Australia: Much ado about an individual: Full Federal Court delivers anticipated privacy decision

What you need to know

• Privacy officers have awaited a decision handed down last month by the Full Federal Court, eager to see how the Court would interpret the meaning of 'personal information' and in particular whether (and when) metadata would be personal information of an individual.
• But the Court did not need to consider this issue and instead decided a very narrow issue only – the words 'about an individual' are an important aspect of the definition of personal information as it existed before March 2014.
• While the decision does not break new ground about whether metadata is personal information, it does provide some guidance about that important concept.

Last month, the Full Federal Court published a decision that many privacy officers had hoped would address the question of whether metadata would be personal information about an individual – a topical question in an era where so much information is collected online and the Internet of Things is growing.

However, in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4, the Court held that:

1. the words 'about an individual' are an important aspect of the definition of personal information as it existed before March 2014, when the current privacy regime came into effect; and
2. it did not need to determine whether and if so when metadata would be personal information about an individual.

Background

In June 2013, Mr Ben Grubb, at that time a technology journalist, requested access to "all metadata information Telstra has stored about my mobile phone service".

He made this request to Telstra under the previous privacy regime, which was in force until March 2014. His request was made under National Privacy Principle 6.1 (NPP 6.1), on the basis that metadata fell within the definition of personal information, being "information or an opinion about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion".

Telstra produced some information but refused to provide access to its mobile network data, which included Internet Protocol (IP) address information, Uniform Resource Locator (URL) information and cell tower location information beyond that information that Telstra retained for billing purposes (to which Mr Grubb had already been given access). Telstra argued that this mobile network data was not personal information about Mr Grubb.

Mr Grubb lodged a complaint with the Office of the Australian Information Commissioner (OAIC).

The OAIC investigated the complaint and the Privacy Commissioner made a determination in May 2015. The Privacy Commissioner held that the information requested by Mr Grubb was personal information as it could be cross-referenced with other information held by Telstra to identify Mr Grubb. Telstra's refusal to give access to Mr Grubb was a breach of NPP 6.1.

Telstra applied to the Administrative Appeals Tribunal (AAT) to set aside the Privacy Commissioner's determination.

The AAT held that the first question to be determined was whether the information was 'about an individual'. If not, that would be the end of the matter. If so, then the second question to be determined was whether the identity of that individual was apparent or could reasonably be ascertained from the information. The AAT went on to find that mobile network data was not personal information because it was not information 'about an individual' (Mr Grubb) within the terms of NPP 6.1. Rather, it was information about the way in which Telstra delivered the mobile services to Mr Grubb.

The Privacy Commissioner appealed the AAT's decision to the Full Federal Court of Australia.

Decision

For the Court, the "real issue" was a "very narrow question of statutory construction" concerning the words "about an individual".¹

On that issue, the Privacy Commissioner argued that if Telstra held information from which an individual's identity was apparent or could be reasonably ascertained, then it would always be the case that the information was 'about an individual'.

The Court rejected the Privacy Commissioner's argument, and decided that the words 'about an individual' had their own substantive effect. The Court held that in every case where an individual requests access to their information, it is necessary to consider whether that information, on its own or in combination with other pieces of information, is about the individual, just as it is also necessary to consider whether the individual's identity is apparent or can be reasonably ascertained.

What was not decided

The Court did not need to decide whether:

• metadata was information 'about an individual'
• the identity of an individual was apparent or could be reasonably be ascertained from metadata
• metadata was personal information or
• individuals are entitled to access metadata under the Privacy Act

because "the appeal was argued only at the high level of generality concerning whether the AAT was correct to give content to the words 'about an individual'".₂

So in the end, the long running case is not actually 'about' whether metadata is personal information protected by the Privacy Act.

So what do we know?

Some months before the matter came before the Court, the Privacy Commissioner expressed the view that clarity and certainty around the definition of personal information are critical to operation of the Act and to the fair and reasonable expectations or businesses and agencies that are required to be accountable to it.³

So is there any clarity and certainty from the Court's decision?

The Court endorsed the AAT's interpretation that there are two aspects to personal information, at least as it applied before March 2014 - it must:

• be 'about' an individual and
• identify an individual (in that their identity is apparent or can reasonably be ascertained).

More importantly, the Court acknowledged that information can have multiple subject matters. This was not the view of the AAT, which decided that information was about an individual, or about a service provided to an individual, but not both. The AAT's decision was problematic because it meant that information generated by an individual using services through a device was not information about that individual, and was not protected by the Privacy Act. Though the Court's decision does not tackle this issue head on, it does provide some guidance that information generated about an individual through devices – and in this world of the Internet of Things - should be managed as personal information under the Privacy Act.

What next?

Organisations dealing with requests for access to personal information made before 2014 will need to apply the Court's two step test.

However, the current definition of personal information connects the two steps. Personal information is now defined as "information or an opinion about an identified individual, or an individual who is reasonably identifiable". The concept of being 'about' an individual is linked with identifying the individual. The new definition does not lend itself to a two-step test as the old definition was found to do.

On balance, the Court's decision will have little practical significance for organisations governed by the Privacy Act. In order to handle personal information in a responsible way and protect the privacy of individuals, organisations should apply a broad understanding to the concept of personal information. If in doubt, it is best to err on the side of characterising information as personal information subject to the Privacy Act.

What about metadata? To some extent, the issue of whether metadata is personal information has been overtaken by legislation since Mr Grubb first made his request to Telstra. Since 2015, amendments to the
provide that metadata retained by the telecommunications industry is to be considered as personal information under the Privacy Act. Had Mr Grubb made his request for access to metadata now, the result may have been very different.

Footnotes

¹ Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4 at [5].

²Ibid at [65].

³Speech by Timothy Pilgrim to the PAW Business Breakfast, Sydney, 16 May 2016 at https://www.oaic.gov.au/media-and-speeches/speeches/privacy-awareness-week-launch-2016.

This article is intended to provide commentary and general information. It should not be relied upon as legal advice. Formal legal advice should be sought in particular transactions or on matters of interest arising from this article. Authors listed may not be admitted in all states and territories