Wednesday, November 28, 2012

When is personal information on the Internet ‘manifestly made public’?

The Directive 95/46/EC in Article 8 regulates conditions related to the processing of special categories of data. In paragraph 1 the Directive says that “Member States shall prohibit the processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.”[1] In the paragraph 2 the Directive presents exceptions from the rule in paragraph 1, therefore according to the section (a) the paragraph does not apply if “the data subject has given his explicit consent to the processing of those data” and (among others) also according to the section (e) if “the processing relates to data which are manifestly made public by the data subject.”[2] Therefore it could be assumed that all personal information online, which has been ‘manifestly made public’ by individuals themselves could be processed by other individuals or third parties. 

In my opinion it is unclear when it could be claimed that an individual has his personal information manifestly made public. One might argue that since, what is published online will most likely stay there and everyone with an Internet connection has access to it, therefore an individual with publishing his personal information online has manifestly made it public.

On the other hand it is not necessary that everyone has access to all the content that has been shared online. Individuals can, while using Internet services protect their personal information in a way that they narrow down access to it to a limited amount of people. Could it then still be argued that an individual by publishing his personal information online has manifestly made it public? Furthermore, even though an individual limits access to a certain amount of third parties, this can still represent a big amount of people. I will illustrate with an example: Maggie is a student who writes a blog[3] every day. She writes about her personal life, her grades at University, places she had visited, shops where she has shopped, her hobbies and other activities, and daily shares her personal information online with all Internet users, that is 32, 7% of world’s population. In this case one might reasonably argue that she manifestly made her personal information public. If Maggie decides to limit access to her blog only to registered users of the same blog publishing service, this would narrow down the amount of potential readers a lot. However, if she is writing her blog and using Wordpress[4] services there is still a huge amount of potential readers who could access her blog and consequently her personal information, since Wordpress noted 6 million new blogs created only in 2010.[5] One could again argue that since so huge amount of people could access her personal information, she manifestly made it public. To go even further, Maggie has decided to limit access to her blog only to her 4 best friends, who are also members of the same blog publishing tool. Could one therefore still argue that she manifestly made her personal information public by publishing it online?

Answers to these questions are important from the perspective of control over personal information. The Directive 95/46/EC in Article 7 presents grounds for legal processing of personal information.[6] According to Article 7 (a) personal information (including information that is spread online) “may be processed if the data subject has unambiguously given his consent.”[7] Article 8[8] regulates special categories of data. But neither of them regulates when conditions for lawful processing of individual’s personal information, which can be found on the Internet are fulfilled, except the requirement of individual’s consent.

The Article 29 Data Protection Working Party [9] adopted Opinion 5/2009 on Online Social Networking. They approach this issue from the data controller perspective, which could be social network providers, application providers or users themselves.[10] The perspective relevant for this case is user’s perspective. Regarding this issue, the Directive in Article 3[11] defines the scope of protection and in paragraph 2 presents exceptions; therefore the directive the Directive shall not apply “to the processing of personal data by a natural person in the course of a purely personal or household activity.”[12] The Art. 29 WP in the Opinion 5/2009 presented grounds when the Article 3 household exception may not apply and user could be considered as data controller.

The household exception might not apply when social networks users extend their activity on those networks from personal to professional.[13] User therefore starts acting “on behalf of a company or association, or uses
the [social network] mainly as a platform to advance commercial, political or charitable goals, the exception does not apply.”[14] In such circumstances the user takes over responsibilities of data controllers for disclosing personal information to other information collectors or to third parties, and needs to fulfill conditions set out in the Directive 95/46/EC regarding the personal data processing, such as data subject’s consent.[15] Furthermore, a high number of user’s personal contacts could also indicate that a household exception should not apply and that user should be considered as data controller.[16] 

The household exception might be also connected to the access to profile information. The social network services must provide privacy settings, which enable users to narrow access to his profile information only to a certain contacts. Whether a user does not limit access to his personal profile and furthermore if it is possible to search for information with use of search engines, such access might not fall within the scope of household exception.[17] Rules for data controllers apply also if a user later changes his privacy settings and grants access to his profile information to all social network users.[18]

Art. 29 WP also foresee the non-applicability of the household exception in cases when social networks’ users online share personal information of third parties, especially when it comes to the procession of special categories of data.[19] Furthermore, in such cases a user might be liable under national civil or criminal laws (if one fulfills conditions set out in relevant provisions), even though the household exception would apply in particular case.[20]

The manifestly making personal information public issue was also addressed in Pamela Pengelley’s article: “Fessing Up to Facebook: Recent Trends in the Use of Social Network Websites for Insurance Litigation” in relation to disclosure of documents.[21] Under Canadian law parties of a dispute have a possibility to ask a Court to order a disclosure of documents if they reasonably suspect that the opposite party did not presented all relevant documents.[22] In a case Murphy v. Perger[23] the plaintiff Ms. Murphy was involved in a car accident.[24] She sued the other driver, seeking for damage for the detrimental impact on her enjoyment of life and her inability to participate in social activities, since she suffered for chronic pain disorder.[25] Before the trial her post accident photos from a party appeared on Facebook in her fan page, and the defendant’s lawyer asked for disclosure of documents, since her personal profile had restricted access, but he was able to see that she has 366 contacts.[26] Plaintiff’s lawyer objected, claiming that “this was too speculative to justify an order for production given the plaintiff’s expectation that the site would be kept private.”[27] The judge decided that there is a reasonable suspicion that the plaintiff’s photos exist on her personal Facebook profile, and what is the most important for this Thesis perspective, the judge decided “that the plaintiff could not have any serious expectation of privacy given that 366 people had already been granted access to the private site.”[28] If I compare presented case to the Directive 95/46/EC, the decision presented in this case has defined that granting access to 366 other users is a sign that data subject has manifestly made his personal information public.
With the use of the Internet an individual’s risk that their personal information will be processed without their consent is higher than in ‘real’ life. Anonymity is decreasing with our every click we make on the Internet. Every Internet’s user is slowly turning in some kind of public figure, who enjoys a different (lower) level of privacy and consequently also personal information protection. I will illustrate the question of minimal level of privacy and personal information protection with public figures as an example.

[1] Directive 95/46/EC, 1995.
[2] Ibid.
[3] A blog is an individual's journal distributed on the Internet (Wikipedia. (n.d.). Blog. Retrieved April 26, 2012, from Wikipedia:
[4] Wordpress is a “free and open source blogging tool” where individuals can publish their blogs. (Wikipedia. (n.d.). Wordpress. Retrieved April 16, 2012, from Wikipedia:
[5] Bryant, M. (2011, January 7). growing fast. Over 6 million new blogs in 2010, pageviews up 53%. Retrieved April 25, 2012, from The next web:
[6] Directive 96/46/EC, Article 7.
[7] Ibid.
[8] Directive 95/46/EC Article 8.
[9] This Working Party was set up under Article 29 of Directive 95/46/EC. It is an independent European advisory body on data protection and privacy. Its tasks are described in Article 30 of Directive 95/46/EC and Article 15 of Directive 2002/58/EC.
[10] Article 29 Data Protection Working Party:. (2009, June 12). Opinion 5/2009 on Online Social Networking. Retrieved May 1, 2012, from European Commission Justice:, p. 5.
[11] Directive 95/46/EC, Article 3.
[12] Ibid.
[13] Article 29 Data Protection Working Party:, 2009, p. 6.
[14] Ibid.
[15] Ibid.
[16] Ibid.
[17] Ibid.
[18] Ibid.
[19] Ibid.
[20] Article 29 Data Protection Working Party:, 2009, p. 7.
[21] Pengelley, P. (2009, March 3). Fessing Up to Facebook: Recent Trends in the Use of Social Network Websites for Insurance Litigation. Retrieved May 1, 2012, from Social Science Research Network:
[22] Id. p. 5.
[23] Murphy v. Perger, [2007] O.J. No. 5511 2007 WL 5354848 (Ont. S.C.J.).
[24] Pengelley, 2009, p. 5.
[25] Id. p. 6.
[26] Ibid.
[27] Ibid.
[28] Ibid.