Many countries now have data protection legislation which affords individuals the rights to:

  1. request that an organization hand over all information they hold on the individual and
  2. to request that any information held on the individual is destroyed

Facebook got into trouble over the second part of this in the UK as it is nigh on impossible to delete your information from Facebook.

This is understandable. A person's data in a social media site is intricately woven into the fabric of the site. Users generate posts, messages, chat, relationships with others, photos, applications etc. and in turn other people will add their own comments / thoughts on this content.

However, I am far from convinced that simply stating in your terms and conditions that your data cannot be deleted complies with data protection legislation (at least in the UK - any programming lawyers want to comment?).

We tend to handle the issue of deleting users' content by overwriting key fields in the record for that user (e.g. username, name, email address) and by overwriting key fields in the content they have posted (e.g. comments, blog posts). This means that you may come across a discussion post attributed to "deleted user" which reads "This post was deleted."

Data protection issues even affect decisions such as hosting (we tend to host applications in the UK for many clients for Data Protection reasons, despite the higher cost).

As a developer, how far is this my problem? I have a feeling that responsibility would ultimately fall on the legal owner of the application (my clients / employers) and it would be up to them to come after my company for not giving the issue proper consideration if they fell foul of this.

My questions to you are:

  1. How do you deal with the issue of deleting content from a social media application where data protection compliance is an issue?
  2. Whose responsibility is this ultimately?
  3. Should I just lighten up and be less concerned about these kinds of issues?

EDIT: Some great answers to 2 and 3 already, but what of the main issue? How do you handle removing a user's content from a complex social media application where it is tied in with so much other content?

+1  A: 

Stating that data cannot be deleted is certainly not compliant with EU data protection laws, where we have the right to request deletion and request that it not be shared; basically we can expect that data is

  • fairly and lawfully processed,
  • processed for specified purposes and not in any manner incompatible with those purposes,
  • adequate, relevant and not excessive,
  • accurate,
  • kept for no longer than is necessary,
  • processed in line with the individual’s legal rights,
  • kept securely,
  • transferred to countries outside the European Economic Area, only if the individual’s rights can be assured.

So not deleting when a user closes his account is arguably in breach of "kept for no longer than necessary".

The responsibility lies with the data controller; the company who collects and processes the data. If you have no involvement with day to day running of the system, if you have sold it to clients and they administer the system, then it's their problem.

Should you lighten up? Well that's subjective; personally, being in the UK, I take these things into account; because privacy is important, regardless of any commercial aspect.

To deal with your question about deleting from a social networking application, it simply doesn't matter. The data must be deleted regardless of the application itself. Now it's personal information that is the problem, so you may assume that it's just names, dates of birth etc; however, what if a comment gives identifiable information away? It's a bit of a minefield. The safest option is simply to nuke everything. In addition, because displaying the information on the web means it may/will be transferred outside the EU, you should have explicit permission for this when users sign up; the UK Information Commissioner has guidelines.

Insert standard I am not a lawyer, this is not legal advice disclaimer here

blowdart
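An added example, not code from either poster: the overwrite approach described in the question, plus a scan for the case raised in the answer above, where another user's comment still gives identifiable information away. The schema, table names and sample rows are constructed assumptions; a real application would cover every table that holds user data.

```python
import sqlite3

TOMBSTONE_USER = "deleted user"
TOMBSTONE_BODY = "This post was deleted."

def build_sample_db():
    """Constructed sample data: two users and one three-post thread."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, name TEXT, email TEXT);
        CREATE TABLE posts (id INTEGER PRIMARY KEY, user_id INTEGER REFERENCES users(id),
                            parent_id INTEGER, body TEXT);
        INSERT INTO users VALUES (1, 'alice', 'Alice Example', 'alice@example.org'),
                                 (2, 'bob', 'Bob Example', 'bob@example.org');
        INSERT INTO posts VALUES (10, 1, NULL, 'Anyone going to the meetup?'),
                                 (11, 2, 10, 'Yes - mail me, alice@example.org right?'),
                                 (12, 1, 11, 'That is my address, see you there.');
    """)
    return db

def erase_user(db, user_id):
    """Overwrite identifying fields and authored content in one transaction.

    Rows and foreign keys are kept so threads stay intact. Returns the
    identifiers that were overwritten, for use by residual_mentions().
    """
    row = db.execute("SELECT username, name, email FROM users WHERE id = ?",
                     (user_id,)).fetchone()
    if row is None:
        raise LookupError(f"no user {user_id}")
    with db:  # commits on success, rolls back if either UPDATE fails
        db.execute("UPDATE users SET username = ?, name = ?, email = NULL WHERE id = ?",
                   (TOMBSTONE_USER, TOMBSTONE_USER, user_id))
        db.execute("UPDATE posts SET body = ? WHERE user_id = ?",
                   (TOMBSTONE_BODY, user_id))
    return list(row)

def residual_mentions(db, identifiers):
    """Ids of posts (by anyone) whose body still contains an erased identifier."""
    hits = set()
    for ident in identifiers:
        rows = db.execute(
            "SELECT id FROM posts WHERE instr(lower(body), lower(?)) > 0", (ident,))
        hits.update(r[0] for r in rows)
    return sorted(hits)

if __name__ == "__main__":
    db = build_sample_db()
    print(residual_mentions(db, erase_user(db, 1)))
```

On the sample data the scan flags post 11: Bob's reply still quotes the erased user's email address, so overwriting only the user's own rows leaves it behind for review or redaction.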
+1  A: 

Blowdart's answer is great although I wonder about data which intrinsically relates to more than one individual - like a Facebook message or wall posting. Or even a PDF which contains the names of multiple individuals - what if one of them asked for the information to be deleted? I imagine that you would be allowed to retain that data.

Anyway that's not my answer. My answer is on the question of 'who is responsible'. While the data controller (your client) is indeed responsible under the legislation, you as a professional adviser may have a duty to them. So if they were prosecuted they might pursue you for damages for providing incomplete or wrong advice.

I would recommend that you make them aware of the legislation, advise them to get a lawyer (there are lots of good ones around who specialise in information law), and put it in writing. You'll be doing the client a service and protecting yourself at the same time.

If you are hosting the application then the position may be slightly different - there is a 'bureau' registration under the Data Protection Act which may be appropriate here, but in any case you should probably take a bit of legal advice yourself.

None of this is likely to apply to you as an employee, but it may apply to your employers as a supplier.

Leigh Caldwell