DCN May 2016 - Page 37

data protection about themselves being gathered, particularly where they can be personally identified from the information. The Data Protection Directive defines consent as ‘any freely given specific and informed indication of (a user’s) wishes by which (a user) signifies his agreement to personal data relating to him being processed’. Facebook stipulates in its Data Policy that it shares user data for ‘advertising, measurement and analytics services’, a policy which all users must agree to prior to creating an account. Arguably then, every Facebook user has consented to Facebook permitting data scrapers to acquire their information. This is important because, under the Data Protection Act 1998, it is an offence to obtain or disclose personal data without the consent of the data subject; ‘personal data’ in turn is defined in the Act in general as data which relates to a living individual who can be identified from that data. The issue faced by these data scraping programs is that, whilst details obtained from one website may in isolation not be sufficiently ‘personal’ to constitute personal data, when data from multiple websites is aggregated the company may inadvertently find itself in possession of personal data without the consent of the individual concerned. As a hypothetical example, a program might collate the Twitter usernames of everyone who has retweeted a company’s tweets in the last 12 months. This data may not in itself be sufficiently personal to allow individuals to be identified and so not breach data protection rules. If the software then scrapes Facebook and a user has referenced their Twitter account on Facebook, when the Facebook and Twitter data is read together the company may now inadvertently be in possession of data from which an individual can be identified – ie. personal data. Under the websites’ terms and conditions the software may have conducted perfectly legal data scraping but someone using the results may find themselves in breach of data protection rules as they don’t have permission from the individual to use the personal data. consented to being sent such communication. In addition to such a fine, a company may find itself faced with calls from individuals for compensation for distress. In 2015 the Court of Appeal backed consumers in Google vs. Vidal-Hall by confirming that, in order to bring a claim for distress, an individual does not even need to show financial loss. Indeed since 2010 the ICO has issued fines totalling over £6,400,000 for breaches of the Data Protection Act. Using the data Having collated sufficient information on individuals to build up a directory of customers, a company may be tempted to use the information for marketing purposes, rather than analytics alone. Even if the information doesn’t constitute personal data, the company may be in possession of sufficient detail to allow it to contact the individual. Companies considering such activities should be aware that the consent required from individuals to collate their personal data is distinct from the consent to be sent unsolicited communications. Under the Privacy Regulations an individual recipient of unsolicited emails or automated calls must have given their prior consent to being contacted and the consent must have been given to the sender. The dangers of overstepping data protection rules should not be taken lightly: in December 2015 the ICO fined the Telegraph Media Group £30,000 for sending unsolicited marketing communications to its readers during the 2015 General Election. The ICO held that none of the Telegraph’s readers had specifically Many websites have express provisions in their terms and conditions dealing with data scraping. What should be done? These issues should serve as a warning to companies engaging in such activities to check carefully what information these programs collate and that the necessary consents have been obtained from each source. Companies should not assume that, simply because the software has the necessary licences and consents to be used, they themselves can be covered by the same consents. The data needs to be considered not only as separate sets of data, but holistically to ensure that, if necessary, consent has been obtained from individuals for the collation of their personal data and an agreement to be contacted as part of a marketing campaign. 37