March 2017

Give me my metadata!

Every day, we create 2.5 quintillion bytes of data – that’s a number with 18 zeros. This data comes from everywhere: sensors used to gather information about the performance of your car, posts to social media sites, digital pictures and videos, shopping transaction records, and cell phone GPS signals, to name a few.

There is even a category of data called metadata, which is basically data about data. Examples include information about a particular music file, like the name of the artist, album and song title, or the precise time and location that a person made a call from their mobile phone.

While most businesses understand that they have obligations under the Privacy Act[1] in respect of people’s names and other contact details, many have not considered what obligations they might have under the Privacy Act in respect of any metadata collected.  

This was recently considered in the Federal Court case, Privacy Commissioner v Telstra Corporation Limited.[2]

What information is regulated by the Privacy Act?

The Privacy Act protects an individual’s privacy by regulating the ways that businesses may collect, store and disclose ‘personal information’ about that individual.

‘Personal information’ is information or opinion about an identified (or reasonably identifiable) individual, whether or not the information or opinion is true, and whether or not it is recorded in a material form.[3]

The Privacy Act does not define or refer to metadata.  So, for a business to have obligations under the Privacy Act in respect of metadata, the metadata would need to fall within the above definition of ‘personal information’.

Is metadata ‘personal information’?

The Federal Court considered this question in Privacy Commissioner v Telstra Corporation Limited.

The case arose when Mr Grubb, a journalist, requested access to all metadata that Telstra Corporation Limited (Telstra) had stored about his mobile phone service. Under the Privacy Act, an entity that holds personal information about an individual must give access to the information where the relevant individual requests it.[4]

Telstra provided Mr Grubb with access to some of the metadata requested (including outgoing call records, SMS messages, bills relating to his account and all of the personal information in his customer relationship management account), but disputed that it had any obligation to provide him with access to its mobile network data – which was metadata about the mobile network and caller location.

Mr Grubb made a complaint to the Privacy Commissioner about Telstra’s failure to provide the mobile network data requested. The Privacy Commissioner held that Telstra had breached its obligations to provide access to personal information under the Privacy Act. Telstra applied to the Administrative Appeals Tribunal (AAT) for this decision to be reviewed.

The AAT found that to determine whether Telstra had breached its obligations under the Privacy Act it had to:

  1. first determine whether the information or opinion sought was ‘about an individual’; and

  2. then determine whether the identity of the individual was apparent or could be reasonably ascertained from that information or opinion.[5]

The AAT held that the mobile network data requested by Mr Grubb was not about Mr Grubb personally; rather, it was about the service being provided by Telstra to Mr Grubb. The AAT concluded:

Once his call or message was transmitted from the first cell that received it from his mobile device, the data that was generated was directed to delivering the call or message to its intended recipient. That data is no longer about Mr Grubb or the fact that he made a call or sent a message or about the number or address to which he sent it. It is not about the content of the call or the message. The data is all about the way in which Telstra delivers the call or the message. That is not about Mr Grubb. It could be said that the mobile network data relates to the way in which Telstra delivers the service or product for which Mr Grubb pays. That does not make the data information about Mr Grubb. It is information about the service it provides to Mr Grubb not about him.

Accordingly, the AAT held that the mobile network data was not ‘personal information’ under the Privacy Act and that there was no requirement for Telstra to provide Mr Grubb with access to that particular type of metadata.

The Privacy Commissioner appealed this decision on the basis that the AAT had incorrectly applied the relevant legal principles when it restricted the definition of ‘personal information’ to information ‘about an individual’. The Privacy Commissioner did not appeal the issue of whether or not the metadata was ‘about’ Mr Grubb.

The Federal Court ultimately held that the AAT correctly applied the relevant legal principles when it decided that information needs to be ‘about an individual’ in order to be considered personal information.

So what does this mean?

This case means that metadata will be considered to be ‘personal information’ if it is ‘about an individual’ (rather than the product or service being supplied to the individual). This confirms the view long held by lawyers and academics who specialise in this area of the law.

However, for many businesses it may come as a surprise that ‘personal information’ can include much more than an individual’s name or contact details. 

This case highlights the need for a business to really think about the information (including metadata) that it collects, to consider whether it is ‘about an individual’ and, if so, to ensure that it treats that information in accordance with its obligations under the Privacy Act.

If you are a business collecting personal information and you would like advice about what information you might be required to make available to an individual under the Privacy Act, please contact us.

Authors: Priti Joshi & Michael Cossetto

 

[1] Privacy Act 1988 (Cth) (Privacy Act).

[2] Privacy Commissioner v Telstra Corporation Limited [2017] FCAFC 4.

[3] Privacy Act, s 6.

[4] Australian Privacy Principle 12.1, Privacy Act Schedule 1 (however, Mr Grubb relied on National Privacy Principle 6.1, Schedule 3 of the Privacy Act which was in force at the relevant time).

[5] Mr Grubb’s request related to events that occurred before the definition of ‘personal information’ was amended on 12 March 2014.  This second question posed by the AAT was based on wording found in the old definition of ‘personal information’.