Your Metadata Isn’t Private Personal Information, Federal Court Decides

A long-running case on whether you’re allowed access to view your own mobile phone metadata — retained by Australia’s telecommunications companies for government snooping, including comprehensive call logs and location data — and whether that data is classified as “personal information” has come to an unceremonious end.

Australia’s Federal Court has put a stop to a final attempt by Australia’s peak privacy advocates to restrict the retention of, and access to, information by Australia’s telcos, and the judgment will have wide-ranging implications for what information is considered personal under the terms of the Privacy Act.

Spies Can Access My Metadata, So Why Can’t I?

The judgment, delivered earlier this morning by the full bench of Justices Dowsett, Kenny and Edelman from Victoria’s Federal Court, dismissed the appeal made against Telstra by the Privacy Commissioner just over a year ago. With that, the matter has been closed and a final ruling laid down on a long-running test case.

In 2013 Ben Grubb, at the time a technology journalist and editor at Fairfax Media, petitioned Telstra for access to the same metadata that Australia’s largest telco already retained for access by government agencies on request, but was rejected by the telco’s own privacy department. A complaint to Australia’s Privacy Commissioner led to a protracted court stoush.

In May of 2015, the OAIC Privacy Commissioner Tim Pilgrim ruled that Telstra interfered with Grubb’s privacy by failing to provide him access to the metadata, a position that Telstra immediately appealed. That appeal was upheld by the Administrative Appeals Tribunal, and the matter then escalated to the Federal Court when the Privacy Commissioner appealed that decision.

In the appeals process which saw the initial ruling overturned in favour of Telstra, AAT deputy president Stephanie Forgie likened the metadata situation to her own car’s service history, saying that the records kept at a mechanic responsible for maintaining the vehicle were about the vehicle but not the owner of the vehicle: “It is information about the car, or the repairs, but not about me”.

Telstra’s essential position was that the metadata attached to Grubb’s mobile phone number and Telstra account was not metadata specifically about Grubb; it was “not information about an individual whose identity can reasonably be ascertained from the information in isolation”. Instead, the metadata that Telstra retained — and continues to retain — is in reference to the account but not the account owner, even if the owner is inextricably tied to the account.

The Court’s dismissal of the appeal and finalising of the existing judgment today effectively enshrines that into law, drastically narrowing the definition of “personal information” under the Privacy Act.

The Australian Privacy Foundation pushed hard, including in submitting documents to the Court, for telecommunications metadata to be classified as personal information under the Act — saying its “highly revelatory” and valuable nature, as well as the potential for deidentified metadata to be re-linked with individual profiles through data matching, should necessarily impose limits on its collection and use by governments and private enterprises alike.

[ComCourts / AustLii]
