Federal Court narrows the scope of the phrase “personal information”
- Ben Grubb had requested information about himself and his browsing history from Telstra. Telstra had refused to supply it.
- The Privacy Principles that relate to personal information say that any person has the right to access what personal information about them is stored by organisations such as Telstra, so they can know what information is stored and correct any inaccurate information.
3.“Personal information” is generally defined as whether or not a person is identified or identifiable by the data. The wording of the relevant law is that it covers information “about an individual whose identity is apparent, or can be reasonably ascertained, from theinformation.”
4.The Court clarified the “personal information” definition. Focusing on the word “about”, the Court decided that data would only be classed as personal if it was directly about the person concerned, and it would not be classed as personal information if someone could only be identified by it being linked and put together with other data. Data such as your IP address, URLs of websites you have visited and your geolocation data are therefore not protected by our data privacy laws, because you are not personally the subject of them – even though this kind of information can identify you, because it can be linked with things such as customer data that identifies you as the owner of that IP address on your computer or phone.
5.The Court’s reason for the decision focused on the part of the law that said the information needed to be “about” a person – this is why it did not include information that could be used to identify a person even though it wasn’t technically about them. The Court noted that information could become about a person if it was combined with other information, but this was not included in the meaning of the section.
6.Media reports on the case referred to privacy laws being “gutted” by it, because failing to take into account data-linking and cross-referencing gives us the weakest data privacy laws in the Western world.
7.The definition given is out-of-step with recent international decisions – such as the case of Patrick Brever v Germany, in which data was defined as personal if it could become personal information when linked with other data. The wording of the law in that case was similar to the wording in the Australian case, except for the fact that it referred to the individual being directly or “indirectly” identifiable – so the court in that case decided it was necessary to take into account how likely or possible it was for data to be matched.