A friendly word of caution for Datonomy readers: if you post anything about anyone online without their consent, you might be breaking the law.

In today’s world of rampant online social networking and virulent blogging, lots of us write stuff about other people on the internet all the time. Most of us are aware that if we write something really offensive, then we might get into trouble – we’ve at least heard of the law of defamation.

But what about where we post something that is not defamatory? An example – I update my Facebook status to say that I’m “celebrating my wife’s 40th birthday”. Not unlawful, right?

Well, ludicrously enough, it might be. Unless she had told me I could reveal her age to the world, I would probably have just unlawfully processed her personal data, in contravention of the Data Protection Act.

When we think about data controllers and data processors, we tend to think about the banks, government departments, NHS trusts, employers, etc. who hold our personal data in their databases. But thanks to the fabulously-named ECJ case of Bodil Lindqvist v Kammaraklagaren, whenever we post any personal data online we are probably processing it for the purposes of the Data Protection Act. And as the select readership of Datonomy is already no doubt well aware, the DPA says that personal data must be processed fairly and lawfully.

Even worse, knowing that my Facebook friends around the world are likely to check my status, I might well be guilty of transferring my wife’s personal data outside the European Economic Area – also unlawful under the DPA.

So be careful what you post. If you don’t, you might end up getting an enforcement notice from our new Information Commissioner. Of course, you’ll probably be ok unless the person you’re writing about makes a complaint. Which is why it’s safest to clarify that any 40th birthday celebrations for my wife would be extremely premature!

Leave a Reply

Your email address will not be published. Required fields are marked *