Internet Newsletter for Lawyers
It is sometimes difficult to comprehend how, in the not too distant past, anyone could book a
hotel without looking at TripAdvisor or could invite someone out for lunch without checking a
user review published in Toptable or london-eating. Today, we rely on the collective wisdom
of total strangers (although not necessarily to the operator of the website) to make important
decisions like where to stay during a holiday abroad or where to take a key client for lunch. This
is the spirit of Web 2.0 – the latest reincarnation of e-business and one that is proving very
rewarding for a new breed of hugely popular websites.
As in the old days of e-commerce, the operators of these Web 2.0 sites only want to use the
opportunities presented by the web to foster their creativity and entrepreneurial skills. In the
meantime – as was also the case with the first generation of e-commerce websites – the law
struggles to catch up and creates uncomfortable situations for those managing the Web 2.0
businesses. The law dealing with privacy and data protection presents a number of challenges
which are not exactly new, but which take on a different dimension in a Web 2.0 environment.
Even in the UK, where the courts in recent years have adopted a very narrow interpretation of
the concept of personal data, that type of information will be sufficient to be caught by data
protection law. The situation becomes less clear where the only information available to the
operator of a Web 2.0 website or the users of that site is just a name (real or fake) and no other
information about the identity of the individual. By and large, where the information is unlikely
to reveal the identity of an individual who cannot be approached or targeted in any way by
someone else (including the operator of the site), that will not be personal data in the UK.
However, a number of EU countries are unrepentant about the fact that the “identifiable”
element in the definition of personal data should apply irrespective of who can identify the
individual. This means that the operator of a website may not be able to identify an individual
from the data it holds alone, but the fact that another party can do so will turn the data held by the
website into personal data. The implications of this approach for Web 2.0 businesses are
devastating and could eliminate the privacy friendly side of anonymous data processing. This
is particularly worrying since the Article 29 Working Party – which comprises all EU data
protection authorities – is currently looking to adopt a uniform interpretation of the concept of
personal data which looks likely to be very wide when compared to the UK approach.
Getting back to basics for a moment, under the fair processing obligations of the UK Data
Protection Act organisations must make available to the individuals whose personal data is
collected the following information:
• the identity of the organisation;
• contact details for the organisation’s data protection representative (if any);
• the purposes for which data is intended to be processed;
• any other relevant information (including information as to the potential recipients of the data
and the likely uses of the data to be made by such recipients).
This is called the information provision obligation and the most practical and user-friendly way
of providing this information to Web 2.0 users is by means of a Privacy Policy that explains all
relevant data uses. However, the Privacy Policy is unlikely to be seen by third parties mentioned
by the users of the site and this has led websites like YouTube to impose a requirement on their
users to obtain the written consent, release or permission of each and every identifiable
individual appearing in all materials submitted. Although this approach seems sensible, it is
completely unrealistic to expect that users who submit materials to a website are going to seek
the written consent of those appearing in such materials.
Technically speaking, there is an exemption to the information provision obligation that applies
where personal data is acquired other than from the individual himself or herself and the
provision of the specified information would involve a disproportionate effort. The scope of this
exemption in respect of individuals appearing in materials submitted to Web 2.0 websites has
not been tested but it is reasonable to assume that it will apply since users will not generally be
alerting the operator of the site to the fact that they are providing personal information about
third parties.
The right to object to the processing of personal data that causes substantial damage or
distress is another right that is likely to be used in this environment. Being able to identify the
individual seeking to exercise this right and quickly deciding whether it applies in each case will
be very important. Needless to say, to minimise any possible arguments as to whether the
operator is entitled to suppress information about third parties submitted by a user, including
an unfettered right to remove content without notice to the user and at the discretion of the
operator will be essential.
No doubt, the scope of data protection rights and obligations will continue to evolve as
technology develops and Web 2.0 matures. As ever, the evolving legal framework will be tested
by those pioneers who are prepared to try new business models and explore the edges of the
law.
Eduardo Ustaran is a partner in the Privacy and Information Law Group of Field Fisher
Waterhouse and he is a member of the Advisory Board to the International Association of
Privacy Professionals.
Email eduardo.ustaran@ffw.com
Web 2.0 and Privacy: risks and solutions
by Eduardo Ustaran
A dangerously wide interpretation of personal data
What is “personal data” is something that law makers and regulators should have figured out
by now. However, as technology evolves there are some grey areas in terms of what type of
information should be regarded as personal data and what type should not. Reviewers of hotels,
restaurants or films on Web 2.0 websites will often be registered users with a real name and
real contact details. Sometimes, the name may just be a nickname and the only contact details
will be an e-mail address. However, this information plus the expressions of opinions of those
users will be regarded as personal data under data protection law.
Fair processing – old rules in a new environment
A real test for data protection rights
Ultimately, the Web 2.0 environment is a perfect testing ground for privacy and data protection
rights. The individuals who contribute content and any third parties named by them have a
number of rights that do not simply disappear when the information is voluntarily provided. The
collaborative and open nature of Web 2.0 websites means that these should be properly geared
to honour the individual’s rights recognised by data protection law in a very effective way. The
right of access in particular can pose a problem due to the sheer number of contributors that
may be involved in providing personal information. However, Web 2.0 businesses should be well
prepared to address the right of access to someone’s own data (including where such data is
provided by third parties) by adopting a well thought out subject access policy.