Web 2.0 and privacy: risks and solutions

It is sometimes difficult to comprehend how, in the not too distant past, anyone could book a hotel without looking at TripAdvisor or could invite someone out for lunch without checking a user review published in Toptable or london- eating. Today, we rely on the collective wisdom of total strangers (although not necessarily to the operator of the website) to make important decisions like where to stay during a holiday abroad or where to take a key client for lunch. This is the spirit of Web 2.0 – the latest reincarnation of e-business and one that is proving very rewarding for a new breed of hugely popular websites.

As in the old days of e-commerce, the operators of these Web 2.0 sites only want to use the opportunities presented by the web to foster their creativity and entrepreneurial skills. In the meantime – as was also the case with the first generation of e-commerce websites – the law struggles to catch up and creates uncomfortable situations for those managing the Web 2.0 businesses. The law dealing with privacy and data protection presents a number of challenges which are not exactly new, but which take on a different dimension in a Web 2.0 environment.

A dangerously wide interpretation of personal data

What is “personal data” is something that law makers and regulators should have figured out by now. However, as technology evolves there are some grey areas in terms of what type of information should be regarded as personal data and what type should not. Reviewers of hotels, restaurants or films on Web 2.0 web sites will often be registered users with a real name and real contact details. Sometimes, the name may just be a nickname and the only contact details will be an e-mail address. However, this information plus the expressions of opinions of those users will be regarded as personal data under data protection law.

Even in the UK, where the courts in recent years have adopted a very narrow interpretation of the concept of personal data, that type of information will be sufficient to be caught by data protection law. The situation becomes less clear where the only information available to the operator of a Web 2.0 website or the users of that site is just a name (real or fake) and no other information about the identity of the individual. By and large, where the information is unlikely to reveal the identity of an individual who cannot be approached or targeted in any way by someone else (including the operator of the site), that will not be personal data in the UK.

However, a number of EU countries are unrepentant about the fact that the “identifiable” element in the definition of personal data should apply irrespectively of who can identify the individual. This means that the operator of a website may not be able to identify an individual from the data it holds alone, but the fact that another party does will turn the data held by the website into personal data. The implications of this approach for Web 2.0 businesses are devastating and could eliminate the privacy friendly side of anonymous data processing. This is particularly worrying since the Article 29 Working Party – which comprises all EU data protection authorities – is currently looking to adopt a uniform interpretation of the concept of personal data which looks likely to be very wide when compared to the UK approach.

Fair processing – old rules in a new environment

Getting back to basics for a moment, under the fair processing obligations of the UK Data Protection Act organisations must make available to the individuals whose personal data is collected the following information:

  • the identity of the organisation;
  • contact details for the organisation’s data protection representative (if any);
  • the purposes for which data is intended to be processed;
  • any other relevant information (including information as to the potential recipients of the data and the likely uses of the data to be made by such recipients).

This is called the information provision obligation and the most practical and user-friendly way of providing this information to Web 2.0 users is by means of a Privacy Policy that explains all relevant data uses. However, the Privacy Policy is unlikely to be seen by third parties mentioned by the users of the site and this has led websites like YouTube to impose a requirement on its users to obtain the written consent, release or permission of each and every identifiable individual appearing in all materials submitted. Although this approach seems sensible, it is completely unrealistic to expect that users who submit materials to a website are going to seek the written consent of those appearing in such materials.

Technically speaking, there is an exemption to the information provision obligation that applies where personal data is acquired other than from the individual himself or herself and the provision of the specified information would involve a disproportionate effort. The scope of this exemption in respect of individuals appearing in materials submitted to Web 2.0 websites has not been tested but it is reasonable to assume that it will apply since users will not generally be alerting the operator of the site to the fact that they are providing personal information about third parties.

A real test for data protection rights

Ultimately, the Web 2.0 environment is a perfect testing ground for privacy and data protection rights. The individuals who contribute content and any third parties named by them have a number of rights that do not simply disappear when the information is voluntarily provided. The collaborative and open nature of Web 2.0 websites means that these should be properly geared to honour the individual’s rights recognised by data protection law in a very effective way. The right of access in particular can pose a problem due to the sheer number of contributors that may be involved in providing personal information. However, Web 2.0 business should be well prepared to address the right of access to someone’s own data (including where such data is provided by third parties) by adopting a well thought out subject access policy.

The right to object to the processing of personal data that causes substantial damage or distress is another right that is likely to be used in this environment. Being able to identify the individual seeking to exercise this right and quickly deciding whether it applies in each case will be very important. Needless to say, to minimise any possible arguments as to whether the operator is entitled to suppress information about third parties submitted by a user, including an unfettered right to remove content without notice to the user and at the discretion of the operator will be essential.

No doubt, the scope of data protection rights and obligations will continue to evolve as technology develops and Web 2.0 matures. As ever, the evolving legal framework will be tested by those pioneers who are prepared to try new business models and explore the edges of the law.

Eduardo Ustaran is a partner in the Privacy and Information Law Group of Field Fisher Waterhouse and he is a member of the Advisory Board to the International Association of Privacy Professionals.

Email eduardo.ustaran@ffw.com.