The “right to be forgotten” has a nice ring to it, right? In a world where everything we do online can be tracked, logged and analysed, the notion of forgetting can feel alluring.
That’s probably why the right to be forgotten — along with the related concept of the right to erasure — often makes headlines and captures the attention of politicians. However, while it may sound sexy, it’s no silver-bullet solution to protecting privacy.
In the lead-up to this year’s long-awaited reform of the Privacy Act, we need to stay vigilant against mere privacy theatre. There are many meaningful changes to better protect our human rights in the digital age, and we need to ensure we’re not distracted by false solutions.
What is the right to be forgotten?
When people refer to the right to be forgotten, they are most often referring to the right to erasure, which gives people a right to request that organisations delete their personal information.
This sounds good, and in some ways, it is. It can be empowering to give people more options to exercise control over their personal information. But we need to be realistic about how meaningful this would be in practice.
The crucial thing about the right to erasure is that it’s a request. Just because you ask for your data to be deleted doesn’t mean the organisation has to. If we look at the EU General Data Protection Regulation (GDPR), it comes with a range of limitations. The crux is this: if the company deems the data necessary to keep for the purpose it was collected, you’re probably not going to get it deleted.
Australia doesn’t have a formally defined right to erasure. But there is a requirement for organisations to delete, destroy or de-identify personal information that is no longer necessary. That means organisations should be deleting personal information they no longer need without anyone having to ask.
The trouble is it’s far too easy for organisations to massage the law about what is really necessary to collect, use and store. You don’t want them to keep your data? Too bad. The company has determined it’s necessary for “business purposes” (whatever that may mean). And this question of necessity often comes back to ideology. I don’t think collecting huge amounts of personal information for targeted advertising is reasonable or necessary, but try telling that to advertising executives and their clients.
The right to erasure does nothing to fundamentally challenge the dominance of data-gluttonous logic. What’s more, it’s useless in the face of legislation that compels companies to retain data. It would have done nothing for the millions of individuals affected by the Optus breach, for instance. Nor would it have helped victims of robodebt. Nor would it prevent predatory startups in the real estate industry.
If we focus on the right to erasure alone, we risk shifting the burden of responsibility on to individuals to clean up the mess created by data-hungry organisations. People shouldn’t have to ask to have their information deleted; that responsibility should lie with the organisations that collect it.
Individual rights, responsibility, burden
This kind of thinking follows a long-established trend in privacy regulation that centres on individual autonomy so much that it sometimes undermines privacy. Take the notice and consent model — in which people are provided details about what is happening to their data, and then prompted (or forced) to “consent”. We end up with perverse outcomes where individual agency is valued so highly that information asymmetries and the context of power in which these transactions occur are ignored.
It’s well known that the notice-consent model is broken, in no small part due to companies manipulating it in their favour. (Another lesson from Europe is the absolute nightmare that is mandatory cookie consent banners.) It’s not hard to see how the right to erasure could also become an illusion of individual control while doing nothing to challenge the underlying business practices that cause harm.
More promising changes
This is not to say that we shouldn’t consider the right to erasure in Australia or take inspiration from other approaches in the GDPR. But we need to think carefully about what will improve privacy in a meaningful sense.
Reform to privacy law doesn’t happen often. This will be the first major reform of the Privacy Act since its introduction almost 50 years ago. We can’t afford to get distracted. Rather than just thinking about what individuals can do to exert control, we should be directing our attention to how we can dismantle the harmful business practices of organisations collecting our personal information.
Instead of manipulating people into providing consent, or putting the burden on them to request their information be deleted after the fact, we should be prohibiting or preventing bad privacy practices by organisations.
One such proposal is the “fair and reasonable” test. This could potentially require organisations to ensure that every time they collect, use or disclose your personal information, what they are doing is fair and reasonable. That might not sound as snappy as “the right to be forgotten”, but it could go a lot further towards improving privacy.