A recent decision by the Privacy Commissioner could have big implications for any business that collects so-called ‘metadata’ about their customers or other members of the public – and in a digital economy that increasingly means every business.
The case related to a complaint by an individual against Telstra for not providing him with access to certain Telstra information. The decision required Telstra to provide him with all metadata information associated with his mobile phone services for free. Metadata is not the content of a communication – it’s information about time and duration and the identifiers of the parties involved.
At first glance, this case appears to be a concern for telcos relating to their obligations under the Privacy Act. However, it actually turns on the meaning of “personal” information under the Privacy Act. The Privacy Commissioner appears to have taken a broader interpretation, one that includes metadata which Telstra states is beyond the policy intent and purpose of the Privacy Act, and beyond what Telstra is required to provide to law enforcement agencies under the Federal Government’s new data retention laws. Telstra intends to appeal this decision on principle.
If the appeal confirms a very broad definition of personal information, this has potentially wide implications for non-telco businesses, as well as Government. As businesses and Government become more digitised and engaged with customers online, they will naturally gather more data and metadata. Based on the Privacy Commissioner’s broad definition of “personal” data, businesses and Government may be exposed to greater risks and costs under the Privacy Act.
For instance, organisations could be required to allocate additional resources to respond to more complex customer access requests, and may need to rethink how they manage such data. New regulatory burdens and red tape for businesses and Government would discourage investment in a digitally enabled economy.
Providing unreasonable access to the metadata of things for the sake of access, with no other practical use or purpose to the user, raises a broader question about the ability of the current policy and regulatory framework to adapt to a digitised economy. We encourage Government to lead in this area and work with industry to strike a clear and fair balance between promoting investment in a digitised economy and reasonably protecting consumers’ rights and privacy. Without Government direction, it is questionable whether the Office of the Australian Information Commissioner is the suitable body to provide this policy equilibrium.
The situation bears watching. Ai Group will provide further analysis of how this may affect businesses once the appeal is resolved.
Have you considered how this recent decision may affect your business’s current privacy practices? Share your thoughts and experiences below.