What is the Data Protection Regulation and how will it affect social media?

Dr Rebecca Wong

Imagine a hypothetical scenario in which Fred owns a Facebook page detailing his interests (what he likes and dislikes), hobbies, and friends and family network; has a Twitter account with a list of interested followers; checks his bank account regularly online; buys books through Amazon; is a regular shopper on eBay; uses his university email account; and uses his smartphone to connect with others through Google applications. The list goes on.

Day 1: his bank notifies him of a data security breach. Day 2: his Facebook profile has been hijacked by cyber thieves. Day 3: some online advertising companies start pestering him with unwanted emails. What does this picture convey?

Online users’ profiles on Facebook, Twitter, LinkedIn and other social media, data security breach notifications, and smartphone applications (through Google) containing personal information including your whereabouts (known as “location data”) are some of the aspects that are likely to be affected by the forthcoming changes under the Data Protection Regulation. The proposed Data Protection Regulation was introduced on 25 January and is currently being discussed at EU level. Not only are the proposed changes likely to be significant, but every user and organisation will be affected by them. The proposal follows debates amongst policymakers, academics and practitioners on whether and how to amend the Data Protection Directive. The Data Protection Directive is the general legal framework regulating personal information online and offline within the European Union.

By way of background, the Data Protection Directive 95/46/EC was first introduced in 1995 and modelled on the Council of Europe Convention for the Protection of Individuals in 1980. It harmonised the data protection laws within Europe so that a minimum standard of data protection could be achieved across Europe. However, it was concerned not only with the protection of personal information, or more specifically the fundamental rights and freedoms of individuals, but also with the free flow of personal data, as indicated within the objectives of the Data Protection Directive.

It has been over 15 years since this was passed. Yet, technological developments have raised inevitable challenges over how personal information is protected online. More specifically, the World Wide Web was only introduced after the Data Protection Directive 95/46/EC was passed. Social networking sites such as Facebook and MySpace began to emerge by mid-2005. Individual profiles on Facebook have reached over 800 million users. The site contains users’ profiles along with their photographs, likes, and family and friends networks. Even businesses have their own Facebook profiles.

So, what does the forthcoming Data Protection Regulation propose to do? First, there is a general concern over privacy issues online, particularly through the use of social networking sites and the ease with which third parties can link directly to users’ profiles through advertisements on Facebook or publicly available data. What is unclear is the extent to which advertisers have specific access to profiles. Yet the policies of sites such as Facebook are quite clear that users do not necessarily own their data and that they can consent to advertisements.

So the question is, what is the big deal? Whilst users may vary in how concerned they are about privacy issues, what is clear is that their profiles can be easily accessed at the click of a button (a poke) by a third party seeking to befriend them. Users unwittingly disclose information about themselves, including their likes, dislikes, birthday, family and work. For the unwitting user, employers (actual or potential), college and university tutors, police authorities, strangers and even journalists may access this data for various reasons.

The proposed Data Protection Regulation aims to address the concerns of online users who frequently give away their personal information. The accuracy or inaccuracy of information about users becomes significant when viewed by third parties such as employers, tutors, banks, insurance companies and so on. At the other extreme, it could also be used by cyber thieves or stalkers, which means that the challenges are ever more real.

Consider recent documentaries such as Erasing David and Catfish, and users are likely to take a more cautious approach to how they use their data. The proposed Data Protection Regulation aims to introduce the principle of the “right to be forgotten”. This would mean that individuals would be entitled to have their profile deleted from a website without any difficulty.

How practical this is is not yet clear, but social networking sites and other organisations that collect data will have to pay attention to forthcoming changes. Furthermore, data security lapses by organisations (if implemented under the proposed EU Data Protection Regulation) will have to be notified to the UK ICO within 24 hours. Breach of data security is likely to result in a fine of up to 2% of the annual worldwide turnover. Organisations employing over 250 employees will be required to employ a data protection officer. Individuals will be given more rights to access their data and even to bring a complaint collectively with other individuals affected by data security lapses (known as “class actions”). These are some of the radical changes being considered by the European Commission.

The recent changes to the Directive on Privacy and Electronic Communications 2002/58/EC are another example; they have introduced more protection on the use of cookies on websites. Websites are now required to obtain the consent of users before cookies can be installed on the user’s hard drive. The changes to the UK law took effect in May 2011, but only a handful of websites have adapted to these changes. Internet browsers have yet to adapt to this and make it user friendly, so that users can easily surf the internet with consent built into their browsers.

Whilst the debate is still ongoing about the proposed changes to the Data Protection Regulation, what is certain is that the protection of privacy online is likely to be stronger. Organisations will now have to wake up and consider the ramifications of the European data protection framework. Reflecting back on Scott McNealy’s phrase that “privacy is dead, get over it”, these changes are likely to prove the converse.

  • Zzeitgeist

    If one has any secrets or security concerns one should know how to protect it also. It’s just like a person having valuables, keeps it out for all to view, shouldn’t expect the Gov agencies to protect her valuables. Unless one behaves responsibly that person cannot expect others to take care of her belongings. This approach to introducing data protection acts is motivated by vested interests who are trying to sneak in wolves in the guise of sheep’s skin. Instead of calling upon the people who use the Internet to be careful about what they put up there and educating the people on how to do it, it’s rather disconcerting that the Gov is bringing in regulations!! Regulations are infringement on personal liberties and individual freedom. It’s the privacy of the so called 1% that’s at stake. It’s their excesses and routine injustices that they perpetrate on the 99% that they are trying to hide and their right to do what they want without anyone exposing them to the public through the net. Those who value their individual freedom should fight any attempt at regulating Internet freedom

  • Zzeitgeist

    One way of keeping the people under control by the Gov is to keep them under a state of fear (look up Michael Crichton’s 2004 book of that name). Brandishing the specter of the threat of compromising personal privacy, the so called 1% is trying to muffle freedom of the Internet, effectively muffling the freedom of the 99% who enjoy no or very little personal privacy at any rate, nor is there much need for it, if personal information is given in a responsible way on the net, whereas it’s the 1% who have everything to lose, with unlimited Internet freedom. Hence the introduction of these types of Data Protection Acts, and SOPA and PIPA in the United States countries who are more a corporatocracy than a democracy, i.e., where rules and regulations are written by the Mega corporations, for the corporations, for making greedy profits for their shareholders under a facade of Democracy. Also read Richard Stallman from what he calls “copy left” instead of “copy right” in his site: and arrive at your own conclusions!

  • noughter

    That’s nothing, in France you get a speeding fine for driving your 30 year old tractor in the middle of Paris at 150 mph.
