The Complaint
June 2013: Ben Grubb asked Telstra for access to the metadata it held on him in relation to his mobile phone. Telstra granted him access to data contained in his bills, but refused access to any other information. This is despite the fact that government agencies and law enforcement bodies would be able to access this information without a warrant (which they do hundreds of thousands of time per year) under data retention laws. Mr Grubb lodged a complaint to the Privacy Commissioner under the Privacy Act, which at that time required organisations which hold ‘personal information about an individual’ to ‘provide the individual with access to the information on request by the individual’ under National Privacy Principle (NPP) 6.1. This was before legislation was passed requiring telecommunication companies to retain the data for two years and amendments were made to the Privacy Act.
The Outcome
May 2015: Privacy Commissioner, Timothy Pilgrim, found in favour of Mr Grubb, agreeing that IP addresses, web browsing history and cell tower location information (beyond what Telstra retains for billing purposes) are all personal information and therefore Telstra had breached the Privacy Act by not providing the information. The Commissioner did not grant Mr Grubb access to the phone number of incoming callers because this would infringe upon others’ privacy. Telstra appealed the determination to the AAT.
December 2015: The AAT found in favour of Telstra. The AAT focused on the construction of NPP 6.1. There were two issues: firstly, the threshold question of whether the information sought was about an individual and if so, whether the relevant person can be reasonably identified from the information. The AAT construed the information sought as being not about Mr Grubb but “all about the way in which Telstra delivers the call or message… It is information about the service it provides to Mr Grubb but not about him”. The AAT noted that to determine whether information was about an individual requires an analysis of the subject matter of that information. The focus of the information, the reason for it being generated as well as the connection between the person concerned and the information itself are all relevant factors. The AAT therefore denied Mr Grubb’s request for information.
You can read the AAT’s full decision here.
The Implications
This decision sheds light on the way that future decisions may be reasoned under the amendments of the Privacy Act which have superseded the NPPs. The new Australian Privacy Principles (APPs) still refer to ‘personal information about an individual’ which means that the construction of these provisions by the AAT may provide some indication that this phrase will be narrowly construed in the future and viewed as a threshold requirement for further analysis.
This decision however did not clearly articulate a test that organisations can apply in order to correctly characterise customer data. The factors of how the information is used and why the information is generated are good starting points but are not a definitive test. As such, companies should continue to exercise caution and bear in mind that information may still be personal information and subject to privacy laws.
This decision also does little to rectify the perceived imbalance between individuals’ rights to access information and authorities’ rights. The AAT claimed that equilibrium is achieved when the NPPs, which assert individual rights, are balanced against the access which public officials are given for the purposes of ‘search and rescue, security and law enforcement issues and public safety’. This demonstrates that the AAT at least prefers to allow the legislature to define the balance between public and private interests.