This Directive shall not apply to the processing of personal data by a natural person in the course of a purely personal or household activity.

The Data Protection Act 1988 (DPA) gives an exception for the use of Data for Domestic purposes. Otherwise everybody in the UK would have to register for holding information in our diaries, etc…. DPA covers not just computers, but any data…..

So as long as I only scrape that information from Facebook for recreational purposes I do not have to worry about the DPA! Now linked-in could be another mater if one was to use those contacts for work!

Domestic purposes

Personal data processed by an individual only for the purposes of that individual’s personal, family or household affairs (including recreational purposes) are exempt from the data protection principles and the provisions of Parts II and III.

What you must include in a ‘Privacy Statements’ is grey at best in the UK, whilst it’s almost black and white in Ireland. Ireland goes to the extreme by expressing where on a Web page you should place the link to where the statement can be found.

Placing a privacy statement on Web sites is a legal requirement, which many organisations continue to ignore.

I will be *extremely* interested to hear from someone who has more information. I’ve been to various government departs, all of whom sent me a link to the ‘Business Link’ Web site – a joke to say the least.

It will of course happen, it may just take a little while. I’ll go put the kettle on…

https://www.prime-project.eu/

The minefield has a map with this information, add the appropriate licenses and storage services (AWS?) + tools voila

regards
Al

The problem is that any rules set are never going to be able to keep up with the pace of Internet developments. There are always going to be big issues when it comes to privacy.

Since tonnes of people are now using Facebook for both personal and work networking I see something of a legal minefield ahead (my original point). Anyone else agree/disagree?

Does it matter that the data was passed to the “individual” by a commercial organisation (E.g. Facebook)?

See also:
http://blogs.talis.com/nodalities/2008/01/data_licenses_for_social_netwo.php

I am a UK citizen and I hereby grant my permission for you to pass the personal data associated with this post to any other agency you see fit. I’m pretty sure I can trust you not to exploit the data for nefarious ends, and that’s good enough for me

When Robert pulled out that data, he did so without explicit consent of the people who had given him that data. You can argue that, by marking him as a friend, they’d given him implied consent to take that data and move it elsewhere, but given that Facebook has a measure of protection against porting email addresses, and given that users know this, I think you’d have a hard time actually demonstrating there was implied consent.

regards
Al

My original post was v high level, and definitely not a detailed legal analysis.

There is a lot more to Section 8, you can transfer info to the US, provided that you have certain protections in place, one option being membership of the Safe Harbo(u)r. Both Plaxo and Facebook are members of this. At the risk of oversimplification, it places obligations on Facebook etc to treat the data in the same way as if they were based in Europe. In the late 90s there was a lot of discussion about the dataflow question, and it has recently flared up with the airline data reservation system PNR.

Ben, a US company processing data about EU citizens does have obligations under EU law, policing it though, is another challenge.

The law is not there to mess around private citizens who maintain personal data for their own use, but the line between private and non-private use is rather blurred. This law is rather complex, and the interpretations of the directive differ markedly between EU countries, Spain being particularly fond of fines. The Lindqvist case is also worth a look, as it involves what most of us would consider to be a harmless parish website, something out of the vicar of Dibley.

I believe that it is possible to architect effective sharing and privacy control. Microsoft and IBM have some promising research, and there is a lot going on in academic circles too. It is arguably the most interesting area of research, because it brings together so many technical, legal and social issues. I welcome the efforts of facebook, google etc look at these issues. It will require a mix of legal and technical know how.

The UK Information Commissioner’s website is greatly improved, and well worth a visit. I’m glad to see them paying attention to social media. But the law is not well enforced.

I know a couple of privacy experts in the UK, and I’d be happy to connect you with them, just drop me a note or a tweet.

As part of my own academic work, I’m looking at how law is architected into technology, so I can bore for england on this.

It does really depend on how much information we can transfer between the different sites and networks.

If it is just contact info then I see no difference to me moving my address book from my PC to an online webmail service, or even me re-keying in the data that I already have.

If it is more information that contains information on actions my contacts have made on Facebook (For example) then it becomes a more tricky as that probably does need permission of each contact.

I’m no expert on EU privacy law but I do know it can be a very grey area and is difficult to interpret when it comes to situations like this. The whole privacy thing is a big subject and one that does need rethinking, quickly as the Internet is moving fast in this area!

The UK data protection act covers data that a company holds on other people. Surely in this case there isn’t a huge difference between the scenario where it is a company holding that data on people, and, say, Scoble holding that data on people, in the form of contact information etc?

Sure, it’s a different legal entity, but the principle isn’t wildly different.

I go back to the question just because I give Scoble permission to be my friend in Facebook does not imply he is my friend in another social context. So why should he have the right to move his social graph.

The data he has access to is his own lifesteam/attention data (APML and or attention.xml). If FB (beacon) gathers that for Scoble, he then should have the right to move his APML file.

Attention is the key value that commercial vendors want to trade with advertisers. They don’t care about you or your friends.

In the future your attention + your credit rating (plus buying history) will be key pieces of info that advertisers want in order to determine if you can afford their product.

In the future marketeers won’t waste their advertising budget on widescale marketing campaigns. They will target 1:1 people in real-time who have show interest in their product (or their competitors) based on their attention and then they will see if they can afford it. Just because you look at the Aston Martin site does not mean you can afford it.

Advertiser Servers like OpenAds, Wunderloop and Adify are already looking to combine these pieces.

If not, then why isn’t this EU rule being applied to our address books and other personal information that we may have stored on other online services.

It does need some clarification though, and perhaps a court case as Ben says. EU privacy laws are complex and not very easily understood when applied to Internet services and data.

If you are an EU registered company, or have a EU subsidery then juristiction could apply.

However, and frankly, a US originated company with no local office in EU doesn’t to comply with any EU rules.

Also, it does depend on what is considered ‘personal’. Unique ID’s that represet a friend, and friend meta data may not constitute personal data. There’s a court case in here to be had.

More long term, there’s also some debate to be had on whether person-to-person tranfer of data, facilitated by a 3rd party could be relaxed, etc.

I don’t think EU law is a blocker to all this myself.

2. Have you chatted to ORG about this or DRI from Ireland or the EU guys. Your analysis is shoddy to say the least.