Commentary
Personal information
- This decision supports the argument that an IP address does not constitute personal information because it is not ‘about’ a person but the device used to connect to the internet. It follows other cases on this position including, in Victoria, GMW v Victoria Legal Aid [2022] VCAT 992 (see case note), and, at the Commonwealth level, Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991.
- While neither State nor Commonwealth privacy legislation generally recognises an IP address, in isolation, as personal information, there are other laws that designate telecommunications metadata as personal information in specific contexts (e.g., s 187LA of the Telecommunications (Interception and Access) Act 1979 (Cth.)). This decision also recognises that a dataset containing IP addresses amongst other identifying details could, when taken together, be considered personal information, depending on the circumstances.
- It is anticipated that reforms to the Commonwealth Privacy Act will clarify that certain types of metadata are considered personal information. It is also anticipated that the reforms will include an expanded definition of ‘personal information’ in line with the European Union’s approach, whereby information merely must ‘relate to’ an individual, rather than be ‘about’ them. In the interim, the treatment of metadata in relation to privacy laws is an area requiring caution.
Costs
- In this decision, VCAT was critical of Mr Ellis’ motivation to bring the complaint stating: “It is unclear what [Mr Ellis’] motivation [was] to self-engineer a set of circumstances for the purposes of bringing this litigation. However… [t]his has caused [OVIC] to invest the time of its staff and expenses of engaging solicitors and counsel. Thus, resources that might have been used for the protection of the community were diverted to the defence of this complaint.” Accordingly, VCAT indicated that OVIC could seek an adverse cost order.
Facts and decision
- Mr Ellis accessed OVIC’s website multiple times over the course of a month. During this time, OVIC recorded various metadata about his visits, including his IP address, cookie-based identifier, date and time of access, browser details, operating system details, screen resolution, and action (e.g., document downloaded or viewed).
Allegation
- Mr Ellis claimed that OVIC interfered with IPP 1.1, 1.2, 1.3, and 1.4 when it collected this metadata, as well as IPP 4.1 because it failed to secure this metadata. The decision primarily turned on whether the IP address was ‘personal information’ as, if it was, coupled with the other metadata, it would describe Mr Ellis’ interactions with OVIC’s website.
Submissions
- Mr Ellis contended that the IP address was personal information as his identity was ‘reasonably ascertainable’ from it because:
  - Mr Ellis had configured his computer so that he had a static (as opposed to dynamic) IP address, meaning that it would not be altered over time and would remain consistent over multiple browsing sessions.
  - Mr Ellis owned the IP address, as it was licensed from his internet service provider (ISP) to his company, of which he was the sole director and shareholder.
- Mr Ellis also drew VCAT’s attention to a number of other decisions dealing with IP addresses, contending that they demonstrated that “the tide of legal opinion has moved or is moving towards” a finding that IP addresses are personal information.
- OVIC contended that the IP address was not personal information as his identity was not ‘reasonably ascertainable’ from it because:
  - The IP address was not owned by Mr Ellis, IP addresses being community resources given the way they are licensed. In this instance, the IP address was assigned to Mr Ellis’ device by his ISP; this IP address was delegated to the ISP by a registration body known as the Asia Pacific Internet Address registration.
  - OVIC had no way of knowing or ascertaining that Mr Ellis had fixed his IP address or that the IP address belonged to his company unless either Mr Ellis told them or it was disclosed to them by the ISP.
  - After Mr Ellis had told OVIC his IP address, it was possible for OVIC to link the IP address to its records; however, OVIC had not done so as it was contrary to its policy to do so.
Decision
- VCAT held that there was no breach of the IPPs as it was not satisfied that the IP address was personal information.
- VCAT highlighted that the first question as to whether information is personal information is whether it is ‘about’ a person, following the approach espoused in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991. Similar to that decision, VCAT held that the IP address in this case was not ‘about’ Mr Ellis, but rather identified the device used to access OVIC’s website. The function and purpose of an IP address do not differ just because the IP address is static or dynamic.
- VCAT then went on to consider, even if the IP address was ‘about’ Mr Ellis, whether his identity was ‘reasonably ascertainable’ and highlighted:
  - Mr Ellis’ argument that he was the owner of the IP address was flawed, as it attempted to do away with the issue that the company was a separate legal entity from himself. Further, VCAT accepted OVIC’s position that IP addresses are community resources.
  - OVIC had no means of knowing who had been operating the device that the IP address was assigned to, until Mr Ellis had told them.
  - An IP address is a useful tool in identifying possible users, but it is only a fragment of the information that is needed to provide identity.
About this decision
Venue: VCAT
Date of decision: 23/09/2024