Friends Reunited – years of data, but where’s it going?

internet cyber data protection website email lock laptop web

In the time before Facebook, there was Friends Reunited – a website which arguably helped to start the social media revolution in 2000. The closure of Friends Reunited has long been expected, but it raises interesting questions about what happens to our online ‘life’ when a website closes its doors.

Social networks (like Friends Reunited) are likely to be classified as data controllers under the Data Protection Act 1998 (DPA) as they will:

  • collect the personal data of their users (e.g. account information); and
  • control the processing of such information in order to provide the requested social media services (e.g. controlling the posting of such information).

As a result their activities will be subject to the provisions of the DPA.

The data protection principles (which apply to the collection of personal data) are set out in Schedule 1 of the DPA. In particular, Principle 5 governs use storage and retention and states that:

Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose of those purposes.”

However, although personal data must ultimately be deleted once the purpose for which it was collected has expired, in reality the retention of data can be extended by the data controller by reliance on two factors:

  • the wording of the privacy policy under which the user consented to his personal data being collected
  • legal requirements (if any) requiring the retention of the data.

Depending on whether these factors apply, three options may be permitted: the sale, retention, or deletion of data.

A data controller can be permitted to sell personal data if its business is sold, provided this is not prohibited in its privacy policy. In the example of a business sale, the personal data may also be sold to allow the new data controller to continue to provide the service to the users. As a result, the data will be retained despite the closure of the initial business.  However, to legally process the personal data the new data controller will have to update the privacy policy to let users know who it is and/or may have to obtain new consent from its users (indeed, if sensitive personal data is to be processed new active consent must be obtained from each user).

When totally closing a website or stopping the provision of services, the data controller is also usually permitted to archive and store information (including personal data) for a reasonable time period following closure of the service for legal and administrative reasons, for example for the purposes of re-activating a user account where it is likely that the user might decide to restart the service in the future, or for auditing purposes.

However, the data controller should clearly set out its policy in its privacy policy and should ensure that when retaining personal data it re-evaluates its decision regularly so as to not overstep a reasonable retention period resulting in a breach of the DPA.

Ultimately (as is the case for Friends Reunited) once a data controller genuinely ceases to provide its services, and therefore ceases to have a legitimate purpose to hold or process the data any longer, it should return the personal data to the user or delete the data (where necessary, putting it ‘beyond use’).

In Friends Reunited’s case the company has agreed to provide its registered users with the opportunity to download some of their data for a certain period of time. Following this period, it is highly likely it will delete the data to comply with the DPA’s requirements. Other services do not shut down so gracefully, with some providers shutting services down with only 24 hours’ notice – giving users little chance to preserve their data.

The closure of Friends Reunited, with potentially millions of records of personal data, highlights that managing online profiles carefully, storing memories safely in the cloud (or locally), and understanding your rights has never been more important. Memories can take a lifetime to build, but can disappear in an instant.

Amy Lambert is a solicitor and Robert Grannells is a trainee in the technology, outsourcing and privacy practice at Fieldfisher.