The Commonwealth Privacy Commissioner (the Commissioner) late last week released a determination that considers the meaning of 'personal information' under the Privacy Act 1988 – a term that has been the subject of scant jurisprudence to date.
The Commissioner found that metadata held by Telstra was 'personal information', and that Telstra breached the Privacy Act when it did not provide access to that metadata to the individual to whom the metadata related.
From the Commissioner's determination, it appears that metadata can be – but may not always be – personal information, depending (perhaps) on the resources and operational capacities of the entity holding the information. Entities should be mindful that the determination indicates that the Commissioner is taking a broad approach to the interpretation of personal information.
The complaint and the determination
On 8 August 2013, journalist Ben Grubb lodged a complaint with the Office of the Australian Information Commissioner claiming that Telstra had breached his privacy by refusing him access to metadata Telstra stores in relation to his mobile phone service. In his access request to Telstra, Mr Grubb observed the following in relation to the 'metadata' the subject of his request:
The metadata would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called and so on. I assume estimated longitude and latitude positions would be stored too.
Over a period of time Mr Grubb was provided with some, but not all, of this metadata.
The Commissioner made a determination last week that Telstra had interfered with Mr Grubb's privacy by failing to provide him with access to his personal information (being the metadata) in breach of National Privacy Principle 6.1. Telstra is now required to provide Mr Grubb with access to the following metadata:
- Internet Protocol (IP) address information;
- Uniform Resource Locator (URL) information; and
- cell tower location information beyond the cell tower location information that Telstra retains for billing purposes (to which Mr Grubb had already been given access).
Inbound call numbers have been excluded from the list above, on the basis that the provision of this information to Mr Grubb would have an unreasonable impact on the privacy of others.
The Commissioner's determination turned on whether the metadata referred to above is 'personal information'.
The meaning of 'personal information'
As Mr Grubb's complaint related to events that occurred prior to the reforms to the Privacy Act which commenced in March 2014, the previous definition of 'personal information' was considered by the Commissioner. Nonetheless, because the new definition is actually broader than the previous definition, we think it unlikely that the outcome of the determination would have been different had the new definition been applied.
The Commissioner considered that the previous definition of personal information had the following two key elements:
- the information must be about the individual; and
- the information must be information from which the individual's identity is apparent, or can reasonably be ascertained.
Information about Mr Grubb
The Commissioner had little difficulty finding that the metadata (including the inbound call numbers) was information about Mr Grubb as the information could be linked to Mr Grubb and his mobile phone activity. In reaching this conclusion, the Commissioner cited the Macquarie Dictionary Online definition of 'about' meaning 'in regard to, concerning or connected with'.
Information from which Mr Grubb's identity is apparent, or can reasonably be ascertained
The second element of personal information required closer examination. The Commissioner found that the metadata was information from which Mr Grubb's identity could reasonably be ascertained because Mr Grubb could be identified from inquiries from, and cross-matching against, Telstra's various network management and records management systems.
There is a credible argument that the process of cross-matching does not really fit within the previous definition of personal information, given the individual's identity is required to be ascertained from the information. However, as the updated definition of personal information no longer requires this nexus – instead merely requiring that the individual be reasonably identifiable – this argument is unlikely to be effective going forward.
In contrast, the Commissioner's consideration of reasonableness can, and most likely will, have an ongoing impact. The Commissioner accepted Telstra's evidence that extracting some of the metadata may take some time and require interrogation of several of Telstra's information systems by a group of specifically qualified personnel. However, the considerations of time and cost were given little weight by the Commissioner having regard to Telstra's resources and operational capacities, which led the Commissioner to conclude that Mr Grubb's identity was reasonably ascertainable from the metadata.
The Commissioner seemed to be in part swayed by the fact that the inquiries and cross-matching required were processes already implemented by Telstra for network assurance purposes and in responding to requests for metadata by law enforcement agencies and other regulatory bodies. The Commissioner saw this as indicative of Telstra's ability to ascertain an individual's identity from the metadata.
It is somewhat questionable whether the Commissioner's conclusion on reasonableness is consistent with industry practice which, in turn, is heavily shaped by the Office of the Australian Information Commissioner's Australian Privacy Principles guidelines (Guidelines). In providing guidance on the meaning of 'reasonably identifiable' (as used in the new definition of personal information), the Guidelines state:
Even though it may be technically possible to identify an individual from information, if doing so is so impractical that there is almost no likelihood of it occurring, the information would not generally be regarded as ‘personal information’. An individual may not be reasonably identifiable if the steps required to do so are excessively time-consuming or costly in all the circumstances. [at B.93, citations omitted]
This would appear to apply equally to the former equivalent of 'reasonably identifiable', being that the individual's identity can 'reasonably be ascertained'. The difficulty in aligning the Commissioner's determination with the Guidelines is likely to heighten the uncertainty faced by organisations in deciding if information they hold is personal information. It is possible that the result in the determination was an outcome of Telstra failing to discharge its evidentiary burden rather than a departure from the guidance in the Guidelines, but this is not clear on its face from the determination.
Telstra, as well as the telecommunications industry more broadly, is unhappy with the determination. Telstra has stated that the determination would require it to go beyond the lawful assistance it currently provides to law enforcement agencies, which seems inconsistent with the Commissioner's understanding (from the determination) that the inquiries and cross-matching process is already substantially implemented.
Telstra has also argued that the determination goes beyond what it is required to retain under the data retention regime. This argument appears a bit misplaced, as the fact that metadata may be personal information does not mean (of itself) that Telstra is required to retain the information under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015. Nonetheless, the intersection between these two regimes is now undeniably heightened.
Telstra has indicated that it will be seeking a review of the determination. Hopefully any review will resolve the uncertainty created around the meaning of 'reasonableness' in the definition of personal information.