Australian Law Reform Commission Proposes New Data Deletion Principle

By Murray Griffin  

March 31 --The Australian Law Reform Commission (ALRC) March 31 proposed the introduction of a new Privacy Act 1988 principle that would allow individuals to request the destruction or de-identification of personal information.

The principle would require an entity to either take reasonable steps to comply with such a request from an individual or to provide its reasons for noncompliance.

Possible reasons for noncompliance might include a legal requirement to keep the data, the ALRC said.

The proposal is contained in an ALRC discussion paper that forms part of its inquiry into “serious invasions of privacy in the digital era.”

The former federal Labor government ordered the inquiry last year, and the ALRC will submit its final report to the current Liberal-National Party Coalition government by June.

The final report's recommendations aren't binding on the government.

Comparison to EU Proposal

The ALRC said its proposed new principle differs from the European Union's “right to be forgotten” proposal in its proposed EU-wide data protection regulation because the principle would only allow an individual to make a destruction or de-identification request about information that he or she has provided to an organization.

The European Parliament's version of the draft regulation, approved March 12, replaces a “right to be forgotten” included in the original European Commission proposal with a “right to erasure” of personal data, which also would create an obligation for companies receiving such a request to forward the request to other data processors to which the data have been transferred .

Unlike the EU proposal, the proposed Australian principle wouldn't apply to private information posted by other individuals or organizations, the ALRC said.

The ALRC sought input on whether the proposed principle should also require an entity to take steps to notify any third parties of the request if it has shared the information with them.

Other Recommendations

The draft report also advised that the government introduce a new “Serious Invasions of Privacy Act” that would allow individuals to seek damages for an intrusion on their private affairs or a misuse or disclosure of private information about them, subject to certain defenses.

If the government elects not to seek a new invasion of privacy statute, the ALRC recommended that existing statutes acknowledging causes of action for serious breaches of privacy be amended to authorize courts to award damages for emotional distress.

The ALRC also asked whether a government regulator should be given new powers to issue take-down orders that would require an organization to remove from a website private information about an individual that might constitute a serious invasion of privacy.

It also proposed that device surveillance and workplace surveillance laws be made uniform through Australia. “Offences in surveillance device laws should include an offence proscribing the surveillance or recording of private conversations or activities without the consent of the participants,” the ALRC added.

Submissions on the discussion paper are due by May 12.

 

To contact the reporter on this story: Murray Griffin in Melbourne at correspondents@bna.com

To contact the editor responsible for this story: Katie W. Johnson at kjohnson@bna.com


The 236-page discussion paper “Serious Invasions of Privacy in the Digital Era” is available at http://www.alrc.gov.au/sites/default/files/pdfs/publications/whole_dp80.pdf.