The Internet has revolutionised the way we live our lives. We can book anything from a holiday to a haircut, transfer money, buy and sell almost anything, trade in stocks and shares and even go in search of our ‘soul-mate’.
But every time we disclose personal information on the Internet, are we exposing ourselves to the risk of its misuse? How much control do we have over our personal information once we click ‘submit’?
Different rules apply to different types of ‘data’.
Personal details, such as my name, address, email address, credit card details, and anything else which identifies me, which is held on a computer system or has been deleted but is capable of being retrieved, is protected by the Data Protection Act 1998 (“DPA”). The DPA imposes certain obligations on those who are involved in the “processing” of “personal data”.
Any website processing (this includes “obtaining, recording or holding”) my personal data must, before it processes it, give me the name of the organisation processing it, the purpose for which the data in intended to be processed and any additional information which is “fair” in the circumstances. I must explicitly and actively consent to my data being processed. This is usually done by ticking a box before submitting any information. The website will then be able to use my data for the purposes for which I have consented. It may also disclose my personal data when required to do so by law, in connection with legal proceedings or in the course of obtaining legal advice.
The DPA requires organisations not to retain personal data for longer than is necessary for its own business purposes and to process it in a sufficiently secure manner. The required level of security will depend on the type of data. Names and addresses will require less encryption than credit card numbers or medical histories.
This all seems sensible but how many of us actually read the privacy policies of the websites we visit? How many of us know about and understand the cookies which imbed data from websites onto our hard disks so that a website or advertiser recognises us?
Other types of data, such as digital photographs uploaded onto social media may be protected by copyright usually controlled by the photographer. But again, this will always be subject to the terms and conditions of the particular website.
Facebook’s terms and conditions set out that for
“photos and videos (IP content)…you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook (IP License). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.”
If I upload my holiday snaps onto Facebook, they can be used by Facebook itself or licensed by Facebook for use by a separate organisation. Even if I delete my account the pictures will remain on Facebook if I have shared them with friends and those friends have not removed the pictures.
Twitter, like Facebook, states that “By submitting, posting or displaying Content on or through the Services, you grant us a worldwide, non-exclusive, royalty-free license (with the right to sublicense) to use, copy, reproduce, process, adapt, modify, publish, transmit, display and distribute such Content in any and all media or distribution methods (now known or later developed).”
In reality this gives Twitter and Facebook freedom to use my photographs however they wish. Whilst my holiday snaps may not be of any value commercially we should all be aware of the control we are giving up when we upload our photographs onto these sites.
Where data is misused there may be legal recourse. Any individual can ask the Information Commissioner to make an assessment as to whether it is likely that any processing has been or is being done in breach of the DPA. The Commissioner can serve an enforcement notice requiring a website to take certain steps, refrain from taking certain steps or refrain from processing personal data completely. The individual can apply to the court for compensation if he or she has suffered pecuniary loss or suffered distress.
Even though we give Facebook or Twitter a copyright licence to use our photographs this does not extend to a waiver of our ‘moral rights’. Moral rights give the creator of a copyright work the right to object to its derogatory treatment which distorts, mutilates or otherwise prejudices the reputation of the creator. This may provide an avenue for relief if the copyright holder is being exploited through misuse of their work.
Whilst there are measures which can be taken in response to the abuse of personal data, all Internet users need to be more aware of the terms and conditions of the websites to which they subscribe. Legal proceedings are expensive, the outcome uncertain and the harm may already have been caused by the time a legal remedy is sought.
Sophie Pugh is a Trainee Solicitor working in the Collyer Bristow Cyber Investigations Unit