Facebook is forced to stop collecting the personal data of those in Belgium not using the site.
The most recent of a number of European data protection cases has forced Facebook to stop collecting personal data from anyone in Belgium who does not use the social media site. Facebook, which has previously been collecting personal data to further its business, will seek to have the decision overturned. In the meantime it has advised that, following the decision on 9th November 2015, it will stop collecting information regarding people in Belgium who do not use the site.
The company has confirmed that it collects personal data regarding both those who are members of Facebook and those who are not. Such information is collected by using cookies. Cookies are small text files stored on the user’s device, regardless of whether the user is a member of Facebook or not. They are placed on the device when the user visits Facebook itself, or other websites with links to Facebook, such as those using the Facebook like button.
Should Facebook fail to comply with the ruling, it has been reported that, under Belgian law, the company may receive daily fines in the region of £177,000.
Belgium’s is not the only European privacy regulator to be looking into the company’s privacy conditions and their implications regarding data protection. Regulators in France, Germany, Spain and the Netherlands are also reviewing the same. Furthermore, many data watchdogs throughout Europe have questioned big companies’ use of technology to collect personal data; the matter has even been considered by the European Court of Justice.
It is clear that data protection, especially in light of the recent Facebook case, is of the utmost importance. As such, it is worth considering the UK data protection regime.
UK data protection law
In the UK it is the Data Protection Act 1998 which primarily governs how personal data is collected and stored. The statute also implemented the EU Directive 95/46/EEC, which imposes extensive obligations on data controllers so as to protect individuals. The Act applies to the “processing” of “personal data” and defines both terms widely. As such, any information relating to individuals held by a business operating in the UK is affected.
Section 1(1) of the Data Protection Act 1998 imposes obligations on those who process personal data, with processing defined as obtaining, recording, holding, using, disclosing or erasing that data. Under Section 18 of the Data Protection Act 1998, data controllers who intend to process personal data must first notify the Information Commissioner.
Schedule 1 of the Data Protection Act 1998 sets out the following data protection principles to ensure data controllers process data correctly:
- “Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless:
  a) at least one of the conditions in Schedule 2 is met; and
  b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
- Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with the purpose or those purposes.
- Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes in which they are processed.
- Personal data shall be accurate and, where necessary, kept up to date.
- Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
- Personal data shall be processed in accordance with the rights of data subjects under this Act.
- Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
- Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.”
Data controllers may incur criminal as well as civil liability following a breach of data protection laws. The parties involved are encouraged to attempt to resolve the matter themselves. Where no resolution has been achieved with the data controller, the Information Commissioner may enforce the following sanctions:
- Serving data controllers with any of the following notices:
  a) information notices (unless the information regarding the way they process data is legally privileged);
  b) special information notices; or
  c) enforcement notices, so as to ensure the data protection principles are complied with by the data controller.
- Imposing a fine (up to a maximum of £500,000) for “serious contraventions” as referred to in section 55A of the Data Protection Act 1998. This must be after a notice of intent has been served upon the data controller. The data controller must then be given a reasonable amount of time to respond to the Information Commissioner.
- Where the Commissioner has a warrant from the court, they may also, in certain circumstances, inspect and seize any relevant documents and/or property under a power of entry.
Many companies must also consider the effect that non-compliance has on publicity.
How UK data protection laws apply to the use of the internet
In 2012, the UK was referred to the European Court of Justice following criticisms of its failure to implement EU rules. The referral was made because the EU rules on the confidentiality of electronic communications were found not to have been implemented as required. The UK reviewed and amended its legislation so that interception of users’ electronic information required consent before access. As such, the matter was closed.
It is therefore important that data protection, especially with the progression and development of online communications and information storage, is appreciated in all aspects of collecting and managing personal data.