Back in the late nineties when the Data Protection Directive and the UK’s Data Protection Act were enacted, social media was none existent. Linkedin arrived in 2002, Facebook in 2004, YouTube in 2005, Twitter in 2006, Whatsapp in 2009, Instagram in 2010, Snapchat in 2011 with a thousand and one variations in between and ever since. In stark contrast to a time when having a brick-like mobile phone with its ability to send two short and sweet lines of text to a friend was something of a novelty, less than two decades later our lives are now unavoidably linked by technology– it’s often hard to escape.
Whilst our digital world has brought many benefits, the rapid progression of technological advances brings with it a whole world of legal issues. Legally controlling use of technology and corresponding data is a constantly evolving and complex task. One particular area of concern is the proliferation of personal data available online and the potential risk of misuse. As personal data is more easily spread, it is increasingly important that individuals have a means to prevent, or at least restrict as far as possible, unwanted use.
EU legislators are attempting to further control the processing of personal data via the General Data Protection Regulation, or “GDPR”, which empowers individuals by giving them more rights with regard to how their personal data is used. One such right given to individuals is the right of erasure or the right “to be forgotten”, as well as the right to rectification, right to object and the right to restrict processing in certain circumstances. This right of erasure is likely to be the most relevant to in relation to social media platforms.
The right to be forgotten is found in Article 17 of the GDPR. This sets out the circumstances under which a data subject can request that the data controller erases his or her personal data without undue delay. These circumstances include where: the personal data are no longer necessary for the purposes for which they were collected or processed; the data subject withdraws consent or objects to the processing and where there is no other legal ground for processing; the personal data have been unlawfully processed; the personal data have to be erased for compliance with a legal obligation or; the personal data have been collected in relation to the offer of particular information society services.
Particularly relevant to social networking sites and internet forums is the fact that children will additionally have the right to erase data that they previously consented to provide as they may not have fully understood the risks at the time they gave consent.
These rights are limited to the extent that processing is necessary for exercising the right of freedom of expression and information or for compliance with a legal obligation, is in the public interest or exercise of official authority, for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes or in relation to legal claims.
If businesses fail to comply with a valid request to remove data, they can potentially face the highest level of administrative fine under the GDPR – a massive €20M or 4% of annual global turnover – whichever is higher.
In line with this, the UK’s new Data Protection Bill shall contain a the right to be forgotten. In a statement given, the government specified that under the new legislation, people will have the right to ask social media channels to delete information they posted in their childhood.
Social media sites are therefore going have to be very careful to adhere to the terms of the GDPR. Not only do they have to ensure they have procedures in place to remove data when validly requested to do so, they must be able to respond quickly. Their privacy notices will have to be reviewed and updated as necessary and they will have to be pro-active in educating users as to their new rights. They will also have to ensure they are now meeting the higher bar set by the GDPR in relation to gaining valid consent for processing information, all whilst trying to maintain the current user friendliness that they have over the last decade perfected. They will have to adhere to transparency principles and inform users of various aspects of their internal data procedures including contact details, the purposes of processing, data retention periods, details of transfers to third countries and corresponding safeguards, whether the data will be used for profiling purposes, as well as of course ensuring that they are using appropriate technical and organisational measures to keep data secure.
Many social media sites rely heavily on ad-generated revenue, but here too changes will be required. The whole culture within the marketing world will be forced to shift to embrace the concepts integral to the GDPR. Additionally, not only will advertisers and social media sites be affected by the changes introduced by GDPR, but also the new EU ePrivacy Regulation. The latter, which in January 2017 was published as a proposed text but is not yet in force, aims to be an update of EU’s current ePrivacy Directive. The new Regulation will cover all aspects of electronic communications including the web, internet, telephone, instant messaging and consequently direct marketing, telecommunications firms, mobile app developers, online advertising networks and the Internet of Things. The Regulation will in particular address unsolicited marketing, cookies and confidentiality. Once in force, it will also apply to those providing electronic communications services such as WhatsApp, Facebook Messenger and Skype and will ensure that these services guarantee the same level of confidentiality of communications as traditional telecoms operators. Behavioural marketing and advertising methods will have to be updated. Facebook and Google’s ability to easily collect and use consumer data will be curbed, restricting them from targeting ads based on data from over-the-top services such as Whatsapp, Gmail and Messenger, until they have lawfully gained consent from individuals for each service. The proposal is for the new ePrivacy Regulation to mirror the GDPR in terms of vast fines for failure to comply, once again with maximum fines stretching up to €20M or 4% of annual global turnover.
Given the potentially huge fines involved for non-compliance, the social media giants and advertisers should be on top of this and will be busy updating privacy notice and consent requirements and updating internal procedure, ready to comply with the new legislation.
This may seem onerous for those businesses involved, but as has been stressed repeatedly by the ICO – the GDPR is an opportunity to commit to data protection and embed it in organisations’ policies, processes and people. This will help restore trust and confidence and improve customer relations. Individuals, should see all of the above as a positive. The GDPR is designed to deal with the digitally focused world in which we now live. It’s there to give individuals more rights and control over their personal data. There may be a period of time during which people will be bombarded with information from data controllers and processors supplying them with new information on their rights, how the data will be used, informing them of their internal organisations procedures and asking for consent. There will be forms to be completed, a multitude of pop up boxes full of useful information to be read and positive opt-ins will be rife. For many caught up in their current fast-paced, one-click-solves-everything lifestyle, this may seem tedious. However it must be remembered that in the world we now live in, our personal data is an incredibly valuable commodity and must be protected, and this new legislation is a big step in enabling that to happen.
For more information on GDPR, contact firstname.lastname@example.org.