Whose data is it anyway? close
Some of you may have read about the row in the US about XY.com, a gay teenagers magazine’s website that has filed for bankruptcy. Other than a couple of dollars in the bank, the only asset of note belonging to the failed company is a database of tens of thousands of young men. The argument is from one side: that the personal details were given with the assumption of privacy and should not be transferred to anyone else. And from the other side: "Any property listed... is property of the bankruptcy estate and (we) intend to administer those assets for the benefit of creditors."
Codegent creates sites that hold private data every day. And because we have a specialism in working with children and young people, much of that data includes children’s information, which brings with it many additional responsibilities. We often have the discussion with clients about the best way to protect children’s data, as well as protecting them online. The concerns from clients are generally around security of our systems and the best way to prevent children from being exposed to inappropriate content or malicious users. It’s something we take very seriously and something we’ve spent a lot of time on. It is beholden on us to ensure that we collect as little data as possible and we look to get parental approval for any user-generated content that we publish.
But never have any of our clients asked what would happen to the data if they went bust. Maybe because most of us don’t start a business thinking about what happens if that business goes down the plug-hole. But it’s something we should be worried about.
Privacy law is very clear in the UK and people have a variety of rights under the Data Protection Act, from accessing information that others hold about them, to preventing unsolicited marketing, even through to claiming compensation for distress caused by breaching the act. But according to Simon Davies, director of Privacy International, talking to the BBC, in the event of bankruptcy or winding-up, “all bets are off”.
But if I give my details to a website (or worse, agree to the details of my children being stored by that website), I don’t then expect those details to end up being used for something else by the website’s creditors about whom I know nothing.
Ordinarily, a business can’t just pass on your details to another company for a different purpose without your permission. But if ownership changes, for example if someone bought Facebook, all my details would become the new owner’s property, but so long as the details were only used for the purposes of me continuing to use Facebook. We recently took over Twilert from a former client, and although the service was broadly the same, we took the decision to contact everyone on that database and invite them to sign-up again. We did this because we wanted to be 100% transparent to our users, but given that we were going to use their data in the same way, we didn’t actually need to do this. (And in fact some people actually moaned that we didn’t just port all their data over to the new system).
But despite this, and although I’m no lawyer, to me the key question to ask is around the reason the data has been collected in the first place. Yes, there is value in that data that should be “administered for the benefit of creditors”, but so long as that data is only used for any future incarnation of XY.com. There should only be any value if the data is used for the same purpose that it was given. If they want to use the data beyond that they should get the permission of everyone on that list to do so. In other words, people should be able to opt-in, but there should be no automatic assumption that data is data regardless of where it sits.