Industry Focus
Hash Tag Privacy - Who Is Twitting on Twitter?
It could be argued that social media, the Internet sensation that allows real-time peer-to-peer communication, has become a troubled adolescent who has very much grown up in the public.
Although legal guidance is already available for individuals, organisations, and businesses seeking to harness this youthful and somewhat errant technology, the question remains—are they enough as it only seems now that the parents and lawmakers are looking to put further controls in place to moderate its behaviour?
In 2011 the EU pledged that it would enshrine in law the right for an individual to “disappear online,” but with complexity surrounding privacy settings and individual users’ lax use of them on Facebook, for example, this has proved more troublesome than the bureaucrats and plutocrats in Brussels had first envisioned.
Britain vs. the Continent
This has not been helped by the ongoing political spats over sovereignty, with member states such as the U.K. announcing last year that it wanted to veto or opt out of Europe’s scoped privacy laws.
The row between Europe and the U.K.’s Ministry of Justice is symptomatic of a wider disagreement that ultimately impacted in a falling out between the Internet and the individual, so much so that there seems to be only wafer-thin protection for users.
The right to be forgotten, Article 17 of the Data Protection Regulation, has been developed by the EU Justice Commissioner’s office primarily in response to complaints about the way that social media sites, such as Facebook, retain and handle information. Although the terms of the regulation have not yet been finalised, its current form provides for punitive fines of up to 2 per cent of global turnover for companies that refuse to comply with requests to erase customers’ personal details.
Viviane Reding, the EU Justice Commissioner, said, “At present a citizen can request deletion only if [data is] incomplete or incorrect. We want to extend this right to make it stronger in this Internet world. The burden of proof shall be on the companies. They will have to show that data is needed.
“This piece of legislation is one of the biggest market-openers of the last few years. It eliminates twenty-seven conflicting rules [one for each EU state] and replaces them with a mechanism for the whole continent. This means saving €2.3bn (£1.9bn) a year,” Reding added.
“But the British government have asked us not to do this and [would prefer] two laws—one for Britain and one for other people, meaning there would be separate layers of complication. I have exchanged letters with [the U.K. Justice Secretary] Chris Grayling on this, which is rather like Kafka. Britain is meant to oppose red tape; here Britain wants a supplementary layer of red tape. It’s crazy. The U.K. wants twenty-seven rules—one for each country,” she said last year.
This has resulted in high-profile cases where inaccurate statements and opinions and outright threats have been posted in the name of free speech and have shone an unfavourable light on the social media sites that host them.
However, it could be argued that trying to moderate this with stringent controls of social media sites that encourage, and require, spontaneous engagement and content to survive and thrive, is a little like trying to put toothpaste back in the tube once it has been squeezed.
Although it is often thought of in terms of “a lie is halfway around the world before the truth has got its boots on” or “closing the digital stable door after the horse has bolted,” the physical world is clumsily trying to play catch up with the ethereal playground of the Internet.
Tools do exist that may provide remedy post event, including the following:
- The Data Protection Act
- The Protection from Harassment Act 1997
- The Communications Act 2003
- The European Convention on Human Rights
- The Malicious Communications Act 1988
- The Contempt of Court Act 1981
- s4A of the Public Order Act 1986
- The common laws of defamation
But in the post-Leveson world, where individuals are still trying to get redress from inaccuracies printed in the physical press, there is still a long way to go before social media moderation gets the airtime it requires.
Proactive Guidance for Businesses
Retailers are among the vanguard of businesses using the Internet for commercial purposes with online shopping through transactional sites being a huge revenue earner for many. Commentators always cite the latest online sales figures to highlight the demise of the traditional High Street—the so-called “clicks and mortar” over “bricks and mortar.”
Retailers are now looking to grow that market even more with the use of tablet and mobile smartphones, QR codes, and other rapidly advancing technologies. This has resulted in US rapidly entering a new world where loss prevention teams are playing catch up because the technology is still so new and the risks have not been fully assessed, other than the ever-looming and nebulous threat of cyber-crime.
But what about reputational threats? There are instances when public confidence is challenged when a retail website is compromised, for example, but what about content issues and policies surrounding the use of social media?
Many forward-thinking retailers have policies about the use and often misuse of social media by staff. In a recent incident, staff from one High Street retailer got into disciplinary issues when they responded to defend their brand from a television documentary made by Mary Portas. Their comments, although loyal to their employer, contravened the company policy on the use or misuse of social media.
The Information Commissioners Office (ICO) in the U.K. has published a helpful guidance document on the use and misuse of social media, which distinguishes between individuals on Facebook and Twitter for their own personal and private use and where businesses engage with social media or encourage their staff to use it for commercial purposes.
Titled Social Networking and Online Forums—When Does the Data Protection Act Apply?, the sixteen-page document is a useful resource that is available on the ICO website at ico.org.uk. It is a step-by-step guide that distinguishes between what is personal or domestic use and what is organisational or commercial. For these purposes, it highlights the role of the data controller and their role in checking and moderating content.
It also provides case study and legal case examples of where breaches of the Data Protection Act have occurred in individual cases where data has been processed unfairly or unlawfully because they have been the subject of derogatory, threatening, or abusive postings by third parties.
This is the case for social network sites including Facebook and Twitter where content is totally provided by its users. Here, it is impossible to moderate or even check content for accuracy or levels of offensiveness. And, many argue, that in a democratic country that prides itself upon unfettered free speech, any tampering with this principle should be resisted.
For these sites, the Data Protection Act is clear—the social networking sites must have clear and prominent policies about what is not acceptable to post and have clear and easy-to-find procedures for those who take issue with posts to dispute their accuracy and ask for them to be removed. They must have mechanisms in place to respond quickly and suspend access to content until the dispute is settled.
Where “wronged” individuals approach the ICO over these postings, the body advises take initial steps, including following the website’s grievance procedures (which it should have), contacting the website administrator, or taking the matter up directly with the individual or organisation that has posted the contentious material. If the material is libelous, threatening, or constitutes harassment—as has been the case with a number of recent high-profile cases—they should consider taking legal advice or contacting the Police.
Two people recently appeared in court charged over threatening postings aimed at a campaigner looking to get greater female representation on British bank notes.
However, the guidance is clear—the ICO will not consider complaints made against individuals who have posted personal data and are acting in a personal capacity because, although the postings may be offensive, he or she is posting in their own capacity under the s36 exemption to the Data Protection Act.
What is important for businesses to remember, including retailers asking staff to tweet on behalf of the company, is that the ICO will consider complaints about such posts, if challenged. However, it will try and work with businesses to make sure its policies and procedures for dealing with complaints are adequate.
Conversations with Customers
Although we have all grown up with the Internet; obviously some more than others. Although careful not to generalise, there are so-called “digital natives” who are individuals who use social media as part of their everyday discourse. These individuals are often emboldened posters who operate with a notion of impunity, blissfully unaware of the legal consequences of their actions as the perpetrators see it as everyday pub-type banter.
At the other end of the digital scale are the “digital migrants” who were alive before the Internet and tend to treat it in a toe-in-the-water manner—everyone’s talking about it, but they are not really sure if it suits them.
It can be argued with authority that most businesses that preceded the Internet would fall into this latter category. Many leave the social media aspects of the business to a few unregulated interns from the digital native generation who may or may not have the guidance or perspective to protect the brand.
Heads of loss prevention have a major role to play in educating the business about the inherent risks of half-playing with social media as a way of carrying on conversations with their customers. Social media, by its very nature only works if it is spontaneous, but posters need to be aware of the rules of everyday engagement.
Monitoring Staff
What about retailers employing social media to monitor staff behaviour? According to the ICO, this is mostly about context in the U.K.
If they are representing the organisation, such as providing general customer advice in response to queries to the organisation via Twitter, then there is an expectation that the activity will be monitored. However, monitoring someone’s personal profile is an altogether different issue.
The ICO would need to be satisfied that an employee had explicitly given permission for their personal social network account to be monitored. Even then, how could the giving of personal password details be smoothed over in a tribunal or court of law?
Would granting permission to monitor be a condition of employment? In other words, how much is it a freely given choice? Would it involve providing log-in details? There is a question of proportionality here. How necessary is it for an employer to monitor an employee’s social network account? What are they looking for and why?
In these post-Edward Snowden days that revealed that European heads of state’s text and email communications were monitored by the U.S. National Security Agency, how could an individual’s right to privacy—albeit in an open forum such as a social media site—be so freely negotiated away to an employer?
In Europe where worker’s council’s have a greater say on employment law, it would not be countenanced. The U.K.’s nearest neighbour Ireland, which is part of the EU, takes a very strident anti-intrusion approach with draconian penalties—up to 2 per cent of global turnover being the suggested penalty for transgressions over the Irish Data Protection regulations.
The Role of LP
To say that social media on the Internet has changed both our personal and business lives is an enormous understatement. Company and government response to managing data privacy simply cannot keep pace with the rapidly accelerating technology issues.
That said, businesses cannot simply throw up their hands and ignore the potential issues that could adversely affect their brand and their bottom lines. Loss prevention executives can and should be leading the internal efforts to manage the risks and develop the policies and training to protect the company, their employees, and their customers.
EDITOR’S NOTE: The U.S. magazine has addressed issues around social media in numerous articles that our EU readers may find interesting. Following are a list of articles that can be found on the U.S. website, LPportal.com.
“The Evils of Technology,” September-October 2013
“The Threat of Social Media,” July-August 2011
“Social Networking—A Double-Edged Sword,” July-August 2010
