I’ve pretty much come to accept that anything I do online – even things that are supposed to be private, such as sending and receiving emails and doing my banking – may be observed by people or agencies who have no legitimate reason or right to be observing me.
Any last naive hopes I had that maybe some corners of my online life might be private were dispelled when I watched Snowdon, a rivetting film which I’d highly recommend. After watching that, you’ll be keeping your webcam covered, if you’re not already.
But even if I’ve given up on online privacy, the law has not.
The privacy paradox
In his thought-provoking piece, Sharing Privately, Max Mills navigates the murky waters of social media, privacy, and the law. He sees a paradox in, on the one hand, the innate human wish to share information about themselves online and, on the other hand, the desire to be protected from the unintended sharing of such information beyond the intended recipients. In other words, we want to share, but to share privately.
I’d long thought that if you posted something on Facebook, you’d essentially placed it in the public domain and relinquished your privacy in relation to that material. But Mills explains that that’s not necessarily how the law sees it.
English law, at least, allows that a person may wish to share something only via a private Facebook page, in which case, the sharer could be said to have a ‘reasonable expectation of privacy’. In other words, they should be able to expect that the shared material will not be disseminated beyond the group they sent it to.
Twitter is viewed very differently, though. Mills likens using Twitter to sitting in a room with an open door, into which anyone could wander, or outside of which anyone could eavesdrop. Thus, it would be hard to argue that a Twitter user should have any reasonable expectation of privacy. Indeed, many Twitter users are hoping for exactly the opposite – they’re hoping for exposure to a wide audience. Mills refers to this as publicity-seeking behaviour and cites it as a factor in deliberations on some cases.
What’s the public domain, these days?
It’s an important question in relation to complaints of online defamation. Mills explains that the answer determines to what extent material could be considered to have been ‘published’ (literally, ‘made public’) and so what damages, if any, will be awarded. It gets really complicated so I’ve summarised some of the key questions in the infographic below. (For more information, see the references section.)
All I’ll say is that, although the law is yet to (and may never) fully address every possible digital media scenario, there’s already been a lot of work done on trying to find a balanced approach to the issues. So in answer to my opening question, it seems privacy is still a thing. Certainly the European Union doesn’t intend to give up on it. There’s too much at stake.
What’s Europe doing?
Paul Voight and Axel von dem Bussche (2017, pp. 1-2) explain that the GDPR is a set of requirements with which any business anywhere in the world that holds the personal data of an EU citizen will need to comply. It came into force globally on 25 May 2018 and the fines are staggering – up to 20 million euro or 4% of global turnover – forcing businesses to take data protection seriously.
The time and expense involved in businesses ensuring compliance with the GDPR is considerable. So what’s driving this sudden demand for rigorous management of personal data?
Well, first of all, it’s not sudden. The EU has been looking at this since the mid-90s. An earlier attempt at aligning the EU member states on data protection failed, so in 2016, the EU agreed on the GDPR. Importantly, this is a ‘regulation’, not just a ‘directive’, which means it will apply across all member states (and beyond) without the need for each state to pass it into law, avoiding the inevitable legal uncertainty that would otherwise have resulted (Voight & von dem Bossche 2017, pp. 1-2).
Secondly, the EU has recognised that a population’s uncertainty as to the safety of their personal data has a chilling effect on e-commerce. Voight and von dem Bussche cite Recitals 7 and 9 of the GDPR in stating that:
The EU aims at regaining the people’s trust in the responsible treatment of their personal data in order to boost digital economy across the EU-internal market. (p. 2)
So, it all comes down to money – protecting citizens’ privacy is vital for protecting commerce.
The GDPR is vast in its implications and I’ll write more about this and related topics in the coming weeks.
Content updated on 29 July 2018.
Mills, M 2017, ‘Sharing privately: the effect publication on social media has on expectations of privacy’, Journal of Media Law, vol. 9, no. 1, pp. 45-71, DOI: https://www.tandfonline.com/doi/full/10.1080/17577632.2016.1272235
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), , OJ L 119/1, art 83(5).
Voight, P & von dem Bussche, A 2016, The EU General Data Protection Regulation (GDPR) – A Practical Guide, Springer International Publishing AG, Cham, Switzerland.
Background to infographic: as per header image.