When business trumps privacy

The BBC reports that the financial failure of gay teenager magazine XY, and its associated database, has given rise to a painful privacy conundrum: what happens to the database of registered site users?

When a company fails, it is normal practice for the administrator to seek the greatest possible asset value on behalf of the creditors. In some cases this means running the company on their behalf, but most of the time the administrator will sell off assets, or offer them up to creditors in lieu of debts. Ten years ago, the administrator would have been selling off the IT assets based upon their hardware value, but as businesses become increasingly aware of the (often intangible) value of data assets, these are being put up for sale as well.

That all seems reasonable, but we run into a fundamental conflict where the data assets contain personal information. A sale of the asset causes two principal problems from a data protection perspective: the change of Data Controller, and potential change of purpose of the personal information. The database has very little commercial value to the buyer unless the vendor can obtain consent from data subjects to both of these changes, and the sale would be in breach of the Data Protection Act (1998) unless this was obtained. In practice the new consent is so complex to obtain that this situation rarely arises in Europe, where the European Data Protection Directive provides parity of protection across member states.

But the US has no equivalent Federal legislation. Contrary to popular belief, US citizens have no constitutional right to privacy (although this is in part granted by various constitutional amendments), and instead achieve privacy through a powerful Federal Trade Commission, individual State legislation, and the ever-present threat of class action lawsuits against any company that infringes its own privacy policies.

And hence we have the situation arising with XY.com. The database, containing personal information about many tens of thousands of young gay men, many of whom will not yet have decided upon their own sexuality, or told family and friends about that sexuality, is now up for grabs. The creditors are keen to obtain the maximum value for the database, and this might include selling it for commercial purposes at odds with the original intentions. In the US, this may be legal, but the situation becomes increasingly complicated when we take into account that because of the global nature of the Internet, it is inevitable that EU citizens will be in that database. Does the Data Protection Directive apply? Can they demand protection of their personal data? As Privacy International’s Simon Davies points out,

“The selling off of private information, gathered under the supposition of privacy, is bad enough … Even worse if you’re forced into it. And positively untenable when the information is connected to kids who are dealing with a dawning sexual reality that in some instances is even more fraught than what straight kids go through. … I would argue that this is a case where the Information Commissioner should write directly to the US and ensure action is taken.”

That point about intervention by the Information Commissioner’s Office is an important one, and I agree that the Commissioner should get involved. But will the US listen? Probably not. More likely, the lawyers will weigh up the threat of a meaningful lawsuit being brought by young gay men in the EU, who may well have to disclose their details in order to take action (many will not wish to do so), and decide that the risk is acceptable. The situation is about as far from ideal as it could be, and underlines the pressing need for reform of the legal arrangements for transfer of personal data about EU citizens to the US in light of the general failure of the Safe Harbour agreement and companies’ poor implementations of Binding Corporate Rules.

This is also a classic case of how matters of gender and sexuality are often the lightning rods for privacy policy development. Young people growing up uncertain of their sexuality or gender often spend many years keeping their feelings and experiences away from some or all of the people in their lives, and may live ‘split’ lives whereby family, friends and employers have very different views of their personae. One of the most important implications of the fundamental right to privacy is the right to keep these aspects of our lives separate, and that right is critical where the wedge of prejudice might force a person away from the support of people they need most. Last week former Minister for ID Cards Meg Hillier MP demonstrated her appalling lack of understanding of this sensitivity by proposing the forcible outing of the UK’s transgender population.*

The Information Commissioner launches his annual report today, and I hope that, as his office publicly reviews the past year and speaks of the challenges of the year ahead, the protection of those individuals threatened with a loss of privacy by the potential sale of XY.com’s database is one of the topics on his agenda.

* – This was almost certainly because of a lack of understanding of ID issues rather than a lack of compassion for the transgender community, and I’m not for a moment suggesting any prejudice on her part.