social networking the application of the data protection framework l.
Skip this Video
Loading SlideShow in 5 Seconds..
Social Networking: the application of the Data Protection Framework PowerPoint Presentation
Download Presentation
Social Networking: the application of the Data Protection Framework

Loading in 2 Seconds...

play fullscreen
1 / 20

Social Networking: the application of the Data Protection Framework - PowerPoint PPT Presentation

  • Uploaded on

Social Networking: the application of the Data Protection Framework. Dr Rebecca Wong Nottingham Law School, NTU Outline. Background to Data Protection Directive 95/46/EC and Directive on Privacy Electronic Communications 2002/58/EC

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Social Networking: the application of the Data Protection Framework' - koen

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
social networking the application of the data protection framework

Social Networking: the application of the Data Protection Framework

Dr Rebecca Wong

Nottingham Law School, NTU

  • Background to Data Protection Directive 95/46/EC and Directive on Privacy Electronic Communications 2002/58/EC
  • Case Study: Privacy dimensions to a social networking site
  • Questions
  • Interest in Data Protection Developments since 2001
  • Progress of the Data Protection Directive 95/46/EC as implemented under the UK DPA 1998
  • “Privacy” as concept
data protection directive 95 46 ec
Data Protection Directive 95/46/EC
  • Implementation by all the EU Member States
  • Data Protection Rules
  • Definitional difficulties
  • Art. 3.2 private purposes – applied differently in several EU Member States
  • ECJ’s decision in Lindqvist - defining point!
bodil lindqvist c 101 01
Bodil Lindqvist (C-101/01)
  • Webpage created by an individual parish member
  • Included details of church members including one who had injured her foot
  • Required notification to the Swedish Data Inspection Board
  • ECJ – fell within the provisions of the DPD and Art. 8.1 interpreted broadly such that the injury to the foot constituted the processing of “sensitive data”; private purposes did not apply because webpage was accessible to anybody (not limited) - disagreement
social networking
Social networking
  • Facebook killed the private life

  • Do you have a facebook?
data protection authorities
Data Protection Authorities
  • Sweden – Misuse-orientated approach – does it cause harm to the individual? Report published looking at social networking by the Data Inspection Board
  • UK – only a handful of complaints (5)
  • Germany – Federal Data Protection Authority, Federal Data Protection Act; Länder State Data Protection Act; Telemedia Act
  • Canada – Canadian Privacy Commissioner
specific issues with sns
Specific Issues with SNS
  • Weaknesses of the Data Protection Directive 95/46/EC – broad definitions
  • Directive on Privacy and Electronic Communications 2002/58/EC – unclear scope to which SNS can be covered
  • “Data controller” to encompass individuals and organisations
  • “Private purposes” – Lindqvist
  • “Data retentions” – Data Retentions Directive 2006/24/EC – how long data is kept (min. of 6 months, maximum of 2 years (Art. 6)) – Art. 29 Working Party (6 months) (applicable to search engines)

Yahoo – 90 days retention (search log data; page clicks; ad views; ad clicks)

Google – 18 months (June 2007) 9 months (September 2008)

Microsoft – 6 months (December 2008)

Ixquick – deleted with 48 hours (IP addresses and search engines)



  • Review and Reinterpret Regulatory Framework: Social Networking was not around when current legislation (especially data protection law) was created. Clarification or even modification is needed in particular of the Dir. 2002/58 on privacy and electronic communications.
  • Increase Transparency of Data Handling Practices
  • Awareness-raising & education: recommendations include “real-time” education of users, campaigns for schools, security best practice training for software developers and security conscious corporate policy for SNS usage.
  • Discourage banning of SNS in schools: instead favouring co-ordinated campaigns to educate children, teachers and parents in a controlled and open way in safe usage of SNS.
  • Promote Portable Networks: allow users to move, control and syndicate their own data and privacy preferences between SNS. Other recommendations include Research into Mobile SNS and Convergence with virtual worlds. For full list of threats and recommendations, please refer to the Position Paper

International Working Group on Data Protection:

Report and Guidance on Privacy in Social Network Services, 2008

  • Risks associated with the use of SNS
  • Misleading notion of “community”
  • Giving away personal information more than you think you do
  • Allow for user control over secondary use of profile and traffic data
  • Misuse of profile data by third parties
social networking12
Social Networking
  • Indirect effect of social networking

Yeoman, A. Facing up to facebook, Computers and Law, 2007, 18(4) 31-32:

“Social networks such as Facebook pose a conundrum for employers. On the one hand their use can have a number of negative implications for the employer, such as potential damage to the employer’s reputation…Pictures of a recent drunken stag night are, of course, hugely amusing to the other members of the stag party but are less likely to generate confidence among that person’s professional contacts. Facebook can also damage productivity and waste system resource….Heavy usage, especially browsing photos or watching videos on the sites, can also impact on system performance.”

applause store productions anor v raphael 2008 ewhc 1781
Applause Store Productions & Anor v Raphael [2008] EWHC 1781
  • Creation of a fictitious profile by D about F
  • Contained information that was defamatory
  • Personal details of F including his sexual orientation; birthday; political and religious views;
  • Group webpage created stating “Has F lied about you?”
  • Breach of misuse of private information – Damages of £22,000
unwanted disclosures educate people
Unwanted disclosures (Educate people)
  • Oxford Student (don) (Alex Hill) – idea that FB settings were private
  • College student lost a summer internship when the company’s President saw that his FB lists ‘smokin blunts’ as an interest
  • Sandra Soroka’s example for saying “letting Will know it’s officially over via Facebook status” – story flooded across the internet
sns issues discussion
SNS issues - Discussion

Facebook and the Social Dynamics of Privacy,

Professor J. Grimmelmann

  • Inefficiency of information flow – explicit privacy preferences
  • Leaving matters up to the market doesn’t produce an optimal outcome
  • “Better” privacy policies are irrelevant
  • “Better” technical controls make matters worse
  • Treating FB as a commercial data collector misconstrues the problem
  • Getting users “ownership” over the information they enter on FB is the worst idea”
grimmelmann s proposals
Grimmelmann’s Proposals
  • Users’ good names are valuable. There’s a commercial reputational interest in one’s FB persona, and using that persona for marketing purposes without consent should be actionable.
  • Opt-outs need to be meaningful. People who don’t sign up for FB, or who sign up but then decide to quit, deserve to have their choice not to participate respected.
  • Unpredictable changes are dangerous. Changes that pull the rug out from under users’ expectations about privacy should be considered unfair trade practices.
  • Strip-mining social networks is bad for the social environment. Bribing users to use a social network site – for example, by giving them rewards when more of their friends sign up – creates unhealthy chain-letter dynamics that subvert people’s relationships with each other.
  • Education needs to reach the right audiences. Targeted efforts to explain a few key facts about social network site privacy in culturally appropriate ways could help head off some of the more common privacy goofs users make.

SNS Issues

  • SNS – Case studies on privacy
  • Recommendations from ENISA and Data Protection Authorities; Art. 29 Working Party on SNS is the beginning
  • Academic opinions on this
  • Changes to the Data Protection Framework – Directive on Privacy and Electronic Communications is a start
  • Revisit legal concepts – processing for private purposes ought to be revisited – decision in Lindqvist does not take account of the realities (ECJ) – not processing for private purposes – separate from the UK’s decision whereby it includes “recreation”, but other jurisdictions have had to change guidance to take account of this.
  • Application of “data controller” to be applied sensibly as the legal wording also includes “individuals” – leading to the potential the individuals may bring lawsuits against each other.
  • Directive 2002/58/EC on Privacy and Electronic Communications is likely to be amended to include “publicly accessible private networks” within the framework and the mandatory notification of “data security breaches” – few changes arising from this.
  • More developments on this front to consider privacy cases
  • Written rules is one thing….but rather the evolving understanding and recognition the protecting privacy in a technological sphere needs to be further strengthened with exemptions drawn in – not simply the protection of “fundamental rights and freedoms” including privacy

Concluding Thoughts

The DP framework will have to adapt to the technological changes presented to them. Whilst users’ awareness has increased, it does not diminish others (beyond their circle) from accessing their profiles nor within their circle to disclose information about their peers. The sensible application of the framework is called for, whilst the differences in the application of certain issues (private/public spaces; data controller) should be addressed.