Mr Pilgrim goes on to state in his ruling that Telstra must within 30 business days provide me with access to my metadata, including Internet Protocol (IP) address information, Uniform Resource Locator (URL) information, and cell tower location information beyond what is on my bills. This is in addition to some of the information Telstra handed over to me while the complaint was ongoing, including outgoing call records and some cell tower location information. Telstra must also provide the data free of charge, Mr Pilgrim said, "because of the drawn-out and incremental approach that Telstra has taken to the provision of personal information to the complainant in relation to his access request". As I didn't ask for damages, none will be awarded. I won't be able to access incoming call data though (which law-enforcement agencies can access) as it was successfully argued by Telstra that this would breach the privacy of the person calling. Fair enough (though a bit annoying I won't be able to identify/call back pesky telemarketers).

Telstra appeals decision But it may be a short-lived win. Shortly after the decision was made public, Telstra said it would appeal the decision. It had 28 days to announce whether it would do so. "We respect the role the Privacy Commissioner plays and we share his commitment to transparency, but we will be seeking a review of the determination," Telstra said in a blog post. Meanwhile, it recently backflipped and allowed others to gain access to some of their metadata for a fee, likely as a direct result of my case. What it means

So what does this all mean and will it have wider consequences for businesses? I asked former Deputy Privacy Commissioner for NSW, Anna Johnston, who is now director of Salinger Privacy. "This is a ground-breaking decision," she says. "Telstra argued that geo-location data – the longitude and latitude of cell towers connected to the customer's phone at any given time – was not 'personal information' about a customer, because on its face the data was anonymous. They lost that argument, because the Privacy Commissioner found that a customer's identity could be linked back to the geo-location data by a process of cross-matching different datasets." Ms Johnston went on to say that the implications of the case go well beyond the telcos, which will have to comply with the new metadata retention laws. "It even goes beyond just geo-location data," she says. "This case has far-reaching consequences for any organisation which deals in any form of 'big data'. No-one should think that privacy can be protected simply by leaving out customer names or other identifiers from a database. Any dataset which holds unit-record level data can potentially be linked to data from other sources, which can then lead to someone's identity being ascertainable. "

As a result of the case, the cautious thing for organisations to do now was to assume that even 'anonymised' data meets the definition of "personal information", she said. That data must therefore "be treated in accordance with the Australian Privacy Principles", she said, which would mean that if it was lost the organisation could be fined by the Privacy Commissioner if it didn't take reasonable steps to protect it. While the ruling was made under the old National Privacy Principles — since replaced by the Australian Privacy Principles — Ms Johnston told me that she couldn't see why the Privacy Commissioner's decision would be any different under the new principles, considering the definition of personal information only changed slightly. If anything, the revised definition was a more expansive, pro-consumer definition of what constitutes personal information, she said. Here's a speech I recently gave on my battle: