A request that is hard to swallow? Government gets a whiff of their own ‘metadata medicine’

The UK Information Commissioner’s Office (ICO) has held that requests for metadata are capable of being valid under the Freedom of Information 2000 (FOIA), in particular its section 8 dealing with the form of requests.

The facts of the ICO’s decision involved an appeal from a complainant who asked the Home Office to provide them with “metadata” relating to all emails sent and received by the Home Secretary’s official account during a specified one-week period. The FOIA request also asks that the request response be formatted as a register of information with each item of email correspondence marked with the following: time; data; sender; recipient(s); subject header; and, name of any attachment. These are categories of application-level metadata, rather than network-level metadata, the former of which as Sophie recently pointed out is more intrusive than the latter.

The Home Office refused the request as invalid on the basis that a request must describe the information requested pursuant to section 8 of FOIA. However, the ICO found that that this requirement “does not require a requester to specify the subject matter of the information they seek. Whilst it provides that the request must describe the information sought, it places no restriction on the form of that description” (paragraph 10).

Ultimately, the information was not disclosed on the basis that the request was found to be vexatious under section 14(1) of FOIA. This means that, whilst the request was valid for the purposes of section 8, the Home Office was not obliged to comply with it. The reasons given were that the request involved a “fishing expedition” request, very likely to encompass information of limited value only. As such, complying with the request would impose a disproportionate burden on the Home Office. Nevertheless, the ICO notes that the complainant could resubmit the request for reconsideration if it was refined by asking for emails on a specific topic.

A few additional points are worthy of note.

• First, a notable omission in the decision is reference to section 40 of FOIA, by virtue of which information may be lawfully withheld if it constitutes personal data that is subject to data protection laws. It seems strange that this was not mentioned.

• Second, the decision raises concerns over the use of the term ‘metadata’ according to a very broad definition (e.g. “data about data, either computer or human generated”) in a decision with legal effect. As Sophie’s post earlier this month points out, the term ‘metadata’ is noticeably absent in legal rules. The implicit adoption of a broad definition, however, militates against a more technologically-savvy acknowledgement of the diversity of different types of metadata categories: in particular, the distinction between network-layer and application-layer metadata categories. Conflation of these different categories blurs the line between the content of communications and mere traffic data in a potentially misleading and misleading way, e.g. when the effects of a legal instrument depend upon the scope of the metadata category to which it could apply and those categories to which it would not apply.

• Third, this decision also highlights the perceived importance of metadata (in particular, application-layer metadata) in its deemed capacity to provide a detailed insight into the private life of individuals. The Snowden revelations last year were a hard wake-up call for many about the way that intelligence services make use of our communications metadata. The issue has been a bitter pill for many EU Member States to swallow since the European Court of Justice’s reminder this year that proportionately must be maintained in respect of the purpose for metadata’s collection and the retention period imposed upon electronic communications providers in their implementation of the now defunct EU Data Retention Directive.

Alison Knight