The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.
The Guidance
Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public on Social networking and online forums when does the DPA apply? The short answer, applying European law, should be “always”. But this would a) make the guidance rather short, and b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.
The guidance says
The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes
There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.
The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.
This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.
The Law
Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that
This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity
and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing
of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses
These provisions are given domestic effect in section 36 of the DPA, which says
Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]
In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that
[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people
Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said
the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]
Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.
The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says
the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication
Try as I might I cannot square this with ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation that
There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…
the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.
The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully
I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.
with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works
we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]
In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities
This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]
This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]
the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes ona wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall underthe exemption.
Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
Pingback: Photographing sleeping people – data protection implications | inforightsandwrongs
Pingback: Lords’ Committee on Social Media and Criminal Offences – lacking a DPA expert? | informationrightsandwrongs
Pingback: Do bloggers need to register with the ICO? And in the future? | informationrightsandwrongs
Pingback: Russell Brand and the domestic purposes exemption in the Data Protection Act | informationrightsandwrongs