The New Metadata Retention Laws & Privacy
Published on September 10, 2015 by Patricia Monemvasitis and Kim Leontiev
The New Metadata Retention Laws – will your privacy be retained?
Earlier this year Carroll & O’Dea reported in its Not-For-Profit Newsletter on the Telecommunications (Interception and Access) Amendment (Data Retention) Bill which introduced the “Data Retention” provisions (DRA) into the Telecommunications (Interception and Access) Act 1979 (Cth) (TIAA). These provisions commence on 13 October 2015 – six months after first received Royal Assent. Will this 13th day of October also spell the end of privacy in all our communications online and off-line? In this post, we provide a quick recap of the DRA and some important developments that have come to light in respect of the likely interaction between the DRA and the Privacy Act 1988 (Cth).
1. Metadata Retention – in one compact digestible byte
In a nutshell, the core amendment of the DRA is Section 187A which requires “service providers” – or generally speaking telecommunication companies and internet service providers (ISPs), to retain for a mandatory period of (currently) two years, a range of customer information which can be collectively termed “metadata”.
Metadata or the type of information that the service providers are required to retain is described in the new Section 187AA of the TIAA as information as to the:
- Source of communication: identifiers of the service account or device from which the communication was sent by means of that service
- Destination of a communication: identifiers of the account, device or relevant service to which the communication has been sent or forwarded, routed or transferred (including attempt of each)
- Date, time, duration of communication or connection to a device or service
- Type of communication (e.g. voice, sms, email, chat, forum, social media) or of a relevant service used in connection with a communication (e.g. ADSL, Wi-Fi, VoIP, cable, GPRS, VoLTE, LTE).
- Location of equipment used in a connection with a communication.
2. To whom do the laws apply?
As the definition of metadata reveals, the implications of these amendments actually concern a broad range of users and service providers – effectively anyone in Australia communicating or transmitting information whether in the form of speech, music, sound, data, text, visual images (animated or not), signals, as well as any other form or combination of forms.
3. Who can access the retained metadata?
The Amendments largely build on the current interception and access regime under Part 4 of the TIAA but amend the types of agencies to have access to the above information from “enforcement agencies” to “criminal law-enforcement agencies” to be defined by Section110A to specify a range of agencies including: the Australian Federal Police, State Police, Australian Customs and Border Protection, ASIC, the ACCC, ICAC, the Crime Commission amongst others.
These agencies will have on demand access to retained metadata without a warrant except in cases of information held by journalists and whistleblowers.
4. How will retained metadata be stored?
The Amendments themselves are largely silent on any specific storage requirements of the retained information. The only requirement is contained in Section 187BA which provides as follows:
A service provider must protect the confidentiality of information that, or information in a document that, the service provider must keep, or cause to be kept, under section 187A by:
(a) encrypting the information; and
(b) protecting the information from unauthorised interference or unauthorised access.
There is also presently no restriction that the retained information needs to be stored in Australia, although it has been reported that this will eventually be required by future amendments.
5. Does it affect my privacy?
The Amendments also insert a note into Section 6(1) of the Privacy Act to clarify that personal information can extend to information held under the data retention provisions. Therefore, if the retained data falls under Section 6(1) of the Privacy Act, the Privacy Act storage requirements would apply.
Despite some questions being raised as to how metadata which does not contain substantive information could be “personal information” as defined in the Privacy Act (information about an identified or reasonably identifiable individual), a decision of the Australian Privacy Commissioner in the case of Ben Grubb and Telstra Corporation Limited [2015] AICmr 35 (1 May 2015) (“the Decision”) has provided strongest indication to date that metadata can come under the definition of “personal information” under the Privacy Act.
The Decision is actually based on an older version of the Privacy Act prior to the 12 March 2014 amendments of the Privacy Amendment (Enhancing Privacy Protection) Act 2012 and therefore relates to the repealed National Privacy Principles (NPPs) rather than the current Australian Privacy Principles (APPs). However, given the many parallels in the definition of “personal information” under the former and current Privacy Acts, the Decision remains quite relevant.
The facts in the Decision arose from a dispute between Fairfax journalist Ben Grubb and Telstra over a request made by Ben Grubb to Telstra for release of “all the metadata information Telstra had stored [in relation to his account].” Telstra refused to comply with the request citing that beyond the standard call log information available to an account holder, there is no basis for the request and the information would not be provided without a subpoena. Ben Grubb lodged a complaint to the Privacy Commissioner who had to determine whether or not Mr Grubb had rights to the requested metadata under the NPPs of the then Privacy Act which he would if the metadata could be seen to fit the definition of “personal information” which at the time was:
“Information or an opinion (including information or an opinion forming part of a database), whether true or not, and whether recorded in a material form or not, about an individual whose identity is apparent, or can reasonably be ascertained, from the information or opinion” (emphasis added).
The Commissioner held that although the metadata did not immediately identify Ben Grubb on its own, it could be linked with other data held by Telstra and Ben Grubb’s identity could be ascertained in a way that was “reasonable” because:
(a) the information was stored in a way that associated a particular (phone) number with Ben Grubb
(b) Telstra had the operational capacity to retrieve and match related data on its account holders as demonstrated by its ability to fulfil warrants issued by law enforcement agencies for access to metadata on a particular Telstra customer.
Thus, the metadata was capable of being captured by the meaning of “personal information” under the Privacy Act, and the Decision is therefore strong indication that the Privacy Act will continue to apply to metadata.
There are important qualifications to this though. Firstly, the unlike the current definition of “personal information” the former definition expressly provided for information “forming part of a database” and contained the expression “can be reasonably ascertained” – both of which are not present in the current definition of “personal information” which as mentioned above refers only to information about an identified or reasonably identifiable individual. Given the apparent weight in the Decision given to the links between the information in the Database, this could prove to be a critical definitional difference.
Further, regardless of whether metadata can or cannot constitute “personal information” under the current definition, it will not affect the operation of the DRA – the Privacy Act does not contradict or in any way protect against use and access of personal information by law enforcement agencies. Consequently, the significance of metadata being or not being personal information relates largely to your ability to access and correct it and the additional protections that it would offer to the DRA storage and encryption requirements in relation to retained metadata. Apart from that, whether or not the metadata retained is privacy information or not will not prevent enforcement agencies from accessing it without the need for a warrant come 13 October.