Data Protection Law Enters the Social Media Era
The usage of these networks started out as a trend which has developed through the years into an essential tool in the everyday lives of millions of people, providing an easy platform to communicate, share and publish views, news and information. The usage of these networks results at the same time to a massive transfer of personal data around the globe.
Data Protection Legislation could not be far behind these new communication networks since people are in need of protection now more than ever and maybe more than many of us realise. The everyday casual usage of social networks may in some cases lead to an increased level of exposure. Safeguard measures are required, especially when the personal data of children is affected.
In Cyprus, the Processing of Personal Data (Protection of Individuals) Law (Law 138 (I) 2001) (henceforth “the Law”) has been enacted in year 2001 and is soon to be replaced by the General Data Protection Regulation (GDPR) and three new legislation acts to come into force beginning of next year. Article 18 provides for the appointment of the Commissioner of Personal Data Protection entrusted with the power and duty to safeguard the implementation of the Law.
One of the Commissioner’s most recent decisions following a complaint for the violation of the Personal Data Law, concerns the use of the social networking platform Facebook. A mother (Ms. A) had filed a complaint on 28th February 2016 regarding the posting of her minor child's personal data on Facebook by the father (Mr. P), which marked her first complaint. At the time of the complaint the posts had been deleted. However, new posts were posted by Mr. P and Ms. A lodged a second complaint to the Commissioner on 4th October 2016. The Commissioner issued a decision on 2nd May 2017 terminating the complaint examination based on the data she had before her. Ms. A, on 4th September 2017 filed a third complaint claiming that Mr. P, her ex-husband, was uploading photos and comments concerning her and her minor child on the social networking site Facebook, without her consent. Ms. A provided the Commissioner’s office with a Family Court Order of 2nd June 2017, according to which she was entitled the exclusive parental custody rights for the minor child. Mr P. voluntarily withdrew the said posts from his Facebook ‘wall’.
The Commissioner considered that the aforementioned posts on Facebook which had been posted without the consent of Ms. A, were unacceptable. In addition, the Commissioner felt that the provision of information concerning details of the complainant’s place of residence was dangerous and the information on her family status was not in the best interest of the child. Therefore, the Commissioner considered the processing of personal data as excessive and unfair.
On the basis of the above, the administrative sanction imposed by the Commissioner was a warning to Mr. P for violation of Articles 4 (1)(a)(c) and 5(1) of the Law. The Commissioner stressed that if similar infringements were repeated, the measures to be taken would be particularly strict. The Commissioner’s decision was handed to Mr P on 20th September 2017.
Ms. A, on 26th September 2017 submitted her fourth complaint, which concerned a new post by Mr. P. containing a photograph of their minor son. The Commissioner asked Mr. P to submit any comments/opinions/positions regarding the above, and following his reply, the Commissioner delivered her decision.
Articles 23 (f) and 25 (1) of the Law empower the Commissioner of Personal Data Protection with the authority to impose administrative penalties if it is found that a person has breached their obligations under that Law. Taking into consideration the fact that Mr P disregarded the previous administrative sanction of the warning, the Commissioner decided to impose to Mr. P the penalty of € 1,000 (Thousand Euros) and the removal/destruction of the said post with the child's photo.
The Commissioner’s role seems vital and works as a shield safeguarding the individuals’ right to decide about their personal data. This right is of course extended to the right of the parents to decide about their children’s personal data. Our children are being raised by a generation, our generation, who -in the best case- have developed an acquired skill in social media. For many of us the road to the realisation of the duty we have towards our children and towards the adults they will one day transform into, as well as the measures we need to take in order to protect our minors’ personal data, is a long one. In the meantime, the law seems to have evolved naturally into the social media era. A testament of this is the role of the Commissioner, derived from legislation, which has proven to be of great significance.
Article provided by:
- Alexia Kountouri (Lawyer, tassos papadopoulos & associates LLC)
- Constantinos Andronicou (Lawyer, tassos papadopoulos & associates LLC)
Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project
Director CPC project: Dr. Tobias Höllwarth, tobias.hoellwarth@eurocloud.org