In Australia, our information privacy rights turn on the threshold definition of ‘personal information’. If data meets the definition of ‘personal information’, there will be privacy obligations attached to it; otherwise, all bets are off.
The components of the definition include that the information must be ‘about an individual’, and that the individual must be ‘identified … or … reasonably identifiable’. This identifiability test boils down to: is an individual reasonable identifiable from the information at issue?
But what our statutory definition doesn’t make clear is: identifiable by whom? In other words – is identifiability to be assessed from the perspective of the organisation holding or disclosing the data? Or from the perspective of a third party who is receiving or has access to the data?
It’s a similar story in other jurisdictions, including Europe, where a recent Court of Justice of the European Union (CJEU) case has answered the question.
The ultimate conclusion reached by the CJEU is this. With reference to assessing compliance with privacy principles, identifiability – and thus, the question of whether or not data constitutes ‘personal data’ (the European term) which attracts legal obligations and protections – is to be assessed from the perspective of the entity handling the data at that time.
So, a disclosing entity must comply with all its disclosure (and pre-disclosure) privacy obligations if the data is identifiable to them; and a recipient entity must comply with all its collection (and post-collection) privacy obligations if the data is identifiable to them.
Even if a piece of data is not identifiable to the recipient, the disclosing entity’s legal obligations will apply in full, if the disclosing entity knows who the data relates to.
This means that you can’t disclose personal information simply because the recipient won’t know who the data relates to.
Let me give you a hypothetical scenario to illustrate this point, applying it to entities regulated under the Australian Privacy Act.
Company A holds clearly identified customer data. For example, their records show that Jane Smith, born 14 July 1985, holds a home and contents insurance policy with Company A. This is clearly ‘personal information’ about Jane.
Company A wants to disclose information about Jane to Company B.
Company A wants to minimise privacy risk to Jane, and it also wants to comply with its data security obligations under APP 11. So Company A decides to pseudonymise its records to offer a degree of privacy protection to the data in transit, and perhaps also for once the data reaches Company B. Using the pseudonymisation technique known as SLK 581, Company A refers to Jane not by her name, but by a unique code, when it prepares the data for disclosure to Company B. Company A tells Company B that customer MIHAN140719852 has a home and contents insurance policy.
If we were to apply the CJEU’s line of thinking here, then regardless of whether Company B can figure out Jane’s identity from that code (whether or not they use that code in combination with any other data), Company A’s obligations have not changed, simply because they coded the data. The data remains ‘personal information’ in the eyes of Company A, because they know it is about Jane, even if Company B doesn’t.
Company A must therefore:
- ensure that the disclosure of the personal information to Company B has lawful authority to proceed under APP 6, and
- give Jane a collection notice as per APP 5 at the time of collecting the data from her, to let her know that they intend to disclose her data to Company B.
Does Company A have lawful authority to disclose personal information to Company B? It will depend of course on the circumstances. Maybe they have consent from Jane, or maybe they can meet a different test under APP 6 (such as: the disclosure is for a directly related secondary purpose to the purpose for which Company A originally collected it, and this disclosure is within Jane’s reasonable expectations). Or perhaps the disclosure meets one of the exemptions in s.16A.
But – following the CJEU’s logic – if Company A couldn’t disclose Jane’s name to Company B without breaching APP 6, then it wouldn’t be able to disclose the coded data either. In other words: pseudonymising data is not a ‘get out of jail free’ card to magically allow disclosures to occur, if they would not otherwise be authorised. It’s a useful strategy for complying with APP 11 (data security), but not for complying with APP 6 (use and disclosure).
In Europe, this case may yet represent the death-knell of some AdTech and data brokering services, and other business activities which rely on a ‘don’t worry it’s de-identified’ strategy to side-step legal obligations.
Will this case have the same impact here?
It’s harder to tell, because interestingly the OAIC took a different approach in the I-MED case.
There the OAIC applied the identifiability test from the perspective not of the discloser, but of the recipient. I-MED had argued that the data they disclosed was not ‘personal information’ once they had applied de-identification techniques to it, and therefore they did not need to comply with the APP 6 prohibition on disclosure. In order to determine whether or not the data disclosed was ‘personal information’, the OAIC effectively stood in the shoes of the recipient, to determine whether the recipient organisation could reasonably identify any of I-MED’s patients from the dataset it received.
This interpretation matters, given the stated intention of the OAIC to focus regulatory attention on “sectors and technologies that compromise rights and create power and information imbalances” including the data brokerage sector.
One of the issues highlighted in the 2024 Singled Out report from the Consumer Policy Research Centre and Dr Katharine Kemp is the legal argument being made when data is shared by two or more businesses via a ‘middleman’ data linkage service, data broker or data ‘clean room’. A legitimate question is: if the middleman can’t identify an individual, but the two or more businesses either side can, are these data transactions regulated under the Privacy Act?
Putting this another way: can two or more businesses lawfully disclose and collect information about their known, identifiable customers via a middleman who deals in pseudonymised versions of their data, if the relevant privacy principles would prohibit them from swapping the same data with each other directly?
We know that in Europe the answer would be ‘no’, because the CJEU has said that identifiability is in the eye of the discloser, not the beholder. It remains to be seen if the OAIC or Australian courts will follow suit if directly tested – or if the Australian Government will step in to tighten up this aspect of the law, as part of its long-promised Tranche 2 reforms to the Privacy Act.
Photograph by Oscar Keys on Unsplash
