Telstra Defeats Aussie Privacy Commissioner Over Metadata

Australian Privacy Commissioner Timothy Pilgrim has taken a shellacking in the courts, after trying to stretch the scope of the Australian Privacy Act too far. In a landmark ruling, the federal court judges dismissed the commissioner’s appeal, siding with Telstra and the Administrative Appeals Tribunal over whether the Aussie telco needed to hand a full suite of telecommunications metadata over to Telstra customer and former journalist Ben Grubb. Grubb had asked for the metadata by using the personal information access provisions of the Privacy Act.

Telstra argued they were not required to hand over network information such as IP addresses, URLs visited, the location of cell towers used, and data about inbound calls, because it does not constitute personal information and so falls outside the Privacy Act. The judges agreed, in a decision which hinged on the word ‘about’. Their determination was that telecoms metadata was about the service being provided, without being about the customer.

The case originated when Grubb, seeking to generate a news story as well as define terminology and combat surveillance, used the rights granted by the Privacy Act to lodge a request for all the information that Telstra held about him. When Telstra refused to provide the metadata he wanted, Grubb sought the assistance of the Office of the Australian Information Commissioner (OAIC), headed by Pilgrim. The OAIC backed Grubb, deciding that Telstra had failed to meet their obligations. But when the case went to Australia’s Administrative Appeals Tribunal, they ruled in favor of Telstra. After several rounds of appeal the case was brought before three Federal Court judges, who again favored Telstra’s interpretation of the limits of the law.

If Privacy Commissioner Pilgrim is disappointed, he is not saying so publicly. The official response on the OAIC website is a long-winded version of ‘no comment’.

The case highlights an important and recurring problem with legislation designed to set expectations relating to personal data, privacy, and the management of data by comms providers. Legislators like to pass laws to protect privacy, but lack the skill and finesse to be precise in defining exactly who is entitled to what, and what telcos must do to meet their obligations. Every time they fall short it becomes the job of the courts to close the gap, resolving the meaning of the legislation. And because private citizens lack the resources to effectively bring cases, we end up with offshoots of government, like the OAIC, being paid to fight telcos in courts, only to learn their interpretation of the law is wrong too. I do not expect any miracle solution; the precedents set by courts of law will always need to resolve fine points of interpretation and application of the law. But if legislators spent less time taking credit for protecting privacy, and more time writing better-worded laws, they would save customers, taxpayers and businesses a lot of time, cost and anxiety.

Eric Priezkalns
Eric is the Editor of Commsrisk.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.