Monday, Feb 22, 2010

Online Social Networks and Global Online Privacy

This post is part of an eleven-part series entitled Cyber Civil Rights.

By Jacqueline D. Lipton, Ph.D.

Introduction

Web 2.0 technologies pose new challenges for the legal system, distinct from those that arose in the early days of the Internet.  Web 2.0 is characterized by participatory interactive technologies such as online social networks (such as Facebook and MySpace), massive online multiplayer games (such as Second Life and World of Warcraft) and wikis (such as Wikipedia and Wikinews).  The participatory nature of these platforms makes it more difficult to classify online participants as either information content providers or consumers—classifications that were fairly typical of earlier technologies.  Content providers were generally held liable if they infringed laws relating to copyrights, trademarks, occasionally patents, defamation, and privacy rights. Consumers generally avoided such liability.  However, as consumers increasingly became content providers themselves—on early file sharing platforms such as Napster, for example—the lines between production, distribution and consumption of online information became blurred.

This aggregation of online roles is readily apparent in the context of online social networks (OSNs) such as Facebook and MySpace.  While the OSN provider is the entity that makes available the platform for online interaction, the members take on the various roles of content creator, distributor, and consumer.  Members are also the subjects of much online content shared on OSNs: for example, a Facebook member (or even a non-member) may easily become the subject of gossip and pictures created and distributed by OSN members over the network.  Because of the wide scale sharing of information about private individuals on OSNs, commentators have begun to raise concerns about privacy in this context.[1]  Individual privacy rights, difficult to protect at the best of times, are easily reduced to almost nothing in the context of OSN interactions.

This Comment aims to emphasize some of the more obvious limitations of existing privacy laws in the OSN context.  The discussion focuses on the E.U. Data Protection Directive [2] and its potential application to conduct on OSNs.  The Directive is one of the most comprehensive attempts to protect privacy in the digital age, in contrast to the piecemeal, sectoral approach to privacy taken in countries like the United States.[3] However, even the Directive is limited in its ability to apply to OSNs.  Despite being drafted in the wake of the Internet revolution and taking early Internet technologies into account, the Directive’s privacy protections are now dated in their application to OSNs.  Nevertheless, lawyers and policy makers might learn valuable lessons from the current gaps and limitations in applying the Directive to OSNs.  These lessons might usefully inform future developments in global privacy discourse.

I. The Data Protection Directive, OSNs and Unresolved Issues

The E.U. Data Protection Directive aims to protect individual privacy by imposing certain obligations on those who process personal data.  The notions of “processing” and “data” are defined very broadly within the Directive[4] in an attempt to make the Directive as technology neutral and future proof as possible.  Entities that are defined as data controllers or data processors are required to conform to certain requirements including limiting the amount and nature of information collected about individuals,[5] and ensuring that individuals have access to data collected about them.[6]

Although the Directive was intended to be technology neutral, OSNs pose some new privacy challenges outside the initial contemplation of the drafters.  At the time the Directive was implemented, the main concern of the drafters was to curtail practices involving the unbridled aggregation, use, and analysis of text-based dossiers about private individuals.  These dossiers might be compiled by governments or private entities, and used for all kinds of purposes, including public security, crime prevention, and targeted marketing.  At the time, little thought was given to aggregations of large amounts of personal information for predominantly social purposes—although the Directive does contain an exemption for the processing of personal data: “by a natural person in the course of a purely personal or household activity.”[7]

A.       Defining “Data Controller”

In May of 2009, an independent working party reviewed the Directive’s application to OSNs and identified a number of uncertainties inherent in the application of the Directive to this context.  One of the key issues discussed by the working party revolved around the appropriate identification of a “data controller” in the OSN context.  While an OSN provider like Facebook is obviously a data controller for these purposes, it is less clear whether and, if so, when, other participants might be so defined.  Application providers, for example, might be data controllers in circumstances where they develop add-on applications for OSN users.  The more important question, however, is when members of OSNs might themselves be data controllers for the purposes of the Directive.

The working party noted that in most cases OSN members will be data subjects, rather than data controllers. In other words, they are typically the people whose information needs to be protected, rather than the people who need to protect others’ information.  However, there are clearly circumstances in which individuals interacting online should be subject to obligations to take care for others’ privacy rights.  The working party identified a number of circumstances in which an OSN member might be regarded as a data controller under the Directive, and would not be able to take advantage of the “personal or household use” exemption.  These circumstances include situations in which an OSN member:

(a) acquires a high number of third party contacts including people who she does not actually know in the real world;[8]

(b) opens her profile, including information about other people, to the public at large rather than restricting it to a selected group of contacts;[9] and,

(c) is acting on behalf of a company or association to advance a commercial, political or charitable goal.[10]

B.       Categorizing Data

Another issue that has been particularly challenging in the OSN context is that of the format of the information being processed.  While the Data Protection Directive was drafted largely with aggregation of text-based data in mind, much of the information exchanged on OSNs is in pictorial, video and multi-media formats.  The Directive itself is not expressly limited to text-based data and the drafters did contemplate that it should also cover “sound and image” data as technological capabilities improved over time.[11]  However, there is little clarity as to how this information should be classified and protected under the Directive.

In particular, the Directive distinguishes between standard “personal data” and “special categories of personal data” such as data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health or sexual life.[12]  These special categories are given greater protection than other data under the Directive.  Information within these categories may not be processed at all unless one of a limited number of exceptions applies,[13] the most important of which is probably the data subject’s consent to the processing.[14] In the OSN context, the question has arisen as to whether pictures of data subjects should automatically be considered as coming within the special categories of data and subject to heightened protection.  The argument in favor of treating images as a special category is that they can be used to identify a person’s racial or ethnic origins or may be used to deduce a person’s religious beliefs and some health data.[15]

While some European Union Member States have domestic laws under which images are specially protected data by default, the 2009 working party on the Data Protection Directive rejected making this approach into a general rule.[16]  The working party took the view that images on the Internet are not sensitive data per se unless the particular images are “clearly used to reveal sensitive data about individuals.”[17]  The working party also noted that to the extent an OSN service provider like Facebook creates a user profile form that includes spaces for particularly sensitive data, the service provider must make it clear to members that answering any of those questions is completely voluntary.[18]

C.       Third Party Data

Additionally, the working party raised concerns about the collection and collation of third party data (i.e., data about non-members).  These practices are of questionable validity under the Data Protection Directive.  The working party noted with particular concern that an OSN provider might send an invitation to a non-member to join the network and take advantage of a profile the OSN had already created by piecing together information contributed by other users who may be real world friends of the non-member.  In this case, the OSN provider would likely be violating European Union regulations that prohibit the sending of unsolicited commercial emails – or spam – for direct marketing purposes.[19]

Conclusion

The above discussion raises just a few of the more salient challenges posed for privacy law by OSNs. Obviously, if a law as comprehensive as the Directive is challenged by the realities of online social networking, the piecemeal laws in countries like the United States are unlikely to be able effectively to protect privacy in this context.  Several commentators have talked about the limitations of American privacy tort law in the context of OSNs, and the need to rethink our approach to privacy regulation in this context.[20]  The European Union experience with the Directive may give some guidance to any ongoing law reform efforts in jurisdictions such as the United States, particularly as digital privacy law reform now needs to be a more global initiative.

 


Professor of Law and Associate Dean for Faculty Development and Research; Co-Director, Center for Law, Technology and the Arts; Associate Director, Frederick K. Cox International Law Center, Case Western Reserve University School of Law, 11075 East Boulevard, Cleveland, OH, 44106. JDL14@case.edu, 216-368-3303.

[1]. See Patricia Sánchez Abril, A (My)Space of One’s Own: On Privacy and Online Social Networks, 6 Nw. J. Tech. & Intell. Prop. 73 (2007); Patricia Sánchez Abril, Recasting Privacy Torts in a Spaceless World, 21 Harv. J.L. & Tech. 1 (2007); James Grimmelmann, Saving Facebook, 94 Iowa L. Rev. 1137 (2009); Daniel Solove, The Future of Reputation: Gossip, Rumor, and Privacy on the Internet 1 (2007); Jacqueline Lipton, “We, the Paparazzi”: Developing a Privacy Paradigm for Digital Video, 95 Iowa L. Rev. (forthcoming 2010); Jacqueline Lipton, Mapping Online Privacy, 104 Nw. U. L. Rev. (forthcoming Mar. 2010).

[2]. This Directive considers the protection of individuals with regard to the processing of personal data and on the free movement of such data.

[3]. Raymond Shih Ray Ku & Jacqueline Lipton, Cyberspace Law: Cases and Materials (2d ed. 2006) (contrasting United States and European Union approaches to privacy law).

[4]. European Union Directive 95/46/EC of the European Parliament and of the Council, 1995 O.J. (L 281) 31 at Art. 2(a) (defining “personal data”), 2(b) (defining “data processing”).

[5]. Id. at Art. 7, Art. 8.

[6]. Id. at Art. 12.

[7]. Id. at Art. 3(2).

[8]. Article 29 Data Protection Working Party, Opinion 5/2009 on online social networking, adopted on 12 June, 2009 (01189/09/EN, WP 163), ¶ 3.1.1.

[9]. Id. at ¶ 3.1.2.

[10]. Id. at ¶ 3.1.1.

[11]. EU Directive, supra note 4, at Art. 33 (“The Commission shall examine, in particular, the application of this Directive to the data processing of sound and image data relating to natural persons and shall submit any appropriate proposals which prove to be necessary, taking account of developments in information technology and in the light of the state of progress in the information society.”)

[12]. Id. at Art. 8(1).

[13]. Id. at Art. 8(2).

[14]. Id. at Art. 8(2)(a). See also Opinion 5/2009, ¶ 3.4.

[15]. Id.

[16]. Id.

[17]. Id.

[18]. Id.

[19]. Id. at ¶ 3.5.

[20]. See supra note 1.


