January 10, 2008

Flawed dataportability

Things are moving quickly. After the Scoble affair last week, Facebook was challenged to join the dataportability working group. It duly did. The more astute commentators picked up that the dataportability working group (and the concept of data portability, as currently conceived) pays little regard to European data privacy law. In essence, its take on the world is from a less privacy-focussed US perspective. That has kicked off further interesting discussion about the impact of the UK's Data Protection Act, and what rights individuals have over their own personal data and the personal data of others who have established Facebook 'friend' links with them.

The comments on the Techcrunch post (from which I've taken the links above) throw up a sea of relevant issues, including the lack of understanding of data protection rights among users of social networks, the prevalence of US perspectives in a lot of tech / privacy debates, and the difficulty of the law keeping track of technology developments.

For what it's worth, I disagree that the UK's Data Protection Act is unsuited to developments in technology. On the contrary, I think it (and the EU legislation from which it emerges) does a good job of establishing principles that are technology neutral. Rather than the law failing to keep pace with the tech community and social networks, it is more realistically the case that the tech community and social networks (and what they want to do with data) have failed to give due regard to the law which regulates them. There is nothing in the data protection principles (see below) set out in the 10-year-old UK legislation that is not comprehensible and applicable in the context of social networks; it is rather that what is technologically possible (and for some desirable) is not necessarily permissible.

UK data protection principles

  1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless... [legal stuff].
  2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
  3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
  4. Personal data shall be accurate and, where necessary, kept up to date.
  5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
  6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
  8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

1 comment:

Phil Wilson said...

Perhaps we should be grateful that one of the founding members of the DPG, Ian Forrester, is a Brit?