Just how exactly identifiable does information have to be before it counts as “personal information”? This is the question the full Federal Court is weighing up as the Privacy Commissioner and Telstra battle it out over the metadata of a former Fairfax journalist.
The three-year old case stems back to June 2013, when then-deputy technology editor for Fairfax Ben Grubb asked Telstra under its obligations in the Privacy Act to hand over all the metadata related to his mobile phone. Telstra responded that Grubb could only get access to information contained in his mobile phone bill, and Grubb filed a complaint with Privacy Commissioner Timothy Pilgrim.
Telstra eventually handed over data of Grubb’s call records, the cell tower he first connected to, and SMS information, but not who had called or texted him. In November 2014, the Privacy Commissioner ordered Telstra to hand over the type of data it would provide to law enforcement agencies under the data retention regime — this was before the two-year mandatory data retention law was passed. In May last year, Pilgrim found Telstra in breach of the Privacy Act because the telco failed to provide access to the IP addresses Grubb was assigned on his mobile phone, his web browsing history, and other cell tower information.
[Over 60 agencies apply to snoop into your metadata]
Just before Christmas, the Administrative Appeals Tribunal overturned Pilgrim’s decision, instead arguing that data on Telstra’s mobile network, such as IP addresses and web browsing history, were not considered personal information. Grubb, who has since left Fairfax for a public relations role, did not wish to take the matter further, but the Privacy Commissioner decided to appeal the decision in the full Federal Court.
In the hearing in Melbourne yesterday, counsel representing the Privacy Commissioner said that the issue boiled down to whether Telstra’s network data was information about an individual or not. Telstra, she argued, had originally conceded that network data could contain personal information — but then effectively walked this back later on.
“If Telstra had taken a different approach … and said network information was not personal information the nature of the inquiry would have been different.”
The Privacy Commissioner is seeking as broad a definition of what can be considered personal information as is possible, and that would include network data, such as a dynamic IP address, that on its own is not sufficient to identify a person, and argues the AAT made an error in ruling out network data as personal information from the outset.
Counsel representing Telstra said the metadata created on Telstra’s mobile network encompassed not only who a person was calling and when, but all communications between a phone and a cell tower, IP addresses, and other data that, although created by a person’s mobile communicating with Telstra’s network, was not personal information as Telstra sees it. Telstra’s lawyer argued that the law, defining personal information as being “about” an individual, was specifically worded to mean related to a person.
[Your metadata fair game, but Brandis’ own off limits]
“In the mobile network information data, it’s not organised by reference to an individual or their mobile phone. Collectively if one looks at mobile network information, collectively it’s all about Telstra’s network towers communicating with millions of devices.”
Telstra says some of the information the Privacy Commissioner wants released would not even be given to law enforcement. Generally, law enforcement only gets data on the first cell tower a person connects to when making a call, not all the subsequent tower connections. Telstra also claimed it doesn’t hand over dynamic IP address information or URLs to law enforcement, either, under the scheme.
The court has reserved its decision, but it was flagged that even if the court overturns the decision and sends it back to the AAT, Grubb might not get all his metadata.
Grubb’s decision not to participate in the case will also be a factor in the final outcome if the AAT’s decision is overturned. The Privacy Foundation is also seeking to become part of the case on the grounds that the Privacy Commissioner is a neutral party, and Telstra is opposed, meaning no one party is fully advocating for the data to be handed over. The court has said it will decide on that once the foundation’s submissions and Telstra’s response are reviewed.
Crikey is committed to hosting lively discussions. Help us keep the conversation useful, interesting and welcoming. We aim to publish comments quickly in the interest of promoting robust conversation, but we’re a small team and we deploy filters to protect against legal risk. Occasionally your comment may be held up while we review, but we’re working as fast as we can to keep the conversation rolling.
The Crikey comment section is members-only content. Please subscribe to leave a comment.
The Crikey comment section is members-only content. Please login to leave a comment.