Reading time: 5 minutes

In June 2013, Ben Grubb, a Fairfax journalist and Telstra mobile customer, asked Telstra for access to all the personal information that Telstra held about him. Telstra delivered call records, billing information and other metadata including mobile cell locations, to Mr Grubb.

Mr Grubb argued that he had a right to access his mobile network data because it was personal information. He took the matter to the Privacy Commission, which in 2015 held that mobile network data was personal information. However, the Administrative Appeals Tribunal (AAT) overturned this decision. The AAT also discussed whether an IP address can be considered personal information under the Privacy Act. This article looks at whether IP addresses are personal information. 

Is an IP Address Personal Information?

The Deputy President of the AAT discussed on Telstra’s appeal whether an IP address is personal information. The Deputy President stated that an IP address is a kind of information about the means by which data is transmitted over the internet, but it is not, in itself ‘personal information’. The IP address is linked to a particular mobile device at a specific time but is not necessarily connected to a specific person. Even though the device may have only one owner, we can never be certain as to who is using a device at any given time. Accordingly, the Deputy President noted that the IP address of a device may change over time because a particular device is not allocated the same IP address for its whole working life.

The Australian Law Reform Commission (ALRC) had also considered this issue when it looked at the definition of personal information (Discussion Paper 72, Review of Australian Privacy Law). The ALRC suggested that simple contact information, such as a street or postal address, a telephone number, or an IP address, does not and should not, fall within the proposed definition of ‘personal information’.

The Australian Communications and Media Authority

The Australian Communications and Media Authority (ACMA) has also considered whether an IP address should be personal information. The ACMA made submissions to the ALRC to the effect that while IP addresses uniquely identify computers connected to the internet, the address relates to a computer or other device. It is not linked to an individual and cannot alone identify the individual who is using the machine.

ACMA and other commentators have noted that while we cannot determine an individual user’s identity from an IP address alone, it is possible to ascertain someone’s identity with a reasonably high degree of certainty by connecting the IP address with other information the Internet service provider holds. For example, it is possible to collate information about my address, telecommunications package, phone number and IP address, and if I live alone, it is likely that this information does relate to me personally.

What Happens if an IP Address is Considered Personal Information?

The AAT’s Deputy President held that IP addresses are a means by which data is transmitted over the internet, but is not in itself ‘personal information’.

If IP addresses are seen to be ‘personal information’ under the Privacy Act, then the Privacy Act obligations and protections would apply to them, and affect the ability of entities to share IP address information with international authorities in the course of criminal investigations and enforcement actions.

If mobile network data or IP addresses are considered to be personal information, then the Privacy Act would apply to mobile network data information and IP addresses. If that were the case, a suite of new laws would apply, in addition to the existing telecommunications and information technology regulatory framework in Australia.

Organisations collect huge volumes of information and data about individuals, for the purpose of including it in a larger data set for analysis and making business decisions. For example, information about consumer food shopping is relevant to many retail business decisions including product placement, packaging and pricing. This information is de-identified to remove any personal information.

Businesses that collect and store IP address information are not, by law, required to collate, save and use it according to the Privacy Act requirements. The exemption of IP addresses from the definition of personal information also means that businesses are not required to answer requests for access to the information from consumers.

Future Steps

The current definition of personal information in the Privacy Act is information that is “about an individual”. Other countries and Australian regulators are increasingly aware of both: 

  1. Widespread collection of information online and in the telecommunications industry; and 
  2. The ability to determine with reasonable certainty, which person the information relates to.

The Office of the Privacy Commissioner, the ALRC and other industry bodies recognise that the scope of the definition of “personal information” is changing. The ALRC suggests that we need guidance on how the definition applies in different contexts, including information technology and telecommunications industries.

Key Takeaways

What are your business’s obligations under privacy law and are you meeting them? If you are an Australian Privacy Policy entity, then you need a Privacy Policy that your customers can access, so that they are aware of what you’re doing when you collect their personal information. You also need to ensure that your employees or members of your team are complying with the Privacy Policy, typically contained in a Privacy Manual. 

Does your business collect IP addresses? While we have considered that the Privacy Act does not necessarily capture an IP address as it is not personal information, it’s important to realise that the scope of personal information is not set in stone. It is then sensible to seek legal advice on your privacy law and other data security obligations. For example, our Privacy Policy refers to Google Analytics to reflect our client’s increasing use of the tool. If you have any questions about handling personal information, get in touch with our IT lawyers on 1300 544 755.


How Franchisors Can Avoid Misleading and Deceptive Conduct

Wednesday 18 May | 11:00 - 11:45am

Ensure your franchise is not accused of misleading and deceptive conduct. Register for our free webinar today.
Register Now

New Kid on the Blockchain: Understanding the Proposed Laws for Crypto, NFT and Blockchain Projects

Wednesday 25 May | 10:00 - 10:45am

If you operate in the crypto space, ensure you understand the Federal Government’s proposed licensing and regulation changes. Register today for our free webinar.
Register Now

How to Expand Your Business Into a Franchise

Thursday 26 May | 11:00 - 11:45am

Drive rapid growth in your business by turning it into a franchise. To learn how, join our free webinar. Register today.
Register Now

Day in Court: What Happens When Your Business Goes to Court

Thursday 2 June | 11:00 - 11:45am

If your business is going to court, then you need to understand the process. Our free webinar will explain.
Register Now

How to Manage a Construction Dispute

Thursday 9 June | 11:00 - 11:45am

Protect your construction firm from disputes. To understand how, join our free webinar.
Register Now

Startup Financing: Venture Debt 101

Thursday 23 June | 11:00 - 11:45am

Learn how venture debt can help take your startup to the next level. Register for our free webinar today.
Register Now

About LegalVision: LegalVision is a commercial law firm that provides businesses with affordable and ongoing legal assistance through our industry-first membership.

By becoming a member, you'll have an experienced legal team ready to answer your questions, draft and review your contracts, and resolve your disputes. All the legal assistance your business needs, for a low monthly fee.

Learn more about our membership

Need Legal Help? Submit an Enquiry

If you would like to get in touch with our team and learn more about how our membership can help your business, fill out the form below.

Our Awards

  • 2020 Innovation Award 2020 Excellence in Technology & Innovation Finalist – Australasian Law Awards
  • 2020 Employer of Choice Award 2020 Employer of Choice Winner – Australasian Lawyer
  • 2020 Financial Times Award 2021 Fastest Growing Law Firm - Financial Times APAC 500
  • 2020 AFR Fast 100 List - Australian Financial Review
  • 2021 Law Firm of the Year Award 2021 Law Firm of the Year - Australasian Law Awards
  • 2019 Most Innovative Firm - Australasian Lawyer