5 September 2024

Understanding the ‘Right to Erasure’ and its challenges in Australia

Jonathan Gadir
Senior Consultant

elevenM’s Jonathan Gadir discusses some of the consumer barriers to ‘right to erase’ and suggests some steps Australian businesses can take to get ready for its arrival in Australia.

The right to erasure (sometimes referred to as the right to be forgotten) gained prominence with the implementation of the European Union’s General Data Protection Regulation (GDPR) in 2018. However, similar provisions exist in other privacy laws worldwide, such as the California Consumer Privacy Act (CCPA) in the United States or the national privacy law of South Korea.

In countries where it exists, calling this a right is a bit overblown. It is a right to ask to have your personal information deleted. But the provisions usually allow the organisation receiving the request to invoke a number of reasons for why it cannot meet the request, including that it would take an unreasonable amount of effort or cost, or retaining the information is necessary for internal business processes or for regulatory or law enforcement purposes.

The right to erasure has received a lot of attention because search engines like Google have been taken to court by individuals who experienced harm because of something that came up in search results when people searched their names online. Examples of when this occurs are:

  • when people have committed a crime, “done their time” and are seeking to re-join society
  • public allegations were made about a person that were mistaken however the correction, if it was published, is not as prominent as the original erroneous article
  • a person has been acquitted in a legal process but not enough coverage of this has occurred to drown out the original story when their name is searched.

Precedents have been established by European courts ordering that certain search results not appear because the harm to the individual outweighs any public interest in the information being easily found.  The underlying website content is still there but it is made harder to find.

Personal information held by organisations we deal with

The much more common and everyday concern is whether we have the right to ask businesses or other organisations we deal with to get rid of our data.

There are already some limited obligations on organisations subject to the Privacy Act to provide individuals’ access to and correction of their data if they request it.

But there are a few factors that make us reluctant to exercise this right and would equally apply to the right of erasure in the event it is adopted by upcoming privacy reforms.

If you’re a business who wants to be seen to be privacy-enabling, you should be aware of these psychological and practical barriers, as well as what you need to do to get prepared for a right to erasure.

Reluctance to request correction or deletion

The biggest reason that people don’t ask for their personal information to be deleted is of course that businesses that hold the most of our personal information would not provide us with a service if we demanded they delete it. It is simply a condition of use.

For many of us, request processes are also hard to find and time consuming, and leave applicants unsure of whether their request has been actioned effectively, or at all, given that data is often dispersed throughout different systems and third-party service providers like cloud platforms.

Unknowns of who has our data

There is also an assumption that we all know what organisations hold our data and what they hold. This is not true in our current data ecosystem. Data is spread around from one organisation to another – sometimes with consent, sometimes lawfully or unlawfully without consent. 

With such unknowns, how meaningful is it to have some theoretical right to delete it when we don’t even know who has it?

Organisational Preparedness

As we noted, sometimes organisations don’t do a good job of making it easy for their customers to apply for correction or deletion. But with changes potentially on our doorstep, organisations need to do better – and even if reform doesn’t happen, organisations can establish trust with customers by having a transparent and easy to follow process. Giving customers greater control of how their personal information is managed just makes sense – and in this case brings the added bonus of reducing unnecessary data holdings.

Organisations should be clearly offering the option to correct or delete and be ready to handle requests openly and efficiently. To help with this, we set out some key steps for any organisation to be able to meet such requests.

1. Develop a Clear Process

Create a designated point of contact for receiving requests, a verification process to confirm the identity of the requester, a timeline for responding to and acting on requests and a procedure for documenting the actions taken.

2. Train Your Staff

Ensure that all relevant employees understand what to do when they receive requests like this. This would include customer facing staff as well as IT and data management teams responsible for locating and deleting data.

3. Map Your Data

Conduct a comprehensive data mapping exercise to understand what personal information you collect, where it’s stored (including backups and archives), how it flows through your organisation and who has access to it. This will make it much easier to locate and delete specific individuals’ data when requested.

4. Implement Technical Solutions

Invest in tools and systems that can help you manage such requests efficiently. This might include:

  • Customer relationship management (CRM) systems with built-in privacy request handling features
  • Data discovery tools to help locate personal information across your systems
  • Automated deletion workflows to ensure thorough and consistent data removal

5. Review Data Retention Policies

Regularly assess your data retention policies to ensure you’re not keeping personal data longer than necessary. This can reduce the volume of data you need to manage and minimise the risk of retaining data that should be deleted.

6. Prepare for Exceptions

Identify scenarios where you may need to refuse an erasure request. This could include rules within your retention and disposal authority or legal obligations to keep transaction, employee or tax records for set periods.

7. Consider Third-Party Data Sharing

If you’ve shared personal data with third parties, you may need to inform them of deletion requests. Develop a process for notifying these parties and ensuring they also comply.

Contact us

Learn more about the merits, competing rights and prospects of the right to be forgotten in elevenM podcast episode #110.

If you’re interested in learning more about how to undertake a data processing inventory or implement retention and disposal and other data controls, get in touch.