Data protection, privacy, and other bits for personal websites
This is not a proper blogpost, but rather some hastily-scribbled thoughts in response to a question on Twitter, which would be better held in one place than in a series of tweets.
This is not legal advice.
The question, in a nutshell, is about the application of the data protection and ePrivacy framework when it comes to personal sites, such as a blog.
So here are some quick, off-the-cuff, thoughts.
The (UK) GDPR applies only if you are processing personal data
If you are not processing personal data, you don’t need to worry about the UK GDPR.
If you are just serving up pages which themselves do not contain personal data, with no comments section, no newsletter, and no individual-level analytics, the likelihood of the UK GDPR applying is low.
IP addresses and server logs
There is an argument to be had about IP addresses in server logs. There is case law from the Court of Justice of the European Union on this, but relating to a set of facts involving logs, including IP addresses, which were kept “[w]ith the aim of preventing attacks and making it possible to prosecute ‘pirates’”.
Even though the site operators — the German government, which may also play a role in the decision — could not identify an individual from an IP address, the court’s reasoning was that:
in the event of cyber attacks legal channels exist so that the online media services provider is able to contact the competent authority, so that the latter can take the steps necessary to obtain that information from the internet service provider and to bring criminal proceedings
In other words, by relying on the facilities and powers available to others, it was possible to identify an individual.
(For what it’s worth, I think this judgment is poorly reasoned, and makes some logical leaps in terms of linking an IP address to an individual, but, hey, no-one asked for my view.)
Even if an individual operating a personal website keeps full, untruncated IP addresses in logs, for a limited period, purely to assist with the operation of the site (e.g. fail2ban to deal with abusive logins, or the like), I think there’s scope to argue that those IP addresses are not “personal data”. But it’s arguable, and so potentially risky.
Better would be to truncate the IP addresses before storing them in the logs, so that they could not be used, even in conjunction with the police, to identify an individual.
In other words, if you can avoid processing personal data, do so.
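One way to do that truncation, as an added example rather than anything from the original post: zero the host bits of the client address before a log line is stored. It assumes the common “combined” log format used by nginx and Apache (client address as the first field), and the prefix lengths (/24 for IPv4, /48 for IPv6) are a constructed choice, not a legal threshold.

```python
"""Truncate client IP addresses in web server access logs before storage.

Added example, not from the original post. Assumes the "combined" log
format used by nginx and Apache, where the client address is the first
space-separated field. The prefix lengths below are a constructed choice.
"""
import ipaddress
import sys

IPV4_PREFIX = 24  # keep 203.0.113.0, drop the host octet
IPV6_PREFIX = 48  # keep the first three hextets, drop the rest


def truncate_ip(ip_text: str) -> str:
    """Return ip_text with its host bits zeroed, or unchanged if not an IP."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return ip_text  # not an address (e.g. "-"); leave the field alone
    prefix = IPV4_PREFIX if addr.version == 4 else IPV6_PREFIX
    # strict=False lets ip_network clear the host bits for us
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def anonymise_line(line: str) -> str:
    """Rewrite the leading client-address field of one access-log line."""
    head, sep, rest = line.partition(" ")
    return truncate_ip(head) + sep + rest


def anonymise_lines(lines):
    """Apply anonymise_line to every line, preserving order."""
    return [anonymise_line(line) for line in lines]


# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '203.0.113.77 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 612 "-" "curl/8.0"',
    '2001:db8:abcd:1234::5678 - - [10/Oct/2023:13:55:37 +0000] "GET /feed.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # Typical use: pipe the log through this script at the point it is
    # written to longer-term storage, e.g. as a log rotation step.
    source = SAMPLE_LOG if sys.stdin.isatty() else [l.rstrip("\n") for l in sys.stdin]
    for out in anonymise_lines(source):
        print(out)
```

Note that a tool like fail2ban needs the full address at the moment it reads the live log, so truncate at the point of retention (on rotation, or before shipping elsewhere) rather than in the log fail2ban watches.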
If you collect email addresses (e.g. for comments, or for a newsletter sign-up), or if your site content contains the personal data of other people, then this is irrelevant anyway, since you are processing personal data regardless.
The (UK) GDPR does not apply to processing “by a natural person in the course of a purely personal or household activity”
This is commonly known as the “domestic purposes” exemption.
Case law shows that it is interpreted narrowly, particularly in the context of online activity, but that does not mean it does not exist at all.
I am not aware of case law specifically about personal blogs / sites.
Recital 18 to the GDPR says:
This Regulation does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity and thus with no connection to a professional or commercial activity. Personal or household activities could include correspondence and the holding of addresses, or social networking and online activity undertaken within the context of such activities.
My gut feeling is:
- if you are including personal data of other people in the site content, and the site is available to the world, you’d struggle to argue this exemption applied. (i.e. the UK GDPR would apply to that processing).
- if you are talking solely about data contained in logs, or newsletter admin tools, which is available only to you, then I think there’s a good argument that running a personal site is still a “purely personal … activity”, and so the GDPR does not apply to that processing.
Even if it does apply, what do you need to do?
The UK GDPR has requirements which apply in all cases (unless an exemption applies), and other requirements which apply only if the processing will reach a sufficient level of risk. I’m going to go out on a limb and say that a personal website probably won’t trigger those conditions.
So the gist is:
- process (including storing) as little personal data as you can. Question whether you really need it.
- work out what your lawful basis is for that processing. It’s probably either:
  - you’ve got the person’s consent (and you’ve got a record of it), and you’ve given them a simple way of withdrawing consent at any time, at which point you cease your processing
    - e.g. newsletter sign-ups
  - you’ve got a legitimate interest in doing it, and your interests override theirs
    - for example, serving up web pages, if it entails processing of personal data at all, is likely to be valid processing under this basis
    - comment systems are likely to fall under this too
    - probably, although more arguably, unobtrusive analytics, but see the rules on cookies and the like, below
- tell people what you are doing with their data. You’ve got to include certain things in that transparency information. It could be a “privacy notice”, but it doesn’t have to be, and it’s probably best if it is “just in time” information instead.
  - in other words, tell people what you’ll do with their email address, why, for how long, etc. at the point you collect it, so it’s obvious then, rather than making them dig into a privacy notice
  - the regulator has provided a free template. It’s horrible, but it’s free, and it would be hard for the regulator to grumble if you used their own template correctly.
- do not use personal data for anything other than the (stated) reasons you collected it
  - there are exceptions to this, but they are narrow.
- get rid of personal data automatically, when you no longer need it.
- store the personal data with an appropriate degree of security.
- be prepared for people to ask you for a copy of their data, but it’s (hopefully) unlikely.
Do I need to register with the ICO?
The rules about registration with the ICO are separate from the rules around processing of personal data.
The simplest thing to do is to use the regulator’s own toolkit.
If all your processing falls within the “domestic purposes” exemption (above), you have no requirement to register.
Cookies and the ePrivacy framework
The GDPR applies only where there is processing of personal data.
The rules on cookies contained in the ePrivacy framework are not limited to processing of personal data, and there is no “purely household purposes” exemption.
In the UK, the rules are contained in the Privacy and Electronic Communications Regulations 2003.
Although they’re often known as the “cookie” rules, they apply more broadly. They apply whenever someone stores information in the terminal equipment of a subscriber or user, or gains access to information stored in the terminal equipment of a subscriber or a user.
The gist of the rules is:
- if your storage / access is “strictly necessary” to provide the service a subscriber or user has requested (e.g. to serve the page, remember what they have added to a shopping basket to enable them to check out, or for security or legal compliance purposes), you do not need consent. Under the ePrivacy rules, you do not even need to tell them what you are doing, but if you are processing personal data for these things, then the UK GDPR’s transparency requirements apply anyway.
- if your storage or access is not “strictly necessary” – perhaps it is for analytics purposes, or advertising purposes – then you need to tell the subscriber/user what you want to do, and get their consent, in each case before you do it.
- The UK’s regulator has said words to the effect of “we don’t care about unintrusive first party analytics, even though we know that the law says you need consent”. So you might get away with this.
- consent requires a positive action, in response to a specific thing. “Continuing to browse this website” does not get you consent.