We need to talk about Ben.
Specifically, about Ben Grubb, the tech journo who triggered an ongoing legal case, the resolution of which might yet either reinforce or undermine Australia’s privacy laws. (We’ll get onto Stephanie and her troublesome car shortly.)
Actually, we really need to talk about the word ‘about’ – what it means for information to be ‘about’ Ben. Because it is that one little word – about – which has caused such a ruckus.
When is information ‘about’ Ben, and when is it ‘about’ a device or a network?
First, the background. When the Australian Government was preparing in 2013 to introduce mandatory data retention laws, to require telcos to keep ‘metadata’ on their customers for two years in case law enforcement types needed it later, Ben Grubb was curious as to what metadata, such as the geolocation data collected from mobile phones, would actually show. He wanted to replicate the efforts of a German politician, to illustrate the power of geolocation data to reveal insights into not only our movements, but our behaviour, intimate relationships, health concerns or political interests.
While much fun was had replaying the video of the Attorney General’s laughable attempt to explain what metadata actually is, Ben also worked on a seemingly simple premise: “the government can access my Telstra metadata, so why can’t I?”
Exercising his rights under what was then NPP 6.1, Ben sought access from his mobile phone service provider, Telstra, for his personal information – namely, “all the metadata information Telstra has stored about my mobile phone service (04…)”.
At the time of his request, the definition of ‘personal information’ was “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”.
(Since then, the definition of ‘personal information’ has changed slightly, NPP 6.1 has been replaced by APP 12, and the metadata laws have been passed, including a provision that metadata is to be considered ‘personal information’ under the Privacy Act. Nonetheless, this case has ramifications even under the updated laws.)
Telstra refused access to various sets of information, including location data, on the basis that it was not ‘personal information’ subject to NPP 6.1. Ben lodged a complaint with the Australian Privacy Commissioner. While the complaint was ongoing, Telstra handed over a folder of billing information, outgoing call records, and the cell tower location information for Ben’s mobile phone at the time when Ben had originated a call, which is data kept in its billing systems.
What was not provided, and what Telstra continued to argue was not ‘personal information’ and thus need not be provided, included ‘network data’. Telstra argued that this geolocation data – the longitude and latitude of mobile phone towers connected to the customer’s phone at any given time, whether the customer is making a call or not – was not ‘personal information’ about a customer, because on its face the data was anonymous.
The Privacy Commissioner ruled against Telstra on that point in May 2015, finding that a customer’s identity could be linked back to the geolocation data by a process of cross-matching different datasets. Privacy Commissioner Timothy Pilgrim made a determination which found that data which “may” link data to an individual, even if it requires some “cross matching … with other data” in order to do so, is “information … about an individual”, whose identity is ascertainable, meaning “able to be found out by trial, examination or experiment”. The Privacy Commissioner ordered that Telstra hand over the remaining cell tower location information.
Telstra appealed the Privacy Commissioner’s determination, and in December 2015 the Administrative Appeals Tribunal (AAT) found in Telstra’s favour. Now here is where it gets interesting.
We knew that the case would turn on how the definition of ‘personal information’ should be interpreted, and I for one expected that the argument would centre on whether or not Ben was ‘identifiable’ from the network data, including how much cross-matching with other systems or data could be expected to be encompassed within the term ‘can reasonably be ascertained’.
And at first, that looked like how the case was going. The AAT judgment goes into great detail about precisely what data fields are in each of Telstra’s different systems, and what effort is required to link or match them up, and how many people within Telstra have the technical expertise to even do that, and how difficult it might be. But then – nothing. Despite both parties making their arguments on the topic of identifiability, the AAT drew no solid conclusion about whether or not Ben was actually identifiable from the network data in question.
Instead, the AAT veered off-course, into questioning whether the information was even ‘about’ Ben at all. Using the analogy of her own history of car repairs, Deputy President Stephanie Forgie stated:
“A link could be made between the service records and the record kept at reception or other records showing my name and the time at which I had taken the care (sic) in for service. The fact that the information can be traced back to me from the service records or the order form does not, however, change the nature of the information. It is information about the car … or the repairs but not about me”.
The AAT therefore concluded that mobile network data was about connections between mobile devices, rather than “about an individual”, notwithstanding that a known individual triggered the call or data session which caused the connection. Ms Forgie stated:
“Once his call or message was transmitted from the first cell that received it from his mobile device, the data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb but not about him”.
Well. That was a curve ball I did not see coming.
This interpretation seems to conflate object with subject, by suggesting that the primary purpose for which a record was generated is the sole point of reference when determining what that record is ‘about’. In other words, the AAT judgment appears to say that what the information is for also dictates what the information is about.
In my view, this interpretation of ‘about’ is ridiculous. Why can’t information be generated for one reason, but include information ‘about’ something or someone else as well? Why can’t information be ‘about’ both a person and a thing? Or even more than one person and more than one thing?
Even car repair records, which certainly have been created for the primary purpose of dealing with a car rather than a human being, will have information about the car owner. At the very least, the following information might be gleaned from a car repair record: “Jane Citizen, of 10 Smith St Smithfield, tel 0412 123 456, owns a green Holden Commodore rego number ABC 123”.
If we accept the AAT’s view that the car repair record has no information ‘about’ Jane Citizen, then Jane has no privacy rights in relation to that information, and the car repairer has no privacy responsibilities either. If Jane’s home address was disclosed by the car repairer to Jane’s violent ex-husband, she would have no redress. If the car repairer failed to secure their records against loss, and Jane’s rare and valuable car was stolen from her garage as a result, Jane would have no cause for complaint. Jane won’t even have the right to access the information held by the car repairer, to check that it is correct.
How far could you take this argument? Could banks start arguing that their records are only ‘about’ transactions, not the people sending or receiving money as part of those transactions? Could hospitals claim that medical records are ‘about’ clinical procedures, not their patients? Could retailers claim their loyalty program records are ‘about’ products purchased, not the people making those purchases?
Surely, this is not what Parliament intended in 1988 when our privacy laws were first drafted – or indeed, when they were updated in 2014, when the amendments were claimed to bring Australia’s privacy protection framework into the modern era.
In this era of Big Data, it is the digital breadcrumbs left behind in operational or transactional systems which can yield the business insights with the most value – and are thus in need of privacy protection.
The Privacy Commissioner is appealing the AAT’s decision to the Federal Court. I can only hope the Federal Court can see that information created for an operational purpose might also contain both deliberate and incidental information ‘about’ individuals – individuals who expect their privacy to be protected, no matter how or why the records were created in the first place.
The alternative is to let Stephanie’s broken-down car throw a major spanner in the works of privacy protection in Australia.