Privacy & Information Security Law Blog

The UK Information Commissioner’s Office (“ICO”) has published guidance on the application of the Data Protection Act 1998 (“DPA”) to social networking sites and online forums. The guidance emphasizes that organizations and individuals that process data for non-personal purposes must comply with DPA requirements in their use of social networking sites and online forums just as they would in any other context.

Under Section 36 of the DPA, individuals who process personal data for their personal, family or household affairs are exempt from complying with the obligations of the DPA with respect to such processing. This exemption does not, however, apply to processing by organizations, nor to individuals processing personal data for business purposes (e.g., operating as a sole trader).

Application of the Data Protection Act 1998

The DPA applies to any individual or organization that determines (alone or jointly) the purposes for which and manner in which personal data are processed (“data controllers”). The guidance underscores that a site operator will be considered a data controller if it processes contact information of its users or subscribers. Whether a site operator acts as a data controller in relation to personal data posted on its website depends on a number of factors, in particular whether the site operator moderates content before it is posted, or if users are able to post content directly, but only in accordance with site rules (and the site operator may immediately remove any content breaching those rules). Where the site operator acts as a data controller, it must take reasonable steps to ensure that posted personal data presented as a matter of fact (as opposed to an expression of opinion) are accurate and up-to-date. The ICO’s expectations in terms of “reasonable steps” will depend on the circumstances. Where the vast majority of site content is posted directly by third parties, the volume of posts is significant, and the site content is not moderated in advance, “reasonable steps” would not include checking the accuracy of individual posts, but would include:

• having a clear and prominent acceptable use policy;
• having clear and easy to find procedures for individuals who wish to dispute the accuracy of posts relating to them and request the removal of such posts;
• responding to accuracy disputes quickly; and,
• having procedures to suspend or remove disputed content.

Individuals who have complaints about their personal data posted on a site can contact the ICO, but should first contact the website administrator or the individual or organization responsible for the post. Further, the guidance clarifies that the ICO will not take any action with respect to complaints made against individuals processing personal data for personal purposes, no matter now unfair, derogatory or distressing the content.

The guidance also identifies other UK laws that may be relevant to social networking sites and online forums, including the Protection from Harassment Act 1997, the Malicious Communications Act 1988 and the common law of defamation.

Application of the Personal Purposes Exemption

In practice, organizations tend to focus more on their compliance obligations with respect to more established forms of online media, such as corporate websites, than they do when it comes to new media. The guidance makes clear, however, that organizations’ obligations under the DPA remain the same, specifically referencing organizations using social media to:

• post personal data on their own or a third party’s website (e.g., posting customer reviews or “I just bought…” advertisements);
• download personal data from a third party website (e.g., data scraping from public profiles); or,
• run a website allowing users to publish comments and posts, such as a blog.

Whether an individual’s use of online media is considered personal or non-personal depends on the particular facts. A sole trader setting up a website to promote his or her own business, including customer reviews, would constitute a non-personal, business purpose. An individual selling a few possessions online and messaging prospective buyers through an auction site would constitute a personal purpose exempt under Section 36, notwithstanding the fact that the individual will earn money from the sales.

The guidance also addresses the status of groups of individuals, such as clubs and societies, that create sites for their shared recreational purposes. An example of this type of shared site might be a photo-sharing webpage for friends to compile pictures from a group holiday. For those types of groups, the Section 36 exemption will still apply. A group-developed site with an evolving membership is less likely to qualify for the personal purposes exemption, since a group that exists independent of specific individuals is more likely to process personal data for its own purposes as opposed to the personal purposes of individual members. In relation to processing by groups, the presence of the following factors make it less likely that the personal purposes exemption will apply:

• the site is commercial and generates income through subscription or advertising;
• the site has been set up to pursue a professional or commercial objective;
• personal data are processed for the purposes of the group itself, rather than for the purposes of its individual members;
• personal data are posted by the group, rather than by individuals;
• the group is separately legally constituted in some way;
• the group would continue to exist even its membership changed; or,
• the group has its own set of rules, which exist separately from its members.

Conclusions

This new guidance will no doubt serve as a timely reminder to organizations that they must comply with data protection requirements with respect to of all their processing activities, including corporate social media accounts, microsites and blogs. It also may signal that the ICO intends to focus its attention more on online operators and their processing activities.

Although this guidance focuses on the personal purposes exemption with respect to social media, there also is clear overlap with the Section 32 exemption (applicable to data processing for the purposes of journalism, art, literature and the public interest). In accordance with a recommendation contained in the Leveson Inquiry, the ICO will publish guidance on the Section 32 exemption shortly.