Blog Taster: Privacy and Social Networks – Bees to the Honeypot

November 14, 2007

Privacy is at no.2 on my ‘Top 10’ Web 2.0 issues (see my September 07 Post). Maybe it’s just moved to no. 1. The papers are currently full of stories about social networks – igoogle, ‘MySpace’, Facebook et al – opening themselves up to third party applications and sharing user data with them.

It’s not surprising. User data is the nectar of social networks, attracting all those advertiser bees to make all that lovely advertising revenue honey!  But as Jeff Jarvis writes in today’s Media Guardian, the advertising revenue pot may be declining over time, as supply and demand find each other without advertising. So no wonder that the battle is hotting up.

All this is driving privacy up the business and regulatory agenda. So it’s probably a good idea to remind ourselves about the key issues at the heart of the debate. We can probably reduce it to two:

  1. What is consent?
  2. What is ‘personally identifiable information’ (or ‘personal data’ in Eurospeak)? Is it an IP address? Is it aggregated but anonymised information about user preferences?

In this post, I’m going to focus on the issue of ‘consent’.

Do you consent?

Let’s take Facebook’s Privacy Policy as an example. Facebook takes the issue seriously. It’s a licensee of the Truste Privacy Program and is also a signatory to the EU Safe Harbor Privacy Framework. The Policy explains how a user can exercise control via their Profile over what information is available to other Facebook users, members of their network and third party applications developed using the Facebook Platform.  Facebook also imposes contractual controls over 3rd party applications to require them to respect users’ Facebook privacy settings.

Privacy compliance therefore rests on the notion of ‘consent’. Pretty obvious stuff, you might think. But there are volumes written in commentary and by the European Commission’s ‘Article 29 Working Party’ about the meaning of ‘consent’. For instance, you may find that the default privacy settings on your social network platform of choice are set so that you have to untick all the boxes in order to limit sharing your Profile information.

From a privacy point of view, the key question is: if you don’t untick the boxes, have you ‘consented’ to the sharing of your information? The Article 29 Working Party’s document WP 114 makes it pretty clear that pre-ticked boxes are not the right way to get consent. ‘using pre-ticked boxes fails to fulfil the condition that consent must be a clear and unambiguous indication of wishes.’

There are three major lessons here:-

  1. If we, as users, can’t be bothered to read Privacy Policies and actively manage our profile settings on social network sites, then the law may not be of much help.
  2. Social network sites have to make sure that they do make it possible – and actively encourage their users – to give real consent.
  3. Social network sites have to build into their contracts the necessary obligations when it comes to the disclosure of their users’ information. That sounds fine but do they need to monitor compliance? Well, if they never check compliance at all, they are probably at risk.

Whose law is this anyway?

Why am I quoting from EU data protection law when talking about US-based social network sites? It’s for several reasons.

  • First, the notion of ‘consent’ is integral to most if not all data protection laws. Privacy regulators are increasingly taking similar approaches to the issue.
  • Second, EU data protection law can apply to US-based sites where it is treated as being ‘established’ in the EU. This is a a highly technical point and not one that I’m going to explore here.
  • Third, the European Union has effectively exported its data protection laws through the 8th Data Protection Principle. This is found in  Article 25 Directive 95/46/EC which is the core data protection directive. I should make it clear that this applies where an EU-base site ‘exports’ personal data outide the EU – say to the USA. So although it isn’t directly applicable to the situation I have been discussing, it reinforces the point about the ‘internationalisation’ of EU data protection law.

All very technical stuff so – yes – here’s the disclaimer: ‘this does not constitute legal advice by Laurence Kaye.’ But the bottom line is this: data protection compliance is located at the commercial heart of Web 2.0.

Laurie Kaye is a Partner at Laurence Kaye Solicitors and Chairman of the SCL Internet Group: You can access Laurie Kaye’s blog at


Click here for the second in the blog taster series.