The growing popularity of social networking sites has been accompanied by a rise in concern about the risks that people, especially children, may unwittingly incur by sharing their personal data online. Responding to this, the Information Commissioner’s Office recently issued new guidance on the application of the Data Protection Act to social networking. This article briefly considers the extent to which the “domestic purposes” exemption relieves the general responsibility to process data only in accordance with the DPA in the context of social networking, and also what organisations and individuals, who process personal data for purposes such as running a business, need to consider when they run, contribute to, or download personal data from social networking sites, online forums, message boards or blogs. In particular, it considers the position of a business using social networking sites for marketing purposes and the extent to which that business is responsible for ensuring that its processing of user-generated content complies with the DPA.
Processing personal data under the Data Protection Act
In the UK, the DPA gives people rights in relation to their personal information and creates obligations on individuals and organisations that handle such data.
In particular, the DPA imposes obligations on “data controllers”, defined as “a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are to be processed”. Responsibilities of a data controller include taking reasonable steps to ensure the accuracy of personal data. This applies in particular to personal data which is presented as a “matter of fact”, for example a post recording someone’s date of birth. Expressions of opinion are not covered. Stricter requirements may apply for sensitive information such as an individual’s ethnic background, criminal records, and religious beliefs.
A business which operates an online forum or social media site to which people upload their personal data will generally be a data controller. Likewise, a business which uses social media for its business purposes (such as running brand-related Facebook pages) will also be deemed to be a data controller and will need to comply with the DPA in relation to personal data controlled by it. Facebook, in particular, has rules on running promotions through its site which specifically provide that people entering the promotion are providing their personal data to the promoter, not to Facebook, which suggests that Facebook’s position is that brand-owners are the data controllers in respect of personal data uploaded to Facebook brand pages.
The “domestic purposes exemption”
The ICO guidance focuses on the “domestic purposes exemption”. The exemption essentially provides that, where an individual processes personal data for the purposes of their personal, family or household affairs, that act is not caught by the DPA. Individuals’ use of social networking sites for personal reasons is therefore not subject to the DPA. However, the ICO clearly states that the domestic purposes exemption only applies to individuals, so an organisation using social media can never rely on it. Likewise, an individual who processes personal data through social media to run a business as a sole trader is also not within the exemption and therefore is in principle subject to the DPA.
One key difficulty, as highlighted by the ICO in its guidance, is where social media are used for both domestic and non-domestic purposes. It gives the example of people in the public eye who use their social media accounts for personal, family and recreational purposes, and to promote their business interests by raising their public profile. In such cases, the ICO’s view is that the key issue is the purpose behind the processing. Processing personal data for business purposes, even by an individual, will not be within the domestic purposes exemption.
A particular difficulty arises where individuals using a social networking site provide personal data about third parties. Who is responsible for the accuracy of such personal data?
The ICO again considers that the purpose of the processing is key. Individuals who have posted personal data whilst acting in a personal capacity, no matter how unfair, derogatory or distressing the posts may be, are exempted from the DPA. The ICO confirmed in its guidance that it will not consider complaints made against individuals in such a case.
However, where an organisation or an individual processes the inaccurate data for non-domestic purposes, even if that personal data originated from a third party user, that organisation or individual will have a duty to take reasonable steps to check the accuracy of any personal data that is posted on their site by third parties. What constitutes “reasonable steps” varies from case to case. Where there are high volumes of user-generated content, the guidance accepts that the website operator would not need to check every individual post. In that case, reasonable steps could include having a clear and prominent social media policy about acceptable and non-acceptable posts, having procedures for data subjects to dispute the accuracy of posts and request their removal, and responding to disputes about accuracy quickly.
However, other scenarios, particularly where children are the primary users of the site, may require the data controller to actively monitor and edit posts submitted on its online forum. Given the changing data protection landscape and the case-by-case approach taken by the ICO, it is suggested that organisations which make use of social networking sites as part of their marketing activity consider whether they require legal advice at the outset on the potential scope of their obligations as a data controller.