Privacy, metadata and the new landscape
Barely underway and the new year is already delivering some interesting things. On 19 January the Federal Court of Australia handed down its long-awaited decision in the Privacy Commissioner’s submission: Grubb vs Telstra – a case of some significance to privacy.
For those of you who may have missed it, here’s a quick précis:
This case was initiated by Fairfax tech journalist Ben Grubb who asked Telstra in June 2013 for all of the Personal Information (PI), including metadata they had on his customer file for his mobile phone service, including (but not only) cell tower logs, inbound call and text details, duration of data sessions and telephone calls and the URLs of websites visited. He was curious to discover what that metadata might show.
Personal information is defined, according to law firm Minter Ellison as “information or an opinion about an identified individual, or an individual who is reasonably identifiable.”
Telstra fulfilled the request however without the requested metadata, citing that it was unidentifiable ‘network data’ and their compliance with the Privacy Act (2003). Metadata, so you know, can be best defined as a set of data that describes and gives information about other data, like geolocation data for example.
At this point Mr Grubb asked the Office of the Australian Information Commissioner (OAIC i.e. the Privacy Commissioner) for a determination. The OAIC investigated and agreed with his position and instructed Telstra in May 2015, to surrender the information. However, Telstra appealed in December 2015 via the Administrative Appeals Tribunal (AAT), arguing that metadata was not personal information as it was unidentifiable and therefore not subject to the Privacy Act (2003) thus rendering the initial decision invalid.
In it’s finding, the AAT, somewhat unexpectedly concluded that mobile network data was “about connections between mobile devices” and the manner in which that service is delivered rather than “about an individual” therefore proving Telstra’s position.
The Privacy Commissioner appealed to the Federal Court where its submission was denied on a point of law.
So what does it mean in an increasingly data-driven world?
• The AAT judgement has effectively narrowed the definition of PI to when an individual is the subject of the information.
• In effect, the definition of PI remains as it was in 2014: “information or an opinion about an identified individual, or an individual who is reasonably identifiable.” However, this is now more intertwined with an element of identifiability and it remains to be seen whether a small change in language will make any practical difference to the application of the law.
• If you consider your situation is not covered by this definition of PI, then tread warily. The Privacy Act has broad application and lawyers are tending to take a conventional approach.
• If you are covered by definition, then the full effects of the Privacy Act apply.
The Association for Data-driven Marketing and Advertising (ADMA) has factsheets on the Privacy Act covering Rights, Responsibilities and Spam, that can be downloaded from the Compliance Hub. If you find that you’re not sure, get in touch with DGA via email.