Cinthya Laky, founder of Style and Byte, talks with European jurist Blanka Halasi about Australia’s latest privacy legislation, with a focus on the right to access personal data and the right to erasure.
The intersection of data protection and artificial intelligence is no longer just a topic for lawyers. It affects all of our lives—ours and our children’s as well.
It’s important to understand that in the digital world, our data is not merely a collection of statistics and bits, but personal values under legal protection.
Legislation spanning the intersections of artificial intelligence is currently underway. Australia’s 2025 Privacy Reform sets a completely new direction for automated decision-making, transparency, and individuals’ data rights. It is against this backdrop that we launched a related series of articles.
In our first article, we discussed the background and goals of Australia’s privacy reforms. In that piece, Blanka Halasi, technology and data protection legal expert at Style and Byte Magazine, elaborated in detail on how the new regulation affects automated decision-making, AI transparency, and the handling of biometric data. It also covered how Australian laws relate to European regulations such as the GDPR and the AI Act. You can read the full interview here:
In the second article of our series, we take an in-depth look at the right to access personal data and the right to have it erased. These rights are not merely theoretical possibilities—they are essential practical tools that allow us to use data in a convenient and transparent way.
Blanka shows how the Australian approach fits into the world of European norms—such as the GDPR and the AI Act—and what this could mean for technology and our future.
The Right to Access and Erasure
Australia’s Privacy Act 2025 reinforces individuals’ rights to access their data and have it erased, which serves to protect privacy in the digital world. The EU GDPR also addresses these points.
Question: What do the “right to access data” and the “right to erasure” actually mean, and why might anyone need them?
Answer: Questions like these are not answered in the AI Act, but primarily in the 2018 GDPR, which outlines personal data management limits and requirements at the EU level.
It is no coincidence that personal data is often called ‘the new oil’ nowadays, as its significance in the digital world—especially personal data—is as indispensable as oil once was.
With just a single piece of personal data, one can:
- Create a new identity,
- Gain access to bank accounts, or
- Become a victim of crime if these details are not properly protected.
This is precisely why the European Union established a comprehensive regulation aimed specifically at protecting personal data.
The GDPR details the rights of individuals regarding how they can manage their personal or sensitive data. Particularly important are the rights outlined in Articles 13–22:
- One of these is the right of access, which allows individuals to see their personal data and receive information about how and why it is processed.
- Another fundamental right is the right to erasure—or the “right to be forgotten”—which allows individuals to request deletion of personal data when its processing is no longer justified.
This legal framework ensures that personal data is processed transparently, controllably, and in a manner that protects individuals’ interests within the European digital space.

Question: How will the Australian reform affect these rights in practice? What does European practice show?
Answer: As mentioned earlier, the EU’s data protection regulation—especially the General Data Protection Regulation (GDPR), adopted in 2016 and enforced in 2018—represents a milestone in personal data protection, serving as a global model.
Let’s look closely at the two main topics of today’s article: the right to access data and the right to erasure.
The right to access (GDPR Article 15) allows individuals to receive detailed information about:
- What personal data is stored about them,
- The purposes for which it is processed,
- Who has access, and
- How long it is retained.
This right forms the foundation of transparency, which is essential for building trust in the digital environment. The European Data Protection Board (EDPB) emphasizes that:
“Data controllers must not only provide access to the requested data but also provide clear, easily accessible information to data subjects.”
The right to erasure, also known as the “right to be forgotten” (GDPR Article 17), has received particular attention in court practice. This right allows individuals to request deletion of personal data if its processing is no longer justified or if consent has been withdrawn.
The European Court of Justice’s ruling in the Google Spain case was of fundamental importance, stating that search engine operators must, in certain cases, remove personal data that is “outdated or irrelevant” in the given context.
The GDPR also imposes strict conditions on data controllers to respond to requests quickly and transparently. The law specifies that:
- Access requests must be responded to within one month,
- And data provision must be free of charge.
In practice, this represented a significant change compared to previous national regulations. Data protection authorities play an active role in enforcing compliance.
If data controllers fail to fulfill their obligations, fines of several million euros can be imposed.
The Australian Privacy Act reform will have a significant impact on the practice of handling personal data, especially when compared to the well-established EU rights of access and erasure. While the GDPR laid the groundwork for years of practice, the Australian reform seeks to keep pace with these expectations. A key element is the expansion of the right to access, building on EDPB transparency principles and requiring more detailed information from data controllers. Additionally, individuals will have the right to object to “unfair or unreasonable” forms of data processing, emphasizing human rights considerations.
In the area of the right to erasure, the Australian regulation not only adopts the GDPR’s “right to be forgotten” principle but also complements it with a requirement to anonymize data where deletion is not possible or justified (OAIC, 2024).
From a European perspective, the Australian reform shows that global data protection regulation is increasingly aligning with EU norms, which may facilitate harmonization of data practices and strengthen data protection rights internationally.

Question: How easy or difficult is it to exercise these rights today? Are there practical challenges?
Answer: The rights to access and erase data are clearly established in both the European GDPR and the Australian Privacy Act reform. However, the text of the law alone does not guarantee that individuals can easily and effectively exercise these rights in everyday practice. Real challenges typically arise in implementation.
In theory, the right to access data is simple: anyone can request that a company or organization show what data it holds about them. In practice, it is often more complicated.
Many individuals are unaware of where and how to make such a request, and company privacy notices are often difficult to understand or hidden on websites.
The data provided often comes as technical documentation or datasets, which are difficult for the average user to interpret. Additionally, companies sometimes make identity verification excessively complex, for example, by requiring paper documents for online data requests, which acts as a deterrent.
The EDPB emphasizes that the right of access is fully realized only if providers not only release the data but also present it in a clear and transparent manner. The Australian Privacy Act 2025 reform moves in this direction, requiring that data provision be “easily understandable, transparent, and free from misleading information.”
Exercising the right to erasure is even more complex. Requesting deletion is one thing; ensuring that the company actually deletes all data completely is another.
Data often exists across multiple systems, backups, or secondary storage, and deletion from these is often not automatic or resolved. Furthermore, companies often cite legal or business reasons, such as accounting or fraud prevention obligations, which can prevent immediate deletion.
This is often confusing and frustrating for individuals. Moreover, if the data has been shared with other companies, the individual cannot track whether deletion occurred there, so data can “survive” in the system.
Previous European court rulings—such as the “right to be forgotten” cases against Google—show that the right to erasure works effectively only if the request is precise, well-founded, and identifiable. Aware of this, the Australian reform goes further, requiring companies not only to delete data but also to inform the individual with whom the data was shared and to forward the deletion request to these third parties as well.
Question: Could you provide 1–2 practical examples to better understand our rights in these areas?
Answer:
1. Right of Access – A User Request on a Social Media Platform
Anna registered on a popular social media platform and wants to know what personal data is stored about her. She requests access from the data controller in writing.
Theoretically: The data controller must provide Anna with her data in a transparent and understandable form. This may include basic information, posts, comments, as well as profile-related analyses or advertising data.
In practice: Anna receives a data package that mainly contains technical log files and encoded identifiers she doesn’t understand. The documentation does not help her understand exactly what data is used and for what purpose. Moreover, the platform responds only after several weeks.
This example clearly shows that although we have the right to access data, providers often fail to communicate this information clearly to average users, limiting the practical enforcement of the right.

2. Right to Erasure – A Customer Request at an Online Store
Peter previously purchased from an online store but no longer wants his personal data stored. He submits a request for deletion.
Theoretically: The store must remove Peter’s personal data, except where mandatory retention is required by law (e.g., for invoicing).
In practice: Although the store deletes Peter’s data from its system, the data remains with a partner company handling marketing campaigns. Peter cannot verify this, nor does he receive information from the partner about deletion. As a result, his data does not truly disappear from the digital space, and he continues to receive marketing messages.
This situation demonstrates that transparency in the data-handling chain and accountability of all parties involved are crucial for fully exercising the right to erasure. The Australian Privacy Act reform aims to address this gap by requiring deletion requests to be forwarded to third parties.
Conclusion
It is important to understand that protecting our data, our digital footprint, and our digital identity are all part of what surrounds our life and personality. Personally, I see more potential in having more data (for example, without it AI would not exist, or the police could find abducted people more easily), but awareness is primary. To understand the importance of data protection, we must first know how our data can be used, and secondly, we must understand the legal environment that protects us from abuse.
The recent scandals around the Flo and TEA apps highlight just how valuable our data is and that legislation worldwide must focus on protecting individuals. Australia is taking action and expanding the legal framework. We hope other nations follow suit.