On 18 December 2015, the Administrative Appeals Tribunal[1]held that metadata does not constitute Personal Information under the Privacy Act, thereby overturning the Privacy Commissioner’s decision that Telstra hand over personal mobile data to those who requested it.

THE STORY SO FAR

Two and a half years ago  Mr Ben Grubb, then a technology journalist with Fairfax, wrote to Telstra seeking access to metadata held by Telstra regrading his mobile phone service, on the basis that this constituted personal information about him and, under thePrivacy Act 1988 (Cth) (Privacy Act), he was entitled to access it.  At that time, the definition of personal information was:

“… information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion.”[2]

In particular, Mr Grub wanted access to various metadata, including the cell tower he was connected to at any given time, URLs he had visited and longitude and latitude information regarding the cell towers used in the communications.

In short, Telstra provided to Mr Grubb the following information:

  1. call data records in relation to outgoing calls, Short Message Service (SMS) messages and Multimedia Messaging Service (MMS) messages from Mr Grubb’s mobile telephone service including:
    1. the originating number, described as the “A-party number”, being Mr Grubb’s mobile number;
    2. the A-party location being the mobile cell location;
    3. the number of the recipient of the communication, the “B-party number”;
    4. the date of the communication;
    5. the time of the communication; and
    6. the duration of the communication in seconds in the case of a call and, in the case of an SMS or MMS, the fact that it was made.
  2. Personal information held in Telstra’s Customer Relationship System including details of Mr Grubb’s full name, address, date of birth, mobile number, email address(es), billing account number, customer ID (identity), IMSI (International Mobile Subscriber Identity), PUK (personal unlocking key), marketing opt outs, SIM (Subscriber Identity Module) category and password.
  3. Sample longitude and latitude coordinates of mobile cells under the following headings:
    1. CGI (computer-generated imagery);
    2. Base Station Name;
    3. Billing name;
    4. MSA Name (Metropolitan Statistical Areas);
    5. State;
    6. Antenna Latitude;
    7. Antenna Bearing;
    8. Technology;
    9. Cell Name;
    10. Base Station Type; and
    11. Date

What Telstra did not provide was:

  1. call data records in relation to incoming calls, SMS messages or MMS messages; and
  2. network data retained by Telstra in relation to communications passing through its mobile networks and the IP address allocated to Mr Grubb’s mobile device for each communication.

Telstra did not provide details of incoming calls, SMS and MMS messages as this would have disclosed the personal information of the calling or messaging party in breach of privacy obligations owed to those parties (Mr Grubb acknowledged this).

Telstra did not disclose network data, or allocated IP address, as it considered this network information metadata was not personal information as Mr Grubb’s identity was not apparent nor could it reasonably be ascertained from that data. 

Not satisfied with this, Mr Grubb lodged a complaint with the Privacy Commissioner (Commissioner) in August 2013.  Following a lengthy process, in May 2015 the Commissioner found that the network information metadata was personal information, and declared that Telstra must provide the requested information to Mr Grubb. 

Perhaps concerned about the floodgates the decision might open, Telstra appealed the Commissioner’s decision to the Australian Administrative Tribunal (AAT).  On 18 December 2015, the AAT allowed Telstra’s appeal, thereby finding that metadata did not constitute personal information.

THE COMMISSIONER’S DECISION

In his decision, the Commissioner found that metadata was personal information as an individual’s identity can reasonably be ascertained from network data such as an international mobile subscriber identity (ISMI), IP Addresses, accessed URLs, longitude and latitude information or other network identifier as the information can be cross matched with information on other databases operated by Telstra. Specifically, the Commissioner found that:

... the process of ascertainment of an individual’s identity involving inquiries from and cross-matching against different network management and records management systems is not only possible, but is in fact, a process that Telstra already puts into practice, not only for network assurance purposes but also in responding to large numbers of requests for metadata by law enforcement agencies and other regulatory bodies.[3]

In finding Mr Grubb’s identity could “reasonably be ascertained” from the metadata, the Commissioner placed significant emphasis on the fact that:

  • Telstra regularly responds to requests from law enforcement agencies to cross-match metadata to identify individuals;
  • between 1 July 2013 and 30 June 2015, Telstra responded to around 85,000 requests for customer information; and
  • prior to the decision being handed down, Telstra announced that customers may access their metadata for a fee.

Ultimately, the Commissioner took the view that if you could combine the metadata with other information, and it did not constitute an unreasonable burden to do so, then the person’s identity could reasonably be ascertained from the metadata and thus constituted personal information.

THE AAT’S DECISION

In allowing Telstra’s appeal, the AAT adopted a different and much narrower approach in its decision.

The AAT considered that the first issue to be dealt with is whether the information to which access is being sought is information “about an individual”. If it is not, that is the end of the matter.  If it is, the next question is whether the identity of that individual “is apparent or can reasonably be ascertained, from the information or opinion.[4]

In terms of whether information is about an individual, the AAT stated:

There is a connection between an individual and the information that means that it is “about” that individual.  Just how strong need that connection be between the two for it to be about an individual?  Putting the issue another way, how tenuous can the link be before information or opinion is not about an individual but about something else or, if still about an individual, not about a particular individual but another?[5] 

In adopting this approach, the AAT found that the mobile network data requested by Mr Grubb was not personal information but instead information about the service Telstra provides to Mr Grubb. In particular, the AAT held that

Once his call or message was transmitted from the first cell that received it from his mobile device, the [mobile network] data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it.  It is not about the content of the call or the message…It is information about the service it provides to Mr Grubb but not about him. (Emphasis added)[6]

Similarly, the AAT found that the IP addresses requested by Mr Grubb were not personal information, but instead was information about the way in which the data was transmitted to Mr Grubb’s phone via the internet. In particular, the AAT stated that:

I am satisfied that an IP address is not information about an individual.  Certainly, it is allocated to an individual’s mobile device so that a particular communication on the internet can be delivered by the Internet Service Provider to that particular mobile device but, I find, an IP address is not allocated exclusively to a particular mobile device and a particular mobile device is not allocated a single IP address over the course of its working life.  It changes and may change frequently in the course of a communication. The connection between the person using a mobile device and an IP address is, therefore, ephemeral.  In the context of this case, it is not about the person but about the means by which data is transmitted from a person’s mobile device over the internet and a message sent to, or a connection made, with another person’s mobile device. (Emphasis added)[7]

Lastly, although the Commissioner placed significant emphasis on the fact that Telstra responds to regular requests from law enforcement agencies to cross-match metadata to identify individuals, the AAT stated that the entitlements of those agencies and Mr Grubb are subject to different legislative regimes. In particular, “each regime seeks to achieve a balance of policy considerations and desirable outcomes.  Those policy considerations include protection of an individual’s privacy, search and rescue, security and law enforcement issues and public safety.”[8] 

SO WHAT DOES THIS MEAN IN PRACTICE?

In summary, this was a comprehensive win for Telstra and significantly narrowed the scope of personal information in terms of metadata.  It also appears unlikely that either Mr Grubb or the Commissioner will appeal this decision. Mr Grubb is no longer working as a journalist (and so has less incentive to run an appeal as part of an ongoing story) and the Commissioner appears reluctant to run an appeal.

That said, there may not be much that is of practical use for carriers, CSPs and ISPs from the AAT’s decision for the following reasons.

Firstly, we are now operating with a revised definition of Personal Information.  It now reads:

personal information means information or an opinion about an identified individual, or an individual who is reasonably identifiable:

a) whether the information or opinion is true or not; and

b) whether the information or opinion is recorded in a material form or not. (emphasis added)

As a result, it is uncertain how the AAT’s reasoning regarding the previous definition should apply to the current definition.  The AAT noted this change of definition but expressly stated that it was not required to deal with the issues at hand under the revised definition.  That said, it would appear reasonable to suggest that the analysis of whether the information is “about an individual” would still be relevant, although it would now be a question of whether the information is about an “identified” individual or an individual who is “reasonably identifiable”.

Secondly, and of more significance, there is now a new relationship between metadata retention by carriage service providers and content service providers (service providers) such as Telstra, and personal information under the Privacy Act following the coming into operation of the Telecommunications (Interception and Access) Act 1979 (TIA Act) as amended by the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015(Data Retention Act).

From 13 October 2015, when section 187LA of the TIA Act came into force, the Privacy Act applies to all carriers, carriage service providers and internet service providers (big and small alike) to the extent that their activities relate to retained data and that, for the purposes of the Privacy Act, that information is regarded as personal information.

The AAT did not consider whether or not a different decision would have been made had the amendments applied in the circumstances of the case. Instead, the AAT noted that it had been agreed by the parties that the amendments did not apply and that it is not the role of the AAT to consider matters “entirely in the abstract”.[9]

Therefore, the interaction between the Privacy Act and the metadata retention provisions of the TIA Act are untested, but have already elicited comment about their uneasy relationship. 

As always with privacy issues, watch this space.