The Huffington Post has recently published a story that begins thus: “When Justin Bassett interviewed for a new job, he expected the usual questions about experience and references. So he was astonished when the interviewer asked for something else: his Facebook username and password”.
So what would you do in such circumstances? And what would the data protection implications be if this happened in the UK? The conclusions I have reached is that the UK Data Protection Act would apply (even if an employer took a fleeting glance at a Facebook page), and that Facebook’s public comments promising legal action to protect privacy are window dressing.
Why does the Data Protection Act apply?
Suppose an employer at a job interview asks you to “consent” to provide your Facebook password and suppose further, the employer just loads one of your pages and says “No job for you”.
The data protection questions that need to be asked are (a) “has the employer processed personal data as a data controller?”; (b) “is consent valid?” and (c) “are there other data protection issues?”. I think the answer to (a) is “yes; (b) is that the employer’s consent procedure is very likely to be valid in the UK; and (c) there are potential breaches of the Data Protection Principles, at least relating to fairness and relevance.
So to the first question: why does the Act apply? Obviously, if the employer cuts and pastes anything from the Facebook pages onto a data file then obviously the Act applies as there are recorded personal data under the control of an employer as data controller.
But what if the data were not recorded by the employer? This is an important question because under the old Data Protection Act 1984, personal data needed to be permanently recorded. This meant that personal information held temporarily in electronic memory were not personal data and not caught by that Act.
So, suppose the employer just looked at a screen of personal information and that information had only a transient existence when it was displayed on the screen? Does this information still fall within one of the specified categories of “data”? Does the “data” still constitute the “personal data”? And are these personal data “processed”?
My answer is “yes” to all three. The information displayed on the screen is “data” by virtue of the definition of limb(a) of “data” which only requires that information “is being processed by means of equipment operating automatically in response to instructions given for that purpose”. Clearly the information is personal data as it identifies and relates to a prospective employee. The only remaining issue is whether the information is “processed” and there again, the definition of “processing” includes “obtaining”.
So the definitions do not include a requirement that personal data have to be “recorded in a form that can be processed” (as in the 1984 Act). This means that the employer in the UK would be processing personal data and the Act would be engaged, even if the employer restricted himself to a fleeting glance of a single Facebook page on a VDU screen.
Has the data subject consented to the processing?
I think the answer under the current DPA is “yes” – and it is important to explain why.
Our hypothetical UK employer is using what I call “Home Office consent” (or “Hobson’s choice consent”, if one is talking to Home Office officials). This form of consent is often used in the UK – it describes circumstances when the consent is freely given and fully informed, but the choices on offer are not really a choice.
For instance, most readers will have consented to their personal details being used by any host of people to trace their debts via a credit reference agency; you have to consent to this or you don’t get a loan or mortgage.
When you go through airport security, you may be given the following consent choice: “go through the scanner or do not fly”. The New Labour ID Card system was also keen on this form on consent: “consent to showing us your ID card, or choose not to get the service”. Enforced Subject Access also depends on this: “consent to use your access rights to your personal data held by the police or forget about a job”. (Note: I use the term “Home Office consent” because the issues mentioned in this paragraph are to some significant degree, unaddressed policy matters that are the responsibility of the Home Office in the UK)
.
The changes proposed in the Regulation infer that “Home Office consent” constitutes a valid “data subject consent” with respect to the definition in Directive 95/46/EC. For instance, the Regulation states in Article 7 that “Consent shall not provide a legal basis for the processing, where there is a significant imbalance between the position of the data subject and the controller” (and obviously there is such an imbalance if the choice is “give consent or give up hope of a job”).
So why does this support the notion of “Home Office consent” is valid? Well, the Regulation would not propose the inclusion of a concept of “imbalance” if the meaning of “data subject consent” as found in the Directive excluded “Home Office consent”.
Other data protection principles?
Although the data controller can argue he has “data subject consent” has to consider at least two Data Protection Principles (even in the ‘fleeting glance’ scenario). These Principles are:
(a) the Third Data Protection Principle in that the data controller has to demonstrate that the personal data are relevant to the purpose (e.g. employment purpose).
(b) the First Data Protection Principle in that the data controller has to be fair. I think in this context, fairness requires telling the data subject what personal data have been used to making the employment decision and an explanation why the personal data are relevant to that decision.
Breach of these Principles would also, I assume, be likely to trigger other breaches of employment law.
Facebook’s response to the use of Facebook for employment purposes
In response to this problem in the USA, Facebook’s Chief Privacy Officer (CPO) has stated on the company’s web-site that “In recent months, we’ve seen a distressing increase in reports of employers or others seeking to gain inappropriate access to people’s Facebook profiles or private information” and adds that “If you are a Facebook user, you should never have to share your password, let anyone access your account, or do anything that might jeopardize the security of your account or violate the privacy of your friends. We have worked really hard at Facebook to give you the tools to control who sees your information”.
The CPO continues “Facebook takes your privacy seriously. We’ll take action to protect the privacy and security of our users, whether by engaging policymakers or, where appropriate, by initiating legal action, including by shutting down applications that abuse their privileges” adding that “While we will continue to do our part, it is important that everyone on Facebook understands they have a right to keep their password to themselves, and we will do our best to protect that right” (my emphasis).
Why these statements on privacy are window dressing
So is the threat of initiating legal action to protect privacy valid? Well, I think the threat is much diminished by Facebook’s own Privacy Policy. This states that “When you publish content or information using the Public setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture)”.
The policy also states that “As a general rule, you should assume that if you do not see a sharing icon, the information will be publicly available”. Additionally, “when others share information about you, they can also choose to make it public” or “when you write on a Page's wall or comment on a news article that uses our comments plugin; this is because some types of posts are always public posts”. The Privacy Policy then states that “your name, profile picture, Facebook profile, User ID, etc has to be public so it can show up when someone does a search on Facebook or on a public search engine” (my emphasis).
Facebook has therefore stated that the fact you have a Facebook account (and therefore control Facebook pages) is public knowledge, available to all prospective employers, and this fact is out of your control. Of course you could deactivate a profile, but this deactivation does not guarantee to deactivate those details that have already been published (thus inferring the existence of a Facebook account that has been deactivated, an act that could easily reinforce the suspicions of any employer who asks for Facebook passwords).
In other words, Facebook makes a lot of information public and its business model makes it easy for users to make information public. And if information is in the public domain, it can’t have any claim that it is “private”. Hence, I don’t think there can be successful legal action in the USA to protect privacy with respect to this kind of public information.
But what about non-public information? Research has shown that the average Facebook user has 245 friends. So I think that most Facebook posts to large networks of “friends” are, in fact, publishing events in themselves. One cannot tell 200 individuals, many of whom are acquaintances rather that real friends, and expect to make a subsequent successful claim that these personal details distributed to 200 people (who could publish these details) are confidential or private.
So, I would argue that an employer would also have the defence that most personal information that is password controlled is effectively published. By asking for a Facebook password, all the employer is doing is accessing the public information in the full knowledge of the Facebook user.
In other words, I suspect the same “it’s in the public domain” defence as above could well apply, except in those rare circumstances when a circle of “Facebook friends” is very few in number.
That is why Facebook’s promise of supporting legal action to protect privacy is not credible. It’s a promise that has been defeated by Facebook’s own desire to make the maximum amount of information public, so it can be subsequently exploited by advertisers.
In summary, Facebook has been hoisted by its own petard – the use of Facebook by employers exposes the fact that users think their information is “private” when in fact it isn’t.
Privacy versus data protection; there are important differences
Finally, the above shows the fundamental difference in approach between the USA’s view of “privacy” and Europe’s view of “data protection”. The USA Privacy Officers will state, quite correctly, that anything in the public domain cannot be private. Hence there cannot be any “privacy protection” so the information can be used for anything. But, as we have seen, a data protection analysis asks additionally whether the use of public domain information is fair and relevant; the fact that such personal data may be in the public domain is largely irrelevant.
So whenever you talk to American Privacy Officers do not use the term “privacy legislation” as a shorthand to explain the workings of Europe’s data protection legislation. This is a mistake; there are far too many differences between the two concepts.
References
Huffington post story: http://www.huffingtonpost.com/2012/03/20/facebook-passwords-job-seekers_n_1366577.html?1332247088&ref=business
Protecting Your Passwords and Your Privacy, statement from its Chief Privacy Officer, Policy https://www.facebook.com/notes/facebook-and-privacy/protecting-your-passwords-and-your-privacy/326598317390057
Comments
You can follow this conversation by subscribing to the comment feed for this post.