Personal information in Australia: When is data 'about' an individual?

Most information privacy laws or data protection regulations have as their starting point some notion of identifiability. Legal obligations will typically only apply to data that relates to an identifiable person.

European privacy law uses the term “personal data”; in the United States, the phrase commonly used is “personally identifiable information,” or PII; Australian, New Zealand and Canadian privacy laws create privacy principles that apply only to “personal information.”

The commonality between these different laws, jurisdictions and legal definitions is that if no individual is readily identifiable from a set of data, then the relevant privacy principles (or other legal obligations, however expressed) simply won’t apply.

This notion of identifiability was the starting point for a case about metadata in Australia, but by the time it concluded with a landmark judgment from the Federal Court in January, the argument had morphed into something quite different: an argument about the word “about.”

Background

In 2013, the Australian government was preparing to introduce its mandatory data retention laws, to require telecommunication providers to keep metadata on their customers for two years in case the data was needed later for national security or law enforcement purposes.

Technology journalist Ben Grubb was curious as to what metadata, such as the geolocation data collected from cell phones, would actually reveal about an individual. Exercising his rights under the Privacy Act 1988, Grubb sought access from his cell phone service provider, Telstra, to his personal information — namely, “all the metadata information Telstra has stored about my cell phone service (04…).” 

Telstra provided some information, but refused access to geolocation data — the longitude and latitude of cell towers connected to a customer’s phone at any given time, whether the customer is making a call or not — arguing that the geolocation data was not personal information about a customer, because on its face the data is anonymous.

Grubb lodged a complaint with Australian Privacy Commissioner Timothy Pilgrim, who ruled against Telstra, finding that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets. Pilgrim found that data which “may” link to an individual, even if it requires some “cross matching … with other data” in order to do so, is “information … about an individual,” whose identity is ascertainable, meaning “able to be found out by trial, examination or experiment.” Pilgrim ordered that Telstra hand over the remaining cell tower location information. 

Telstra appealed the privacy commissioner’s determination, and in December 2015 the Administrative Appeals Tribunal found in Telstra’s favour — but not on the grounds argued up to that point.

The AAT Decision

While the crux of the case until this point had been whether or not Grubb was identifiable from the network data, and how much cross-matching with other systems or data could be expected to be encompassed within the term “can reasonably be ascertained,” the AAT drew no solid conclusion on that issue. Instead, the AAT questioned whether the information was even “about” Grubb at all.

The AAT judgment found that there was a two-step process to meeting the definition of personal information: the information must be about an individual and, in a separate inquiry, the individual must be reasonably identifiable from that information.

In other words, the AAT’s position was that the fact the information might relate or link back to an individual does not necessarily make it “about” that individual. The AAT concluded that network data was about connections between devices, rather than “about an individual.”

“The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him” (at [112]).

Not surprisingly, the privacy commissioner sought an appeal.

The Federal Court decision

The privacy commissioner’s appeal fell flat, and the Federal Court, in a unanimous decision, confirmed the AAT’s finding that personal information must be “about” an individual and that individual’s identity must be reasonably ascertainable. 

The Federal Court stated:

“in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion” (at [63]). 

Adding, 

“The words ‘about an individual’ direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters” (at [63]).

However, and importantly, the Federal Court also said, “even if a single piece of information is not ‘about an individual’ it might be about the individual when combined with other information,” stressing the need to consider “the totality of the information.” In other words, linkability to an identifiable individual might still make something personal information. 

On the decisions

The narrow, binary formulation from the AAT — that information can only be “about” one thing — could lead to some disastrous applications. For example, banks could avoid their privacy responsibilities by arguing that their records are only “about” transactions, not the people sending or receiving money as part of those transactions; or hospitals could claim that medical records are “about” clinical procedures, not their patients.

The Federal Court decision is frustrating in many ways. Because the case was only about a question of law, not the application of that law to a particular set of facts, we are left with unanswered questions:

  • Is the metadata “about” Ben Grubb?
  • Could Ben Grubb’s identity be ascertained from the metadata (alone or in conjunction with other data)? And thus,
  • Is Ben Grubb’s metadata personal information?

The only thing decided by the Federal Court was that the phrase “about an individual” is an important element in the definition of personal information.

If it had been allowed to examine the merits of the case, the Federal Court might have overturned the AAT’s decision on the basis that the information in question could be about both “the way in which Telstra delivers the service or product for which Mr Grubb pays” and “about Mr Grubb.”

However, it does seem the Federal Court left the door open to a more expansive view than that of the AAT. Without overturning the AAT decision, the Federal Court diverged from the AAT’s narrower view, by allowing that (i) information may have multiple subject matters, and (ii) the construction of the subject matter can be influenced by the context: if the data is combined with other data, it might then become “about” an individual.

Global implications

Organizations that operate globally might assume that phrases like PII, personal data and personal information are interchangeable. However, this case shows that judicial interpretation of the scope of privacy and data protection laws can potentially turn on subtle differences in language. 

It will be interesting to see whether this case will influence other jurisdictions with similar constructions of the phrase personal information or PII as well as how case law develops in Europe under the GDPR by comparison.

Written By

Anna Johnston
