Significant developments in this space
Right to access and correct personal information
The Discussion Paper proposes the enhancement of existing rights in respect of individuals' personal information. This includes the introduction of:
- a requirement that organisations must identify the source of personal information they've collected indirectly or which they've inferred, on request by the individual, unless it is impossible or would involve disproportionate effort. This is likely to be difficult in practice for organisations that hold substantial amounts of inferred personal information or information developed by use of particular machine-learning techniques[1]; and
- a right for organisations to consult with an individual to provide access to personal information in a more digestible format, such as a general summary or explanation of the information held, in circumstances where the requested information is highly technical or voluminous in nature. This is a helpful development for organisations, particularly those that may hold especially large or complex amounts of personal information relating to an individual.
Right to erasure
The Discussion Paper tentatively proposes a new right to erasure, modelled on the GDPR's 'right to be forgotten'. Under this proposal, an individual could request erasure of their personal information on one of the following grounds:
- the personal information must be destroyed or de-identified under APP 11.2;
- the personal information is sensitive information;
- the individual has successfully objected to personal information-handling through the 'right to object' (this is explained below);
- the personal information has been collected, used or disclosed unlawfully;
- the entity is required by or under an Australian law, or a court/tribunal order, to destroy the information; or
- the personal information relates to a child and erasure is requested by the child, parent or authorised guardian.[2]
In light of contrasting submissions on the topic, the Discussion Paper requests further feedback on what exceptions may be appropriate and would strike a balance between individuals' interests in having greater control over their personal information and other public interests.
We expect any implementation of a right to erasure would be subject to organisations' existing legal obligations to retain information under other legislative regimes. Given the significant retention obligations certain organisations have under law, it is likely that public awareness of the practical limitations of such a right would need to be developed. Organisations would also need to review and implement changes to their technological systems to ensure they could comply with such requests.
Right to object
An additional consumer right discussed in the Discussion Paper is a right to opt out or withdraw consent from organisations collecting, using or disclosing an individual's personal information. This is framed as a 'right to object' or withdraw consent at any time.
On receiving notice of an objection, an organisation would need to take reasonable steps to stop collecting, using or disclosing the personal information and inform the individual of the consequences of the objection.[3] Continued collection, use or disclosure would be permitted in certain circumstances.[4] As noted in our accompanying Insight in relation to the proposed OP Code, this would be a significant development, particularly where the right to object could act as an override to limit an organisation's use for a reasonably expected secondary purpose related to the primary purpose.
Direct Right of Action
The Discussion Paper also proposes to provide individuals with a direct right of action against organisations for breaches. See here for more information.
Footnotes
1. Submission to the Issues Paper: Allens Hub for Technology, Law and Innovation and the Australian Society for Computers and Law, 8.
2. Discussion Paper, 118.
3. Discussion Paper, 113.
4. Discussion Paper, 113.