Telstra Just Won An Important Case About Your Metadata


A long-running case on whether you're allowed access to view your own mobile phone metadata — retained by Australia's telecommunications companies for government snooping, including comprehensive call logs and location data — and whether that data is classified as "personal information" has come to an unceremonious end.

Australia's Federal Court has put a stop to a final attempt by Australia's peak privacy advocates to restrict the retention and access of information by Australia's telcos, and the judgment will have wide-ranging implications for what information is considered personal under the terms of the Privacy Act.

The judgment, delivered earlier this morning by the full bench of Justices Dowsett, Kenny and Edelman from Victoria's Federal Court, dismissed the appeal made against Telstra by the Privacy Commissioner just over a year ago. With that, the matter has been closed and a final ruling laid down on a long-running test case.

In 2013 Ben Grubb, at the time a technology journalist and editor at Fairfax Media, petitioned Telstra for access to the same metadata that Australia's largest telco already retained for access by government agencies on request, but was rejected by the telco's own privacy department. A complaint to Australia's Privacy Commissioner led to a protracted court stoush.

In May of 2015, the OAIC Privacy Commissioner Tim Pilgrim ruled that Telstra interfered with Grubb's privacy by failing to provide him access to the metadata, a ruling that Telstra immediately appealed. That appeal was upheld by the Administrative Appeals Tribunal, and the matter then escalated to the Federal Court after the Privacy Commissioner appealed the Tribunal's decision.

In the appeals process which saw the initial ruling overturned in favour of Telstra, AAT deputy president Stephanie Forgie likened the metadata situation to her own car's service history, saying that the records kept at a mechanic responsible for maintaining the vehicle were about the vehicle but not the owner of the vehicle: "It is information about the car, or the repairs, but not about me".

Telstra's essential position was that the metadata attached to Grubb's mobile phone number and Telstra account was not metadata specifically about Grubb; it was "not information about an individual whose identity can reasonably be ascertained from the information in isolation". Instead, the metadata that Telstra retained — and continues to retain — is in reference to the account but not the account owner, even if the owner is inextricably tied to the account.

The Court's dismissal of the appeal and finalising of the existing judgment today effectively enshrines that into law, drastically narrowing the definition of "personal information" under the Privacy Act.

The Australian Privacy Foundation pushed hard, including in submitting documents to the Court, for telecommunications metadata to be classified as personal information under the Act — saying its "highly revelatory" and valuable nature, as well as the potential for deidentified metadata to be re-linked with individual profiles through data matching, should necessarily impose limits on its collection and use by governments and private enterprises alike.

[ComCourts / AustLii]

This story originally appeared on Gizmodo.


Comments

    I think this sets a dangerous precedent in many industries, especially at the moment the Automotive industry. With the big moral debate about who owns vehicle information (with most cars now containing lots of data with connected car systems) this means that the customer won't own their own data, and that it could land in the hands of the vehicle manufacturers or service companies.

    Kind of stupid. We don't live in a police state, nor do we want to. We give up a lot of freedoms to be able to live in a stable and reasonably well-regulated society. However, the powers that be should not have the right to be non-transparent about the information they hold on us.

    The Court's interpretation seems ridiculous because if the information isn't personal information about the account holder then what is it? As far as the other government agencies and the secret agencies are concerned, the whole point is that it DOES provide - or can be very easily used to determine - personal information about the account holder.

    I'm confused

    Instead, the metadata that Telstra retained — and continues to retain — is in reference to the account but not the account owner, even if the owner is inextricably tied to the account.

    So if the government alleges that a person is involved in criminal activity using metadata tied to an account, it is the account that is tied to the criminal activity, not the account owner, even if the owner was inexplicably tied to the account???

    Doesn't that draw questions over a lot of those terrorism cases?

      Exactly, haven't they just raised the bar for the burden of proof? The call/sms is no longer directly linked to the owner of the account, but just related to the account, so wouldn't they now have to provide more evidence to draw a clear link between the owner of the account and the activity e.g. capture images of the owner making calls/sms at the same time as the recorded data?

      Correct.
      If the phone shows it in a certain location, it's the phone in that location, not the owner. The court would have to prove he had the phone at the time.

      If the phone was used for criminal activity, the owner can be held responsible and charged, if it was just in the location, they have to prove who had it at the time.

        Could this logic also apply to say pirate downloads?

        The account downloaded the material, not the name of the account.

          IANAL. I don't see why not. Many judges have ruled "IP address does not equal person". It's like how people can get away with traffic offences, they can only charge the person doing the offence, not the owner.
