Telco industry organisation Communications Alliance says that a recent ruling by the Privacy Commissioner, under which a journalist won access to the so-called 'metadata' associated with his mobile phone service, has "disturbing ramifications for the telecommunications sector and for its millions of customers throughout Australia".
Privacy Commissioner Timothy Pilgrim late last week ruled that Telstra had breached the Privacy Act 1988 "by failing to provide the complainant with access to his personal information".
The ruling related to an almost two-year struggle by Fairfax technology editor Ben Grubb. Grubb had sought access to some of the types of 'metadata' held by telcos that are accessed by law enforcement agencies during investigations.
The Office of the Information Commissioner published the ruling today.
Pilgrim ruled last week that within 30 business days of the his decision the telco must "provide the complainant with access to his personal information held by Telstra in accordance with his request dated 15 June 2013".
As documented in the Privacy Commissioner's ruling (PDF), made on 1 May, Grubb had in 2013 requested "all of the metadata information" associated with his mobile phone service that Telstra had stored.
"The metadata would likely include which cell tower I’m connected to at any given time, the mobile phone number of a text I have received and the time it was received, who is calling and who I’ve called and so on," Grubb requested.
"I assume estimated longitude and latitude positions would be stored too. This is the type of data I would like to receive."
Telstra eventually handed over some of the data requested by Grubb, but said he would need to get a subpoena to access all of the data relevant to his request.
However Pilgrim ruled that Telstra will have to hand over data associated with Grubb's mobile service including IP address information, URL information, and cell tower location information.
In an entry on the telco's Exchange blog, Telstra's chief risk officer, Kate Hughes, said the company would seek a review of Pilgrim's decision.
"As it stands, this determination would require us to go well beyond the lawful assistance we provide to law enforcement agencies today," Hughes wrote.
"It also goes well beyond what we have to retain under the Government’s data retention regime.
"Given the broad implications of the decision on the Australian economy and its potential impact on the continued evolution of new technologies in our sector, we feel we need clarification on some important points in the decision. We look forward to gaining that certainty through a review process."
Pilgrim said that the metadata covered by Grubb's request constituted "personal information" as defined by the National Privacy Principles.
"If an organisation holds personal information about an individual, it must provide the individual with access to the information unless an exception applies to the information in question," Pilgrim's ruling stated.
"There are no exceptions to the obligation to provide access that are relevant to the metadata sought after by the complainant which Telstra has labelled ‘network data’," the ruling stated.
"Accordingly I find that Telstra’s refusal to provide that information in breach of [National Privacy Principle 6.1 of the Privacy Act. "
"Applying the declaration that all metadata is personal information would layer additional costs and complexity on telecommunications service providers, without any tangible benefit in terms of protecting privacy," Communications Alliance argued in a statement issued today.
"Asserting that every single trace of network data - no matter how obscure, unintelligible or remote it is, or whether it reveals anything about a person at all — is captured under the Privacy Act is impractical, unnecessary and will be very costly for industry to manage.
"This is a stark example of regulatory overreach. In making this decision the Privacy Commissioner has stepped into the realm of setting policy, without any consultation with industry and seemingly without a mandate from Government to extend the reach of regulatory obligations deep into the operations of communications service providers."
If the ruling stands it is likely to increase the amount of information handed over to law enforcement agencies by telcos under the government's data retention regime, Communications Alliance argued.
Among the amendments to the data retention bill that the government made before it became law was that individuals would be able to access their own 'metadata'.
That amendment was made in the wake of a parliamentary inquiry that recommended changes to the proposed legislation "to make clear that individuals have the right to access their personal telecommunications data retained by a service provider under the data retention regime".
Telstra announced in March it would establish an online portal that would offer its customers the ability to access their own metadata. However, that data did not include the full range of information requested by Grubb.
"I acknowledge that Telstra’s approach to customer access to metadata has shifted significantly since this complaint was lodged," Pilgrim's ruling stated.
"It is particularly pleasing to note Telstra’s recent online announcement to its customers regarding its policy on customer access to metadata, which states that Telstra customers will now be able to access the same metadata about them (save for shared information) that Telstra would provide to law enforcement agencies, on request without a warrant.
"What this has meant for the complainant is that some information initially withheld has subsequently been provided to him over an 18 month period. Nonetheless, the complainant has still not been provided with all of the personal information that falls within his request and to which I have decided he is entitled."