When is my information not about me?
The Administrative Appeals Tribunal has delivered Telstra, and many other companies who collect operational data about services they provide to individual end users, an early Christmas present by overturning a determination by the Privacy Commissioner from earlier this year and finding that mobile network data held by Telstra is not personal information about Telstra’s customers.
The AAT’s decision on Friday (18 December 2015) is the latest development in a long-running saga relating to a complaint initiated in June 2013 by Fairfax journalist Ben Grubb. Mr Grubb, a Telstra mobile customer, asked for access to all personal information that Telstra held about him. While Telstra delivered to Mr Grubb a range of information about his service, including call records, billing information and other metadata (such as mobile cell locations), this was not sufficient in the eyes of Mr Grubb or the Privacy Commissioner. Mr Grubb wanted access to all network data retained by Telstra in relation to Mr Grubb’s mobile service, and the Privacy Commissioner supported his request by finding in May 2015 that this type of network data was personal information about Mr Grubb.
Telstra objected to the request for access on a number of grounds. In particular, Telstra said that it would be extremely difficult to identify any individual to whom the relevant network data relates. In order to do so, Telstra would need to cross-reference a number of different databases used for network assurance purposes. Apart from the fact that there are very few Telstra employees (around 12) with an appropriate understanding of and rights to access all of these databases, the information in the databases is kept for different periods of time (between 3 and 30 days), so there can be no guarantee that all information required to complete cross-reference checks and link the network data to a particular individual will be available. In any case, the evidence was that this type of cross-referencing check is not part of Telstra’s normal business operations.
The counter-argument raised by Mr Grubb was that, even if it was difficult to do, it was still theoretically possible to connect the network data held by Telstra to Mr Grubb as an individual and, therefore, it should be treated as his personal information. Mr Grubb referred to the notorious experiment by AOL to release an “anonymised” database of over 20 million search query logs for public research purposes. Despite AOL’s attempts at anonymisation, reporters from the NY Times were able through clever analysis and cross-referencing to trace a collection of services to a particular end user. This case illustrates that it is easy to underestimate the ability of a person with sufficient motivation and ingenuity to connect usage data to particular users.
Notwithstanding the complex arguments raised by each side about the practicality of linking the relevant network data to Mr Grubb, Deputy President Forgie eventually decided the matter on slightly different grounds. The Deputy President said that, when deciding whether a particular piece of information is “personal information”, the first question to consider is whether the information is in fact “about” an individual. If not, then that is the end of the matter. If it is information about an individual, then the next question to ask is whether the relevant individual can be reasonably identified (it is at that stage that issues about whether or not Telstra could identify Mr Grubb from a combination of information sources would be relevant). In the present case, the Deputy President said that the mobile network data was not “about” Mr Grubb and, therefore, could not be personal information. As a consequence, she set aside the Privacy Commissioner’s earlier determination that had made an opposite finding.
In her reasoning, the Deputy President said that for information to be about an individual there must be more than a mere tenuous link between the information and the individual. The simple fact that the information would not have existed but for the individual in question (in the way that the data stored on Telstra’s network would not have existed but for Mr Grubb and the use of his mobile service) is not enough. The Deputy President used a number of interesting analogies to illustrate her point:
- In an accident involving a motorist and a pedestrian, any hospital records about the treatment of the pedestrian for injuries sustained in the accident would not be information “about” the motorist, even though the identity of the motorist could potentially be traced by linking the hospital admission records to the ambulance records and then to the accident report.
- Information in service records for a car that the Deputy President had purchased was information about the car, or about the repairs that had been carried out on the car, but was not information about the Deputy President, even though the records may have referred to the registration number of the car and even her name.
In Mr Grubb’s case, the mobile network data held by Telstra was not information about Mr Grubb once the call or message from his device was transmitted to the first cell in Telstra’s mobile network. From that point on, the data generated in the network was about delivering the call or message, rather than about Mr Grubb or the person he was communicating with. As a consequence it was not personal information, and Telstra was not obliged to disclose it in response to a request by Mr Grubb.
The Deputy President also made a number of other interesting points in her decision:
- She said that an IP address allocated to a particular mobile device at a particular time would also not qualify as personal information as it may change over time (as a particular device will not be allocated the same IP address for the whole of its working life). Rather, an IP address would be information about the means by which data is transmitted to or from the device over the internet. This is particularly interesting, as it comes almost on the same day that the EU has agreed on a new General Data Protection Regulation, with a broader concept of “personal data” that is likely to cover identifiers such as IP addresses (although further clarification on this issue is expected in 2016 from the EU Court of Justice).
- While the definition of “personal information” is the same in the Privacy Act and in the FOI Act, its application in each case differs because of the different objectives of the two statutory regimes. Accordingly, the scope of personal information required to be disclosed in response to an FOI request may not necessarily be a reliable guide to the scope of information required to be disclosed in response to a request under the Privacy Act, and vice versa.
This decision is a very significant one. Apart from the fact that it is rare to see a determination made by the Privacy Commissioner challenged in this way, it also means that operational data kept by companies in relation to the services they provide to individual customers may well fall outside the scope of Australian privacy laws. This may give these companies more freedom in how they manage and use that data. The practical implications of this may be far-reaching. However, companies should be careful before jumping to any conclusions that the information they hold will not be regulated as personal information. The Deputy President’s decision leaves a degree of doubt as to when there will be a sufficient connection between a piece of information and an individual for the information to be considered as personal information. As such, there may not be a bright line between service data that do and do not qualify as personal information.
You can read the AAT’s decision in this case at: http://www.austlii.edu.au/au/cases/cth/AATA/2015/991.html
Michael Swinson, Partner
King & Wood Mallesons