SPEAK NOW AND REPENT AT LEISURE?
Considering the internet elephant that never forgets
The Internet is a great enabler of free speech. These days, we embrace the freedom the internet offers to self-promote our lives and express our opinions on any subject at any time. From blogs, to social networks and the posting of comments, online networks almost crackle with the flow of our electronic chatter.
Yet having a voice in the wired world should not be at the expense of personal privacy. As the internet matures, more people are actively seeking to wrestle back control over aged records posted by or about them, and businesses face the prospect of an increasing compliance burden from demands to take down or remove information.
What types of information may be involved?
Firstly there is our own information that we choose to share. Our attitude towards the information we post is likely to change over time. Ardent expressions of love for a particular boy-band or overly exuberant photos from a party may not be information that we would want a potential employer to see in later years. German data protection regulators have already banned German employers from consulting social media sites on prospective recruits.
Then there is the information that others may post about us. The impression of being anonymous online can lead to people saying cruel things about others which they would not contemplate saying to their face. The “troll” of fiction that lived in caves or under bridges has taken on a new meaning, signifying instead a person who maliciously mocks, denigrates or harasses other people online.
There is also other public information which, when consolidated, published or archived online can reveal, in sum, more about us than the individual parts would do.
So what is the current legal position?
Although there is no general right of privacy enshrined in UK law, the UK Data Protection Act 1998, (the 'Act') and the data protection principles it contains, provide clear protections for individuals in respect of the "processing" of their personal information (meaning here any conceivable use of their data). The Act implements an EU Directive on data protection which means that broadly equivalent legal protections in respect of processing of personal data exist across the European Union.
Under the Act, individuals have the right to gain access to their information and seek to have this information corrected or erased. Individuals also have a legal right to require that the processing of their personal data stop where this is causing, or is likely to cause, substantial damage or distress and is unwarranted.
Obligations for business
Those who process this information, such as social media websites have corresponding obligations to collect and process the data fairly, to use it only for legitimate and lawful purposes and to keep the information secure. Importantly, the Act also requires that information is held for no longer than is “necessary” for legitimate purposes. In practice this means that in the absence of a legal obligation to keep information for a specific period of time or a legitimate need, businesses should keep their records under periodic review and consider removing data that is no longer needed.
The UK regulator of data protection the ‘Information Commissioner’, advises businesses to make it easy for users to update their own records or to contact the business if they have a problem with the use or accuracy of their personal data. He also recommends that where individuals wish to close their online account, it should be clear to them what this means in practice. For example, does this mean permanent deletion or will their records be archived and/or still capable of being retrieved from cached files?
The Information Commissioner can require a business to stop processing or remove information considered to be in breach of the Act and failure to take corrective steps could lead to formal enforcement action. Ultimately, failure to comply with an enforcement notice would be a criminal offence. The Information Commissioner also has the power to issue monetary penalties up to a maximum of £500,000 for serious, deliberate or reckless breaches of any of the data protection principles.
Issues with the practical application of the law
Getting information corrected or removed can, however, also raise more complex questions about whether or not it is appropriate to remove data and who should be doing this. These issues go beyond data protection compliance, involving the interplay between freedom of expression, privacy and the question of responsibility for published content.
A search engine, for example, does not generally create or publish content, it merely makes published content easier to find. Search engines question why they should be forced to remove indexing links to material that has been legally published by others, (and which may restrict others’ freedom of expression). Indeed, removing search engine links would not delete the information which may remain on the publishing site (although it would be harder to locate).
Google is currently appealing an order by the Spanish data protection authority, which requires it to delete information concerning over 90 individuals who complained separately to the data protection authority about their personal data which is available through Google’s search engines. These records range from the merely innocuous, through to more sensitive records such as the address information of a victim of domestic violence. In other cases, information may originally have been legitimately published but is now, due to changes in circumstance, considered irrelevant, distressing or potentially harmful.
A new right to be forgotten?
In addition to the existing data protection rights, the EU legal framework under which the Data Protection Directive and the Law are based, is currently under review. Among the changes envisaged is a plan to introduce a right for individuals to be ‘forgotten’, in other words, the right of individuals to have their data deleted when it is no longer needed for legitimate purposes. It is unclear at this stage how such a new right would enhance the existing rights provided for under the data protection law, whilst recognising the equally important right to freedom of expression.
Further details are likely to emerge in the New Year. In the meantime however, legislators will need to think carefully about how to step through a minefield of issues if they wish to emerge with data protection rights which effectively protect individuals without restricting free speech or the publishing of matters in the legitimate interest of the public.
"As more people seek to exercise control over their aged online records, does this threaten to upset the delicate balance between Freedom of Expression and protection of personal data or do people need enhanced data protection rights?"
"Legislators will need to think carefully about how to step through a minefield of issues if they wish to emerge with data protection rights which effectively protect individuals without restricting free speech or the publishing of matters in the legitimate interest of the public."