A Cloud with a Lock on It

A Report on the Legal Issues of Privacy Online


There are a number of legal issues that must be considered when publishing content online, one of which is privacy. In the UK, the Data Protection Act is the main piece of legislation to ensure privacy online, and websites explain how they implement it in their Privacy Policies. There has also recently been the introduction of an EU cookie law, which governs how websites can use cookies to track our behaviour and browsing on their sites. Finally, it must also be considered what legislation there is to govern exactly what content we can post online. Once these three areas have been examined, it is possible to see how privacy fits in with other legal aspects of publishing online, and to make recommendations for the future.



Many websites now collect user data, sometimes in obvious ways, but often in ways that users don’t understand. This data collection, storage and/or distribution presents numerous legal issues, including that of user privacy. In recent years, a number of pieces of legislation have been passed across numerous countries to assist in governing web technologies. The legislation is too extensive and verbose to list here, so it makes more sense to examine some of the issues various pieces tried to tackle, with a particular view to UK legislation.


Data Protection Act and Privacy Policies

If a website collects user data, for example in registration forms, there are two things it must do. The first is to adhere to the Data Protection Act. This is an Act of Parliament defining the law on processing of identifying data on living people. [1] It governs how organisations, businesses and the government itself can use data (Principles are available in Appendix 1 [3]). The Act tackles a number of issues, protecting users’ privacy in a number of ways. It makes it illegal to withhold information when a request is made by the individual whom the data is about, prevents sale of the data to groups such as advertisers, and also tackles the potential security risks of storing personal data, ensuring personal privacy. The second is to explain its compliance via a Privacy Policy. This explains the steps the site takes to adhere to the Data Protection Act (or applicable legislation in their geo-political area). An example of the content of a privacy policy can be seen in Figure 1.


Figure 1: An example of the contents of a privacy policy, this one being the BBC’s. [6]

Some sites used P3P in their policies, which could facilitate some browsers quantifying the privacy of the website for the user. [4] However, implementation in web browsers was ineffectual, and the standard is now largely obsolete. [5] To summarise, the Data Protection Act is a piece of UK legislation that governs how websites must use and store data, and a website’s privacy policy should explain how it adheres to the Act and, as a result, protects user privacy. There are similar pieces of legislation to the UK’s Data Protection Act across the world.



A cookie is a small text file that can be placed on a user’s machine when they access a website. This facilitates server recognition of the device, and stores information about preferences and past activity. [8] A recent piece of legislation was passed by the European Union (now known as the EU Cookie Law) on the 26th May 2012. It was originally planned to require users’ explicit consent to store cookies, but was later changed to assume consent, provided that sites state clearly that cookies are being stored and provide easy instructions for removal. [9] An example of this is pictured in Figure 2.


Figure 2: An example of a pop-up informing users about cookie collection, from the CNN International site. [10]

This protects users’ privacy as it forces the publisher of the website to inform the user if they plan to track their activity or behaviour on the site. Although recent surveys have shown that users of the web in the UK are concerned about their privacy online (as high as 72% of people [11]), the Cookie Law has proven controversial. The main argument against the law is that it did nothing to discourage websites from placing cookies and tracking users. Indeed, the Information Commissioner’s Office reports that the average UK website placed 44 cookies on the first visit (10 more than the average globally) and a shocking 70% of the cookies placed were third party. [12] This makes cookies the chief way of monitoring users online, and thus the main invader of privacy. To summarise, the only law in place is that sites placing cookies must provide a very basic declaration of this. This does not limit the number, author or purpose of the cookies placed, which constitutes a reduction in privacy and explains why more needs to be done in this area.


Content on the Page (Placing a person in false context, Disclosure of Private Information, Commercial use of Private Property)

The final area that a web publisher must be wary of is the content itself. Much like regulations for traditional media, web publishers are restricted in the information that they can reveal, and must ensure this does not constitute an invasion of another’s privacy. The Human Rights Act of 1998 declares that every individual has “the right to respect of his private and family life” and this is no different in the online domain. The Internet Rights and Principles Coalition clearly states that individuals should have “freedom from defamation”, and that no one should suffer an unlawful attack on their honour online. [13] Although the coalition’s charter is not yet law, it represents a call to authorities to uphold the principles of the Universal Declaration of Human Rights online. [14] This may not apply to everyone, but is particularly relevant for those publishing news articles or investigatory pieces. While the charter is not law, there is still a precedent for charges to be levelled against those who publish private information about others online, under various domestic laws. A curious area for publishing content online is protecting the freedom of expression. Jonathan Dimbleby claims we are “liberated and simultaneously imprisoned by social media” [15], and this is an area that must be carefully examined from a legal standpoint, as technical legislation bounds ahead, and legislators are left in the dust. Finally, the other area that must be considered when publishing content online is commercial use of private property (although this is arguably copyright law). An example could be photographs taken on private property, and then sold online. There is confusion in this area, and many people continue to use pictures that are not their own for commercial purposes, such as advertising. The content on a webpage therefore should also be checked to ensure it does not infringe on privacy. While the infringements may not be as obvious, or technologically-exclusive, as others, they are still important, especially given their overlap with other legal spheres, such as copyrights and trademarks.



In conclusion, there are a number of potential violations of privacy online. While there is legislation in place to govern some of these, both in the UK and across the world, much lacks clarity. This in turn makes it harder for the publishers of web content to protect users’ privacy. Given the number of users that worry about their privacy online, it would be beneficial for both users and publishers of web content if this legislation were improved. Organisations such as the Internet Rights and Principles Coalition are trying to encourage a mirroring of the basic human rights in online behaviour, yet this has not yet taken off. Privacy also should not be considered independent of other areas. Privacy goes hand in hand with security (how to keep all of the personal data about us safe) and copyright (how to protect our private property), which makes it all the more important and increases the need for cross-border cooperation when trying to legislate the internet. It is logical to expect the privacy and transparency of legislation we have in the “physical world” also to manifest itself in a digital environment.


Reference List

[1] Data Protection Act, 1998. [Online]. Available: http://www.legislation.gov.uk/ukpga/1998/29/contents#sch2. Accessed: Feb. 21, 2016.


[2] A. Cavoukian and D. Tapscott, Who knows? Safeguarding your privacy in a networked world. Toronto: Random House Canada, 1995.


[3] HM Government, “Data protection,” in gov.uk, GOV.UK, 2015. [Online]. Available: https://www.gov.uk/data-protection/find-out-what-data-an-organisation-has-about-you. Accessed: Feb. 21, 2016.



[4] W3, “Using P3P on your web site,” in W3 – P3P, 2002. [Online]. Available: http://www.w3.org/P3P/usep3p.html. Accessed: Feb. 21, 2016.


[5] S. Fulton and D. L. F. Cranor, “Expert: Microsoft’s P3P ‘Ineffective,’ Google’s Privacy Bypass Unhelpful,” in ReadWrite, 2012. [Online]. Available: http://readwrite.com/2012/02/23/expert-microsofts-p3p-ineffect. Accessed: Feb. 21, 2016.


[6] BBC, “Privacy policy – privacy and cookies,” in BBC, 2015. [Online]. Available: http://www.bbc.co.uk/privacy/information/policy/. Accessed: Feb. 21, 2016.


[7] Information Commissioner’s Office, “Subject access request,” in ICO UK, ICO, 2015. [Online]. Available: https://ico.org.uk/for-organisations/guide-to-data-protection/principle-6-rights/subject-access-request/. Accessed: Feb. 21, 2016.


[8] A. Barth, “HTTP state management mechanism,” in IETF, 2011, sec. Overview. [Online]. Available: http://tools.ietf.org/html/rfc6265#section-3tools.ietf. Accessed: Feb. 21, 2016.


[9] Amity Web Solutions, “EU cookie law deadline, May 26th 2012,” in Amity Web Solutions Blog, 2012. [Online]. Available: http://www.amitywebsolutions.co.uk/blog/eu-cookie-law-deadline-may-26th-2012. Accessed: Feb. 21, 2016.


[10] CNN, “Breaking news, U.S., world, weather, entertainment & video news,” in CNN, CNN, 2016. [Online]. Available: http://edition.cnn.com. Accessed: Feb. 23, 2016.


[11] S. Gibbs, “Data protection concerns 72% of Britons in post-snowden world, research shows,” in The Guardian, The Guardian, 2015. [Online]. Available: http://www.theguardian.com/technology/2015/apr/09/data-protection-concerns-72-of-britons-in-post-snowden-world-research-shows. Accessed: Feb. 23, 2016.


[12] “A cookie can last 7,984 years, according to new international privacy study,” ICO, Feb. 17, 2015. [Online]. Available: https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2015/02/a-cookie-can-last-7984-years-according-to-new-study/. Accessed: Feb. 23, 2016.


[13] Internet rights & principles coalition, “Right to privacy on the Internet,” in Internet rights & principles coalition Charter, 2009. [Online]. Available: http://internetrightsandprinciples.org/wpcharter/archives/53. Accessed: Feb. 23, 2016.


[14] R. Bodle, “IRPC charter | Internet rights & principles coalition,” in Internet Rights & Principles Coalition, 2013. [Online]. Available: http://internetrightsandprinciples.org/site/charter/. Accessed: Feb. 23, 2016.


[15] J. Dimbleby, “For freedom of speech, these are troubling times,” in The Guardian, The Guardian, 2015. [Online]. Available: http://www.theguardian.com/commentisfree/2015/sep/21/freedom-of-speech-online-witch-hunts-law–bbc. Accessed: Feb. 28, 2016.






Appendix 1:

Principles of the Data Protection Act 1998:

  • used fairly and lawfully
  • used for limited, specifically stated purposes
  • used in a way that is adequate, relevant and not excessive
  • accurate
  • kept for no longer than is absolutely necessary
  • handled according to people’s data protection rights
  • kept safe and secure
  • not transferred outside the European Economic Area without adequate protection [3]

