News / Legal Brief

Information about information: why calls for the regulation of metadata are gaining traction in Europe

Apr 7,2021

Ahmore Burger-Smidt - Head of Regulatory

by Ahmore Burger-Smidt, Director and Head of Data Privacy Practice and member of Competition Law Practice; and Tristan Meyer, Candidate Attorney

  • In the European Union, metadata is a known data privacy problem. Data protection regulators are acutely aware of the risks posed by the unregulated processing or collection of metadata. The question is, in the context of South Africa, are companies and regulators sensitive to what metadata is, what its implications are, and why it is relevant in the data privacy regulatory space; and are any regulatory changes anticipated in light of international developments?
  • To take a step back, and for those of us who might be less tech savvy, metadata essentially refers to data concerning other data. This might seem a bit paradoxical at first, but on considering certain practical examples of metadata, the notion becomes a bit clearer. Examples of metadata would include the information which relates to an electronic file, such as the time at which the file or document was created, who the author was that created the file, what the file size is, where or how the file was created, and so forth. Historically, this area of data privacy law has been left largely unregulated. More recently, however, and likely owing to greater awareness of the potential risks it may pose if abused, there has been a considerable drive towards the regulation of metadata.

information abt infoSource: Dataedo[1]

  • The concern for regulators and private individuals alike is that metadata, much like data, can reveal sensitive and personal information about a user, which if left unregulated, would allow data processors to build a consumer or user profile which may relate to aspects of their lives such as their tastes, habits and day-to-day activities. This is because metadata includes “telephone numbers called, websites visited, geographical location, time, data and duration when an individual made a call”, for example.[2] This allows processors or analysts to build a consumer profile and draw accurate conclusions as to a particular data subject’s private life and social relationships, whereabouts and so forth.
  • Considering the above, EU regulators have recently published a draft ePrivacy Regulation (“draft Regulation”), which seeks to regulate this specific area of the law and provide further clarity on the meaning of different concepts in relation thereto.[3] South Africa currently has no ePrivacy regulation equivalent. But as discussed elsewhere, European data protection laws tend to set the tone for the rest of the world and also South African law.[4] As such, European developments remain particularly relevant for companies conducting activities in South Africa and who may soon be required to have more comprehensive privacy policies and notices in place which specifically refer to how they intend on dealing with a user’s metadata collected via its website, for example.

ePrivacy Regulation: on Metadata

  • What then, are some of the key amendments proposed by the draft Regulation in relation to metadata? In its current form, the regulation first and foremost makes it permissible for electronic communications metadata to be processed, and for that processed information to be stored and collected using terminal equipment from the end-user’s terminal.[5]
  • It also creates additional safeguards for individual privacy by requiring that a “data protection impact assessment” is conducted as well as a “consultation of the supervisory authority” prior to any processing of metadata, where such processing of metadata is “likely to result in a high risk to the rights and freedoms of natural persons”.[6]
  • A further aspect which the draft Regulation sheds light on is the concept of ‘location data’. In terms of the draft regulation, location data is defined as “data processed by means of an electronic communications network or service, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service”.[7] The processing of location data is particularly useful in circumstances where, for instance, a spam caller needs to be traced or where emergency services need to respond to persons critically injured or in critical danger. Indeed, the draft Regulation goes so far as to say that under such circumstances of nuisance call tracing or emergency situations, measures such as call line identification would in fact constitute a justifiable limitations or restriction on the right to privacy.[8]
  • Whilst many people tend to think of consent as the predominant basis in terms of which metadata (or even data for that matter) may be processed, various other lesser-known acceptable reasons for processing do exist.[9] According the draft Regulation, some of these would include:
    • where such processing is necessary for the performance of an electronic communications service contract;
    • where the processing is compatible with the initial reason for collection; and
    • the protection of a vital interest.[10]
  • To elaborate, the draft Regulation has first and foremost included ‘performance of a contract’ as an acceptable legal basis in terms of which metadata may be processed. Secondly, it states that metadata may be processed, for reasons unrelated to that for which the metadata was initially collected, where the processing of such metadata is in nevertheless in accordance with (or compatible with) “the purposes for which the metadata [was] initially collected [for]”.[11] Thirdly, where humanitarian purposes or disasters (presumably such as Covid-19) and other phenomena pose a threat to a vital interest, the processing of such metadata in order to protect such an interest is also permissible.[12]
  • In order to safeguard the above, the end-user must still be provided with the requisite information concerning such processing activities, and would still have the right to object to such processing, in terms of the draft Regulation[13].
  • In order to realise the importance or relevance of metadata from a commercial perspective, one would merely have to consider a few practical examples of commercial usages of such metadata, such as:
    • Heat maps, which are data visualisation techniques which display the extent of a phenomenon through colours (e.g. a footballer’s heat map showing where he/she has spent most of his/her time on the pitch);
    • Traffic movements in specific locations at specific times (e.g. when you use a GPS navigation app and it gives you the ability to alert other drivers of police presence at particular intersection);
    • Emergency services applications – examples which spring to mind are that of Namola, ReactPlus or Discovery Insure.
  • Without the processing of metadata, these benefits would not be available for the end-user. Insisting on anonymity of information is also not necessarily a solution to this problem of metadata processing as one’s identity is often required in order for the metadata collected to have any significance or relevance (e.g. it would not be possible to track one’s movements without a specific identifier in the form of metadata).
  • All in all, fresh regulatory changes are on the horizon when it comes to the use of metadata and therefore South African companies ought to be prepared for when these translate into South African law.

[1] https://dataedo.com/kb/data-glossary/what-is-metadata

[2] ePrivacy regulation (Council doc. 5642/21).

[3] Published on 5 January 2021.

[4] See for instance https://www.werksmans.com/legal-updates-and-opinions/thats-the-way-the-cookie-banner-crumbles-draft-eu-eprivacy-regulation-seeks-to-reform-the-cookies-recipe/ .

[5] Recital (17aa) of the Regulation.

[6] Recital (17) – Page 7, paragraph 37.

[7] Article 4(3)(j); Lewis and Bockius op cit note 4.

[8] Recital 27 of the draft Regulation.

[9] For a consideration of what consent means in the context of data protection and particularly in relation to cookies, see too our  article available at https://www.werksmans.com/legal-updates-and-opinions/thats-the-way-the-cookie-banner-crumbles-draft-eu-eprivacy-regulation-seeks-to-reform-the-cookies-recipe/ .

[10] Page 6, paragraph 32.

[11] Recital (17aa) of the draft Regulation; Brett Lawrence, Hall Booth Smith, P.C., “European Union: EU Council Releases Draft ePrivacy Regulation” dated 14 January 2021 available at: https://www.mondaq.com/unitedstates/data-protection/1025306/eu-council-releases-draft-eprivacy-regulation.

[12] Recital (17a) of the draft Regulation.

[13] Recital (17aa) of the draft Regulation.