If you’ve ever Googled your name and found something you wish wasn’t there, you’ve probably wondered whether you can make it disappear. That’s where the “right to be forgotten” comes in - a concept that’s been making headlines since the European Union introduced strong data protection rights under the GDPR.
In Australia, the position is a bit different. We don’t have a single, catch-all legal right to be forgotten in the same way Europe does. But there are still important rules about how your personal information can be collected, used, stored and, in some cases, deleted.
In this guide, we’ll break down what the right to be forgotten means in plain English, how it compares in Australia, and the practical steps businesses should take to handle removal requests, reduce risk, and stay compliant with privacy law.
What Does “Right To Be Forgotten” Mean?
The “right to be forgotten” is a shorthand way of describing a person’s ability to request the deletion or de-indexing of personal information about them. In the EU’s General Data Protection Regulation (GDPR), this is the “right to erasure” - individuals can ask organisations to delete their personal data in certain circumstances (for example, where it’s no longer needed, consent is withdrawn, or the data was processed unlawfully).
There are two common scenarios people are thinking about when they use this term:
- Deletion by the holder of the data: You ask a business or platform that holds your personal information to delete it.
- De-indexing by a search engine: You ask Google or another search provider to remove certain search results so that information is harder to find (even if it still exists on the source website).
In both cases, it’s not an absolute right. There are exceptions - for example, where keeping the information serves the public interest, freedom of expression, or compliance with laws that require certain records to be retained.
Does The Right To Be Forgotten Exist In Australia?
Australia’s current privacy framework is different. The Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) regulate how certain organisations and Australian Government agencies handle personal information. Under the APPs, individuals generally have a right to access and correction (APP 12 and APP 13). However, there’s no broad, GDPR-style right to erasure for every situation.
That said, Australian law still expects organisations to securely destroy or de-identify personal information they no longer need for the purpose for which it was collected (unless a legal obligation requires retention). In other words, deletion is sometimes required - but it flows from data minimisation and retention rules rather than a standalone “right to be forgotten.”
Key points to keep in mind in Australia include:
- No general erasure right: Individuals can request corrections, and businesses must take reasonable steps to ensure personal information is accurate and up to date. But deletion is only required in certain circumstances.
- Retention and destruction duties: If you no longer need the personal information for a lawful purpose, you should destroy or de‑identify it, unless keeping it is legally required.
- Search engines and de-indexing: Australian law doesn’t give a general statutory right to demand de-indexing. Requests to search engines are handled under their policies, and some disputes end up being considered under defamation or other laws depending on the facts.
- GDPR may still apply: If your Australian business offers goods or services to people in the EU or monitors their behaviour, GDPR obligations (including erasure) may apply extraterritorially.
If your business operates internationally, it’s important to map which laws apply to which customers and data flows, and then implement processes to honour those rights where required.
When Could You Still Need To Delete Data In Australia?
Even without a general erasure right, Australian businesses often need to delete or de‑identify data. Common triggers include:
- Original purpose is complete: You collected a customer’s details to fulfil a one-off order. The order is complete, warranty periods have passed, and there’s no legal reason to keep the information. It’s time to securely destroy or de-identify it.
- Consent withdrawn for optional uses: If you relied on consent for a non-essential use (for example, a marketing list) and that consent is withdrawn, you should stop using the data for that purpose. In many cases, deletion from that marketing list is the right call.
- Legal retention period has ended: Some laws require you to retain certain records for specific periods. When those periods end, you should destroy or de‑identify the data.
- Data minimisation and accuracy: If you’re holding inaccurate or out-of-date personal information that you can’t reasonably correct, destroying it can be the appropriate step.
Good governance here isn’t just about risk reduction - it’s also about building customer trust. Clear retention rules, transparent notices and easy opt‑outs make it more likely customers will engage with your brand confidently.
If you’re designing or updating your internal rules, it helps to align your practices with the principles discussed in Data Retention Laws so your team has a practical, defensible framework to follow.
How Should Businesses Handle Erasure And De-Indexing Requests?
Even though Australian law doesn’t enshrine a universal right to be forgotten, you’ll still receive requests to “delete my data” or “remove my name from your site.” Having a repeatable process helps you respond quickly and consistently.
1) Verify The Requester’s Identity
Before you disclose, alter or delete any personal information, verify that the person making the request is who they say they are. This protects your customers and reduces the risk of unauthorised changes.
2) Identify The Legal Basis For Holding The Data
Map the personal information you hold and why you hold it (contract, consent, legal obligation, legitimate interests, etc.). If you still need the information for a lawful purpose, you may refuse deletion but should explain why and offer alternatives (such as suppression from marketing lists).
3) Check Retention And Legal Holds
Some records cannot be deleted yet because of accounting, corporate, workplace or other legal obligations. Where a legal hold applies (for example, an active dispute), you should preserve relevant data.
4) Decide: Deletion, De-Identification Or Suppression
If you no longer have a legal basis to retain personal information, delete it securely (including from backups where feasible and appropriate). Where operational needs remain, consider de‑identification. For marketing, suppression (keeping minimal details on a “do not contact” list) is often better than deletion to ensure the person is not re‑added accidentally.
5) Communicate Clearly
Let the requester know the outcome, what you deleted, what you kept and why, and how long any retained records will be kept. If you rely on policy or legal obligations, reference them plainly and invite further questions.
6) Search Engine De-Indexing
If someone asks you to remove content from your website, assess whether you should remove the content itself (for example, a blog post or staff profile) or whether de‑indexing is more appropriate. If the request is directed at Google (or another search provider), the individual will typically submit that request directly to the search engine. You should still cooperate where appropriate, especially if you control the source content.
7) Keep An Audit Trail
Document what you did and why. A simple internal log helps if the request escalates or repeats. This also feeds into your continuous improvement: if you see patterns, you can refine data flows or forms to reduce future friction.
8) Update Your Notices And Preferences
Make sure your Privacy Policy and collection notices explain how people can make access or correction requests, how to opt out of direct marketing, and what happens when they do. Clear unsubscribe and preference controls are essential - and they also support compliance with Email Marketing Laws.
What Legal Documents And Policies Support Compliance?
Great privacy compliance isn’t only about reacting to requests - it’s about having the right documentation and processes from the start. The following tools help you manage personal information properly and respond to removal requests with confidence.
- Privacy Policy: Explains what personal information you collect, why you collect it, where it’s stored, who it’s shared with and how people can access, correct or complain.
- Cookie Policy: Tells users about tracking technologies on your website, the purposes (analytics, advertising, functionality) and how to manage consent or preferences.
- Privacy Collection Notice: Short, context‑specific notice presented at the point of collection (for example, at checkout or sign‑up), reinforcing key privacy information.
- Data Processing Agreement (DPA): Contract terms with vendors who process personal information for you (for example, SaaS providers), covering security, sub‑processors, deletion and assistance with requests.
- Data Breach Response Plan: A step‑by‑step plan for identifying, containing and notifying eligible data breaches under the Notifiable Data Breaches scheme.
- Internal Retention Schedule: A practical matrix listing categories of personal information, where they live, who owns them and how long they’re kept. This is informed by your obligations under Data Retention Laws.
If your business relies on scraping or aggregating data from public sources, it’s also wise to revisit how those activities intersect with your privacy obligations and the terms of the websites involved - our guide on web scraping steps through the main issues.
Common FAQs About The Right To Be Forgotten In Australia
Is There Any Way To Remove My Name From Google In Australia?
There’s no automatic legal mechanism that forces de-indexing across the board. However, search engines have their own processes for removing certain content (for example, sensitive personal information, doxxing, or content that violates their policies). If the issue relates to defamatory content, you should seek legal advice promptly to assess your options.
Can Customers Force My Business To Delete Their Records?
Customers can ask, and you should assess the request carefully. If you no longer need the data and have no legal basis or obligation to keep it, deletion or de‑identification is appropriate. If you must retain certain records (for example, tax or employment records), explain this clearly and limit the use of that information to the necessary purpose only.
We Sell To EU Customers - Do We Need To Honour GDPR Erasure?
Possibly. If you offer goods or services to EU residents or monitor their behaviour, the GDPR may apply to those data subjects. In practice, many Australian businesses implement GDPR‑compatible processes to avoid maintaining two different standards. DPAs with your vendors are also critical here to ensure deletion cascades through your supply chain.
Do We Have To Delete Backups?
Aim to implement a reasonable approach. If your backups are immutable and deleting individual records is impracticable, you may keep data in cold storage for disaster recovery while preventing any operational restore or access for the deleted profiles. Your policy should explain this approach and ensure backups are rotated so data is eventually overwritten.
Practical Tips To Reduce Future Deletion Requests
There are a few design choices that can dramatically cut down on complex erasure requests:
- Collect less by default: If you don’t collect it, you don’t have to secure, find or delete it later.
- Separate operational data from marketing data: Make it easy to remove customers from marketing while retaining what’s necessary for accounting or legal requirements.
- Use short retention periods for high‑risk data: Payment details, health information and identity documents deserve tighter controls and shorter default lifespans.
- Offer self‑service controls: Easy profile editing and unsubscribe links reduce manual requests and improve customer experience. This aligns with obligations under Email Marketing Laws.
- Build deletion into vendor contracts: Ensure your cloud and SaaS providers will delete or return data on request, and pass that obligation to any sub‑processors via your Data Processing Agreement.
Key Takeaways
- The “right to be forgotten” (erasure) is a GDPR concept; Australia doesn’t have a general statutory right to erasure but does require destruction or de‑identification when personal information is no longer needed.
- Australian businesses must balance deletion requests with legal retention obligations and, where relevant, search engine de‑indexing policies and defamation risks.
- Implement a clear request-handling process: verify identity, assess your legal basis, check retention rules, decide on deletion, de‑identification or suppression, communicate outcomes and keep an audit trail.
- Foundational documents - including a Privacy Policy, Cookie Policy, collection notices, and a Data Processing Agreement - support day‑to‑day compliance and smoother responses to removal requests.
- Map your data retention rules against your obligations under Data Retention Laws, and ensure you have a tested Data Breach Response Plan.
- If you sell to EU residents, consider whether GDPR applies and align your processes to honour erasure requests for those customers.
If you’d like a consultation on handling “right to be forgotten” requests or updating your privacy framework, you can reach us at 1800 730 617 or team@sprintlaw.com.au for a free, no-obligations chat.


