The UK Information Commissioner’s Office (“ICO”) has published guidance on the application of the Data Protection Act 1998 (“DPA”) to social networking sites and online forums. The guidance emphasizes that organizations and individuals that process data for non-personal purposes must comply with DPA requirements in their use of social networking sites and online forums just as they would in any other context.
Under Section 36 of the DPA, individuals who process personal data for their personal, family or household affairs are exempt from complying with the obligations of the DPA with respect to such processing. This exemption does not, however, apply to processing by organizations, nor to individuals processing personal data for business purposes (e.g., operating as a sole trader).
Application of the Data Protection Act 1998
The DPA applies to any individual or organization that determines (alone or jointly) the purposes for which and manner in which personal data are processed (“data controllers”). The guidance underscores that a site operator will be considered a data controller if it processes contact information of its users or subscribers. Whether a site operator acts as a data controller in relation to personal data posted on its website depends on a number of factors, in particular whether the site operator moderates content before it is posted, or if users are able to post content directly, but only in accordance with site rules (and the site operator may immediately remove any content breaching those rules). Where the site operator acts as a data controller, it must take reasonable steps to ensure that posted personal data presented as a matter of fact (as opposed to an expression of opinion) are accurate and up-to-date. The ICO’s expectations in terms of “reasonable steps” will depend on the circumstances. Where the vast majority of site content is posted directly by third parties, the volume of posts is significant, and the site content is not moderated in advance, “reasonable steps” would not include checking the accuracy of individual posts, but would include:
- having a clear and prominent acceptable use policy;
- having clear and easy to find procedures for individuals who wish to dispute the accuracy of posts relating to them and request the removal of such posts;
- responding to accuracy disputes quickly; and,
- having procedures to suspend or remove disputed content.
Individuals who have complaints about their personal data posted on a site can contact the ICO, but should first contact the website administrator or the individual or organization responsible for the post. Further, the guidance clarifies that the ICO will not take any action with respect to complaints made against individuals processing personal data for personal purposes, no matter how unfair, derogatory or distressing the content.
The guidance also identifies other UK laws that may be relevant to social networking sites and online forums, including the Protection from Harassment Act 1997, the Malicious Communications Act 1988 and the common law of defamation.
Application of the Personal Purposes Exemption
In practice, organizations tend to focus more on their compliance obligations with respect to more established forms of online media, such as corporate websites, than they do when it comes to new media. The guidance makes clear, however, that organizations’ obligations under the DPA remain the same, specifically referencing organizations using social media to:
- post personal data on their own or a third party’s website (e.g., posting customer reviews or “I just bought…” advertisements);
- download personal data from a third party website (e.g., data scraping from public profiles); or,
- run a website allowing users to publish comments and posts, such as a blog.
Whether an individual’s use of online media is considered personal or non-personal depends on the particular facts. A sole trader setting up a website to promote his or her own business, including customer reviews, would constitute a non-personal, business purpose. An individual selling a few possessions online and messaging prospective buyers through an auction site would constitute a personal purpose exempt under Section 36, notwithstanding the fact that the individual will earn money from the sales.
The guidance also addresses the status of groups of individuals, such as clubs and societies, that create sites for their shared recreational purposes. An example of this type of shared site might be a photo-sharing webpage for friends to compile pictures from a group holiday. For those types of groups, the Section 36 exemption will still apply. A group-developed site with an evolving membership is less likely to qualify for the personal purposes exemption, since a group that exists independent of specific individuals is more likely to process personal data for its own purposes as opposed to the personal purposes of individual members. In relation to processing by groups, the presence of the following factors makes it less likely that the personal purposes exemption will apply:
- the site is commercial and generates income through subscription or advertising;
- the site has been set up to pursue a professional or commercial objective;
- personal data are processed for the purposes of the group itself, rather than for the purposes of its individual members;
- personal data are posted by the group, rather than by individuals;
- the group is separately legally constituted in some way;
- the group would continue to exist even if its membership changed; or,
- the group has its own set of rules, which exist separately from its members.
Conclusions
This new guidance will no doubt serve as a timely reminder to organizations that they must comply with data protection requirements with respect to all their processing activities, including corporate social media accounts, microsites and blogs. It also may signal that the ICO intends to focus its attention more on online operators and their processing activities.
Although this guidance focuses on the personal purposes exemption with respect to social media, there also is clear overlap with the Section 32 exemption (applicable to data processing for the purposes of journalism, art, literature and the public interest). In accordance with a recommendation contained in the Leveson Inquiry, the ICO will publish guidance on the Section 32 exemption shortly.