Key Points:

More types of data could be considered "personal information" than businesses previously thought, and thus covered by the Privacy Act.

Businesses may be forced to invest in better data analysis and retrieval systems to comply with their obligation under the Privacy Act to provide a customer with information held about the customer’s identity, after the Privacy Commissioner determined that a journalist was entitled to receive metadata from his mobile service provider.

In Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015), the Privacy Commissioner held that Telstra breached National Privacy Principles under the Privacy Actbecause it refused to provide the journalist with access to network data relating to him, even though the data by itself revealed nothing about the journalist's identity.

Background

In June 2013, Fairfax journalist Ben Grubb emailed a request to Telstra for "all the metadata information Telstra has stored" about his mobile phone service. Grubb noted that the metadata "would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called and so on".

Telstra replied to Grubb that his online Telstra account showed outbound phone calls and length of data usage sessions. However, without a subpoena, Telstra refused to provide Grubb with most of the other information he sought.

In August 2013, Grubb lodged a complaint against Telstra with the Office of the Australian Information Commissioner (OAIC). Grubb sought a declaration that Telstra meet its access obligation under the Privacy Act and provide him with access to all the information he had requested.

In December 2013, the OAIC began investigating Telstra’s actions. Telstra subsequently provided Grubb with more of the information than he had initially requested, but refused to give him two categories of information:

  • Grubb’s network data, including his internet protocol (IP) address information, the Uniform Resource Locator (URL) information of websites he visited, and cell tower location information; and
  • Grubb’s inbound call records, including the numbers of people who called him.

The question for the Privacy Commissioner was whether Telstra breached its privacy obligations by failing to provide Grubb with his network data and inbound call records.

The Privacy Commissioner’s determination

The Privacy Commissioner determined that Telstra had breached the Privacy Act when it failed to provide Grubb with access to his network data, but not when it withheld Grubb’s inbound call records.

The Privacy Commissioner considered Grubb’s complaint under the National Privacy Principles (NPPs), the predecessor to the current Australian Privacy Principles. The three questions for the Privacy Commissioner were:

  1. Is network data "personal information", for the purposes of the Privacy Act?
  2. Are inbound call records "personal information", for the purposes of the Privacy Act?
  3. If yes, did Telstra breach the NPPs when it withheld that personal information from Grubb?

Network data is "personal information"

The Privacy Commissioner decided that Grubb’s network data was personal information. Under the Privacy Act, "personal information" is information that is—

  • "about an individual", which the Commissioner interpreted as meaning "in some way concerning or connected with an individual"; and
  • recorded in a way that makes the individual’s identity apparent, or reasonably ascertainable.

First, Grubb's network data provided information about Grubb, because the data could be linked with other data held by Telstra’s networks and records to establish what websites he had visited, which was information about Grubb.

Second, the Commissioner decided that Grubb’s identity could be reasonably ascertained from network data. By itself, network data such as cell tower location information or IP addresses contained nothing about Grubb’s identity. However, ascertaining Grubb’s identity from network data was:

  • possible, because Telstra had responded to law enforcement agency requests for metadata by inquiring and cross-matching against different network management and records management systems to ascertain an individual’s identity; and
  • reasonable, because Telstra did not demonstrate that the process was beyond what was reasonable given its operational capacities and resources as a large organisation with over 120 staff with data retrieval expertise.

Telstra argued that none of Grubb's network data was linked in a way that would allow it to reasonably ascertain Grubb's identity. Telstra provided evidence that identifying an individual customer from network data was a "difficult, time-consuming and costly" process that would demand "a great deal of forensic effort".

The Commissioner was unconvinced that this was enough to make the process of ascertaining Grubb's identity unreasonable. He pointed out that Telstra could charge Grubb for the resources required to provide him with his network data, and just because ascertaining someone's identity would be complex or time-consuming did not make the process unreasonable.

Inbound call records are "personal information"

The Privacy Commissioner decided that inbound call records were Grubb’s personal information. First, an inbound call number was about Grubb because Telstra recorded inbound caller numbers in a way that associated the number with Grubb. Second, Grubb’s identity could be reasonably ascertained, as Telstra regularly responded to law enforcement agencies’ requests to identify individuals by associating inbound call numbers to an individual’s phone service and the individual’s identity.

Telstra breached the National Privacy Principles by withholding Grubb’s network data, but not by withholding inbound caller records

Under the NPPs, an organisation that holds personal information about an individual must give the individual access to his or her personal information on the individual's request. The Privacy Commissioner decided that network data was personal information, so Telstra breached the NNPs by failing to provide Grubb access to his network data. The Privacy Commissioner declared that Telstra had to provide Grubb with his network data within 30 business days from 1 May 2015.

However, the Commissioner decided that Telstra’s refusal to give Grubb access to his inbound caller records did not breach the NPPs. The NPPs permitted Telstra to withhold from Grubb any of his personal information which would have an unreasonable impact on the privacy of others. While some callers intended to call Grubb with their number freely identifiable, Telstra pointed out that other callers may have dialled the wrong number, or may have chosen to block their number or pay for a silent line to remain unidentifiable from their number alone. The Commissioner accepted Telstra's evidence that it was impossible for it to edit the incoming callers’ numbers to provide only the numbers of those individuals who intentionally contracted Grubb and did not have a silent line.

Next steps

Telstra can either:

  • provide Grubb with his network data; or
  • apply to have the determination reviewed by the Administrative Appeals Tribunal, the Federal Circuit Court, or the Federal Court of Australia.

The Administrative Appeals Tribunal provides independent merits review, while the Federal Circuit Court and Federal Court of Australia conduct judicial review (ie. they could consider whether the Privacy Commissioner’s decision was wrong in law or his powers were not exercised properly).

Telstra's chief risk officer Kate Hughes has written that the company will seek a review of the determination for "clarification on some important points in the decision". She did not indicate whether Telstra would apply to the Administrative Appeals Tribunal or a Court for the review.

Impact on Australian businesses

The Privacy Commissioner’s determination is highly relevant to the current Privacy Act, because the wording of the current Australian Privacy Principles largely mirror the NPPs under the old Privacy Act.

In light of the determination, more types of data could be considered "personal information" than businesses previously thought. Like Grubb's network data, even data that does not include names or other identifiers may be "personal information" if this data can be linked with other datasets to ascertain an individual’s identity.

The scope of datasets captured by the broader definition is unclear. Telstra's media release, in light of this decision asserted that "personal information" would now include "every single piece of data in our networks, regardless of whether the data reveals the identity or anything else about someone". That claim may be overstated, because data would still need to at least make an individual’s identity reasonably ascertainable before it became "personal information", but even anonymised datasets stripped of its identifiers can be cross-matched with other data to re-identify individuals. For example, in 2010 two researchers were able to re-identify 500,000 Netflix subscribers from a Netflix dataset containing supposedly anonymous movie ratings from those subscribers, which Netflix had released as part of a public competition.

Similarly, it is unclear what steps would be considered unreasonable for a business to take to ascertain an individual’s identity. If complex and time consuming steps can be involved to "reasonably ascertain" an individual’s identity, then businesses that collect data on their customers could be forced to invest more money into improving the way they store, retrieve and supply this data to their customers. The Communications Alliance, the primary telecommunications industry body in Australia, has said these additional measures will be "impractical, unnecessary and will be very costly".