FaceBook Data Concerns

February 1, 2008

Social networking sites such as MySpace and FaceBook are becoming increasingly popular.  Most adults between the age of 18 and 30 seem to be registered on either or both of these social networking sites.  FaceBook was among the fastest growing websites (according to comScore) last year – it saw a staggering 2,167% growth in the UK over the period September 2006 to September 2007.  However, these sites are also all examples of the increasing trend for giving large amounts of personal data away. 

It is obvious why social networking sites seek to gather so much personal information about their users: they are driving the development of targeted advertising models.  Whilst targeted advertising is crucial to push forward a more efficient advertising model, the line between personal and private is blurred. 

This concern has been highlighted in the press recently with the announcement that FaceBook is to be investigated by the Information Commissioner’s Office in relation to its data protection policies.  The investigation follows a complaint by a user of FaceBook who was unable to fully delete their profile even after terminating their account.

FaceBook gives users the ability to deactivate their profile, which means that the individual’s profile is removed from the site.  However, FaceBook retains the information on its servers even after the profile is deleted.  This is useful for anyone that changes their mind and wants to rejoin, because all they would have to do is enter their old username and password and all of their information will pop back up onto the site.  But not everyone will want to grant FaceBook the right to keep their data indefinitely. 

Deleting the information entirely is a much more time-consuming process. Individuals have to navigate round the site and delete everything that they have ever done.  This includes removing every wall post, photograph and group membership.  Moreover, it is difficult to see how a user could delete all of the information relating to them on FaceBook: where friends have “tagged” a user in a photograph identifying that individual, for example, whilst the “tag” identifying the individual can be removed easily, the photograph itself cannot be removed without the person that originally posted the photograph on the site removing it.  Although the majority of information can be deleted, it is a laborious process and it is this which is of concern to the Information Commissioner.  It is perhaps because FaceBook differs to other social networking sites, in that it tends to have older users and people are encouraged to use their real names on FaceBook, unlike Myspace, for example, that has brought FaceBook into the privacy spotlight.

What does the law provide?

The EU legislative framework only protects individuals where the social networking site is based in (or uses servers based in) the EU.  The UK Data Protection Act 1998, for example, bites on personal data that is processed in the UK or organizations based in the UK.  It does not apply to data transferred by users of websites operated by organizations located outside the UK with servers based overseas.  Users of some websites will not therefore be afforded the protection of European data protection law.

Social networking sites often do not trouble their users with having to tick boxes or review privacy options, but this is vital to protect individuals’ privacy.  Assuming that EU privacy law applies, the EU legislative framework requires that personal data be processed fairly and that it be retained for no longer than the purpose for which it was originally obtained.  This means that website operators who collect information directly from individuals must always make sure that those individuals are aware of, among other matters, the purposes for which their data will be processed.  

FaceBook’s privacy statement, for example, includes the following statements so as to inform its users of the purposes for which it will process their data:
– profile information is used primarily to be presented back to and edited by the user when the service is accessed and to be presented to others permitted to view that information by the user’s privacy settings;
– FaceBook uses information (which has been anonymised) to pass to third parties, e.g. to calculate how many people in a network like a particular band and for direct marketing;
– Facebook uses information about the user that it may obtain from other sources, e.g. newspapers and internet blogs to supplement the Facebook profile;
– FaceBook retains information so that a user can return to view prior messages and that when information is updated a back up copy of the prior version is usually kept for a reasonable period of time to enable reversion to the prior version of that information; and
– even after removal, copies of user content may remain viewable in cached and archived pages or if other users have copied or stored your user content.
As to when this information must be provided, the Information Commissioner has issued specific guidance to website operators in connection with the collection of personal information for use on websites.  This makes it clear that it is not enough to simply say, “click here to see our privacy statement”. There must be a description of how the data will be used wherever personal information is collected.  Help in putting together a privacy statement can be obtained easily from the Organisation for Economic Cooperation and Development website, which has a privacy policy generator. 

It is worth noting that companies do not have to spend vast sums in order to comply with the law.  For example, the Information Commissioner is likely to weigh up an individual’s right to, for example, request that a site no longer process their data, against the rights of the business not to have to expend lots of money in trying to get rid of that data.  If a business has lots of money and IT infrastructure then that is likely to sway the Information Commissioner as to the steps that the business should take in order to comply with data protection law.  FaceBook, recently valued at $15 billion (as a result of Microsoft’s recent $240 million investment) is unlikely to receive much sympathy. 

Does privacy matter?

While some FaceBook users may not care about the issue of privacy, it is likely that many do. Website users can group together and put pressure on the operators of websites in order to change working practices.  This was shown to be successful at the end of last year when FaceBook was presented with a petition of more than 50,000 Facebook users who called on the company to alter or abandon its Beacon advertising technology which informed FaceBook users’ friends and businesses what users looked at or bought online.  Similarly, in some cases resistance to practices may come in the form of organised lobbies, the Article 29 Working Party, for example, which is made up of national advisory bodies that provide input on privacy to the EU, has asked for an explanation of search engine data retention periods.

The media is also raising the profile of privacy issues with more and more stories in the press about privacy and in particular security breaches. Privacy is now a front page news item and as a result individuals’ awareness of their rights, the law and privacy risks is increasing.  Despite this, many people are posting more personal information on social networking and other sites without thinking about the electronic footprint that they leave behind.  Young people that are posting information on social networking sites may not be aware of the implications of this for them in the future.  Prospective employers frequently carry out searches of prospective employees on FaceBook and it will increasingly provide a very useful tool for the media (as it did recently in the case of Amanda Knox in relation to the murder of Meredith Kercher).  It is possible that an innocent 20-year-old now may, in the future hold a position of authority, with full details of their life for all to see on FaceBook or elsewhere. David Cameron has famously (or infamously depending on your viewpoint) defended politicians’ rights to a private life before public life but he may represent the last generation that has not itself freely, although perhaps not entirely knowingly, surrendered that right. Whilst webusers should be aware that even seemingly innocuous activities, such as social networking, could have consequences in the future, websites should also act responsibly and legally in their use of personal data. 

Alexander Brown is a Partner and Lucy Pownall is an Associate at Simmons & Simmons: www.simmons-simmons.com