Facing facts

Most users of social networking websites such as Facebook have no idea how their personal data can be used. It’s time to educate them on the risks, says Kevin Calder

It is a good time to be writing about data protection and privacy. Generally, no one gets excited if you say you are a lawyer working on data protection issues, but there is now a new spotlight on the topic.

This is mainly down to HM Revenue & Customs (HMRC) losing discs containing the confidential personal details of 25 million child benefit recipients. Thank you, HMRC.

Another topical data protection issue, with a similar amount of excitement among those affected, but not quite the same press coverage, is Facebook Beacon.

This function enables your ‘friends’ on Facebook to see the purchases you make through associated third-party retailer websites, as details of the purchases are automatically posted to their Facebook news feed.

It is a creative idea, but one that has had to be revamped and an apology made by founder Mark Zuckerberg. Why? The data was made available without the users involved ‘opting in’.

Much of the growth of the internet is being driven by social networking and the exchange of personal information, and sites such as MySpace, Facebook and Flickr are examples of the increasing trend for giving large amounts of personal data away. But social networking sites have created a new challenge for data protection lawyers for a number of reasons.

Opting out

First, users are often surprised by what can be done with the personal data they make available online. Many do not understand the full implications of moving from a private conversation between two individuals to a chat via a Facebook ‘wall’, which is visible to a much wider audience.

The privacy policies that are intended to provide full information on the proposed uses of personal data can be lengthy and legalistic, and as a result users rarely read them in full.

Another issue is that it is common for social networking sites not to require an ‘opt in’. Given that users demand rapid access to the features of a website, designers of social networking tools frequently do not trouble their users with having to worry about ticking boxes or reviewing privacy options.

Given the emphasis on sharing data, the default settings of many sites allow full sharing and maximum access to data that is uploaded. There is often a lack of clarity on what privacy settings are available and how to change them.

Facebook’s ‘networks’ neatly illustrate the problem. Users (having agreed to terms of use, including detailed data protection provisions) can upload personal data, which often includes images of both themselves and their friends, and are then encouraged to join relevant networks, such as a network covering a local area. One example is the London network, which has more than a million members.

There are a number of settings that you can vary relating to networks. One of these allows all the members of the network to view your content. This can result in a huge audience for your personal photos, far larger than intended, which is a particular problem if you would not want colleagues or your employer to see the content.

This is an issue not only for the account holder but also for those whose personal data appears in the photos, since such images are often ‘tagged’ with their names for easier identification.

The legislation

The EU legislative framework protecting personal data has not been updated to address the new issues posed by social networking websites. One challenge to the legislators is that a number of the major social networking websites are based wholly on servers outside the EU.

The UK data protection legislation bites on personal data that is processed in the UK (whether or not relating to UK-domiciled data subjects), but does not apply to data transferred by the data subject outside the UK and then processed on servers based overseas.

Where the Data Protection Act 1998 does apply, at first glance it copes reasonably well with social networking. The concepts are broad and no specific technical means, for example for obtaining user ‘consent’, are set out. In June 2007 the Information Commissioner issued guidance on the act’s application to the collection of personal data through websites.

However, one concern, highlighted in the wake of the HMRC incident, is the extent of the Information Commissioner’s investigatory and enforcement powers and the limited sanctions available for breach of the act. The commissioner’s inspection powers look set to be improved, but are not yet of the same order as the powers given to other enforcement authorities.

There have also been calls for a criminal offence to be created for those who breach the act. At present the main incentive to comply with the act is the fear of adverse press rather than any threat of penalty or criminal sanction.

Too little, too late?

Although the act’s concepts provide a good foundation for protecting a vulnerable public faced with new means to disseminate their data, there are calls for the Information Commissioner and equivalent agencies to be more proactive in publicising the issues and risks arising from social networking sites.

The UK Government has taken some steps to address the problem of user understanding – government-backed campaign group Get Safe Online provides detailed advice on maintaining online privacy, but much of the focus is on not disclosing personal information at all. For those on Facebook, the horse may have already bolted from that particular stable.

The Information Commissioner’s own research, published last November, suggests that in the UK more than four million young people would not want a college, university or potential employer to carry out an online search on them owing to data on social networking sites. The commissioner has now launched a website to educate young people on the risks.

Further guidance would be welcome on the process to be followed to obtain informed consent under the act, particularly where the personal data is to be widely disseminated. In a December 2007 report, think-tank Demos recommended that a new “common sense test” be used for privacy statements, with a move away from “established legalistic policies” and jargon.

According to the European Network and Information Security Agency (ENISA), social networking sites themselves could do more to educate users and to be transparent about their data-handling practices. ENISA’s ‘Security Issues and Recommendations for Online Social Networks’ report advocates the use of safe default privacy settings, given that default settings are rarely changed.

Social networking sites often rely on wording buried in a privacy policy. The extent to which this works as informed consent has not yet been tested, but the Information Commissioner’s guidance states: “It is not enough simply to say ‘click here to see our privacy statement’.”

The commissioner advocates a ‘layered’ approach, where a detailed data protection notice is provided as well as a condensed notice.

Be informed

Given that privacy and data protection have more public attention than ever before, there is a real opportunity to strengthen the enforcement and remedies available for breach of data protection principles, and for clear guidance to be given to social networking sites on good practice in obtaining the informed consent of users to how their data will be used.

In the meantime, users would do well to go back and read Facebook’s latest privacy policy. Do you know what Facebook – not to mention any third-party providers of Facebook applications – is entitled to do with your photos?

Kevin Calder is a partner at Mills & Reeve