Australia: Metadata - it's not about you after all

On 18 December 2015, the Administrative Appeals Tribunal1 held that metadata does not constitute Personal Information under the Privacy Act, thereby overturning the Privacy Commissioner's decision that Telstra hand over personal mobile data to those who requested it.

THE STORY SO FAR

Two and a half years ago Mr Ben Grubb, then a technology journalist with Fairfax, wrote to Telstra seeking access to metadata held by Telstra regarding his mobile phone service, on the basis that this constituted personal information about him and, under the Privacy Act 1988 (Cth) (Privacy Act), he was entitled to access it. At that time, the definition of personal information was:

"... information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion."2

In particular, Mr Grub wanted access to various metadata, including the cell tower he was connected to at any given time, URLs he had visited and longitude and latitude information regarding the cell towers used in the communications.

In short, Telstra provided to Mr Grubb the following information:

  1. call data records in relation to outgoing calls, Short Message Service (SMS) messages and Multimedia Messaging Service (MMS) messages from Mr Grubb's mobile telephone service including:
    1. the originating number, described as the "A-party number", being Mr Grubb's mobile number;
    2. the A-party location being the mobile cell location;
    3. the number of the recipient of the communication, the "B-party number";
    4. the date of the communication;
    5. the time of the communication; and
    6. the duration of the communication in seconds in the case of a call and, in the case of an SMS or MMS, the fact that it was made.
  1. Personal information held in Telstra's Customer Relationship System including details of Mr Grubb's full name, address, date of birth, mobile number, email address(es), billing account number, customer ID (identity), IMSI (International Mobile Subscriber Identity), PUK (personal unlocking key), marketing opt outs, SIM (Subscriber Identity Module) category and password.
  2. Sample longitude and latitude coordinates of mobile cells under the following headings:
    1. CGI (computer-generated imagery);
    2. Base Station Name;
    3. Billing name;
    4. MSA Name (Metropolitan Statistical Areas);
    5. State;
    6. Antenna Latitude;
    7. Antenna Bearing;
    8. Technology;
    9. Cell Name;
    10. Base Station Type; and
    11. Date

What Telstra did not provide was:

  1. call data records in relation to incoming calls, SMS messages or MMS messages; and
  2. network data retained by Telstra in relation to communications passing through its mobile networks and the IP address allocated to Mr Grubb's mobile device for each communication.

Telstra did not provide details of incoming calls, SMS and MMS messages as this would have disclosed the personal information of the calling or messaging party in breach of privacy obligations owed to those parties (Mr Grubb acknowledged this).

Telstra did not disclose network data, or allocated IP address, as it considered this network information metadata was not personal information as Mr Grubb's identity was not apparent nor could it reasonably be ascertained from that data.

Not satisfied with this, Mr Grubb lodged a complaint with the Privacy Commissioner (Commissioner) in August 2013. Following a lengthy process, in May 2015 the Commissioner found that the network information metadata was personal information, and declared that Telstra must provide the requested information to Mr Grubb.

Perhaps concerned about the floodgates the decision might open, Telstra appealed the Commissioner's decision to the Australian Administrative Tribunal (AAT). On 18 December 2015, the AAT allowed Telstra's appeal, thereby finding that metadata did not constitute personal information.

THE COMMISSIONER'S DECISION

In his decision, the Commissioner found that metadata was personal information as an individual's identity can reasonably be ascertained from network data such as an international mobile subscriber identity (ISMI), IP Addresses, accessed URLs, longitude and latitude information or other network identifier as the information can be cross matched with information on other databases operated by Telstra. Specifically, the Commissioner found that:

... the process of ascertainment of an individual's identity involving inquiries from and cross-matching against different network management and records management systems is not only possible, but is in fact, a process that Telstra already puts into practice, not only for network assurance purposes but also in responding to large numbers of requests for metadata by law enforcement agencies and other regulatory bodies.3

In finding Mr Grubb's identity could "reasonably be ascertained" from the metadata, the Commissioner placed significant emphasis on the fact that:

  • Telstra regularly responds to requests from law enforcement agencies to cross-match metadata to identify individuals;
  • between 1 July 2013 and 30 June 2015, Telstra responded to around 85,000 requests for customer information; and
  • prior to the decision being handed down, Telstra announced that customers may access their metadata for a fee.

Ultimately, the Commissioner took the view that if you could combine the metadata with other information, and it did not constitute an unreasonable burden to do so, then the person's identity could reasonably be ascertained from the metadata and thus constituted personal information.

THE AAT'S DECISION

In allowing Telstra's appeal, the AAT adopted a different and much narrower approach in its decision.

The AAT considered that the first issue to be dealt with is whether the information to which access is being sought is information "about an individual". If it is not, that is the end of the matter. If it is, the next question is whether the identity of that individual "is apparent or can reasonably be ascertained, from the information or opinion."4

In terms of whether information is about an individual, the AAT stated:

There is a connection between an individual and the information that means that it is "about" that individual. Just how strong need that connection be between the two for it to be about an individual? Putting the issue another way, how tenuous can the link be before information or opinion is not about an individual but about something else or, if still about an individual, not about a particular individual but another?5

In adopting this approach, the AAT found that the mobile network data requested by Mr Grubb was not personal information but instead information about the service Telstra provides to Mr Grubb. In particular, the AAT held that

Once his call or message was transmitted from the first cell that received it from his mobile device, the [mobile network] data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message...It is information about the service it provides to Mr Grubb but not about him. (Emphasis added)6

Similarly, the AAT found that the IP addresses requested by Mr Grubb were not personal information, but instead was information about the way in which the data was transmitted to Mr Grubb's phone via the internet. In particular, the AAT stated that:

I am satisfied that an IP address is not information about an individual. Certainly, it is allocated to an individual's mobile device so that a particular communication on the internet can be delivered by the Internet Service Provider to that particular mobile device but, I find, an IP address is not allocated exclusively to a particular mobile device and a particular mobile device is not allocated a single IP address over the course of its working life. It changes and may change frequently in the course of a communication. The connection between the person using a mobile device and an IP address is, therefore, ephemeral. In the context of this case, it is not about the person but about the means by which data is transmitted from a person's mobile device over the internet and a message sent to, or a connection made, with another person's mobile device. (Emphasis added)7

Lastly, although the Commissioner placed significant emphasis on the fact that Telstra responds to regular requests from law enforcement agencies to cross-match metadata to identify individuals, the AAT stated that the entitlements of those agencies and Mr Grubb are subject to different legislative regimes. In particular, "each regime seeks to achieve a balance of policy considerations and desirable outcomes. Those policy considerations include protection of an individual's privacy, search and rescue, security and law enforcement issues and public safety."8

SO WHAT DOES THIS MEAN IN PRACTICE?

In summary, this was a comprehensive win for Telstra and significantly narrowed the scope of personal information in terms of metadata. It also appears unlikely that either Mr Grubb or the Commissioner will appeal this decision. Mr Grubb is no longer working as a journalist (and so has less incentive to run an appeal as part of an ongoing story) and the Commissioner appears reluctant to run an appeal.

That said, there may not be much that is of practical use for carriers, CSPs and ISPs from the AAT's decision for the following reasons.

Firstly, we are now operating with a revised definition of Personal Information. It now reads:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
  1. whether the information or opinion is true or not; and
  2. whether the information or opinion is recorded in a material form or not. (emphasis added)

As a result, it is uncertain how the AAT's reasoning regarding the previous definition should apply to the current definition. The AAT noted this change of definition but expressly stated that it was not required to deal with the issues at hand under the revised definition. That said, it would appear reasonable to suggest that the analysis of whether the information is "about an individual" would still be relevant, although it would now be a question of whether the information is about an "identified" individual or an individual who is "reasonably identifiable".

Secondly, and of more significance, there is now a new relationship between metadata retention by carriage service providers and content service providers (service providers) such as Telstra, and personal information under the Privacy Act following the coming into operation of the Telecommunications (Interception and Access) Act 1979 (TIA Act) as amended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Data Retention Act).

From 13 October 2015, when section 187LA of the TIA Act came into force, the Privacy Act applies to all carriers, carriage service providers and internet service providers (big and small alike) to the extent that their activities relate to retained data and that, for the purposes of the Privacy Act, that information is regarded as personal information.

The AAT did not consider whether or not a different decision would have been made had the amendments applied in the circumstances of the case. Instead, the AAT noted that it had been agreed by the parties that the amendments did not apply and that it is not the role of the AAT to consider matters "entirely in the abstract".9

Therefore, the interaction between the Privacy Act and the metadata retention provisions of the TIA Act are untested, but have already elicited comment about their uneasy relationship.

As always with privacy issues, watch this space.

Footnotes

1 Telstra Corporation Limited v Privacy Commissioner [2015] AATA 991, a copy of which can be found here.

2 Privacy Act 1988 (Cth) section 6(1) prior to 12 March 2014. Note that the definition changed on and from that date as set out below.

3 Ben Grubb v Telstra Corporation Limited [2015] AICmr 35 at [82]

4 Ibid at [97]

5 Ibid at [99]

6 Ibid at [112]

7 Ibid at [113]

8Ibid at [114]

9Ibid at [115]

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

Most awarded firm and Australian deal of the year
Australasian Legal Business Awards
Employer of Choice for Women
Equal Opportunity for Women
in the Workplace (EOWA)

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Bartier Perry
 
Some comments from our readers…
“The articles are extremely timely and highly applicable”
“I often find critical information not available elsewhere”
“As in-house counsel, Mondaq’s service is of great value”

Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Bartier Perry
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions