Australia - Metadata found to constitute "personal information" under the Privacy Act On 1 May 2015, the Privacy Commissioner Timothy Pilgrim handed down a significant ruling that considered the meaning of 'personal information' under the Privacy Act 1988 (Cth) (Act) as it applies to 'metadata' held by internet service providers (ISPs). In Ben Grubb and Telstra Corporation Limited  AICmr 35, the Commissioner found that Telstra had breached its privacy obligations by failing to provide access to the metadata it stored in relation to the mobile phone services of its customer (and Fairfax journalist), Ben Grubb. As the matter relates to events that occurred prior to the Privacy Act reforms which commenced on 12 March 2014, the National Privacy Principles (NPPs) rather than the Australian Privacy Principles (APPs) apply and the comparatively narrow definition of "personal information" under the pre-reform Act, being information that is "about" the complainant, from which the complainant’s identity is apparent, or can reasonably be ascertained. Mr. Grubb had requested access to all metadata stored by Telstra in relation to his mobile phone service on 15 June 2013, under NPP 6.1. Telstra responded by granting access to outbound call details and the length of data usage sessions, but refused access to other types of metadata. Subsequently, Mr. Grubb lodged a privacy complaint with the OAIC in August 2013, in which he claimed that Telstra was refusing access to his own personal information that it held and would otherwise have provided to government agencies, and which Telstra was obligated to provide to him under NPP 6.1. Telstra's main defence was that it was not required to comply with Mr. Grubb's request because the metadata was not 'personal information' under the Act. The Commissioner found in favour of Mr. Grubb on this point, and ordered Telstra to provide all of the metadata requested within 30 business days (except for inbound call numbers). In forming this view, the Commissioner held that: ● the metadata sought by Mr. Grubb was 'personal information' as defined in the Privacy Act, as his identity could be reasonably ascertained by cross-matching the data with other data held on Telstra's various records management systems; and ● as a practical matter, Telstra had the resources and operational capacities (with over 120 staff versed in metadata retrieval), to retrieve and provide the metadata to Mr. Grubb, responding to over 85,000 requests from law enforcements and government agencies each year for metadata of this nature. The Commissioner found however that Telstra was within its rights to refuse Grubb's access to inbound call numbers, on the basis that inbound call numbers are also the personal information of the caller and providing access to this data could have an unreasonable impact on the privacy of the caller. Notably, the definition of 'personal information' under the post-reform Act is even broader than the definition of 'personal information' considered by the Commissioner in this matter, while APP 12 (effective since 12 March 2014) contains equivalent provisions for access to 'personal information' as the former NPP 6.1. As a result, a complaint brought today under the equivalent access provision in APP 12 would more then likely have the same outcome, requiring ISPs to provide individuals with access to all of their metadata (other than inbound call numbers) upon request. Telstra is now appealing the decision of the Privacy Commissioner, and has industry support from the Communications Alliance, who has expressed concern that a broad interpretation of the definition of 'personal information' will have significant cost implications for telecommunications companies. A copy of the ruling is available here. The Communications Alliance media release (4 May 2015) is available here. For more information, please contact Anne-Marie Allgrove, Toby Patten, Jarrod Bayliss-McCulloch or Grace Loukides.