Regurgitated content and liability
QUESTION 3
'Social networking sites are all about use generated content. Much of this content is regurgitated from other sources. What are the legal issues if this material appears on a company's website (i.e. if the company is using some type of social networking functionality)?'
ANSWER
The answer to this is clear. If the company has set up the site then it is likely to face the risk of liability in the following respects:
Defamation
If the material is defamatory then the company could be responsible for each fresh publication on its site. There are defences available under Section 1 of the Defamation Act for 'innocent' publication, but if the company takes an active part in monitoring, editing or participating in the site then that defence is unlikely to be available.
Copyright infringement
If the company has set up the system it is more likely to be vicariously liable for the infringing acts of its employees or for authorising infringements than in the situation described in the answer to the previous question.
Other criminal laws
There are also criminal laws relating to obscenity and pornography to consider as well as issues of the material exposing the company to discrimination claims.
Privacy laws
From a privacy perspective, there are also concerns.
Data Protection Act
The Data Protection Act (DPA) places obligations on how organisations can use and disclose 'personal data' and gives people a number of privacy rights to control how their data is used. A key question is whether photographs posted on social networking sites qualify as 'personal data' so as to be covered by the DPA. While the scope of what is 'personal data' is currently in a state of flux in the UK, there is no doubt that a photograph of an identifiable individual qualifies. False information about an individual and opinions are also 'personal data' and are covered by the DPA (a recent EU Working Party opinion confirms this).
Under the DPA, the key obligation on businesses who collect personal data is to inform individuals at the outset (eg via a website privacy policy) of all the likely uses and disclosures of their data. Where data is being disclosed, consent is usually required.
- — The problems in practice of social networking sites
Issues generated by social networking sites
Social networking sites generally present a number of potential issues.
The first issue is control. A user can upload photos of himself and his colleagues or friends to his profile page on a social networking site, without being required by the website to ask the permission of those friends to the uploading of their images. As a result, the friends have no control over what the user may decide to post on his profile page. Clearly this could lead to problems: for example, if an embarrassing photograph posted by a friend is viewed by other members of the community an individual could easily consider that his privacy has been infringed. A simple request as between friends may not, unfortunately, lead to the photo being removed; and in most cases such sites currently do no offer a mechanism by which an aggrieved individual can protect his privacy by requiring the 'friend' to take the photo down.
The second issue is the posting of false information, as there is nothing to stop users posting incorrect items about third parties on their profile pages. This may cause concerns over possible legal claims of 'false privacy' or defamation by the person who is a victim of a third party publishing something untrue. The other concern is that prospective employers may well look at a job applicant's profile on social networking sites as part of the recruitment process — clearly, there is also potential for damage to an individual's career prospects.
- — Whose legal responsibility is it?
Question of legal responsibility
Is the legal responsibility on the Service provider or service user? This is a difficult and as yet untested legal issue. To be regarded as the party subject to the DPA, the provider would have to be controlling the 'purpose and the manner' in which personal information is processed on the site. It would seem that it is the user, rather than the service provider, who is controlling what data is being posted on the profile pages, the broad purpose of the posting and the manner in which it is being published.
If this is correct, it is the user who has responsibility under the DPA, and the Web 2.0 provider could theoretically be regarded as inducing a breach of the DPA by encouraging users to post photographs without a mechanism for obtaining the consent of the third parties involved.
- — How to achieve compliance
Compliance
To ensure overall compliance, site owners should consider the following:
- — ensure users are informed during sign-up of all the different ways in which their personal data could be used or disclosed by other users
- — encourage users to obtain friends' permission prior to posting photos about them
- — encourage users to take down photos where friends object to their publication.
Whether an aggrieved individual could successfully bring a claim and against whom is another matter — we await with interest a test case in this area. In the meantime, if you use these services, think about what you post and be aware of the privacy pitfalls.
Summary
In short, if a company is setting up an internal social networking site it should approach this on the same basis as if it were a publisher and seek advice accordingly.
Ian De Freitas, Partner, Intellectual Property, ian.defreitas@blplaw.com & Paul Langford, Professional Support Lawyer, Business & Technology Services, Berwin Leighton Paisner LLP paul.longford@blplaw.com
© Berwin Leighton Paisner LLP
