Last week the Privacy Commissioner, Timothy Pilgrim (the Commissioner), made a determination that metadata held by Telstra is 'personal information' for the purposes of the Privacy Act 1988 (Cth) (the Act).  Our blog post earlier this week outlined the determination by the Commissioner and his reasoning behind the decision.  Telstra argues that the decision has the potential to hamstring telecommunication companies and ISPs (Telcos) in a sea of compliance red tape (ultimately leading to higher prices for consumers).

Telcos had already expressed their concerns about the additional cost of the Federal Government's mandated two year metadata storage regime (under the Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth)) - see our earlier blog post here.

The Commissioner's decision means that the metadata stored under this regime will also need to be treated as 'personal information' under the Privacy Act as well as the Telecommunications Consumer Protections Code (at least when the metadata is held by organisations who have resources and operational capabilities that are similar to Telstra's).

The following APPs will no doubt be on the minds of the regulatory departments of Telcos across the country:

APP 1 – open and transparent management of personal information

An APP entity's privacy policy must contain the kinds of personal information that the entity collects and holds.  No doubt, many Telcos will need to update their privacy policies to refer to metadata.

Perhaps more significantly, APP entities are required to take reasonable steps to implement practices, procedures and systems to ensure compliance with the APPs.  These practices, procedures and systems are likely to need updating across the board to include metadata within their ambit (including, for example, training staff, updating internal manuals and putting in place systems to identify uses and disclosures of metadata and to mitigate any associated privacy risks).

APP 6 – use or disclosure of personal information

An APP entity is only permitted to use or disclose personal information for certain purposes without the consent of the individual, unless an exception applies.  Telcos will need to consider if their current use and disclosure of metadata is for a purpose permitted under APP 6.  If not, they may need to seek their customers' consent to the use or disclosure, or put in place de-identification processes so that the information is no longer personal information when it is used or disclosed for the particular purpose.

APP 8.1 – cross-border disclosures

Unless an exception applies, before an APP entity discloses personal information about an individual to a person (the overseas recipient):

  1. who is not in Australia or an external Territory; and
  2. who is not the entity or the individual,

the entity must take such steps as are reasonable in the circumstances to ensure that the overseas recipient does not breach the APPs in relation to the information.

Telcos may have to think twice about storing metadata offshore as, if the circumstances are such that this storage is a 'disclosure' (see Chapter 8 of the APP Guidelines), the Telco will have to comply with APP 8.1.

Unless an exception to APP 8.1 applies, under section 16C of the Act, a Telco is deemed to be liable for any acts of the offshore storage provider (that would otherwise be a breach of the APPs) as if they were the Telco's own acts.  This in itself has the potential to drive up costs, as Telcos face the dilemma of bearing the additional risk of using offshore data centres, or the potentially greater costs of relying on local data centres or storing the data themselves.  The same considerations will also apply to the use of international technical support or helpdesks.

APP 11 – security of personal information

If an APP entity holds 'personal information', the entity must take such steps as are reasonable in the circumstances to protect the information:

  1. from misuse, interference and loss; and
  2. from unauthorised access, modification or disclosure.

The Privacy Commissioner has a (succinct) 46-page guide on securing 'personal information', which is designed to provide APP entities with assistance on what the phrase 'steps as are reasonable in the circumstances' may mean in the context of APP 11.  It's not hard to see why the Telcos might be reaching for the Panadol by now.

APP 12 – access to personal information

As we've seen from journalist Ben Grubb's case, individuals will have the right to access their metadata.  According to Telstra, this is no easy process for Telcos to engage in, and will likely be a significant burden on Telco resources.

It's perhaps no surprise, then, that Telstra plans to challenge the Commissioner's ruling.  Moreover, in light of the ongoing publicised corporate failure, across multiple industries, to comply with Australia's new privacy laws, it's likely that Telstra will not be the only organisation interested in the further clarification - or reversal - of this decision.