A long-running battle over whether or not telcos should have to provide stored metadata to customers on request — which evolved over numerous appeals into a battle over which data should be considered personal — appears to have come to an unsatisfying end this week in Australia's Federal Court.
The case between the Privacy Commissioner and Telstra was sparked two years ago when the former ordered the telco to supply metadata on request, on the grounds that it was the personal data of the customer. With this latest decision, Telstra will not be obliged to obey that order.
As the government was preparing to introduce new rules in 2013 that would oblige telcos to store the data generated when customers used their services (for example not your voice or articles you read online, but information on your calls, location and IP addresses of sites you visit), Ben Grubb, then a journalist at Fairfax Media, asked his telco Telstra for a copy of the data.
Telstra provided some information, but not the complete set it would be required to give to law enforcement if asked under the retention laws.
In 2015 the Privacy Commissioner ruled against Telstra, ordering it to provide the missing data, but the decision was overturned when Telstra appealed to the Administrative Appeals Tribunal (AAT).
A counter appeal from the Privacy Commissioner saw the issue taken to the Federal Court, where it was ultimately dismissed this week.
"It's obviously a disappointing outcome," Grubb says, "but I'm really grateful that the Privacy Commissioner followed this through by going to the Federal Court to appeal it".
Grubb says he believes the protracted, public legal stoush may have influenced the system to change for the better, even if Telstra was ultimately vindicated.
"The point of this case was to get my telco to hand over what they were already providing to law-enforcement agencies on a case-by-case basis. In effect, the case achieved most of this, with Telstra eventually allowing consumers to access a lot of what they had on file about their users," Grubb says, referring to a change the telco made in 2015.
Still, this week's decision means his original request for metadata will ultimately not be fulfilled.
"At first, Telstra refused me access to information beyond my billing information. They then provided further information, but not all of what I was requesting. Wednesday's decision means that I won't be provided with that further information, which included, among other information, IP addresses, URLs, and specific cell tower location information," Grubb says.
"I still worry about scope creep with regards to data retention. The recent discussion paper put out just before Christmas by the government to enable even more entities to access our highly personal information is worrying, and something many privacy advocates warned would likely end up happening once the data retention laws were passed."
Anna Johnston, director of Salinger Privacy and former deputy privacy commissioner for NSW, says people shouldn't interpret this week's decision as the court "gutting" the definition of what "personal information" is. Rather, the court has just declined to resolve questions still up in the air.
In a detailed blog post explaining the case, Johnston argues that the AAT's interpretations in its decision in favour of Telstra were "ridiculous", and "completely undermined our privacy laws". The AAT's view that some metadata was not personal information, and so need not be provided to customers, hinged on the fact that the data was about connections between mobile devices, rather than about a person.
But, Johnston writes, surely the data can be both things at once.
"Even car repair records, which certainly have been created for the primary purpose of dealing with a car rather than a human being, will have information about the car owner", like their address, phone number and car make, Johnston writes.
In this case, though, the Privacy Commissioner failed to make this distinction in its appeal to the Federal Court.
"Instead of arguing that information could be 'about' more than one thing, i.e. that metadata could be 'about' both the delivery of a network service and the customer receiving that service," Johnston wrote, "the Privacy Commissioner's legal team argued that the phrase 'about an individual' was redundant, and should simply be ignored," and the argument was ultimately rejected by the court.
Speaking to Fairfax Media, Johnston said the situation is complicated by the fact that definitions in the Telecommunications (Interception And Access) Act have changed in the time since Grubb first lodged his complaint.
Johnston believes Telstra was in the wrong in refusing to supply the information, but the privacy commissioner went the wrong way about setting things right (although she says the door is not closed for a fix to come in future with another complaint).
With the rules as they currently are, Johnston believes the case could be made for information to be provided if the complainant could show why the data was personal.
"I would argue that the Federal Court left open the possibility that the data Ben Grubb and Telstra were arguing about would be 'personal information', because they said that the individual needs to be a subject matter, not the subject, as the AAT said," Johnston says.
"The judges stressed the need to consider "the totality of the information". In other words, linkability to an identifiable individual might still make something 'personal information', and thus within the scope of our privacy laws."
0 comments
New User? Sign up