On 19.01.2017, in the case of Privacy Commissioner v Telstra Corporation Limited – [2017] FCAFC 4 – the Australian Supreme Court has interpreted the definition of “personal
information” in the National Privacy Principles (“NPP”) by requiring “personal information” to be “about the individual”. The NPP were set out in the Privacy Act 1988 (Cth) (“Privacy
Act”), and regulated how certain private organisations can handle, use and manage personal information. The NPP have since been replaced by the Australian Privacy Principles (APP). The use of the legal test to determine what amounts to “personal information” potentially has the impact of excluding “metadata” held by private
organisations as information that could be protected by the APP.
The Privacy Commission v Telstra case commenced with a request by a journalist to access information held about him by his telecommunications provider Telstra. According
to NPP 6.1, which was used by the journalist as the basis for his request to access the information, individuals have the right to access, and correct their personal information
held by private organisations. Part of the reason for the journalist’s request was to demonstrate an individual’s capacity to access personal information in comparison to, e.g.
governmental private organisations.
Telstra denied the journalist’s request partially; it did not provide information relating to mobile phone network data (IP addresses, uniform resource locator information,
information on cell tower locations, and inbound call numbers and location information). Telstra was of the opinion that it did not have an obligation to disclose this information
because it was not “about the individual”, and therefore, did not qualify as “personal information” according to the NPP.
The Supreme Court agreed with Telstra’s argument. According to the Court’s definition of “personal information” in the Privacy Act it is required that the information is “about the
relevant applicant” and that “the applicant’s identity is apparent or could reasonably be ascertained from the information”. The Court points out that not all information which is
held by an organisation and from which the identity of an applicant is apparent or could reasonably be ascertained qualifies as information “about” the applicant. Rather, the Court stated that the information requested needs to have the individual as its subject matter.
Although, the case discusses metadata, the Court did not explore the issue of whether metadata is covered by the definition of “personal information”. Rather, the Court focussed
on whether the information was “about an individual”. However, by requiring the information to have the individual as its subject matter, the Court limited the possibility of metadata to be considered “personal information”. Thereby, the Court ignores the possibility, for example, of data linking and data matching of information held by an entity, which may allow the identity of an individual to be ascertained, despite the information’s subject matter.
The judgment of the Australian Supreme Court from 19.01.2017 – [2017] FCAFC 4 – is available at:
http://www.judgments.fedcourt.gov.au/judgments/Judgments/fca/full/2017/2017fca
fc0004
Author Kristine Biason, lawyer at Legal Vision in Surry Hills, New South Wales/Australia
priminarily published in the EMR-Newsletter 05/2017