Personal, Private, Public and …‘Priblic’?
As explained in my first post on this issue, Privacy is a difficult concept to define in a universal manner, and conceptualising it on a case-by-case basis is simply unworkable in an online environment, both in terms of compliance and enforcement. Telling a company that is active online that it has to uphold a legal concept that is undefined and undefinable (except for some commonalities) is the perfect recipe to legal uncertainty.
This led me to consider that this is why Europe has gone for a protection of personal data, a concept that seems at first glance easier to encompass. After all, how hard can it be to define what data is personal and what isn’t, right?
And to quote Commissioner Reding on Twitter:
Before delving into the Data Protection Directive 95/46, I want to mention that I am not ignoring the influence of the OECD Guidelines in this matter (especially as they are celebrating their 30th Anniversary this year), but just focussing on the EU Directive, as this is the one under review currently in Europe.
The Directive is built around a series of concepts (‘personal data’, ‘sensitive data’, ‘consent’, ‘processing’, ‘data controller/subject’, etc.) and sets in place key principles in the area of data protection (for the Geek way of summarising, this, check out this Tech and Law post – For the official version, see here):
- Personal data: any information that relates to an “identified or identifiable natural person.”
- How should data be processed? Personal data must be processed fairly and lawfully, and collected for specified, explicit and legitimate purposes. They must also be accurate and, where necessary, kept up to date.
- When can data processing occur? Only if the data subject has unambiguously given his/her consent or processing is necessary:
- for the performance of a contract to which the data subject is party or;
- for compliance with a legal obligation to which the controller is subject or;
- in order to protect the vital interests of the data subject or;
- for the performance of a task carried out in the public interest or;
- for the purposes of the legitimate interests pursued by the controller.
- Opt-out and right to object: the data subject should have the right to object, on legitimate grounds, to the processing of data relating to him/her. He/she should also have the right to object, on request and free of charge, to the processing of personal data that the controller anticipates being processed for the purposes of direct marketing. He/she should finally be informed before personal data are disclosed to third parties for the purposes of direct marketing, and be expressly offered the right to object to such disclosures.
- Sensitive data: it is forbidden to process personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life, except under specific circumstances (notably if data subject has given explicit consent or in cases where processing is necessary to protect the vital interests of the data subject or for the purposes of preventive medicine and medical diagnosis).
- Data subject’s right to information and access: data controllers must provide data subjects from whom data are collected with certain information relating to himself/herself (the identity of the controller, the purposes of the processing, recipients of the data etc.) and of the fact that the subject has a right of access to its data that covers:
- confirmation as to whether or not data relating to him/her are being processed and communication of the data undergoing processing;
- the rectification, erasure or blocking of data and the notification of these changes to third parties to whom the data have been disclosed.
- Exemptions and restrictions: the principles in the Directive can be disregarded for reasons of national security, defence, public security, the prosecution of criminal offences, an important economic or financial interest of a Member State or of the European Union or the protection of the data subject.
There are also provisions relating to data transferred to third parties (e.g. in case of outsourcing), transborder data flows (an issue that merits a book on its own) and the fact that data controller must notify Data Protection Authorities (DPAs).
So now that we’ve done our little summary of facts & principles, what does all of this mean in an online context? Well, quite frankly, a lot of different things to different people, notably due to the substantial margin of manoeuvre given to Member States as regards transposition of the Directive.
To give only one illustration, personal data, which has been graced by additional guidance from the Art 29 Working Party under the form of an Opinion, but it is still being discussed if, for example, IP adresses should be regarded as personal data under all circumstances. Moreover, the EU DPD provides an exception that may negate the special rules on “sensitive data” in many online contexts, namely that “special treatment” is not required where “the data are manifestly made public by the data subject”.
In a web 2.0 context, things become even more puzzling, as people seem to enjoy posting information online (on social networks but also on blogs, in chat rooms, when posting comments, etc) that they would probably not share with either their mum or their spouse even after too much to drink.
Framing it slightly differently (and more academically), Edwards and Brown point out in their 2010 article on “Data Control and Social Networking” that:
“The future of both law and technology will require reconciling users’ desire to self- disclose information with their simultaneous desire that this information be protected.”
Or at least protected from some people, or instances.
Not being a data protection lawyer, I find that the way I think about sharing personal data online is in four layers: there’s me (or should I say ME), then there’s YOU (and by YOU I mean people I have some form of direct connection with, be it family, friends, colleagues, or even social networks and Internet content providers I subscribe to), then there’s THEM (third party providers, friends of friends, colleagues of colleagues I don’t know directly, law enforcement, justice, etc.) and then there’s IT (not as an acronym for Information Technology, but more for the creepy IT out there I cannot truly define or scope but I am convinced I do not want IT to have access to my personal data). If you click on the image below you will (A) see a larger version and hopefully get a visual of what I mean (B) be able to agree with my teachers at school that drawing would not enable me to make a decent living.
To quote Edwards & Brown again:
“The SNS phenomenon in itself (…) shows a clear shift of values from prizing privacy to prizing disclosure and visibility in the social online space. (Nor is this merely an online phenomenon – observe the rise of the “famous for five minutes” generation, who will reveal anything from their sexuality to their unhappy childhood on shows like Jerry Springer and Big Brother to achieve a soupcon of celebrity.)”
Moreover, I am no longer a spectator on the Internet, but also an actor, through my blogs, my status updates on social networks, my comments, etc. In some cases, what I do would fall under the so-called “household exemption” (whereby I can process personal data for a purely personal or household activity without having to comply with the obligations of a data controller), whereas in others, due to the open nature of the network or the fact that what I do can be considered as falling under my professional activities, I will become a data controller. And that smeans I should be notifying things to my Belgian DPA, I guess, if you consider the Art. 29 WP’s views in this matter. And I’m not even going to try to think about jurisdiction and applicable law issues…