Ben Grubb and Telstra Corporation Limited  AICmr 35 is a fascinating decision – issued on 1 May 2015 by Timothy Pilgrim, the Australian Privacy Commissioner – especially in the light of our recent posts, such as this one concerning Internet Service Providers (ISPs) and their roles as mere conduits and/or data controllers, or that one concerning the definitions of metadata.
Telstra Corporation Limited (Telstra) describes itself as “Australia’s leading telecommunications and information services company, offering a full range of communications services and competing in all telecommunications markets” and, in particular, in the mobile market.
The complainant in this case argued that Telstra had interfered with his privacy “by failing to provide [him] with access to his personal information held by Telstra in breach of National Privacy Principle (NPP) 6.1 of the Privacy Act 1988 (Cth) (the Privacy Act)” [Principle 6 is one of ten NPPs contained in Schedule 3 of this Australian Act. Note, however, that the NPPs were replaced by the Australian Privacy Principles (APPs) on 12 March 2014].
The complainant’s original access request (which had been refused by Telstra) concerned metadata information. [The content of the communications at stake was, according to the Privacy Commissioner, outside the complainant’s original access request and, as Telstra had not been given an opportunity to deal with this specific demand, the Privacy Commissioner opined that he was not required to examine it, although he did recognise that content of communications was personal data]. The Privacy Commissioner found in favour of the complainant and ordered Telstra to:
- “within 30 business days after the making of this declaration, provide the complainant with access to his personal information held by Telstra in accordance with his request dated 15 June 2013, save that Telstra is not obliged to provide access to inbound call numbers;”
- “provide the complainant with access to the above information free of charge”.
In essence, the Privacy Commissioner thus had to answer the question of whether metadata information was personal information for the purposes of section 6 of the Privacy Act. As the matter related to events that occurred prior to the reforms to the Privacy Act, the pre-reform privacy regime was applicable (and in particular the NPPs).
As a reminder, the pre-reform definition of personal information found in s.6 of the Privacy Act encompasses: “information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion”. [In the new statutory definition post 12 March 2014, the last bit “from the information or opinion” has disappeared].
And one of the general rules under NPP 6.1 is that “access must be provided to the individual upon that individual’s request”.
Two types of metadata were at stake: incoming call records, and network data [these two categories are the creation of Telstra]. As regards incoming call records, although the Privacy Commissioner held the view that these were personal information about the complainant, they were also the personal information of other individuals and deemed worthy of protection from disclosure to him for that reason. Access requests could thus be refused.
But this is not the end of the story. The Privacy Commissioner also had to deal with “network data”. Network data here means, in particular, cell tower location information (latitude and longitude positions), IP addresses and URLs.
Telstra argued that because a “customer’s identity is not apparent from Telstra’s network data nor can it reasonably be ascertained from that metadata”, the data could not be characterised as personal information. Besides, network data was not kept in a single repository [which meant for Telstra that “retrieving this type of data would be impractical, tie up its resources and would have an adverse impact on Telstra’s business”].
The complainant retorted that “[i]f an Australian law enforcement authority (RSPCA, ATO, local council, etc.) can request access to certain aspects of my metadata that is personal to me then I too should also be able to access that information. This information is able to be mined out of Telstra’s systems and given to agencies and is identifiable. I should be able to access that data because it is mine”.
Setting aside the argument relating to ownership, which is not really addressed by the decision, it struck the Privacy Commissioner that if law enforcement authorities were after such information to identify individuals, network data should be considered as information from which the complainant’s identity could reasonably be ascertained. It was therefore personal information within the meaning of s.6 of the Privacy Act, although each type of network data – when taken individually – might not be information from which the complainant’s identity was apparent.
Indeed, as Telstra’s NIO General Manager explained it, “it is possible to extract the data that is held on various network elements and network management systems spread across Telstra’s mobile network, and ascertain a customer’s identity with a good degree of certainty by cross-referencing this metadata with other data held in Telstra’s customer management and subscriber record systems”.
The Privacy Commissioner reached this conclusion despite the transient nature of the network data and the “relative” length and complexity of the metadata retrieval process [which, by the way, were called into question, as the “Information provided by Telstra’s LEL Operations Manager [had] indicated that the costs associated with complying with requests from law enforcement agencies and other regulatory bodies for subscriber information and call charge records are not onerous and depending on the nature of the request may range from $10 for a simple request to at most $200”].
Does this decision imply, therefore, that “mere conduits” are also the “data controllers” of the traffic data they generate (to use the European vocabulary)? And, if they are deemed the data controllers of their traffic data, should they not be required to make sure they both generate and retain only what is necessary (unless they are subject to retention obligations)? [Necessary for what? The conveyance of communications, subscriber billing, traffic management...?] But, if they are the data controllers of their traffic data, and if they have to respond, in a timely fashion, to both law enforcement access requests and data subject requests, are we telling them that it would be better if they had only one comprehensive repository?