Telstra has won a court case that could potentially have seen the telco forced to hand over significant amounts of data to individual customers when requested.
For now, Telstra will not have to hand over, to a customer who requests it, all of the data it retains that is linked to an individual’s use of its mobile services, after the Full Federal Court dismissed an appeal by the Australian Privacy Commissioner.
The commissioner sought to undo a decision by the Administrative Appeals Tribunal, which ruled that certain mobile network data held by Telstra in relation to an individual’s mobile service does not constitute “personal information” about an individual.
Former Fairfax journalist Ben Grubb initially engaged in a 22-month legal stoush with Telstra to gain access to ‘metadata’ associated with his mobile phone service.
The data he sought included some that is currently available, warrant-free, to authorised crime fighting bodies under the government’s data retention regime (prior to the data retention regime, it was accessible warrant-free to an even wider range of organisations; since the regime came into effect in October 2015, some data in Grubb’s request requires a warrant to access).
Grubb sought access to data including cell tower logs, inbound call and text details, the duration of mobile data sessions and phone calls, and the URLs of websites he visited.
In July 2013 Telstra told the then-journalist that he would be able to access details of outbound mobile phone calls and the length of data sessions via its online billing portal. However, it said it would not provide Grubb with the other data he sought unless he filed a subpoena.
In response, in August 2013 Grubb filed a complaint with the Privacy Commissioner on the grounds that Telstra had refused him access to his personal information.
Telstra eventually handed over some of the data sought by Grubb but not what the telco categorised as network data. (Telstra also announced in March 2015 that customers would be able to access more of their personal data.)
Privacy Commissioner Timothy Pilgrim ruled in May 2015 that Grubb’s metadata held by the telco constituted personal information and so was subject to Privacy Act obligations.
The Privacy Commissioner ordered Telstra to hand over additional information relating to IP addresses, URLs and cell tower location information (beyond the cell tower location information that Telstra keeps for billing purposes and which the telco had already handed over to Grubb).
Pilgrim found that Telstra had breached section 6.1 of the National Privacy Principles, which states that if an organisation holds personal information about an individual “it must provide the individual with access to the information on request by the individual”.
The principle includes a number of exceptions (such as if it would have an unreasonable impact upon the privacy of other individuals or the request for access is frivolous or vexatious).
In an entry on the telco’s Exchange blog, Telstra’s chief risk officer, Kate Hughes, said the company would seek a review of Pilgrim’s decision.
“As it stands, this determination would require us to go well beyond the lawful assistance we provide to law enforcement agencies today,” Hughes wrote.
“It also goes well beyond what we have to retain under the Government’s data retention regime.”
“Given the broad implications of the decision on the Australian economy and its potential impact on the continued evolution of new technologies in our sector, we feel we need clarification on some important points in the decision. We look forward to gaining that certainty through a review process.”
Telstra appealed the Privacy Commissioner’s ruling and the Administrative Appeals Tribunal overturned Pilgrim’s decision.
The Privacy Commissioner in January 2016 sought a review of the AAT decision by the Full Federal Court.
That appeal was dismissed today, with the Privacy Commissioner lumped with Telstra’s legal costs.
The decision by Justices Kenny and Edelman, supported by Justice Dowsett, states that it “is unnecessary in this case to descend to the detail of whether any of the requested information was ‘personal information’ or not.”
The judgement adds: “Nor is it necessary to canvass the numerous hypothetical examples concerning whether information is ‘about’ an individual or not. There was no ground of appeal which alleged that the AAT erred in its conclusion that none of the information was about Mr Grubb. In other words, the Privacy Commissioner did not seek to establish that any of the information was about Mr Grubb. The appeal was argued only at the high level of generality concerning whether the AAT was correct to give content to the words [‘about an individual’].”
“Our conclusion that those statutory words have content is therefore sufficient to dismiss this appeal,” the justices concluded.
The AAT had ruled that “IP address is not information about an individual,” for example.
“Certainly, it is allocated to an individual’s mobile device so that a particular communication on the internet can be delivered by the Internet Service Provider to that particular mobile device but, I find, an IP address is not allocated exclusively to a particular mobile device and a particular mobile device is not allocated a single IP address over the course of its working life,” AAT Deputy President S A Forgie ruled.
“It changes and may change frequently in the course of a communication,” her December 2015 ruling stated.
“The connection between the person using a mobile device and an IP address is, therefore, ephemeral. In the context of this case, it is not about the person but about the means by which data is transmitted from a person’s mobile device over the internet and a message sent to, or a connection made, with another person’s mobile device.”
“I also accept that it may, but not always, be possible to identify a particular Telstra customer by reference to the mobile network data and other data it maintains,” Forgie stated elsewhere in her ruling.
“That fact does not necessarily lead to the conclusion that the mobile network data is personal information. Whether it is personal information depends upon its characterisation as being about an individual for that is what the definition of ‘personal information’ requires.”
Constellation Research’s Steve Wilson said today’s ruling “still leaves a lot of room for doubt”.
“I’m not satisfied that the logic is clear – above all I’m not satisfied that this is going to produce any clarity,” Wilson said. “The Federal Court appears to accept the OAIC guidelines that workplaces and residences are ‘about’ the individual... so let’s for heaven’s sake have some clarity about what the difference is between a physical address and an IP address.”
IP address allocation information is included in the dataset telcos are required to keep for at least two years as part of the data retention regime, he noted.
A spokesperson for Telstra argued that the decision had provided “clarity and certainty”.
“We will continue to act in the best interest of our customers and ensure we do all we can to protect their privacy and security,” a spokesperson for the telco said.
“The Office of the Australian Information Commissioner notes the judgment made by the Federal Court today to dismiss our appeal of the Administrative Appeals Tribunal’s decision in Telstra Corporation Limited and Privacy Commissioner  AATA 991 (18 December 2015),” the OAIC said in a statement.
“The OAIC is currently considering the decision and has no further comment at this time.”