Category Archives: social media

Social media crimes at least 50% of front line policing? I don’t think so

UPDATE: The BBC have now amended the headline, but, as FullFact point out, there are still concerns about the accuracy of the story.

What looks like a silly and hyperbolic BBC headline about crimes on social media is getting a lot of coverage. On social media. Here I question whether it’s accurate. On social media.

Trailing the always excellent Joshua Rozenberg programme Law in Action, the BBC has run a story with a headline saying

Social media crimes ‘at least half’ of front-line policing

And Law in Action’s own page on the broadcast in question also says

Chief Constable Alex Marshall, head of the College of Policing…estimates that as much as half of a front-line officer’s daily workload is spent dealing with calls related to online disputes

I know the BBC has to publicise itself, and maybe the programme itself will support the assertions made, but the quotes attributed to Mr Marshall don’t do so. He says

[Reports of crime involving social media are] a real problem for people working on the front line of policing, and they deal with this every day…So in a typical day where perhaps they deal with a dozen calls, they might expect that at least half of them, whether around antisocial behaviour or abuse or threats of assault may well relate to social media, Facebook, Twitter or other forms

So what he’s actually saying is that of the dozen or so calls that a front line officer receives a day, about half “may well” relate to social media. Now, I may be naive, but surely a front line police officer’s workload is about an awful lot more than receiving calls. Even if a call is often the precursor to further actions, Mr Marshall doesn’t suggest that the calls about social media inevitably lead to such further action. In fact, I would be amazed if they did, and, indeed, other remarks attributed to Mr Marshall and an unnamed officer suggest that many of these calls relate to obviously non-criminal matters, and the clear implication is that they will lead to no further action whatsoever.

Crimes involving or committed on social media are a serious societal and policing issue, and I am sure Law in Action itself will consider this in its usual measured and serious way, but for the BBC to suggest that the issue takes up more than half of front line policing resource seems to me to be hyperbolic and irresponsible.

Filed under BBC, police, social media

Virgin on the ridiculous

UPDATE 15.12.14: I think the comments on this piece take it further, and I do accept (as I did at the time, in fact) that the “password” in question was not likely to relate to customers’ accounts.
END UPDATE.

I got into a rather odd exchange over the weekend with the people running the Virgin Media twitter account. It began when, as is my wont, I was searching for tweets about “data protection” and noticed an exchange in which someone had asked Virgin Media whether their sales people rang customers and asked them to give their passwords. Virgin Media kindly appeared to confirm they did, and that

it’s for security as we can’t make any changes without data protection being passed

I asked for clarification, and this exchange ensued

[ME] Is it true your sales people call customers and ask for their account passwords? If so, are these unsolicited calls?

[VM] Yes this is true, our sales team would call and before entering your account, would need you to pass account security. I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same. If you give us a call on 150/03454541111 we can get this cleared up. Let me know how you get on

[ME] Thanks. Not a customer. Just interested in what seems like questionable practice being defended under guise of data protection

[VM] We contact our customers if there upgrade is due, or for a heath check on accounts, and a few other instances, but I get where your coming from [sic]

There’s nothing unlawful about this practice, and I assume that the accounts in question are service and not financial ones, but it doesn’t accord with normal industry practice. Moreover, one is warned often enough about the risks of phishing calls asking for account passwords. If a legitimate company requires or encourages its sales staff to do this, it adds to a culture of unnecessary risk. There are better ways of verifying identity, as their social media person seems to accept, when they say “I understand for your own security purposes why you wouldn’t feel great doing this, i’d be the same”.

One thing I’m certain about, though, is that it isn’t any part of “passing data protection” (unless they mean bypassing it) to make outbound calls and ask for customer passwords.

On a final note, and in admiration of bare-faced cheek, I highlight the end of my exchange with Virgin Media

If you want, as your not a customer, you can check out our brill offers here [removed] maybe we could save you a few pounds?

That’s an offer I most certainly can refuse.

(By the way, as it’s an official Virgin Media account, I’ve taken what I was told on Twitter at face value. If I have misunderstood any of their policies on this I’d be happy to correct).

UPDATE:

Virgin Media’s Twitter account appears to have confirmed to me a) that they do ask for customers’ passwords on outbound sales calls, and b) that they see nothing wrong with it. And rather hilariously, they say that “we can discuss further” if I will “pop a few details” on their web form for social media enquiries. No thanks.

Filed under Data Protection, Let's Blame Data Protection, marketing, nuisance calls, PECR, social media

Letting the data protection genie out of the bottle

Ireland police tweet a picture of a distinctive car they pulled over…social media speculates as to the owner…police warn of data protection implications…

Recital 26 to the 1995 European data protection Directive explains that

the principles of protection must apply to any information concerning an identified or identifiable person [and] to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person

The Directive was transposed into Irish domestic law by amendments to the Data Protection Act 1988, which defines personal data as

data relating to a living individual who is or can be identified either from the data or from the data in conjunction with other information that is in, or is likely to come into, the possession of the data controller

What this means is that, as the Ireland Data Protection Commissioner says

There are different ways in which an individual can be considered ‘identifiable’. A person’s full name is an obvious likely identifier. But a person can also be identifiable from other information, including a combination of identification elements

With that in mind it was instructive to note a brief exchange on Twitter this morning involving the An Garda Síochána official account which is set up to provide “information on traffic and major events”. The exchange began with a tweet containing a photograph of a car pulled over for having “overly tinted windows”, and this was followed by a couple of tweets from another twitter user alluding to the identity of the driver of the car. Finally, the Garda tweeted

Please do not post name, data protection issues, we want to raise awareness, we do not want to cause embarrassment

Some of the tweets have since been deleted, but @anyabike helpfully took a screengrab, which I have edited to remove any identifying information (except the picture of the car, which is still on the Garda timeline).

This is interesting (well, to me at least) because the concerns from the Garda about data protection should perhaps more properly have been addressed at themselves, for tweeting the picture in the first place. I have previously written about the practice of emanations of the state using social media to “shame” people, or to pursue campaigns and the fact that this almost inevitably engages data protection and human rights laws. The fact that the Garda published a picture from which an individual could be identified (either from that data or from that data in conjunction with other information in their possession) meant that they were, by definition, processing personal data (uploading a picture to the internet is certainly “processing”). And it is at least arguable that, in doing so, they should have been alive to the possibility of third parties being able to identify the individual, which would go to the heart of whether the initial processing was “fair” (section 2(1)(a) Data Protection Act 1988). Any complaint arising out of identification would perhaps be made not only about the person naming the individual, but also, and more strongly, about the public authority who initiated the identification.

This is not a huge issue, and I’m not saying the Garda were wrong to tweet the picture, merely that it is some kind of irony that, having done so, they then seek to restrain speculation as to the identity of the car owner: on social media, once the data protection genie is out of the bottle, it can be very hard to get him back in.

Filed under Data Protection, human rights, police, social media

Your Twitter account is worth…

SWEET F.A.

Go and learn some economics. Something’s value is determined by what people are prepared to pay for it, and no one wants to buy your twitter account. Don’t be so greedy.

Filed under nonsense, social media

Analysis prompted by Morrisons “data breach”

Yesterday’s data breach involving Morrisons supermarket and its staff payroll illustrates how difficult it is properly to handle such incidents, and perhaps provides some learning points for the future. But it also raises issues about what a “data breach” is.

What do we mean by “data breach”, “personal data breach”, “data security breach” etc?

The draft European General Data Protection Regulation (GDPR), which continues to slouch its way towards implementation, says in its current form that

In the case of a personal data breach, the controller shall without undue delay notify the personal data breach to the supervisory authority [and]

When the personal data breach is likely to adversely affect the protection of the personal data, the privacy, the rights or the legitimate interests of the data subject, the controller shall, after the notification referred to in Article 31, communicate the personal data breach to the data subject without undue delay

“without undue delay” is, by virtue of (current) recital 67, said to be “not later than 72 hours” (in the original draft it was “where feasible, within 24 hours”). However “personal data breach” is not defined – it is suggested rather that the proposed European Data Protection Board will set guidelines etc for determining what a “breach” is. What is not clear to me is whether a “breach” is to be construed as “a breach of the data controller’s legal obligations under this Regulation”, or, more generally, “a breach of data security”. Certainly under the current domestic scheme there is, I would argue, confusion about this. A “breach of data security” is not necessarily equivalent to a breach of the Data Protection Act 1998 (DPA). To give a ludicrous example: if a gunman holds a person hostage, and demands that they decrypt swathes of personal data from a computer system and give it to them, then it is hard to see that the data controller has breached the DPA, which requires only that “appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data” (which clearly cannot be construed as an unlimited obligation), but there has most certainly been a breach of data security.

It is unclear whether Morrisons chose to inform the Information Commissioner (ICO) about their incident, but the wording they’ve used to describe it suggests they are seeing this not as a breach of their obligations under the DPA, but as a potentially criminal act of which they were the victim: on their Facebook page they describe it as an “illegal theft of data” and that they are liaising with “the police and highest level of cyber crime authorities” (a doughnut to anyone who can explain to me what the latter is, by the way). If an offence has been committed under section 55 of the DPA (or possibly under the Computer Misuse Act 1990) there is a possible argument that the data controller is not at fault (although sometimes the two can go together – as I discuss in a recent post). Morrisons make no mention of the ICO, although I have no doubt that they (ICO) will now be aware and making enquiries. And, if Morrisons’ initial assessment was that they hadn’t breached the DPA (i.e. that they had taken the appropriate technical and organisational measures to mean they were not in breach of the seventh DPA principle), they might quite understandably argue that there was no need to inform the ICO, who, after all, regulates only compliance with the DPA and not broader issues around security breaches. There was certainly no legal obligation under current law for Morrisons to self-notify. Plenty of data controllers do, often ones in the public sector (the NHS Information Governance toolkit even automatically delivers a message to the ICO if an NHS data controller records a qualifying incident) but even the ICO’s guidance is unclear as to the circumstances which would trigger the need to self-notify. Their guidance is called “Notification of data security breaches to the ICO” but in the overview at the very start of that guidance it says

Report serious breaches of the seventh principle

Ultimately I see it boiling down to two interpretations: report a data security breach so that the ICO can assess whether it is a serious breach of the seventh principle, or, assess the data security breach yourself, and if you assess it as a serious breach of the seventh principle, report that to the ICO. This is not obligatory under the current domestic data protection law, so to an extent it is an arid discussion, but if notification does become obligatory under the GDPR it will become much more important.

There is one domestic law under which it is obligatory to report a “personal data breach”. The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended by 2011 Regulations, require a provider of a public electronic communications service to notify the ICO of

a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of a public electronic communications service

This notably does not specify that the breach has to constitute a breach of the service provider’s DPA obligations, and one wonders if this is the sort of thing that will be specified as a breach once the GDPR is implemented.

Morrisons’ notification to data subjects

The people whose data was apparently compromised in the Morrisons “breach” were its staff – it was payroll information which was allegedly stolen and misused. It appears that Morrisons emailed those staff with internal email addresses (how many checkout staff and shelf-stackers have one of those?) and then, as any modern, forward-thinking organisation might, it posted a message on its Facebook page. However, I really wonder about that as a strategy. The comments on that Facebook page seem to be threatening to turn the incident into a personnel and public communications disaster, with many people saying they had heard nothing until they read the message. Moreover, one wonders to what extent some staff might have been misled, or have misled themselves, into assuming that the comments they were posting were on some closed forum or network. As was suggested to me on twitter yesterday, some of the comments look to be career-limiting ones, but by engaging on its social media platform, might Morrisons be seen to have encouraged that sort of robust response from employees?

Much of this still has to play out – notably whether there was any contravention of the DPA by Morrisons – but, in a week when their financial performance came under close scrutiny, their PR handling of this “data breach” will also be looked at very closely by other data controllers for lessons in case they are ever faced with a similar situation.

Filed under Breach Notification, Data Protection, employment, Information Commissioner, PECR, social media

Shaming the not guilty

UPDATE
9 January 2014, after a bit of prompting, the Information Commissioner’s Office have confirmed to me that they are looking into whether Staffordshire Police’s twitter campaign was compliant with the Data Protection Act
END UPDATE

Is Staffordshire Police’s social media campaign naming those charged with drink-driving offences fair and lawful?

A month ago I wrote about media coverage of Sussex Police’s crackdown on drink-driving. I was concerned that the impression was being given by the media that the police were “naming and shaming” people who had merely been charged – not convicted – with the offence. I asked Sussex Police if they were happy with the words attributed to them by the Eastbourne Herald but they chose not to reply (which I suppose is one way of dealing with enquiries from the public).

I have to concede that, in that instance, it was not clear whether the police themselves were suggesting people were guilty of an offence before any conviction. However, I heard today (thanks @primlystable) that Staffordshire Police have been running a campaign which is much more overt in its suggestion that people who have been charged with drink-driving offences can be called “drink drivers”. They have been running a social media campaign using the hashtag #drinkdriversnamedontwitter, and, they announce, there has been “overwhelming support” for it

Overwhelming support #drink drivers named on twitter

Staffordshire Police has received tremendous support for its name and shame tactic to reduce the number of drink-drivers.

Nearly 500 people completed an on-line survey asking whether they supported naming people charged with drink-drive offences and whether it would help people think about the consequences of this type of offence.

But the blurring of the line in that press release between the guilty and the not-proven-guilty is highly problematic. If someone has merely been charged with an offence, it is contrary to the ancient and fundamental presumption of innocence to shame them for that fact. Indeed, I struggle to understand how it doesn’t constitute contempt of court to do so, or to suggest that someone who has not been convicted of drink-driving is a drink driver. Being charged with an offence does not inevitably lead to conviction. I haven’t been able to find statistics relating to drink-driving acquittals, but in 2010 16% of all defendants dealt with by magistrates’ courts were either acquitted or not proceeded against [1].

I asked the Attorney General’s Office (by twitter) what it thought of the use of the hashtag against the names of those merely charged with an offence, but, in saying

Tweets are same details automatically given to Magistrates’ court and made public at hearing – not contempt in this case

I think they rather missed the point – it wasn’t the naming of charged people which concerned me, it was the association of the name with the hashtag. And, in an excellent response on twitter, @richgreenhill said

You’d be similarly sanguine about tweeting certain names and “#phonehacker” right now?

But I’ve also asked the Information Commissioner’s Office (ICO) whether the practice is compliant with Staffordshire Police’s obligations under the first data protection principle (Schedule 1 of the Data Protection Act 1998 (DPA)) to process personal data fairly and lawfully. The ICO has shown itself commendably willing recently to challenge unfair processing, and has, for instance, served DPA enforcement notices against Southampton City Council for making it a licensing requirement that taxi drivers have continuous CCTV-with-audio in their cabs, and against Hertfordshire Police for its automatic number-plate recognition “ring of steel” around Royston. I would urge the ICO to consider whether this current campaign warrants some regulatory action.

As I was writing this piece I saw a news item in which a traffic lawyer has called for the Staffordshire Police and Crime Commissioner (PCC) to resign as a result of the campaign, saying

By his comments he is now presuming that everyone named by his officers are guilty as charged even before they have appeared before a court. In other words he is demonstrating a cavalier disregard for the presumption of innocence.

His comments have potentially prejudiced every drink driving case before it is heard.

This pitches it stronger than I have, but I also note that Matthew Ellis, the PCC, has said in response

No-one will be named where there is any doubt

That is deeply concerning: it is no part of the police’s role to determine or pronounce on someone’s guilt or innocence.

[1] Ministry of Justice, Criminal Justice Statistics, Quarterly Update to December 2010

Filed under Data Protection, human rights, Information Commissioner, police, social media

For Shame

A newspaper says police are “naming and shaming” drivers who have been charged with, but not convicted, of drink-driving offences. Sussex Police say they are merely “naming” the drivers, but do not appear to feel the need to correct the media reports.

The risk for social media users of being held in contempt of court was highlighted this week by the Attorney General, who has said that, in future, the advisory notes issued to “traditional” media on individual cases will now be made more widely available (published on the gov.uk website and twitter).

With this in mind I was concerned to see that Sussex Police were reported by the Eastbourne Herald to be “naming and shaming” drivers arrested and charged with drink-driving

Police have said this year they are ‘naming and shaming’ everyone they arrest in connection with drink driving

The report goes on to quote Chief Inspector Natalie Moloney as saying

It is sad that so many people ignored the warnings that we would be looking for drink-drivers and have been charged with offences within hours of the start of the campaign. The arrests and the naming of those charged with offences will continue across the county throughout the month

This seemed to me potentially to engage the strict liability provisions of the Contempt of Court Act 1981, “whereby conduct may be treated as a contempt of court as tending to interfere with the course of justice in particular legal proceedings regardless of intent to do so”, because it is a publication addressed to the public at large, about active proceedings. For an offence to be committed the publication must give rise to a substantial risk that the course of justice in the proceedings in question will be seriously impeded or prejudiced. I am not convinced that would be the case, but, nonetheless, I was surprised to see a police force effectively being reported as saying that naming someone only charged with an offence gives rise to “shame” (it does nothing of the sort, of course, given the legal maxim of “innocent until proven guilty”). So I asked the Sussex Police twitter account

Are you really running a policy of “shaming” people by naming them prior to a trial?

to which they replied

We are not “shaming” anyone. We are naming those charged with a drink-related driving offence as we do for a range of offences

That was fair enough (although one might ask Chief Inspector Moloney why an innocent person would heed a warning that police were looking for drink-drivers) but, as it appeared that this “naming-not-shaming” initiative had been launched in conjunction with the media, I wondered if they would be asking the Herald to correct its misleading article. Sussex Police replied

The campaign doesn’t aim to ‘shame’, but rather to deter & the article does not attribute the phrase to us

but this is simply not true: the article may not directly attribute the phrase to the police, but it does so indirectly

Police have said this year they are ‘naming and shaming’…

I have had no response yet to my further tweet pointing this out.

So, in a week when contempt via social media is very much in the headlines, we appear to have an online newspaper report which suggests there is shame attached to being charged with an offence, and which attributes this phrase to a police force, who seem unconcerned about correcting it. Odd.

For the avoidance of doubt, I should say that I have no sympathy whatsoever with people convicted of drink driving offences, but, to suggest there is “shame” in being charged with an offence prior to trial, is to go against centuries of presumption of innocence.

Filed under human rights, journalism, police, social media

Photographing sleeping people – data protection implications

Is it ever OK to photograph strangers on a train? asks Nell Frizzell, in a balanced and nuanced article in the Guardian:

one new public transport phenomenon has recently crashed into my consciousness. Tumblr accounts dedicated to secretly photographing, uploading and then critiquing fellow commuters, have spored like bed bugs on a bus seat.

She correctly points out that domestic law, even to the extent that it gives effect to Article 8 of the European Convention on Human Rights, does not prevent, in general terms, the act of photographing an individual without their consent.

However, the practice she describes, of uploading photographs to social media sites, does engage, and, I would argue, breach, the Data Protection Act 1998 (DPA).

An image of a person is potentially (and in these specific cases almost certainly) their personal data (particularly bearing in mind the observation by the Court of Appeal in Durant v Financial Services Authority [2003] EWCA Civ 1746 that for information to be personal data it “should have the putative data subject as its focus”). The DPA contains an exemption (at section 36) from all the provisions of the DPA for processing of personal data by an individual for the purposes of that individual’s personal, family or household affairs (including recreational purposes) (the “domestic purposes exemption”). It is possible, although arguable, that the mere taking (and no more) of a photograph of someone on a train, would be caught by this exemption. However, once such a photograph is uploaded to the internet, the exemption falls away. This is because the European Court of Justice held, in a 2003 ruling that binds all inferior courts, that personal data posted on the internet could not be caught by the domestic purposes exemption (Lindqvist (Approximation of laws) [2003] EUECJ C-101/01).

That said, the Information Commissioner’s Office (ICO), which regulates the DPA in the UK, has shown reluctance to accept this authoritative statement of the law regarding the online processing of personal data. I have previously written about this, in the context of the ICO’s social media DPA guidance, which sidesteps (or, rather, ignores) the point. However, it might be more difficult for a domestic court (bound by the authority of Lindqvist) to ignore it in the same way, in the event that any case came before one for determination.

But therein lies the (lack of) rub. Uploading a photograph, without consent, of someone sleeping on a train is unfair, and therefore in breach of the first Data Protection Principle (because no Schedule 2 condition exists which permits the processing). But I struggle to imagine the chain of events which could give rise to a claim (for instance, the data subject would have to contact the photographer, or the site, to require them to cease processing on the grounds that doing so was causing, or was likely to cause, substantial damage or substantial distress, and the photographer, or site, would have to refuse).

So, ultimately, even though I’d argue that these sites, and those who upload to them, breach the DPA, the unwillingness of the ICO to exercise jurisdiction, and the unlikelihood of any legal claim emerging, mean that they can probably continue with impunity, unfairness notwithstanding.

As photographer Paul Clarke said in an excellent blogpost on the subject earlier this year

Sticking to rigid rules of law won’t help us very much. This might feel (it does to me) like gross intrusion on privacy. But being offensive is not enough to make something an offence.

Filed under Data Protection, human rights, Information Commissioner, Privacy, social media

ICO Social Media Guidance – Shirking Responsibility?

The Information Commissioner has issued guidance on when the Data Protection Act is held to apply to Social Networking and Online Forums. While I recognise the pragmatic approach it takes, it appears to be in conflict with the leading legal authorities.

The Guidance

Apparently without much fanfare, unless I’ve missed it or am ahead of it, the Information Commissioner’s Office (ICO) has issued guidance for the public on “Social networking and online forums: when does the DPA apply?” The short answer, applying European law, should be “always”. But this would a) make the guidance rather short, and b) not be in line with the ICO’s persistent line that his office should not have to regulate what people say about each other on the internet.

The guidance says

The DPA contains an exemption for personal data that is processed by an individual for the purposes of their personal, family or household affairs. This exemption is often referred to as the ‘domestic purposes’ exemption. It will apply whenever an individual uses an online forum purely for domestic purposes

There are several interesting things about this position statement. First, it omits that the Data Protection Act 1998 (DPA) says that personal data only processed for domestic purposes is exempt from the obligations under the Act. Second, it also, strangely, omits the phrase “including recreational purposes” which arguably supports the ICO’s position (although, as I will mention later, it is controversial wording). Third, it is in direct contradiction of the leading European judicial authority on the exemption.

The guidance goes on to accept that some forms of individual self-expression on the internet will not be caught by the domestic purposes exemption, but as a whole (see the section entitled “ICO involvement in complaints against those running social network sites, organisations and individuals”) it appears to be an exercise in saying “don’t come to us if you don’t like what someone is saying about you on the internet”.

This subject is, of course, of considerable current relevance, given concerns expressed that a regulatory scheme imposed subsequent to the Leveson inquiry might end up applying to the blogosphere, or even to social media in general. I’ve written previously on this, arguing that existing data protection law already applies to such activities.

The Law

Article 3(2) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”) says that

This Directive shall not apply to the processing of personal data…by a natural person in the course of a purely personal or household activity

and recital 12 to the Directive says that the data protection principles contained therein do not apply to the processing

of data carried out by a natural person in the exercise of activities which are exclusively personal or domestic, such as correspondence and the holding of records of addresses

These provisions are given domestic effect in section 36 of the DPA, which says

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III [emphasis added]

In the leading European case on the provisions of the Directive, Lindqvist (Approximation of laws) [2003] EUECJ C-101/01, the European Court of Justice held that

[the] exception must…be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people

Lest there be any doubt as to the meaning of this, the ECJ issued a press release to accompany the judgment, which said

the act of referring, on an internet page, to various persons and identifying them by name…does not fall within the category of activities for the purposes…of purely personal or domestic activities, which are outside the scope of the directive [emphasis in original]

Lindqvist is, I would submit, unequivocal authority for the proposition that referring to an identifiable person or persons on the internet constitutes the processing of personal data, and is processing which is not exempt under Article 3(2) of the Directive.

The ICO has never accepted that Lindqvist has general application to internet publication of personal data. For instance, the ICO’s internal 2011 guidance on “Dealing with complaints about information published online” says

the Lindqvist judgement [sic]…related to a specific set of circumstances and cannot be applied to all cases of online publication

Try as I might I cannot square this with ECJ’s authority in Lindqvist. Still less can I square with it the comment, in an ICO paper on the proposed General Data Protection Regulation that

There has been some suggestion the Regulation should be used to ‘implement’ the Lindqvist decision – in short meaning that information posted openly on the internet necessarily falls outside the law’s personal or household processing exemption. We never wholly accepted the reasoning in Lindqvist…
One might take a moment to reflect on what is being said here. The paper’s author appears to understand the meaning of Lindqvist, regarding the lack of exemption for information posted openly on the internet, but says the ICO doesn’t (wholly) accept what is the binding decision of the ECJ.
One possible justification for the position lies in the additional wording Parliament inserted into section 36 of the DPA relating to “recreational purposes” (although, as I note above, the new guidance doesn’t put much emphasis on this). It is perhaps possible to construe – as the ICO clearly does – this to permit the section 36 exemption to extend to internet publication of personal data. Indeed, the apparently interminable infraction proceedings brought against the UK by the European Commission (tracked doggedly by Dr Chris Pounder) for numerous examples of apparent lack of proper domestic implementation of the Directive include criticism that
the inclusion of “recreational purposes” in the Data Protection Act…in the Commission’s view appeared to be broader than household activities.
However, even if this addition of “recreational purposes” to the UK statutory scheme arguably extends – perhaps impermissibly – the ambit of the exemption, the ICO was told in unequivocal terms in The Law Society & Ors v Kordowski [2011] EWHC 3185 (QB) that
The DPA does envisage that the Information Commissioner should consider what it is acceptable for one individual to say about another, because the First Data Protection Principle requires that data should be processed lawfully
In Kordowski the ICO had been asked by the Law Society to intervene to prevent the publication of defamatory and unfair postings on a website called “Solicitors from Hell”. The ICO had declined, citing – in a letter to the Law Society – the domestic purposes exemption as the reason for not investigating:
I do sympathise with solicitors and others who may find it extremely difficult, and in many cases impossible, to have offensive material about them removed from the internet. Perhaps this is a case where the law is out of step with technology. However, I am afraid the DPA is simply not designed to deal with the sort of problem that you have brought to my attention.
Tugendhat J expressed his sympathy
with the Commissioner in what he says about the practical difficulties raised by cases such as the present. It is also beyond doubt that the DPA was not designed to deal with the way in which the internet now works
but said that the ICO had an obligation to investigate a complaint “where there is no room for argument that processing is unlawful”.
The ICO (in the form of David Smith, the Deputy Commissioner responsible for data protection) has argued that the mistake the ICO made in the Kordowski matter was in holding that the site owner and administrator (Kordowski himself) was covered by the section 32 exemption. He does not appear to accept that the people submitting the “ratings” and comments about solicitors fell outside the same exemption:
we took the view, quite rightly I think, that the individuals who posted the comments on the Solicitors from Hell website are just individuals, they are acting in their personal, domestic capacity…I think where we actually went a bit wrong in our analysis…we said the Solicitors from Hell website doesn’t exercise control, is not a data controller and so is not caught by the law. When this case came to court, quite rightly the court looked in more detail at what the operators of the site did, the notice board and it was a lot more than just a notice board, they were actually charging people to put information there and charging solicitors to have information taken down…The intermediary there was clearly a data controller. But this establishing who is a data controller and who isn’t in this whole environment is extremely difficult. [from a transcript of an oral presentation]
This is an interesting argument: that the site owner, as clearly the primary data controller, holds some sort of primary liability for publication on his or her site, while those posting on it are exempt because of the domestic purposes exemption. But it is hugely problematic. Firstly, it is inconsistent with the judgment in Lindqvist. Secondly, it tends towards the illogical conclusion that an individual commenter on a site, perhaps a social media site, posting a defamatory, or even a criminal, statement about someone, does so only for domestic purposes.
European developments
In Kordowski the judge’s sympathy rested in part on the fact that the DPA, and the ICO which must regulate it, are creatures of the 1995 Directive:
In 1995 search engines were in their infancy. Google was incorporated in 1998. There have been many developments since that time, including the increasing use of third party facilities
In January 2012 the European Commission began the lengthy process of introducing a new European data protection framework. The draft General Data Protection Regulation (GDPR) retains exemption provisions for domestic activities, and introduces new concepts: Article 2(2) states
This Regulation does not apply to the processing of personal data…by a natural person without any gainful interest in the course of its own exclusively personal or household activity [emphasis added]
and Recital 15 explains
This Regulation should not apply to processing of personal data by a natural person, which are exclusively personal or domestic, such as correspondence and the holding of addresses, and without any gainful interest and thus without any connection with a professional or commercial activity [emphasis added]
This might shift the scenery set by Lindqvist to a degree, and it is possible that the ICO’s guidance, although dealing with the current DPA, was written with an eye on the European developments. Indeed, the rest of Recital 15 says
the exemption should also not apply to controllers or processors which provide the means for processing personal data for such personal or domestic activities.
However, it is to be noted that Peter Hustinx, the European Data Protection Supervisor (EDPS), did not think the draft domestic purposes provisions of the GDPR were adequate:
Recital 15 indicates that the exception applies in the absence of gainful interest, but it does not address the common issue of processing of data for personal purposes on a wider scale, such as the publication of personal information within a social network…In line with the rulings of the Court of Justice in Lindquist and Satamedia, the EDPS suggests that a criterion be inserted to differentiate public and domestic activities based on the indefinite number of individuals who can access the information. This criterion should be understood as an indication that an indefinite number of contacts shall in principle mean that the household exemption does no longer apply. It is without prejudice to a stricter requirement for a genuine personal and private link, to prevent that individuals making data available to several hundreds or even thousands of individuals would automatically fall under the exemption.
But a final development has occurred with the release on 31 May of the Irish Presidency of the Council of the European Union’s Justice and Home Affairs draft compromise text, which adds to Recital 15 the following words:
Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities.
One wonders if the ICO was aware, when drafting its Social Media Guidance, of this development. However, and while it remains to be seen what the GDPR will ultimately say, much could still turn on what “undertaken within the context” means within Recital 15.
And we should not get ahead of ourselves. The ICO regulates the DPA, and as the (European) law currently stands, the act of referring to a person on the internet does not attract the domestic purpose exemption. The ICO guidance implies it might. Will this be challenged?