Author Topic: Proposed changes to the Australian Privacy Act (Right to Erasure)  (Read 1216 times)


Offline Halcyon (Topic starter)

  • Global Moderator
  • *****
  • Posts: 6126
  • Country: au
https://www.twobirds.com/en/insights/2023/australia/australian-privacy-reforms-are-we-getting-the-right-to-be-forgotten

Changes to our Privacy Act, similar to what is already enacted in the EU under their GDPR, are being proposed here.

This will have widespread implications for many Australian businesses and services online (and potentially this forum). It will be interesting to see what constitutes "personal information" and whether that extends as far as an email address or an online pseudonym that could potentially link an online profile to a real person.
 
The following users thanked this post: Ed.Kloonk, bigfoot22

Offline AndrewNorman

  • Contributor
  • Posts: 21
  • Country: au
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #1 on: January 31, 2023, 03:13:54 am »
I have spent the last few years working on systems that fall under GDPR and the problem is personal information gets very subjective at times. But I was sent this when I was talking to our security officer.

Quote
In order for a revealed email address to be considered a breach of GDPR the e-mail address has to fall into a specific category, namely one of the following: A personal e-mail address such as Gmail, Yahoo, or Hotmail. A company email address that includes your full name such as firstname.lastname@company.com

Then you start combining that with IP addresses and you end up with another can of worms.
 

Offline redkitedesign

  • Regular Contributor
  • *
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #2 on: January 31, 2023, 03:59:59 am »
Forums like this still exist in Europe, so apparently it's possible to comply with the GDPR.

Easiest way to comply is by not collecting the information in the first place. So don't collect names, only e-mail. And don't make e-mails public.  You don't need 2FA, no European forum needs that.

Right to be forgotten is another issue. However, as a forum you can argue (at least in the EU) that you need to keep all posts in order to preserve the logical thread. Especially quotes are safe under this rule. Posters are already able to edit their posts (and thus to remove them)

IP addresses of posters can be logged as you need them to report those offering nukes to the authorities.

In general, if there is a good reason to keep information, it is allowed. However, marketing and profit are never good reasons. Good reasons are legal obligations, actual functionality or explicit permission (e.g. A poster posting he works at $company is divulging personal information. However, you may assume the poster is not mentally impaired, so they have decided they want to use your forum to publish that information. That constitutes permission under EU rules. Note this also applies to nicknames used and published on the forum!)
 

Offline james_s

  • Super Contributor
  • ***
  • Posts: 21611
  • Country: us
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #3 on: January 31, 2023, 04:04:45 am »
It could also be that it is simply not enforced. How do you ever know what information a forum keeps around? How does enforcement work?
 

Offline AndrewNorman

  • Contributor
  • Posts: 21
  • Country: au
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #4 on: January 31, 2023, 04:25:53 am »
Enforcement is an interesting question.

If you have a breach then it is in your interest to declare it asap as it drops the penalty down a considerable amount.

Most of the time in the EU (I am mostly UK experience) you get reported to the authorities (normally after you refuse to delete someone, or someone is just feeling malicious) who then come in and check. Mostly if you work with them and show good faith in fixing the problem (and you haven't been caught selling data or anything like that) then the UK Information Office will play nice and give you some time to fix the issue.
 

Offline JPortici

  • Super Contributor
  • ***
  • Posts: 3573
  • Country: it
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #5 on: January 31, 2023, 05:31:10 am »
Quote
What you could do is create a system of 2FA in addition to a password and username. That would beef up security but also require people of this forum to install a 2FA app on either windows, android or ios or Linux.

But it also means that you can meet the guidelines of the GDPR.

Simply ask new users to scan a QR code on their app or copy a line of text into their windows/linux authenticator app.

What? Nothing like that is required. As Andrew said, as long as you don't sell information and delete it when requested you are fine. Only websites that require 2FA to be used are banks, institutional websites, and the Google/Apple developer websites (and the like), and I'm sure it's only so they have an extra layer of CYA; it's not mandated by GDPR.
 

Online SiliconWizard

  • Super Contributor
  • ***
  • Posts: 15800
  • Country: fr
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #6 on: January 31, 2023, 06:03:28 am »
Quote
It could also be that it is simply not enforced. How do you ever know what information a forum keeps around? How does enforcement work?

All that can be enforced (same in the EU currently) is that websites *ask* for permissions to store cookies and stuff, and provide a contact form/email where users can ask for personal data that the website holds about them and/or ask to delete it. As this is what can be "seen" from the outside, this is all that can be enforced. Websites/servers can just pretend they comply by showing what is expected, and do absolutely nothing else.

What they do behind the scenes, nobody can know until there is an investigation, which happens very rarely and only for the big guys usually, such as Facebook, Apple, Google, MS, etc.

And of course, even for the ones that do everything right, server backups still pose unique challenges as backups could contain data that is no more accessible on said server, but still held somewhere and owned by the company until the backups are destroyed, and for those using complex backup schemes involving chains of remote datacenters, you can imagine that "fully deleted data" is little more than fiction these days.
 

Offline redkitedesign

  • Regular Contributor
  • *
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #7 on: January 31, 2023, 07:40:41 am »
Quote
It could also be that it is simply not enforced. How do you ever know what information a forum keeps around? How does enforcement work?

Quote
What they do behind the scenes, nobody can know until there is an investigation, which happens very rarely and only for the big guys usually, such as Facebook, Apple, Google, MS, etc.

Of course, with the GDPR being an EU thingie, it is implemented in every EU member state separately, with their own laws and enforcement.

However, I do know of a publisher (DPG Media) and a City (Enschede) who've gotten fines (of 525000 and 600000 Euros) for GDPR-violations.
Another one (Voetbal Totaal) was reverted on appeal. So enforcement does exist (but isn't only focused on Internet/Media companies)
 

Offline Ranayna

  • Frequent Contributor
  • **
  • Posts: 986
  • Country: de
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #8 on: January 31, 2023, 12:14:18 pm »
Forums like these still exist in Germany. GDPR compliant. And from what I gather Germany is comparatively restrictive with data protection laws.
You need to consider that the GDPR does *not* prohibit any and all data collection.

If you have a legitimate need for a piece of information, like the email address for registration as a way to verify and recover accounts, it is allowed to store it. What you cannot do is use that information for anything else that takes your fancy, like selling it to some information broker or ad company.

For deleted users the posts stay, and in all cases I remember the username also was kept associated to the posts, but the account information linked to the username is gone. Just prohibit using the email as actual username, and you are safe in that regard.
It can get a bit ugly though if someone used their real name as handle. I have seen it anonymized as "user<randomnumber>", but quotes are often not retroactively changed. I do not know if that might even be a GDPR issue though, since I don't think it is a reasonable expectation to do a "search & replace" through the whole forum.

Considering that at least one "User purge" that also removed most posts of that user happened here on the EEVBlog, I do not see what the effects really would be though. There is precedent, after all. Also I would not expect that such full purges are something that would often get requested here, since hopefully most users here are rather reasonable.
 
The following users thanked this post: thm_w, Jacon

Offline redkitedesign

  • Regular Contributor
  • *
  • Posts: 111
  • Country: nl
    • Red Kite Design
Re: Proposed changes to the Australian Privacy Act (Right to Erasure)
« Reply #9 on: February 01, 2023, 02:16:01 am »
Quote
It can get a bit ugly though if someone used their real name as handle. I have seen it anonymized as "user<randomnumber>", but quotes are often not retroactively changed. I do not know if that might even be a GDPR issue though, since I don't think it is a reasonable expectation to do a "search & replace" through the whole forum.

Strictly speaking, the quote is protected by the copyright of the poster. So the user who wants to be forgotten has to ask the poster who made the quote. It also affects the right of free speech of the poster, and ECHR (european convention of human rights, required law in all EU states) says that when two rights collide (free speech versus right to be forgotten) neither is an absolute.

Since that becomes an untanglable mess really quickly, the GDPR considers that unreasonable.
 

