On 18 December 2015, the Administrative Appeals Tribunal1 held that metadata does not constitute Personal Information under the Privacy Act, thereby overturning the Privacy Commissioner's decision that Telstra hand over personal mobile data to those who requested it.
THE STORY SO FAR
Two and a half years ago Mr Ben Grubb, then a technology journalist with Fairfax, wrote to Telstra seeking access to metadata held by Telstra regarding his mobile phone service, on the basis that this constituted personal information about him and, under the Privacy Act 1988 (Cth) (Privacy Act), he was entitled to access it. At that time, the definition of personal information was:
In particular, Mr Grub wanted access to various metadata, including the cell tower he was connected to at any given time, URLs he had visited and longitude and latitude information regarding the cell towers used in the communications.
In short, Telstra provided to Mr Grubb the following information:
- call data records in relation to outgoing calls, Short Message Service (SMS) messages and Multimedia Messaging Service (MMS) messages from Mr Grubb's mobile telephone service including:
- the originating number, described as the "A-party number", being Mr Grubb's mobile number;
- the A-party location being the mobile cell location;
- the number of the recipient of the communication, the "B-party number";
- the date of the communication;
- the time of the communication; and
- the duration of the communication in seconds in the case of a call and, in the case of an SMS or MMS, the fact that it was made.
- Personal information held in Telstra's Customer Relationship System including details of Mr Grubb's full name, address, date of birth, mobile number, email address(es), billing account number, customer ID (identity), IMSI (International Mobile Subscriber Identity), PUK (personal unlocking key), marketing opt outs, SIM (Subscriber Identity Module) category and password.
- Sample longitude and latitude coordinates of mobile cells under the following headings:
- CGI (computer-generated imagery);
- Base Station Name;
- Billing name;
- MSA Name (Metropolitan Statistical Areas);
- Antenna Latitude;
- Antenna Bearing;
- Cell Name;
- Base Station Type; and
What Telstra did not provide was:
- call data records in relation to incoming calls, SMS messages or MMS messages; and
- network data retained by Telstra in relation to communications passing through its mobile networks and the IP address allocated to Mr Grubb's mobile device for each communication.
Telstra did not provide details of incoming calls, SMS and MMS messages as this would have disclosed the personal information of the calling or messaging party in breach of privacy obligations owed to those parties (Mr Grubb acknowledged this).
Telstra did not disclose network data, or allocated IP address, as it considered this network information metadata was not personal information as Mr Grubb's identity was not apparent nor could it reasonably be ascertained from that data.
Not satisfied with this, Mr Grubb lodged a complaint with the Privacy Commissioner (Commissioner) in August 2013. Following a lengthy process, in May 2015 the Commissioner found that the network information metadata was personal information, and declared that Telstra must provide the requested information to Mr Grubb.
Perhaps concerned about the floodgates the decision might open, Telstra appealed the Commissioner's decision to the Australian Administrative Tribunal (AAT). On 18 December 2015, the AAT allowed Telstra's appeal, thereby finding that metadata did not constitute personal information.
THE COMMISSIONER'S DECISION
In his decision, the Commissioner found that metadata was personal information as an individual's identity can reasonably be ascertained from network data such as an international mobile subscriber identity (ISMI), IP Addresses, accessed URLs, longitude and latitude information or other network identifier as the information can be cross matched with information on other databases operated by Telstra. Specifically, the Commissioner found that:
In finding Mr Grubb's identity could "reasonably be ascertained" from the metadata, the Commissioner placed significant emphasis on the fact that:
- Telstra regularly responds to requests from law enforcement agencies to cross-match metadata to identify individuals;
- between 1 July 2013 and 30 June 2015, Telstra responded to around 85,000 requests for customer information; and
- prior to the decision being handed down, Telstra announced that customers may access their metadata for a fee.
Ultimately, the Commissioner took the view that if you could combine the metadata with other information, and it did not constitute an unreasonable burden to do so, then the person's identity could reasonably be ascertained from the metadata and thus constituted personal information.
THE AAT'S DECISION
In allowing Telstra's appeal, the AAT adopted a different and much narrower approach in its decision.
The AAT considered that the first issue to be dealt with is whether the information to which access is being sought is information "about an individual". If it is not, that is the end of the matter. If it is, the next question is whether the identity of that individual "is apparent or can reasonably be ascertained, from the information or opinion."4
In terms of whether information is about an individual, the AAT stated:
In adopting this approach, the AAT found that the mobile network data requested by Mr Grubb was not personal information but instead information about the service Telstra provides to Mr Grubb. In particular, the AAT held that
Similarly, the AAT found that the IP addresses requested by Mr Grubb were not personal information, but instead was information about the way in which the data was transmitted to Mr Grubb's phone via the internet. In particular, the AAT stated that:
Lastly, although the Commissioner placed significant emphasis on the fact that Telstra responds to regular requests from law enforcement agencies to cross-match metadata to identify individuals, the AAT stated that the entitlements of those agencies and Mr Grubb are subject to different legislative regimes. In particular, "each regime seeks to achieve a balance of policy considerations and desirable outcomes. Those policy considerations include protection of an individual's privacy, search and rescue, security and law enforcement issues and public safety."8
SO WHAT DOES THIS MEAN IN PRACTICE?
In summary, this was a comprehensive win for Telstra and significantly narrowed the scope of personal information in terms of metadata. It also appears unlikely that either Mr Grubb or the Commissioner will appeal this decision. Mr Grubb is no longer working as a journalist (and so has less incentive to run an appeal as part of an ongoing story) and the Commissioner appears reluctant to run an appeal.
That said, there may not be much that is of practical use for carriers, CSPs and ISPs from the AAT's decision for the following reasons.
Firstly, we are now operating with a revised definition of Personal Information. It now reads:
- whether the information or opinion is true or not; and
- whether the information or opinion is recorded in a material form or not. (emphasis added)
As a result, it is uncertain how the AAT's reasoning regarding the previous definition should apply to the current definition. The AAT noted this change of definition but expressly stated that it was not required to deal with the issues at hand under the revised definition. That said, it would appear reasonable to suggest that the analysis of whether the information is "about an individual" would still be relevant, although it would now be a question of whether the information is about an "identified" individual or an individual who is "reasonably identifiable".
Secondly, and of more significance, there is now a new relationship between metadata retention by carriage service providers and content service providers (service providers) such as Telstra, and personal information under the Privacy Act following the coming into operation of the Telecommunications (Interception and Access) Act 1979 (TIA Act) as amended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Data Retention Act).
From 13 October 2015, when section 187LA of the TIA Act came into force, the Privacy Act applies to all carriers, carriage service providers and internet service providers (big and small alike) to the extent that their activities relate to retained data and that, for the purposes of the Privacy Act, that information is regarded as personal information.
The AAT did not consider whether or not a different decision would have been made had the amendments applied in the circumstances of the case. Instead, the AAT noted that it had been agreed by the parties that the amendments did not apply and that it is not the role of the AAT to consider matters "entirely in the abstract".9
Therefore, the interaction between the Privacy Act and the metadata retention provisions of the TIA Act are untested, but have already elicited comment about their uneasy relationship.
As always with privacy issues, watch this space.
1 Telstra Corporation Limited v Privacy Commissioner  AATA 991, a copy of which can be found here.
2 Privacy Act 1988 (Cth) section 6(1) prior to 12 March 2014. Note that the definition changed on and from that date as set out below.
3 Ben Grubb v Telstra Corporation Limited  AICmr 35 at 
4 Ibid at 
5 Ibid at 
6 Ibid at 
7 Ibid at 
8Ibid at 
9Ibid at 
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
|Most awarded firm and Australian deal of
Australasian Legal Business Awards
|Employer of Choice for
Equal Opportunity for Women
in the Workplace (EOWA)