Lecturer in Law and Cohort Tutor at the University of Hertfordshire
The emergence of online social networking services has provided us with numerous benefits and has transformed the way in which people work, live, interact and learn. Their use, however, also gives rise to a number of legal and regulatory challenges concerning the privacy of the users of such services. One of the most significant of these challenges is the way in which social networking sites may be used as a means of facilitating the unwanted publication of photographs. It is estimated that approximately 1.8 billion photos are uploaded to social networking platforms each day. Many of these pictures will contain images of identifiable individuals and will have been uploaded without their consent, or against their wishes, and may result in negative consequences. We frequently hear, for example, about individuals missing out on employment opportunities or being blackmailed as a result of personal data distributed via social media. Accordingly, how individuals can be put in a position from which they can exercise control over information shared about them online, photographic or otherwise, and protect their privacy, has become a salient issue for European privacy regulators. An interesting recent development has suggested, however, that technology, rather than the law, might be the best way of securing this objective.
Privacy in English law is primarily safeguarded by the Human Rights Act 1998, which incorporates Article 8 of the European Convention on Human Rights – which entitles an individual to “a right to respect for his private and family life, his home and his correspondence” – into the UK’s domestic legal order. Within this wording, there are four recognisable forms of privacy: personal, informational, territorial and communicational privacy. Informational or communicational privacy, which encompasses unwanted disclosures of information, has generally been protected by the tort of breach of confidence. However, due to technological advances, it appears that, for various reasons, this remedy does not map well to privacy violations that occur in cyberspace. Critics, in fact, have suggested that it is completely deficient in both its application and its remedial effect.
Aside from the European Convention on Human Rights, the main tool which purports to safeguard the privacy of individuals within Europe is the Data Protection Directive, soon to be replaced by the General Data Protection Regulation. The Regulation has been drafted specifically to respond to privacy challenges posed by contemporary online services like social networking sites. It aims to give individuals greater control over their personal data online by way of providing them with several new rights. Arguably, the most significant of these is the right to be forgotten, which will have the effect of forcing social networks such as Facebook to comply with users’ requests to erase every item of personal data stored on their servers. This would, hypothetically, allow users to ensure their personal data, including photographs in which their images are shown, are used in a way they see fit, enhancing their informational privacy. In reality, however, the introduction of the right to be forgotten may have a somewhat limited practical effect. Affording individuals rights which purport to give them extensive control over their information online may, quite simply, be administratively or technologically unworkable. For example, organisations commanding large quantities of data may struggle to effectively implement high volumes of deletion requests and, even if they were able to do so, the deletion of a photograph from a social networking site would not guarantee its deletion from the Web as a whole.
One conclusion that we might draw from this situation is that the ability of the law to control the unwanted disclosure of photographs online is truly limited. Perhaps, however, an answer to these issues might be found in the cause of all the trouble: technology itself. Notably, in early October 2016, AVG Technologies published its “Do Not Snap Badge”, a wearable badge linked to software that is designed to automatically blur the wearer’s face in photographs whenever they are posted online. According to AVG’s blog, the device works through an algorithm which is able to recognise the Do Not Snap logo, meaning that regardless of the platform or social networking site the wearer’s picture is uploaded to, their face should be automatically blurred. This should, therefore, allow individuals to exercise greater autonomy over their personal data online that is stored in photographic form, and as a result enjoy greater privacy. The problem, however, is that whilst AVG has open-sourced its badge-recognition software, so as to encourage its widespread adoption, there are no obligations for social networks and other social media platforms to integrate it into their services. According to Business Insider, for instance, a number of popular social media platforms like Snapchat and Facebook have no plans to use it. The lack of any compulsion for popular providers of such services could act as a considerable barrier to Do Not Snap’s widespread adoption and proliferation. Nevertheless, in an age where the online and offline worlds are being drawn closer together, and information technologies are woven ever deeper into our day-to-day lives, the Do Not Snap badge seemingly represents an early embryonic example of how emergent regulatory challenges might increasingly be solved by way of technology, or code, rather than law. If such a situation were to manifest, what then for the law? This is a question we may have to confront sooner rather than later.
 Business Insider (last accessed October 2016) “PLANET SELFIE: We’re Now Posting a Staggering 1.8 Billion Photos Every Day”, http://www.businessinsider.com/were-now-posting-a-staggering-18-billion-photos-to-social-media-every-day-2014-5?IR=T
 Grimmelmann, J. (2009) “Saving Facebook”, Iowa Law Review, 94, pg.1165.
 Art. 8 European Convention on Human Rights
 Marsoof, A. (2011) “Online social networking and the right to privacy: the conflicting rights of privacy and expression”, International Journal of Law & Information Technology, pg.4.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal L 281.
 An agreed text of the General Data Protection Regulation was adopted by the European Parliament in April 2016. See: European Parliament (2016) “Data protection reform – Parliament approves new rules fit for the digital era”, http://www.europarl.europa.eu/news/en/news-room/20160407IPR21776/Data-protection-reform-Parliament-approves-new-rules-fit-for-the-digital-era (last accessed April 2016)
 General Data Protection Regulation, Article 17
 The Telegraph (last accessed June 2013) “Young will have to change names to escape ‘cyber past’ warns Google’s Eric Schmidt”, http://www.telegraph.co.uk/technology/google/7951269/Young-will-have-to-change-names-to-escape-cyber-past-warns-Googles-Eric-Schmidt.html
 Business Insider (last accessed October 2016) “This wearable badge links to software that could blur your face in unwanted social media photos”, http://uk.businessinsider.com/do-not-snap-badge-protect-privacy-facial-recognition-unwelcome-photos-avg-innovation-labs-2016-10?r=US&IR=T