The judgment of the Federal Court of Australia, in Privacy Commissioner v Telstra Corporation Pty Ltd, that key metadata is not “personal information” is “disastrous for ordinary Australians and misunderstands how a digital footprint identifies person”, the Australian Privacy Foundation said today.
This decision will severely impair the Privacy Commissioner in regulating privacy on line.
In what may be the most important Australian privacy decision to date, the Federal Court has effectively gutted the Privacy Act.
The judgment means that a person’s internet browsing history (URL addresses visited), assigned IP addresses, and geo-location (cell tower) data is not personal information because it did not identify that person’s name or telephone number. The reality however is that those pieces of information taken together do identify a person.
The judgment effectively introduces a new hurdle in determining whether personal information is protected by requiring a person to be the subject matter of each piece of information. This
very narrow reading ignores how data matching and data linking works, permitting a person to be identified from pieces of information each of which does not necessarily specifically refer to
him or her.
“The approach taken by the Federal Court ignores the effect of significant technological developments in data matching and linking. It is an analog decision for a digital age. The decision leaves Australia with one of the weakest and least effective privacy protections in the Western World” said Jake Goldenfein, board member of the Australian Privacy Foundation. Dr Goldenfein said that the approach taken by the Court ignores overseas court decisions which have identified and recognised the reality of linking different items of digital information which has the effect of identify
ing a person.
Dr Goldenfein said today’s judgement was a bad day for privacy protection in Australia. This data is very valuable to security and law enforcement but there are now no protections for
ordinary citizens as to the use of such data.
“This judgment has rendered Australia an outlier in the protection of privacy on line” said Mr Goldenfein. “It reduces the protections ordinary Australians should expect and have. It is a
boon for organisations to collect vast amounts of information about individuals but not be accountable to the regulator for it.”
The Australian Privacy Foundation called on the Commonwealth Government to amend the Privacy Act to fix the damage the Federal Court judgement may cause without delay.
This case began when in 2013 Ben Grubb, then a reporter with the Fairfax press, sought metadata information regarding his mobile phone held by Telstra Corporation. Telstra refused to provide it to him claiming it was not personal information. He complained to the Privacy Commissioner who held that the metadata was personal information. Telstra successfully appealed that decision in the Administrative Appeals Tribunal in 2015. In 2016 the Privacy Commissioner appealed that decision to the Full Bench of the Federal Court.
The Australian Privacy Foundation, together with the New South Wales Council for Civil Liberties, applied to be heard as an amicus curiae, a friend of the court.