There is a vast range of information readily available online. While this is usually beneficial for a number of reasons, it can become an issue where it involves personal information

Personal information is usually information that can be used to identify someone. So, this could include emails and phone numbers. 

In some jurisdictions, individuals can enjoy the right to be forgotten. This way, they can rest assured that their personal data is not being kept by certain organisations. 

In this article, we’ll go through the right to be forgotten in Europe and whether this kind of right exists in Australia. 

What Is The Right To Be Forgotten?

The right to be forgotten is essentially the right to have your personal data removed from a certain place. In other words, people have the right to contact a party that is holding their personal data and to ask them to erase it. 

This is covered specifically under Article 17 of the General Data Protection Regulation (GDPR). It also outlines that the erasure should not have ‘undue delay’, which is about a month. 

This goes hand in hand with an individual’s right to access their personal information, which can be found in Article 15 of the GDPR. 

The right to be forgotten usually applies when:

  • The personal data is no longer necessary for the organisation’s original purpose for collection
  • The person withdraws their prior consent to having their data processed
  • A pre-existing legitimate interest no longer justifies the processing of data
  • An individual objects to processing their data for marketing purposes 
  • The data was processed unlawfully
  • The removal of data is required by law
  • A child’s personal data has been processed for information society services

How To Remove Personal Information From The Internet

As we mentioned, Article 17 of the GDPR grants individuals the right to have their personal data removed by certain organisations. However, it’s important to note that this right does not exist in Australia. 

So, in Australia, what do you do if you want to have your personal information removed from the internet?

While we cannot rely on GDPR for this removal of data, we can turn to Australian Privacy Principles. The other closest thing to the right to be forgotten is the tort of defamation. So, if your personal information is in the public sphere and says something untrue or damaging to your reputation, you can take legal action to have this taken down. 

However, this means that you can only request to have your data taken down on the basis of defamatory action. 

What Does Australian Privacy Law Say?

In Australia, privacy matters are regulated by the Privacy Act 1988 and the Australian Privacy Principles (APP). However, there is no right to be forgotten in Australia. 

Instead, two main privacy principles are the closest we can get to this right, namely, APP 12 and 13. 

Australian Privacy Principles

The Australian Privacy Principles are essentially a privacy framework in Australia. 

If your business has an annual turnover that exceeds $3 million, the Privacy Act applies to you and as such, you need to comply with certain obligations under the APPs. 

In relation to the right to be forgotten, Australia has two principles that are similar to it. 

APP 12 provides that an APP entity must provide an individual with access to their personal information if they request it. This does not, however, grant a right to remove that data. 

There are some situations where an APP entity may refuse to grant them access to their personal information, such as where it would be unlawful. 

APP 13 provides that APP entities must correct personal information so that it remains accurate, up-to-date and is not misleading. 

What Is The Tort Of Defamation?

Another way information can be removed from the internet is if you take legal action against someone under the tort of defamation. 

This usually arises where someone suffers a loss or damage from a representation made about them which is not true, but leads people to believe it is true. This also applies where defamatory material is posted online. 

Some common remedies for defamation include damages or an injunction. The court may make an order for the defamatory material to be removed or taken down. 

General Data Protection Regulation

The GDPR is a privacy law that operates and takes effect in the EU. 

However, even if you are an Australian business, doing business in the EU may mean the GDPR applies to you too. 

It’s worth speaking to a lawyer who can chat you through your privacy obligations, as this will depend on the nature of your business activities and where you conduct business generally. 

Key Takeaways

The right to be forgotten is a right granted in the EU by way of the GDPR. This right doesn’t exist in Australia, however, we have similar legal protections such as the right to access your information upon request and to have your information updated. 

If you need help or guidance around your privacy obligations as a business in Australia, our privacy lawyers are happy to chat with you. You can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.

Rowan Gardoce
Rowan is the Marketing Coordinator at Sprintlaw. She is studying law and psychology with a background in insurtech and brand experience, and now helps Sprintlaw help small businesses
About Sprintlaw

Sprintlaw's expert lawyers make legal services affordable and accessible for business owners. We're Australia's fastest growing law firm and operate entirely online.

5.0
(based on Google Reviews)
Have a question?
Get your FREE quote now.

We'll get back to you within 1 business day.

  • This field is for validation purposes and should be left unchanged.