Privacy Commissioner rules that “metadata” can be personal information

By Cynthia O’Donoghue, Kate Brimsted and Chantelle Taylor of Reed Smith Lawyers

After two years of campaigning, Fairfax journalist Ben Grubb finally got the decision he was seeking: metadata could be considered “personal information” under the Privacy Act 1988 (the ‘Privacy Act’).

The landmark decision by the Australian Privacy Commissioner came about after Grubb was refused access to metadata which is available to law enforcement agencies and councils, but not to individuals.  Telstra, the data controller in this case, refused access to some personal information described as “metadata” (namely, IP address information, URL information and cell tower location information beyond that retained for billing purposes) on the grounds that it was exempt under the Privacy Act.

The Australian Privacy Commissioner determined otherwise.  The Commissioner found that “personal information” includes information from which an individual may be “reasonably ascertained”.  He concluded that, where an organisation is able to link an individual to metadata it has collected by cross-matching information across its systems, the metadata falls within the definition of “personal information”.

This decision was based on the National Privacy Principles (‘NPP’) under the Privacy Act and not the Australian Privacy Principles (‘APP’) which came into force in 2014. However, given the APP did not significantly change the definition of personal information, it is predicted that more types of data could be considered personal information, and the decision is expected to carry substantial weight in future cases considered under the new regime.

This decision is likely to have a significant impact on large telecommunications companies holding substantial amounts of metadata; they will have to consider how data are stored, how they may be cross-referenced, and their capacity to perform such cross-referencing.  As a result, they could face increased costs in complying with the Privacy Act, as well as a possible rise in personal information requests requiring wider disclosure.

The implication of the decision extends beyond the telecommunications industry.  As Anna Johnston, former deputy privacy commissioner for New South Wales, put it, ‘any dataset which holds unit-record level data can potentially be linked to data from other sources, which can then lead to someone’s identity being ascertainable’.

With metadata categorised in this way, data controllers in Australia will have to assess whether the metadata they hold fall within the definition of personal information under the Privacy Act. Concerns have already been raised that uncertainty as to the personal nature of metadata could stifle innovation.

Organisations will not want to risk penalties (financial or otherwise) if they use data which could be classified as personal information.  For example, for “serious” or “repeated” interferences, the Commissioner may apply to the Federal Court or Federal Circuit Court for an order that the organisation pay a penalty of up to $340,000 for individuals or $1.7 million for corporations. Telstra has announced its intention to appeal and is being supported by the Communications Alliance, the industry body representing the communications industry, which has branded the decision a “regulatory overreach”.

Contact Cynthia at CODonoghue@ReedSmith.com or Kate on KBrimsted@ReedSmith.com