The Privacy Commissioner has ruled that metadata is personal, finding that Telstra must hand over information it holds about a journalist, two years after he exercised his legal right to see his personal metadata.

Fairfax journalist Ben Grubb requested access to personal metadata Telstra held about him two years ago.

At the time there was a debate about how police and spy agencies had gathered this information.

“This is a landmark decision. There’s never been a ruling like this before,” Grubb said after Monday’s ruling.

• This handful of senators fought for your privacy
• Metadata laws pass parliament
• Passwords you should never use – but probably do anyway

Telstra said it would appeal the decision.

The telecommunications company said the decision “would require us to go well beyond the lawful assistance we provide to law enforcement agencies [and the] Government’s data retention regime”.

Telstra also said the decision would have broad implications for the Australian economy and the development of new technologies.

Australian privacy commissioner Timothy Pilgrim revealed that half the major companies he had recently examined failed to comply with rules and guidelines regarding privacy policies.

Major companies have failed to comply with rules and guidelines regarding privacy policies

The audit did not identify which companies were non–compliant.

The Telstra decision comes amid a global shift over what constitutes privacy and how much control individuals have over their personal data.

Metadata does not show the content of emails, calls or web searches.

But it records when, where and for how long individuals are active and who they communicate with.

Fred Cate, a specialist in information privacy and security law issues, is highly critical of company privacy policies and says they are used to shift liability from the company to the customer.

“I think that privacy policies are pretty much useless,” Professor Cate told Lateline.

“You wouldn’t sit down and read Hamlet, you’re not very likely to sit down and read the privacy policy.

“There was a recent research study in the United States showing that if you just read the privacy policies of the top 100 websites that most people visit, it would take over 30 days a year just to stay on up on those.

“So you’d be giving effectively your month’s vacation just to be reading privacy policies and that’s not going to work.”

Individual privacy rights currently ‘pretty well unenforceable’

Origin Energy, Gumtree Australia and Veda were three of the 20 companies on the Privacy Commissioner’s hit list.

Origin Energy is Australia’s largest energy retailer and its customers hand over sensitive information like bank and credit card details and credit history.

The energy provider’s privacy policy states “personal and credit-related information” may be held in up to 11 different countries including Vietnam, China, Chile, Botswana, Indonesia and Papua New Guinea.

eBay-owned Gumtree gathers “additional data … from other sources such as public authorities to the extent permitted by the law”.

Origin says it takes “reasonable steps” to ensure information is handled according to Australian law. It also says the Privacy Commissioner found no fault.

Online classified ad giant Gumtree Australia — owned by the eBay group — says it collects information including but not limited to device ID, device type, geo-location information, name, email, address, phone, financial information, social media and demographic data.

It also says it collects “additional data … from other sources such as public authorities to the extent permitted by the law”.

Veda, a credit giant that deals in sensitive personal financials, says that “your personal information may not receive the same protection as it does in Australia under Australian law”.

David Vaile, executive director of the Cyberspace Law and Policy Centre at the University of New South Wales, said Australia’s privacy enforcement is under-resourced and needs broader powers.

“In the hands of the individual at the moment in Australia, your privacy rights such as they are, are pretty well unenforceable,” Mr Vaile said.

Grubb said the implication of the decision today went beyond the telecommunications companies that would have to comply with the new metadata retention laws.

“No-one should think that privacy can be protected simply by leaving out customer names of other identifiers from a database,” he said.

“The cautious thing for organisations to do is assume that even ‘anonymised’ data meets the definition of ‘personal information’ and thus must be treated in accordance with the Australian Privacy Principles.”

Statement from Origin Energy

Origin is an Australian-based, international energy company with employees and operations in 10 of the 11 countries identified in our privacy policy.

Where a business partner completes work for us from an overseas location, personal and credit information is accessed within Origin’s own system, used for an agreed, discrete purpose and not duplicated nor shared without our permission.

Origin places a number of controls on this data, and our expectations of how it is used are enforced with employees and business partners regardless of where they are located.