After two years of campaigning, Fairfax journalist, Ben Grubb, finally got the decision he was seeking: metadata could be considered “personal information” under the Privacy Act 1988 (the ‘Privacy Act’). The landmark decision by the Australian Privacy Commissioner came about after Grubb was refused access to metadata which is available to law enforcement agencies and councils, but not to individuals. Telstra, the data controller in this case, refused access to some personal information described as “metadata” (namely, IP address information, URL information and cell tower location information beyond that retained for billing purposes) on the grounds that it was exempt under the Privacy Act.
The Australian Privacy Commissioner determined otherwise. The Commissioner found that “personal information” includes information whereby an individual may be “reasonably ascertained” from that information. He concluded that, where an organisation is able to link an individual to metadata it has collected via cross-matching information across its systems, the metadata falls within the definition of “personal information”. This decision was based on the National Privacy Principles (‘NPP’) under the Privacy Act and not the Australian Privacy Principles (‘APP’) which came into force in 2014. However, given the APP did not significantly change the definition of personal information, it is predicted that more types of data could be considered personal information, and the decision is expected to carry substantial weight in future cases considered under the new regime.