CPO Magazine - News, Insights and Resources for Data Protection, Privacy and Cyber Security Leaders

Watching the Watchman: Court Rejects Australian Privacy Commissioner’s Stance on Metadata

Philip Catania and Tim Lee · February 22, 2017

In Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4, Australia’s Full Federal Court set down a new test for determining whether metadata constitutes ‘personal information’ under Australia’s Privacy Act 1988 (Cth).

The decision arguably puts Australia out of sync with international regulatory trends on metadata, and represents a setback for the Australian Privacy Commissioner’s efforts to assume a more comprehensive role in regulating new data collection and aggregation technologies.

The new test for “personal information” in Australia

The case concerned a dispute between the Australian Privacy Commissioner and Telstra Corporation (Australia’s largest telco) over whether certain mobile network data (including IP addresses and URL data) held by Telstra constituted ‘personal information’ under the Privacy Act.

In December 2015 the Administrative Appeals Tribunal (AAT) ruled in favour of Telstra.  The AAT held that the test for determining whether the metadata constituted “personal information” involved two discrete steps – first, assessing whether an individual person was the subject matter of the data (i.e. that the metadata was information ‘about an individual’, as opposed to being ‘about’ something else), and only then considering whether the individual’s identity could be reasonably ascertained from the data.

The AAT’s test was based on the specific wording of the Privacy Act, which defined ‘personal information’ in section 6(1) as:

‘information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion’ (emphasis added)¹

The Commissioner appealed the AAT’s decision to the Full Federal Court, arguing that the words ‘about an individual’ were effectively redundant, and should be read as part of the broader phrase ‘about an individual whose identity is apparent, or can be reasonably ascertained.’

The Full Federal Court rejected the Commissioner’s analysis, upholding the AAT’s two-step test and finding that the words ‘about an individual’ were intended to ‘direct attention to the need for the individual to be a subject matter of the information or opinion’.²

Due to the limited grounds of appeal (which focused on the correct formulation of the test), the Court was not required to rule on whether any of the metadata in dispute actually constituted ‘personal information’ and the AAT’s findings on these matters continue to stand³.

Where to from here?

Assuming that the Full Federal Court’s decision is allowed to stand⁴, we see five key takeaways for businesses that are based in, or doing business with, Australia:

1. This is not the end of the discussion on metadata

The Full Federal Court’s decision does not, as some reports have suggested, categorically exclude metadata such as IP addresses and URLs from being regulated as personal information under any circumstances.

The AAT’s finding that the mobile network data was not ‘personal information’ was based on technical evidence regarding the architecture and function of Telstra’s mobile network database. It is possible that metadata generated in systems that are architected in a different way (e.g. in a way that creates a clearer association between data points and individual data subjects) could still be captured as ‘personal information.’

The Court made it clear that the test must be applied on a case-by-case basis, and that the Commissioner is required to make ‘an evaluative conclusion’ when applying the test. This gives the Commissioner some scope to exercise discretion, subject to the general parameters imposed by administrative review.

2. An incentive to implement Privacy By Design (but not necessarily the one that the Commissioner wanted)

The Full Federal Court’s decision gives businesses further clarity regarding the ‘goalposts’ for architecting their systems and databases to minimise their exposure to regulatory obligations under the Privacy Act.

This may actually serve as an incentive for businesses to conduct appropriate privacy and technical due diligence (such as Privacy Impact Assessments) at the outset of technology projects to inform decisions on system design.

3. New challenges for cross-border arrangements

The Full Federal Court’s decision runs contrary to the trend in other jurisdictions for greater regulation of telecommunications metadata (such as cookie and IP address data).⁵

The Full Federal Court made it clear that the Privacy Act will be interpreted as a domestic piece of legislation, and that overseas case law will be of limited relevance – even where such legislation derives from common international instruments such as the OECD Privacy Principles.

It remains to be seen what impact the Full Federal Court’s decision will have on cross-border data transfers. However, the decision does serve as a clear reminder that Australian privacy law requirements must be considered individually, and that international harmonisation on privacy issues cannot be assumed.

4. A reminder of the statutory limits of the Commissioner’s jurisdiction

While it’s difficult to fault the Court’s application of established statutory interpretation principles to the Privacy Act, the practical outcome of this decision will undoubtedly pose some challenges for the Commissioner in managing his regulatory response to data collection and aggregation technologies.

The Court’s “black letter” approach towards construing the Commissioner’s jurisdiction could also result in the Commissioner adopting a more conservative approach towards emerging or “borderline” privacy issues.  There are still many important issues under the Privacy Act that are currently awaiting judicial clarification, such as the cross-border data transfer rules and the scope of the Privacy Commissioner’s extra-territorial jurisdiction.

5. Time for a more specific legislative response to new technologies?

This decision may also serve to highlight the gap between the general public’s expectations regarding the Commissioner’s role and the technical limits of his jurisdiction.

During the Full Federal Court hearing various submissions were made in relation to the potentially invasive nature of database aggregation and data linking technologies, but the Court ultimately gave little weight to those concerns and noted that it was ‘unclear how any of those matters…had any bearing on the issues raised in this appeal.’

The Full Federal Court’s decision could lead to calls for a review of the Privacy Commissioner’s role (or some other form of specific legislative response to the privacy challenges raised by new technologies).

 


¹ The Privacy Act’s definition of “personal information” was amended in March 2014 as part of the amendments that replaced the National Privacy Principle regime with the current Australian Privacy Principle regime.

² Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 at [62]. The Court also noted that the words “about an individual” were repeated in the text of NPP 6.1, which weighed against the Commissioner’s argument that they had no independent content of their own.

³ The AAT held that neither the mobile network data generated by the customer’s calls and text messages, nor the IP addresses assigned to the customer’s mobile device when accessing the Internet, constituted ‘personal information’ in the context of Telstra’s systems.

⁴ At the time of writing this article, the Commissioner has not announced whether he intends to appeal the Full Federal Court’s decision.

⁵ For example, the recent EU Court of Justice decision in Case 582/14 – Patrick Breyer v Germany which held that dynamic IP addresses constituted personal information.

 

Philip Catania
Partner at Corrs Chambers Westgarth
Philip Catania is a Partner at Corrs Chambers Westgarth, and is recognised for his practical, proactive and risk-focussed approach. Phil has acted for some of Australia’s leading organisations in their technology and data privacy matters. He has dual qualifications in law and computer science, is a former President of the Victorian Society for Computers and the Law and is Australia’s representative on the Board of the International Technology Law Association.
Tim Lee
Senior Associate at Corrs Chambers Westgarth
Tim Lee is a Senior Associate at Corrs Chambers Westgarth, and an experienced technology lawyer with a particular focus on privacy, cyber security and digital transformation. He regularly advises on the implementation of complex, data-driven technology solutions, and has developed broad experience in procuring, protecting and commercialising database assets. Tim also has expertise in cyber incident management, and has advised clients on investigations by the Australian Privacy Commissioner and other regulators.