Everlasting life. Movies are based on it, philosophers obsess about it, and cosmetic multinationals advertise a million and one ways to preserve it (well, the younger years at least). Despite the obsession, everlasting life remains firmly mired in the impossible but with one exception – the world wide web. On the web, our digital selves float like shadows long after we pass away. The question is whether an individual has a right to ask an internet provider to delete this information, or whether what goes online, stays online. This article will examine a recent case in Europe exploring the ‘right to be forgotten’ and the current situation in Australia.
Case Summary: Google Spain v AEPD and Mario Costeja Gonzalez (“Costeja”)
In the late ‘90s, a Spanish newspaper published announcements relating to the sale of personal property to satisfy social security debts online and in print. Mario Costeja Gonzalez’s details formed part of this list. In 2009, Mario Costeja Gonzalez requested Google remove his records because they were no longer relevant. Google refused.
The European Court of Justice (ECJ) determined that individuals had the right to ask search engines such as Google, Bing and Yahoo to remove links to their personal information. The information must be inadequate, irrelevant, excessive or inaccurate for the rule to apply and the information removed. Following Costeja, Google has made a form available online, allowing people to request removing their information. Consequently, there have been over 91,000 applications asking for search engines to remove 328,000 links, reflecting widespread concern with privacy and the availability of personal data online.
Privacy Law in Australia and a Right to Be Forgotten
Google’s ‘request for removal’ form is available only to the 28 European Union member states and no ‘right to be forgotten’ exists in Australia. Australian privacy law is governed by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APP). Recently, the Australian Law Reform Commission (ALRC) made a move in Europe’s direction, recommending that a “right to deletion of personal information” be inserted as an amendment to the Privacy Act as another APP.
However, amending or reforming the Privacy Act or APPs to create a right for individuals to request deleting online information is a balancing act. The government’s data security agenda focuses heavily on data retention, evidenced by the recent passing into law of the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).
The Relevant APPs
The closest Australia gets to the Costeja rule is the right to have personal information corrected as set out in APP 12 and 13.
APP 12: An APP entity holding information about an individual must provide that individual with access to the information if the individual requests it. An APP entity is an agency or organisation.
APP 13: An APP entity must take reasonable steps to confirm and correct any personal information if it is satisfied the information is:
- Misleading, or
- An individual requests the entity correct the information.
Neither of these rules stretches to force an organisation to delete an individual’s records, and under APP 12, it is at the entity’s discretion to correct the personal information.
In short, Australia does not currently have a right to be forgotten. The ruling in Costeja does not apply to Australia and current privacy laws in Australia only extend to allowing an individual to request an entity correct their personal information.
Given the government’s focus on data retention, a privacy law reform to legislate for a right to be forgotten seems unlikely. This is despite the Australian Law Reform Commission’s recommendation to create a right to delete personal information. For now, we’re stuck with everlasting life online, whether we like it or not.
Questions? Please get in touch on 1300 544 755.