Metadata

Subscribe to Metadata

With all the focus on Brexit and the California Consumer Privacy Act (CCPA), there has not been much published about the draft e-Privacy regulation recently. Readers will remember that there had been plans to implement this companion legislation (which covers specific issues regarding cookies and direct marketing among other things), at the same time as the General Data Protection Regulation (GDPR). However, since the draft proposals proved (rightly) so controversial, this did not happen and the drafts have been chugging their way through compromise debates and revisions ever since.

Although some have begun to think that we may never see the legislation come to fruition, in fact there has been quite a lot of progress in the last six months. It is possible that a draft could be finalised by the EU Council by the summer (although it will still then need finalising with the EU Parliament and input from the European Commission).

Continue Reading Five things we still don’t know about the e-Privacy regulation (which are getting very annoying!)

After two years of campaigning, Fairfax journalist, Ben Grubb, finally got the decision he was seeking: metadata could be considered “personal information” under the Privacy Act 1988 (the ‘Privacy Act’).  The landmark decision by the Australian Privacy Commissioner came about after Grubb was refused access to metadata which is available to law enforcement agencies and councils, but not to individuals.  Telstra, the data controller in this case, refused access to some personal information described as “metadata” (namely, IP address information, URL information and cell tower location information beyond that retained for billing purposes) on the grounds that it was exempt under the Privacy Act.

The Australian Privacy Commissioner determined otherwise.  The Commissioner found that “personal information” includes information whereby an individual may be “reasonably ascertained” from that information.  He concluded that, where an organisation is able to link an individual to metadata it has collected via cross-matching information across its systems, the metadata falls within the definition of “personal information”. This decision was based on the National Privacy Principles (‘NPP’) under the Privacy Act and not the Australian Privacy Principles (‘APP’) which came into force in 2014. However, given the APP did not significantly change the definition of personal information, it is predicted that more types of data could be considered personal information, and the decision is expected to carry substantial weight in future cases considered under the new regime.

Continue Reading Australian Privacy Commissioner rules that “metadata” can be personal information