6 legal things you should know about social media and how to deal with them

Shona Harper

At London Social Media Week, I met solicitor Shona Harper, an expert in the legal side of social media for individuals and corporations, and we got to talking about some of the rather scary things that most of us pay little attention toward when using social media.

Whether it is uploading photos, that we then allow another entity to have control of, or granting access to our Facebook or Twitter account to a third party – we are, often unknowingly, giving away data, and, in certain instances, giving away certain privacy rights associated with that data. Admit it, when that long, boring box of detailed legal information pops up when you download an app or sign up to a website, you just hit “I Agree” and don’t actually read it, don’t you? While maybe there are a few things you should be paying attention toward.

Shona has kindly offered to give The Wall Blog UK readers some in-depth insight to the legal side of social media, with these 6 legal things we should know, and how to deal with them:

1) No online service or app is free: your data is the asset you give up to use the service or app

As the internet continues to evolve, we are increasingly being offered new and more funky services and apps to play with. But as we play, a continuing stream of information about how we are playing is being recorded by those sites, services and apps for future use – though it’s possible that future use is not yet known. Thus, the sites are building up a mine of information about us without us necessarily being aware of it. In this way, that information is “the price” of using that service, and we users need to re-align our assessment of sites to match this.  We’ve re-aligned the rest of our lives as a result of the internet, so adding re-aligning our concepts of price could just be part of that.

2) Not all sites have to comply with data protection laws

Any legitimate site collecting data about its users and their usage of the site should be happy to comply with data protection rules, even if they are not compelled by law to do so. The European laws probably set the highest standards internationally, and are often followed by other countries as a template. These rules are based on two fundamental principles of transparency and consent.

Transparency is the concept that data controllers, ie those operating websites which collect and make decisions about data, must tell users what information they are collecting, why they are collecting it, what they intend to do with it, how long they intend to keep it, how they will keep it secure, and what they will do when they have finished using it. This information is usually given to users in a privacy policy which should be easy to find on any website. A current challenge for controllers is how they provide this information if their only contact with users whose data they gather is an app, as it is very difficult to get a privacy policy into an app in a user-friendly way. Perhaps the answer here is to have a link to a website with the policy. However, the difficulties the controllers face in marrying up today’s technology with their legal requirements is no excuse, and many are coming up with some very inventive ways of doing so.

The second fundamental principle is user consent, which must be informed (hence the importance of transparency) and freely given. You as a user must understand what you are consenting to. Failure to get such genuine consent is why there have been a number of highly publicised privacy errors by data controllers in the last few years.

So when using any social media service or app that is collecting your data (other than anonymous data), make sure that their use of that data is transparent (by checking their privacy policy) and check you are comfortable with what they say in that policy before consenting to that use. If the policy isn’t clear, perhaps you could invite them via a tweet to explain it in more straightforward terms?

3) What is the “right to be forgotten”?

The “right to be forgotten” is a new rule that will come into force in European data protection law in the next few years.  It will create an express right for the subject of data to require that the data held about him or her be erased in certain circumstances, one of those being that the data is no longer needed for the original purpose for which it was processed. This will be a useful right on paper, but it is going to cause considerable headaches for the companies who hold the data. The real challenge will be how companies implement it technically, against the background of the threat of a fine of up to 2% of global turnover. It is definitely better to have a legal right to demand data be deleted than not to, but the safest action for users will always be not to post anything they wouldn’t want their mother or employer to see in the first place.

4) Social media sites are sharing your information with other sites

Various sites which encourage users to post information about themselves online have changed their privacy settings over the past few years to allow them to share that information with other linked sites to make the users’ experience more specific and unique. The sites need to have user consent to share information in this way, but many have obtained it “by the back door”: they have introduced the service with all users automatically opted-in to it, such that users have to be aware of the sharing to decide whether or not to opt-out.

Examples of this sort of service are Facebook’s instant personalisation, which went live in early 2011, or LinkedIn’s “social advertising”. LinkedIn downsized its service to minimise the public data sharing in response to user and data protection regulator complaints, but Facebook’s remains live. It works by sharing data with its partner websites and vice versa, which then allows friends or contacts to share on other websites the information they learn about the original user on the partner website. This means the information that the user originally posted on the first site is then well and truly out of his or her control.

Users could respond to this by assessing the data sharing options on the websites they post any information on. Think about all the sites you use and review all their privacy settings: who is sharing what with whom and for what purpose? Does the site provide a list of all the sites they share information with to help you with making that assessment? Any site based in Europe is obliged to tell you who they share with, so if it’s not clear, why not ask them to tell you? If users value a site’s service but not its data sharing, the site might respond to users in the same way that LinkedIn did by allowing users to opt-out of that sharing without losing the ability to use the service.

5) Do you have the legal right to share what you share?

Another question is not just what is being sharing about you, but what are you sharing via your social networks? If you share anything that you do not have the right to share, then you risk being accused of, amongst other things, copyright infringement. Copyright holders are much more aware of the sharing of their content than they were 5 years ago. They have finally caught up with the scope and scale of the internet and are hot on chasing and catching illegal sharers, even the small-scale ones. There is new legislation in force in several countries that allows copyright holders to notify ISPs of any IP addresses that they suspect of sharing infringing content, whereupon that ISP has to notify the relevant subscriber of that complaint. If the sharing continues, then depending on the country, the ISP has to send further notifications, and in due course, the copyright holder may be allowed to go to court to ask the ISP to identify the subscriber behind the IP address which is sharing the copyright protected content. While there are many flaws in this sort of legislation, the point is that it exists, it is being used, and as a result, illegal sharing has fallen in those countries.

6) Hold your horses: think first, type later and avoid being fired or sued

Social media makes it even easier to vent one’s feelings but regret it afterwards. This is emphasised by the fact that the right to be forgotten isn’t actually part of (European) law yet, and some social media networks (eg Facebook) have a tendency to say they have deleted everything but actually haven’t. Thus, users run an even greater risk of writing something inappropriate with very negative consequences. While there is a fundamental freedom of expression in the US, negative comments can often result in negative action by those you write about, especially if you write about your employer. Here is a great list of examples of Facebook posts leading to the user looking for a new job:

Also, the borderless nature of the internet means that the jurisdiction of the English Court in respect of a claim for defamation (damaging someone’s reputation) is almost worldwide, as long as enough people read the post in question. So you may not just lose your job, you may be served with English legal proceedings seeking damages and legal costs for your (probably ill-considered and long-regretted) comment.

——

Do you have further legal questions for Shona? Leave a comment and she will respond.