Kick-starting the privacy debate in Australia in 2017, the Full Federal Court has handed down its judgment in Privacy Commissioner v Telstra Corporation Limited  FCAFC 4.
History of appeal
The decision concerns the now infamous dispute (in the privacy world at least!) concerning the meaning of 'personal information'. A request (described by one of the judges as 'misconceived') was made by journalist Ben Grubb to Telstra in 2013 pursuant to the information access principle in the Privacy Act 1988 (Cth) (Privacy Act) for access to metadata about his mobile phone service.
While providing Grubb with some information in response to his request, Telstra had refused Grubb access to information including mobile phone network data recording IP, URL and cell tower information. Grubb complained about the refusal to the Privacy Commissioner and his complaint was upheld. Telstra then sought review of the Privacy Commissioner's decision to the Administrative Appeals Tribunal (AAT), who found (in favour of Telstra) that the information was not 'personal information' as that term was then defined in the Privacy Act. (Grubb did not participate in the AAT review or the Federal Court appeal. The Court considered the submissions of the Australian Privacy Foundation and NSW Council for Civil Liberties who had applied for leave to be heard as amicus curiae.)
The bench of three Federal Court judges unanimously dismissed the Privacy Commissioner's appeal, making short work of the grounds of appeal, which they boiled down to (in their words) 'one very narrow question' of law. This was, whether the words 'about an individual' in the pre-2014 definition of 'personal information' in the Privacy Act have any substantive operation of their own. The Court found that they did, and that there was no appeal question before it that required re-consideration of the factual question of whether any of the metadata requested by Grubb was 'about an individual' and therefore Grubb's personal information. That said, the Court did express views on some of the information.
The outcome to what was the Australian Privacy Commissioner's first appeal to a superior court on the interpretation of the provisions in the Privacy Act is unlikely to be warmly welcomed, and its impact is uncertain. The judgment also leaves Australia out of step with other countries whose jurisprudence is moving towards expanding the breadth of personal information. While confined to a very narrow question of statutory interpretation about a definition that has since been amended, the Court's findings do not acknowledge the reality of the nature of technology driven data, and provide little practical guidance for organisations grappling with the question of when data they collect and hold will be personal information (and thus subject to the Privacy Act). This is a missed opportunity. However, it may ultimately matter little in practice, given the amended definition of personal information that has applied since March 2014 (set out in the comparison table below).
Definitions of personal information pre and post March 2014
Pre-March 2014: definition considered by the Court
Post-March 2014: definition that applies now
'information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.'
'information or an opinion about an identified individual, or an individual who is reasonably identifiable: (a) whether the information or opinion is true or not; and (b) whether the information or opinion is recorded in a material form or not.'
[our emphasis added)
Definition of personal information is a two-step process
The Court effectively endorsed the approach taken by the AAT, who had decided that the metadata was not 'personal information' (within the meaning of the pre-March 2014 definition), because it was not 'about an individual'. In reaching this conclusion, the AAT found there were two steps to determine whether information is personal information:
- first, determine if the information is 'about an individual'; and if so
- second, determine whether the identity of that individual 'is apparent or can reasonably be ascertained, from the information or the opinion'.
Many saw this as throwing a spanner in the works, particularly as Telstra had conceded before the AAT that the metadata was about Grubb. Organisations (and agencies) that are subject to the Privacy Act have learnt to consider whether an individual can be reasonably ascertained from information, rather than focussing on whether it is 'about' the individual.
In appealing this finding, the Privacy Commissioner contended that splitting the question into two steps in this way was the incorrect test. Rather, if there is information from which an individual's identity could reasonably be ascertained, then it will always be the case that the information is about the individual. In other words, 'about an individual' has no substantive operation itself. But the Court firmly rejected this approach, finding that 'about an individual' does have substantive operation.
When information is 'about' a person
The Court went on to discuss and consider the required degree of connection between information and an individual for the information to be 'about an individual'. It held that these words mean 'the individual [needs] to be a subject matter of the information or opinion' and 'information or opinions can have multiple subject matters'.
The Court said that considering the totality of the information requested requires an 'evaluative conclusion' and it accepted that a single piece of information could otherwise become information 'about an individual' when combined with other information. Examples of Grubb's phone colour and network type were not, it said, whether alone or together with other information, information about him. The Court did not need to consider the AAT's conclusions that none of the metadata, such as an IP address allocated to Grubb's mobile device, was about him, as this conclusion had not been challenged in the appeal. Had this fallen for consideration, it is not clear whether the Court, in applying the test above, would have found that the AAT erred in this regard. Its judgment suggests not.
A key difference in the current definition of personal information is that the individual does not need to be identifiable from the information or opinion. However, in relation to this, the Court stated as follows:
… whether information is “about an individual” might depend upon the breadth that is given to the expression “from the information or opinion”. In other words, the more loose the causal connection required by the word “from”, the greater the amount of information which could potentially be “personal information” and the more likely it will be that the words “about an individual” will exclude some of that information from National Privacy Principle 6.1. [para 64] (our emphasis added)
This statement could have unintended consequences for the interpretation of the current Privacy Act definition, because that definition does not include the word 'from'. Arguably, therefore, the causal connection the Court refers to is now even looser. Although it is not entirely clear, the Court seems to be of the view that, in such circumstances, there will be more information that will not be 'about an individual' and therefore excluded from the scope of the Australian Privacy Principles. This is concerning.
These key passages in the judgement do not make easy reading and appear to be out of step with the approach that organisations, lawyers and privacy professionals have generally taken to their assessment of when data will be personal information. It is difficult to know how the Court's approach would be implemented in practice because it separates two concepts that are, in reality, not mutually exclusive (which the new definition addresses). While it may be correct that information can be 'about anindividual' without identifying that individual, it is difficult to contemplate circumstances where the converse will be true. If an individual is identifiable from particular information, how can it be that the information is not 'about' them?
Does it all really matter anyway?
More guidance would certainly be useful for organisations and agencies to better understand how they should assess when, having regard to all the information they hold, particular information becomes personal information. The current guidance given by the OAIC in the (non-binding) APP Guidelines (at B79) refers to examples of information 'about a person'. It states that:
- 'the personal information 'about' an individual may be broader than the item of information that identifies them'; and
- 'what constitutes personal information will vary depending on whether an individual can be identified or is reasonably identifiable in the particular circumstances'.
But, however confusing and concerning it is, the impact of the decision may in practice not be so significant because:
- the new definition of personal information does not invite the two step assessment;
- as far as metadata that must be retained by the telecommunications industry under the amendments made to the Telecommunications (Interception and Access) Act 1979 is concerned, the metadata is deemed to be personal information for the purposes of the Privacy Act; and
- the value of the voluminous and often sensitive data that many organisations and agencies seek to collect and hold, and the importance of customer trust, should mean that where there is any doubt, they should treat information they collect and hold as personal information and take care to protect and handle it in a transparent, secure and fair manner.