The Administrative Appeals Tribunal has overturned the Grubb determination of the Commonwealth Privacy Commissioner and found that mobile network data from an individual's phone activity does not constitute 'personal information' under the Privacy Act 1988 (Cth). Partners Michael Pattison and Gavin Smith and Associate Priyanka Nair and Lawyer Tom Kavanagh report on this important decision that provides further guidance on the requirement for personal information to be information 'about an individual'.
How does it affect you?
- Organisations will welcome this decision because it reduces the scope of 'personal information' which they are required to make accessible to individuals under the Privacy Act 1988 (Cth). Crucially, this decision reinforces that 'personal information' must be information 'about an individual'. Information will not meet the threshold of being 'about an individual' merely because an organisation has the resources and means to link that information to an individual.
- For telecommunications service providers, this decision may not change much given that the Federal Government's new data retention laws already mandate the types of metadata which are deemed 'personal information' for the purposes of the Privacy Act. This decision does, however, provide guidance that IP address information need not be regarded as 'personal information' about an individual if, for example, the IP address may change or be shared by different individuals.
In June 2013, Fairfax journalist Ben Grubb requested that Telstra provide him with access rights to all 'metadata' stored by Telstra about his mobile phone usage on the basis that this data was his 'personal information' under the Privacy Act. Telstra provided Mr Grubb with access to some of the data which he requested but refused him access to the following types of mobile network data:
- IP address; and
- cell tower location information.
In May 2015, the Privacy Commissioner issued his determination that such information did constitute personal information for the purposes of the Privacy Act and that Telstra had breached NPP 6.1 (now APP 12.1) by failing to provide Mr Grubb with access to this information. Telstra appealed this decision.
On appeal to the Administrative Appeals Tribunal (the AAT), the Deputy President set aside the determination of the Privacy Commissioner and substituted it with a determination that Telstra was not required to provide Mr Grubb with access to Telstra mobile network data on his phone activity because this information was not 'personal information'. The Deputy President reasoned that Telstra mobile network data would need to be information 'about an individual' in order for it to fall within the definition of 'personal information' in the Privacy Act. She found that mobile network data on Mr Grubb's phone activity was not information 'about an individual' as such, but rather, information about the way in which Telstra delivers its services. It therefore could not be characterised as 'personal information' under the Privacy Act and did not need to be disclosed to customers like Mr Grubb upon request.
Deputy President Forgie focused on the first limb of the definition of 'personal information' under the Privacy Act, which requires the information or opinion to be 'about an individual'. The Deputy President did not strictly need to consider the second limb to the definition of 'personal information' because she found that Telstra mobile network data on Mr Grubb's phone activity was not information 'about an individual'. However, her comments on the second limb will nonetheless be of interest to organisations that collect personal information.
Under the pre-12 March 2014 definition of 'personal information' (which applied for the purposes of this case), the second limb required information to be information or an opinion from which the identity of that individual is apparent or can reasonably be ascertained. Factors working against this limb being made out include the rarity with which Telstra linked its mobile network data to information which identified its customers.
Although the AAT's decision was made with respect to the definition of 'personal information' which applied under the Privacy Act prior to 12 March 2014, the changes to the definition of 'personal information' since are unlikely to have altered the requirement for 'personal information' to be information 'about an individual'.
We note, however, that the second limb to the new definition of 'personal information' requires information to be 'information or an opinion about an identified individual, or an individual who is reasonably identifiable'. In a recent case in the Federal Court of Appeal (Baptist Union of Queensland – Carinity v Roberts), it was noted that the amended definition of personal information expands the scope of information which falls within the second limb (as stated below):
The former definition of 'personal information' was limited to information from which the identity of an individual was apparent or could reasonably be ascertained. One purpose of the amendment of the definition under the Amending Act was to ensure the modernisation of scope of the protected information to information which can be linked with other information to identify an individual.
Based on Justice Rangiah's analysis in the above case, the revised definition of 'personal information' may provide greater scope for Ben Grubb's argument that Telstra mobile network data is 'personal information'. This is because, under the revised definition, Telstra's ability to link mobile network data to other personal information it holds on Mr Grubb points toward that information being 'personal information', even if Telstra has not, in fact, performed such linking often.
At first instance, the Privacy Commissioner had determined that information could be characterised as 'about an individual' if it is 'in some way concerning or connected with the individual'. As we reported last year, this broad interpretation of the term 'about an individual' meant that mobile network data generated by Telstra as a result of Mr Grubb's phone activity could be characterised as 'personal information' because Telstra had the resources and capability to cross-match its different system records to link that mobile network data to Mr Grubb.
In overturning the Privacy Commissioner's decision, the Deputy President decided that mobile network data (including metadata, such as IP addresses, URL information and cell tower location information) is not information 'about an individual' but rather, information about a service provided to that individual. Such information could not therefore be 'personal information' as defined under the Privacy Act.
The Deputy President accepted that it might be possible to identify a particular Telstra customer by reference to mobile network data and other data held by the service. However, it did not necessarily follow that mobile network data would constitute 'personal information'. This depended on whether the data could be characterised as being 'about an individual'. If the information was not sufficiently about the individual, then the information would not be 'personal information', and the Privacy Act would not apply.
The Deputy President noted that Telstra's mobile network data (including metadata) has two features:
- it records transactions between mobile devices and Telstra's mobile network in order to ensure that the network connection remains; and
- it creates, upholds and/or disconnects connections between mobile devices and the destination with which the devices are seeking to communicate.
In reaching the conclusion that certain mobile network data on Mr Grubb's phone activity was not 'personal information', the Deputy President acknowledged that the mobile network data would not have been generated had Mr Grubb not made calls or sent messages on his mobile device. She highlighted, however, that as soon as a phone call or message was transmitted from the first cell which received it from Mr Grubb's device, the data in question was no longer about Mr Grubb, but was directed towards delivering the message to its intended recipient. In short, it was information about the way in which Telstra delivered the service or product for which Mr Grubb had paid, but was not about him.
Finally, Deputy President Forgie also considered whether the IP address allocated to Mr Grubb's mobile device could be characterised as personal information. She noted that while an IP address is necessarily allocated so that an internet communication can be delivered to a device, such an address is not exclusively allocated to a particular mobile device, nor does one mobile device have a single IP address over the course of its working life. In the present scenario, the IP address was not about Mr Grubb, but about the way in which data was transmitted from his device over the internet and a connection made with another person's mobile device. The connection to Mr Grubb as an individual was merely transient.
This decision reinforces that 'personal information', as defined in the Privacy Act, must meet the preliminary threshold of being information 'about an individual'. In this case, the Deputy President found that Telstra mobile network data was merely information about the way in which services were delivered and not information 'about an individual' as such, even though the data was generated from Mr Grubb's phone activity.
In coming to the conclusion that Telstra mobile network data generated by Mr Grubb's phone activity was not 'personal information', the Deputy President appears to have been influenced by evidence from Telstra that its mobile network data was 'kept separate and distinct' from customer databases, rarely linked to these databases and not ordered or indexed by reference to particular customers, their names or telephone numbers. These factors provide some guidance for organisations implementing systems which quarantine databases that contain personal information from those that don't.
Deputy President Forgie noted that the deeming provisions under the data retention laws represent an adjustment of the balance between various public and private interests. However, the Deputy President did not expressly consider whether a different outcome would have been reached had the question arisen under the revised definition of 'personal information' which has been in force since 12 March 2014.
It remains to be seen whether a more broadly encompassing approach to personal information will be taken in light of the increasing swathe of powers granted to law enforcement authorities and the additional obligations placed upon telecommunications service providers under the Telecommunications (Interception and Access) Act 1979 (Cth).
We acknowledge the assistance of Summer Clerk Natalie Czapski and Specialist Paralegal Amandine Philippart de Foy.