Case note and commentary: Privacy Commissioner v Telstra Corporation Ltd [2017] FCAFC 4 (Grubb case)

Date: 19 January 2017

Court: Federal Court of Australia, Full Court

Judges: Dowsett, Kenny and Edelman JJ

Material facts

On 15 June 2013, Mr Ben Grubb, a journalist, sent an email to Telstra requesting “all the metadata information Telstra has stored about [his] mobile phone service”,[1] including:

• which cell tower he was connected to at any time
• the mobile number of each text message he had received and the time it was received
• the time each data session began and finished
• Uniform Resource Locators (URLs) of websites he has visited
• the duration of telephone calls he was involved in
• who he had called and who had called him, and
• estimated longitude and latitude positions stored by Telstra.

Telstra responded by informing Mr Grubb that he could access outbound call details and the length of data use sessions from online billing but cited privacy laws as the reason it was unable to provide him with the other requested information.[2]

On 8 August 2013, Mr Grubb filed a complaint with the Office of the Australian Information Commissioner (OAIC) under s 36(1) of the Privacy Act 1988 (Cth) (Privacy Act).[3] During the course of the Privacy Commissioner’s investigation, Telstra provided Mr Grubb with further information (some of its own motion, others in response to Notices to Produce issued by the Privacy Commissioner). Consequently, by the time of the Privacy Commissioner’s determination on 1 May 2015, all that remained in dispute was whether Telstra was required to provide the following information to Mr Grubb:

• mobile phone network data, recording:
• Internet Protocol (IP) address information
• URL information, and
• cell tower location information beyond what Telstra retained for billing purposes, and
• incoming call records containing the following information:
• inbound call numbers and location information including the cell tower involved in the communication
• the date, time and duration of the communication (other than for text or multimedia message communications)
• billing information of incoming callers, and
• subscriber data in relation to the incoming callers.[4]

Litigation history

The Privacy Commissioner determined that the mobile phone network data was ‘information… about an individual’ as it could be cross-matched with information held on Telstra’s various network and records management systems and thereby be linked to a particular individual.[5]

The Privacy Commissioner also held that the mobile phone network data was information from which an individual’s identity could reasonably be ascertained[6] (but not information from which an individual’s identity was apparent[7]) and therefore personal information which a customer such as Mr Grubb was entitled to access on request under National Privacy Principle 6.1 (NPP 6.1). Consequently, Telstra’s refusal to provide Mr Grubb access constituted a breach of NPP 6.1 and therefore an interference with Mr Grubb’s privacy.[8]

In relation to the incoming call records, the Privacy Commissioner held that they were information about Mr Grubb, notwithstanding that they were also information about another individual (the caller),[9] and that Mr Grubb’s identity could reasonably be ascertained from them.[10] The incoming call records therefore were personal information about Mr Grubb but the Privacy Commissioner held that Telstra was entitled to rely on NPP 6.1(c)[11] to deny Mr Grubb access to the phone numbers of incoming callers.[12]

Telstra appealed the Privacy Commissioner’s decision in the AAT. The AAT (Forgie DP) set aside the Privacy Commissioner’s decision and substituted in its place a determination that Mr Grubb’s complaint was not substantiated and that Telstra did not breach NPP 6.1.[13]

In relation to the mobile phone network data, Forgie DP held that it was not ‘information… about [Mr Grubb]’ as it was information about the service that Telstra provided to Mr Grubb, rather than information about Mr Grubb personally.

Relevant to this characterisation of the mobile phone network data was the fact that it was generated for the purpose of supporting the transmission of Mr Grubb’s calls and messages and had Mr Grubb not made calls or sent messages, the data would not have been generated.[14] In relation to IP addresses specifically, Forgie DP noted that as an IP address is not exclusively allocated to a particular mobile device and a particular mobile device is not allocated a single IP address over its entire working life, there is insufficient connection between the IP address and the person using a mobile device to make it information about that person.[15]

The Privacy Commissioner’s decision in relation to the incoming call data did not appear to be in issue before the AAT.

Issues in appeal

At issue in the litigation was whether the mobile phone network information and incoming call information held by Telstra were ‘personal information’ so as to oblige Telstra to give Mr Grubb access to that information on request under NPP 6.1.[16]

The parties agreed that the relevant law was the Privacy Act as it stood on 1 July 2013. Section 6 of the Privacy Act then provided that:

personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

This definition of ‘personal information’ is substantially the same as the definition in section 6 of the Privacy Act as it currently stands.

NPP 6.1 as it then stood provided that:

[i]f an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual…

This formulation of NPP 6.1 is relevantly identical in all material respects to the current formulation of APP 12.1.

In the proceedings in the Administrative Appeals Tribunal (AAT), Forgie DP held that the section 6 definition of personal information raises a threshold question of whether the information or opinion in question is ‘about an individual’.

If the information or opinion is not about an individual, it is not personal information, regardless of whether that information or opinion could be linked with other information to identify a particular individual.[17]

Only if the information or opinion is about an individual is it necessary to inquire whether the individual’s identity is apparent or can reasonably be ascertained from the information or opinion.[18]

The Full Federal Court was required to determine whether the AAT gave the correct operation to the words ‘about an individual’ in NPP 6.1 and the definition of personal information.[19]

Decision

The Full Federal Court (Kenny and Edelman JJ providing the lead judgment, Dowsett J agreeing) dismissed the Privacy Commissioner’s appeal from the AAT’s decision, holding that the Forgie DP did not err by holding that the words ‘about an individual’ have substantive operation in NPP 6.1.[20]

However, the Full Federal Court declined to determine whether the words ‘about an individual’ create a threshold element in the section 6 definition of personal information because it was not necessary to do so in light of its finding about the effect of those words on NPP 6.1.

Reasons for the Full Federal Court’s decision

The Full Federal Court’s decision turned on the role of the words ‘about an individual’ in NPP 6.1. It rejected the Privacy Commissioner’s contention that information from which an individual’s identity is apparent or can reasonably be ascertained is necessarily information about that individual as it would involve the words ‘about an individual’ having no substantive operation.[21] Such an approach is consistent with the ‘rule’ of statutory interpretation that no word, clause or sentence should be held to be superfluous or ‘do no work’ if by another construction it can be given substantive operation.[22] NPP 6.1 provided a right of access to ‘personal information about an individual’. The separate mention of the words ‘about an individual’ in NPP 6.1 reinforced the Court’s view that, whatever their role in the definition of personal information, they could not be dismissed as insignificant when construing NPP 6.1.[23]

In applying NPP 6.1, the Full Federal Court held that “[t]he words ‘about an individual’ direct attention to the need for an individual to be a subject matter of the information or opinion”.[24] Taking the parties’ assumption that the information referred to in NPP 6.1 is the totality of the information held about the individual, it accepted that even if a piece of information is not by itself ‘about an individual’, it may be so when combined with other information. Whether this is so is an evaluative conclusion made in the circumstances of each case,[25] but because the Privacy Commissioner’s grounds of appeal did not allege that the AAT erred in concluding that the mobile phone network data was not about Mr Grubb, the Court did not explore in detail the issue of when information is relevantly about an individual.

The Full Federal Court did, however, comment that whether information is ‘about an individual’ may depend on how broadly ‘from the information or opinion’ is interpreted. The looser the causal connection required by the word ‘from’, the more information which could potentially be personal information and the more likely it is that the words ‘about an individual’ in NPP 6.1 will exclude some of that personal information from the operation of NPP 6.1.[26]

The Full Federal Court rejected the submissions of the prospective amici curiae – the Australian Privacy Foundation and the New South Wales Council for Civil Liberties – that regard should be had to the text of article 17 of the International Covenant on Civil and Political Rights (ICCPR), the OECD Guidelines and international judicial decisions concerning the right to privacy. Leaving aside questions about whether some of the international authorities relied upon by the prospective amici curiae stood for the propositions which they alleged, the Full Federal Court noted that the content of the right of privacy in article 17 of the ICCPR is not defined but rather left to the reasonable discretion of state parties, limiting the value of the ICCPR in interpreting the Privacy Act.[27] The Full Court stressed that the case before it concerned a narrow question of statutory interpretation rather than a broad consideration of the right to privacy.[28]

Commentary about the decision

The decisions of the Privacy Commissioner and the AAT in this case turned on whether the mobile phone network data was personal information – the Privacy Commissioner held that it was personal information of Mr Grubb whereas the AAT held that it wasn’t. This decision was therefore expected to provide appellate court authority (and thereby relative certainty) about the meaning of ‘personal information’ in the Privacy Act. Disappointingly in that sense, the Full Federal Court avoided the issue and decided the case on the narrow grounds of appeal, leaving some uncertainty about what is ‘personal information’. The most it did in that respect was to strongly hint that the AAT’s construction is preferable as it ensures that no word or phrase is superfluous.[29]

The Full Federal Court’s reasons for its decision are cogent, persuasive and uncontroversial. Its decision accords with commonly accepted rules of statutory interpretation. It also determined the minimum amount necessary to decide the case before it and declined to make obiter dicta statements about collateral issues.

The Full Federal Court drew attention to the need to examine the APPs in detail, as many of the APPs use the phrase ‘personal information about an individual’.[30] It can no longer be assumed that information that identifies an individual or from which an individual is reasonably identifiable is necessarily about that individual. Forgie DP’s car analogy[31] provides a good explanation of the distinction between the two concepts.

The Full Federal Court’s decision is likely to be welcomed by entities that collect, use and/or disclose personal information and are subject to the Privacy Act, as, even without conclusively determining the operation of the words ‘about an individual’ in the definition of personal information, it significantly limits the scope of information that they have obligations in respect of and thereby makes compliance with the Act less onerous.

However, the uncertainty around the meaning of ‘personal information’ will be significant in the context of the new mandatory data breach notification regime, which is due to commence in early 2018. As the notification obligation will depend partly on there being a loss of, unauthorised access to or unauthorised disclosure of personal information,[32] a lack of certainty about the scope of what is personal information will make it more difficult to comply with this obligation.

Contact details:

Andrea Beatty, Consulting Principal

andrea.beatty@keypointlaw.com.au

Gabor Papdi, Graduate

Emma Zirkel, Graduate