ICO Social Media Guidance – Shirking Responsibility?

The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.

The Guidance

Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public on Social networking and online forums when does the DPA apply? The short answer, applying European law, should be “always”. But this would a) make the guidance rather short, and b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.

The guidance says

The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes

There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.

The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.

This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.

The Law

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that

This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity

and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing

of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

These provisions are given domestic effect in section 36 of the DPA, which says

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]

In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that

[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people

Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said

the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]

Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.

The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says

the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication

Try as I might I cannot square this with ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation that

There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…
One might take a moment to reflect on what is being said here. The paper’s author appears to understand the meaning of Lindqvist, regarding the lack of exemption for information posted openly on the internet, but says the ICO doesn’t (wholly) accept what is the binding decision of the ECJ.
One possible justification for the position lies in the additional wording Parliament inserted into section 36 of the DPA relating to “recreational purposes” (although, as I note above, the new guidance doesn’t put much emphasis on this). It is perhaps possible to construe – as the ICO clearly does – this to permit the section 36 exemption to extend to internet publication of personal data. Indeed, the apparently interminable infraction proceedings brought against the UK by the European Commission (tracked doggedly by Dr Chris Pounder) for numerous examples of apparent lack of proper domestic implementation of the Directive include criticism that
the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.
However, even if this addition of “recreational purposes” to the UK statutory scheme arguably extends – perhaps impermissibly – the ambit of the exemption, the ICO was told in unequivocal terms in The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB) that
The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully
In Kordowski the ICO had been asked by the Law Society to intervene to prevent the publication of defamatory and unfair postings on a website called “Solicitors from Hell”. The ICO had declined, citing – in a letter to the Law Society – the domestic purposes exemption as the reason for not investigating
I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.
Tugendhat J expressed his sympathy
with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works
but said that the ICO had an obligation to investigate a complaint “where there is no room for argument that processing is unlawful”.
The ICO (in the form of David Smith, the Deputy Commissioner responsible for data protection) has argued that the mistake the ICO made in the Kordowski matter was in holding that the site owner and administrator (Kordowski himself) was covered by the section 32 exemption. He does not appear to accept that the people submitting the “ratings” and comments about solicitors were not covered by the same
we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]
While this is an interesting argument, that the site owner, as clearly the primary data controller, holds some sort of primary liability for publication on his or her site, while those posting on it are exempt because of the domestic purposes exemptions, it is hugely problematic. This is because, firstly, it is inconsistent with the judgment in Lindqvist and, secondly, becuase it tends towards an illogical argument that an individual commenter on a site, perhaps a social media site, posting a defamatory, or even a criminal, statement, does so only for domestic purposes.
European developments
In Kordowski the judge’s sympathy rested in part on the fact that the DPA, and the ICO who must regulate it, are creatures of the 1995 Directive
In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities
In Janaury 2012 the European Commission began the lengthy process of introducing a new European data protection framework. The draft General Data Protection Regulation (GDPR) retains exemption provisions for domestic activities, and introduces new concepts: Article 2(2) states
This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]
and Recital 15 explains
This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]
This might shift the scenery set by Lindqvist to a degree, and it is possible that the ICO’s guidance, although dealing with the current DPA, was written with an eye on the European developments. Indeed, the rest of Recital 15 says
the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
However, it is to be noted that Peter Hustinx, the European Data Protection Supervisor, did not think the draft domestic purposes provisions of the GDPR were adequate
Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes ona wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall underthe exemption.
But a final development has occurred with the release on 31 May of Irish Presidency of the Council of the European Union’s Justice and Home Affairs draft compromise text which adds to Recital 15 the following words
Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
One wonders if the ICO was aware, when drafting his Social Media Guidance, of this development. However, and while it remains to be seen what the GDPR will ultimately say, much could still turn on what “undertaken within the context” means within Recital 15.
And we should not get ahead of ourselves. The ICO regulates the DPA, and as the (European) law currently stands, the act of referring to a person on the internet does not attract the domestic purpose exemption. The ICO guidance implies it might. Will this be challenged?

4 Comments

Filed under Data Protection, defamation, Europe, GDPR, Information Commissioner, social media

4 responses to “ICO Social Media Guidance – Shirking Responsibility?

  1. Pingback: Photographing sleeping people – data protection implications | inforightsandwrongs

  2. Pingback: Lords’ Committee on Social Media and Criminal Offences – lacking a DPA expert? | informationrightsandwrongs

  3. Pingback: Do bloggers need to register with the ICO? And in the future? | informationrightsandwrongs

  4. Pingback: Russell Brand and the domestic purposes exemption in the Data Protection Act | informationrightsandwrongs

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s