In October 2015, after much debate and public comment, the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Data Retention Act) was enacted by the Commonwealth parliament.
This amended the Telecommunications (Interception and Access) Act 1979 to require, amongst other things, a telecommunications service provider to keep and store ‘metadata’ relating to communications transmitted using that service for a period of two years. Metadata is variously described as the digital ‘footprint’ of a communication (as opposed to the content of the communication itself) and includes:
- telephone numbers;
- the time and length of a telephone call;
- IP addresses;
- email addresses (to and from) on emails;
- start and finish times of internet sessions; and
- the location of an individual involved in communications.
Since the passage of the Data Retention Act in October, the issue has continued to simmer in the background of the public debate. Now a decision by the Administrative Appeals Tribunal (AAT) – Telstra Corporation Limited and Privacy Commissioner  AATA 991 – shortly before Christmas may thrust the legal implications of storing metadata back into the political spotlight.
In June 2013 (that is, before the passage of the Data Retention Act), Mr Ben Grubb, a Fairfax technology journalist, wrote an email to Telstra requesting access to his metadata under the Privacy Act 1988. Telstra responded to the request by providing information that was broadly similar to the standard information provided to all mobile customers in their monthly bill.
Mr Grubb complained to the Privacy Commissioner, who subsequently ruled that Telstra was in breach of the Privacy Act by failing to provide Mr Grubb with all his metadata. Telstra then applied to have the matter considered by the AAT.
The AAT considered whether metadata could be termed “personal information” within section 6(1) of the Privacy Act (as it then was). At the time, this definition read:
“… information or an opinion (including information or an opinion forming part of a database), whether true of not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”. (emphasis added).
This definition was subsequently amended in March 2014 to read:
“personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:
a) whether the information or opinion is true or not; and
b) whether the information or opinion is recorded in material form or not.”
Mr Grubb argued, in essence, that he should have been entitled to access his metadata under the Privacy Act, on the basis that the information that he generates whilst using Telstra services is personal information. If he were not to exist, nor would that data. He noted that every site visited by him reveals a little of his identity. Whilst one site he visits may not identify him, when all the metadata he generates is combined, patterns emerge which could identify him personally and enable his privacy to be infringed.
The AAT, after hearing detailed evidence about the nature of Telstra’s mobile network data, and examining a suite of case law relating to privacy infringement, rejected Mr Grubb’s submissions, and set aside the decision of the Privacy Commissioner. Whilst accepting that it may sometimes be possible to identify a customer using mobile network data alone, it noted that this does not necessarily lead to the conclusion that the data is “personal information”.
It noted that “…the data is all about the way in which Telstra delivers the call or message. That is not about Mr Grubb. … It is information about the service that it provides to Mr Grubb but not about him”. The Tribunal therefore denied Mr Grubb access to his metadata.
The AAT noted that it had not considered how this issue would be decided in light of the passage of the Data Retention Act, and it is not immediately clear if the amended definition of “personal information” would alter the decision were the same complaint to be brought today. Nevertheless, it is a signal that the Privacy Act may not be available as a safeguard against extensive “data trawling” in the service of national security.
The case is sure to generate controversy amongst the community and in the media, and could once again re-ignite the debate about the appropriate balance between surveillance and liberty in the brave new digital age.
If you would like to discuss your rights in more detail, contact our Intellectual Property team today.