Australian privacy practitioners might be forgiven their disbelief at the sudden and uncharacteristic range of privacy issues making the Australian headlines.
Australian Privacy Commissioner overturned in Grubb v Telstra
It started in December 2015, when the Australian Administrative Appeals Tribunal overturned the earlier determination by the Australian Privacy Commissioner granting journalist Ben Grubb access to certain data relating to Mr Grubb’s use of Telstra mobile services.
In May 2015, the Australian Privacy Commissioner, Mr Timothy Pilgrim PSM, had found that Telstra had breached the Australian Federal Privacy Act 1988 by failing to provide Mr Grubb with access to requested metadata relating to his use of Telstra telecommunications services. This data was collected and held by Telstra in various databases for various purposes, some purely technical e.g. operation of the network and monitoring its performance.
It was not in dispute that Mr Grubb as an individual could be linked to relevant network data relating to use by Mr Grubb of his mobile phone through a multi-step process (requiring significant labour input and including manual matching) of tracing and matching records, through multiple databases in Telstra’s systems. What was in dispute before Commissioner Pilgrim was whether Mr Grubb’s identity could reasonably be ascertained from the relevant network data. This was treated as a question as to the reasonableness of the multiple steps required to link the network data back to Mr Grubb. On appeal that issue was again debated, but in addition there was extensive analysis as to whether the relevant network data was information ‘about an individual’, or information about a device that incidentally related to an individual.
Although Mr Grubb’s identity was not apparent in relevant Telstra databases where relevant metadata was held, the device identifiers or IP addresses or other transactional information there held could be traced through from mobile tower records to operational and network databases and on to personally identifying databases (in particular, the Telstra customer billing database). In fact, Telstra regularly complied with requests by law enforcement agencies for lawful assistance as to the use of mobile phones by persons of interest by undertaking the same tracing and matching processes.
Tribunal Deputy President S A Forgie stated that where an individual is not intrinsically identified in information, a two-step characterisation process should be applied. The first step is determining whether relevant information is “about an individual.” The second step is working out whether an individual’s identity “can reasonably be ascertained from the information or opinion”. If relevant information is not “about an individual,” that is the end of the matter. But if information is information “about an individual,” the second step must be applied. The Tribunal then reasoned “The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him”.
The reasoning of the Tribunal is novel, controversial and apparently reached without reference to relevant international cases. The Australian Privacy Commissioner had appealed the Tribunal’s Decision to the Federal Court of Australia. A Full Bench of the Federal Court will hear the appeal, probably in August 2016.
The Tribunal’s decision throws open the vexed issue of how to work out when device information is ‘about an individual whose identity may be reasonably ascertained from the information’. This is a key issue that arises for many Internet of Things (‘IoT’) applications now entering the market.
Mandatory data breach notification back on the boil
The Australian Government in December 2015 invited public comment on a draft serious data breach notification bill before legislation is introduced in Parliament in 2016. The Bill would require Government agencies and businesses subject to the Privacy Act 1988 (broadly, any business doing business in Australia that had a global group annual turnover in excess of $AU 3 million) to notify the national privacy regulator and affected individuals following a serious data breach.
The Australian Privacy Commissioner received 110 voluntary data breach notifications in 2014-15, up from 67 notifications in 2013-14 and 61 in 2012-13. The Australian Privacy Commissioner’s enquiries into voluntary data breach notifications focus on the nature of a breach (such as the kind of personal information involved, and how the breach occurred), and the steps taken to contain the breach, mitigate harm to affected individuals, and improve security practices in future. However, the OAIC does not have specific powers to deal with data breaches.
Submissions for this consultation closed on 4 March 2016 and the Federal Attorney-General’s Department is currently considering submissions, many of which are likely to be published. The Exposure Draft Bill may then be amended, taking these submissions into account, before the Bill is introduced into the Federal Parliament.
Cause of action for serious invasions of privacy back again
On 3 March 2016 the New South Wales State Parliament Standing Committee on Law and Justice released the findings of its Inquiry into Serious Invasions of Privacy in NSW, recommending that NSW introduce a statutory cause of action for serious invasions of privacy. The Committee went further to recommend a significant expansion of the powers of the NSW Privacy Commissioner to address claims of serious invasions of privacy. The NSW Privacy Commissioner, Dr Elizabeth Coombs, said “This is a win for those people who have had their privacy breached in unimaginable ways and then suffered further indignity in discovering that they had no right to recourse…”.
Although the Australian Law Reform Commission in 20145 recommended introduction of a federal statutory cause of action for serious invasions of privacy, that recommendation was roundly criticised by the Australian media as an undue fetter upon freedom of expression and effectively shelved by the Federal Attorney-General. The State recommendations raise the spectre of State and Territory statute based causes of action with variants, inconsistencies and incomplete coverage, as is the case with surveillance device and tracking device regulation today. It is possible that this New South Wales initiative may re-ignite discussion as to a Federal approach. In the meantime plaintiff’s lawyers seek to shoehorn privacy infractions into the developing equitable doctrine of misuse of confidential information, with varying success in State courts. A number of ‘revenge porn’ cases, where estranged boyfriends have then published photos of videos of intimate active with their former girlfriends, have prompted the courts to extend the doctrine of misuse of confidential information in order to provide a remedy to understandably distressed plaintiffs. New statute laws now being introduced that specifically address such non-consensual publication of intimate material may stem that tide, but until such laws provide remedies across Australia we may expect continued litigation in this area.
The potential for creative expansion of misuse of confidential information to fill the gap of absence of a tort or statutory cause of action for invasion of privacy was illustrated in early March 2016 by novel pleadings filed in the NSW Supreme Court by billionaire mining magnate Gina Rinehart, who is contesting such details as her weight, whether her father cheated at tennis and the colour of her mother’s hair, in her claim against Channel Nine and production company Cordell Jigsaw over the television broadcast of mini-series House of Hancock. Ms Reinhart is suing for injurious falsehood, misleading and deceptive conduct and damages for breach of privacy, claiming she has a right “to live her life without being subject to unwarranted and undesired publicity, including publicity unreasonably placing her in a false light before the public”. Among other remedies, Ms Reinhart seeks an injunction preventing the DVD copy of the program being advertised as a “true story”. Such ’false light’ claims seek to extend the reach of both defamation laws and the doctrine of misuse of confidential information to ‘fill the gap’ and create a right of seclusion for individuals in Australia.
My health record
The Australian government’s move to change its Personally Controlled Electronic Health Record program from an opt-in system to an opt-out system has been vigorously championed by the Federal Government, including in a “major relaunch” last month. In the first phase in March 2016, individuals living in in the Nepean Blue Mountains and Northern Queensland will receive a letter from the Australian Government. “If you do not want a My Health Record automatically created for you, or your family, you will need to tell us to stop a record from being made. You will be able to tell us if you do not want a record from 4 April 2016. You can also customise access to your My Health Record by setting access controls including restricting who can see your information, or cancel your record, at any time.”
That change has brought on stinging criticism from some privacy advocates, including the Victorian Commissioner for Privacy and Data Protection, Mr David Watts. ZDNet reports that speaking at a recent event in Canberra, Mr Watts described the initiative as a “fundamental breach of trust” and continued: “I actually designed the regulatory system for e-health in Australia, and I swore black and blue … that we would never be an opt-out system, and always be an opt-in. And of course it’s now an opt-out system in order to drive take-up of e-health, because AU$4 billion had been spent on it and very few people had registered.”
Expect this issue to run and run.
Privacy Commissioner Pilgrim in Senate Estimates
In his opening statement to the Senate Estimates Committee Mr Timothy Pilgrim, the Australian Privacy Commissioner and Acting Australian Information Commissioner, stated that in 2016 some of the Commissioner’s priority areas in privacy will focus on its continuing oversight role in the eHealth sector, particularly with the trials of the opt-in system with the My Health Record.
Commissioner Pilgrim continued that the office will be working with the Attorney-General’s Department on the security agenda, including specific issues such as national facial biometric matching capabilities, and with the Attorney-General’s Department on the proposed mandatory data breach notification scheme.
Under the category of data usage, the office will be engaging with the Department of the Prime Minister and Cabinet on the public sector data management initiative. The Commissioner will also be working on guidance for both the public and private sectors on big data and privacy, as well as data matching and de-identification.
And that’s on top of dealing with complaints (in the first six months to December 2015 the Commissioner received 1,076 and we have finalised 1,107 in an average time of five months), opening commissioner-initiated investigations (seven), undertaking assessments (formerly known as audits) of both public and private sector entities (nine), lodging 19 submissions to various parliamentary committees and government consultation processes dealing with the use of personal information, and fielding 10,266 inquiries covering both privacy and FOI matters.