Anti-social media? Networking and the power of privacy

February 2013

Love it or loathe it, no one can deny the influence of social media on our lives. Whether it is posting a comment on a blog or forum, sending holiday updates to friends and family or connecting with professional associates, these online communities and networks enable us to reach out, link to and share information with others.

In many cases the information relating to ourselves or those we post about will be subject to data protection laws.  In Europe these laws derive from EC Directives, with the core implementing legislation in the UK being the Data Protection Act 1998 (DPA).  The DPA provides rights to individuals in respect of personal data processed about them and places obligations on those who process personal data.

The implications of the DPA for social media will vary depending on the user, the service and the use to which social media is put. The distinctions between these uses may not always be apparent.

Implications for users of social media

In many cases users of social media will be the subject of information they post about themselves or about matters touching on the private sphere of their life, their friends and family. The user in these cases is exempt from the DPA where the personal information they process will be purely for their personal or household purposes.

In other situations however, the DPA is brought to bear on the use of a social networking service.  This can be seen for example where a business adopts a social profile or uses social media as a marketing or public relations tool to promote its products or services. Where these activities involve the publishing of personal data or the sending of  communications to other persons, then the user will be treated as a data controller to whom the DPA applies and the consent of the persons whose data is processed will typically be needed.

Not surprisingly, business use of social media has grown significantly in recent years. Increasingly businesses are mining social media sites to build profiles of users based on the information they post. Those who harvest this data cannot argue that the data is fair game because it is in the public domain. The processing of any harvested data will remain subject to DPA  obligations, such as the requirement to process collected personal data fairly and lawfully. See our article for more information on the data protection issues associated with business use of social media.

Implications for providers of social media services

Although the providers of social media services may not create the content that is published and shared by their users, they are clearly data controllers subject to the DPA as they provide a platform for the processing of user data and users must register with them and create an account.  The provider may then look to exploit the data of its users for its own and third party advertising and marketing purposes.

Providers of social media services must make clear to users who they are providing their data to and what range of 'behind the scenes' uses may be made of this data, by either the provider or by third parties. The services should offer clear and easy to operate default privacy settings so that data is not shared beyond a user's immediate circle of contacts (unless the user actively chooses to publish their data more widely). In addition, the provider should alert users to the potential privacy risks to themselves and those about whom they post information through the service, and allow users the option to adopt a pseudonym for their posts if they wish.

Other considerations relevant to the providers of social media services include:

  • Only collecting sensitive personal data (for example, data revealing race or ethnic origin, political opinions, religious or philosophical beliefs, health or sex life) with the explicit consent of the user.
  • Only collecting data of children with the verifiable consent of their parents and not directing profiling or marketing activities at children.
  • Enabling users or the subject of published content to easily contact the provider with any complaint or concern about data posted to the service.
  • Setting clear timeframes by which the data of any inactive accounts and data on inactive users are deleted.

Importantly, users should be confident that their accounts and data are kept secure.  Any failure to preserve the integrity of user accounts could have far reaching implications, not just for the user's social media account but also for any other accounts they have that share the same user name and password. Where account data is compromised this could potentially reveal data useful as building blocks in future identity frauds across a range of other services.

It is often the very popularity of these services that makes them a target for attack. As recently as 1 February 2013, Twitter announced that it had been targeted by hackers who gained access to account information on approximately 250,000 of its users.

Ultimately, the continued popularity of social media tools rests on the ability of both providers and users to instil confidence in those they connect with that their data will be respected and protected. Failure to take the DPA on board could only result in an anti-social outcome.

Sally Annereau


Sally looks at the influence social media has on our lives and the implications for data protection.