Freelancer International Pty Ltd and Australian Information Commissioner

Freelancer International Pty Ltd and Australian Information Commissioner [2017] AATA 2426 (30 November 2017)

Division:FREEDOM OF INFORMATION DIVISION

File Number(s):       2016/0206

Re: Freelancer International Pty Ltd

APPLICANT

Australian Information Commissioner And  

RESPONDENT

Decision

Tribunal:Mr P W Taylor SC, Senior Member

Date:30 November 2017

Place:Sydney

The decision under review is set aside.  In substitution for that decision I make a determination that the 9 July 2013 complaint is substantiated.  I declare that Freelancer’s conduct in making the August 2012 disclosures constituted an interference with Mr Szczepanski’s privacy, and that Freelancer should not repeat or continue such conduct.  I declare that it would be inappropriate for any further action to be taken in the matter.

............................[sgd]............................................

Mr P W Taylor SC, Senior Member

Catchwords

PRIVACY - whether there was a breach of the National Privacy Principles – breach of National Privacy Principle 2.1 in August 2012 – no other breaches occurred – determination set aside

Legislation

Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth)

Privacy and Personal Information Protection Act 1998 (NSW) ss 4, 8, 9, 18
Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth) s 29
Privacy Act 1988 (Cth) ss 6, 6A, 6C, 13A, 16A, 16B, 36, 40, 41, 42, 43, 43A, 50, 51, 52, 55A, 61, 96, Sch 1, Sch 3, Sch 6

Administrative Appeals Tribunal Act 1975 (Cth) ss 2A, 33(1), 33(1AA), 33(1AB)

Cases

Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4

Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991
Lobo and Department of Immigration and Citizenship (2011) 124 ALD 238
ZR v Department of Education and Training (GD) [2010] NSWADTAP 75
Twining v Curtis [2009] ACTSC 106
OA v New South Wales Department of Housing (No 2) [2006] NSWADT 94 
OA v New South Wales Department of Housing [2005] NSWADT 233
WL v La Trobe University [2005] VCAT 2592
Seven Network (Operations) Limited v Media Entertainment and Arts Alliance [2004] FCA 637
MT v Director General, NSW Department of Education & Training [2004] NSWADT 194
KD v Registrar NSW Medical Board [2004] NSWADT 5
Vice-Chancellor, Macquarie University v FM (GD) [2003] NSWADTAP 43
Bailey v Hinch [1989] VicRp 9; [1989] VR 78

Gale v New [1937] 4 All ER 645

Secondary Materials

Australian Law Reform Commission - Report No (2008)

REASONS FOR DECISION

Mr P W Taylor SC, Senior Member

1. Freelancer operates a website marketplace for service projects.  The services involved range from clerical and administrative functions through to highly skilled activities in the disciplines of computer science, information technology, engineering, accounting and law.   The website is accessible only to registered users, who are categorised as either project “employers” / “hirers” or “users” / “freelancers” / “(freelance) workers”.  Registered users include both organisations and individuals.  Freelancer claims that its registered users are located all over the world and number in the millions.

2. Users register online at the freelancer.com website.  Prospective registrants must provide at least a name, email address and a unique “username”.  Registrants may also provide their geographical address, phone number and payment account details but, in many instances details of those kinds, particularly payment account details, are added during the course of transactions they subsequently conduct in the market place.

3. Use of the Freelancer site is conditional on a registrant’s acceptance of Freelancer’s User Agreement.  The Agreement specifically informs registrants that Freelancer has discretion to close or suspend user’s accounts, or restrict site access where it considers they have engaged in “fraudulent, immoral or illegal” activities, or activities contrary to the User Agreement.  (Relevant to the present matter Freelancer asserted the User Agreement prohibited the use of multiple registrations and usernames.  That assertion was complemented by clause 7.1 of the January 2011 version of the Agreement.  It provided that users agreed to provide “true, accurate and complete information” when they undertook their registration process.  Clause 10.6 of the March 2012 version of the User Agreement contained an explicit prohibition on the creation and use of multiple accounts.)

4. The Freelancer website stipulated that the site was merely a market venue and that the only contractual parties to a service project transaction were the respective “employers” / “hirers”, on the one hand, and “users” / “freelancers” / “freelance workers”, on the other.  (This stipulation implicitly assumed that users could not purport to contract projects between their own accounts.  Such a prohibition was made explicit in the March 2012 version of the User Agreement.)  Another aspect of the User Agreement required users to negotiate all fees, and make and receive all project payments, “directly through the mechanisms available on the (web)site”.  Those mechanisms permitted registered users to make and receive payments via Paypal and payment card accounts.  Access to them was subject to various security verification procedures, related to Freelancer’s own contractual obligations to users, the security standards imposed by payment service providers, and statutory obligations under the Anti-Money Laundering and Counter Terrorism Financing Act 2006 (Cth).  Freelancer reserved the right to suspend withdrawals from any user account where it suspected the source of the funds was fraudulent. 

   Mr Szczepanski’s Freelancer registrations

5. Mr Szczepanski first became a registered Freelancer user in November 2009.  By January 2011 he had established, or linked himself with, at least three other Freelancer accounts.  Two of those various other accounts he concededly registered in different names, by providing what he euphemistically called aliases and “dummy data”. 

6. In early March 2011, using one of these “dummy data” accounts, Mr Szczepanski advertised on the Freelancer website to purchase a Paypal account (i.e. an account in someone else’s name).  In March and April 2011 he purported to make various payments to and from one of the “dummy data” accounts.  But both the payment source and recipient accounts were in fact linked to Mr Szczepanski’s email address, and thus to his own Paypal account.  Those two events (the advertising to acquire a false account and the apparently circular payments) were contrary to the User Agreement and triggered Freelancer’s intervention.  Subsequent investigation resulted in the temporary suspension of both accounts, and Freelancer’s issue, in mid April 2011, of “please explain” enquiries to the registered users.  Mr Szczepanski’s response to the enquiry directed to him (as the November 2009 account user) provided an explanation, which he concedes was dishonest, and maintained the fiction of two separate individuals as the registered users.  Freelancer required Mr Szczepanski to provide specific photographic evidence of his own identity.  After he complied, Freelancer re-instated his November 2009 account.  (Mr Szczepanski did not respond to the “please explain” enquiry sent to the other “username”, and Freelancer terminated that account in June 2011.)

7. In March 2012 Mr Szczepanski returned funds to another Freelancer user account from which he had received a payment.  This activity resulted in Freelancer again temporarily suspending his account on 26 March 2012, and sending another “please explain” enquiry.  Mr Szczepanski gave another false explanation in response to this enquiry and, after a series of further communications, Freelancer re-instated his account on 28 or 29 March 2012:-  see paragraph 165 below.

8. Following that temporary suspension of his November 2009 account, Mr Szczepanski continued to use the account (he made 18 withdrawals in the next four months) but professed an increasing dissatisfaction with, and disapproval of, aspects of Freelancer’s business practices.  His numerous published criticisms were part of what he ultimately self-described as a “war” on Freelancer:-  see paragraph 86 below.  That contest led to, but did not end with, Freelancer’s termination of his account on 14 August 2012.

   The 2013 complaint and the 2015 Determination

9. On 9 July 2013, Mr Szczepanski lodged a written complaint with the Commissioner about Freelancer.  His complaint related to seven specific matters which he said involved the collection, misuse and disclosure of his personal information, in breach of various provisions of the National Privacy Principles (“NPP”):–  see paragraph 23 below.  Those matters were:-

   (a)the unnecessary collection of “internet protocol (“IP”) addresses he asserted were “his” personal information

   (b)collecting his personal information unfairly and / or in an unreasonably intrusive way by freezing his user account until he provided photographic identification

   (c)not taking reasonable steps to ensure he was aware of the matters required by NPP 1.3 (broadly speaking, the purposes for the information was collected)

   (d)misusing his personal information by identifying him through his use of a number of accounts, in a way unrelated to the primary collection purpose

   (e)disclosing his personal information online  (This involved 14 separate instances of alleged disclosure.)

   (f)disclosing his personal information to Freelancer’s overseas legal representatives

   (g)not taking reasonable steps to destroy his personal information after Freelancer closed his accounts.

10. On 18 December 2015, the Commissioner published a 97 page “Determination and reasons for determination”.  In that document the Commissioner rejected many of Mr Szczepanski’s assertions but found that Freelancer had breached the NPP in the following four respects:-

    (a)NPP 1.3:-  the collection of Mr Szczepanski’s IP address without taking reasonable steps to ensure he was aware of the purposes of the collection

    (b)NPP 2.1-  the 13 and 14 August 2012 disclosure of Mr Szczepanski‘s name, in comments posted on edits of Freelancer’s Wikipedia page entry

    (c)NPP 2.1:-  the 15 October 2012 disclosure of names, and pseudonyms, in comments posted on the “R2L” blog (a third party blog site)

    (d)NPP 2.1-  the 19 January 2013 disclosure of Mr Szczepanski‘s name, in further edit comments posted on Freelancer’s Wikipedia page entry.

11. In determining Mr Szczepanski’s complaint the Commissioner’s December 2015 document formally recorded the following declarations:- 

    391. I declare in accordance with s 52(l)(b)(i)(B) of the Privacy Act that the complainant's complaint is substantiated in part. I declare that Freelancer has breached NPP 1.3 by providing the complainant with no or insufficient notice about its collection of his IP address information. I further declare that Freelancer has breached NPP 2.1 by improperly disclosing personal information about the complainant on publicly accessible websites.

    392. The complainant has not sought a declaration by me that Freelancer issue an apology for the distress caused to him by its actions in this matter. Nonetheless Freelancer has in my view demonstrated a reckless indifference to the privacy rights of the complainant. In my view, an apology is warranted and appropriate.

    393. I therefore declare, in accordance with s 52(l)(b)(ii) of the Privacy Act that Freelancer must issue a written apology to the complainant within six weeks of this determination, acknowledging its interference with the complainant's privacy.

    394. I acknowledge that since the time of the privacy breaches Freelancer has undertaken a comprehensive review of the information handling policies made available on its website. In light of that review, I do not consider that any declaration is warranted in relation to its information handling policies.

    395. Nonetheless I am of the view that Freelancer must train its staff in accordance with its updated policies and procedures.  I therefore declare under s 52(l)(b)(ii) that Freelancer must have its staff undertake training in its updated information handling policies, and must confirm to me no later than six months from the date of this determination that this training has been completed.

    396. I declare in accordance with s 52(l)(b)(iii) that the complainant is entitled to $20,000 for the non-economic loss suffered as a result of Freelancer's interference with his privacy, comprised of:

    (a) $15,000 in general damages

    (b) $5,000 in aggravated damages.

    The review application

12. On 15 January 2016 Freelancer applied to the Tribunal to review the Commissioner’s decision.  Freelancer disputed the Commissioner’s

    (a)breach finding in relation to the collection of Mr Szczepanski’s IP address (see paragraph 28 below)

    (b)breach finding in relation to the 13 & 14 August 2012 disclosure of Mr Szczepanski’s various names:-  the “August disclosure” issues (see paragraphs 114 & 123 below)

    (c)breach finding in relation to the 15 October 2012 disclosure of Mr Szczepanski’s name(s):-  the “October disclosure” issue (see paragraphs 116 and 138 below)

    (d)breach finding in relation to the 19 January 2013 disclosure of Mr Szczepanski’s name(s):-  the “January disclosure” issue (see paragraphs 118 and 143 below)

    (e)damages declaration:-  the “damages” issue (see paragraph 0 below).

13. Mr Szczepanski took an active part in the review proceedings.  He sought to support the Commissioner’s findings and declarations, and to sustain aspects of his complaint the Commissioner had rejected.  He first identified those aspects in an undated document proffered in March / April 2012, then in his August 2016 Statement of Facts, Issues and Contentions, and finally in a “list of alleged breaches” I required him to provide in April 2017 at the beginning of the hearing.  In the last of those documents the additional contested matters were that the following aspects of Freelancer’s conduct involved NPP breaches:- 

    (a)making a number of disclosures additional to those that the Commissioner found involved breaches:-  the “other disclosure” issues (see paragraph 147 below)

    (b)failing to take reasonable steps to maintain the accuracy, completeness and currency of its collected personal information:-  the “data quality” issue (see paragraph 149 below)

    (c)making disclosures that were allegedly defamatory:-  the “out of jurisdiction” issue (see paragraph 154 below)

    (d)failing to take reasonable steps to delete personal information that was no longer required to be retained:-  the “data retention” issue (see paragraph 156 below)

    (e)misusing personal information:-  the “blackmail issue” (see paragraph 161 below).

14. The purpose of requiring Mr Szczepanski to provide the “list of alleged breaches” was to distil from his various previous, lengthy and somewhat discursive, complaint and contention statements a clear understanding of the matters he wanted to pursue.  Such a distillation was necessary to assist the Tribunal, in attempting to fulfil its statutory objective, and to assist the parties, in discharging their respective responsibilities:-  see Administrative Appeals Tribunal Act 1975 (Cth) ss 2A, 33(1), 33(1AA), 33(1AB).  Mr Szczepanski’s April 2017 list of alleged breaches did not include a number of his previously articulated assertions.  On one view, he had effectively abandoned them.  But some of them were the subject of cross examination, all of them were apparently addressed in various versions of the parties’ respective submissions, and at least Freelancer encouraged the Tribunal to deal with them.  For those reasons, and to avoid any controversy about the reality of any abandonment, I have also made findings in relation to those additional matters.  They involve Mr Szczepanski’s contentions that Freelancer had:

    (a)in April 2011, required him to provide photographic, and other, identification in an unfair or unreasonable way, and had failed to take reasonable steps to inform him about the reasons for requiring that identification verification:-  the “photographic ID issues” (see paragraph 165 below)

    (b)improperly used Mr Szczepanski’s IP address to identify his use of multiple Freelancer user accounts:-  the “IP misuse issue” (see paragraph 169 below)

    (c)on 13 August 2012 improperly attempted to disclose his personal information on Mr Szczepanski’s blog:-  the “blog disclosure attempt issue” (see paragraph 174 below)

    (d)on 16 August 2012, improperly disclosed personal information to Mr Szczepanski’s clients:-  the “clientele disclosure issue” (see paragraph 181 below).

    The pre March 2014 Legislative scheme

15. Subject to some (presently immaterial) qualifications, the Privacy Act 1988 (Cth) (“PrivAct 88”) required organisations to comply with the NPP:  see PrivAct 88 s 16A(2).  They were set out in PrivAct 88 Schedule 3.

16. The term “organisation” was defined to include a wide range of legally recognised entities.  (The definition excluded, amongst other things, small business operators, and government authorities:  PrivAct 88 s 6C.)  An organisation’s “act or practice” breached an NPP if it was inconsistent with the Principle:  Priv Act s 6A(1).  Such a breach “in relation to personal information that relates to the individual”, also constituted an interference with individual privacy[1]:-  PrivAct 88 s 13A(1)(b). 

    [1]Where the organisation was not bound by a privacy code the Commissioner had approved:- see Priv Act s 18BB)

17. The concepts of “personal information”, “collection”, a “record” and “holding a record” were critical to the scope of PrivAct 88 and the NPPs.  The term “personal information” had a defined meaning:-  see PrivAct 88 s 6.  It was in the following terms:-

    personal information means information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.

18. Prior to the amendments made by the Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth), (see paragraph 24 below) neither the concept of collection, nor that of holding a record, had a defined meaning.  But the (presently relevant) provisions of PrivAct 88 applied to the collection of personal information “only if the information is collected for inclusion in a record…”.  Similarly, those provisions applied to personal information that had been collected “only if the information is held … in a record”:-  see PrivAct 88 s 16B.

19. A “record” was (subject to presently immaterial exceptions) any document, database or pictorial image of a person.  But it did not include letters or other articles in the course of transmission by post:-  see PrivAct 88 s 6.

20. Individuals could make written complaints to the Commissioner about “an act or practice that may be an interference with the privacy of the individual” by a specified “respondent”:  PrivAct 88 s 36(1),(3)&(5)  If the complainant had previously complained to the “respondent”, or the Commissioner was satisfied that a prior complaint to the respondent was “not appropriate”, such a complaint conditionally obliged the Commissioner to investigate the “act or practice” involved:-  PrivAct 88 s 40(1), 40(1A), 49 - 50 and 51. The conditions (relevant to the present matter) included the Commissioner’s discretion not to investigate an act or practice if satisfied that (amongst other things) the complaint either (i) had been made more than 12 months after the complainant became aware of the conduct, or (ii) was frivolous, vexatious or lacking in substance:-  PrivAct 88 ss 41(1)(c)&(d).  For the purpose of determining whether any particular complaint either required or merited investigation, the Commissioner could make “preliminary enquiries”:-  PrivAct 88 s 42.

1. The Commissioner could conduct an investigation by making “such enquiries as he or she thinks fit”:  PrivAct 88 s 43(3) - after giving notice to the person to be investigated of “a matter to which a complaint relates”:  PrivAct 88 s 43(1).  A complainant or respondent could request the Commissioner to hold a hearing in relation to a complaint.  But the Commissioner had a general statutory discretion to proceed without a hearing:-  PrivAct 88 ss 43(4) & 43A(1).

2. Irrespective of whether or not the Commissioner conducted a hearing, after “investigating a complaint” the Commissioner could either make “a determination dismissing the complaint” or a finding that the complaint was substantiated.  In the latter event, the Commissioner could make a consequential determination.  A determination had to include a statement of any findings of fact upon which it was based:  PrivAct 88 s 52(2).  It could also include one or more specified kinds of declaration:  PrivAct 88 s 52(1).  The relevant Priv Act 88 provisions (as at July 2013) were in the following terms:

   52 Determination of the Commissioner

   (1)       After investigating a complaint, the Commissioner may:

   (a)       make a determination dismissing the complaint; or

   (b) find the complaint substantiated and make a determination that includes one or more of the following:

   (i) a declaration:

   (A) …

   (B) … that the respondent has engaged in conduct constituting an interference with the privacy of an individual and should not repeat or continue such conduct;

   (ii) a declaration that the respondent should perform any reasonable act or course of conduct to redress any loss or damage suffered by the complainant;

   (iii) a declaration that the complainant is entitled to a specified amount by way of compensation for any loss or damage suffered by reason of the act or practice the subject of the complaint;

   (iv) a declaration that it would be inappropriate for any further action to be taken in the matter.

   (1A) The loss or damage referred to in paragraph (1)(b) includes injury to the complainant’s feelings or humiliation suffered by the complainant.

3. A determination by the Commissioner was neither binding on, nor conclusive between, any of the parties to the determination:  PrivAct 88 s 52(1B).  A complainant could, however, bring proceedings (either in the Federal Court or the Federal Circuit Court) to enforce a determination:  Priv Act s 55A(1).  In addition, either party to a complaint could apply to this Tribunal to review any compensation declaration made by the Commissioner:-  PrivAct 88 s 61(1).

   The 2014 Legislative scheme

4. The Privacy Amendment (Enhancing Privacy Protection) Act 2012 (Cth) (“PrivAm 2012”) made numerous amendments to PrivAct 88.  One of those amendments changed the wording of PrivAct 88 ss 52(1)(b)(ii) from “should” to “must” - a wording change that was adopted in the Commissioner’s formal declarations:- see paragraph 11 above.  The more significant amendments replaced the National Privacy Principles with the Australian Privacy Principles (“APP”).  Other amendments involved various new or altered definitions.  These included substituting a definition of “collects” for the previous provision in PrivAct 88 s 16B, inserting a definition of “holds”, and amending the definitions of “personal information” and “record”:- see PrivAm 2012 s 3 & Schedule 1.  Those new and altered definitions were in the following terms:-

   collects: an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.

   holds: an entity holds personal information if the entity has possession or control of a record that contains the personal information.

   personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

   (a) whether the information or opinion is true or not; and

   (b) whether the information or opinion is recorded in a material form or not.

   record means:

   (a)  a document; or

   (b)  an electronic or other device

   but does not include:

   (d) a generally available publication; or

   …

   (h) letters or other articles in the course of transmission by post.

   Note: For document, see section 2B of the Acts Interpretation Act 1901.

5. Another relevant amendment was the introduction of the concept of a “permitted general situation”, in which an “APP entity” was conditionally permitted to collect, use or disclose “personal information”.  Those conditional permissions included situations where an entity had reason to suspect the prospect of unlawful activity or serious misconduct and the collection was reasonably believed to be necessary to take appropriate action in relation to the matter:-  PrivAct 88 s 16A

6. The PrivAm 2012 amendments also enlarged the review jurisdiction of this Tribunal.  Under the amended provisions either party could apply for the review of any determination made by the Commissioner under PrivAct 88 s 52(1):- see PrivAct 88 s 96.  That extended review jurisdiction applied to any determination made after 12 March 2014:-   see PrivAm 2012 s2 & Schedule 6, Parts 1 and 5.  Despite that enlarged review jurisdiction, the Commissioner (and hence this Tribunal) could deal with the July 2013 complaint as if the other PrivAct 88 amendments had not been made:-  see PrivAm 2012 s3 & Schedule 6, Part 7 cl 16.

   The National Privacy Principles - relevant provisions

7. The contents of the National Privacy Principles, to the extent they are relevant to the review of the December 2015 decision, were as follows:

   1 Collection

   1.1An organisation must not collect personal information unless the information is necessary for one or more of its functions or activities.

   1.2An organisation must collect personal information only by lawful and fair means and not in an unreasonably intrusive way.

   1.3 At or before the time (or, if that is not practicable, as soon as practicable after) an organisation collects personal information about an individual from the individual, the organisation must take reasonable steps to ensure that the individual is aware of:

   (a)       the identity of the organisation and how to contact it; and

   (b)       the fact that he or she is able to gain access to the information; and

   (c)       the purposes for which the information is collected; and

   (d) the organisations (or the types of organisations) to which the organisation usually discloses information of that kind; and

   (e)       any law that requires the particular information to be collected; and

   (f) the main consequences (if any) for the individual if all or part of the information is not provided.

   1.4 If it is reasonable and practicable to do so, an organisation must collect personal information about an individual only from that individual.

   1.5 If an organisation collects personal information about an individual from someone else, it must take reasonable steps to ensure that the individual is or has been made aware of the matters listed in subclause 1.3 except to the extent that making the individual aware of the matters would pose a serious threat to the life or health of any individual.

   2 Use and disclosure

   2.1 An organisation must not use or disclose personal information about an individual for a purpose (the secondary purpose) other than the primary purpose of collection unless:

   (a) both of the following apply:

   (i) the secondary purpose is related to the primary purpose of collection and, if the personal information is sensitive information, directly related to the primary purpose of collection;

   (ii) the individual would reasonably expect the organisation to use or disclose the information for the secondary purpose; or

   (b) the individual has consented to the use or disclosure; or

   (c) if the information is not sensitive information and the use of the information is for the secondary purpose of direct marketing:

   …. or

   (d)if the information is health information ….  or

   (e) …  necessary to lessen or prevent  

   (i) a serious and imminent threat …

   or

   (ea) … genetic information … obtained … in the course of providing a health service …. or

   (f) the organisation has reason to suspect that unlawful activity has been, is being or may be engaged in, and uses or discloses the personal information as a necessary part of its investigation of the matter or in reporting its concerns to relevant persons or authorities; or

   (g) the use or disclosure is required or authorised by or under law; or

   (h) the organisation reasonably believes … the use or disclosure is reasonably necessary (for specific purposes) …. by or on behalf of an enforcement body:

   3 Data quality

   An organisation must take reasonable steps to make sure that the personal information it collects, uses or discloses is accurate, complete and up-to-date.

   The IP address receipt and characterisation issue

8. In this section I consider the nature and purpose of an IP address, the typical circumstances of Freelancer’s receipt of IP addresses, whether or not that receipt constituted collection for the purposes of NPP 1.1, and whether those considerations merit the characterisation of an IP address as information “about” an individual for the purposes of the PrivAct 88 definition of “personal information”.

9. The technology involved in computer network communication (whether it be a mere visit to a website, the delivery or exchange of messages, or “logging on” to an account) requires the participating network interface devices to exchange their respective network addresses.  That exchange of network addresses, is automatically logged and recorded by the network interface devices.

10. There are recognised protocols for expressing the addresses of interface devices on public computer networks, and for the transmission of communications between those devices.  The most commonly used address protocol is Internet Protocol version 4 (“IPv4”).  An “IP address” in IPv4 format is typically a numerical label, containing a sequence of four sets of numbers (between 1 and 255) expressed in what is described as “dotted-decimal notation”.  (A less commonly encountered protocol version, known as IPv6, permits the use of both alpha and numeric characters in a longer “dotted-decimal” sequence.)  The IPv4 protocol format is remarkable - in the sense that there is no other similar “dotted-decimal” sequence commonly used to facilitate internet communications.

11. The following propositions apply in attempting to describe the nature, allocation and the exchange of IP addresses:-

    (a)any device participating in public computer network communications must be assigned an IP address

    (b)the IP address is that of the communicating network interface device rather than that of the actual originating / destination device, or the individual using that device.

    (c)public IP addresses are typically allocated by a user’s internet service provider (“ISP”) and that allocation

    (i)may be from a “dynamic” pool of available addresses, allocated for a time limited period in response to a connection session request, and regularly the subject of re-allocation

    (ii)may be from a static pool, and allocated to a specific device for an extended period of time

    (iii)is likely to be from a “dynamic” pool where the user is a private individual accessing the internet for personal purposes.

    (d)communications between recipient devices on public networks, on the one hand, and originating devices on private computer networks, on the other, must typically be facilitated by a “gateway” / “router” / “network interface” device, and in such a case the public IP address of the private network user

    (i)will be the address of the private network’s “gateway” or “network interface” device, rather than that of the individual user’s actual terminal device (i.e., their computer, tablet or phone)

    (ii)may be common to other users on the private network

    (iii)may be common to other users of the terminal device

    (e)the public IP address of any device may change over time, but typically (and subject to the exception of a mobile communication device) the IP address is unlikely to vary during any one specific communication session

    (f)a network device may use a “proxy server” which relays that server’s IP address to the destination / recipient server, in substitution for the IP address of the proxy server user’s device

12. A necessary consequence of the propositions set out in the preceding paragraph is that an IP address describes neither a particular terminal device directly operated by a user, nor a particular user.  Therefore, as a “standalone” piece of information it would not fall within the PrivAct 88 conception of “personal information”:-  see Australian Law Reform Commission - Report No (2008) paragraph 6.60 page 203.   Freelancer emphasised that the PrivAct 88 definition of “personal information” had two distinct components.  The first component was that the information had to be “about” an individual.  The second component was that the identity of the individual had to be apparent, or reasonably ascertainable, from the information:-  see paragraph 17 above.  In emphasising those two distinct components of the statutory definition Freelancer submitted that information was not “about an individual” merely because it was possible to ascertain a person’s identity from the information.

13. Feelancer’s submissions about the two components of the “personal information” definition were based on the decision of this Tribunal in Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991, and that of the Full Court of the Federal Court of Australia in the unsuccessful appeal from that decision:- see Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.

14. In Telstra Corporation Limited and Privacy Commissioner [2015] AATA 991 a Telstra subscriber had sought to enforce the qualified access entitlement to “personal information about an individual” provided for in NPP 6.1. The particular access request related to “all the metadata information … about my mobile phone service”. The subscriber speculated that the “metadata information” would include (i) the identification of cell tower connections, (ii) the time and originating phone number of SMS messages, (iii) URL’s of websites he had accessed using his phone and, (iv) a log of incoming and outgoing phone calls. Telstra ultimately provided, amongst other things, (i) the subscriber’s customer ID, unlocking key, SIM password and IMEI number, and (ii) a detailed log of the subscriber’s outgoing phone calls and messages. The two contentious categories of information that Telstra did not provide were (i) records detailing incoming phone calls and, (ii) “network data”. In response to the subscriber’s complaint the Commissioner determined that Telstra should provide the subscriber with the three categories of information - (i) IP address information, (ii) URL information and, (iii) cell tower information (additional to the information contained in the subscriber’s billing records). Telstra subsequently succeeded in review proceedings in this Tribunal, and in appeal proceedings in the Federal Court:- see Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4; (2017) 249 FCR 24.

15. The subscriber’s basic proposition in the Telstra matter was that the mobile phone metadata fell within the PrivAct 88 concept of “personal information” if Telstra could associate it with his account.  Telstra’s evidence conceded that it did retain relevant metadata, and that it could be interrogated to provide IP addresses relating to the subscriber’s communications.  However, Telstra said that (i) it only retained the metadata for limited periods, (ii) the data was usually only resorted to by its quality assurance personnel, and (iii) the data could be, but was not typically, used to correlate IP addresses with individual subscriber’s mobile phone devices.

16. In the Tribunal decision Deputy President Forgie accepted that the “about an individual’ component of the PrivAct 88 definition of “personal information” was a broad descriptive category that extended to include information “concerning or relating to” an individual.  Using that broad description, telephone numbers and residential addresses, as well as general descriptions of a person’s activities, interests and beliefs could readily fall within the definition of “personal information”.  But the ultimate question of characterisation, in determining whether any particular information was “about” an individual, was not answered by the mere fact that the contentious information could be used to identify a particular individual.  Rather it involved an impressionistic assessment of the degree of connection between the information and the individual.

17. Despite the breadth of the “about an individual’ component DP Forgie characterised Telstra’s “network data” (including the IP address information it contained) as information about the transmission method of the subscriber’s mobile phone communications, rather than information “about” the subscriber. Referring specifically to the IP address information DP Forgie said (at [2015] AATA 991 [113]):-

    I am satisfied that an IP address is not information about an individual.  Certainly, it is allocated to an individual’s mobile device so that a particular communication on the internet can be delivered by the Internet Service Provider to that particular mobile device but, I find, an IP address is not allocated exclusively to a particular mobile device and a particular mobile device is not allocated a single IP address over the course of its working life.  It changes and may change frequently in the course of a communication.  The connection between the person using a mobile device and an IP address is, therefore, ephemeral. In the context of this case, it is not about the person but about the means by which data is transmitted from a person’s mobile device over the internet and a message sent to, or a connection made, with another person’s mobile device.

18. In the subsequent appeal the Privacy Commissioner unsuccessfully submitted that the words “about the individual” in the PrivAct 88 definition of personal information were redundant.  The only relevant characterisation question was said to be whether or not the person could be identified from the contentious information.  The Full Court of the Federal Court rejected this submission, and pointed out that the “about the individual” criterion was both a component of the “personal information” definition and a specific requirement of the access entitlement in NPP 6.1.  (That observation is pertinent to the present matter, because the “about the individual” criterion is also separately expressed in NPP 1.3, 1.5 and 2.1:-  see paragraph 27 above.)  The Full Court said the following about the content of that requirement (see Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4; (2017) 249 FCR 24

    [63] The words “about an individual” direct attention to the need for the individual to be a subject matter of the information or opinion. This requirement might not be difficult to satisfy.  Information and opinions can have multiple subject matters. Further, on the assumption that the information refers to the totality of the information requested, then even if a single piece of information is not “about an individual” it might be about the individual when combined with other information. However, in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

    [64] In some instances the evaluative conclusion will not be difficult. For example, although information was provided to Mr Grubb about the colour of his mobile phone and his network type (3G), we do not consider that that information, by itself or together with other information, was about him. In other instances, the conclusion might be more difficult.  Further, whether information is “about an individual” might depend upon the breadth that is given to the expression “from the information or opinion”. In other words, the more loose the causal connection required by the word “from”, the greater the amount of information which could potentially be “personal information” and the more likely it will be that the words “about an individual” will exclude some of that information from National Privacy Principle 6.1.

1. In the present matter the parties proceeded on the basis that frequent changes in the allocation of IP addresses were probably unlikely in the course of typical online communication sessions between Freelancer’s web servers and the gateway devices of its registered users:- see paragraph 3131(e) above.  In that particular respect DP Forgie’s reasoning in the Telstra matter (because it related only to mobile phone communications) is distinguishable from the circumstances of the present matter.  But in other respects the reasoning is directly applicable.  IP addresses are very likely to be assigned by user’s ISPs.  They are likely to change over time, not necessarily unique to a particular network gateway device, and incapable of being categorised as indicating any particular individual.  They are allocated and used to facilitate a user’s communication, rather than forming part of the content of that communication.  Furthermore, apart from the circumstances involved in mobile phone communications (of the kind that were involved in the Telstra decision) an IP address cannot reliably be associated with any particular originating or receiving device.  Those considerations present a considerable obstacle to the characterisation of any IP address as information “about an individual”. 

2. The Commissioner implicitly conceded that an IP address would generally not merit characterisation as being “about an individual”.  But the Commissioner invoked the Full Court’s contemplation that “information and opinions can have multiple subject matters”, and contended that Mr Szczepanski was sufficiently the subject matter of the contentious IP address information to merit that characterisation in the present case.  That contention was based on the nature and circumstances of Freelancer’s use of the IP address information it received.

3. When registered users accessed the Freelancer website their loginn screen displayed a window with a “Welcome” message that acknowledged the person’s username and stated that “your last login was on …”.  The following part of the message (i) gave the date and time of the “last login” and, (ii) said that “last login” had been “from” a specified IP address (ie., the message displayed a “dotted-decimal” sequence in IPv4 format).  Freelancer’s login software was able to display the user’s last login IP address because other software extracted the address from the automatically recorded access log and included it in a database.  From that database it could be matched with a user’s registered name.

4. The Commissioner’s submissions suggested the artificiality of approaching the concept of “personal information” as if the contentious information could be taken in isolation.  Taking up the point that neither phone numbers nor geographical addresses were necessarily “personal information” the Commissioner contended that the IP addresses logged at the time of Mr Szczepanski’s Freelancer “logins” were “associated” with him, had been so recorded by Freelancer, and thus fell within the PrivAct 88 definition of “personal information”.  The essence of the Commissioner’s argument was that the IP addresses were “about” Mr Szczepanski because Freelancer had recorded them in a way that intentionally correlated his logins with his account name.

5. The Commissioner’s submissions implicitly asserted that Mr Szczepanski’s identity could reasonably be ascertained from the IP address.  That assertion was significant in characterising the IP address as “about” an individual.  The assertion is inherently problematic, given the nature of an IP address.  Moreover, the Commissioner’s submissions appeared to overlook the significance of the last sentence in paragraph [64] of the Full Court’s reasons in the Telstra case – which suggested the more loose the causal connection involved in the potential for identification, the more likely the “about” criterion would limit the content of the relevant NPP access obligation: -  see paragraph 38 above.

6. The Commissioner’s submissions also assumed that, for the purpose of the NPP 1.1 and 1.3 collection and notification obligations, all of the information held by Freelancer could be taken into account in determining whether information is “about an individual” at the time it is collected.  However, the reasoning of the Full Court in Telstra shows that a factual enquiry is required to determine the scope of the information that may be relied in determining whether particular information is “about an individual”:- see [2017] FCAFC 4; (2017) 249 FCR 24 at [63].

7. It was in that context of the Telstra matter that the Tribunal had considered the permissibility of regard to the totality of the available information, in order to assess whether or not the information was “about” an individual whose identity “is apparent or can reasonably be ascertained”. The relevant consideration was in the following passage of the Tribunal’s reasons (at [2015] AATA 991)

   108. Beyond what might be considered to be general knowledge, I do not think that regard needs to be had to the wide range of information and means of searching information that is available in the public arena in determining whether an individual’s identity is reasonably ascertainable from the information or opinion held in an organisation. … The Privacy Act regulates the collection, handling and use of information about individuals and also provides means by which those individuals may obtain access to his or her own personal information and to ask that it be corrected for accuracy, relevance and completeness. In deciding whether the identity of an individual is apparent or can reasonably be ascertained from that information, regard needs to be had to the information held by the organisation. If that were not the case, an organisation could attempt to defeat the purposes of the Privacy Act by allocating a code of some sort to each individual and keeping a separate record of that.

8. The thrust of DP Forgie’s reasoning in the latter part of that passage was directed at a hypothetical situation where an access request was undoubtedly concerned with information “about” an individual, but where their identity was not apparent and it was problematic whether it could reasonably be ascertained from the particular information.  The Deputy President’s point was that an access request could not be refused merely because the organisation kept the identifying information it in fact used, in a form that apparently masked its relationship with the individuals concerned.

9. The justification for permissive resort to the totality of information available to the holding organisation, in determining whether the contentious information is “about” an individual, is clear in the case of an access request under NPP 6.1, and especially where the access request is widely expressed.  It is apparently for that reason the Full Court in Telstra was content to proceed on the basis of an assumption that, in determining whether information was “personal”, regard could be had to the totality of the information the organisation held relating to individual:-  see [2017] FCAFC 4; (2017) 249 FCR 24 at [61].  But the later passage in the Full Court’s reasons (set out in paragraph 38 above) indicates the potential impermissibility of that assumption where the access request relates to specific information.  That impermissibility is even more apparent where the contentious breach concerns the disclosure of information and the potential application of NPP 2.1, rather than an access claim under NPP 6.  In such a case the characterisation of information as “personal” will depend on the content of the information disclosed, and whether or not that information - together with “what might be considered to be general knowledge” (see paragraph 45 above) - is both “about” an individual and provides a basis from which their identity can “reasonably be ascertained”. 

10. Substantially similar reasoning applies to assessment of the circumstances involved in the “collection” of information.  The Full Court in Telstra emphasised (at [2017] FCAFC 4; (2017) 249 FCR 24 at [63] that

    … in every case it is necessary to consider whether each item of personal information requested, individually or in combination with other items, is about an individual. This will require an evaluative conclusion, depending upon the facts of any individual case, just as a determination of whether the identity can reasonably be ascertained will require an evaluative conclusion.

11. That passage was directed at an access request.  But the substance of the reasoning it contains applies with equal force to the assessment involved in the characterisation of (i) information that has been “disclosed” (and to which NPP 2.1 may apply) and, (ii) information that has been “collected” (to which NPP 1.1 may apply).

12. In this context it is important to determine when, and by what process, Freelancer received the contentious IP addresses associated with Mr Szczepanski’s login events.  Schedule 1 lists the 12 different IP addresses recorded in relation to his initial registration, the three login events that occurred in the following four hours, and the approximately 150 subsequent sporadic login events.  Those subsequent login events were mostly after October 2010.  Over that period, the same IP address was sometimes recorded for logins that occurred months apart.  In other instances, different IP addresses were recorded for logins that occurred on the same day (sometimes within hours of each other).

13. The propositions summarised earlier (see paragraph 31) require the conclusion that Freelancer would have received the IP address associated with each login at the beginning of each communication session.  That receipt would have been an automatic and inevitable consequence of Mr Szczepanski’s own decision to access the Freelancer website.  Furthermore, neither during the process of initial registration, nor in any subsequent login process, did Freelancer require a user to provide, confirm, acknowledge or adopt any IP address:-  see paragraph 2 above.  Finally, the “control panel” information Freelancer compiled for registered users (apparently as a summary of each user’s material details and identifiers) did not include any IP address.

14. The circumstances described in the preceding paragraph provide an important distinction between the present matter and the circumstances involved in the Telstra decision.  The Commissioner’s submissions emphasised that in Telstra it had at least been assumed that Telstra relevantly “collected” the IP address information.  This assumption was said to point strongly towards the same conclusion in the present matter.  It does not.  Telstra had a contractual obligation to provide the subscriber with access to its mobile phone network.  Freelancer had no similar obligation to provide visitors with access to its website (and no demonstrated means of preventing such visits).

15. Freelancer’s unsolicited and automatic receipt of an IP address at the beginning of an individual’s online visit to its website did not constitute collection for the purposes of NPP 1.1.  The explicit, but qualified, collection prohibition in NPP 1.1 could not sensibly be regarded as directed towards the mere receipt of unsolicited information.  Freelancer had “no opportunity to define or set the parameters under which it was received:  see Vice-Chancellor, Macquarie University v FM (GD) [2003] NSWADTAP 43 at [86]. That view is re-inforced by PrivAct 88 s 16B(1), which expressly provided that the Act only applied to information “collected for the purpose of inclusion in a record”. Such a limitation connotes a requirement for the organisation to have acquired the information for a recording purpose. And such a requirement is not met where the information is received merely as an inherent and inevitable part of the communication technology involved.

16. Broader considerations point in the same direction.  The ordinary connotation of collection is that of intentional acquisition, and especially for the purpose of gathering or assembling the acquired things in a particular place, or associating them in a particular grouping.  The familiar usage describes the activity of a collector of art or a fundraiser soliciting donations.  In the context of testamentary dispositions, wills typically direct an executor to “collect” the deceased’s assets, and plainly direct a purposive activity and gathering together.  Sometimes the concept of “collection” requires the actual use of objects, and not their mere gathering together:-  Gale v New [1937] 4 All ER 645. In the context of privacy usages, some legislative regimes explicitly exclude the receipt of unsolicited information from the concept of “collection”:- see Privacy and Personal Information Protection Act 1998 (NSW) (“NSW_PPI_Act”) s 4(5).

17. In KD v Registrar NSW Medical Board [2004] NSWADT 5 the substantial issue was whether the Board had breached the NSW_PPI_Act s 18 disclosure prohibition by providing a doctor with various documents KD had sent to it supporting her complaint about the doctor. The Board characterised its receipt of those documents as unsolicited and contended (relying on NSW_PPI_Act s 4(5)) that it had not “collected” the documents, and was not therefore subject to the disclosure prohibition. Judicial Member Britton accepted the Board’s contentions that it had not “collected” the information in the documents, but pointed out that NSW_PPI_Act s 18(1) operated as a complete prohibition on the disclosure of “personal information” held by an agency. That prohibition was subject to three exceptions. One of those exceptions (in NSW_PPI_Act s 18(1)(a)) related only to “collected” information. The other exceptions were not so confined. That difference reinforced the view that the disclosure prohibition in fact could apply to all personal information held by an agency, irrespective of the circumstances of its acquisition.

18. Penfold J expressed a similar view about “collection” in Twining v Curtis [2009] ACTSC 106. That case involved a situation where a public servant had sent an unsolicited email to a senior officer, who had forwarded it to the sender’s immediate supervisor. The privacy complaint was about the officer’s conduct in forwarding the email. It was a complaint about disclosure. Nevertheless, in the course of her reasons Penfold J addressed the meaning of “collect” in the Information Privacy Principles (IPP) 1-3 in s 14 of the Privacy Act. (Those principles relevantly paralleled NPP 1.1 to 1.3.) Penfold J observed that

    [87] “Collect” does not appear to be defined for the purposes of the Principles, but it seems to me to require active obtaining rather than passive and unsolicited receiving, and in the absence of submissions to the contrary I consider that receiving an email volunteered by another person does not amount to collecting that email.

19. In Seven Network (Operations) Limited v Media Entertainment and Arts Alliance [2004] FCA 637 at [45] there were two pieces of contentious information. One was a Seven Network phone list. The other was a record of responses to a telephone poll the Alliance had commissioned and which had used the phone list. The Alliance had obtained the list in circumstances which, perhaps understandably, it refused to disclose. The points at issue were whether the Alliance had “collected” (i) the list and, (ii) the poll responses. In relation to the telephone poll responses, Gyles J held that the Alliance’s action in commissioning the poll, and receiving the poll report, constituted “collection” for the purposes of NPP 1. But, in relation to the phone list Gyles J observed (at [45]) it “would not always be the case that the passive receipt of information could be described as ‘collecting’ information”. His Honour went on to draw a positive inference, in the absence of specific explanatory evidence from Alliance, that it had in fact taken “some active step … to obtain the information”.

20. As my earlier reference to the decision in KD v Registrar NSW Medical Board [2004] NSWADT 5 suggests, the NSW Privacy and Personal Information Protection Act 1998 (“NSW_PPI_Act”) contains information protection principles that broadly parallel the NPP provisions relating to the collection, use and disclosure of personal information. Like the corresponding NPP provision, the NSW restrictions on use are directed at purposes “other than that for which (the information) was collected”:- see NPP 2.1 & NSW_PPI_Act s 17. But, in relation to the provisions about disclosure, only one aspect of those provisions had a similar restriction relating to the collection purpose:- see NPP 2.1 & NSW_PPI_Act s 18(1)(a).

21. The Commissioner referred to the decision in MT v Director General, NSW Department of Education & Training [2004] NSWADT 194 where another member of the NSW Tribunal had expressed dissatisfaction with Judicial Member Britton’s view that the NSW_PPI_Act s 18(1)(a) disclosure restriction related only to “collected” information. The suggestion was that a beneficial construction required the conclusion that the word “collected” to be interpreted differently in the statutory provisions relating to “collection” on the one hand, and those relating to “disclosure”, on the other. In the former provisions the statutory direction that unsolicited information was not to be regarded as “collected” had to be acknowledged. But in the latter provisions the word “collected” should be understood as merely meaning “obtained”.

22. Properly understood, nothing in the “MT” decision detracts from the general force of the proposition that unsolicited information ought not be regarded as having been “collected”.  Furthermore, the dissatisfaction expressed in the MT decision about the reasoning of Judicial Member Britton in the KD decision is unpersuasive.  Both decisions in fact came to the same conclusion in relation to disclosure – that personal information held by an agency was subject to disclosure restrictions, irrespective of its characterisation as unsolicited or “collected”.  In arriving at her conclusion, Judicial Member Britton had undertaken an entirely orthodox analysis paying careful attention to the actual statutory wording and, specifically, to the differences in the wording of the relevant exception provisions in NSW_PPI_Act s 18(1)(a)&(b).

23. In two subsequent decisions the President of the NSW ADT effectively adopted the same view as Judicial Member Britton about the ordinary characterisation of the receipt of unsolicited information.  It did not merit characterisation of the information as having been “collected”:-  see OA v New South Wales Department of Housing [2005] NSWADT 233;  OA v New South Wales Department of Housing (No 2) [2006] NSWADT 94 In the former decision O’Connor DCJ said:-

    [36]  The mere receipt of a communication from the member of the public does not constitute a ‘collection’ of personal information, as it does not involve an act on the part of the agency of ‘assembling’ or ‘gathering’ the information (see definitions of ‘collect’ and ‘collection’ in Macquarie Dictionary, (1st ed, 1980). Any doubt as to this matter is resolved by the Act, which provides in s 4(5) that:

    ‘For the purposes of this Act, personal information is not collected by a public sector agency if the receipt of the information by the agency is unsolicited’.

24. There is no warrant for regarding the word “collected” in NSW_PPI_Act s 18(1)(a) as meaning merely “obtained” or “received”. In any event there is no support for the view that the term “collected” bears anything other than its ordinary meaning, and excludes the mere receipt of unsolicited information, in the NSW_PPI_Act ss 8 & 9 provisions relating to the collection of personal information. There is similarly no warrant for regarding the various decisions on the NSW legislation as supporting a construction of NPP 1.1 as extending to the unsolicited receipt of information.

25. An IP address received in the manner typical of activities involving visits to Freelancer’s website does not merit characterisation of the IP address as being “about an individual”.  Neither does it merit characterisation as being information from which an individual’s identity can reasonably be ascertained.  This is so because of the inherent characteristics of IP addresses and the practices involved in their allocation and use.  As the Schedule 1 summary shows, any particular user’s recorded IP address may change over time, and do so in apparently idiosyncratic fashion.  It may also stay the same, over significant periods of time.  But because the recorded IP address is only that of a network interface device (including potentially, the address of a “proxy server”) there is no way of discerning either the use of any particular terminal device, or an individual’s identity, from an IP address. 

    The IP address “collection” and characterisation  issue

1. In this section I consider whether Freelancer’s retention of IP address details, and their association with historical login events, constituted collection for the purposes of NPP 1.1, and whether, in those circumstances the IP address details became information “about” an individual. 

2. The Freelancer login screen responded to users with the “Welcome” greeting and IP address message I have previously described -  see paragraph 41 above. This feature, and the use of the software applications and database that enabled it, provided the basis for the Commissioner’s submission that, irrespective of the nature of its original receipt, Freelancer had subsequently “collected’ the IP address information.  That subsequent collection was said to permit resort to the totality of a registrant’s collected “personal information” and to permit characterisation of the IP address as being both “about” an individual, and information from which their identity could reasonably be ascertained.

3. The Commissioner’s basic point about the possibility of “collection” after the initial receipt of information receives some support from findings in various decisions concerning the NSW_PPI_Act.  In OA v New South Wales Department of Housing (No 2) [2006] NSWADT 94 at [17], O’Connor DCJ thought there would be a “collection” for the purposes of the relevant privacy principles where the recipient of otherwise unsolicited information decided to make use of it. A similar, but less precisely worded, conclusion was expressed in ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 at [71].

   In the cases raising this issue the Tribunal has usually held, adopting a purposive approach, that the limitation in s 4(5) ought not be applied to the entirety of the information handling cycle. Information that was unsolicited at origin, once taken under the control of the agency for one of its administrative purposes should be treated as 'collected' and no longer retaining the character of 'unsolicited' information. See for example, KD v Registrar NSW Medical Board   [2004] NSWADT 5 , MT v Director General, NSW Department of Education & Training [2004] NSWADT 194 and BN v Hornsby Shire Council [2008] NSWADT 249. We agree with that approach.

4. The proposition that the KD decision endorsed the proposition that unsolicited information subsequently became “collected” information mis-states the effect of Judicial Member Britton’s decision and misunderstands her reasoning, particularly the critical difference between the disclosure restrictions in NSW_PPI_Act s 18(1)(a) and 18(1)(b). The “BN” decision also involved a “disclosure” complaint, and provided no explicit justification for the view that subsequent retention of information involved relevant “collection”.  Furthermore the previously cited passage from the reasons in ZR v Department of Education and Training (GD) [2010] NSWADTAP 75 was in a section of the reasons dealing with the use of information. Earlier passages in the reasons had specifically addressed the receipt of unsolicited information, and the question whether that receipt involved collection. That discussion included specific endorsement of the view of Gyles J that the passive receipt of information should not be regarded as collection (see paragraph 57 above).  It also endorsed the proposition that information should not be regarded as having been “collected” where the recipient had “no opportunity to define or set the parameters under which it was received”:-  Vice-Chancellor, Macquarie University v FM (GD) [2003] NSWADTAP 43 at [86]. The discussion noted that the proposition had been consistently applied in a number of subsequent decisions. Those decisions included instances where the retention of unsolicited information, and its inclusion in a written record, had been held not to constitute relevant “collection:- LB v Hunter New England Area Health Service [2010] NSWADT 82. Indeed, in ZR v NSW Department of Education and Training (GD) [2009] NSWADTAP 69 at [62]-[69] the Appeal Panel had described as “artificial” the proposition that the internal recording of unsolicited information should be regarded as collection for the purposes of the privacy principles.

5. That conclusion of artificiality is equally applicable in the present case.  It is strengthened by the wording of both PrivAct 88 s 16B(1)(a) (which refers to collection for inclusion in a record) and NPP 1.3 & 1.4 (which appear to contemplate that the concept of collection involves the receipt of information either “from the individual” or “from someone else”. None of those criteria readily extends to either the automatic receipt of unsolicited information, or its merely internal recording and organisation.

6. Even if the circumstances involved in Freelancer’s login “Welcome” message indicated a use of IP address information that could be regarded as collection, the information itself was still not “about” an individual.  It was information “about” the login itself.  The disconnect between the IP address record and any individual is rather underscored by two considerations.  The first is the evident variability in the IP addresses attributed to Mr Szczepanski’s various logins:-  see paragraph 50 above and  Schedule 1.   The second is the disconformity between the IP addresses recorded by Freelancer, and those published by Wikipedia in relation to the “edits” of whose authorship Mr Szczepanski acknowledged: -  see paragraph 172 below and Schedule 2.  The fact that Freelancer’s software “associated” the historical login IP address with particular registrant accounts meant that, in the kind of loose causal relationship alluded to by the Full Court in Telstra, a user’s identity might reasonably be ascertained “from” the totality of the information available to Freelancer.  But that possibility is not determinative.  Indeed, as the Full Court emphasised in the Telstra decision, the “about” requirement operates as an additional substantive qualification on the concept of “personal information”:- see Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4; (2017) 249 FCR 24 at [63], [64] (especially the last sentence of [64]).

   IP address collection – reasonable notice

7. The NPP 1.3 obligation in relation to collected information is to take “reasonable steps” to ensure the individual providing their personal information is aware of various matters, including the “purposes for which the information is collected”.  The time for performing that obligation is either before, or as soon as practicable after, the information is collected: -  see paragraph 27 above.  In this section, and on the assumption that Freelancer should be regarded as having “collected” IP address information “about” Mr Szczepanski, I consider whether Freelancer complied with the NPP 1.3 obligation.

8. Freelancer’s User Agreement notified users that participation in the marketplace was conditional on acceptance of the terms of the Agreement.  One aspect of the User Agreement provided for Freelancer to make “bonus” payments for user referrals.  However, clause 5.2 expressly excluded from the referral entitlement both self-referrals and referrals of an individual who had the same IP address as the putative referrer.  Clause 12 of the Agreement informed users that Freelancer would use personal information for the purpose of fulfilling the User Agreement.  In addition, it invited users to contact Freelancer if they required any further information regarding its use of their personal information.  Freelancer’s User Agreement incorporated Freelancer’s formal privacy policy document. That document disclosed that Freelancer automatically recorded some, non-identifying, data and “volunteered” information including “site registrations”.  It also stated that all the information Freelancer “collected” was only used for Freelancer’s purposes and was not shared with third parties.  The last part of the privacy statement disclosed that “with respect to security” Freelancer used industry standard encryption technologies when transferring and receiving data exchanged with the Freelancer site.

9. When these various provisions of both the User Agreement and the Privacy Policy are understood against the background of the propositions relating to the nature of IP address information (see paragraph 31 above) Freelancer had taken reasonable steps to ensure that Mr Szczepanski was aware of the collection of the information and the general purpose of that collection, and complied with NPP 1.3.  The assessment of what constitutes “reasonable steps” must be influenced by the nature of the information itself, the likelihood of the user’s awareness of the collection, the nature and extent of the collector’s collection explanations, the nature and potential utility of any invitation to request further information, and the disclosed purposes of information use.  Reasonable steps do not require a collector to provide an audit list detailing every detail of collected personal information and the specific purposes for which it may be used.

10. That general assessment is confirmed in the circumstances of the present case by two further considerations.  The first is that Mr Szczepanski’ was at all relevant times well aware of Freelancer’s recording of IP address information, and its association of that information with registrant’s logins.  I have previously referred to the 12 different IP addresses Freelancer recorded in relation Mr Szczepanski’s various logins.  They included the three login events that occurred in the four hours immediately after his user registration on 8 November 2009:-  see Schedule 1 row 8.  Each of those logins would have displayed the Welcome message, and the IP address history, to which I have previously referred:-  see paragraph 41 above.

11. Mr Szczepanski asserted that this particular feature of the Freelancer website only began to appear in late 2012, just before his account had been closed.  He also asserted that he understood the statement “your last log in” referred to his current login, and that the display did not reveal that Freelancer had an historical record of user’s IP addresses.  He asserted that there was a significant distinction between Freelancer “displaying” a user’s current IP address and “storing” a user’s addresses.  I reject all four of those assertions. 

12. Mr Barrie said that the “welcome” window feature, with the IP address display, had been a feature of the Freelancer login process since November 2009.  Freelancer corroborated his evidence by producing the underlying coding page that amended the login display screen to include the IP address display.  (Both Mr Barrie and Mr de Jong explained that this display was a feature commonly used by other online services - including Facebook and Google - and was intended to provide users with information of potential use to them in monitoring access to their accounts.)  This evidence was clear and provides a compelling contradiction of Mr Szczepanski’s claim that the IP login display message only began to appear during 2012.

13. The unreliability of Mr Szczepanski’s evidence about the login screen message was highlighted by his professed understanding that the words “your last log in” referred to his “current” login session.  That understanding is contrary to the ordinary meaning of the welcome message.  There is no context to suggest the message bears any other meaning.  Indeed the display of a date and time after the reference to “your last login” is much more consistent with being a reference to a past, rather than to a contemporaneous, event.  Moreover in evaluating the reliability of Mr Szczepanski’s professed understanding of the meaning of the “last login” message it is relevant to take into account the fact that he had a reasonably sophisticated knowledge of the purpose and use of IP addresses, and their assignment to network devices.  His knowledge extended to awareness of the distinction between “dynamic” and “static” IP addresses and to the likelihood that a “dynamic” address would be allocated to his login communication sessions:-  see paragraph 3131(c) above.  In the totality of those circumstances I am completely satisfied that the content of the typical Freelancer login display message was substantially the same between November 2009 and August 2012.  That message in fact conveyed to Mr Szczepanski the knowledge that (i) the IP address displayed was that of his last account login and, (ii) Freelancer had a record of that address, and was able to match it with his login events.  One other matter strongly support that view.  It is provided by the explanation that Mr Szczepanski gave for his “guess” about how Freelancer determined the existence of his multiple accounts.  Mr Szczepanski said he had surmised that Freelancer had matched the IP addresses related to his various account activities.  As I set out elsewhere in these reasons, that asserted “guess” has no foundation:-  see paragraph 172 below.  But it has a present relevance in corroborating the apparent significance of the login “welcome” message, and in adding to the likelihood that Mr Szczepanski was at all times aware of Freelancer’s recording of his IP address logins.

14. The second reason tending to confirm an assessment that Freelancer had taken “reasonable steps” in relation to the collection of IP address information is the absence of enquiry or complaint by Mr Szczepanski at any time after his initial registration in November 2008.  This includes the contents of his April 2011 exchanges with Freelancer, his communications with Mr Barrie in March 2012, and in his later public criticisms of Freelancer in the course of his self-declared “war”:- see paragraphs 78 to 79 and 166 below.

    The narrative context of the disclosure issues

15. Prior to the March 2012 re-instatement of his account Mr Szczepanski, using the pseudonym Piotr Kowalczyk, sent a message to Freelancer.  He claims he posted the initial message on Freelancer’s corporate Facebook and was surprised to receive a response from Mr Matthew Barrie, Freelancer’s Chief Executive Officer.  Mr Barrie’s specific recollection, and the explanation for his direct response, was that he had received a message on his personal Facebook account.  The fact of Mr Barrie’s direct response, his specific recollection, and the uncontentious fact that the subsequent exchange of messages indeed occurred on Mr Barrie’s personal Facebook account, suggest his version of events is the more reliable.  On the other hand, it is also clear that Mr Barrie responded to the initial communication by inviting Mr Szczepanski to provide more specific details (apparently of his “problem” with Freelancer) and that he passed the contents of Mr Szczepanski’s later messages on to appropriate personnel within Freelancer.

16. Mr Szczepanski answered Mr Barrie’s question, and detailed his concerns about Freelancer, in a second Facebook message he sent to Mr Barrie on 27 March 2012.  Mr Szczepanski preceded his list of concerns with two significant observations.  First, he acknowledged having been a Freelancer user for two years and declared that “from my point of view” Freelancer did its job well.  Second, he explicitly disavowed any request for Mr Barrie’s “intervention concerning my case”.  Mr Szczepanski actually described his concerns as “annoyances” rather than problems.  He then outlined (i) criticisms that Freelancer’s account suspension policy was applied in an unjustifiably peremptory manner, (ii) suggestions that Freelancer provide notice and reasons before suspending user accounts over identity verification issues, (iii) dissatisfaction with the quality of Freelancer’s customer support and, (iv) a suggestion for improving the prioritisation of user’s support enquiries. 

17. Despite having used the Kowalczyk pseudonym to originate the contact with Mr Barrie, and despite claiming that he liked to protect his privacy, Mr Szczepanski provided his own name (with “Charles/Chaim” variations of his first name) and his email address to Mr Barrie.  For his part, Mr Barrie passed the contents of Mr Szczepanski’s second message on to three people involved in Freelancer’s customer support team, and reported the fact of that referral to Mr Szczepanski.  Mr Szczepanski then sent Mr Barrie two more Facebook messages.  The first contained some minor elaboration on his previous criticisms of Freelancer’s customer support.  It also emphasised that he was making suggestions about the quality of service and that his approach was “not about the money”. The second, sent after Freelancer had re-instated Mr Szczepanski’s account, volunteered (but foreshadowing a potential USD500 fee) to provide a constructive review of problems he perceived with Freelancer’s current policies and practices.  Mr Barrie passed these two messages on to the customer support team, but Freelancer did not take up Mr Szczepanski’s offer.

18. After April 2012, and despite the continuing use of his November 2009 account, Mr Szczepanski was responsible for numerous public criticisms of Freelancer.  These appeared in his own “blog” and in “posts” he made on other internet sites.  The timing and nature of Mr Szczepanski’s publications, and the responses they elicited, provide relevant context to the specific NPP disclosure breaches about which he complained.  That context is summarised in the following paragraphs.

19. 30 July 2012 to 7 August 2012:- various (effectively anonymous) posts on another person’s blog (the “R2L blog”).  The posts criticised Freelancer, encouraged press complaints about it and asserted that the people running Freelancer were “crooks”

20. 31 July 2012:- brief comments (by an author identified as “Chaim S”) on an online “complaints board” forum.  The comments were to the effect that Freelancer had suspended a user account containing uncollected funds and had a “humiliating and potentially dangerous privacy policy”.  The author recommended that complaints about Freelancer be sent to the press.

21. 1 August 2012:- a recommendation posted on an internet article that rated Freelancer.com as number one of the “Top 5 freelance websites”.  Mr Szczepanski’s recommendation (posted under the name “Chaim S”) was to avoid Freelancer “at all costs”.  The post contained an assertion that the most notable of Freelancer’s “arsenal of dirty tricks” was the suspension of accounts despite the fact that they contained uncollected funds.

22. post 1 August 2012:-  an internet article had been published in April 2012 alerting “employer” users to the fraudulent practices (spurious reviews and illusory advertising services) of some service providers using the Freelancer site.  Several months later (apparently around about 2 August 2012) and again using the “Chaim S” name, Mr Szczepanski posted a comment complaining that Freelancer was a “scam”, not a legitimate company, had lousy customer service and was known to suspend accounts containing uncollected funds.  He provided a link to a “manual” he commended to disaffected users.

23. 2 August 2012:-  The link referred to in the preceding paragraph was to a blog entitled “getahindu” which Mr Szczepanski, under the name Chaim Kovalsky, had apparently published sometime in July 2012.  On 2 August 2012 Mr Szczepanski posted another entry on the blog.  In this post he described Freelancer as a “bunch of hyenas and bozos” whose behaviour could not practically be challenged by legal action.  He suggested a number of tactics to dis-satisfied Freelancer users.  They included (i) contacting entities likely to commend Freelancer and ask them whether they liked being linked to a company “accused of stealing, ripping off, ignoring and humiliating its customers, (and) lying”, (ii) informing media outlets that Freelancer “engages in immoral and (potentially) criminal behaviours”, (iii) removing what he referred to as “sugar glaze” from Freelancer’s Facebook, Twitter, YouTube and Wikipedia entries, (iv) complaining to consumer organisations, (v) signing a petition asking the Australian government to “stop the atrocities of freelancer.com”, (vi) complaining to credit card companies about Freelancer’s “illegal fees” and, (vii) providing him with stories and links “suitable for our cause”.  That “cause” was, according to the penultimate line in the manual, a “war” on Freelancer.

1. Mr Szczepanski’s August 2016 Statement pointed out that NPP 2.1 applied to both the use and disclosure of personal information.  He contended that the intercepted message evidenced that Freelancer had relevantly “used” his personal information, and had done so in breach of NPP 2.1.  Neither of these contentions is correct.  Whatever breadth one ordinarily would accord to the concept of use, its meaning in PrivAct 88 is restricted. It does not include “mere disclosure”:- PrivAct 88 s 6. In addition, the conditional NPP 2.1 prohibition on improper “use” applies to “information” that has been collected. This implies that “use” for the purposes of PrivAct 88 requires more than just possession or restatement of the information.

2. The intercepted 12 August 2012 message about which Mr Szczepanski complained contained three presently relevant statements:-

   (a)That he had published the “getahindu” blog site

   (b)That his name was Karol Szczepanski and he was also known as "Chaim Kovalsky"

   (c)That he had established “fake” accounts on the Freelancer web site.

3. The first of those statements was simply not “information” that Freelancer had relevantly collected.  The self-proclaimed author of the “getahindu” blog was “Chaim Kovalsky”.  So far as the evidence reveals, Freelancer’s assertion in the 12 August 2012 message was an inference, rather than the use of personal information.  The same applies to the use of the “Kovalsky” name in the second statement. 

4. In relation to the third statement, if the assertion that Mr Szczepanski had created “fake” accounts was a relevant “use” of his personal information (which in my view it was not) it was a use which was both consistent with the primary purpose for which Freelancer had obtained his personal information, and a reasonably expected use - having regard to the contents of the Freelancer User Agreement.  (The particularly relevant provisions of the User Agreement were (i) the obligations to provide Freelancer with truthful information (cl 7.1), (ii) the prohibition on the creation of multiple accounts (cl 10.6 - after March 2012) and (iii) the prohibition on unfair criticism (cl 10.6).

5. In the light of the above, there is no substance in Mr Szczepanski’s contention that the intercepted message of 12 August 2012 involved any NPP breach by Freelancer.

   The disclosure to clientele issue

6. Freelancer closed Mr Szczepanski’s November 2009 account on 14 August 2012.  Two days later he says he sent an email to 15 of his “customers” informing them that Freelancer had “deleted” his account.  He produced a message, which he said was from one client, who responded to his disclosure by asking “what happened”.  He produced another message in which another asserted customer, who described himself as a first time Freelancer user, said he had “also received notification from Freelancer.com about your account suspension”.  However, in cross examination, Mr Szczepanski conceded that his claim that Freelancer had “deleted” his account was inaccurate.  He also conceded that he was not aware of anyone, other than himself, who had published the fact of the closure of his account.

7. The Commissioner rejected this asserted breach on the basis that (i) there was no primary evidence of Freelancer’s asserted disclosure, and (ii) in the absence of evidence of the specific disclosure, there was no satisfactory basis to find that the “customer’s” assertion was factually accurate as distinct from a conclusion they drew from the combined effect of (a) Mr Szczepanski’s own disclosure and (b) their own inability to access his account once it had been closed by Freelancer.

8. Contrary to the Commissioner’s view that there was a mere lack of evidence of disclosure by Freelancer, there were good reasons to reject the factual basis of Mr Szczepanski’s assertion.  One of those was the fact that, given Freelancer’s log of events relevant to the management of Mr Szczepanski’s account, the absence of any record of such a disclosure was inconsistent with it having occurred.  Another was the fact that Mr Barrie denied any such communication with Mr Szczepanski’s clients about the account closure.  An additional reason was the discrepancy between Mr Szczepanski’s disclosure that his account had been “deleted” and the “customer’s” assertion that the account had been “suspended”.  This discrepancy is significant because the evidence discloses that the account had in fact been closed late in the afternoon of 14 August 2012.  Another reason was that the “customer” described themselves as a “first time” Freelancer.com user.  If that was correct, then there would have been no apparent means by which Freelancer could ever have identified this “first time” user as a “customer” of Mr Szczepanski.  He had not become identifiable to Freelancer as “customer” prior to the account cancellation on 14 August 2012, and he could not possibly have become one after that date.

9. In those circumstances there is no basis on which to find that Freelancer made any disclosure to any of Mr Szczepanski’s customers about the closure or suspension of his account.  On the contrary, there is good reason to infer that the otherwise unproven and imprecise indication that the account had been “suspended” was merely an inference that the “first time” user drew from being unable to contact Mr Szczepanski on the freelancer.com site after the account had been closed.  For all these reasons there is no basis for finding that the circumstances involved Freelancer in any NPP breach of the kind asserted.

   The damages issue

10. The Commissioner’s determination involved findings that Freelancer had demonstrated a reckless indifference to Mr Szczepanski’s privacy rights and that the appropriate damages declaration amounts were $15,000 in general damages and $5,000 in aggravated damages.  Those damages awards did not include any compensation for economic loss, because the Commissioner was not satisfied that the evidence disclosed any basis for such an award.  Subject to one important qualification, the general damages amount awarded by the Commissioner did not result from any specification of the loss or damage attributable to any particular breach finding.  It was substantially based on a vague declaration of satisfaction, in relation to the amorphous totality of Mr Szczepanski’s allegations, that he had suffered “some type of emotional distress”.  In the review proceedings Mr Szczepanski supported that approach.  He suggested that Freelancers conduct should be viewed as a “whole continuum” and disavowed any attempt to articulate the asserted consequences of any particular breaches.

11. The qualification to which I have referred is that the Commissioner regarded Freelancer’s collection of Mr Szczepanski’s IP address as a major contributor to the asserted deterioration in his wellbeing.  The Commissioner also found that Freelancer’s breaches had occurred over a prolonged / five month period (from August / September 2012 to January 2013).  The Commissioner thought that Mr Szczepanski’s “voluminous communiques” about and to Freelance “during and subsequent to his its improper conduct” clearly and sufficiently evidenced his “escalating levels of distress, hurt and frustration”.  The Commissioner determined that “for reasons of convenience” it was appropriate to treat Freelancer’s privacy breaches as “a whole continuum” and decided that, despite the rejection of a number of his claims as unsubstantiated, it was appropriate to treat his various criticisms as “parts of a single complaint” that “did not require different considerations to be applied to each” substantiated breach finding. 

12. Despite that declared satisfaction, the Commissioner also expressed the view that Mr Szczepanski’s reactions to Freelancer’s conduct “intensified with each ensuing privacy breach”.  Furthermore, and also despite his earlier expressed satisfaction that the impact of the breaches should be treated as a progressive continuum, the Commissioner attached particular significance to Mr Szczepanski’s complaint that Freelancer had been “singled out” and “tracked down” by Freelancer.  The Commissioner also gave significant weight in the damages assessment to his view that there had been a “prolonged period” of privacy breaches.

13. The Commissioner’s declaration relating to aggravated damages proceeded partly on the basis of an ambiguously worded sequence of findings about the 15 October 2012 post.  One of those findings was that the post involved a disclosure of information that was “of a more sensitive nature than other kinds of personal information”.  The second finding involved (i) the double negative proposition that the Commissioner was not prepared to say that Freelancer’s conduct did not involve the disclosure of any sensitive information and (ii) an additional observation that the racist allegation in the post was “at the very least information of a sensitive nature”.  The other declared bases for the aggravated damages award were that Freelancer (i) had committed multiple, widespread and prolonged privacy breaches, (ii) had made malicious abusive attacks and, (iii) had taken pleasure in Mr Szczepanski’s distress.  The Commissioner concluded that Freelancer had continued to publish Mr Szczepanski’s information online “despite being made aware…that such action breached privacy legislation”.

14. On the basis of the findings I have made, there is no justification for characterising Freelancer as having engaged in a prolonged series of privacy breaches.  Rather its breaches occurred only in relation to the August 2012 disclosures, and occurred within a span of about 40 hours.  Furthermore, far from being either malicious, or engaged in for the purposes of Freelancer’s sadistic entertainment, they were essentially defensive tactics in combatting the considerable attacks Mr Szczepanski had made on Freelancer in his self-declared “war”.  That defence was understandable given the debate, obvious from the contents of the Wikipedia “talk” page edits (see Schedule 2 rows 23, 25, 30, 31, 32 and 39) as to whether there was a justification for the inclusion of the critical edits posted by Mr Szczepanski.  There is certainly no basis, given the findings I have made, for concluding that Freelancer persisted in conduct involving privacy breaches after being put on notice by Mr Szczepanski.  Nor is there any basis for concluding that Freelancer’s 15 October 2015 post involved the disclosure of personal information, let alone personal information of a sensitive nature.  If the 15 October 2015 post involved an accusation of racism, as the Commissioner thought, it was not an accusation that involved the disclosure of information or opinion that Freelancer had collected for inclusion in a record.  It was merely an impression Freelancer had formed from its reading of the “getahindu” blog.  It did not constitute “personal information”, and its expression did not involve a disclosure, for the purposes of PrivAct 88.

15. I accept the accuracy of the Commissioner’s view that Mr Szczepanski asserted that his distress began with the knowledge of Freelancer’s collection of IP address information, was significantly aggravated by his understanding of being “tracked down” and was compounded by the August 2012 disclosures, and by Freelancer’s subsequent conduct.  But Mr Szczepanski’s assertion is itself not at all reliable.

16. One reason for that unreliability is well illustrated by reference to Mr Szczepanski’s claims in relation to the IP misuse issue.  I have previously found that those claims were highly improbable and actually inconsistent with the available evidence:-  see paragraph 173 above.  In addition to those findings, it is appropriate to point out, that Mr Szczepanski knew that the focus of Freelancer’s concern in April 2011 was the Paypal account common to his accounts.  He also understood the nature of IP addresses.  In particular, he understood the distinction between “dynamic” and “static” addresses.  He also had the expectation that his ISP would have allocated a “dynamic” ISP address for his internet device connections.  He nevertheless insisted in his oral evidence that it would have been both possible and “easier” for Freelancer to have identified his common Freelancer accounts by utilising IP address records, than by discovering the fact of his shared Paypal account.  Mr Szczepanski’s avowal of this proposition, together with his conceded past use of “dummy data” in his dealings with Freelancer, contribute to a convincing demonstration of the fact of his commitment to his own cause and self-interest.  They provide an indication of the extent to which his perspective of self-interest is undisciplined by the requirement of regard to objective reality. 

17. A further indication is provided by (i) Mr Szczepanski’s incredible claim that he understood the IP address display on the Freelancer login screen to be that of his current login and, (ii) his professed recollection of the belated introduction of this login screen feature.  As I have set out earlier in these reasons, the evidence demonstrates that the login screen feature had been introduced in 2009.  Mr Szczepanski’s numerous logins over the period between November 2009 and August 2012 tend to demonstrate that for years prior to his July 2013 complaint Mr Szczepanski had been aware of the fact that Freelancer maintained a record of login IP addresses.  Indeed that knowledge was the asserted basis for his “guess” as to how Freelancer had “matched” his accounts in April 2011:-  see paragraphs 73 to 76 above.  Notwithstanding that knowledge, it was not the subject matter of any of the criticisms Mr Szczepanski conveyed to Mr Barrie in their March 2012 communications.  Nor did it feature as an item of criticism in any of the many posts Mr Szczepanski made in conducting his “war” on Freelancer.  In these circumstances the suggestion that the fact of Freelancer’s log in IP address recording was something that caused significant distress to Mr Szczepanski is one strongly motivated by perceived self-interest and not at all credible.

18. Yet another indication of the unreliability of Mr Szczepanski’s evidence was his explanation for his advertising to acquire a “discreet” Paypal account in someone else’s name:-  see paragraphs 6 and 161 above.  When he was challenged about the impropriety of this activity Mr Szczepanski asserted that he had just being doing research.  He also asserted that Paypal account trading was common place on the Freelancer website.  The first of these assertions is so difficult to reconcile with the content of the series of communications in which Mr Szczepanski took part that I have no hesitation in rejecting it as incredible.  The second assertion only confirms that view.  If, as Mr Szczepanski suggested, Paypal account trading had been commonplace on the Freelancer site, it is difficult to comprehend either the nature or the purpose of Mr Szczepanski’s supposed research.  When specifically asked that question in these proceedings, Mr Szczepanski said he was “just investigating the possibilities of what could be done”.  Properly understood, that response suggested an activity that was more than just “research”, and re-inforces my view of the unreliability of his evidence. If any further re-inforcement is necessary it is amply provided by the evidence that no such transactions were permitted, and that detected attempts to effect them were prevented.

19. Another remarkable feature of the evidence is the stark contrast between the specifically acquiescent and complimentary content of Mr Szczepanski’s March 2012 messages to Mr Barrie, and the content of the assertions and complaints in the various “posts” Mr Szczepanski made when he was conducting his “war” against Freelancer.  These included complaints that Freelancer suspended accounts containing uncollected funds and had a humiliating privacy policy.  They also included (i) encouragement to avoid Freelancer “at all costs”, (ii) an accusation that it had an arsenal of dirty tricks and (iii) repeated assertions that Freelancer was “scam” not a legitimate company and “a bunch of hyenas and bozos.  The suggestions he made in the “getahindu” blog on 2 August 2012 was that people should inform media companies that Freelancer engaged in “immoral and (potentially) criminal behaviours”.  None of these complaints and accusations by Mr Szczepanski was ever substantiated.  Each of them was starkly inconsistent with the content of his complimentary communications with Mr Barrie in March 2012.  They bear the hallmarks of a belligerent combatant emboldened with enthusiasm for his cause, but blind to the objective reality of his own experience.  Mr Szczepanski’s motivated enthusiasm for his “war”, and the lack of objectivity with which he conducted it, is particularly evident in (i) his elaborately distasteful and unjustified depiction of one of Freelancer’s employees as a Nazi sympathiser and (ii) his pathetic public criticism of Mr Barrie’s physical appearance:- see paragraph 107 above.

20. These are all matters that reflect adversely on Mr Szczepanski’s reliability as a witness.  They cause me to express the view that I should be extremely careful before accepting his evidence on any genuinely contentious matters.  And Freelancer’s submissions made it abundantly clear that one such contentious matter was whether or not Mr Szczepanski had suffered any compensable loss or damage.

21. The only breaches that provide a potential basis for any compensation award in favour of Mr Szczepanski are the August 2012 disclosures.  But it is far from clear that those disclosures were the cause of any significant distress or hurt to Mr Szczepanski.  His response to the first of the August 2012 disclosures was that it was “funny”, and contained no complaint about the posting of his given name and his family name.  His second response raised a query about privacy, but made no complaint.  His third response was perhaps a complaint.  His fourth was an implicit threat to add to his previous posts a publication about invasion of his privacy, but it was also an explicit acknowledgement of his responsibility for the contentious edits.  In totality, Mr Szczepanski’s responses rather tend to convey a sense of triumph that his combative forays had provoked what he saw as a mis-step by Freelancer that he could potentially exploit in pursing his “war”.  That view is rather corroborated by two further matters.  The first is the content of Mr Szczepanski’s approach to Mr de Jong in November 2012:- see paragraph 109 above.  The second is his description of Freelancer’s December 2012 and January 2012 Wikipedia posts – when he characterised them as “incompetence or sheer paranoia”.

22. In the months after August 2012, and apart from the approach to Mr de Jong, Mr Szczepanski appears to have made no complaint to Freelancer about the August 2012 disclosures.  Nor do they appear to figure in the subsequent posts that formed part of his “war”.  Instead he reverted to previously expressed assertions to the effect that Freelancer “was a bunch of liars” and “a scam”.

23. In his final oral submissions Mr Szczepanski contended that the 13 August 2012 disclosures should be regarded as several separate breaches, rather than as a single episode.  But he declined to attribute any particular causal significance to those disclosures – irrespective of whether they were viewed separately or together.  He reverted to his primary position that Freelancer’s conduct, and its effect on him should be viewed as a whole.  His view was that if any separate causal attribution exercise was to be undertaken, that was a matter for the Tribunal to undertake.

24. The attribution of causal significance to any particular breach is a matter of obvious difficulty, and it is perhaps understandable that Mr Szczepanski, as an unrepresented party was reluctant to embark upon such an exercise in advance of knowledge of the actual breach findings.  Nevertheless, it would be quite wrong to undertake any damages assessment on the basis of some composite view of Freelancer’s conduct.  There was, in my view, only one breach (the events I have described as the August 2012 disclosure.  And that disclosure was, in my view, not one that the evidence shows was the cause of any significant distress, hurt or loss to Mr Szczepanski.  On his own contemporaneous assertion, he had declared “war” on Freelancer and, as the narrative section of these reasons shows, he was an extremely enthusiastic, undisciplined combatant.  In those circumstances I am left unsatisfied that the use of his name in the August 2012 disclosures occasioned any identifiable and significant hurt or distress. (I am rather inclined - for the reasons I have set out earlier - to the positive view that it did not).  Consequently, in the particular circumstances of this matter I consider that, rather than embarking upon an essentially speculative exercise, the preferable course is to declare that it would be inappropriate to taken any further action in the matter.

    Conclusion

1. The decision under review is set aside.  In substitution for that decision I make a determination that the 9 July 2013 complaint is substantiated.  I declare that Freelancer’s conduct in making the August 2012 disclosures constituted an interference with Mr Szczepanski’s privacy, and that Freelancer should not repeat or continue such conduct.  I declare that it would be inappropriate for any further action to be taken in the matter.

I certify that the preceding 200 paragraphs are a true copy of the reasons for the decision herein of Mr P W Taylor SC, Senior Member

..........................[sgd].............................................

Dated:  30 November 2017

Date(s) of hearing:	18, 19, 20, 21 April 2017; 22, 23 June 2017
Counsel for the Applicant:	Ms K Richardson SC, Mr Peter Gaffney
Solicitors for the Applicant:	Mr T Lange, Piper Alderman
Counsel for the Respondent:	Ms R Higgins, Mr A O'Brien
Solicitors for the Respondent: Joined Party:	Mr G Wrobel, Holding Redlich  In person

Schedule 2 – Freelancer – Wikipedia page entries