- Introduction
‘Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that “what is whispered in the closet shall be proclaimed from the house-tops.”’[1]
So said Warren and Brandeis in their famous article of 1890. They concluded that such technological advances merited an expanded right to privacy; instead, disclosure of private information undoubtedly outstripped legal protection of it over the course of the 20th century. Now, as the development of Social Networking Services (SNS) and the increased reach of the Internet grant ordinary individuals an ability to broadcast information more quickly and cheaply than could the print media of a century ago, the question of privacy has become of paramount importance.
- ‘Privacy’
- Definitions
There is no single definition of what constitutes ‘privacy’ for the purposes of the law. Cooley J’s definition, cited by Warren and Brandeis, is ‘the right to be let alone’.[2] Winfield defines the violation of privacy as ‘unauthorised interference with a person’s seclusion of himself or of his property from the public.’[3] Jaffey recognises the concept of ‘informational privacy’: ‘the law restricting disclosure of information on the ground that it is private.’[4] Lloyd recognises it in similar terms.[5] For Westin it is the right to self-determination of the disclosure of information[6] – another form of ‘informational privacy’.
Privacy is therefore a multiplicity of interests. It protects a fundamental aspect of human dignity, the ‘personal sphere’ which each person has, and access to which he may control. On the other hand, many of the actions that protect privacy in English law, such as nuisance and trespass, rest on the claimant possessing a real right.[7]
As SNS are – chiefly – information broadcasters, it is with the concept of informational privacy that we will chiefly be concerned.
- Protection under English law
English law traditionally contains no explicit right to privacy.[8] Instead protection has been given in particular circumstances through the common law and legislation, both national and European, where the dangers of infringement of privacy are considered to necessitate protection.
It is the equitable action for breach of confidence that has come closest to creating a true action for infringement of privacy, primarily due to the influence of the European Convention on Human Rights and the Human Rights Act 1998. This is because, provided a claimant can found an action for breach of confidence, the court’s duty as a public body to uphold the Convention is engaged.[9] The result of this is that the traditional action for breach of confidence, which previously required a prior relationship of confidence, has been enlarged. Two separate causes of action can be identified. On the one hand there is breach of confidence in its traditional form; on the other what Jaffey considers to be a tort of invasion of privacy in all but name[10] that arises not out of prior relationship but out of situation: ‘A duty of confidence will arise whenever the party subject to the duty is in a situation where he either knows or ought to know that the other person can reasonably expect his privacy to be protected.’[11]
The increased protection afforded to the individual’s privacy, through the Human Rights Act 1998, the data protection legislation, and the courts’ expansion of breach of confidence are all founded on the increasing collection, retention, dissemination and use of information, often in electronic form, and the risk of prejudice to the individual that this presents. It is in this context that the privacy of the individual with regard to SNS must be considered.
- Privacy and SNS
There are two key strands to the debate that can be identified. First, the risks posed in the data protection context in terms of the management and use of data submitted by the user to the SNS; secondly the issues arising out of widening public access to the opportunity to publicise information and comment on oneself and others.
- Data Protection
This is currently governed by the Data Protection Act 1998 (‘the Act’), implementing EC Directive 95/46/EC. SNS are a development that could not have been fully envisaged when the legislation was drafted. Consequently the Act, and the Directive, are designed to deal with a more unilateral data controller.
It may be thought that, since a user consents to his data being processed (he decides what to include and how), he has waived his right to privacy. This is mistaken. First, many SNS users submit information that is ‘sensitive’ – any information regarding race, sexuality and political affiliation, commonplace on many SNS, will fulfil this requirement – and as such is subject to the more stringent requirements of the Act.[12] There have been numerous examples of individuals being compromised by unwise disclosure of information on an SNS.[13] In this context the nature and extent of the consent granted by the user, and the extent of the average user’s awareness of privacy risks, must be examined.
To what, precisely, does the user consent? Clearly he consents to the display of this information according to the settings he actively chooses. But what about ‘default’ settings? These are often poorly understood by the user. In this respect, where individuals are compromised by the display of information to which they have consented, the liability of SNS needs thorough examination, and legislative action, to ensure that the user is fully aware of the risks he is running. While this may negatively impact on SNS, ultimately the public’s trust in them is likely to be seriously adversely affected if data protection issues are not addressed. SNS have a vital role to play in informing the public of the risks data disclosure poses. As the entity with most to gain from such disclosure, it is reasonable that they share the burden in mitigating its worst effects.
Further, many SNS – somewhat controversially – use profile information to target advertising to the user (‘behavioural advertising’). Personal data is the ‘product’ which, it is hoped, will ‘monetize’ the SNS model;[14] indeed the very ownership of the data produced on SNS has been a subject of controversy.[15] Does the consent given encompass these uses? Should there be a separate consent to these activities, outside the general consent to the SNS’ terms and conditions? The point has not arisen directly in relation to the Act, but consent in English law requires a ‘positive demonstrative act’.[16] Further, the history of English data protection decisions suggests that ‘non-obvious’ uses of data require separate consent.[17] In a context where users willingly submit extensive, sensitive data, and where consent is buried within the general terms and conditions, it is submitted that even explicit consent does not imply full consideration of the risks by the user. The extent of behavioural advertising, the sensitive information on which it is based, and its importance to SNS (making self-regulation less likely) necessitate legislative attention.
A further problem arises in that the concept of ‘Data controller’, crucial in European data protection law, is muddied in the SNS context because, for user-generated content, it is arguably the user, not the SNS, that is the ‘controller’.[18] This underscores how technology has outstripped legislation, and legislative amendment must be considered to deal with this development.
b. Widening Access
The arrival of the Internet gave rise to the possibility of wide-scale dissemination of information by private individuals. The development of SNS widens this possibility by providing a mechanism for this information more readily to be found and viewed by others. This in turn means that the risk to an individual of suffering an invasion of privacy, through defamation or disclosure of private information, is substantially increased. In this respect it is hard to argue that the expansion of SNS is anything other than detrimental to privacy.
i. Defamation
SNS increase the opportunity for private individuals to defame others. Accordingly, SNS terms and conditions frequently include provisions obliging the user not to post defamatory material on the SNS While defamation actions are prohibitively expensive for most people, there have been some actions brought.[19]
The SNS itself is in a potentially vulnerable position, as effective monitoring of information can only be carried out after the event. Although this can be carried out rapidly, the libel will already be extant. For this reason, and also the fact that the SNS may be unable to recover damages from the user who is quite likely to be a ‘straw man’, SNS seek to avail themselves of the e-commerce ‘safe harbour’[20] and also of the more restricted defence available in s 1 of the Defamation Act 1996 (though this has to date been considered only in relation to ISPs, who have a less obviously editorial function).[21]
The current position is that the SNS is not liable provided that it is merely hosting the content, that it has no actual knowledge of the libel, and that it takes prompt action once it does have knowledge.[22] This was designed to vitiate the harsh effect of libel on ISPs, who would otherwise have had an unworkably wide liability and an unworkable task in policing their content. It recognised the difference between the Internet and traditional print. The SNS, though, is not precisely analogous to the ISP. It solicits and controls its content to a much greater extent. Is it right, then, that the SNS have the same degree of protection?
Balanced against the argument for a harsher approach to SNS’ liability for defamation must be an acknowledgment of the difficulty of adequately policing their content before the event and the chilling effect on free speech that harsher liability would have. Indeed it is possible that liability would attach to the SNS but not the original author (who may in any event be untraceable).[23] SNS as a business model are predicated on providing a free service. They are also, in the main, as yet unprofitable. If they are to survive – and the extent of their user base indicates that the majority view this as desirable – they cannot be faced with insurmountable legal hurdles. Punishing SNS with harsher libel treatment would be valuing privacy at the expense of free speech.
ii. Other privacy risks
Nor is it only defamation that poses a privacy risk in the SNS context. The unprecedented ease with which private individuals can now broadcast information, via SNS and other Internet media, highlights the limitations of defamation as it cannot protect individuals where the information concerned is either true, or adjudged to be fair comment. SNS allow users to make non-defamatory statements that are invasive of others’ privacy, with previously inconceivable ease and effect.
This issue cannot be resolved without noting both the historical unwillingness to protect privacy as a self-standing right in English law,[24] and the recent move towards protection, albeit under the umbrella of breach of confidence (see above).
If the publication of truthful private information[25] and photographs[26] is to be protected in traditional media, why should it not be in the SNS context? Of course it is correct that if an action would lie in print, it will lie on the Internet. Nevertheless most people will have neither the resources, nor the desire, to pursue litigation. To some extent the data protection legislation may assist, both against the SNS and the offending individual.[27] However this seems to be a somewhat casuistic approach to privacy protection.
The law has serious practical limits in this field. Given that privacy is now a cause of action in itself in all but name, it can be argued that legal protection is already afforded to claimants if private information is made public without their consent. But as long as access to this kind of justice is through the courts, it will remain prohibitive for most people: the law currently protects the privacy of wealthy individuals, but is inaccessible to the majority at precisely the time when the risk has never been greater.
- Where next?
SNS have opened up unprecedented access to the dissemination of information by the public. This has been immensely beneficial to freedom of expression, but only at the cost of privacy. It is no accident that Lady Justice carries a set of scales in one hand: balance between competing objectives is at the heart of the law, particularly so when the debate turns on the relationship between the rights contained in Articles 8 and 10 of the European Convention on Human Rights.
As privacy issues come to the fore, it is crucial that an appropriate balance be struck if SNS are to continue to thrive. It is in the interests of users and operators of SNS that privacy concerns are adequately addressed, because if they are not, the legitimacy of the medium will be called into question. An exponential increase in data collection and dissemination requires an intense questioning of whether privacy rights are adequately protected.
The data protection issues surrounding SNS are in need of urgent legislative examination. It is unrealistic to expect SNS adequately to resolve this issue when it goes to the heart of their financial viability, and experience demonstrates that individuals’ awareness of and ability to protect their data privacy is woefully inadequate. Data protection legislation should be amended to take account of the quantity of sensitive data that users willingly submit to SNS; the questions of consent that arise from use of data for advertising purposes; and the risks present when users submit data of third parties (e.g. in photographs) whose consent has not and cannot be obtained.
Defamation, and invasion of privacy, are harder nuts to crack with the legislative hammer, because barriers to justice are practical rather than legal. This is where self-regulation becomes crucial. In this context the law strikes a reasonable balance. That SNS have no liability until they are informed of the defamation is fair: pre-vetting of information is a practical impossibility that would destroy the SNS medium. The desire to avoid litigation, and accompanying negative publicity, should encourage SNS to respond appropriately when they receive complaints. The situation of non-dafamatory invasive information, however, must be carefully considered. As English law moves ever closer to a self-standing tort of privacy, this must be afforded the same level of protection as the tort of defamation. The sooner the courts openly recognise the right of privacy the better, both for claimants and defendants, but even this will provide theoretical, rather than practical, succour for claimants. SNS are keen to avoid liability in this area, but it would be sensible for the legislative authorities to keep an eye on developments to ensure that the problem does not get out of hand.
The SNS genie is now out of the bottle. It would be neither possible nor desirable to attempt to put it back in, and so SNS – whose currency is the free traffic of information – must be encouraged to behave responsibly. If this is achieved, there is no reason why SNS cannot co-exist with the increasingly important legal right to privacy.
Philip Hutchinson is a student at the College of Law, Moorgate and the winner of the SCL Essay Prize 2009.
Bibliography
Deakin, S., Johnston, A. and Markenisis, B., Markenisis and Deakin’s Tort Law (6th ed.), Oxford: OUP, 2008.
Gray, T., Zeggane T. and Maxwell, W. “US and EU authorities review privacy threats on social networking sites” [2008] Entertainment Law Review 69.
Jaffey, P., “Privacy, Confidentiality and Property”, in Torremans, P.L.C. (ed), Intellectual Property and Human Rights: Enhanced Edition of Copyright and Human Rights, the Netherlands: Kluwer Law International, 2008.
Miles, J. “Users at Risk” Legal Week 2006 8(38) 32.
Rowland, D. and Macdonald, E.: Information Technology Law, Cavendish: Oxford, 2006.
Stromdale, C. “Regulating online content: a global view” Computer and Telecommunications Law Review 2007, 13(6), 173.
Warren, S. and Brandeis, D. “The Right to Privacy.” 4 Harvard Law Review 193 (1890).
Winfield, P. “Privacy” (1931) 47 Law Quarterly Review 23.
[1] Warren, S. and Brandeis, D. “The Right to Privacy.” 4 Harvard Law Review 193 (1890) at 194.
[2] Id at 194.
[3] Winfield, P. “Privacy” (1931) 47 Law Quarterly Review 23 at 24.
[4] Jaffey, P., “Privacy, Confidentiality and Property”, in Torremans, P.L.C. (ed), Intellectual Property and Human Rights, the Netherlands: Kluwer Law International, 2008 at 452
[5] Lloyd, I.J. Information Technology Law, Oxford: OUP, 2008 at 7.
[6] Deakin, S., Johnston, A. and Markenisis, B., Markenisis and Deakin’s Tort Law, Oxford: OUP, 2008, at 820.
[7] Hunter v Canary Wharf [1997] 2 WLR 684.
[8] Kaye v Robertson [1991] FSR 62.
[9] Human Rights Act 1998, s 6.
[10] Jaffey, supra, at 449-450.
[11] Lord Woolf C.J., A v B Plc [2003] QB 195 at 207.
[12] Data Protection Act 1998, s 2 and Schedules I and III.
[13] Office Worker sacked for branding work boring on Facebook, The Daily Telegraph, 26 February 2009, available at:
http://www.telegraph.co.uk/scienceandtechnology/technology/facebook/4838076/Office-worker-sacked-for-branding-work-boring-on-Facebook.html.
[14] Facebook aims to market its user data bank to businesses, The Guardian, 1 February 2009; $10bn for Facebook? Maybe, but the real value lies in the ads, The Guardian, 19 October 2007.
[15] Facebook saves face but have users alreadly sold soul?, Irish Times, 27 February 2009, available at:
http://www.irishtimes.com/newspaper/finance/2009/0227/1224241883460.
[16] Shaw L.J., Bell v Alfred Franks & Bartlett Co Ltd [1980] 1 All ER 356 at 360.
[17] British Gas Trading Ltd v Data Protection Registrar, 22 June 1993, Encyclopedia of Data Protection para 6-513.
[18] Gray, T., Zeggane T. and Maxwell, W. “US and EU authorities review privacy threats on social networking sites” [2008] Entertainment Law Review 69 at 74.
[19] Applause Store Productions and Firsht v Raphael, [2008] EWHC 2263 (QB), Michael Keith-Smith v Tracey Williams [2006] EWHC 860 (QB).
[20] Directive 2000/31/EC.
[21] Godfrey v Demon Internet [1999] 4 All ER 342.
[22] Directive 2000/31/EC, supra, Section 4, Article 14.
[23] Rowland, D. and Macdonald, E.: Information Technology Law, Cavendish: Oxford, 2006, at 414.
[24] Kaye v Robertson, supra.
[25] McKennit v Ash [2006] EWCA Civ 1714.
[26] Von Hannover v Germany (2005) 40 EHRR 442.
[27] Bodil Lindqvist (Case C-101/01) [2004] 1 CMLR 20; Campbell v MGN [2004] 2 AC 457 (HL).