In this day and age, a lot of our personal information is stored digitally or online. Records of our online habits and communications are stored as data and used by companies for advertising and marketing purposes, among others. But this begs the question – what rules are there surrounding what companies can and can’t do with your personal information?
In Australia, personal information is covered by the Privacy Act and the Australian Privacy Principles. These impose significant obligations on business entities regarding the collection, storage and use of personal information. It also contains the framework of what access you as an individual have to the personal information that businesses collect and store. As a consumer, you have the right to access the information if it is considered to be ‘about you’. Below, we put this principle of privacy law under the microscope.
Ben Grubb, Telstra and the Privacy Commission
In June 2013, Fairfax journalist Ben Grubb, a Telstra mobile customer, asked for access to all of the personal information that Telstra had stored about him. Telstra delivered a range of information to Mr Grubb, including call records, billing information and other metadata including mobile cell locations.
Mr Grubb did not consider this sufficient, and nor did the Privacy Commissioner, who deemed Telstra in breach of National Privacy Principle 6.1 (now the Australian Privacy Principles). Mr Grubb sought access to all network data retained by Telstra in relation to his mobile service, to which Telstra refused on several grounds.
Telstra contended that the information Mr Grubb sought, including incoming calls, were not his ‘personal information’ and were that of third parties and would put Telstra in breach of the Telecommunications Act 1997 (Cth). Telstra also said that it would be unreasonably difficult for them to identify any one individuals’ network data, as it is near impossible to determine an individual’s identity from the data storage system. Telstra said that to provide this information, it would need to cross-reference different databases that Telstra uses for network assurance purposes. Telstra’s objections included that very few of its employees had both the right to access the relevant databases and did not possess the knowledge to extract the data. Also, the information in the databases is kept for different periods of time, from between 3 to 30 days. Telstra said that it could not be sure that it would obtain all the information required to do cross-reference checks. It also explained that this cross-referencing was not part of standard business operations.
Mr Grubb’s position was that if it was theoretically possible to connect the network data held by Telstra and perform the cross-references, then it should be treated as his personal information and that they should provide the information.
In May 2015, the Privacy Commissioner held that this type of network data was indeed personal information about Mr Grubb, and so should be provided to him. This would have meant that the Privacy Act applied to mobile network data information and consequently, would have attracted a new suite of laws alongside existing telecommunications regulation. The Administrative Appeals Tribunal, however, overturned the decision.
The Administrative Appeals Tribunal
Telstra appealed to the Administrative Appeals Tribunal. In December 2015, the Administrative Appeals Tribunal overturned this decision and found that mobile network data held by Telstra is not personal information about Telstra’s customers. This was no doubt a great relief for the telecommunications providers who collect operational data about services they provide to individual end users.
Deputy President Forgie, who heard the matter, considered the definition of personal information. The Deputy President felt that the first question to consider is whether the information is in fact “’about’ an individual”. If not, then it is not considered personal information. The Deputy President then considered the second step was to ask whether the relevant individual can be reasonably identified. Mr Grubb argued that Telstra could have identified him, using a combination of information sources that Telstra owned. The Deputy President’s view was that the mobile network data was not technically ‘about’ Mr Grubb and so could not be held to be personal information. The Deputy President set aside the Privacy Commissioner’s earlier ruling that had reached the opposite conclusion.
The Deputy President said that there must be “more that a mere tenuous link” between the information and the individual for the information in question to be said to be ‘about the individual’. While Mr Grubb argued that the information would not have existed if it was not for his use of the Telstra mobile service, the Deputy President did not consider that this was sufficient.
The Deputy President used the analogy of car servicing records. She said that car servicing records are about the car. Including, for example, repairs, but the records are not about the owner of the car personally, even though the car registration details show who is the owner of the car.
Is Mobile Network Data Personal Information?
The Deputy President found that in Mr Grubb’s case:
- The mobile network data Telstra held was not information about him, once the call from his phone or message from his phone or another device transmitted to the first cell in Telstra’s mobile network; and
- From then on in the process, data generated in the network was about delivering the call or message, not personal information about Mr Grubb or the person that he was in contact with.
The Deputy President concluded that mobile network data held by Telstra was not personal information, which meant that Telstra was not obliged to disclose mobile network data in response to a request by Mr Grubb.
What are the Implications For Telecommunication Providers?
The telecommunications industry currently enjoys the decision made in the Grubb case, as it means that operational data, including mobile network data that is routinely generated and stored by telecommunications companies, is not caught by Australian privacy laws. If privacy laws applied, there could be a considerable additional regulatory burden.
What are the Implications for Customers?
This may give these companies more freedom in how they manage and use the metadata they collect about you. It also means that individual consumers may find that they have restricted access to personal information or metadata that is collected about them and their digital activity. It is, therefore, important to be aware of this fact so as to protect your personal information and privacy.
What is considered to be personal information, and how should it be treated, it not set in stone in legal terms. It is as fluid as the types of data which are created, used, stored and changed over time. If you are an online business that collects, stores and uses personal information, it is prudent to get advice on how Australian privacy law will affect your business and the data security obligations that it may impose on you.
If your business receives requests for personal information, it is important to seek legal advice to understand what information you are required to provide, and what information is not caught by the Privacy Act and the APPs. Questions? Our IT lawyers have considerable expertise in privacy law and telecommunications. Get in touch on 1300 544 755.