Data Must Be “About A Person” To Be Personal
Grubb v. Tesltra – Journalist Ben Grubb filed a Subject Access Request (SAR) with his telecom provider Telstra. He had requested metadata be included in the request. Telstra declined to share Network Metadata (e.g., IMSI, IP address, URLs, Cell Tower Locations) on the grounds it was not personal. It also declined to share metadata on incoming calls arguing it constituted the personal information of others, and would have an unreasonable impact upon the privacy of those other individuals. In both cases, Telstra advised that a subpoena would be required for the requested information.
Privacy Commissioner Timothy Pilgrim issued an opinion that metadata was ‘personal’ and must be disclosed as part of a SAR.
Commissioner Pilgrim determined although an identity was not apparent, an identity could be reasonably ascertained from Network Metadata. The fact that Telstra currently had processes in place to identify individuals based on this data confirmed the reasonableness analysis. Telstra was thus obligated to disclose this Network Metadata to the complainant as part of the SAR.
Incoming Call Metadata
Telstra appealed, arguing that even if the data could be linked to a person, the ephemeral nature of the data made it very difficult to use for (re)identification purposes.
The Administrative Appeals Tribunal (AAT) declined to declined to engage in a discussion of reasonableness or difficulty of (re)identification, and instead framed the issue in terms of whether data was ‘about a person’ in the first place. The AAT determined the metadata in question was data about the connections between devices and about the services provided Mr. Grubb, rather than data about Mr. Grubb.
Commissioner Pilgrim appealed.
The Federal Court affirmed the AAT finding. While the court conceded information could become ‘about a person’ when combined, there had to be a nexus to the person for any individual piece of data to be ‘personal.’ Such a determination required a case-by-case analysis. In this case the analysis revealed the data was not about Mr. Grubb, thus not personal.
“The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy. Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not “about an individual” it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion … (f)or example, although information was provided to Mr Grubb about the colour of his mobile phone and his network type (3G), we do not consider that that information, by itself or together with other information, was about him.”
jbho: It appears Commissioner Pilgrim will not appeal the ruling, taking solace in the admission that combinations of data can be personal. https://www.oaic.gov.au/media-and-speeches/statements/privacy-commissioner-v-telstra-corporation-limited-federal-court-decision.
Other interesting developments down under: