The Australian Privacy Commissioner has ruled that telco metadata on the phone calls a person receives and sends is ‘personal information’ and therefore access rights apply.
The requester, a journalist, wanted access to all the metadata information Telstra, a telecom company, had stored about him in relation to his mobile phone service, including (but not limited to) cell tower logs, inbound call and text details, duration of data sessions and telephone calls and the URLs of websites visited. Timothy Pilgrim, the Privacy Commissioner, said that Telstra’s response to law enforcement agency requests, in addition to its regular practice of extracting metadata for network assurance purposes, is indicative of its ability to ascertain with accuracy an individual’s identity from metadata. He therefore concluded that metadata indeed constituted personal data and access should be granted.
PL&B’s Asia Pacific Editor, Graham Greenleaf, commented that this decision will further complicate the operation of Australia’s new Data Retention law, and is likely to have implications for all organizations involved in data analytics on Australian consumers and Internet users, because all other aspects of the Privacy Act will now apply to such metadata including restrictions on use, disclosure and export of such data. This is particularly concerning for some businesses because Australia’s legislation has extra-territorial effect and under some circumstances applies to companies operating from outside Australia but collecting data on persons in Australia.