
Social Networking: the application of the Data Protection Framework

Social Networking: the application of the Data Protection Framework. Dr Rebecca Wong Nottingham Law School, NTU R.Wong@ntu.ac.uk. Outline. Background to Data Protection Directive 95/46/EC and Directive on Privacy Electronic Communications 2002/58/EC


Presentation Transcript


  1. Social Networking: the application of the Data Protection Framework Dr Rebecca Wong Nottingham Law School, NTU R.Wong@ntu.ac.uk

  2. Outline • Background to Data Protection Directive 95/46/EC and Directive on Privacy Electronic Communications 2002/58/EC • Case Study: Privacy dimensions to a social networking site • Questions

  3. Background • Interest in Data Protection Developments since 2001 • Progress of the Data Protection Directive 95/46/EC as implemented under the UK DPA 1998 • “Privacy” as concept

  4. Data Protection Directive 95/46/EC • Implementation by all the EU Member States • Data Protection Rules • Definitional difficulties • Art. 3.2 private purposes – applied differently in several EU Member States • ECJ’s decision in Lindqvist - defining point!

  5. Bodil Lindqvist (C-101/01) • Webpage created by an individual parish member • Included details of church members including one who had injured her foot • Required notification to the Swedish Data Inspection Board • ECJ – fell within the provisions of the DPD and Art. 8.1 interpreted broadly such that the injury to the foot constituted the processing of “sensitive data”; private purposes did not apply because webpage was accessible to anybody (not limited) - disagreement

  6. Source: Comscore: Social Networking Sites figures, 12 August 2008

  7. Social networking • Facebook killed the private life http://uk.youtube.com/watch?v=azIW1xjSTCo • Do you have a facebook? http://uk.youtube.com/watch?v=ZMWz3G_gPhU

  8. Data Protection Authorities • Sweden – Misuse-orientated approach – does it cause harm to the individual? Report published looking at social networking by the Data Inspection Board • UK – only a handful of complaints (5) • Germany – Federal Data Protection Authority, Federal Data Protection Act; Länder State Data Protection Act; Telemedia Act • Canada – Canadian Privacy Commissioner

  9. http://www.physorg.com/news143526570.html

  10. Specific Issues with SNS
      • Weaknesses of the Data Protection Directive 95/46/EC – broad definitions
      • Directive on Privacy and Electronic Communications 2002/58/EC – unclear scope to which SNS can be covered
      • “Data controller” to encompass individuals and organisations
      • “Private purposes” – Lindqvist
      • “Data retention” – Data Retention Directive 2006/24/EC – how long data is kept (min. of 6 months, maximum of 2 years (Art. 6)) – Art. 29 Working Party (6 months) (applicable to search engines)
        – Yahoo – 90 days retention (search log data; page clicks; ad views; ad clicks)
        – Google – 18 months (June 2007), 9 months (September 2008)
        – Microsoft – 6 months (December 2008)
        – Ixquick – deleted within 48 hours (IP addresses and search engines)

  11. Guidelines
      ENISA:
      • Review and Reinterpret Regulatory Framework: Social Networking was not around when current legislation (especially data protection law) was created. Clarification or even modification is needed in particular of the Dir. 2002/58 on privacy and electronic communications.
      • Increase Transparency of Data Handling Practices
      • Awareness-raising & education: recommendations include “real-time” education of users, campaigns for schools, security best practice training for software developers and security conscious corporate policy for SNS usage.
      • Discourage banning of SNS in schools: instead favouring co-ordinated campaigns to educate children, teachers and parents in a controlled and open way in safe usage of SNS.
      • Promote Portable Networks: allow users to move, control and syndicate their own data and privacy preferences between SNS.
      Other recommendations include Research into Mobile SNS and Convergence with virtual worlds. For full list of threats and recommendations, please refer to the Position Paper.
      International Working Group on Data Protection: Report and Guidance on Privacy in Social Network Services, 2008:
      • Risks associated with the use of SNS
      • Misleading notion of “community”
      • Giving away more personal information than you think you do
      • Allow for user control over secondary use of profile and traffic data
      • Misuse of profile data by third parties

  12. Social Networking • Indirect effect of social networking Yeoman, A. Facing up to facebook, Computers and Law, 2007, 18(4) 31-32: “Social networks such as Facebook pose a conundrum for employers. On the one hand their use can have a number of negative implications for the employer, such as potential damage to the employer’s reputation…Pictures of a recent drunken stag night are, of course, hugely amusing to the other members of the stag party but are less likely to generate confidence among that person’s professional contacts. Facebook can also damage productivity and waste system resource….Heavy usage, especially browsing photos or watching videos on the sites, can also impact on system performance.”

  13. Applause Store Productions & Anor v Raphael [2008] EWHC 1781 • Creation of a fictitious profile by D about F • Contained information that was defamatory • Personal details of F including his sexual orientation; birthday; political and religious views; • Group webpage created stating “Has F lied about you?” • Breach of misuse of private information – Damages of £22,000

  14. Unwanted disclosures (Educate people) • Oxford Student (don) (Alex Hill) – idea that FB settings were private • College student lost a summer internship when the company’s President saw that his FB lists ‘smokin blunts’ as an interest • Sandra Soroka’s example for saying “letting Will know it’s officially over via Facebook status” – story flooded across the internet

  15. SNS issues - Discussion Facebook and the Social Dynamics of Privacy, Professor J. Grimmelmann • Inefficiency of information flow – explicit privacy preferences • Leaving matters up to the market doesn’t produce an optimal outcome • “Better” privacy policies are irrelevant • “Better” technical controls make matters worse • Treating FB as a commercial data collector misconstrues the problem • Getting users “ownership” over the information they enter on FB is the worst idea

  16. Grimmelmann’s Proposals
      • Users’ good names are valuable. There’s a commercial reputational interest in one’s FB persona, and using that persona for marketing purposes without consent should be actionable.
      • Opt-outs need to be meaningful. People who don’t sign up for FB, or who sign up but then decide to quit, deserve to have their choice not to participate respected.
      • Unpredictable changes are dangerous. Changes that pull the rug out from under users’ expectations about privacy should be considered unfair trade practices.
      • Strip-mining social networks is bad for the social environment. Bribing users to use a social network site – for example, by giving them rewards when more of their friends sign up – creates unhealthy chain-letter dynamics that subvert people’s relationships with each other.
      • Education needs to reach the right audiences. Targeted efforts to explain a few key facts about social network site privacy in culturally appropriate ways could help head off some of the more common privacy goofs users make.

  17. SNS Issues • SNS – Case studies on privacy • Recommendations from ENISA and Data Protection Authorities; Art. 29 Working Party on SNS is the beginning • Academic opinions on this • Changes to the Data Protection Framework – Directive on Privacy and Electronic Communications is a start

  18. Recommendations
      • Revisit legal concepts – processing for private purposes ought to be revisited – decision in Lindqvist does not take account of the realities (ECJ) – not processing for private purposes – separate from the UK’s decision whereby it includes “recreation”, but other jurisdictions have had to change guidance to take account of this.
      • Application of “data controller” to be applied sensibly as the legal wording also includes “individuals” – leading to the potential that individuals may bring lawsuits against each other.
      • Directive 2002/58/EC on Privacy and Electronic Communications is likely to be amended to include “publicly accessible private networks” within the framework and the mandatory notification of “data security breaches” – few changes arising from this.
      • More developments on this front to consider privacy cases
      • Written rules are one thing… but the evolving understanding and recognition that protecting privacy in a technological sphere needs to be further strengthened, with exemptions drawn in – not simply the protection of “fundamental rights and freedoms” including privacy

  19. Concluding Thoughts The DP framework will have to adapt to the technological changes presented to it. Whilst users’ awareness has increased, this does not stop others (beyond their circle) from accessing their profiles, nor those within their circle from disclosing information about their peers. The sensible application of the framework is called for, whilst the differences in the application of certain issues (private/public spaces; data controller) should be addressed.

  20. Thank you for listening!
