What is the Data Protection Regulation and how will it affect social media?
Imagine this hypothetical scenario whereby Fred owns a Facebook page which details his interests (what he likes and dislikes), hobbies, friends and family network; has a Twitter account with a list of interested followers; checks his bank account regularly online; buys books through Amazon; is a regular shopper on eBay; uses his university email account; uses his smartphone which enables him to connect with others using Google applications. The list goes on.
Day 1: his bank notifies him of a data security breach. Day 2: his Facebook profile has been hijacked by cyber thieves. Day 3: some online advertising companies start pestering him with unwanted emails. What does this picture convey?
Online users’ profiles on Facebook, Twitter, LinkedIn and other social media, data security breach notifications, and smartphone applications (through Google) containing personal information including your whereabouts (known as “location data”) are some of the aspects that are likely to be affected by the forthcoming changes under the Data Protection Regulation. The proposed Data Protection Regulation was introduced on 25 January and is currently being discussed at EU level. Not only are the proposed changes likely to be significant, but every user and organisation will be affected by them. The proposal follows debates amongst policymakers, academics and practitioners on whether and how to amend the Data Protection Directive. The Data Protection Directive is the general legal framework regulating personal information online and offline within the European Union.
By way of background, the Data Protection Directive 95/46/EC was first introduced in 1995 and modelled on the Council of Europe Convention for the Protection of Individuals in 1980. It harmonised the data protection laws within Europe so that a minimum standard of data protection could be achieved across Europe. However, it was concerned not only with the protection of personal information, or more specifically the fundamental rights and freedoms of individuals, but also with the free flow of personal data, as indicated within the objectives of the Data Protection Directive.
It has been over 15 years since this was passed. Yet technological developments have raised inevitable challenges over how personal information is protected online. More specifically, the World Wide Web was only introduced after the Data Protection Directive 95/46/EC was passed. Social networking sites such as Facebook and MySpace began to emerge by mid-2005. Individual profiles on Facebook have reached over 800 million users. The site contains users’ profiles along with their photographs, likes, and family and friends networks. Even businesses have their own Facebook profiles.
So, what does the forthcoming Data Protection Regulation propose to do? First, there is a general concern over privacy issues online, particularly through the use of social networking sites and the ease with which third parties can link directly to users’ profiles through advertisements on Facebook or publicly available data. What is unclear is the extent to which advertisers have specific access to profiles. Yet the policies of sites such as Facebook are quite clear that users do not necessarily own their data and that they can consent to advertisements.
So the question is, what is the big deal? Whilst users may vary in how concerned they are with privacy issues, what is clear is that their profiles can be easily accessed at the click of a button (poke) by a third party seeking to befriend them. Users unwittingly disclose information about themselves including their likes, dislikes, birthday, family and work. For the unwitting user, employers (actual or potential), college and university tutors, police authorities, strangers and even journalists may access this data for various reasons.
The proposed Data Protection Regulation aims to address the concerns of online users who frequently give away their personal information. The accuracy or inaccuracy of information about users becomes significant when viewed by third parties such as employers, tutors, banks, insurance companies and so on. At the other extreme, it could also be used by cyber thieves or stalkers, which means that the challenges are ever more real.
Consider recent documentaries such as Erasing David and Catfish: users are likely to consider taking a cautious approach over how they use their data. The proposed Data Protection Regulation aims to introduce the principle of the “right to be forgotten”. This would mean that individuals would be entitled to have their profile deleted on a website without any difficulty.
How practical this is is not yet clear, but social networking sites and other organisations that collect data will have to pay attention to forthcoming changes. Furthermore, data security lapses by organisations (if implemented under the proposed EU Data Protection Regulation) will have to be notified to the UK ICO within 24 hours. Breach of data security is likely to result in a fine of up to 2% of the annual worldwide turnover. Organisations employing over 250 employees will be required to employ a data protection officer. Individuals will be given more rights to access their data and even bring a complaint collectively with other individuals affected by data security lapses (known as “class actions”). These are some of the radical changes being considered by the European Commission.
Whilst the debate is still ongoing about the proposed changes to the Data Protection Regulation, what is certain is that the protection of privacy online is likely to be stronger. Organisations will now have to wake up and consider the ramifications of the European data protection framework. Reflecting back on Scott McNealy’s phrase that “privacy is dead, get over it”, these changes are likely to be the converse.