The “right to be forgotten” has a nice ring to it, right? In a world where everything we do online can be tracked, logged and analysed, the notion of forgetting can feel alluring.
That’s probably why the right to be forgotten — along with the related concept of the right to erasure — often makes headlines and captures the attention of politicians. However, while it may sound sexy, it’s no silver-bullet solution to protecting privacy.
In the lead-up to this year’s long-awaited reform of the Privacy Act, we need to stay vigilant against mere privacy theatre. There are many meaningful changes to better protect our human rights in the digital age, and we need to ensure we’re not distracted by false solutions.
What is the right to be forgotten?
When people refer to the right to be forgotten they most often are referring to the right to erasure, which gives people a right to request that organisations delete their personal information.
This sounds good, and in some ways, it is. It can be empowering to give people more options to exercise control over their personal information. But we need to be realistic about how meaningful this would be in practice.
The crucial thing about the right to erasure is that it’s a request. Just because you ask for your data to be deleted doesn’t mean the organisation has to. If we look at the EU General Data Protection Regulation (GDPR), it comes with a range of limitations. The crux is this: if the company deems the data necessary to keep for the purpose it was collected, you’re probably not going to get it deleted.
Australia doesn’t have a formally defined right to erasure. But there is a requirement for organisations to delete, destroy or de-identify personal information that is no longer necessary. That means organisations should be deleting personal information they no longer need without anyone having to ask.
The trouble is it’s far too easy for organisations to massage the law about what is really necessary to collect, use and store. You don’t want them to keep your data? Too bad. The company has determined it’s necessary for “business purposes” (whatever that may mean). And this question of necessity often comes back to ideology. I don’t think collecting huge amounts of personal information for targeted advertising is reasonable or necessary, but try telling that to advertising executives and their clients.
The right to erasure does nothing to fundamentally challenge the dominance of data-gluttonous logic. What’s more, it’s useless in the face of legislation that compels companies to retain data. It would have done nothing for the millions of individuals affected by the Optus breach, for instance. Nor would it have helped victims of robodebt. Nor would it prevent predatory startups in the real estate industry.
If we focus on the right to erasure alone, we risk shifting the burden of responsibility on to individuals to clean up the mess created by data-hungry organisations. People shouldn’t have to ask to have their information deleted; that responsibility should lie with the organisations that collect it.
Individual rights, responsibility, burden
This kind of thinking follows a long-established trend in privacy regulation that centres on individual autonomy so much that it sometimes undermines privacy. Take the notice and consent model — in which people are provided details about what is happening to their data, and then prompted (or forced) to “consent”. We end up with perverse outcomes where individual agency is valued so highly that information asymmetries and the context of power in which these transactions occur are ignored.
It’s well known that the notice-consent model is broken, in no small part due to companies manipulating it in their favour. (Another lesson from Europe is the absolute nightmare that is mandatory cookie consent banners.) It’s not hard to see how the right to erasure could also become an illusion of individual control while doing nothing to challenge the underlying business practices that cause harm.
More promising changes
This is not to say that we shouldn’t consider the right to erasure in Australia or take inspiration from other approaches in the GDPR. But we need to think carefully about what will improve privacy in a meaningful sense.
Reform to privacy law doesn’t happen often. This will be the first major reform of the Privacy Act since its introduction almost 50 years ago. We can’t afford to get distracted. Rather than just thinking about what individuals can do to exert control, we should be directing our attention to how we can dismantle the harmful business practices of organisations collecting our personal information.
Instead of manipulating people into providing consent, or putting the burden on them to request their information be deleted after the fact, we should be prohibiting or preventing bad privacy practices by organisations.
One such proposal is the “fair and reasonable” test. This could potentially require organisations to ensure that every time they collect, use or disclose your personal information, what they are doing is fair and reasonable. That might not sound as snappy as “the right to be forgotten”, but it could go a lot further towards improving privacy.
We should perhaps clarify that a lot of data harvesting happens because of government overreach. The Optus hack, as I recall, netted people’s Medicare and driving licence details. Optus are a communications company, and could not monetise that data.
I am fortunate not to have been an Optus client, but no telco has required my Medicare number. I agree with your general thesis, but neither Medibank nor Optus needed all that they had.
Yes they did. 100 points of ID is required for Telecommunications and Health Insurance Services. Medicare Card details are one of the acceptable forms of identification.
https://www.afp.gov.au/sites/default/files/PDF/NPC-100PointChecklist-18042019.pdf
Where have we gone wrong? Corporations and Governments want to know everything about me almost down to the position of the freckle on my Rs. Recently I had a very minor traffic altercation in an underground shopping center carpark with what I believe to be an illegally parked utility with an overhanging load (battens) protruding approximately 2 metres into the roadway. It scratched the roof of my vehicle. Took photos and wrote to Police requesting the owner’s name and address.
Plod, not being overexcited about doing anything replied that I could not be provided with that information for privacy reasons. Yet I read in Crikey that private car park owners apparently can and do so frequently.
Remember when individuals had some recognition (I am reluctant to use rights.) whereas today it is all corporations.
Lodge a claim with your insurer including the details of the other vehicle. They will sort it out. Insurers can access information that we mere mortals can’t.
Step one would be: unless the government requires the data, there should be a deletion date on it. I am a teacher and I am forbidden to keep photos of my students for more than 3 weeks after their purpose is served. Sunset clause.
Interesting using the comparison of the EU GDPR, but missed something about the latter, broader context and governance in general i.e. database security responsibilities and penalties for those breachers using their power?
There are simply too many incidences in Australia mostly for reasons of incompetence, ignorance, ethical/moral bypasses and focus on short term revenue streams.
Not only do citizens have little control or rights over their data in Australia, they or entities may also be subjected to SLAPP action (‘Strategic Lawsuits Against Public Participation’) from complaining publicly; Australia and UK* are two developed nations still lacking robust anti-SLAPP regulations, supporting rights of all citizens.
*Think the UK is working on it…, esp. brought into focus in ’22 by UK govt. allowing a Russian oligarch Prigozhin’s legal advisors to bypass sanctions and use SLAPP action against Eliot Higgins of UK entity, Bellingcat, which had exposed Wagner operations.
‘Digital rights’ can have some unforeseen consequences. Crypto currency requires enormous banks of computers in industrial style warehouses that keep the neighbours awake with the noise and consume huge amounts of electricity just to keep the fiendish lucre untampered with. Despite all that trouble, expense and awfully clever digital ‘security’ it didn’t stop the human being running the scheme from tampering with and purloining the crypto-goods well distant from the scene of all that security… thousands of km away in fact.