The Data Protection Act: a stone to sling at the Facebook Goliath?
By Rhory Robertson, Partner and head of CIU and Sophie Pugh, Trainee from Collyer Bristow
When you log into Facebook the first thing you see is your ‘newsfeed’: a seemingly random collection of messages, status updates and photographs posted by your Facebook friends. I say “seemingly random” with scepticism because of course Facebook is not so rudimentary.
The recently reported and much criticised Facebook survey, which was carried out by Facebook researchers in 2012, deliberately manipulated almost 700,000 account holder newsfeeds and monitored the results. The survey showed that those subjected to ‘happy’ newsfeeds were more likely to post happy messages themselves, and vice versa.
Critics are fuming at Facebook’s manipulation of its account holders’ emotions and for collecting information about individuals without their informed consent. Whilst we all know that Facebook is a multibillion corporate beast, and not our friend, the 2012 survey reminds us of our vulnerability online.
Manipulating the emotions of its account holders may be unethical but is Facebook contravening any laws? Depending on the data collected in the survey it may have breached data protection laws. The Electronic Privacy Information Center in the US has filed an official complaint about the Facebook 2012 survey to the US Federal Trade Commission but no finding has yet been made. The UK Information Commissioner’s Office has also said that: “We’re aware of this issue and will be speaking to Facebook, as well as liaising with the Irish data protection authority, to learn more about the circumstances.”
You may think reassuringly that if you decide that Facebook has become too powerful and too intrusive then you can simply delete your account. But even after doing this any information you have chosen to share, by posting it onto friend’s accounts or by tagging other people in your photographs, will remain on the site. If you want to delete all trace that you were ever on Facebook you must go back to each and every individual post, status update, and photograph and delete each one. If other people have uploaded photographs of you these will remain on the site unless you ask your friends to remove them or you report them to Facebook and Facebook then agrees to remove them. If you have been an active account holder of Facebook for many years this may be near impossible.
European Data Protection laws may be able to help you. If your Facebook account has been set up outside the US or Canada your contract will be with Facebook Ireland Limited. The Irish Data Protection Act 1988, as amended, is the Irish implementation of the Data Protection Directive 95/46/EC. Section 4 gives the same access rights as the UK section 7 of the UK Data Protection Act 1998.
It allows anyone to write to Facebook Ireland Limited and request a copy of all his or her personal information held by Facebook. Whilst you cannot ask Facebook to delete your personal information if it has been processed fairly and is being retained for no longer than is reasonably necessary, you can require Facebook to rectify anything that is incorrect. Facebook Ireland Limited cannot deny accountability by arguing that your information is stored and processed in the US because under the Data Protection Directive, Facebook Ireland Limited is the “data controller” regardless of whether it is the “processor”.
If Facebook has misused your personal information a civil action can be taken against it in the Irish Courts for breach of its duty of care under section 7 of the Irish Data Protection Act 1988. Depending on the facts of your case you may also be able to bring proceedings against Facebook Ireland Limited or Facebook Inc. in the English Courts. Following the recent decision in Vidall-Hall v Google Inc. [2014] EWHC 13 (QB), it seems that the English Courts are looking more favourably on applications of English Claimants to invoke (or invite) the jurisdiction of the English Courts to hear cases in this “developing area” of law.
Whilst the Data Protection Act may be a useful weapon, Facebook account holders should regularly update their privacy settings and think very carefully about how far their personal information is likely to be disseminated on Facebook before, rather than after, they lose control of it.
IMAGE: www.facebook.com
