Ben Grubb v Telstra Corporation Ltd [2015] AICmr: access to personal information, meta data, Privacy Act 1988
May 5, 2015 |
The Privacy Commissioner has found that Telstra Corporation Ltd (“Telstra”) has breached National Privacy Principle 6.1 in failing to provide to the applicant, Ben Grubb (“Grubb”) access to his personal information in Ben Grubb v Telstra Corporation Limited [2015] AICmr 35.
FACTS
On 15 June 2013 Grubb sought access under the Privacy Act 1988 to
‘all the metadata information Telstra has stored’
On 16 July 2013 Telstra told Grubb that he could access his outbound mobile call details and the length of his data usage sessions via online billing. What one sees on one’s bills. Telstra said any further material could not be provided due to the Privacy Act and that he would need a subpoena for that information.
On 8 August 2013 Grubb lodged a complaint with the Office of the Australian Information Commissioner under section 36 [6].
Since the determination hearing Telstra provided, at [27], the following categories of information/documents to Grubb:
- call data records in relation to all outgoing calls, short message service (SMS) messages and multimedia messaging service (MMS) messages from the complainant’s mobile telephone service since 2011. Outgoing call records include the following information:
- subscriber information including name, address, date of birth, mobile number, email address, billing account number, customer ID, IMSI (International Mobile Subscriber Identity) number, PUK (Personal UnlockKey) number, SIM (Subscriber Identity Module) category and requested password for account
- the complainant’s International Mobile Station Equipment Identity (IMEI)
- the colour of his mobile device
- his Handset ID
- his Mobile Device Payment Option (that is, the payment method for the mobile device) and his Network type (the mobile network utilised by his mobile phone service).
and, at [28]
DECISION
Telstra did not provide categories of data described, at [30], as:
- network data
- incoming call records
which has been broken down into 3 sub types of data described, at [32], as:
- Internet Protocol (IP) address information
- Uniform Resource Locator (URL) information
- Cell tower location information beyond the cell tower location information that Telstra retains for billing purposes (to which the complainant has beengiven access).
NPP 6.1 relevantly provides, at [18];
It now finds its expression in Australian Privacy Principle 12.1.
It was common ground, at [19], that:
Telstra’s position
Telstra’s overall position is summarised at [34] (see also [44] – [46]) as:
Grubb’s position
Grubb submitted, at [35], that the metadata stored about him:
- is his personal information
- in relation to inbound call numbers, would not have an unreasonable impact on the privacy of other individuals in cases where the calling number display has not been blocked or the option of a silent line not taken
Information about Grubb
After considering Telstra’s submissions regarding the ability to ascertain a customer’s identity from the data it obtains the Commissioner found:
- network data like IMSI may by cross matching be linked to a particular individual [52];
- network data in the context of customer transactions on Telstra’s network is information about an individual [53];
- while a person’s identity is not apparent from longtitudunal and latitudunal data alone [63] and that network data such as IP addresss and URLs is unlikely to be information from which an identity can be perceived [64] by making inquiries from and cross matching against different network management and records management systems Telstra is able, and does, ascertain a person’s identity[82] ;
- Telstra’s response to law enforcement agency requests is “indicative of its ability to ascertain with accuracy an individuals identity from metadata linked to that individual which exists on a its mobile tower and to which an individual might seek access [83];
Telstra contended that the identity of a customer cannot be reasonably be ascertained, that the retrieval process was burdensome in complexity, time and cost [86] – [90]. The Commissioner stated that it is necessary to consider the issue in a practical context relative to Telstra’s resources and capacities [93]. In that context he noted:
- Telstra had a pool of over 120 staff with expertise in data retrieval and who are specifically involved in such tasks [94];
- Telstra received and responded to around 85,000 requests for customer information within a 12 month period [95] (see also [101]);
- that the process of data retrieval has not been demonstrated to be beyond what is reasonable relative to Telstra’s resources and that it can charge for that retrieval [100];
- the fact that Telstra is recently stated that customers may access their metadata on request [101];
The Commissioner rejected Telstra’s submission finding, at [102] that:
The Commissioner found that:
- Grubb’s identity can be identified from inbound call numbers to his mobile service in the context of those subscriber and call charge records [119];
-
Requests for call charges records are regularly made by law enforcement agencies and provided without excessive inquiry or delay [120];
- the association between inbound call numbers to an individual’s phone service and that individual’s identity can be made with certainty [120]
and accordingly he was satisfied that the process of ascertaining Grubb’s identity is reasonable in the circumstances and that inbound calls constitute personal information [121].
Telstra argued that providing inbound call information would have an unreasonable impact on the privacy of others, here incoming callers [124] – [125], [130] & [132] – [133].
The Commissioner cited Smallbone v New South Wales Bar Association where Yates J identified the following relevant factors:
- whether the individuals would expect that their information would be disclosed to a third party, including whether an assurance of confidentiality was provided
- the extent of the impact on the individuals’ privacy
- callers with a silent line/who have opted to block their line or CND could not reasonably expect that their numbers may be disclosed to the recipient of the incoming call on the recipient’s subsequent request [134];
-
calls being made to the complainant’s mobile service creates an associa tion between the complainant and the incoming caller, and may of itself say something, whether true or not, about the parties to the call [143];
-
where the creation of such an association is unintentional (i.e. wrong number dialled) granting subsequent access to the phone information of those callers would prejudice their privacy [144] – [145]
-
where callers do not have a silent number/CND/line blocking and intentionally call the recipient it is likely that in many circumstances, it might reasonably be expected that these callers would consent to the disclosure if they were aware of it [146].
-
costs associated with complying with requests from law enforcement agencies and other regulatory bodies for subscriber information and call charge recordsrange from $10for a simple request to at most $200 [160]
-
Telstra did not provide any detailed information relating to the potential diversion of additional staff from their regular duties to meta data retrieval duties or what financial impact this might have on its operations [162].
In determining whether Telstra is entitled to charge for access the Commissioner noted that:
-
the resolution of this matter has been protracted because of Telstra’s persistent hold to itsinitial position that metadata does not constitute personal information [167];
-
because of the drawn- out and incremental approach that Telstra has taken to the provision of personal information to the complainant in relation to his access request [168]
and found that Telstra should provide that information free of charge.
ISSUE
This quite long and involved decision is significant. The Privacy Commissioner has considered the means by which an organisation can, through cross matching, identify the personal information of an individual.
Not surprisingly the Fairfax press has reported on the case with Grubb providing a personal/analysis piece with Me and my metadata: How I beat Telstra after my 22-month legal battle which provides:
Monday marks 688 days since I first asked Telstra for the metadata generated by my mobile phone – the same information it routinely gives law-enforcement and intelligence agencies without a warrant when investigating crime.
Monday also marks the start of Privacy Awareness Week 2015, which usually goes by each year without too much fuss and, to be quite frank, is a little boring. But this year’s Privacy Awareness Week is different.
You see, Monday also marks the day the Office of the Australian Information Commissioner has made public a landmark decision in relation to my battle with Telstra for access to my metadata.
Advertisement
You might remember how I detailed my tussle with the telco last year, in which I explained how spies, councils, the RSPCA and others could gain access to my phone’s metadata but I couldn’t, as Telstra was refusing me access.
I wanted access to the data in light of the data retention laws, which recently passed parliament, so that I could show Australians exactly what metadata was, considering not even George Brandis could explain it. I wanted to put my metadata on a map like German politician Malte Spitz did after he successfully sued his telco in 2011 to show just how invasive having all of your metadata stored was in the wake of mandatory data retention in his country.
The decision
It turns out by refusing me access to my metadata Telstra breached the Privacy Act. I’ve won (at least in the eyes of the Privacy Commissioner)! ?
“Telstra has breached [National Privacy Principle] 6.1 by failing to provide the complainant with access to his personal information in breach of [National Privacy Principle] 6.1 of the Privacy Act,” Privacy Commissioner Timothy Pilgrim states in his 37-page decision, handed to both Telstra and myself on Friday and made public on Monday.
Mr Pilgrim goes on to state in his ruling that Telstra must within 30 business days provide me with access to my metadata, including Internet Protocol (IP) address information, Uniform Resource Locator (URL) information, and cell tower location information beyond what is on my bills.
This is in addition to some of the information Telstra handed over to me while the complaint was ongoing, including outgoing call records and some cell tower location information.
Telstra must also provide the data free of charge, Mr Pilgrim said, “because of the drawn-out and incremental approach that Telstra has taken to the provision of personal information to the complainant in relation to his access request”.
As I didn’t ask for damages, none will be awarded.
I won’t be able to access incoming call data though (which law-enforcement agencies can access) as it was successfully argued by Telstra that this would breach the privacy of the person calling. Fair enough (though a bit annoying I won’t be able to identify/call back pesky telemarketers).
Telstra appeals decision
But it may be a short-lived win. Shortly after the decision was made public, Telstra said it would appeal the decision. It had 28 days to announce whether it would do so.
“We respect the role the Privacy Commissioner plays and we share his commitment to transparency, but we will be seeking a review of the determination,” Telsta said in a blog post.
Meanwhile, it recently backflipped and allowed others to gain access to some of their metadata for a fee, likely as a direct result of my case.
What it means
So what does this all mean and will it have wider consequences for businesses? I asked former Deputy Privacy Commissioner for NSW, Anna Johnston, who is now director of Salinger Privacy.
“This is a ground-breaking decision,” she says.
“Telstra argued that geo-location data – the longitude and latitude of cell towers connected to the customer’s phone at any given time – was not ‘personal information’ about a customer, because on its face the data was anonymous. They lost that argument, because the Privacy Commissioner found that a customer’s identity could be linked back to the geo-location data by a process of cross-matching different datasets.”
Ms Johnston went on to say that the implications of the case go well beyond the telcos, which will have to comply with the new metadata retention laws.
“It even goes beyond just geo-location data,” she says. “This case has far-reaching consequences for any organisation which deals in any form of ‘big data’. No-one should think that privacy can be protected simply by leaving out customer names or other identifiers from a database. Any dataset which holds unit-record level data can potentially be linked to data from other sources, which can then lead to someone’s identity being ascertainable. “
As a result of the case, the cautious thing for organisations to do now was to assume that even ‘anonymised’ data meets the definition of “personal information”, she said.
That data must therefore “be treated in accordance with the Australian Privacy Principles”, she said, which would mean that if it was lost the organisation could be fined by the Privacy Commissioner if it didn’t take reasonable steps to protect it.
While the ruling was made under the old National Privacy Principles — since replaced by the Australian Privacy Principles — Ms Johnston told me that she couldn’t see why the Privacy Commissioner’s decision would be any different under the new principles, considering the definition of personal information only changed slightly. If anything, the revised definition was a more expansive, pro-consumer definition of what constitutes personal information, she said.
Lateline covered the case in Privacy Commissioner rules metadata ‘personal’, Telstra must hand over personal data to journalist Ben Grubb which provides:
The Privacy Commissioner has ruled that metadata is personal, finding that Telstra must hand over information it holds about a journalist, two years after he exercised his legal right to see his personal metadata.
Fairfax journalist Ben Grubb requested access to personal metadata Telstra held about him two years ago.
At the time there was a debate about how police and spy agencies had gathered this information.
“This is a landmark decision. There’s never been a ruling like this before,” Grubb said after Monday’s ruling.
Telstra said it would appeal the decision.
The telecommunications company said the decision “would require us to go well beyond the lawful assistance we provide to law enforcement agencies [and the] Government’s data retention regime”.
Telstra also said the decision would have broad implications for the Australian economy and the development of new technologies.
I think that privacy policies are pretty much useless. You wouldn’t sit down and read Hamlet, you’re not very likely to sit down and read the privacy policy.
Professor Fred Cate, information and security law specialist
Australian privacy commissioner Timothy Pilgrim revealed that half the major companies he had recently examined failed to comply with rules and guidelines regarding privacy policies.
The audit did not identify which companies were non–compliant.
The Telstra decision comes amid a global shift over what constitutes privacy and how much control individuals have over their personal data.
Metadata does not show the content of emails, calls or web searches.
But it records when, where and for how long individuals are active and who they communicate with.
Fred Cate, a specialist in information privacy and security law issues, is highly critical of company privacy policies and says they are used to shift liability from the company to the customer.
“I think that privacy policies are pretty much useless,” Professor Cate told Lateline.
“You wouldn’t sit down and read Hamlet, you’re not very likely to sit down and read the privacy policy.
“There was a recent research study in the United States showing that if you just read the privacy policies of the top 100 websites that most people visit, it would take over 30 days a year just to stay on up on those.
“So you’d be giving effectively your month’s vacation just to be reading privacy policies and that’s not going to work.”
Individual privacy rights currently ‘pretty well unenforceable’
Origin Energy, Gumtree Australia and Veda were three of the 20 companies on the Privacy Commissioner’s hit list.
Origin Energy is Australia’s largest energy retailer and its customers hand over sensitive information like bank and credit card details and credit history.
Origin’s privacy policy states “personal and credit-related information” may be held in up to 11 different countries including Vietnam, China, Chile, Botswana, Indonesia and Papua New Guinea.
In the hands of the individual at the moment in Australia, your privacy rights such as they are, are pretty well unenforceable.
David Vaile, UNSW’s Cyberspace Law and Policy Centre
Origin says it takes “reasonable steps” to ensure information is handled according to Australian law. It also says the Privacy Commissioner found no fault.
Online classified ad giant Gumtree Australia — owned by the eBay group — says it collects information including but not limited to device ID, device type, geo-location information, name, email, address, phone, financial information, social media and demographic data.
It also says it collects “additional data … from other sources such as public authorities to the extent permitted by the law”.
Veda, a credit giant that deals in sensitive personal financials, says that “your personal information may not receive the same protection as it does in Australia under Australian law”.
David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of New South Wales, said Australia’s privacy enforcement is under-resourced and needs broader powers.
“In the hands of the individual at the moment in Australia, your privacy rights such as they are, are pretty well unenforceable,” Mr Vaile said.
Grubb said the implication of the decision today went beyond the telecommunications companies that would have to comply with the new metadata retention laws.
“No-one should think that privacy can be protected simply by leaving out customer names of other identifiers from a database,” he said.
“The cautious thing for organisations to do is assume that even ‘anonymised’ data meets the definition of ‘personal information’ and thus must be treated in accordance with the Australian Privacy Principles.”
Statement from Origin Energy
Origin is an Australian-based, international energy company with employees and operations in 10 of the 11 countries identified in our privacy policy.
Where a business partner completes work for us from an overseas location, personal and credit information is accessed within Origin’s own system, used for an agreed, discrete purpose and not duplicated nor shared without our permission.
Origin places a number of controls on this data, and our expectations of how it is used are enforced with employees and business partners regardless of where they are located.
The Privacy Commissioner was interviewed on Lateline. Alberici did touch on the key current issues, lack of enforcement and failure to comply. The Privacy Commissioner has acknowledged he has the power but was not particularly full throated in endorsing theuse of them. The interview provides:
EMMA ALBERICI, PRESENTER: The Privacy Commissioner Timothy Pilgrim joined me here in the studio just a little earlier.
Timothy Pilgrim, welcome to Lateline.
TIMOTHY PILGRIM, PRIVACY COMMISSIONER: It’s good to be here.
EMMA ALBERICI: Now, more than half of all the major Australian companies audited failed to comply with privacy rules. What consequences do they face as a result of that?
TIMOTHY PILGRIM: Well at this point we’ve undertaken an assessment of those organisations. The aim is to help educate them to improve their privacy policies. It’s only been 12 months since the New York laws came into place and what we want to do is get them some guidance and hopefully they will improve their policies and in another 12 months we’ll go back and have a look at how they’ve improved them.
EMMA ALBERICI: When we talk about the digital space, what exactly is considered private and personal in a legal sense?
TIMOTHY PILGRIM: Well personal information basically is any information that can identify an individual or from which an individual can be easily identifiable. So there is a vast amount of information in the technological sphere now, which when it can be brought together, can actually identify us in ways in the past it was never able to. And we see that quite often now in the broad debate around issues such as metadata.
EMMA ALBERICI: So, speaking of metadata, in the case of Fairfax journalist Ben Grubb, Telstra says it will appeal your decision because, in their words, having to disclose a journalist’s metadata to them would, quote, “have broad implications for the Australian economy”. How significant is this case?
TIMOTHY PILGRIM: Well from my perspective tip of the issue we had before us was that this individual wanted to seek their personal information held by Telstra. Now, people have a right under the Privacy Act to see their personal information and get access to it. The question here was that the information was being described broadly as metadata and the decision came down to what bits of information were actually going to form personal information. So which bits of this information Telstra held could identify this particular individual? And my decision was that the information that was being sought did constitute personal information and should be handed over to him.
EMMA ALBERICI: In your view, as the Privacy Commissioner, how significant is metadata in terms of privacy and trying to maintain some level of personal secrecy around certain things?
TIMOTHY PILGRIM: Well I think the whole issue of data and information about us is getting very complex for all of us in the community and I do get a bit worried when there’s terms like metadata are used often because I think what we’re going to see in years to come is that the information which some people would now lump under the definition of metadata is going to broaden significantly. So what we focus on is what bits of that information is personal information, how’s it going to identify the individual and the individual should then have rights to be able to access it.
EMMA ALBERICI: Privacy policies are around 3,400 words. How many people would ever read those?
TIMOTHY PILGRIM: Well, we did a survey recently in 2013 and we found that just over 50 per cent of people were saying that they were reading privacy policies. Now this is clearly not enough because they’re an important document that we all should take time to read, because at the end of the day, they’re going to tell us where our information is going. So we’d like to see that number improved and a way of improving it would be to get the companies to actually shorten their policies and put upfront the most important information a person needs to know. So we want to work with organisations to make sure that they get those policies right so that they’re useful for people and easily accessible.
EMMA ALBERICI: But just telling someone that you’re going to disseminate information to – in the case of Origin Energy, we hear in Margot O’Neill’s story that it went off to 11 different countries and this is personal information and credit-related information even – the mere fact of the company telling us that doesn’t necessarily provide us much comfort.
TIMOTHY PILGRIM: Well, it doesn’t necessarily provide comfort to everybody. What it does do is tell you where the information is going and you may want to think twice if you want to deal with a particular company. We found that 60 per cent of Australians have actually made a conscious decision not to deal with an organisation because they didn’t like the way that they were going to handle their personal information. But in terms of information going overseas, one thing that’s important to remember is that at the end day, if an Australian company sends information overseas, it will remain accountable for what happens to it and if something goes wrong, they will be accountable at the end of the day.
EMMA ALBERICI: Do we need law reform in this area so that perhaps your office doesn’t necessarily appear quite as much of a toothless tiger as perhaps some people might think it is?
TIMOTHY PILGRIM: Well, I certainly don’t think we’re a toothless tiger. We do have quite a number of powers that are there for us to use to resolve complaints. And we’ve just been through a long law reform process and the result of that law reform process was actually to give me more powers to be able to resolve and remedy complaints from individuals and large systemic investigations that I undertake. So I think we need just after 12 months to watch these work a bit longer before we go to looking at doing any more reform.
EMMA ALBERICI: So I guess you wouldn’t necessarily agree with US cyber security expert Fred Cate who describes privacy law as a, quote, “fantasy world” and that we’re perhaps better to just give up any notion of privacy online?
TIMOTHY PILGRIM: No, I certainly don’t agree with that. I think that there are responsibilities out there for organisations to comply with the law we have and people have a right of recourse, and at the end of the day, we have one of the most powerful tools to us, which is to say, “I’m not going to deal with that organisation because I don’t like what they’re going to do with my personal information.”
EMMA ALBERICI: Timothy Pilgrim, thank you very much.
TIMOTHY PILGRIM: You’re welcome.
Telstra has announced in mediareleasespeak its intention to appeal when it stated:
At Telstra we work hard every day to meet your expectations that we will protect your privacy and keep your data secure, while also acting with transparency and living up to our legal obligations.
To back this up, we already make the personal information we hold available to you through our bills and My Account service and we are the only telco in Australia to run a metadata access system for you to be able to access more network information than ever before.
The Privacy Commissioner has recently released a decision relating to Telstra and one of our customers that would create some uncertainty for the Australian technology and communications sector, Telstra and our customers.
We already provide access to personal information, but this decision could extend this practice to every single piece of data in our networks regardless of whether the data reveals the identity or anything else about someone.
We respect the role the Privacy Commissioner plays and we share his commitment to transparency, but we will be seeking a review of the determination. As it stands, this determination would require us to go well beyond the lawful assistance we provide to law enforcement agencies today. It also goes well beyond what we have to retain under the Government’s data retention regime.
Given the broad implications of the decision on the Australian economy and its potential impact on the continued evolution of new technologies in our sector, we feel we need clarification on some important points in the decision. We look forward to gaining that certainty through a review process.
That has been reported on in Telstra to appeal Fairfax journalist Ben Grubb’s metadata ruling which provides:
Telstra will appeal a ruling by the privacy commissioner forcing it to hand over the metadata? of a Fairfax Media journalist, a decision the peak telecommunications industry group says will pave the way for law-enforcement agencies to gain yet more access to customer data.
The verdict from commissioner Timothy Pilgrim, published on Monday, ruled that Telstra had breached the Privacy Act by failing to provide Fairfax’s technology editor Ben Grubb with access to his personal information.
The decision followed a 22-month stand-off between Mr Grubb and Telstra, which had refused to disclose the metadata? it collected on him as a Telstra customer, despite routinely handing such information over to government agencies when complying with data requests.
Advertisement
But the Communications Alliance, which represents Telstra and other Australian telecommunications retailers, slammed the decision, saying the classification of Mr Grubb’s metadata as “personal” information was “regulatory overreach” that would drive up costs for telcos in complying with the Privacy Act.
“In making this decision the privacy commissioner has stepped into the realm of setting policy, without any consultation with industry and seemingly without a mandate from government to extend the reach of regulatory obligations deep into the operations of communications service providers,” the alliance said.
Further, it argued the decision would likely backfire by increasing the amount of personal data available to law-enforcement agencies, because some of the data Mr Grubb requested was not currently provided to them on the basis they were “very difficult to extract”.
“If telcos have to provide this much broader suite of data to customers, it is likely only a matter of time before agencies will start asking for it as well,” the alliance warned.
The federal government failed to clearly define the term “metadata?” in its recently passed mandatory data retention legislation, which requires telcos to retain customers’ metadata? for up to two years for the purpose of aiding intelligence operations.
Telstra chief risk officer Kate Hughes said the decision in Mr Grubb’s case could extend the definition of personal data to “every single piece of data in our networks, regardless of whether the data reveals the identity or anything else about someone”.
“We respect the role the privacy commissioner plays and we share his commitment to transparency, but we will be seeking a review of the determination,” Ms Hughes said.
Telstra has already been found to have willingly disclosed to authorities more information about its customers than was necessary.
Last year it emerged the telco was divulging details of URLs? its customers had visited to law-enforcement agencies, without the agencies getting a warrant – judicial oversight then ASIO chief David Irvine said was necessary.
[…] Ben Grubb v Telstra Corporation Ltd [2015] AICmr: access to personal information, meta data, Privacy… […]