While at first glance you might think that the Privacy Commissioner losing an appeal would be bad news for privacy, the decision in Privacy Commissioner v Telstra Corporation Limited  FCAFC 4 is not quite the train wreck that some have suggested. It has not gutted the definition of ‘personal information’, nor has it said that metadata from telecoms is not protected by the Privacy Act. It simply clarified that the word ‘about’ is an important element in the definition of ‘personal information’.
This article is by Anna Johnston, Director of Salinger Privacy and is republished here with permission. Anna is a former Deputy Privacy Commissioner for NSW, and a former Chair of the Australian Privacy Foundation. Salinger Privacy consult, present, publish, train and blog on privacy law and practice. Follow Anna on Twitter @SalingerPrivacy or subscribe to her excellent newsletter. See the original article
That might not sound like something worth arguing about, but understanding this little word ‘about’ has been critical in the on-going case involving Telstra and the definition of ‘personal information’ – upon which all our legislated privacy principles rely.
First, the background. When the Australian Government was preparing in 2013 to introduce its mandatory data retention laws, to require telcos to keep ‘metadata’ on their customers for two years in case law enforcement types needed it later, tech journo Ben Grubb was curious as to what metadata, such as the geolocation data collected from mobile phones, would actually show. He wanted to replicate the efforts of a German politician, to illustrate the power of geolocation data to reveal insights into not only our movements, but our behaviour, intimate relationships, health concerns or political interests.
While much fun was had replaying the video of the Attorney General’s laughable attempt to explain what metadata actually is, Ben also worked on a seemingly simple premise: “the government can access my Telstra metadata, so why can’t I?”
Exercising his rights under what was then National Privacy Principle (NPP) 6.1, Ben sought access from his mobile phone service provider, Telstra, to his personal information – namely, “all the metadata information Telstra has stored about my mobile phone service (04…)”.
At the time of his access request, the definition of ‘personal information’ was “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.
(Since then, the definition of ‘personal information’ has changed slightly, NPP 6.1 has been replaced by APP 12, and the telecom data retention laws were passed with a provision making it very clear that data that is required to be kept under the new data retention provisions is to be considered ‘personal information’ under the Privacy Act. Nonetheless, Ben Grubb’s case has ramifications even under the updated laws, because the breadth of the definition of ‘personal information’ was at issue.)
Telstra refused access to various sets of information, including location data on the basis that it was not ‘personal information’ subject to NPP 6.1. Ben lodged a complaint with the Australian Privacy Commissioner. While the complaint was ongoing, Telstra handed over a folder of billing information, outgoing call records, and the cell tower location information for Ben’s mobile phone at the time when Ben had originated a call, which is data kept in its billing systems.
What was not provided, and what Telstra continued to argue was not ‘personal information’ and thus need not be provided, included ‘network data’. Telstra argued that that geolocation data – the longitude and latitude of mobile phone towers connected to the customer’s phone at any given time, whether the customer is making a call or not – was not ‘personal information’ about a customer, because on its face the data was anonymous.
The Privacy Commissioner ruled against Telstra on that point in May 2015, finding that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets. Privacy Commissioner Timothy Pilgrim made a determination which found that data which “may” link data to an individual, even if it requires some “cross matching … with other data” in order to do so, is “information … about an individual”, whose identity is ascertainable, meaning “able to be found out by trial, examination or experiment”. The Privacy Commissioner ordered that Telstra hand over the remaining cell tower location information.
Telstra appealed the Privacy Commissioner’s determination, and in December 2015 the Administrative Appeals Tribunal (AAT) found in Telstra’s favour – but not for the reason you might have expected. The case clearly turns on how the definition of ‘personal information’ should be interpreted, with both parties arguing about whether or not Ben was ‘identifiable’ from the network data, including how much cross-matching with other systems or data could be expected to be encompassed within the term ‘can reasonably be ascertained’.
Indeed the AAT judgment went into great detail about precisely what data fields are in each of Telstra’s different systems, and what effort is required to link or match them up, and how many people within Telstra have the technical expertise to even do that, and how difficult it might be. But then – nothing. Despite both parties making their arguments on the topic of identifiability, the AAT drew no solid conclusion about whether or not Ben was actually identifiable from the network data in question.
Instead, the AAT veered off-course, into questioning whether the information was even ‘about’ Ben at all. Using the analogy of her own history of car repairs, Deputy President Stephanie Forgie stated:
“A link could be made between the service records and the record kept at reception or other records showing my name and the time at which I had taken the care (sic) in for service. The fact that the information can be traced back to me from the service records or the order form does not, however, change the nature of the information. It is information about the car … or the repairs but not about me”.
The AAT therefore concluded that mobile network data was about connections between mobile devices, rather than “about an individual”, notwithstanding that a known individual triggered the call or data session which caused the connection. Ms Forgie stated:
“Once his call or message was transmitted from the first cell that received it from his mobile device, the data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him”.
Well. That was a curve ball no-one saw coming.
(Even Telstra had proceeded through to the AAT on the assumption that the data they held was at least about Ben, with legal counsel for Telstra saying “I’m dealing here with the question of mobile network data in relation to Mr Grubb’s mobile telephone service. It’s difficult for me to see how that could not be information about him. It’s information about his service”. Telstra had instead been arguing the point that whether or not Ben was identifiable from that data in a pragmatic sense, given the way the data was held in separate systems, and not necessarily indexed with reference to the customer.)
The AAT’s interpretation seemed to conflate object with subject, by suggesting that the primary purpose for which a record was generated is the sole point of reference when determining what that record is ‘about’. In other words, the AAT judgment appears to say that what the information is for also dictates what the information is about.
In my view, the AAT’s interpretation of ‘about’ was ridiculous. Why can’t information be generated for one reason, but include information ‘about’ something or someone else as well? Why can’t information be ‘about’ both a person and a thing? Or even more than one person and more than one thing?
But more importantly, the AAT’s interpretation was damaging. It completely undermined our privacy laws.
Even car repair records, which certainly have been created for the primary purpose of dealing with a car rather than a human being, will have information about the car owner. At the very least, the following information might be gleaned from a car repair record: “Jane Citizen, of 10 Smith St Smithfield, tel 0412 123 456, owns a green Holden Commodore rego number ABC 123”.
If the AAT’s position – that a car repair record has no information ‘about’ Jane Citizen – had been left unchallenged by the Privacy Commissioner, then Jane would have no privacy rights in relation to that information, and the car repairer would have no privacy responsibilities either.
If Jane’s home address was disclosed by the car repairer to Jane’s violent ex-husband, she would have no redress. If the car repairer failed to secure their records against loss, and Jane’s rare and valuable car was stolen from her garage as a result, Jane would have no cause for complaint. Jane wouldn’t even have the right to access the information held by the car repairer, to check that it was correct.
Imagine how far you could you take this argument. Banks could avoid their privacy responsibilities by arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions. Hospitals could claim that medical records are ‘about’ clinical procedures, not their patients. Retailers could claim their loyalty program records are ‘about’ products purchased, not the people making those purchases.
Fortunately, the Privacy Commissioner quickly moved to appeal the AAT’s ruling to the Federal Court. But unfortunately, the grounds on which the Privacy Commissioner appealed were too narrow.
Instead of arguing that information could be ‘about’ more than one thing – i.e. that metadata could be ‘about’ both the delivery of a network service and the customer receiving that service – the Privacy Commissioner’s legal team argued that the phrase ‘about an individual’ was redundant, and should simply be ignored.
The Court summarised the submission made on behalf of the Privacy Commissioner as “that if there is information from which an individual’s identity could reasonably be ascertained, and that information is held by the organisation, then it will always be the case that the information is about the individual … In other words, the words ‘about an individual’ would ‘do no work’ and have no substantive operation”.
The Federal Court, in an unanimous decision by Justices Dowsett, Kenny and Edelman, flatly rejected that line of argument: “We do not accept this submission”.
So the Privacy Commissioner played a high stakes game, and lost. The result is a decision that ultimately takes us nowhere.
The Federal Court made it clear that it was not deciding whether or not the metadata to which Ben Grubb was seeking access actually met the definition of ‘personal information’ – because it was not asked to. (And indeed, appeals to the Federal Court from the AAT can only be brought on questions of law.)
The Court noted: “There was no ground of appeal which alleged that the AAT erred in its conclusion that none of the information was about Mr Grubb. In other words, the Privacy Commissioner did not seek to establish that any of the information was about Mr Grubb”. And just to hammer home the point, the Court said: “this appeal concerned only a narrow question of statutory interpretation which was whether the words ‘about an individual’ had any substantive operation. It was not concerned with when metadata would be about an individual”.
If the Federal Court had actually been asked or allowed to apply the definition to the facts of this case, we might have had a proper answer. We might even have had a broader answer than that proffered by the AAT, because the Federal Court diverged from the AAT’s view in one critical respect: unlike the ludicrously narrow, binary ‘information can only be about one thing’ view taken earlier by the AAT, the Federal Court judges said that information and opinions “can have multiple subject matters”.
That’s right: if only they had been asked (or allowed) to do so, the Federal Court might have overturned the AAT’s case, on the basis that the information in question could be about both “the way in which Telstra delivers the service or product for which Mr Grubb pays” and “about Mr Grubb”.
So, to re-cap …
The court made no decision about whether or not the metadata was ‘about’ Ben Grubb, because it wasn’t asked to.
The court made no decision about whether or not Ben Grubb’s identity could be ascertained from the metadata (alone or in conjunction with other data), because it wasn’t asked to.
The court made no decision about whether or not Ben Grubb’s metadata was ‘personal information’, because it wasn’t asked to.
This case was about a question of law, not the application of that law to a particular set of facts.
The only thing decided today was that the phrase “about an individual” is an important element in the definition of personal information, as the definition existed in 2013.
The Court reiterated that there are two elements: an ‘identifiability’ element, and an ‘about’ element. The Federal Court said this: “The words ‘about an individual’ direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters”.
So where does this leave us?
First, I doubt that any organisations – not even Telstra – will start popping champagne corks in the belief that they are somehow off the hook in terms of their privacy obligations. I saw no evidence of reckless abandonment of privacy obligations in the wake of the AAT judgment, and rightly so. Whether government or business, organisations are pragmatic. They know that maintaining customer trust is essential, and so arguing the toss with a customer or citizen about whether or not a record is ‘about’ that individual is not going to engender that trust.
Second, remember that the definition of ‘personal information’ changed in 2014. It now says “information or an opinion about an identified individual, or an individual who is reasonably identifiable…”. So that element of ‘about’ is still there, but it is now a little more intertwined with the element of ‘identifiability’. It’s not clear whether that subtle change in language makes any practical difference, but you cannot just assume that today’s Federal Court judgment directly applies to the law as it stands today.
So if Ben Grubb were to tomorrow ask Telstra anew for access to his metadata, things could end up very differently. Since he first asked in 2013, the definition of ‘personal information’ has changed; a law has been passed to state explicitly that metadata kept by telecoms under the new data retention rules is personal information subject to the Privacy Act (where it relates to an individual or a communication to which the individual is a party); and the Federal Court has said that information can be about ‘about’ more than one thing or person at a time, so the AAT’s more binary characterisation can probably be ignored.
But finally, that element of ‘about’ is still problematic. By saying that the individual needs to “be a subject matter” of the information, this judgment may have had the effect of slightly narrowing the definition of ‘personal information’, more so than if the language of “relating to” had been used instead. (By contrast, the latest European privacy law, the GDPR, defines ‘personal data’ more simply as “any information relating to an identified or identifiable natural person”. Neat, huh?)
However importantly, the judges also said this: “even if a single piece of information is not ‘about an individual’ it might be about the individual when combined with other information”. In my view, this has left open the possibility that a piece of data might still be captured by the definition of ‘personal information’, even though at first glance it appears to have as its subject matter/s not an individual, but a network, a communication or a device. The judges stressed the need to consider “the totality of the information”. In other words, linkability to an identifiable individual might still make something ‘personal information’, and thus within the scope of our privacy laws.
So what next … will the Privacy Commissioner appeal to the High Court? Or will he ask the Government to introduce an amendment to the legislation, to make our definition more like the GDPR’s?
Perhaps instead of muddying the waters further with yet more legislative or judicial activity, what we need first is some updated guidance from the Privacy Commissioner.