We're watching you...

Personal information is often one of the most important assets of a business.  It can help analyse and enhance its offering by understanding how users interact with products, services and websites. A business may also generate revenue by selling its information to advertisers. You only need to look at the price Facebook paid for Whatsapp ($19 billion) to understand that personal information means big money for businesses.  

However, such activities are not outside the law.  The Data Protection Act 1998 ("DPA") sets out eight underlying principles which a business must comply with in collecting and using personal information.  The first principle is that personal information is processed fairly and lawfully.  But what does fair and lawful processing mean? 

The Legal Requirements

There are two requirements for processing to be fair.  The first is that a data subject (i.e. the person to whom the personal information relates) must be provided with sufficient information on who is collecting the information and on how it is collected and used.  In practice, most businesses that collect personal information online provide details about themselves and how they collect and use personal information through a "privacy policy", and a business is likely to display links to this privacy policy on its website.  

Secondly, processing must meet one of the conditions listed in the DPA to be fair and lawful.  One condition that is routinely relied on is obtaining a data subject's consent to the processing.  We see examples of businesses aiming to meet this condition when they gain consent to collect and use personal information for a specific activity through a "tick box" or an acceptance button on their website.

"Consent" has not been defined under the DPA, although the European Data Protection Directive, on which the DPA is based, states that consent to the processing of personal information must be "freely given specific and informed". 

Data Protection vs Privacy Erosion

Despite the laws that are in place, businesses are arguably stretching the concept of consent.  For example, Facebook recently changed its privacy policy at the end of January to allow it to provide tailored advertisements to users by collecting information on a user when they are using other websites.  By its own account, if you used the internet to search for a TV, Facebook may now show you an advert for a TV when you log in.   One of the ways Facebook has notified its users of this change is through this notice: 

This means that, despite the much reported criticism of Facebook's privacy policy, you are deemed to have consented to this controversial change simply by checking your newsfeed or posting a status after 30 January.  And this begs the question - how "freely given" is such consent? 

Facebook is not alone.  In January, Google was required to sign a formal undertaking to the Information Commissioner's Office (the regulatory body for data protection compliance in the UK) to improve its privacy policy since it was held to be too vague with no indication as to how and why it processed users' personal data.  And this was not an isolated example of Google being taken to task – it has been the subject of more formal action which resulted in it being fined in France, Spain and the USA.

Most recently, Google has come under fire about cookies and its disregard for new regulations on the use of cookies.  A cookie is a small text file stored on a user's hard drive which can track user activities like user location, browsing habits and shopping basket content.  Since 2011, businesses have been required to obtain the data subject's consent to the use of cookies, as well as providing information on which types of cookies are used and why – we see this in practice with the "cookie banners" which appear on websites.  However, just recently, Google was held liable for bypassing security settings on the "Safari" browser to install cookies on, and acquire information from, users' devices without their knowledge or consent.

In relation to the specific regulations on the use of cookies and the requirement of consent, there has been some confusion about what constitutes valid consent.  The Article 29 Working Party recently published a report which suggested there may be a slight relaxation in the interpretation of consent in this context, so that continued use of a website after a pop-up banner informing the user of the cookies may be deemed sufficient.  However, the report did highlight the issue of consent around the use of so-called "persistent cookies".  It revealed that the average cookie remains in place on a user's web browser, monitoring activities, for 12 - 24 months.  Not all websites provide information on the life of a cookie (although they should). Most individuals would never expect a cookie to stay on their computer for that length of time.  This therefore raises the question - how "informed" was the original consent, and is such consent temporary?
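As an added example (not part of the original article), the following script shows how a site operator could audit its own Set-Cookie headers to find which cookies are persistent and for how long, which is the information the article says websites should disclose. The sample headers, the reference date and the 12-month threshold are constructed for illustration.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import List, Optional, Tuple

# Assumed threshold: cookies living longer than this get flagged for disclosure.
LONG_LIVED_DAYS = 365

def cookie_lifetime(set_cookie: str, now: datetime) -> Tuple[str, Optional[float]]:
    """Parse one Set-Cookie header; return (name, days) or (name, None) for a session cookie."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    max_age = expires = None
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key, value = key.strip().lower(), value.strip()
        if key == "max-age" and value.lstrip("-").isdigit():
            max_age = int(value)
        elif key == "expires":
            try:
                expires = parsedate_to_datetime(value)
            except (TypeError, ValueError, IndexError):
                pass  # unparsable date: treat the attribute as absent
    if max_age is not None:  # RFC 6265: Max-Age takes precedence over Expires
        return name, max_age / 86400
    if expires is not None:
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return name, (expires - now).total_seconds() / 86400
    return name, None  # no expiry attribute: session cookie

def classify(days: Optional[float]) -> str:
    if days is None:
        return "session"
    if days <= 0:
        return "expired"
    return "long-lived" if days > LONG_LIVED_DAYS else "persistent"

def audit_cookies(headers: List[str], now: datetime) -> List[Tuple[str, Optional[float], str]]:
    """Return (name, lifetime_days, verdict) for every Set-Cookie header."""
    return [(n, d, classify(d)) for n, d in (cookie_lifetime(h, now) for h in headers)]

# Constructed sample headers (not captured from any real site).
NOW = datetime(2014, 3, 1, tzinfo=timezone.utc)
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure",
    "prefs=dark; Max-Age=2592000; Path=/",
    "_tracker=xyz; Expires=Tue, 01 Mar 2016 00:00:00 GMT; Path=/",
]
```

Running `audit_cookies(SAMPLE_HEADERS, NOW)` reports the session cookie, a 30-day persistent cookie and a two-year tracker flagged as long-lived.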

The battle continues between businesses, which require more of our personal information to be innovative, seamless and user-friendly, and the rigorous, inhibitive and potentially outdated data protection laws.  To avoid a constant challenge from regulatory authorities, it is imperative for businesses to be open and clear with their users about who they are and why and how they process personal information.  The message is clear – get this wrong and it can be expensive for a business, both in the financial penalties that may arise and in the reputational damage it can cause.  

Noor Al Naeme is a Solicitor qualified in Scotland in the Technology, Media & Communications and Intellectual Property team.

For further information on this matter or data protection generally, please contact Noor at noor.alnaeme@michelmores.com.