All modern communications involve metadata.
Using the internet creates metadata. Interacting on social media creates metadata. Simply using your smartphone creates metadata.
If someone were to compile all your metadata they would be able to draw a detailed picture of your life including your interactions, behaviour, tendencies and more.
The protection of this data should be a paramount consideration for individuals and businesses alike.
But is your metadata considered ‘personal information’ and is that information being protected by Australian law?
What is the background?
On 19 January 2017, a decision was handed down by the full bench of the Federal Court that will likely have wide ranging ramifications on Australian privacy laws.
The decision of Privacy Commissioner v Telstra Corporation Limited stretches back to 2013 when Journalist Ben Grubb requested Telstra provide information they had retained about him pursuant to Australia’s mandatory data retention laws. That request included a request for ‘metadata’.
Telstra provided Mr Grubb with his customer and billing information but refused access to his metadata arguing it did not constitute “personal information” for the purposes of the Privacy Act 1988 (Cth) (‘the Act’).
Mr Grubb lodged a complaint with the Privacy Commissioner and this decision is the latest in a series of appeals.
The Court’s judgment centred on the question - is metadata classified as “personal information” about an individual?
What is metadata?
Metadata is the data our communications send that allow our communications to reach their intended recipient.
More importantly for today’s society, metadata includes the data generated by devices such as smartphones and computers.
This data includes IP addresses, URLs that we visit online, precise locations where we make calls, review emails and even check for social media updates.
It is the space between the atoms of our digital lives.
What is “personal information”?
In this case the Court considered an earlier definition of “personal information”. The Act previously defined “personal information” as “information about an individual whose identity is apparent, or can be reasonably ascertained, from the information”.
The current definition of “personal information” within the Act is “information or an opinion about an identified individual, or an individual who is reasonably identifiable”.
The fact that this ruling centred on an earlier definition casts some issue on the decision’s potential ramifications, though the prior and current definitions are similar in theme.
What was the Federal Court’s decision?
Throughout the case the Privacy Commissioner argued that the metadata held by Telstra was personal information as it could be linked to an individual subscriber and their billing information.
This argument suggested that the metadata was essentially a “data fingerprint” allowing the individual to be identified when linked with other information held by Telstra.
Telstra, on the other hand, argued that as Mr Grubb’s name or telephone number was not referenced in the metadata it was not “personal information” for the purposes of the Act. That is, Mr Grubb could not be identified from that information alone.
It is important to note that in its judgement the Court conceded that there is information that may only become “about” an individual when combined with other information.
Despite this, the Court decided that this metadata was not “about” the individual concerned as per the definition because the individual was not the subject matter of that data.
The Court took the view that the metadata in this case was about the service provided by Telstra to the individual rather than “about” the individual.
What does this mean for Australian Privacy Laws?
In its judgment the Court adopted a narrow definition of “personal information”, distinct from the broad definition the Privacy Commissioner was hoping for.
The Court its in decision overlooked the wide ranging possibilities of data linking different metadata to paint an overall picture of an individual.
As a result, Australia has been left with a privacy regime that will struggle to meet the realities of today’s technological society in the authors’ opinion.
Why does this matter?
Metadata is information all service providers like Telstra and Optus are required to store by law about every one of their customers. It is also marketing nirvana.
This is also the information the full Federal Court of Australia concluded was not “personal information” as defined by the Act.
If a narrow definition is adopted in future cases, then metadata will not be afforded protection under Australia’s current privacy regime.
If that proves to be the case, this decision will have effectively undermined Australia’s privacy laws causing the Privacy Act to fall short of fulfilling its purpose to Australian individuals.
Either way, there is a requirement of the legislation to either include or expressly exclude metadata to the application of the Privacy Act. Watch this space.
The authors would like to thank Mikaela Dooley for her contribution to this article.