This article was written by Agatha Moczulski, Michael Swinson, Patrick Gunning and Kate Jackson-Maynes.
The Full Court of the Federal Court of Australia has confirmed that information will only be regulated as “personal information” under the Privacy Act 1988 (Cth) (Privacy Act) if there is a sufficient nexus between the information and a relevant individual so that the information can be said to be “about” the individual (in the sense that the individual is the subject matter of that information). If the information is not “about” the individual, it will not be personal information, and the Privacy Act will not apply.
This is the first time that the Full Court of the Federal Court of Australia has made a decision of any significance under the Privacy Act since that law was introduced almost 30 years ago. The decision clarifies the scope of data that may be regulated by the Act and, therefore, carries significance for any organisation that is subject to the Act and has any interest in analysing the data they collect.
In particular, the decision clarifies that the Privacy Act will not extend to information that has no substantive relation to an individual, even if the information was created in response to some action taken by that individual and could potentially be traced back to that individual. As a consequence, organisations may now be more comfortable in analysing data about systems and processes without having to always consider potential consequences under the Privacy Act.
How it all started
This case arose out of a request by Mr Grubb, a journalist, to Telstra Corporation Limited (Telstra) for access to “all the metadata information Telstra has stored about my mobile phone service”. Telstra gave Mr Grubb some information (for example, call data records in relation to all outgoing calls) but refused to provide access to all of the data that may have been generated within Telstra’s mobile network in the course of carrying calls and other communications made using Mr Grubb’s mobile service. Mr Grubb filed a complaint with the Office of the Australian Information Commissioner in August 2013 and, following an investigation, the Privacy Commissioner held that Telstra’s refusal was a breach of National Privacy Principle 6.1.
Telstra applied to the Administrative Appeals Tribunal (AAT) to set aside the Privacy Commissioner’s determination. Telstra submitted that Mr Grubb’s identity could not be ascertained only by reference to mobile network data. In particular, Telstra stated that it would be necessary to cross-reference information in several different Telstra networks and systems in order to link that data back to Mr Grubb, that this information was retained in the network for a short period and may not always be available, and that the whole process would require significant time and effort that would not form part of any ordinary business operation carried out by Telstra. On this basis, Telstra said the network data was not information about a person who could be reasonably identified and, therefore, was not personal information for the purposes of the Privacy Act.
Ultimately, the AAT decided that although it may technically be possible to identify Mr Grubb from the network data held by Telstra, that data would only qualify as personal information if it satisfied the threshold requirement of being information “about” an individual. If not (i.e. if there was not a sufficient nexus between the information and the individual), then that would the end of the matter and it would be of no consequence that the data could hypothetically be combined with other information to identify the individual.
Applying this reasoning to the facts of Mr Grubb’s case the Deputy President concluded that the mobile network data in question was not about an individual within the meaning of NPP 6.1. In this regard, the Deputy President stated that:
“once [Mr Grubb’s] call or message was transmitted… the data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message… the data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb.”
We have written about the AAT’s decision previously.
The Privacy Commissioner’s appeal concerned the narrow question of statutory construction of the words “about an individual” as they applied in the definition of “personal information” under the Privacy Act.
The Privacy Commissioner argued that if there is information from which an individual’s identity can reasonably be ascertained, then it will always be the case that the information is about the individual. Following this reasoning, the Privacy Commissioner said the words “about an individual” have no substantive operation in the context of the Privacy Act definition of “personal information”.
The Federal Court did not accept this submission and stated that the words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. According to this approach, in assessing whether a given piece of information is personal information, it will always be necessary to consider whether or not that information is about an individual. While a given piece of information may be about one or more topics, if the only true subject matter of the information is a process or system rather than an individual, then that information cannot qualify as personal information for the purposes of the Privacy Act.
On this basis, the Federal Court dismissed the Privacy Commissioner’s appeal and determined that it was unnecessary to descend to the detail of whether any of the specific network data in question could qualify as personal information, as there was no ground of appeal which alleged that the AAT erred in its conclusion that none of the information was about Mr Grubb.
One point of interest in the court’s reasons is that Telstra’s counsel before the AAT initially conceded that the metadata held by Telstra in relation to Mr Grubb’s use of the network was in fact information about Mr Grubb. It was the Deputy President herself who identified the key point which ultimately decided the case. The Deputy President illustrated the point with an example regarding the service records for a car she had purchased. The information in these records was information about the car, or about the repairs that had been carried out on the car, but was not information about the Deputy President, even though the records may have referred to the registration number of the car and even her name. A variant of the car repair example appears in the European Article 29 Data Protection Working Party’s Opinion on the concept of personal data (opinion 4/2007).
The Australian Privacy Foundation and the NSW Council for Civil Liberties appeared in the trial as amici curiae and raised a number of examples of how concepts of “personal data” have been interpreted in various overseas jurisdictions. While the Federal Court judges found that much of what was presented was not truly on point, they did note that their decision was consistent with a similar approach taken by the Canadian Federal Court of Appeal when finding that records of air traffic control communications concerning various aviation incidents were not personal information for the purposes of Canadian privacy legislation and therefore did not need to be disclosed under that legislation. The Canadian court said that the information was not “about” the individuals caught up in the relevant incidents, but rather was about matters such as the operation of the aircraft in question, prevailing weather conditions and the actions of pilots and air traffic controllers. As the court said “these are not subjects that engage the right of privacy of individuals.”
Although the decision considered the pre-12 March 2014 definition of “personal information”, the decision remains relevant as the current definition of “personal information” retains the concept of information being “about” an individual.
The decision confirms that organisations considering the use and disclosure of a particular data set need to approach the potential application of the Privacy Act to their conduct by asking two questions. The first question is whether the relevant data about an individual (or, put differently, whether the individual is the subject matter of the information). If this is answered in the affirmative, the second question is whether the individual is reasonably identifiable.
For organisations that had until now acted consistently with the Privacy Commissioner’s view that only the second question was relevant, the effect of the decision may be to narrow the application of the Privacy Act to their existing data analysis and commercialisation practices. These organisations may now find they have greater room to innovate and use system and process data for broader purposes without having to worry about compliance with the Privacy Act. However, they will still need to make judgement calls about whether the various categories of information that they collect should be treated as personal information, which may not always be easy to do.
It is interesting to note that the draft report on open data released by the Productivity Commission late in 2016 proposed the introduction of a new concept of “consumer data” that would be subject to enhanced data sharing and access rights. It may be confusing for business to have to deal with a multiplicity of different categories of data. Businesses that are not confident about where the boundaries of each category lie may take a conservative approach that leads to potentially valuable data assets being under-utilised. This would clearly be an undesirable outcome and, in our view, law makers should focus on ensuring future changes to the law in this area provide more rather than less certainty for business.
Although the Federal Court’s decision did not consider the meaning of “personal information” in the various state and territory privacy laws that apply to state and territory government agencies, the Court’s reasoning will be persuasive when interpreting the state and territory laws, as those laws also require information to be “about” and individual in order to be “personal information”.
As at the date of this publication, the Privacy Commissioner’s office has not given any substantive reaction to the decision. In our view, there is no prospect that the High Court of Australia would grant special leave to appeal.