Specially protected information

72.135 As noted above, some stakeholders raised issues about the use and disclosure of silent numbers, other blocked calling numbers and location information. These issues primarily concerned the exception under ss 291 and 302. This section considers these issues and whether the Telecommunications Act should be amended to protect a category of ‘specially protected information’.

Silent numbers and calling number display

72.136 In DP 72, the ALRC noted that Electronic Frontiers Australia had submitted that a number of telecommunications providers have been disclosing calling line identification (CLI) to some of their internet service provider (ISP) customers. CLI reportedly provides these ISPs with caller identification information regardless of whether permanent or per call blocking has been enabled on these lines. That is, the default blocking of calling number display (CND) for unlisted numbers and caller initiated blocking of CND are not operative by virtue of the arrangement of these carriers. [116]

72.137 Electronic Frontiers Australia made a complaint to the Australian Communications Authority (ACA) (now ACMA) and the OPC about telecommunications service providers disclosing CLI to some of their ISP customers. The ACA and the OPC found that some of these disclosures were not permitted under s 291. The OPC decided, however, that in the same circumstances where the ACA found that s 291 was not applicable, carriage service providers could use the s 289(1)(b)(i) exception to disclose information that is not permitted to be disclosed by s 291.[117]

72.138 In DP 72, the ALRC asked whether ss 291 and 302 should be amended to provide that silent and other blocked calling numbers can be used or disclosed only with a person’s consent.[118]

72.139 One stakeholder noted that, while it would be ideal to confine the exceptions so that the silent and other blocked calling numbers can be disclosed only with a person’s consent, it would not be practical. She noted that there are circumstances in which the disclosure of silent or blocked numbers is necessary for the provision of a requested service to the caller where it is impractical to obtain consent.[119]

72.140 She submitted that the problem arises when silent and other blocked calling number information is disclosed for purposes that are not necessary to connect the call. An example of an inappropriate purpose is when the calling number is disclosed beyond the terminating carrier’s call-terminating exchange, and disclosed to the called party. She submitted that such disclosure, without consent, is inappropriate regardless of whether the called party is an individual, business, or a dial-up ISP. She noted that:

Arguments put forward by those ISPs who contend that receipt of silent and other blocked calling number information is a ‘business need’ are no different from the arguments that could be put forward by, for example, a non-CSP business such as a dial-up telephone banking service. Dial-up ISP services are not so special that they should have special privileges to receive silent and other blocked calling number information without consent.[120]

72.141 In her view, s 291 should be amended to limit expressly the circumstances when silent and other blocked calling numbers can be used or disclosed. Such circumstances would arise only when it is necessary for the carriage of a telephone communication. She was also concerned that the exceptions under ss 279 and 296 (Performance of person’s duties) and s 289(1)(b)(i) (Knowledge of person concerned) may permit the use and disclosure of unlisted or other blocked calling numbers.[121]

72.142 Telecommunications service providers opposed any amendment of the exceptions under Part 13 to limit the use or disclosure of silent or other blocked calling numbers. Optus submitted that limiting s 291 to apply to only listed numbers would have ‘disastrous consequences’ for the telecommunications industry.[122] Telstra submitted that the disclosure of customer information, including silent numbers, is essential for services to be provided in the telecommunications market. Further, it argued that limiting disclosure of silent and other blocked calling numbers to other carriers or carriage service providers was inappropriate and would be detrimental to the customer. Telstra also noted that calling number display is regulated under an industry code.[123]

Location-based services

72.143 Stakeholders have raised concerns about whether certain exceptions under Part 13 provide adequate protection of location-based information.[124] Location-based services have been used for some time. There are a range of commercially offered location-based services. These are broadly divided into two categories:

  • ‘active’ or ‘pull’ services that are initiated by an action, such as an SMS, from the consumer requesting that a taxi be sent to the person’s present location; and

  • ‘passive’ or ‘push’ services that are not requested by the consumer.[125]

72.144 Examples of ‘active’ or ‘pull’ services would include certain numbers starting with ‘13’ (such as those used by taxi services or food delivery chains) that involve the use of location-based technology, and ‘triple 0’ emergency calls that capture location information.

72.145 ‘Passive’ or ‘push’ services may take the form of marketing distributed to consumers according to their whereabouts, or ‘tracking’ services initiated by third parties interested in the location of other individuals. These services are now offered in Australia, and include:

  • Optus ‘Friend FindA’. This service enables a person to find out the location of another person’s mobile phone if the other person has agreed to share their location with the first person;[126] and

  • Telstra’s Mobile Location Manager. This service provides location information about Telstra mobile phones and is available to any business or application provider that wishes to ‘location enable’ their applications.[127]

72.146 The Department of Communications, Information Technology and the Arts (DCITA)[128] considered location-based services in its review of the regulation of content delivered over convergent devices.[129] It noted that the use of active location-based services is likely to be taken as constituting informed consent. The review was concerned, however, that passive location-based services could be misused for illegal or inappropriate purposes if offered without appropriate safeguards.[130]

72.147 DCITA observed that s 291 of the Telecommunications Act may operate in certain circumstances to allow for the use and disclosure of location information without a user’s consent or knowledge. It suggested that an alternative means of protecting against the privacy and safety issues associated with passive services should be pursued. The review concluded that it would be appropriate to require the consent of an account holder before location information relating to any handsets operated under an account is used or disclosed.[131] It was noted that this approach was consistent with the requirements under the European Union (EU) Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector.[132]

72.148 The Communications Legislation Amendment (Content Services) Act 2007 (Cth) amended s 291 of the Telecommunications Act to provide that the use or disclosure by a person of information or a document is permitted if the information or document relates to the location of a mobile telephone handset or any other mobile communications device, and the person has consented to the disclosure or use.[133]

72.149 One stakeholder noted, however, that the amendment did not address the disclosure without consent of mobile phone or device location information to individuals and businesses that are not carriage service providers. She also noted that it is unclear whether the exceptions under ss 279 and 296 (Performance of person’s duties) and s 289(1)(b)(i) (Knowledge of person concerned) would allow the disclosure of location information without an individual’s consent. She submitted that these exceptions should be amended immediately to provide expressly that the disclosure of location information without consent is prohibited.[134]

A new exception?

72.150 One stakeholder submitted that Part 13 should be amended to establish a category of ‘specially protected information’ comprising information that is generated, or processed, by a telecommunications network for the purpose of carriage of a communication or billing. This includes information such as calling number information and location information about a mobile phone or other mobile communications device. It was submitted that the protection of this information is particularly important because:

  • individuals have no control over the generation of the information, and no way of preventing its use or disclosure unless a means is provided by a telecommunications service provider;

  • it is increasingly being used and disclosed for the provision of ‘value-added services’; and

  • the disclosure of such information without consent is privacy-invasive and potentially puts the safety of an individual at risk.[135]

72.151 It was submitted that the proposed new exception should state that ‘specially protected information’ is not permitted to be used or disclosed for any purpose, beyond what is strictly necessary for the transmission of a communication or billing, unless the person has consented to the use or disclosure in the circumstances concerned.[136]

72.152 The stakeholder argued that the exception should state that for the purposes of the exception, consent may be express or implied, and may be taken to be implied only if the service provider has provided the person on a permanent basis with a simple and free of charge means of preventing the use or disclosure of the information. The exception also should state that telecommunications service providers are prohibited from overriding a user’s choice to prevent use or disclosure, unless:

  • overriding the user’s choice to prevent disclosure is necessary to provide the information to a recognised emergency service (for example, an ‘000’ operator);

  • the use or disclosure is required or authorised by the Telecommunications (Interception and Access) Act; or

  • the use or disclosure is necessary for the transmission of a communication or billing.[137]

ALRC’s view

72.153 The ALRC is concerned that telecommunications service providers could use the exceptions under ss 291 and 302 of the Telecommunications Act, and possibly other exceptions under Part 13, to use or disclose sensitive information such as unlisted numbers, other blocked calling numbers and location information. While the recent amendments to s 291 deal with the use and disclosure of location information between telecommunications service providers, they do not address the use of this information between telecommunications service providers and third parties.

72.154 The ALRC sees merit in an amendment of the Telecommunications Act to regulate further the use and disclosure of unlisted numbers, blocked calling numbers and location information. In particular, the EU and the United Kingdom have recently enacted special laws to deal with the use and disclosure of location information.[138]

72.155 The ALRC does not, however, make a recommendation in relation to use or disclosure of unlisted numbers, blocked calling numbers and location information. The ALRC is concerned about any unforeseen consequences of regulating further the use and disclosure of this information. The ALRC has been advised that it may be difficult for telecommunications service providers to comply with laws relating to unlisted or blocked calling numbers. This is because an individual may be a customer of multiple telecommunications service providers, and one provider may not hold the same information about an individual as another. For example, it has been suggested that a telecommunications service provider will not always be aware that a number is unlisted, or that an individual has implemented calling number display blocking.

72.156 These issues should be considered as part of the review of telecommunications legislation recommended in Chapter 71. The ALRC notes that the use and disclosure of information held on the IPND to provide location dependent carriage services is currently being considered by the Australian Government.[139]

[116] Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[117] This issue was also discussed in I Graham, Submission PR 427, 9 December 2007.

[118] Australian Law Reform Commission, Review of Australian Privacy Law, DP 72 (2007), Question 63–4.

[119] I Graham, Submission PR 427, 9 December 2007.

[120] Ibid.

[121] Ibid.

[122] Optus, Submission PR 532, 21 December 2007.

[123] Telstra Corporation Limited, Submission PR 459, 11 December 2007. See Australian Communications Industry Forum, Industry Code—Calling Number Display, ACIF C522 (2007).

[124] I Graham, Submission PR 427, 9 December 2007; Electronic Frontiers Australia Inc, Submission PR 76, 8 January 2007.

[125] Australian Government Department of Communications, Information Technology and the Arts, Review of the Regulation of Content Delivered Over Convergent Devices (2006).

[126] Optus, ‘Friend FindA Help’ <www.mobile.optuszoo.com.au> at 23 April 2008.

[127] Telstra, ‘Mobile Location Manager’ <www.telstra.com.au> at 23 April 2008. Telstra also offers a location-based mobile workforce management solution that enables companies to automate employee timesheets, and to monitor job activity and physical location in real time: R Gedda, ‘Telstra Launches Mobile Workforce App’, CIO (online), 3 November 2006 <www.cio.com.au>, at 23 April 2008.

[128] Now the Department of Broadband, Communications and the Digital Economy.

[129] Australian Government Department of Communications, Information Technology and the Arts, Review of the Regulation of Content Delivered Over Convergent Devices (2006), 31–32.

[130] Ibid, 102.

[131] Ibid, 104–105.

[132] Ibid, 105. See European Parliament, Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, Directive 2002/58/EC (2002), arts 6–9. While this approach would provide sufficient safeguards to prevent abuse of passive location-based services with respect to adults, DCITA concluded that further measures will be required where services are offered that would identify the location of minors: Australian Government Department of Communications, Information Technology and the Arts, Review of the Regulation of Content Delivered Over Convergent Devices (2006), 104–105. Communications Alliance also considered privacy issues related to location-based services: Communications Alliance Ltd, Submission PR 198, 16 February 2007.

[133] Communications Legislation Amendment (Content Services) Act 2007 (Cth) sch 1, pt 1.

[134] I Graham, Submission PR 427, 9 December 2007.

[135] Ibid.

[136] Ibid.

[137] Ibid.

[138] See European Parliament, Directive Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector, Directive 2002/58/EC (2002), arts 6–9; Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK), r 14.

[139] Australian Government Department of Communications, Information Technology and the Arts, Use of IPND Information to Provide Location Dependent Carriage Services—Discussion Paper (2007).