Accessing Your Own Metadata: Ben’s Battle

We previously published a series of blogs about the Federal Government’s controversial new metadata laws, which were passed by the Senate in March.

The Telecommunications (Interception and Access) Amendment (Data Retention) Bill 2015 was premised on the notion that it would assist law enforcement agencies to fight organised crime and terrorism-related offences.

It requires internet service providers (ISPs) to store metadata for two years and hand it over to around 13 different security and law enforcement agencies, such as the AFP, ASIO and state police, without a warrant.

The term ‘metadata’ remains undefined by the legislation, but experts agree that it refers to ‘data that describes and gives information about other data,’ such as the source, destination, date, time and duration of a communication. As previously explained, it will essentially allow agencies to know who you communicate with and when, where you are and when, and potentially also allow them to determine every web page that you have been on – despite it currently excluding your ‘search history’ page.

So, given that these agencies are able to easily access your metadata, you might think that you too should be entitled to access that information – after all, it’s your own personal data!

But as one Fairfax journalist found out, it’s not quite as simple as that.

Ben’s Battle

When the new metadata laws were announced, Fairfax journalist Ben Grubb was one of many Australians concerned about the impact of the far-reaching, yet ill-defined laws.

Following a disastrous interview in which even Attorney-General George Brandis struggled to explain the meaning of ‘metadata,’ Ben was inspired to access his own data so that he could show the wider public exactly what kind of information was being stored by ISPs – and just how invasive the new laws are.

So he penned an email to Telstra asking for access to his metadata – information which he assumed would include the cell towers he was connected to at given times, the phone numbers, time and dates of texts and calls received and made, and geographical information relating to his communications.

Ben told Telstra that was prepared to pay the fee incurred to access this information.

Surprisingly, Telstra wrote back a month later stating that it was unable to provide him with the information without a subpoena, due to privacy laws.

Ben was understandably taken aback. As he pointed out in an article last year,

‘access to this type of information by agencies is without judicial oversight and done more than 330,000 times each year. Considering this, you’d think I should be able to access it too, right?’

Undeterred, he lodged a complaint with the Federal Privacy Commissioner, arguing that Telstra had breached the Privacy Act by refusing to hand over his metadata.

After months of failed negotiations, attempts at mediation and numerous requests, Ben found himself facing Telstra’s formidable legal team at a hearing before the Privacy Commissioner, Timothy Pilgrim.

688 days after making his initial request, Ben finally got the decision he had been waiting for.

The Decision

The Privacy Commissioner agreed with Ben, finding on Monday 4th May that Telstra had breached its obligations under the Privacy Act.

The Privacy Act incorporates 10 National Privacy Principles. Principle 6.1 states that:

‘if an organisation holds personal information about an individual, it must provide the individual with access to the information on request by the individual.’

The Act then lists a variety of exceptions to this principle, including where access would have an unreasonable impact on the privacy of other individuals, where providing access would be unlawful, or where denying access is required or authorised by or under law.

Telstra tried to argue that metadata is not ‘personal information’ as alone it does not allow an individual’s identity to be ascertained. They also suggested that complying with Ben’s request would be expensive, time consuming and would have an adverse impact on their network operations.

However, Mr Pilgrim rejected these assertions, finding that Telstra had breached Principle 6.1. He ordered Telstra to hand over the metadata requested to Ben within 30 business days free of charge, except for incoming call data.

Since the decision, Telstra has allowed other individuals to access their own metadata for a fee, despite indicating that it will be appealing the decision. It has 28 days from the 4th May to lodge an appeal.

Does it have the Potential to Backfire?

In the wake of the landmark decision, many have applauded Ben’s efforts.

But others argue that his efforts could backfire, giving law enforcement agencies the right to access even more metadata. Telstra has released a statement saying that the decision requires it to ‘go well beyond what [it has] to retain under the Government’s data retention regime.’

The decision has also been slammed by the Communications Alliance, which represents the interests of ISPs such as Telstra. The Alliance has stated that classifying metadata as personal information is ‘regulatory overreach,’ and that because the information requested by Ben was ‘very difficult to extract,’ ISPs will be required to maintain records of a ‘broader suite of data’ to readily assist law enforcement agencies who demand access to this information.

The Alliance has stated that this will have the implication of driving up costs for telecommunications providers, requiring them to retain ‘every single trace of network data…without any tangible benefit in terms of protecting privacy.’ It’s likely that the additional costs will be borne by customers.

With an appeal likely, it’s too early to speculate on how it will affect individuals and telcos – and whether the concerns raised by the industry will indeed be realised.