is released, sometime during 2021.

Whether or not Australia gets a European-style right to erasure, we expect to see significant changes to the Privacy Act in the next 12 months impacting on both the tech giants and local businesses.