In Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4, Australia’s Full Federal Court set down a new test for determining whether metadata constitutes ‘personal information’ under Australia’s Privacy Act 1988 (Cth).
The decision arguably puts Australia out of sync with international regulatory trends on metadata, and represents a setback for the Australian Privacy Commissioner’s efforts to assume a more comprehensive role in regulating new data collection and aggregation technologies.
The new test for “personal information” in Australia
The case concerned a dispute between the Australian Privacy Commissioner and Telstra Corporation (Australia’s largest telco) over whether certain mobile network data (including IP addresses and URL data) held by Telstra constituted ‘personal information’ under the Privacy Act.
In December 2015 the Administrative Appeals Tribunal (AAT) ruled in favour of Telstra. The AAT held that the test for determining whether the metadata constituted “personal information” involved two discrete steps – first, assessing whether an individual person was the subject matter of the data (i.e. that the metadata was information ‘about an individual’, as opposed to being ‘about’ something else), and only then considering whether the individual’s identity could be reasonably ascertained from the data.
The AAT’s test was based on the specific wording of the Privacy Act, which defined ‘personal information’ in section 6(1) as:
‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’ (emphasis added)1
The Commissioner appealed the AAT’s decision to the Full Federal Court, arguing that the words ‘about an individual’ were effectively redundant, and should be read as part of the broader phrase ‘about an individual whose identity is apparent, or can be reasonably ascertained.’
The Full Federal Court rejected the Commissioner’s analysis, upholding the AAT’s two-step test and finding that the words ‘about an individual’ were intended to ‘direct attention to the need for the individual to be a subject matter of the information or opinion’.2
Due to the limited grounds of appeal (which focused on the correct formulation of the test), the Court was not required to rule on whether any of the metadata in dispute actually constituted ‘personal information’ and the AAT’s findings on these matters continue to stand3.
Where to from here?
Assuming that the Full Federal Court’s decision is allowed to stand4, we see five key takeaways for businesses that are based in, or doing business with, Australia:
1. This is not the end of the discussion on metadata
The Full Federal Court’s decision does not, as some reports have suggested, categorically exclude metadata such as IP addresses and URLs from being regulated as personal information under any circumstances.
The AAT’s finding that the mobile network data was not ‘personal information’ was based on technical evidence regarding the architecture and function of Telstra’s mobile network database. It is possible that metadata generated in systems that are architected in a different way (e.g. in a way that creates a clearer association between data points and individual data subjects) could still be captured as ‘personal information.’
The Court made it clear that the test must be applied on a case-by-case basis, and that the Commissioner is required to make ‘an evaluative conclusion’ when applying the test. This gives the Commissioner some scope to exercise discretion, subject to the general parameters imposed by administrative review.
2. An incentive to implement Privacy By Design (but not necessarily the one that the Commissioner wanted)
The Full Federal Court’s decision gives businesses further clarity regarding the ‘goalposts’ for architecting their systems and databases to minimise their exposure to regulatory obligations under the Privacy Act.
This may actually serve as an incentive for businesses to conduct appropriate privacy and technical due diligence (such as Privacy Impact Assessments) at the outset of technology projects to inform decisions on system design.
3. New challenges for cross-border arrangements
The Full Federal Court’s decision runs contrary to the trend in other jurisdictions for greater regulation of telecommunications metadata (such as cookie and IP address data).5
The Full Federal Court made it clear that the Privacy Act will be interpreted as a domestic piece of legislation, and that overseas case law will be of limited relevance – even where such legislation derives from common international instruments such as the OECD Privacy Principles.
It remains to be seen what impact the Full Federal Court’s decision will have on cross-border data transfers. However, the decision does serve as a clear reminder that Australian privacy law requirements must be considered individually, and that international harmonisation on privacy issues cannot be assumed.
4. A reminder of the statutory limits of the Commissioner’s jurisdiction
While it’s difficult to fault the Court’s application of established statutory interpretation principles to the Privacy Act, the practical outcome of this decision will undoubtedly pose some challenges for the Commissioner in managing his regulatory response to data collection and aggregation technologies.
The Court’s “black letter” approach towards construing the Commissioner’s jurisdiction could also result in the Commissioner adopting a more conservative approach towards emerging or “borderline” privacy issues. There are still many important issues under the Privacy Act that are currently awaiting judicial clarification, such as the cross-border data transfer rules and the scope of the Privacy Commissioner’s extra-territorial jurisdiction.
5. Time for a more specific legislative response to new technologies?
This decision may also serve to highlight the gap between the general public’s expectations regarding the Commissioner’s role and the technical limits of his jurisdiction.
During the Full Federal Court hearing various submissions were made in relation to the potentially invasive nature of database aggregation and data linking technologies, but the Court ultimately gave little weight to those concerns and noted that it was ‘unclear how any of those matters…had any bearing on the issues raised in this appeal.’
The Full Federal Court’s decision could lead to calls for a review of the Privacy Commissioner’s role (or some other form of specific legislative response to the privacy challenges raised by new technologies).
1 The Privacy Act’s definition of “personal information” was amended in March 2014 as part of the amendments that replaced the National Privacy Principle regime with the current Australian Privacy Principle regime.
2 Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 at [62]. The Court also noted that the words “about an individual” were repeated in the text of NPP 6.1, which weighed against the Commissioner’s argument that they had no independent content of their own.
3 The AAT held that neither the mobile network data generated by the customer’s calls and text messages, nor the IP addresses assigned to the customer’s mobile device when accessing the Internet, constituted ‘personal information’ in the context of Telstra’s systems.
4 At the time of writing this article, the Commissioner has not announced whether he intends to appeal the Full Federal Court’s decision.
5 For example, the recent EU Court of Justice decision in Case 582/14 – Patrick Breyer v Germany which held that dynamic IP addresses constituted personal information.