Australia Needs a ‘Right to Erasure’ Before the Next Data Breach Hits
If the past three years have taught Australians anything, it is that corporate promises about data security are fragile shields against sophisticated cyber-criminals. Optus, Medibank and Qantas alone have seen more than 25 million customer records spilled into criminal markets. Investigations drag on, class actions stack up and regulators threaten billion-dollar penalties, yet breaches keep coming. Clearly the regulatory stick is not forcing companies to fix systemic weakness quickly enough.
One reform could tip the balance: giving individuals the legal power to compel firms to delete, or properly de-identify, their personal data. Europe’s General Data Protection Regulation has offered such a “right to erasure” since 2018. Australia, despite strong public support, continues to deliberate. Delay is no longer defensible.
Why a deletion right matters
- It removes the honey pot. Hackers target large, centralised troves of information. If companies retain only what is essential for current services, attackers have less to steal and monetise.
- It flips corporate incentives. Firms now hoard data because analytics and targeted marketing promise revenue. Mandatory deletion schedules would force executives to weigh the profit of retention against legal exposure and reputational risk.
- It restores individual agency. Australians can already request data corrections, yet they cannot insist unused data be purged. Empowering users to do so would rebalance a relationship in which companies dictate terms customers rarely read or understand.
- It aligns with cybersecurity reality. No firewall is perfect, and state-backed gangs probe global networks for a living. Since breaches are inevitable, harm reduction through minimisation is the smartest defence in depth.
Addressing the objections
Critics warn that mandatory erasure could hamper fraud investigation, compliance obligations or valuable public research. These concerns are solvable. Exemptions for law-enforcement, national security and statistical use already exist elsewhere. De-identification techniques allow datasets to retain utility without exposing individuals.
Businesses also claim technical complexity. Yet deleting dormant records or segregating active ones is less challenging than rebuilding customer trust after a breach. If Qantas can seek court injunctions worldwide to prevent publication of stolen files, it can certainly modernise data pipelines to honour deletion requests.
A pragmatic roadmap
- Set clear retention ceilings. Personal data held for longer than, say, five years without active consent must be erased or anonymised unless a legally defined exception applies.
- Mandate transparent disclosures. Firms must list what categories of data they keep, why, and for how long, in plain language, not buried in 40-page policies.
- Create fast, free recourse. Consumers should be able to lodge erasure requests through a standardised online portal, and companies would have strict deadlines to comply or justify refusal.
- Tie fines to turnover. A maximum penalty of AU$50 million is progress, but for tech giants this can be pocket change. Europe links fines to global revenue; Australia should follow suit to ensure meaningful deterrence.
- Support small business. Provide turnkey tools, templates and government grants to help resource-constrained firms implement secure deletion workflows without stifling innovation.
Waiting only helps criminals
The Minister for Communications says privacy reform is complex and requires “getting the balance right.” True, but the balance is already skewed. Ordinary Australians shoulder lifelong identity-theft risks while corporations drag their heels over governance upgrades. Every month of consultation adds fresh victims to future breach headlines.
Granting citizens a right to erasure will not eradicate cybercrime. It will, however, shrink criminals’ rewards, realign corporate behaviour and restore a measure of control to the people whose data fuels the digital economy. Canberra must move from in-principle support to legislation, before the next breach reminds us, once again, how high the stakes have become.
