February 28, 2017

Metadata Retention – What you need to know.

Metadata retention law

The Full Federal Court confirms that metadata is not all linked in its decision in the case of the Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.

The History

In June 2013, a Telstra customer, Mr Grubb, made a request to Telstra for ‘all the metadata information Telstra has stored about my mobile phone service’.

In accordance with the Privacy Act 1988 (Cth), a person has the right to request access to personal information held by an organisation that is bound by the Act.

Over the course of the following year, Telstra provided Mr Grubb with various information about his service including dates and times of communications, his locations and duration of calls.

Telstra did not, however, provide the metadata concerning the journey of his calls or the IP addresses related to his internet usage, as Telstra did not view this type of information as personal information within the meaning of the Act.

Mr Grubb disagreed and filed a complaint to the Privacy Commissioner.

Telstra argued that the information relating to the path a call takes or the IP addresses a network uses to access the internet is not personal information, as that metadata does not identify a person. Once a call leaves the original tower, the metadata associated with that journey is not attributable to the individual person.

The Full Court agreed with Telstra, deciding that the metadata Mr Grubb requested did not meet the required threshold to be defined as personal information within the scope of the Privacy Act, but is rather information about how Telstra provides the service.

What is the impact of this decision?

It is unclear how wide an impact this decision will have within the general area of privacy law, because the statutory definition of personal information has changed since Mr Grubb’s complaint.

However, the case does serve as a reminder of the importance of businesses reviewing their understanding of privacy obligations.

Where to go from here

If your business holds or interacts with personal information, you must have a privacy policy in place and you must comply with the Privacy Act where it applies to your organisation.

Do you know when, how, or if you disclose your customers’ personal information in accordance with the Act?

If you are unsure or need a refresher on your privacy obligations, the Privacy Commission website is a good place to start. The website offers resources regarding all aspects of privacy and includes resources tailored to start-ups and small businesses.

If you need more than the basics or have questions, contact Rouse Lawyers and speak to one of our trusted lawyers.  Our experience in technology, telecommunications and business can help you understand and navigate your privacy obligations.

  1. Decision – http://www.austlii.edu.au/cgi-bin/sinodisp/au/cases/cth/FCAFC/2017/4.html?stem=0&synonyms=0&query=privacy%20commissioner%20telstra
  2. Act – http://www.austlii.edu.au/au/legis/cth/consol_act/pa1988108/
  3. Resources – https://www.oaic.gov.au/agencies-and-organisations/faqs-for-agencies-orgs/start-ups/