How about me? The scope of personal information under the Australian Privacy Act 1988
Introduction
In 2012, the department store Target made headlines when it was revealed that it was able to identify, via her buying and browsing history, a teenage girl's pregnancy before even her father knew.1 A recent study found that it was relatively easy to draw complete location information about a single person from an anonymized dataset of 1.5 million mobile phone users in Europe.2 It has even been alleged that big data3 has been used to influence public votes for the recent Brexit campaign in the United Kingdom and the Trump presidential campaign in the United States.4
Governments collect alarmingly detailed datasets about millions of people worldwide,5 and the extent of personal data available is such that even the futures of individuals can be predicted with an unnerving degree of accuracy.6 Individuals are leaving behind complex data trails that can reveal even the most intimate details of their lives,7 bringing greater risks to citizens.8 We appear to be inching closer to the totalitarian vision referred to by Browne-Wilkinson VC:
If the information obtained by the police, the Inland Revenue, the social security services, the health service and other agencies were to be gathered together in one file, the freedom of the individual would be greatly at risk. The dossier of private information is the badge of the totalitarian state.9
Accordingly the need for privacy regulation, both in Australia and abroad, is as great as ever, so that the public can have confidence that their personal data is being handled securely.
Foundational to data protection regulation is a clear understanding of what personal information is, as the Privacy Act 1988 (Cth) (Privacy Act) only applies to such information.10 As Cheung notes, “data that do not constitute personal data are subject to far less, if any, legal regulation.”11 This question arose when former Fairfax technology journalist Ben Grubb applied to Telstra for the metadata concerning him that Telstra held. This matter went all the way to the Full Federal Court of Australia until the Court released its decision on 20 January 2017.12
This decision has significant implications for the use of personal information generated by members of the public and held by organisations,13 particularly in light of the new mandatory data breach reporting legislation requiring the reporting of unauthorised access to or disclosure of personal information.14 While some claim the decision has “drastically narrow[ed] the definition of personal information under the Privacy Act”,15 and has “gutt[ed] Australia's privacy laws,”16 others are less certain of the impact of this decision.17 Given this uncertainty and the scant jurisprudence on key components of the Privacy Act 1988 (Privacy Act),18 I will address two questions:
- 1.
How do decision-makers, organisations and individuals determine whether information is “about” an individual under the Privacy Act?
- 2.
How should personal information, and the link required by the word “about” between the information and the individual, be interpreted in the future to better give effect to the objects of the Privacy Act?
Section snippets
Previous definition
The definition of personal information under the Act when Mr Grubb made his initial request for information to Telstra read as follows:
Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.19
According to the Explanatory Memorandum of the
When information should be about an individual
In Part 2 I demonstrated that neither the Federal Court nor the Information Commissioner have sufficiently clarified the meaning of personal information in the Privacy Act. This has left the public unclear as to whether information they provide to organisations, whether intentionally or unintentionally, is protected under the Act. In Part 3, I review approaches from other jurisdictions that the Australian courts and legislature can take into account to provide clarity, informing the public as
Final conclusion
After the Federal Court's decision, it is unclear what types of information will be considered about individuals under the Privacy Act. The Court did not directly denounce the Tribunal's considerably narrow approach to this question. If adopted, this could result in categories of information from which people can be identified, such as IP addresses and mobile network data, being unprotected by the Privacy Act and vulnerable to misuse.
Encouragingly, the Commissioner has provided guidance on the
Author Information
Joshua Yuvaraj currently practices as a litigation solicitor in New Zealand. He is a graduate of Monash University in Melbourne, Australia (BA/LLB (Hons)). His research interests are privacy, technology, intellectual property and international law. He is particularly interested in the intersection between domestic information law and international law. His writing has previously been published in the Utrecht Journal of International and European Law (September 2016) and the Australian
Conflict of interest
The author declares that he has no actual or potential conflict of interest or interest including any financial, personal or other relationships with other people or organisations within three years of beginning the submitted work that could inappropriately influence, or be perceived to influence, his work.
Acknowledgements
The author wishes to acknowledge the comments of the anonymous reviewer, which have been instrumental in the drafting process. The author declares that no external individual or organisation has provided funding for the conduct of the research and/or preparation of the article.
References (0)
Cited by (6)
Code as personal data: implications for data protection law and regulation of algorithms
2023, International Data Privacy LawDoes personal data protection matter in data protection law? A transformational model to fit in the digital era
2023, Handbook of Big Data Research MethodsThe Regulation of Personal and Non-Personal Data in the Context of Big Data
2023, Journal of Human Rights, Culture and Legal SystemPersonal Privacy Data Protection in Location Recommendation System
2021, Journal of Physics: Conference SeriesCode as Personal Data
2021, SSRN