Telstra has said a ruling from Australian Privacy Commissioner Timothy Pilgrim may force the telco to hand over more data than it is required to store under the mandatory data-retention law.
Close to two years ago, Fairfax journalist Ben Grubb requested access to his own metadata relating to a mobile service with Telstra. He sought metadata including which cell tower he was at at any given time, the phone numbers of both incoming and outgoing calls, and all SMS data.
Telstra was willing at the time to provide outbound call details and data usage session records, but said that due to privacy laws, it could not provide location and inbound call details. A complaint was lodged with Pilgrim's office, and today his office sided with Grubb and ordered Telstra the data requested, such as IP addresses, URL information, and cell tower information, but excluding the numbers of incoming calls.
Telstra has been ordered to provide the data free of charge.
The telco is already planning to contest the decision, with the company's chief risk officer Kate Hughes stating in a blog post that the data Telstra has been ordered to hand over exceeds that which it already provides to law enforcement.
"We already provide access to personal information, but this decision could extend this practice to every single piece of data in our networks, regardless of whether the data reveals the identity or anything else about someone," Hughes said.
"We respect the role the privacy commissioner plays, and we share his commitment to transparency, but we will be seeking a review of the determination. As it stands, this determination would require us to go well beyond the lawful assistance we provide to law-enforcement agencies today. It also goes well beyond what we have to retain under the government's data-retention regime."
The company has declined to make any further comments on the matter.
Communications Alliance, the peak representative body for Australian telecommunications companies, said in a statement on Monday that the decision was pure regulator overreach and has "disturbing ramifications for the telecommunications sector".
"Applying the declaration that all metadata is personal information would layer additional costs and complexity on telecommunications service providers, without any tangible benefit in terms of protecting privacy," it stated.
"Asserting that every single trace of network data -- no matter how obscure, unintelligible, or remote it is, or whether it reveals anything about a person at all -- is captured under the Privacy Act is impractical, unnecessary, and will be very costly for industry to manage. This is a stark example of regulatory overreach."
Comms Alliance said it would increase the burden of regulation on telcos at a time when the industry is already facing hundreds of millions of dollars in costs because of the government's mandatory data-retention regime, due to come into effect later this year.
The alliance warned that the decision may force telcos to hand even more data over to law enforcement.
"This determination is likely to actually increase the amount of data handed over to law-enforcement agencies under the federal government's new data-retention legislation. Today, many elements of the information required by the privacy commissioner to be provided to the journalist in question are not provided to law-enforcement and national security agencies when they make data requests to service providers," it stated.
"This is because such data are very difficult to extract. But if telcos have to provide this much broader suite of data to customers, it is likely only a matter of time before agencies will start asking for it as well."
During parliament's examination of the data-retention legislation prior to passing it earlier this year, Telstra revealed that it would need to bring data from 13 different systems into one central system under the mandatory scheme.
The company has also implemented a scheme where customers can apply to get their own metadata -- though not the same amount of data as ruled by Pilgrim -- for a fee starting at AU$25.
The judgment comes at the beginning of Privacy Awareness Week in Australia.