
Privacy Tracker | Personal information in Australia: When is data 'about' an individual?


Most information privacy laws or data protection regulations have as their starting point some notion of identifiability. Legal obligations will typically only apply to data that relates to an identifiable person.

European privacy law uses the term “personal data”; in the United States, the phrase commonly used is “personally identifiable information,” or PII; Australian, New Zealand and Canadian privacy laws create privacy principles that apply only to “personal information.”

The commonality between these different laws, jurisdictions and legal definitions is that if no individual is readily identifiable from a set of data, then the relevant privacy principles (or other legal obligations, however expressed) simply won’t apply.

This notion of identifiability was the starting point for a case about metadata in Australia, but by the time it concluded with a landmark judgment from the Federal Court in January, the argument had morphed into something quite different: an argument about the word “about.”

Background

In 2013, the Australian government was preparing to introduce its mandatory data retention laws, to require telecommunication providers to keep metadata on their customers for two years in case the data was needed later for national security or law enforcement purposes.

Technology journalist Ben Grubb was curious as to what metadata, such as the geolocation data collected from cell phones, would actually reveal about an individual. Exercising his rights under the Privacy Act 1988, Grubb sought access from his cell phone service provider, Telstra, to his personal information — namely, “all the metadata information Telstra has stored about my cell phone service (04…).” 

Telstra provided some information, but refused access to geolocation data — the longitude and latitude of cell towers connected to a customer’s phone at any given time, whether the customer is making a call or not — arguing that that geolocation data was not personal information about a customer, because on its face the data is anonymous.

Grubb lodged a complaint with Australian Privacy Commissioner Timothy Pilgrim, who ruled against Telstra, finding that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets. Pilgrim found that data which “may” link to an individual, even if it requires some “cross matching … with other data” in order to do so, is “information … about an individual,” whose identity is ascertainable, meaning “able to be found out by trial, examination or experiment.” Pilgrim ordered that Telstra hand over the remaining cell tower location information. 

Telstra appealed the privacy commissioner’s determination, and in December 2015 the Administrative Appeals Tribunal found in Telstra’s favour — but not on the grounds argued up to that point.

The AAT Decision

While the crux of the case until this point had been whether or not Grubb was identifiable from the network data, and how much cross-matching with other systems or data could be expected to be encompassed within the term “can reasonably be ascertained,” the AAT drew no solid conclusion on that issue. Instead, the AAT questioned whether the information was even “about” Grubb at all.

The AAT judgment found that there was a two-step process to meeting the definition of personal information: the information must be about an individual and, in a separate inquiry, the individual must be reasonably identifiable from that information.

In other words, the AAT’s position was that the fact the information might relate or link back to an individual does not necessarily make it “about” that individual. The AAT concluded that network data was about connections between devices, rather than “about an individual.”

“The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him” (at [112]).

Not surprisingly, the privacy commissioner sought an appeal.

The Federal Court decision

The privacy commissioner’s appeal fell flat, and the Federal Court, in a unanimous decision, confirmed the AAT’s finding that personal information must be “about” an individual and that individual’s identity must be reasonably ascertainable. 

The Federal Court stated:

“in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion” (at [63]). 

Adding, 

“The words ‘about an individual’ direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters” (at [63]).

However, and importantly, the Federal Court also said, “even if a single piece of information is not ‘about an individual’ it might be about the individual when combined with other information,” stressing the need to consider “the totality of the information.” In other words, linkability to an identifiable individual might still make something personal information. 

On the decisions

The narrow, binary formulation from the AAT — that information can only be “about” one thing — could lead to some disastrous applications. For example, banks could avoid their privacy responsibilities by arguing that their records are only “about” transactions, not the people sending or receiving money as part of those transactions; or hospitals could claim that medical records are “about” clinical procedures, not their patients.

The Federal Court decision is frustrating in many ways. Because the case was only about a question of law, not the application of that law to a particular set of facts, we are left with unanswered questions:

  • Is the metadata “about” Ben Grubb?
  • Could Ben Grubb’s identity be ascertained from the metadata (alone or in conjunction with other data)? And thus,
  • Is Ben Grubb’s metadata personal information?

The only thing decided by the Federal Court was that the phrase “about an individual” is an important element in the definition of personal information.

If it had been allowed to examine the merits of the case, the Federal Court might have overturned the AAT’s decision on the basis that the information in question could be about both “the way in which Telstra delivers the service or product for which Mr Grubb pays” and “about Mr Grubb.”

However, it does seem the Federal Court left the door open to a more expansive view than that of the AAT. Without overturning the AAT decision, the Federal Court diverged from the AAT’s narrower view, by allowing that (i) information may have multiple subject matters, and (ii) the construction of the subject matter can be influenced by the context: if the data is combined with other data, it might then become “about” an individual.

Global implications

Organizations that operate globally might assume that phrases like PII, personal data and personal information are interchangeable. However, this case shows that judicial interpretation of the scope of privacy and data protection laws can potentially turn on subtle differences in language. 

It will be interesting to see whether this case will influence other jurisdictions with similar constructions of the phrase personal information or PII as well as how case law develops in Europe under the GDPR by comparison.

photo credit: Ted's photos - For Me & You 2016 - Sydney - CBD via photopin (license)
