In the time before Facebook, there was Friends Reunited – a website which arguably helped to start the social media revolution in 2000. The closure of Friends Reunited has long been expected, but it raises interesting questions about what happens to our online ‘life’ when a website closes its doors.
Social networks (like Friends Reunited) are likely to be classified as data controllers under the Data Protection Act 1998 (DPA) as they will:
- collect the personal data of their users (e.g. account information); and
- control the processing of such information in order to provide the requested social media services (e.g. controlling the posting of such information).
As a result their activities will be subject to the provisions of the DPA.
The data protection principles (which apply to the collection of personal data) are set out in Schedule 1 of the DPA. In particular, Principle 5 governs use storage and retention and states that:
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose of those purposes.”
However, although personal data must ultimately be deleted once the purpose for which it was collected has expired, in reality the retention of data can be extended by the data controller by reliance on two factors:
- legal requirements (if any) requiring the retention of the data.
Depending on whether these factors apply, three options may be permitted: the sale, retention, or deletion of data.
When totally closing a website or stopping the provision of services, the data controller is also usually permitted to archive and store information (including personal data) for a reasonable time period following closure of the service for legal and administrative reasons, for example for the purposes of re-activating a user account where it is likely that the user might decide to restart the service in the future, or for auditing purposes.
Ultimately (as is the case for Friends Reunited) once a data controller genuinely ceases to provide its services, and therefore ceases to have a legitimate purpose to hold or process the data any longer, it should return the personal data to the user or delete the data (where necessary, putting it ‘beyond use’).
In Friends Reunited’s case the company has agreed to provide its registered users with the opportunity to download some of their data for a certain period of time. Following this period, it is highly likely it will delete the data to comply with the DPA’s requirements. Other services do not shut down so gracefully, with some providers shutting services down with only 24 hours’ notice – giving users little chance to preserve their data.
The closure of Friends Reunited, with potentially millions of records of personal data, highlights that managing online profiles carefully, storing memories safely in the cloud (or locally), and understanding your rights has never been more important. Memories can take a lifetime to build, but can disappear in an instant.
Amy Lambert is a solicitor and Robert Grannells is a trainee in the technology, outsourcing and privacy practice at Fieldfisher.