After two years of campaigning, Fairfax journalist, Ben Grubb,
finally got the decision he was seeking: metadata could be
considered "personal information" under the Privacy Act 1988 (the 'Privacy Act').
The landmark decision by the Australian Privacy
Commissioner came about after Grubb was refused access to metadata
which is available to law enforcement agencies and councils, but
not to individuals. Telstra, the data controller in this case,
refused access to some personal information described as
“metadata” (namely, IP address information, URL
information and cell tower location information beyond that
retained for billing purposes) on the grounds that it was exempt
under the Privacy Act.
The Australian Privacy Commissioner determined otherwise. The
Commissioner found that "personal information" includes
information whereby an individual may be “reasonably
ascertained” from that information. He concluded that, where
an organisation is able to link an individual to metadata it has
collected via cross-matching information across its systems, the
metadata falls within the definition of "personal
information". This decision was based on the National Privacy
Principles (‘NPP’) under the Privacy Act and not the
Australian Privacy Principles (‘APP’) which came into
force in 2014. However, given the APP did not significantly change
the definition of personal information, it is predicted that more
types of data could be considered personal information, and the
decision is expected to carry substantial weight in future cases
considered under the new regime.
This decision is likely to have a significant impact on large
telecommunications companies holding substantial amounts of
metadata; they will have to consider how data are stored, how it
may be cross-referenced, and their capacity to perform such
cross-referencing. As a result, they could face increased costs in
complying with the Privacy Act, as well as a possible rise in
personal information requests requiring wider disclosure.
The implication of the decision extends beyond the
telecommunications industry. As Anna Johnston, former deputy
privacy commissioner for New South Wales, put it, 'any dataset
which holds unit-record level data can potentially be linked to
data from other sources, which can then lead to someone's
identity being ascertainable'. By categorising metadata in such
a way, data controllers in Australia will have to assess whether
the metadata they hold fall within the definition of personal
information under the Privacy Act.
Concerns have already been raised that uncertainty as to the
personal nature of metadata could stifle innovation. Organisations
will not want to risk penalties (financial or otherwise) if they
use data which could be classified as personal information. For
example, for “serious” or “repeated”
interferences, the Commissioner may apply to the Federal Court or
Federal Circuit Court for an order that the organisation pay a
penalty of up to $340,000 for individuals or $1.7 million for
corporations. Telstra has announced its intention to appeal and is
being supported by the Communications Alliance; this
telecommunications industry body represents the communications
industry and has branded the decision a “regulatory
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
To print this article, all you need is to be registered on Mondaq.com.
Click to Login as an existing user or Register so you can print this article.
Privacy issues require a considered strategy where sets of big data come with ever-increasing regulatory obligations.
Some comments from our readers… “The articles are extremely timely and highly applicable” “I often find critical information not available elsewhere” “As in-house counsel, Mondaq’s service is of great value”
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).