Privacy is the most common legal concept that a social network would meet. In this article, it will briefly explain what is privacy and how could our project handle it.
The conception of privacy
Even though the term of privacy can date back to hundred years ago, as William Shakespeare stated in his work Troillus and Cressida [1], privacy was treated as a right is only in 100 years [2]. Privacy right is a product of modern technology developing. Since photography, telecommunication and large scale broadcast were invented from 19-century, it is possible to harass and even infract one’s image and reputation. Under this circumstance, different countries begin to enact law (civil law countries) or set case (common law countries) in order to protect people’s right. However, until today, there is no universal conception of privacy accepted internationally, usually each country interpret privacy right under its context [3].
Generally say, European Union has the most strict privacy protection standard all over the globe. Compared with Common law countries, which prefer a sectoral approach to protect privacy in different situations. In another word, most common countries prefer a free information flow than strict information protection. Conversely, due to the identity related genocide during the World Second War in European continent, there is a universal call to strictly protect personal information in post-war period. As a result, European Union regulated a strict regulation to help citizen protect their privacy right.
EU Data Protection Directive
For European country, a valuable reference of privacy protection could be Data Protection Directive (Directive 95/46/EC) [4], which required to be implemented by each country’s law in EU. According to the Directive, a personal data refers to information that could be identifiable to a real person. Among personal data [5], some data was called as sensitive personal data that is able to reveal the racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, and the processing of data concerning to health and sex life [6], and any organization which keep such data would hold a proper liability to secure those data to a third party organization unless certain exception applied [7].
As an implementation of EU DPD in UK, Data Protection Act [8] provides equivalent level protection to personal data. Though privacy is not a clear and independent notion which were stated in UK legislation, DPA defined eight key principle of data protection restricted the privacy protection in IT industry.
In short words, a company holds following liabilities for personal data providers:
- Data should be processed in a fairly and lawfully way, and should not processed to third party unless exceptions (Required by authority, national security etc.)
- Data should be acquired by specific and lawfully purposes, and should not be use exceeded the given purpose or related purpose (For instance, a hospital cannot use patient’s health record for medical insurance investigation, but it would be fair to pass those data to another hospital if patient transformed)
- Data should be kept in accurate and up to data.
- Data provider holds the right to modify and remove according to their concern.
- Company should adopt adequate technical and regulation to keep one’s data is confidential, integrated and available from unlawful processing.
- Data should not be transformed to a country outside European Economic Area without adequate level protection as EEA does.
For our project related issues
As an intermediary of social network, Uin4one itself did not hold or store any user data from other social networks. Most date would be stored as local cache or present by APIs (where the data source is social network than our application). Even though one’s username and password of social network would relate to this application, it will be encrypted into a token which only readable for relevant social networks.
The only information our application would keep is a pair of E-mail address and a user-defined password. That information was used to identify user and let them log in to access their social network information. Basically say, an E-mail address itself could not be treated as a identifiable information, since anyone can sign up a e-mail address without any other information provided. However, when user login to our system, it should use security transmission such as HTTPS or SSL since a leak of E-mail address and password could cause user’s social network information leaked too. So that should be the part we need to pay attention to.
[1] ULYSSES: “But ‘gainst your privacy, The reasons are more potent and heroical: ‘Tis known, Achilles, that you are in love With one of Priam’s daughters.”by William Shakespeare, in Troillus and Cressida (1609)
[2] There are several origins of privacy (civil law believes it is a part of essential civil right, though few constitution clearly use the term ‘privacy’). Here it just refer to the U.S article which first stated privacy as a right in U.S, as the article by Samuel Warren and Louis Brandeis, The Right to Privacy, 4 Harvard L.R. 193 (1890)
[3] Some countries stated that privacy is individual right and should be protected as universal concept. Others may tend to protect privacy in different circumstances, like U.S.
[4] See http://ec.europa.eu/justice/data-protection/index_en.htm and http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML On 25 January 2012, the European Commission unveiled a draft European Data Protection Regulation that will supersede the Data Protection Directive.
[5] See Article 2 (a)
[6] See Article 8 (1)
[7] See Article 8 (2)
[8] See http://www.legislation.gov.uk/ukpga/1998/29/contents, DPA were adapted in 1998 in order to meet EU DPD’s requirement