The federal government has introduced a right for consumers to have their personal data deleted as part of its controversial Consumer Data Right scheme.
The introduction of the right to delete was promised as part of a deal with the Opposition to pass the Consumer Data Right (CDR) legislation unamended during the last sitting period in August.
The CDR legislation paves the way for the launch of open banking next year and other data sharing regimes, allowing consumers to transfer their own data held by companies and transfer it to other businesses and services.
Labor agreed to pass the legislation despite its “deep concerns”, on the condition the Coalition would include the right to delete in amendments during this sitting session.
The right has been included in the Treasury Law Amendment (2019 Measures No 2) Bill 2019, which was introduced to the lower house on Wednesday morning and is expected to easily pass through both houses.
The amendment does not actually lay out how the right to delete will work, instead just setting out that consumer data rules must include a requirement that an “accredited data recipient delete CDR data in response to a valid request by a CDR consumer for that CDR data”.
“By legislating that the ACCC must include rules relating to the deletion of personal data we are encouraging longer-lasting confidence in the system; and helping to ensure that respect for consumer’s wishes on how their data is used is a central element of the Consumer Data Right,” assistant treasurer Michael Sukkar said in Parliament.
The rules, to be developed by the competition watchdog, will spell out how a deletion request will be made by consumers, what makes a request valid, how the data must be deleted, reasons why a request can be refused and how the recipient is to notify the consumer when the data has been deleted.
The amendment states that the data cannot be deleted if there is a requirement to keep it under Australian law or because of an order of a court or tribunal, or if it relates to a current or anticipated legal proceeding or dispute resolution proceeding to which the data-holding body or consumer is a party to.
The CDR legislation has been labeled “very complex and messy” by digital rights advocates, with a senate inquiry into the bill uncovering a series of concerns around privacy, data security, consumer protection and sectoral coverage.
The prospect of introducing a right to delete at a later date, and no specifics around how this will work in practice, will also be problematic, Electronic Frontiers Australia chair Lyndsey Jackson said.
“It doesn’t give certainty for developers building these applications, because retrofitting this stuff in later is technically more difficult if it’s something you have to do later because the legislation changes,” Ms Jackson told InnovationAus.com last month.
“The right to be forgotten is an important one but it is a difficult thing to build into tech systems. It takes a lot of thinking about the data you should keep or need to keep, it’s not quite as simple as pressing a button and deleting someone entirely. A lot of processes and tech issues go into it, and implementing it will take a long time.”