In a decision published this week, the Australian Privacy Commissioner has clarified that 'metadata' may be personal information, where an organisation has the capacity and resources to link that information to an individual. Partner Michael Pattison, Associate Priyanka Nair and Law Graduate Leah Wickman report on the Commissioner's determination, which found that Telstra breached the Privacy Act by failing to provide an individual with access to his metadata.
How does it affect you?
- Organisations that collect user 'metadata' (such as mobile device identifiers and IP addresses) will need to reassess whether this information will be considered 'personal information' in their hands under the Privacy Act.
- The Commissioner appears to take the view that metadata will be 'personal information' in the hands of an organisation if:
  - that organisation has in place a process that would allow it to cross-match its different system records to link the individual to metadata collected on them; and
  - that process would not 'exceed the bounds of what is reasonable' for the organisation to perform in light of its resources and operational capacities.
- This determination is particularly relevant for organisations that already have in place processes for providing an individual's metadata to law enforcement agencies.
Mr Grubb, a journalist, made a request almost two years ago to Telstra for access to 'metadata' Telstra stored about his mobile phone service, having learned that law enforcement agencies could access such records. Telstra provided Mr Grubb with some of his metadata but refused to provide him with access to Internet Protocol (IP) address, Uniform Resource Locator (URL) and cell tower location information. In his determination, the Australian Privacy Commissioner (the Commissioner) found that these types of metadata are 'personal information' under the Privacy Act 1988 (Cth) and that Telstra had breached the Privacy Act by failing to provide Mr Grubb with access to such metadata. The Commissioner also required Telstra to grant Mr Grubb access to this metadata.
On 15 June 2013, Ben Grubb requested access under the Privacy Act to all metadata Telstra stored about him in relation to his mobile phone service. His request included cell tower logs, inbound call and text details, duration of data sessions and telephone calls, and the URLs of websites visited. His request acknowledged that Telstra may charge him a fee. Telstra's initial response notified him that he could access information on his outbound mobile call details and the length of his data usage sessions via online billing, but that his inbound call, text metadata and other metadata would not be released.
Mr Grubb lodged a complaint against Telstra with the Office of the Australian Information Commissioner (OAIC) on 8 August 2013, seeking a declaration that Telstra meet its access obligations under the Privacy Act. Between the lodging of the complaint and the time of the Commissioner's decision, Telstra's policy on customer access to metadata changed, allowing customers to access the same metadata about them that Telstra would provide to law enforcement agencies on request. Telstra's new policy aligns with upcoming changes to the Telecommunications (Interception and Access) Act 1979 (Cth) (TIA) that will require service providers to retain specified metadata and treat such metadata as 'personal information' that is subject to the Privacy Act. Telstra then released much of the requested metadata to Mr Grubb.
However, Telstra continued to refuse access to:
- IP address information;
- URL information; and
- cell tower location information beyond that which Telstra retains for billing purposes.
The Commissioner found that IP address information, URL information and cell tower location information relating to Mr Grubb's use of his mobile phone service was his 'personal information' under the Privacy Act. There was also a question of whether inbound call information could be accessed; the Commissioner ultimately found that this information could not be released because it would compromise the privacy of other individuals.
The Commissioner declared under section 52(1)(b) of the Privacy Act that Telstra:
- had breached NPP 6.1 (now APP 12.1) of the Privacy Act by failing to provide Mr Grubb with access to personal information that Telstra held on him;
- must provide Mr Grubb with access to his personal information in the form of IP address, URL and cell tower location information (to the extent it had not already done so); and
- must provide Mr Grubb with access to the above information free of charge given that resolution of the matter had been drawn out by Telstra maintaining that metadata sought by Mr Grubb was not personal information.
The Australian Privacy Principles (APPs) came into effect on 12 March 2014 and replace the National Privacy Principles (NPPs). The Commissioner's determination on this matter, however, was made under the NPPs because the matter related to events that occurred prior to 12 March 2014.
Information about Mr Grubb
The Commissioner first assessed whether the metadata was information about Mr Grubb and found that it was because the relevant URLs, IP address and cell tower location information could be linked to Mr Grubb.
The identity of Mr Grubb was reasonably ascertainable
In making his determination, the Commissioner broke his consideration of 'reasonably ascertainable' into two parts:
- is it possible for the identity of the individual to be ascertained; and
- if it is possible, is the process of ascertaining the identity of the individual reasonable in the circumstances.
The Commissioner found that it was not only possible for Telstra to ascertain an individual's identity through inquiries and cross-matching against different network and records management systems, but that it already had processes in place to do so in order to allow it to respond to requests from law enforcement agencies. The Commissioner rejected Telstra's arguments that the processes involved in retrieving such information were not reasonable given the complexity, time and cost required. He instead found that such processes are not 'beyond what is reasonable relative to the resources [Telstra] has at its disposal and its existing operational capacities.'
It is unlikely that the Commissioner's analysis would be any different under the new definition of 'personal information' that was introduced on 12 March 2014. The new definition would require the Commissioner to assess whether the metadata is information about an individual who is 'reasonably identifiable'. The narrower definition of personal information, which applied prior to 12 March 2014, was applied in this case, with the Commissioner concluding that the metadata in question amounted to information from which the individual's identity can be 'reasonably ascertained'. This finding suggests that metadata becomes personal information by its association with other personal information of the individual, such as their name. If anything, the grounds for such metadata being personal information have strengthened under the new definition, which only requires such metadata to be information about an individual who is 'reasonably identifiable', and not information from which the individual's identity can be 'reasonably ascertained'.
Telstra has already announced that it will appeal the Commissioner's determination. It is supported by the Communications Alliance, a telecommunications industry body that represents the communications industry. The Communications Alliance has described the Commissioner's decision as a 'stark example of regulatory overreach', and flagged that this decision will only increase the cost burden for telecommunication companies already facing the burden of hundreds of millions of dollars in additional costs due to the incoming mandatory data-retention scheme. The Communications Alliance has also pointed out that law enforcement agencies are likely to use the Commissioner's determination as grounds for seeking broader access rights to metadata than those currently provided for under the new mandatory data retention scheme, which is being introduced through amendments to the TIA.
The incoming amendments to the TIA restrict the types of metadata that service providers (telecommunications carriers, carriage service providers and internet service providers) are required to retain for the purposes outlined in the TIA. This limited data set is deemed personal information for the purposes of the Privacy Act, and service providers must disclose this retained data to the person to whom it relates. The Commissioner's determination that URLs also fall within metadata that an individual has rights to access goes beyond what was envisaged as metadata in the amendments to the TIA. Retention of URLs had been purposely excluded from the new mandatory data retention scheme to ensure that only data that does not go to the content of a communication is retained for the mandatory two-year period.