21 February, 2016
Key points
On 18 December 2015, the Administrative Appeals Tribunal (AAT) handed down an independent merits review reversing the Office of the Australian Information Commissioner's (OAIC) earlier determination that certain metadata relating to journalist Ben Grubb constituted personal information under the Privacy Act 1988 (Act).
This decision raises two interesting propositions under Australian privacy law, namely that:
a) information may only be personal information regulated by the Act where the information is properly characterised as being "about" an individual rather than "about" something else; and
b) where this threshold test is not met, the fact that an individual can be identified by reference to the data or by collecting and linking separate information may be irrelevant.
Context of complaint
In June 2013, journalist Ben Grubb contacted Telstra claiming a right of access under the Act to "all the metadata information Telstra has stored" about him in relation to his mobile phone service. Telstra provided much of the requested metadata but withheld certain categories of information. Mr Grubb lodged a complaint with the OAIC claiming that Telstra had breached his rights under the Act in failing to provide all of the requested information. The key information in dispute related to certain network data and incoming call records.
In its determination of 1 May 2015, the OAIC ruled that the disputed "network data" was personal information under the Act, on the basis that Telstra was capable of cross-referencing it with other data held in its system to identify Mr Grubb from the data. The OAIC also held that the incoming call records were personal information "about" Mr Grubb. However, Telstra was not obliged to provide access to incoming call numbers as this would have an unreasonable impact upon the privacy of the other individuals contained in the records1.
The AAT decision relates to Telstra's appeal of the OAIC determination. As the matters relate to events that occurred prior to the Privacy Act reforms which commenced on 12 March 2014, the National Privacy Principles (NPPs) rather than the current Australian Privacy Principles were the subject of the determination and the AAT decision.
Mr Grubb stated at the hearing that he was not seeking access to the phone numbers of incoming callers, and the AAT focussed on whether Telstra's network data was personal information regulated by the Act. The question of whether personal information about incoming callers could be required to be disclosed or whether this would unreasonably impact on the privacy of others was therefore only considered in passing and the AAT did not make a finding on the issue.
Network data: information "about" an individual?
Under the pre-reform Act, "personal information" was defined to include information "about" an individual, from which the individual's identity is apparent, or can reasonably be ascertained2. Telstra argued that Mr Grubb’s identity was not apparent and could not be ascertained when regard was had solely to the mobile network data.
In turning to a construction based analysis of the definition of personal information under the Act, the AAT Deputy President focused on the threshold question of whether the information was "about" an individual, or whether the information was about some other matter.
In applying this test, the Deputy President considered whether the relevant Telstra mobile network data relating to the use of Mr Grubb's Telstra account was in fact information "about" Mr Grubb. The Deputy President noted that Telstra had "generated that data in order to transmit his calls and his messages", but stated that "[o]nce his call or message was transmitted … the data that was generated was directed to delivering the call or message" and was no longer "about" Mr Grubb but rather "about the way in which Telstra delivers the call or the message" for which Mr Grubb pays.
Similarly, the Deputy President was satisfied that an IP address was not information about an individual on the basis that an IP address "is not about the person but about the means by which data is transmitted from a person’s mobile device over the internet and a message sent to, or a connection made, with another person’s mobile device."
As such, the AAT found that Telstra’s mobile network data was not information "about" Mr Grubb, and so was not personal information for the purposes of the Act. Accordingly, Telstra was not in breach of NPP 6.1 in refusing to give Mr Grubb access to mobile network data relating to Mr Grubb.
In reaching this conclusion, the Deputy President highlighted that a tenuous link between information and an individual will not be sufficient to meet the requirement for the information to be properly characterised as being "about" the individual. The fact that the network data relating to Mr Grubb would not have been generated without his use of Telstra's mobile network was determined not to be a relevant factor in the determination of whether the information was "about" Mr Grubb.
Comment
The AAT's decision that the relevant metadata was not personal information because it was not "about" an individual raises some interesting questions. Prior to the AAT decision it was commonly thought that:
if an individual could be identified by particular information, or if information could otherwise be linked to an identified individual, it was most likely information "about" that individual; and
personal information could be "about" more than one thing (for example, about both a telecommunications network and an individual, rather than just one or the other).
The AAT's decision raises some questions over these propositions.
As noted above, the definition of personal information has now changed and the old definition examined in the AAT decision is not relevant to new circumstances or claims. However, it is important to note that even if the AAT decision had considered the current definition, it may not necessarily have resulted in a changed outcome given that the requirement for the information to be "about" an individual is retained in the current Act.
Although the AAT decision provides some guidance, the treatment of the definition of personal information is in its formative stages in Australia given the changes made to the definition and its limited judicial consideration. As such, some caution should be exercised in relying on a narrow interpretation of the definition of personal information.
In addition, there have also been relevant changes by way of section 187LA of the Telecommunications (Interception and Access) Act 1979. That provision deems metadata required to be retained for law enforcement purposes to be personal information. Although not considered in the AAT decision, the scope of the information to be retained is extensive and would likely cover most if not all of the information that was sought by Ben Grubb.
Mr Grubb has indicated via social media that he does not intend to appeal the AAT determination.
For further information, please contact:
Anne-Marie Allgrove, Partner, Baker & McKenzie
anne-marie.allgrove@bakermckenzie.com
