UK: Online Privacy Article And The New Data Protection Regulation

Last Updated: 14 March 2012
Article by Chris Hill

The concept of "online privacy" has become something of a watchword in the technology industry, yet there is no clear answer as to what it is or how it can be effectively protected. This article looks at what online privacy really is, the issues with protecting it under existing data protection legislation, and how these issues will be affected by the new draft, European-wide legislation (the "Regulation") published earlier this month.1

What is online privacy?

What does the term "online privacy" actually mean?

If you asked the average person on the street ten years ago what "online privacy" meant they might well have cited protection of credit card details and home addresses, probably because these were the personal details that many people at that point were most aware of "putting into" the internet. Nowadays the landscape of data collection and creation has changed dramatically, such that the information to be protected encompasses browsing histories, shopping habits, geographical location, social connections, music tastes, tweets, and in fact almost every aspect of your life that is in any way connected to use of the internet.

Why should online privacy be treated differently from any other form of privacy?

The reason online privacy is regarded separately from any other form of privacy is based on two key factors. It is worth focusing briefly on what these factors are before looking into how the law deals with them.

1. Background usage

The first factor is the ease with which data about an individual collected in the online world can be stored, duplicated and transmitted without that individual's knowledge. A typical example of this is the use of cookies (such as tracking cookies) to collect information on individuals' internet usage. Cookies are now wholly commonplace in the online world, particularly in the area of advertising. Such cookies are in some ways the fuel of the internet, as the advertising revenue generated from their use is the financial backbone of many "free-to-air" web services. The use of targeted advertising also brings benefits to consumers, who receive tailored and relevant advertising.

However, many individuals are simply not aware of the fact that their use of the internet is being tracked by providers of websites they have visited. Much less are they aware of the fact that details about their internet usage – their "online profile" – are often sold to third parties such that individuals receive unsolicited targeted advertising from companies they have had no dealings with.

Regardless of the benefits, this type of behind-the-scenes tracking is something that many consumers find somewhat unnerving, and an infraction on their privacy.2 Should this reaction come as a surprise? After all, if you bought a piece of cheese in a shop, you might not be surprised if the shop owner remembered this and on your next visit told you about a new type of cheese on offer; you might, however, be a little unnerved if you went to a restaurant in a different town a week later and the waiter brought you a menu with only cheese-based dishes on it, because the shop owner had rung ahead to tell the restaurant what you liked. The oddity of this analogy in itself demonstrates the difference between the privacy concerns that are presented by information collection in an online and offline world: a type of information sharing that would be absurd in an offline environment is entirely commonplace in e-commerce, and the measures needed to protect privacy in this setting must accordingly be viewed in a different light.

2. Personal broadcasting

The second factor which distinguishes online privacy from other privacy considerations is the ease and breadth with which individuals can transmit information about themselves, without necessarily any real understanding of the ramifications of doing so. The greatly increased access to communications technology and the meteoric of rise social networks in the last decade has resulted in huge amounts of individuals' personal information being made freely available to truly vast audiences. The lack of understanding that many people have about privacy settings and how their information can be used - whether for legitimate commercial purposes, profiling, job interviews,3 journalism or even crime - is evident. And yet many will react negatively to reuse of that information for purposes they had not intended, or thought of, at the time they shared it. In an offline world the giving of information to friends and acquaintances is of less concern because the impact is so much smaller. Take photo sharing: if you give one, two, even twenty hard copies of a photo of yourself to different acquaintances, the number of people likely to see that photo is incredibly small compared to the potential audience of the same photo posted to an unrestricted social media profile. Again, issues of privacy need to be addressed in a different light given the difference in impact in an online environment.

The element that links these two factors together is the desire that, when we do share information for one purpose, it is not taken and used for some other purpose we didn't know about or approve. This is of course also a tenet of any form of privacy: the difference in an online world is the scale of the impact of a breach of privacy, due largely to the differing technological means of mass information-sharing. It is these means that any legal system seeking to protect online privacy must deal with; the real challenge is to deal with them in a way which does not unduly impede the effective use of technology in society.

Is the DPA sufficient to deal with online privacy?

1. Who is the data controller?

To any lawyer versed in the fundamentals of the Data Protection Act 1998 ("DPA"), the concept of using personal information only for approved purposes is instantly familiar territory. The DPA's core tenet of using personal data only for the purposes for which consent was given by the data subject, should therefore theoretically still be sufficient for the current climate. To a large extent the DPA's framework has coped extremely well with the shifting face of technology and data usage over the past fifteen years. However, where the DPA is now arguably lacking – amongst other things - is in the shift in the identity of the data controller.

When the data protection Directive (EC/95/46) was created in 1995, it was really only large corporates and government departments that had the capacity to store, manipulate and transmit – to "control" - large amounts of information about individuals. As such it was entirely appropriate at that time that regulatory obligations concerning such data were focused on those bodies: they were big enough, and sophisticated enough, to be expected to understand and comply with the regulations imposed on them.

By contrast, individuals are now data controllers of their own personal data in ways which could not have been predicted in the mid-1990s. They are technology-literate, and have ready access to a myriad of facilities to store, manipulate, replicate and transfer huge amounts of both their own personal data and the personal data of other individuals they interact with online. The DPA does exempt the use of personal data for domestic purposes from the scope of its requirements,4 but at the time of Directive the scale of information-sharing practised by individuals for domestic purposes was tiny compared to the level of sharing possible now.

So the DPA does not intervene in individuals' "domestic" activities, but should it now do so in order to protect other individuals' privacy? The risks to privacy are self-evident, but it is not realistic or rational to expect every Facebook-using or internet-surfing individual – or even small emerging companies - to become expert in data protection regulation. Nor does it serve the interests of society as a whole to clamp down on any use of personal data at all. We will look below at the Regulation's response to this anomaly.

2. Quality of consent

The level of consent needed to satisfy the DPA is a complex issue. The variety of methods by which personal information can be used and transmitted is again far beyond the scope of what was legislated for in the mid-1990s. The text of the DPA has again held up remarkably well in its changing landscape. Nonetheless, online commercial practice has in many aspects developed in a manner which technically satisfies the DPA's requirements but is nonetheless unsatisfactory in the context of the spirit of the DPA's core principles.

A good example of this is the recent iPhone location data debacle, when it emerged that Apple were monitoring and storing iPhone users' location data without full disclosure to such users.5 Although this was largely seen as an issue related to a specific and separate category of data, it was really a classic consent issue like any other: had consent been validly obtained for the use which was being made of information relevant to an individual? Yes, Apple could point to their terms and conditions, and in doing so could evidence that their customers had "accepted" the use of this data by accepting those terms and conditions when setting up the phone's software. The question was therefore not "was some level of consent gained", but "was that consent was good enough?" Answering this question ultimately required a common sense interpretation of (i) whether those whose locations had been tracked really knew it was happening, and (ii) what they would think of it if they did. The answer to the first question was almost universally "no". The answer to the second question was, in one case at least, "pretty creepy, but also kind of cool".6

Tracking cookies are another example of the same phenomenon: if an internet user is on a website and has therefore technically accepted its privacy policy - including consents to use of tracking cookies – can we interpret this to mean that they have actually "given their consent" within the meaning of the DPA? Whatever the answer to this question should be, the fact is that huge numbers of web providers have interpreted this type of activity as giving sufficient consent, and entire industries have built been up around this interpretation. The fact that such practices are now so embedded is the result not necessarily of deficiencies in the DPA itself, but in the interpretation and enforcement of it. Location data was seen as a new type of personal data and was therefore picked out for special attention. But the phenomenon is far broader, far more entrenched, and presents real issues for legislators, regulators and businesses.

3. The "right to be forgotten"

This phrase is another watchword in the context of online privacy, but its meaning is again unclear. At its base it is an insistence that individuals should have the right to demand that their personal information is removed from particular databases. However, this is already possible under the existing legislation: a data subject can withdraw their consent to any "processing" of their personal data, and "processing" is so broad a definition that it would encompass even holding a copy of such information i.e. not deleting it. The gap between this technical right and reality lies in the lack of a practical means for an individual to effect such a deletion, given the varied proliferation of the data to multiple unknown parties. Again, this is more a question of interpretation and enforcement of the DPA than a deficiency in the legislation itself. As such, the many discussions on the potential introduction of a "right to be forgotten" are arguably discussions about the better enforcement of an existing right to withdraw consent.

4. Privacy vs publishing - should all aspects of online information-sharing be protected?

It is arguable that not every aspect of information-sharing by individuals can or should be protected by law. Some of the typical examples given in relation to "breaches of online privacy" are where details or photos on a Facebook page, or information on Twitter, are used by journalists, employers or criminals. However, there is a strong argument that in many such cases there is no longer any "privacy" to be breached, as the information has in fact been published, and any right to privacy in respect of that information has been waived.

Similar to the change in the identity of "data controllers" outlined above, changes in technology have occasioned a change in the identity of "publishers". Where a Twitter feed has, for instance, several hundred, or several thousand followers, is the information in that feed still "private" in a way that should be protected, or has it in fact been "published" in the conventional sense of the term? To turn this on its head, if a magazine is available only to a list of 1,000 subscribers, it would surely not be reasonable to claim that any information in that magazine is private and has not been published into the public domain. On the other hand there is clearly an argument that, for example, a Facebook user with a limited number of friends and tight security settings really does have a legitimate expectation that the information they share will not be seen by others. But where is the dividing line between private communication and personalised publication? 25 recipients? 100? 1,000?

Where does this leave the law in relation to protecting the information of those who really do have a legitimate expectation of privacy? Due to the blurriness of the dividing line between private sharing and publication, it will always be very difficult to enforce or even to design a form of regulation that will provide protection only where protection is really needed. To clamp down on any use of such information "published" would raise significant concerns surrounding freedom of speech issues; to allow all such usage would clearly be unsatisfactory. There may be a middle ground involving education of users in the way they transmit information - which may ultimately have the effect of informing individuals of the point at which they lose their right to protection - and several organisations including Vodafone have advocated this approach.7 Privacy by design i.e. designing systems such that the default position is to keep information private and not to disclose it, is also increasingly discussed as a means of mitigating this risk.

Principle vs reality

The obvious difficulty in strict enforcement of the DPA – or of designing any new legislation to protect individuals' rights to control their personal data – is in finding the correct balance between quality of consent and effective provision of desirable functionality. The danger is always that burdening a technological process with excessive consent screens will hamper functionality, usability and increase drop-off rates, in ways which may cause significant damage to certain areas of online commerce.

We have already had a taste of the impact that stricter privacy enforcement may have on the practical functioning of online businesses, in relation to consent-gathering. The Privacy and Electronic Communications (EC Directive) Regulations 2003 impose obligations on website providers using cookies to obtain informed and specific consent from individuals in relation to all the uses of the cookies8. Despite these regulations coming into force just 3 months from now, there is as yet no clear method for obtaining such consent in a way that will satisfy the regulations without some form of pop-up window and check box. The fear is that, through having to obtain informed and specific consent from individuals in this way, drop off rates in surfing will be greatly increased, reducing advertising revenue and therefore the diversity of free web-based services available to consumers. The alternative is to stop using the of cookies themselves, which would have the same or worse effect on advertising revenue, and would simultaneously stop businesses from carrying out important usage analytics. First and foremost, however, constant pop-ups would make internet surfing unbearably cumbersome.

Is there a balance to be struck? On cookies, one suggestion is to apply an objective test to what constitutes "normal usage" of data in the circumstances, and to have to seek specific consent only for usage in excess of that level ("I expect to you to remember what cheese I like when I'm in the shop, but you have to ask me before you start ringing all the restaurants in the UK telling them..."). This might free up the surfing experience for most, whilst removing some of the more unnerving aspects of current data sharing. Sadly, however, this does not appear to be the approach taken in the Regulation (see below).

However, in all aspects of online privacy, legislators and regulators need to be acutely conscious of the potential detriment that strict enforcement of principles may have. There will be many circumstances in which the strict insistence on privacy will undo some of the great benefits that information usage can bring, without conveying any real benefit on the individual and in fact bringing disadvantages to the very people it is trying to protect.

The Regulation's approach to online privacy

Firstly, it should be clarified that the Regulation9 is currently only in draft form, and it will be some time before it becomes law (the current DPA emerged only 5 years after a proposal of this type).

Nonetheless, the draft makes for interesting reading. In relation to the issues outlined above, it:

  • explicitly exempts individuals from the requirements of the Regulation10 – thereby moving away from the idea of "everyone is a data controller";
  • exempts "micro, small and medium-sized enterprises" from many of the more onerous requirements of the Regulation – thereby intending to remove some of the compliance barriers from the path of emerging enterprises11;
  • requires data controllers to implement "privacy by design"12 – this may help to overcome in practice some of the issues with unintentional personal publishing;
  • requires "specific, informed and explicit" consent13 in relation to the use of personal data – thereby giving consumers greater control over their personal information, but potentially damaging large swathes of the online world.

The clear indication at the moment then, is that privacy is the primary priority and large businesses are to foot the bill for it, regardless of the difficulties this may pose to the smooth running of the online world. This is a welcome development to privacy campaigners, but is it a little heavy-handed and contradictory?

The fact that individuals and small companies are exempted from the full requirements of the Regulation is surely a good idea on a practical level, as it is taking some of the compliance obligation away from individual data controllers and placing it once again on those entities which are big enough and sophisticated enough to be able to do something about it. But surely these exemptions mean that some of the issues of online privacy, as breached by individuals and small companies, will persist. This is probably a necessary evil, and is a welcome development in terms of practicality. However, it is nonetheless a compromise, and jars awkwardly with the uncompromising enforcement of consent-gathering for large businesses no matter what the commercial consequences.

The online world is famously adaptive. To an extent the new Regulation is simply a stricter re-stating of existing principles, unravelling some of the departures from the DPA which have damaged the public's feeling of privacy on the net. But one cannot help but wonder if, by stamping out the "creepy", we might also lose some of the "cool".


1 Full text available at:

2 Research carried out by Which? revealed that half the respondents felt that online behavioural advertising was an invasion of their privacy, quoting reasons such as feeling like they were being spied on, and worries that the information would be passed on to third parties and/or used in ways they did not know about.

3 Research commissioned by Microsoft in 2009 found that 41% of recruiters/employers have rejected candidates based on information found on-line; 80% of recruiters/employers have concerns about the accuracy of the information they find on-line; but only 68% say that take steps to check it. The major reasons for rejecting candidates included inappropriate things written by the candidate; unsuitable videos, photos etc.,

concerns about the candidate's lifestyle; comments criticising previous employers etc..

4 Section 36 DPA



7 See, page 9, 4th para

8 Section 6, Privacy and Electronic Communications (EC Directive) Regulations 2003. See also for further detail, paras 23 to 26.

9 Full text available at:

10 Recital 15 and Article 2(2)(d)

11 For instance, such enterprises are in most cases exempt from the requirement to have a data protection officer – Article 35(1)(b)

12 Article 23

13 Recital 25 and Article 4(8)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions