How about me? The scope of personal information under the Australian Privacy Act 1988

https://doi.org/10.1016/j.clsr.2017.05.019Get rights and content

Abstract

A recent Australian Federal Court decision has raised the issue of the scope of information protected under the Australian Privacy Act 1988. The Court failed to adequately address this question, leaving Australians unsure as to whether sections of their information, such as the IP addresses allocated to their mobile devices, will be considered personal information under the Act. The main consideration the Court dealt with was what it means for information to be “about” an individual. In this paper I address two questions: a) how is information determined to be “about” an individual under the Act; and b) how should this determination be made in the future? I conclude that currently available guidance from the courts, the Australian Information Commissioner and scholarly commentary are inadequate to enable individuals, organisations and agencies to consistently make such determinations. Accordingly I draw on approaches to this question taken in Canada, New Zealand, the European Union and the United Kingdom to argue that the definition should be broadly interpreted in a technologically-aware manner. This will help to ensure that personal information is more comprehensively protected under the Privacy Act.

Introduction

In 2012, the department store Target made headlines when it was revealed that it was able to identify, via her buying and browsing history, a teenage girl's pregnancy before even her father knew.1 A recent study found that it was relatively easy to draw complete location information about a single person from an anonymized dataset of 1.5 million mobile phone users in Europe.2 It has even been alleged that big data3 has been used to influence public votes for the recent Brexit campaign in the United Kingdom and the Trump presidential campaign in the United States.4

Governments collect alarmingly detailed datasets about millions of people worldwide,5 and the extent of personal data available is such that even the futures of individuals can be predicted with an unnerving degree of accuracy.6 Individuals are leaving behind complex data trails that can reveal even the most intimate details of their lives,7 bringing greater risks to citizens.8 We appear to be inching closer to the totalitarian vision referred to by Browne-Wilkinson VC:

If the information obtained by the police, the Inland Revenue, the social security services, the health service and other agencies were to be gathered together in one file, the freedom of the individual would be greatly at risk. The dossier of private information is the badge of the totalitarian state.9

Accordingly the need for privacy regulation, both in Australia and abroad, is as great as ever, so that the public can have confidence that their personal data is being handled securely.

Foundational to data protection regulation is a clear understanding of what personal information is, as the Privacy Act 1988 (Cth) (Privacy Act) only applies to such information.10 As Cheung notes, “data that do not constitute personal data are subject to far less, if any, legal regulation.”11 This question arose when former Fairfax technology journalist Ben Grubb applied to Telstra for the metadata concerning him that Telstra held. This matter went all the way to the Full Federal Court of Australia until the Court released its decision on 20 January 2017.12

This decision has significant implications for the use of personal information generated by members of the public and held by organisations,13 particularly in light of the new mandatory data breach reporting legislation requiring the reporting of unauthorised access to or disclosure of personal information.14 While some claim the decision has “drastically narrow[ed] the definition of personal information under the Privacy Act”,15 and has “gutt[ed] Australia's privacy laws,”16 others are less certain of the impact of this decision.17 Given this uncertainty and the scant jurisprudence on key components of the Privacy Act 1988 (Privacy Act),18 I will address two questions:

  • 1.

    How do decision-makers, organisations and individuals determine whether information is “about” an individual under the Privacy Act?

  • 2.

    How should personal information, and the link required by the word “about” between the information and the individual, be interpreted in the future to better give effect to the objects of the Privacy Act?

Section snippets

Previous definition

The definition of personal information under the Act when Mr Grubb made his initial request for information to Telstra read as follows:

Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.19

According to the Explanatory Memorandum of the

When information should be about an individual

In Part 2 I demonstrated that neither the Federal Court nor the Information Commissioner have sufficiently clarified the meaning of personal information in the Privacy Act. This has left the public unclear as to whether information they provide to organisations, whether intentionally or unintentionally, is protected under the Act. In Part 3, I review approaches from other jurisdictions that the Australian courts and legislature can take into account to provide clarity, informing the public as

Final conclusion

After the Federal Court's decision, it is unclear what types of information will be considered about individuals under the Privacy Act. The Court did not directly denounce the Tribunal's considerably narrow approach to this question. If adopted, this could result in categories of information from which people can be identified, such as IP addresses and mobile network data, being unprotected by the Privacy Act and vulnerable to misuse.

Encouragingly, the Commissioner has provided guidance on the

Author Information

Joshua Yuvaraj currently practices as a litigation solicitor in New Zealand. He is a graduate of Monash University in Melbourne, Australia (BA/LLB (Hons)). His research interests are privacy, technology, intellectual property and international law. He is particularly interested in the intersection between domestic information law and international law. His writing has previously been published in the Utrecht Journal of International and European Law (September 2016) and the Australian

Conflict of interest

The author declares that he has no actual or potential conflict of interest or interest including any financial, personal or other relationships with other people or organisations within three years of beginning the submitted work that could inappropriately influence, or be perceived to influence, his work.

Acknowledgements

The author wishes to acknowledge the comments of the anonymous reviewer, which have been instrumental in the drafting process. The author declares that no external individual or organisation has provided funding for the conduct of the research and/or preparation of the article.

References (0)

View full text