A recent report by the Science and Technology Committee (a UK parliamentary select committee) on the Responsible Use of Data (the Report) concludes that online terms and conditions for the use of social media platforms are unnecessarily complex and may not serve their intended purpose of obtaining informed consent from a user for the right to process personal data.
While the Report focuses on the UK, the Committee’s observations have relevance globally because the requirement for informed consent to process personal data features in the privacy regimes of many jurisdictions.
In the UK, the Data Protection Act 1998 provides that businesses may process personal data if they have obtained the informed consent of the user (Data Protection Act 1998, Schedule 2). “Consent” is not defined in the Data Protection Act 1998 so the term is interpreted by reference to the EU Data Protection Directive (95/46/EC) to which the Data Protection Act 1998 gives effect. The EU Data Protection Directive (95/46/EC) defines consent as “ . . . any freely given specific and informed indication of [the data subject’s] wishes by which the data subject signifies his agreement to personal data relating to him being processed” (EU Data Protection Directive (95/46/EC), Article 2). Typically, a social media platform business will seek to obtain this consent by requiring the user to accept a set of terms and conditions in order to access and use the platform.
The Report questions the efficacy of this practice. It notes that making acceptance of the terms and conditions the basis for permission to use a social media platform does not necessarily correlate to having obtained informed consent, as such terms and conditions are rarely read in detail or understood by the user. They are often far too long, contain jargon and use complex language.
The Committee observes that the opaque, legalistic style of terms and conditions makes them unsuitable for explaining to a user how a business intends to use the user’s data. It emphasises that businesses need to communicate effectively how they intend to use the data they collect, and if the terms and conditions do not achieve this then businesses will need to spell out separately what the data is going to be used for.
The implications of such an approach for most businesses are immediately apparent. It means that a separate way of drawing the attention of the user to what uses will be made of the user’s data would need to be developed if the terms and conditions are not effective in obtaining informed consent. This in turn would require changes to the way information is presented to a user on a website when he/she first accesses a social media platform.
The Report suggests that the widespread adoption of an effective means of communicating the intended use of collected personal data could be achieved through the development of a set of information standards that businesses can sign up to. Such standards would commit them to explaining to their customers their plans for using personal data in clear, concise and simple terms.
Observing that, when users sign up to access social media services, businesses often require them to provide personal information without any explanation justifying the requirement, the Committee notes that some of the requested information may simply not be necessary. For example, the Committee queried why an app supplier needs to know a user’s location for a service that is not location-dependent.
The Committee concludes that businesses ought to draw a distinction between information required to access a service and information that is merely requested but not required as such. The Committee considers that businesses have a greater responsibility to explain to the user their need for required information than would be the case for merely requested information.
Finally, the Committee recommends that the UK government should work towards the development of an internationally recognised “kitemark” system to grade the contents of social media platform terms and conditions. According to the Committee, such a system would provide users with an easy and immediate identification of those terms and conditions that have achieved a high kitemark rating, as well as incentivise businesses to review their terms and conditions to obtain a good kitemark rating.