Skip to content   Skip to footer navigation 

Why companies can keep your data forever

In Australia, your rights to have a company erase your data are very limited.

person_calling_company_on_smartphone
Last updated: 17 January 2023
Fact-checked

Fact-checked

Checked for accuracy by our qualified fact-checkers and verifiers. Find out more about fact-checking at CHOICE.

Need to know

  • Consumers in Australia have very few rights when it comes to getting companies to delete their personal data, even when they're no longer a customer
  • With the recent hacks of Optus and Medibank, the risks of having your data fall into the wrong hands are clearer than ever
  • Woolworths says it de-identifies customer Everyday Rewards data when an account is closed, but continues to retain 'personal information' 

After the recent Optus and Medibank data hacks, Gail became more conscious of her data and which companies were holding it. 

The Sydney resident decided to contact Woolworths and ask that her data from an Everyday Rewards Card she hadn't used in years was deleted and her account closed. The company's response disappointed her. 

Woolworths told her via email: "Regrettably, we can't delete your Everyday Rewards account. Instead, we'll continue to hold and use certain information as required or permitted by law." 

"I was pretty shocked," she says. "It got me thinking, you know, should I shop there?" 

The company did say they would close her account and "de-identify" her personal information, but Gail says this response wasn't good enough. 

"Really, I think we need some better regulation and to improve protections," she says. 

No right to erasure 

Anna Johnston from Salinger Privacy says unlike other jurisdictions such as the European Union, Australian consumers don't have a right to erasure of their data embedded in law. 

She said Australians do have a right to ensure company data on them is correct and that it's only being used in a way that is fit for purpose. But, Johnston says, these protections are vague in how they're defined. 

"We don't have an explicit right to deletion, but in some situations a customer may be able to argue that the purpose of any data being held has ended and it should be deleted," she says. 

The obligation should squarely be on the organisations to not keep data beyond a reasonable time period and to not use it for purposes that the customer doesn't want

Anna Johnston, Salinger Privacy

"Then we have the company defining the purposes for which they are going to keep, and keep using, that data. If they say they want to keep using that for marketing, for example, it becomes difficult," she adds. 

Johnston says the right to erasure is being considered in the upcoming review of the Privacy Act but, she warns, it wouldn't be a catch-all solution to companies holding your data. 

"We shouldn't need consumers to then do the heavy lifting [of having to ask companies to delete their data]. The obligation should squarely be on the organisations to not keep data beyond a reasonable time period and to not use it for purposes that the customer doesn't want," she says. 

Hoards of personal data  

CHOICE senior campaigns and policy adviser Rafi Alam says increasingly the purchase price of goods at the checkout isn't just in dollars, but in data. 

"Whether it's loyalty programs at Woolies or buying Christmas gifts online, consumers are forced to give up personal data just to buy the things they need. And under Australian law, this is a lifetime cost, with zero right to have this data deleted by businesses even when it's no longer needed for their purchase," he says. 

More and more it seems like Australia's biggest businesses are becoming data brokers first, willing to put their hoards of personal data above their customers' satisfaction

CHOICE senior campaigns and policy adviser Rafi Alam

"Personal data is personal for a reason, and businesses shouldn't get to hold onto this information when customers want it gone." 

He says Gail's example shows that companies like Woolworths were "desperate to cling to data" despite the customer's wishes. 

"More and more it seems like Australia's biggest businesses are becoming data brokers first, willing to put their hoards of personal data above their customers' satisfaction. And with many of these businesses mediating our access to essential services like groceries and housing, customers deserve more than to have their rights pushed aside for profits."

Woolworths responds 

In a response to our questions, a Woolworths spokesperson says their priority is "to do the right thing for our customers, including when it comes to data privacy".

"When an Everyday Rewards Member requests deletion of data, Woolworths Group takes steps to close their account, which involves the removal of any personal information on their Everyday Rewards account, including their name, address, email, contact number and date of birth.

To manage and demonstrate our compliance with laws, we may be required to continue to hold personal information

Woolworths spokesperson

"Once an Everyday Rewards account has been closed, personal information is no longer visible to our customer teams. However, to manage and demonstrate our compliance with laws, we may be required to continue to hold personal information. We are upfront with our customers on this, if they contact us regarding the deletion of their personal data," the spokesperson says. 

Reform needed 

Alam says he hopes the upcoming federal government review of the Privacy Act gives Australian consumers the same right to erasure that shoppers in the European Union have had for years. 

"Beyond this, the Privacy Act needs to ensure all businesses are treating their customers with a duty of care – including ensuring businesses only collect and keep the data they need to give consumers what they're paying for," he says. 

the Privacy Act needs to ensure all businesses are treating their customers with a duty of care

CHOICE senior campaigns and policy adviser Rafi Alam

"We've seen the risk of holding onto large amounts of personal data in the recent Optus and Medibank data breaches, and we're likely to see even more egregious examples unless the law is changed." 

We care about accuracy. See something that's not quite right in this article? Let us know or read more about fact-checking at CHOICE.

Stock images: Getty, unless otherwise stated.