Website-law.co.uk

The web law blog

Archive for the 'Data Protection' Category

Websites, data protection and children

June 28th, 2008 by Al Taylor

The first principle of data protection law is that personal data must be processed fairly and lawfully, and that one or more specified conditions must be met.

Perhaps the most important of those conditions affecting the collection and use of personal data via websites is:

“The data subject has given his consent to the processing.” (Data Protection Act 1998, Schedule 2, paragraph 1)

This raises the question of when a child can be taken to have consented to the processing of his or her personal data.

The DPA 1998 does not itself explicitly deal with the issue of obtaining consent from children.  However, the Information Commissioner has written:

“Websites that collect information from children must have stronger safeguards in place to make sure any processing is fair. You should recognise that children generally have a lower level of understanding than adults, and so notices explaining the way you will use their information should be appropriate to their level, and should not exploit any lack of understanding. The language of the explanation should be clear and appropriate to the age group the website is aimed at. If you ask a child to provide personal information you need consent from a parent or guardian, unless it is reasonable to believe the child clearly understands what is involved and they are capable of making an informed decision” (The Data Protection Good Practice Note: Collecting personal information using websites).

So, privacy policies aimed at children should be extra-prominent and extra-clear. A very young child may never be able to give adequate consent, whereas an older child may be able to give adequate consent in many different circumstances. The Information Commissioner does go on to refer to a particular age threshold:

“The Act does not state a precise age at which a child can act in their own right. It depends on the capacity of the child and how complicated the proposition being put to them is. As a general rule, we consider the standard adopted by Trust UK (www.trustuk.org.uk) to be reasonable: ‘TrustUK approved webtraders recognise children need to be treated differently from adults. They will not market their products in any way that exploits children, nor will they collect information from children under 12 without first obtaining the permission of a parent or guardian. They will not collect personal data about adults from children.’”

There are particular pitfalls for the operators of social networking websites, other websites which publish user generated content, and websites that collect information that is passed on to third parties:

“There are certain practices that are likely to breach the Act, for example, collecting information about other people from children, and enticing children to reveal information to win a prize or similar. If you are going to disclose or transfer personal information collected from children to third parties, you need to have the explicit and verifiable consent of the child’s parent or guardian, unless you can be sure that the child really appreciates what is going on and the consequences of their actions.

If you want to publish a child’s personal information on the internet, you should usually get the verifiable consent of the child’s parent or guardian. Whether you need the parents’ or guardians’ consent for the publication, or that of the child, will depend on the circumstances, in particular, the child’s age and whether you can be sure the child fully understands the implications of making their information available on the internet.”

An obvious question arises: how can parental consent be verified?  The Commissioner states:

“If you need parental consent, you must have some way of verifying this. It will not usually be enough to ask children to confirm their parents have agreed by using a mouse click. If you need parental consent but decide that verifying the consent will involve disproportionate effort, you should not carry out your proposed activity.”

There is a wide range of methods which may be used to verify parental consent, some of which are stronger than others. For example, you might require a nominal credit card payment (a card can normally only be held by an adult) before the child can access the relevant functionality, or you might telephone parents to verify consent. A tick-box or a mouse click by the child is, as the Commissioner notes, not verification at all.

Note: there is a dedicated US law concerning the online collection of children’s personal data. The Children’s Online Privacy Protection Act of 1998 (COPPA) applies to operators of commercial websites and online services that are directed at children under 13 or that, even if not so directed, have actual knowledge that they are collecting personal information from children under 13. The most far-reaching provision of COPPA requires that such operators must, before collecting, using or disclosing personal information from a child, obtain verifiable consent from the child’s parent. This is why many US-orientated websites prohibit children under 13 from registering and using the website.



International transfers of personal data

January 20th, 2008 by Al Taylor

Website operators commonly transfer the personal data of their users overseas.

However, the UK’s Data Protection Act 1998 expressly restricts certain transfers of personal data outside the European Economic Area: “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data”.

This is known as the Eighth Data Protection Principle.

The Information Commissioner recommends a 4 stage approach to analysing such personal data transfers: first, is the transfer a “transfer of data to a third country”; second, is there an “adequate level of protection”; third, have the parties put in place “adequate safeguards”; and fourth, do any of the “other derogations” from the general principle apply.

Transfer of data to a third country

The EEA consists of the EU plus Iceland, Liechtenstein and Norway.

Transfer is to be distinguished from transit: there will be no transfer of personal data where it merely passes through one jurisdiction on its way to another jurisdiction.

In the context of websites, there will be a transfer (or transfers) of personal data outside the EEA where:

- personal profile information will be published on the internet and made available to readers around the world (e.g. on social networking sites, auction sites, dating sites). Note, however, that in Lindqvist (Case C-101/01, 2003) the European Court of Justice held that merely loading personal data onto a web page hosted within a Member State is not, by itself, a “transfer to a third country”; the position is different where the data are actually sent to, or hosted by, recipients outside the EEA;

- where a website collecting and/or hosting the personal data of EEA nationals is hosted outside the EEA;

- where a website passes personal information to marketing affiliates outside the EEA.

Obviously, this list isn’t exhaustive.

Adequate level of protection

A range of different factors may be taken into account in determining whether the level of protection offered by a country or territory is adequate.

These include: the nature of the personal data, the country or territory of origin of the information contained in the data, the country or territory of final destination of that information, the purposes for which and period during which the data are intended to be processed, the law in force in the country or territory in question, the international obligations of that country or territory, any relevant codes of conduct or other rules which are enforceable in that country or territory (whether generally or by arrangement in particular cases), and any security measures taken in respect of the data in that country or territory.

Very few countries have been deemed by the European Commission to offer an “adequate level of protection”. At the date of writing, only Argentina, Canada, Guernsey, the Isle of Man and Switzerland are considered to offer such protection. In addition, the Commission has recognised that US companies that sign up to the US Department of Commerce’s Safe Harbor principles offer an adequate level of protection.

In any particular case, the data controller transferring personal data outside the EEA may be expected to demonstrate that it has analysed the relevant factors and concluded that protection was adequate; that analysis should be documented.

Adequate safeguards

Where a data controller is not satisfied as to the adequacy of the level of protection in the country of destination, then it may still transfer the personal data if it uses the “model clauses” or “binding corporate rules” approved by the European Commission.

The binding corporate rules are only applicable to intra-group transfers.

The model clauses may be suitable for individually negotiated hosting or affiliate arrangements, but will be of no use where the data controller is contracting on the data processor’s standard terms and the processor will not agree to incorporate them; in any case, they are generally considered to be unwieldy.

Other derogations

There are also a number of exceptions to the general prohibition, some of which may apply in the case of personal data processed by website owners:

- the data subject has given his consent to the transfer.

- the transfer is necessary (a) for the performance of a contract between the data subject and the data controller, or (b) for the taking of steps at the request of the data subject with a view to his entering into a contract with the data controller.

- the transfer is necessary (a) for the conclusion of a contract between the data controller and a person other than the data subject which— (i) is entered into at the request of the data subject, or (ii) is in the interests of the data subject, or (b) for the performance of such a contract.

If a website owner is to justify a transfer on the grounds of consent, that consent must be fully informed and freely given. Data subjects must, according to the Information Commissioner’s guidance, have a real opportunity of withholding that consent without suffering any penalty, and must be able to withdraw that consent at a later date if they change their minds. As the Information Commissioner notes: “For these reasons, consent is unlikely to provide an adequate long-term framework for data controllers in cases of repeated or structural transfers of data to a third country.”

The other two relevant derogations both use the concept of “necessity”. This may be a difficult test to meet.

Examples of application

Websites, such as social networking sites, auction sites, and dating sites, which allow users to publish their personal information on the internet may be best served by seeking to rely upon the derogation which allows transfers which are necessary for the performance of a contract between the data subject and the data controller. A key question will be whether the transfer is really “necessary”. For instance, it might be argued that it is not “necessary” for an auction site which is focused only on the UK to publish the personal information of individuals outside the EEA. If relying upon this derogation, the website owner will want to make certain that there is in fact a “contract” of some kind in place (not merely a licence to use the website).

Website owners who are thinking of having sites (which process personal data) hosted outside the EEA will not be able to rely upon that “necessary for contract” derogation, nor will they be able to rely upon a consent derogation (unless they also maintain special hosting facilities within the EEA for users who do not consent!). Instead, they should seek to ensure – one way or another – that the destination offers an adequate level of protection or that adequate safeguards are in place.

Caveats

The application of the Eighth Data Protection Principle is (some might say, needlessly) complicated. If you are in doubt about a particular issue of data protection law you should consider contacting the Information Commissioner’s Office or seeking professional advice.

Please note that this post is grounded in the UK approach to data protection law, and the approaches of other EEA states will vary.



A very brief introduction to data protection

December 6th, 2007 by Al Taylor

The centrepiece of UK data protection law is the Data Protection Act 1998 (the “DPA”). This legislation was enacted to implement a European Directive (Directive 95/46/EC, the Data Protection Directive).

Data protection law governs the “processing” of “personal data”. “Processing” is defined in the Act to mean:

… obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including - (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or (d) alignment, combination, blocking, erasure or destruction of the information or data.

In other words, almost anything you do with data will constitute “processing”.

“Personal data” is broadly defined to mean:

… data which relate to a living individual who can be identified - (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

So, for example, a list of names and addresses of customers will be personal data, as will an email address containing a person’s name.

Most of the key obligations in the DPA are placed upon “data controllers”. A data controller is defined as:

“… a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.”

In respect of personal data collected and processed through your website, you (or the company or other person who operates the website) will be the data controller.

The main consequences of this status are as follows.

First, the DPA requires “notification” from data controllers, unless an exemption is available (unlikely in your case). You can find out more about notification (which costs £35 per year) on the Information Commissioner’s website.

Second, individuals have certain rights under the DPA in relation to their personal data – for example, the well known subject access right – with which data controllers must comply.

Third, in the processing of personal data, data controllers must comply with the data protection principles.

In practice, a large number of UK websites operate in breach of data protection laws. Nonetheless, it is important that data protection compliance issues be addressed. Breaches of data protection legislation can lead to criminal as well as civil liability.

