UK: Online Privacy Article And The New Data Protection Regulation

Last Updated: 14 March 2012
Article by Chris Hill

The concept of "online privacy" has become something of a watchword in the technology industry, yet there is no clear answer as to what it is or how it can be effectively protected. This article looks at what online privacy really is, the issues with protecting it under existing data protection legislation, and how these issues will be affected by the new draft, European-wide legislation (the "Regulation") published earlier this month.1

What is online privacy?

What does the term "online privacy" actually mean?

If you asked the average person on the street ten years ago what "online privacy" meant they might well have cited protection of credit card details and home addresses, probably because these were the personal details that many people at that point were most aware of "putting into" the internet. Nowadays the landscape of data collection and creation has changed dramatically, such that the information to be protected encompasses browsing histories, shopping habits, geographical location, social connections, music tastes, tweets, and in fact almost every aspect of your life that is in any way connected to use of the internet.

Why should online privacy be treated differently from any other form of privacy?

The reason online privacy is regarded separately from any other form of privacy is based on two key factors. It is worth focusing briefly on what these factors are before looking into how the law deals with them.

1. Background usage

The first factor is the ease with which data about an individual collected in the online world can be stored, duplicated and transmitted without that individual's knowledge. A typical example of this is the use of cookies (such as tracking cookies) to collect information on individuals' internet usage. Cookies are now wholly commonplace in the online world, particularly in the area of advertising. Such cookies are in some ways the fuel of the internet, as the advertising revenue generated from their use is the financial backbone of many "free-to-air" web services. The use of targeted advertising also brings benefits to consumers, who receive tailored and relevant advertising.

However, many individuals are simply not aware of the fact that their use of the internet is being tracked by providers of websites they have visited. Much less are they aware of the fact that details about their internet usage – their "online profile" – are often sold to third parties such that individuals receive unsolicited targeted advertising from companies they have had no dealings with.

Regardless of the benefits, this type of behind-the-scenes tracking is something that many consumers find somewhat unnerving, and an infraction on their privacy.2 Should this reaction come as a surprise? After all, if you bought a piece of cheese in a shop, you might not be surprised if the shop owner remembered this and on your next visit told you about a new type of cheese on offer; you might, however, be a little unnerved if you went to a restaurant in a different town a week later and the waiter brought you a menu with only cheese-based dishes on it, because the shop owner had rung ahead to tell the restaurant what you liked. The oddity of this analogy in itself demonstrates the difference between the privacy concerns that are presented by information collection in an online and offline world: a type of information sharing that would be absurd in an offline environment is entirely commonplace in e-commerce, and the measures needed to protect privacy in this setting must accordingly be viewed in a different light.

2. Personal broadcasting

The second factor which distinguishes online privacy from other privacy considerations is the ease and breadth with which individuals can transmit information about themselves, without necessarily any real understanding of the ramifications of doing so. The greatly increased access to communications technology and the meteoric rise of social networks in the last decade have resulted in huge amounts of individuals' personal information being made freely available to truly vast audiences. The lack of understanding that many people have about privacy settings and how their information can be used - whether for legitimate commercial purposes, profiling, job interviews,3 journalism or even crime - is evident. And yet many will react negatively to reuse of that information for purposes they had not intended, or thought of, at the time they shared it. In an offline world the giving of information to friends and acquaintances is of less concern because the impact is so much smaller. Take photo sharing: if you give one, two, even twenty hard copies of a photo of yourself to different acquaintances, the number of people likely to see that photo is incredibly small compared to the potential audience of the same photo posted to an unrestricted social media profile. Again, issues of privacy need to be addressed in a different light given the difference in impact in an online environment.

The element that links these two factors together is the desire that, when we do share information for one purpose, it is not taken and used for some other purpose we didn't know about or approve. This is of course also a tenet of any form of privacy: the difference in an online world is the scale of the impact of a breach of privacy, due largely to the differing technological means of mass information-sharing. It is these means that any legal system seeking to protect online privacy must deal with; the real challenge is to deal with them in a way which does not unduly impede the effective use of technology in society.

Is the DPA sufficient to deal with online privacy?

1. Who is the data controller?

To any lawyer versed in the fundamentals of the Data Protection Act 1998 ("DPA"), the concept of using personal information only for approved purposes is instantly familiar territory. The DPA's core tenet of using personal data only for the purposes for which consent was given by the data subject should therefore theoretically still be sufficient for the current climate. To a large extent the DPA's framework has coped extremely well with the shifting face of technology and data usage over the past fifteen years. However, where the DPA is now arguably lacking – amongst other things – is in the shift in the identity of the data controller.

When the data protection Directive (EC/95/46) was created in 1995, it was really only large corporates and government departments that had the capacity to store, manipulate and transmit – to "control" - large amounts of information about individuals. As such it was entirely appropriate at that time that regulatory obligations concerning such data were focused on those bodies: they were big enough, and sophisticated enough, to be expected to understand and comply with the regulations imposed on them.

By contrast, individuals are now data controllers of their own personal data in ways which could not have been predicted in the mid-1990s. They are technology-literate, and have ready access to a myriad of facilities to store, manipulate, replicate and transfer huge amounts of both their own personal data and the personal data of other individuals they interact with online. The DPA does exempt the use of personal data for domestic purposes from the scope of its requirements,4 but at the time of the Directive the scale of information-sharing practised by individuals for domestic purposes was tiny compared to the level of sharing possible now.

So the DPA does not intervene in individuals' "domestic" activities, but should it now do so in order to protect other individuals' privacy? The risks to privacy are self-evident, but it is not realistic or rational to expect every Facebook-using or internet-surfing individual – or even small emerging companies - to become expert in data protection regulation. Nor does it serve the interests of society as a whole to clamp down on any use of personal data at all. We will look below at the Regulation's response to this anomaly.

2. Quality of consent

The level of consent needed to satisfy the DPA is a complex issue. The variety of methods by which personal information can be used and transmitted is again far beyond the scope of what was legislated for in the mid-1990s. The text of the DPA has again held up remarkably well in its changing landscape. Nonetheless, online commercial practice has in many aspects developed in a manner which technically satisfies the DPA's requirements but is nonetheless unsatisfactory in the context of the spirit of the DPA's core principles.

A good example of this is the recent iPhone location data debacle, when it emerged that Apple were monitoring and storing iPhone users' location data without full disclosure to such users.5 Although this was largely seen as an issue related to a specific and separate category of data, it was really a classic consent issue like any other: had consent been validly obtained for the use which was being made of information relevant to an individual? Yes, Apple could point to their terms and conditions, and in doing so could evidence that their customers had "accepted" the use of this data by accepting those terms and conditions when setting up the phone's software. The question was therefore not "was some level of consent gained", but "was that consent good enough?" Answering this question ultimately required a common sense interpretation of (i) whether those whose locations had been tracked really knew it was happening, and (ii) what they would think of it if they did. The answer to the first question was almost universally "no". The answer to the second question was, in one case at least, "pretty creepy, but also kind of cool".6

Tracking cookies are another example of the same phenomenon: if an internet user is on a website and has therefore technically accepted its privacy policy – including consents to use of tracking cookies – can we interpret this to mean that they have actually "given their consent" within the meaning of the DPA? Whatever the answer to this question should be, the fact is that huge numbers of web providers have interpreted this type of activity as giving sufficient consent, and entire industries have been built up around this interpretation. The fact that such practices are now so embedded is the result not necessarily of deficiencies in the DPA itself, but in the interpretation and enforcement of it. Location data was seen as a new type of personal data and was therefore picked out for special attention. But the phenomenon is far broader, far more entrenched, and presents real issues for legislators, regulators and businesses.

3. The "right to be forgotten"

This phrase is another watchword in the context of online privacy, but its meaning is again unclear. At its base it is an insistence that individuals should have the right to demand that their personal information is removed from particular databases. However, this is already possible under the existing legislation: a data subject can withdraw their consent to any "processing" of their personal data, and "processing" is so broad a definition that it would encompass even holding a copy of such information i.e. not deleting it. The gap between this technical right and reality lies in the lack of a practical means for an individual to effect such a deletion, given the varied proliferation of the data to multiple unknown parties. Again, this is more a question of interpretation and enforcement of the DPA than a deficiency in the legislation itself. As such, the many discussions on the potential introduction of a "right to be forgotten" are arguably discussions about the better enforcement of an existing right to withdraw consent.

4. Privacy vs publishing - should all aspects of online information-sharing be protected?

It is arguable that not every aspect of information-sharing by individuals can or should be protected by law. Some of the typical examples given in relation to "breaches of online privacy" are where details or photos on a Facebook page, or information on Twitter, are used by journalists, employers or criminals. However, there is a strong argument that in many such cases there is no longer any "privacy" to be breached, as the information has in fact been published, and any right to privacy in respect of that information has been waived.

Similar to the change in the identity of "data controllers" outlined above, changes in technology have occasioned a change in the identity of "publishers". Where a Twitter feed has, for instance, several hundred, or several thousand followers, is the information in that feed still "private" in a way that should be protected, or has it in fact been "published" in the conventional sense of the term? To turn this on its head, if a magazine is available only to a list of 1,000 subscribers, it would surely not be reasonable to claim that any information in that magazine is private and has not been published into the public domain. On the other hand there is clearly an argument that, for example, a Facebook user with a limited number of friends and tight security settings really does have a legitimate expectation that the information they share will not be seen by others. But where is the dividing line between private communication and personalised publication? 25 recipients? 100? 1,000?

Where does this leave the law in relation to protecting the information of those who really do have a legitimate expectation of privacy? Due to the blurriness of the dividing line between private sharing and publication, it will always be very difficult to enforce or even to design a form of regulation that will provide protection only where protection is really needed. To clamp down on any use of such "published" information would raise significant concerns surrounding freedom of speech; to allow all such usage would clearly be unsatisfactory. There may be a middle ground involving education of users in the way they transmit information - which may ultimately have the effect of informing individuals of the point at which they lose their right to protection - and several organisations including Vodafone have advocated this approach.7 Privacy by design, i.e. designing systems such that the default position is to keep information private and not to disclose it, is also increasingly discussed as a means of mitigating this risk.

Principle vs reality

The obvious difficulty in strict enforcement of the DPA – or of designing any new legislation to protect individuals' rights to control their personal data – is in finding the correct balance between quality of consent and effective provision of desirable functionality. The danger is always that burdening a technological process with excessive consent screens will hamper functionality and usability and increase drop-off rates, in ways which may cause significant damage to certain areas of online commerce.

We have already had a taste of the impact that stricter privacy enforcement may have on the practical functioning of online businesses, in relation to consent-gathering. The Privacy and Electronic Communications (EC Directive) Regulations 2003 impose obligations on website providers using cookies to obtain informed and specific consent from individuals in relation to all the uses of the cookies.8 Despite these regulations coming into force just 3 months from now, there is as yet no clear method for obtaining such consent in a way that will satisfy the regulations without some form of pop-up window and check box. The fear is that, through having to obtain informed and specific consent from individuals in this way, drop-off rates in surfing will be greatly increased, reducing advertising revenue and therefore the diversity of free web-based services available to consumers. The alternative is to stop using the cookies themselves, which would have the same or worse effect on advertising revenue, and would simultaneously stop businesses from carrying out important usage analytics. First and foremost, however, constant pop-ups would make internet surfing unbearably cumbersome.

Is there a balance to be struck? On cookies, one suggestion is to apply an objective test to what constitutes "normal usage" of data in the circumstances, and to have to seek specific consent only for usage in excess of that level ("I expect you to remember what cheese I like when I'm in the shop, but you have to ask me before you start ringing all the restaurants in the UK telling them..."). This might free up the surfing experience for most, whilst removing some of the more unnerving aspects of current data sharing. Sadly, however, this does not appear to be the approach taken in the Regulation (see below).

However, in all aspects of online privacy, legislators and regulators need to be acutely conscious of the potential detriment that strict enforcement of principles may have. There will be many circumstances in which the strict insistence on privacy will undo some of the great benefits that information usage can bring, without conveying any real benefit on the individual and in fact bringing disadvantages to the very people it is trying to protect.

The Regulation's approach to online privacy

Firstly, it should be clarified that the Regulation9 is currently only in draft form, and it will be some time before it becomes law (the current DPA emerged only 5 years after a proposal of this type).

Nonetheless, the draft makes for interesting reading. In relation to the issues outlined above, it:

  • explicitly exempts individuals from the requirements of the Regulation10 – thereby moving away from the idea of "everyone is a data controller";
  • exempts "micro, small and medium-sized enterprises" from many of the more onerous requirements of the Regulation – thereby intending to remove some of the compliance barriers from the path of emerging enterprises11;
  • requires data controllers to implement "privacy by design"12 – this may help to overcome in practice some of the issues with unintentional personal publishing;
  • requires "specific, informed and explicit" consent13 in relation to the use of personal data – thereby giving consumers greater control over their personal information, but potentially damaging large swathes of the online world.

The clear indication at the moment, then, is that privacy is the primary priority and large businesses are to foot the bill for it, regardless of the difficulties this may pose to the smooth running of the online world. This is a welcome development to privacy campaigners, but is it a little heavy-handed and contradictory?

The fact that individuals and small companies are exempted from the full requirements of the Regulation is surely a good idea on a practical level, as it is taking some of the compliance obligation away from individual data controllers and placing it once again on those entities which are big enough and sophisticated enough to be able to do something about it. But surely these exemptions mean that some of the issues of online privacy, as breached by individuals and small companies, will persist. This is probably a necessary evil, and is a welcome development in terms of practicality. However, it is nonetheless a compromise, and jars awkwardly with the uncompromising enforcement of consent-gathering for large businesses no matter what the commercial consequences.

The online world is famously adaptive. To an extent the new Regulation is simply a stricter re-stating of existing principles, unravelling some of the departures from the DPA which have damaged the public's feeling of privacy on the net. But one cannot help but wonder if, by stamping out the "creepy", we might also lose some of the "cool".

Footnotes

1 Full text available at: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

2 Research carried out by Which? revealed that half the respondents felt that online behavioural advertising was an invasion of their privacy, quoting reasons such as feeling like they were being spied on, and worries that the information would be passed on to third parties and/or used in ways they did not know about.

3 Research commissioned by Microsoft in 2009 found that 41% of recruiters/employers have rejected candidates based on information found on-line; 80% of recruiters/employers have concerns about the accuracy of the information they find on-line; but only 68% say that they take steps to check it. The major reasons for rejecting candidates included inappropriate things written by the candidate; unsuitable videos, photos etc.; concerns about the candidate's lifestyle; comments criticising previous employers etc.

4 Section 36 DPA

5 http://www.bbc.co.uk/news/technology-13145562

6 http://www.bbc.co.uk/blogs/thereporters/rorycellanjones/2011/04/iphone_tracking_creepy_cool.html

7 See http://support.google.com/a/bin/answer.py?hl=en&hlrm=en&answer=60762, page 9, 4th para

8 Section 6, Privacy and Electronic Communications (EC Directive) Regulations 2003. See also http://www.kemplittle.com/OurEvents/EventsDownloads/2012-01-25_%20Article_Analytic%20and%20consumer%20targeting.pdf for further detail, paras 23 to 26.

9 Full text available at: http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf

10 Recital 15 and Article 2(2)(d)

11 For instance, such enterprises are in most cases exempt from the requirement to have a data protection officer – Article 35(1)(b)

12 Article 23

13 Recital 25 and Article 4(8)

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
