In June 2013, Ben Grubb, a Fairfax journalist and Telstra mobile customer, asked Telstra for access to all the personal information that Telstra held about him. Telstra delivered call records, billing information and other metadata including mobile cell locations, to Mr Grubb.
Mr Grubb argued that he had a right to access his mobile network data because it was personal information. He took the matter to the Privacy Commission, which in 2015 held that mobile network data was personal information. However, the Administrative Appeals Tribunal (AAT) overturned this decision. The AAT also discussed whether an IP address can be considered personal information under the Privacy Act. This article looks at whether IP addresses are personal information.
Is an IP Address Personal Information?
The Deputy President of the AAT discussed on Telstra’s appeal whether an IP address is personal information. The Deputy President stated that an IP address is a kind of information about the means by which data is transmitted over the internet, but it is not, in itself ‘personal information’. The IP address is linked to a particular mobile device at a specific time but is not necessarily connected to a specific person. Even though the device may have only one owner, we can never be certain as to who is using a device at any given time. Accordingly, the Deputy President noted that the IP address of a device may change over time because a particular device is not allocated the same IP address for its whole working life.
The Australian Law Reform Commission (ALRC) had also considered this issue when it looked at the definition of personal information (Discussion Paper 72, Review of Australian Privacy Law). The ALRC suggested that simple contact information, such as a street or postal address, a telephone number, or an IP address, does not and should not, fall within the proposed definition of ‘personal information’.
The Australian Communications and Media Authority
The Australian Communications and Media Authority (ACMA) has also considered whether an IP address should be personal information. The ACMA made submissions to the ALRC to the effect that while IP addresses uniquely identify computers connected to the internet, the address relates to a computer or other device. It is not linked to an individual and cannot alone identify the individual who is using the machine.
ACMA and other commentators have noted that while we cannot determine an individual user’s identity from an IP address alone, it is possible to ascertain someone’s identity with a reasonably high degree of certainty by connecting the IP address with other information the Internet service provider holds. For example, it is possible to collate information about my address, telecommunications package, phone number and IP address, and if I live alone, it is likely that this information does relate to me personally.
What Happens if an IP Address is Considered Personal Information?
The AAT’s Deputy President held that IP addresses are a means by which data is transmitted over the internet, but is not in itself ‘personal information’.
If IP addresses are seen to be ‘personal information’ under the Privacy Act, then the Privacy Act obligations and protections would apply to them, and affect the ability of entities to share IP address information with international authorities in the course of criminal investigations and enforcement actions.
If mobile network data or IP addresses are considered to be personal information, then the Privacy Act would apply to mobile network data information and IP addresses. If that were the case, a suite of new laws would apply, in addition to the existing telecommunications and information technology regulatory framework in Australia.
Organisations collect huge volumes of information and data about individuals, for the purpose of including it in a larger data set for analysis and making business decisions. For example, information about consumer food shopping is relevant to many retail business decisions including product placement, packaging and pricing. This information is de-identified to remove any personal information.
Businesses that collect and store IP address information are not, by law, required to collate, save and use it according to the Privacy Act requirements. The exemption of IP addresses from the definition of personal information also means that businesses are not required to answer requests for access to the information from consumers.
The current definition of personal information in the Privacy Act is information that is “about an individual”. Other countries and Australian regulators are increasingly aware of both:
- Widespread collection of information online and in the telecommunications industry; and
- The ability to determine with reasonable certainty, which person the information relates to.
The Office of the Privacy Commissioner, the ALRC and other industry bodies recognise that the scope of the definition of “personal information” is changing. The ALRC suggests that we need guidance on how the definition applies in different contexts, including information technology and telecommunications industries.