The ongoing debate surrounding what “metadata” actually is, and how it should be characterised under privacy laws has once again resurfaced. This time, the Federal Court will have a chance to decide on the issue, following a decision by the Privacy Commissioner to appeal a finding that denied a journalist access to metadata on the basis that it was not personal information.
Way back in 2013, a then technology journalist for Fairfax, Ben Grubb, asked Telstra to provide him with metadata and other information held by it in relation to his mobile phone on the basis that it constituted ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act) and he was therefore entitled to it.
Telstra did provide some information to Mr Grubb (including his outgoing call records, bills and the customer details they had stored for him), however it submitted that the “metadata” produced from his mobile phone use on Telstra’s network was not personal information, as it was not linked to him in a way that made his identity apparent or reasonably ascertainable.
Unsatisfied with this answer, Mr Grubb lodged a complaint with the Privacy Commissioner. In May 2015, the Commissioner held that Telstra ‘cross-matched’ data across its mobile network in such a way that it was possible to determine a customer’s identity and that Telstra was therefore in breach on NPP 6.1 (as it then was) by refusing to provide Mr Grubb with access to his personal information.
Telstra appealed to the Administrative Appeals Tribunal of Australia (AATA). Taking a strangely narrow approach to the issue, Deputy President Forgie ruled that the mobile network data was not personal information for the purpose of the Privacy Act. Instead, she said that the metadata was actually information about the service provided by Telstra and the delivery of that service, rather than about Mr Grubb and his mobile phone use. On that basis, Telstra was not obliged to provide Mr Grubb with access to the information, despite it being generated directly from his use of Telstra’s services.
Seem contrary to the deliberately broad concept of personal information that is designed to protect individuals? We agree, and so does the Privacy Commissioner. ‘Stay on the line’ to see how the Federal Court approaches the issue.
Access the determination and reasons for determination of Privacy Commissioner Timothy Pilgrim in Ben Grubb and Telstra Corporation Limited  AICmr 35 (1 May 2015) here.
Access the AATA decision of Deputy President S A Forgie in Telstra Corporation Limited and Privacy Commissioner  AATA 991 (18 December 2015) here.
Access the Office of the Australian Information Commissioner’s Press Release here.
Pacnet, a subsidiary acquired by Telstra in April 2015, was hit by a major data breach affecting thousands of customers including The Australian Federal Police and government agencies. The breach occurred two weeks before the deal to acquire Pacnet by Telstra was finalised but was not disclosed to Telstra. Telstra is reportedly considering its legal options in respect of both the breach and the non-disclosure by the vendors.
See the Sydney Morning Herald article here.
Airline Computer Hacking
The FBI has alleged that a cybersecurity researcher had hacked into airline computers 15-20 times causing aircrafts to climb against pilot instructions.
See the report here.