On 19 January 2017, the Full Court of the Federal Court of Australia handed down its much anticipated decision in relation to whether certain types of network data stored by Telstra Corporation Limited (Telstra) was ‘personal information’ for the purposes of the Privacy Act 1988 (Cth) (Privacy Act).
Notably, the Federal Court was not asked to consider whether the network data was ‘personal information’1.
Instead, the Privacy Commissioner’s appeal was primarily focused on the significance of the phrase ‘about an individual’ within the wider definition of ‘personal information’. The Privacy Commissioner contended that those words were redundant.
If the Privacy Commissioner was correct, and the phrase ‘about an individual’ was redundant, then it would follow that the definition of personal information would have wider application.
The Federal Court unanimously dismissed the Privacy Commissioner’s appeal – it found that the words ‘about an individual’ were relevant. This finding was sufficient for the Federal Court to dismiss the appeal.
As a consequence, not all information which concerns or relates to an individual has the potential to be ‘personal information’ – that information must be ‘about an individual’ in order to do so.
The Federal Court also provided some guidance to follow when assessing whether information is ‘personal information’:
- Firstly, is the information ‘about an individual’ (ie an individual must be the subject matter of the information)? This will depend on the facts of the case.
- Secondly, is the identity of an individual ascertainable or can it reasonably be ascertained?
While there is now judicial clarification that this ‘two step’ process seems to be required, the decision’s practical significance is qualified by the fact that the court did not elaborate on the actual meaning of the term ‘about an individual’ or when, and in what circumstances, the identity of an individual can be ‘reasonably ascertained’.
Further, it is worth bearing in mind that this decision concerned the pre-12 March 2014 definition of ‘personal information’ under the Privacy Act and that the current definition is slightly different. However, there does not seem to be any reason why the current definition would also not involve this two step analysis.
A summary of the decision and facts of the case is provided below.
At its heart, this dispute centered on the interpretation of the Privacy Act definition of ‘personal information’ and whether metadata stored by Telstra was information ‘about an individual’ and thus ‘personal information’ as defined by the Privacy Act.
Metadata is generally understood to refer to data that is about or describes other data.
It is important to note that the Federal Court considered the application of the (now superseded) National Privacy Principles (NPP) and the wording of the definition of ‘personal information’ that was included in the Privacy Act, prior to when many significant amendments were made to that Act in March 2014.
NPP 6.1 granted an individual a right to access personal information about the individual held by an agency or an organisation.2 Under the Privacy Act the definition of ‘personal information’ at the relevant time was:
‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’3 (emphasis added).
In June 2013, a Fairfax journalist, Mr Ben Grubb, requested that Telstra provide him with access to all of the metadata stored by Telstra concerning his mobile service. The requested data included the:
- estimated longitude and latitude positions of the cell towers used in communications
- time a data session had begun and finished
- URLs of websites accessed by him and
- cell towers that he was connected to at a given time.
Telstra initially responded by stating that some of the requested information (such as inbound or outbound calls and data usage) could be found from Mr Grubb’s online billing account. However, Telstra took the position that the balance of the information would not be provided without a subpoena. After Telstra’s response, Mr Grubb lodged a complaint with the Privacy Commissioner to seek access to all of the data he requested. In response to the privacy complaint, Telstra provided additional metadata to Mr Grubb but continued to withhold network data and incoming call records.
This network metadata included IP address information, URL information and cell tower location information and it was this subset of metadata which became the subject of the ultimate appeal to the Federal Court.
The Privacy Commissioner’s decision
The Privacy Commissioner accepted that the network metadata held by Telstra was ‘personal information’ on the basis that it was information about an individual and that an individual’s identity could reasonably be ascertained by cross matching the network metadata with other databases held by Telstra4. Consequently, the Privacy Commissioner determined that Telstra was in breach of NPP 6.1 as it had failed to provide Mr Grubb with access to his personal information.
In coming to the conclusion that Mr Grubb’s identity could be reasonably ascertained from the network metadata, the Privacy Commissioner placed emphasis on the fact that it was:
- possible, given that Telstra had previously responded to requests from law enforcement agencies to cross-match metadata to ascertain an individual’s identity and
- reasonable to provide the network metadata to Mr Grubb, in light of the resources and existing operational capacities at Telstra. On this point the Privacy Commissioner noted that Telstra could charge Mr Grubb for the resources required to provide him with his network metadata and had indeed offered a similar service to customers before the decision was handed down.
Regarding the request for incoming call records, the Privacy Commissioner found that granting access to this information would have an ‘unreasonable impact on the privacy of other individuals’ and the request was denied based on the exception set out in NPP 6.1(c).
The AAT’s decision
Telstra sought a review of the Privacy Commissioner’s decision by the AAT. The AAT adopted a different (and narrower) approach to the definition of ‘personal information’. The AAT’s approach focused on the importance and relevance of the words ‘about an individual’.
The AAT found that the mobile network data was information ‘about’ the way in which Telstra delivers its calls and messages. It was not information ‘about an individual’ (ie Mr Grubb). This was so, notwithstanding the fact that Telstra would not have generated the network metadata if Mr Grubb had not made the calls or sent the messages5. Accordingly, the AAT concluded that Mr Grubb’s rights to access personal information did not extend to the network metadata. The AAT also distinguished Mr Grubb’s rights under the Privacy Act from the rights of law enforcement agencies that permit those agencies to access network metadata, pointing out that separate and distinct legislative regimes apply to the access by enforcement agencies of information stored by Telstra.
The Federal Court’s decision
The Privacy Commissioner appealed the AAT’s decision to the Federal Court. The appeal concerned the significance of the words ‘about an individual’ in the definition of ‘personal information’, as they applied in 2013.
The Privacy Commissioner contended that the AAT erred in focusing on the words ‘about an individual’ as the first step in deciding whether Telstra’s network data was personal information or about something else. In addition, the Privacy Commissioner argued that the words ‘about an individual’ were redundant and weight should not be given to those words6.
The Federal Court found that the words ‘about an individual’ had meaning and substantive effect. This was sufficient to dismiss the Privacy Commissioner’s appeal. The Federal Court also commented that the words ‘about an individual’ required an individual to be the subject matter of the information in question.
The Federal Court did not decide the broader question of whether any of the information originally requested by Mr Grubb was ‘personal information’. As stated above, there was no ground of appeal raised by the Privacy Commissioner which alleged that the AAT erred in its conclusion that the network data was not about Mr Grubb.
The Federal Court provided very little guidance on how one should assess whether information is ‘about an individual’, and thus potentially personal information. The Federal Court merely stated that such an assessment required an evaluative conclusion, and would ultimately depend upon the facts of any individual case7.
The Privacy Commissioner’s grounds of appeal were narrowly defined and ultimately only required the Federal Court to consider whether the words ‘about an individual’ were significant or not and not their actual meaning.
The definition of personal information is central to the operation and scope of the Privacy Act. However, without further consideration by the courts, the precise meaning and scope of the types of information which are covered is unclear and can give rise to uncertainty in particular situations. This is highlighted by the fact that the Privacy Commissioner and AAT took different approaches to the interpretation of the definition of ‘personal information’ in this case. At the very least, this case provides some useful guidance on the relevance of the words ‘about an individual’ as those words are still used in the current version of the definition (although in a slightly varied form)8.
In any event, the significance of this case is qualified by the fact that the Federal Court considered the pre-12 March 2014 definition of personal information and before the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth) was enacted. This Act deems certain telecommunications data to be personal information under the Privacy Act.
It remains to be seen how the Privacy Commissioner will respond to the Federal Court decision. It is also unclear at this stage whether the Privacy Commissioner will draw upon this decision to provide updated guidance on the interpretative approach that should be taken to the current version of the definition of ‘personal information’. The Privacy Commissioner has released a brief statement on its website that it is currently considering the decision.
We will keep you updated on any changes the Privacy Commissioner makes to its guidance material in light of the Federal Court decision. A current version of the Privacy Commissioner’s guidance material, the APP Guidelines can be found on the OAIC website.
This article was written with the assitance of Cameron Forsyth, Law graduate.