Australian Federal Court Privacy Decision
On 19 January 2017 the Full Bench of the Federal Court of Australia handed down its decision in Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.
This case is the first significant judicial decision to consider the meaning of "personal information" under the Privacy Act 1988 (Act) and departs from the commonly held view that all information which identifies an individual must necessarily be information "about" that individual.
In moving away from this view, the Court instead emphasised that these are separate requirements that must both be met in order for information to be classified as "personal information" under the Act. This involved a two-stage test asking:
- whether the individual's identity is apparent or could reasonably be ascertained from the information; and
- then, separately, whether the information is "about" the individual.
Although the definition of personal information has subsequently been amended (in the March 2014 amendments to the Act), there remains both an identification requirement and a requirement that the information be "about" the individual in the definition.
However, the precise scope of the concept of personal information under the Act remains unclear: the Court stated that determining whether information is "about" an individual requires an evaluative conclusion, determined upon the facts of each case.
In June 2013, journalist Ben Grubb contacted Telstra claiming a right of access under the Act to "all the metadata information Telstra has stored" in relation to his mobile phone service. Telstra provided much of the requested metadata but withheld certain categories of information.
As the matter related to events that occurred prior to the Privacy Act reforms which commenced on 12 March 2014, the National Privacy Principles (NPPs) rather than the current Australian Privacy Principles (APPs) apply.
Mr Grubb lodged a complaint with the Office of the Australian Information Commissioner (OAIC) claiming that Telstra had breached his rights under the Act in failing to provide all of the requested information. The key finding in the determination handed down by the OAIC (OAIC Determination) was that the metadata (including network data and cell records) was "personal information" for the purposes of the Act.
This conclusion in the OAIC Determination largely turned on the fact that Telstra was capable of cross-referencing the data in question with other information held in its system to identify Mr Grubb from that data.
Telstra then appealed the OAIC determination. In December 2015, the Administrative Appeals Tribunal (AAT) handed down an independent merits review reversing the OAIC's Determination in finding that the relevant metadata was not personal information because it was not "about" Mr Grubb.
The OAIC subsequently appealed the decision of the AAT to the Full Bench of the Federal Court.
Grounds for appeal
The OAIC's grounds for judicial review in the appeal before the Federal Court were limited to relatively narrow questions of law. The substantive grounds for review pressed by the OAIC were that the AAT:
- erred by misconstruing the expression “about an individual” in s 6 of the Act by failing to consider whether the information in dispute related to or concerned the complainant;
- erred by posing a test that it had to determine whether the information was about the complainant or about something else; and
- posed the incorrect test and, if it had posed the correct test, it should have found that the information held by Telstra was about Mr Grubb because the information could be used to identify Mr Grubb.
Relevantly, on these central substantive points, the OAIC submitted that if there was information from which an individual’s identity could reasonably be ascertained, and that information was held by the organisation, then it will always be the case that the information is "about the individual" and therefore is personal information.
The Court dismissed the appeal as well as the applications of the Australian Privacy Foundation and the New South Wales Council for Civil Liberties, who made submissions as amici curiae.
The key definition under consideration here was the definition of "personal information" in the Act. Whilst it has subsequently been amended, at the relevant time, it read:
personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.
With regard to statutory interpretation principles, the Court rejected the proposition that information from which an individual's identity could be reasonably ascertained would always be personal information. The Court considered that to find otherwise would render the words "about an individual" redundant.
Whilst it is unclear whether it made any significant difference to the outcome, it is worth noting that this view was influenced by the fact that the definition of personal information was being considered in the context of the old NPP 6.1 (the NPP giving individuals a right of access to their information). NPP 6.1 repeated these words, stating that the access right arose if an organisation held personal information "about an individual", and the Court considered that this repetition meant that they could not be ignored.
The Court held that the concept of personal information, whilst broad, was "constrained" by the requirements of the definition, including that: (i) it must be “about” the individual; and (ii) the identity of the individual must be apparent, or reasonably ascertainable, from the information or opinion.
The Court found that the words “about an individual” directed attention to the need for the individual to be a subject matter of the information or opinion, noting that information and opinions can have multiple subject matters.
However, the Court did not provide much guidance as to when information will be "about" an individual, stating that in each case it is necessary to consider whether information, individually or in combination with other items, is "about an individual". This will require an evaluative conclusion on the facts.
The only example provided was information about Mr Grubb's mobile phone colour and network type (3G), neither of which the Court considered to be information "about" Mr Grubb in the current context. However, the Court noted that "[i]n other circumstances, the conclusion might be different".
The Court provided only limited guidance on when information will be considered to be "about" an individual or not, making the application of this requirement quite unclear.
This is nonetheless a significant decision, given that the Court has acknowledged the requirement that information must be "about" an individual adds something substantive to the definition - that is, that there may be some information that identifies an individual that nonetheless is not about that individual. Information falling into this "gap" would not be regulated as personal information under the Act.
However, beyond this, the size and scope of that gap is unclear. The Court noted that the "about" requirement may not always be difficult to satisfy, suggesting that the gap might be very small (or potentially non-existent) in some instances, although potentially more significant in others.
It is important to note that the Court did not make a determination on whether any of the particular information requested by Mr Grubb (including the metadata retained by Telstra) was “personal information”. The Court stated that the question of whether the relevant data was personal information was not covered in the OAIC's grounds for appeal (and that the OAIC argued only “at a high level of generality” regarding whether the AAT was correct to give “content” to the words “about an individual”).
As stated above, the decision does open up some potential avenues for argument around when "identified" or "identifiable" information is nonetheless unregulated under the Act because the relevant individual is not a subject matter of the information. However, given that the scope of any "gap" in coverage is unclear, it is unlikely to result in many organisations taking a significantly different view as to whether information they hold is personal information than would previously have been the case.
Further, we note that the decision does not have implications for personal information held by carriage service providers as, when introducing metadata retention laws in 2015, the government deemed metadata required to be retained under such laws to be personal information under the Act.
Thanks to Associate Mary-Cate Byrne for her assistance in preparing this alert.