Instagram hoax 'should prompt companies to review' data subject requests

Out-Law News | 22 Aug 2019 | 2:30 pm | 2 min. read

Businesses should take heed of a recent Instagram hoax and review their processes for handling data subject requests, a data protection law expert has said.

Dublin-based Hannah Hassell of Pinsent Masons, the law firm behind Out-Law, said that many organisations may be unprepared to deal with increased data subject requests under the GDPR, particularly when exercised though informal channels.

Data subject requests were in the news recently when an online post called on social media users to post their objections to changes purportedly being made to Instagram's privacy policy went viral. Instagram subsequently confirmed that the post was a hoax, but not before a number of celebrities, including actress Julia Roberts, repeated the false warning.

The GDPR provides data subjects with a right to object to organisations processing their personal data in certain circumstances. Individuals have an absolute right to object to and stop the processing of their personal data for direct marketing purposes, but the right to object to other forms of processing is limited to specific circumstances under the GDPR.

The right to object to processing applies where organisations are processing the data in pursuit of a legitimate interest or for the performance of a task carried out in the public interest. In the 'legitimate interest' cases, organisations receiving such objections must be able to show that their compelling legitimate interests in continuing the processing override the interests or the fundamental rights and freedoms of the data subject.

The GDPR, however, does not dictate the form that objections must take. It does confirm, though, that where data subjects are using 'information society services', like social networks, the right to object can be exercised "by automated means using technical specifications", for example using tools to block the tracking of web browsing behaviour. In practice, objections to processing based on such automated means are more likely to apply to data controllers' use of cookies and other tracking technologies.

"Although the origins of the recent campaign against Instagram's supposed change to its privacy policy were false, the level of engagement, and re-distribution, exhibited by users demonstrates that organisations could face similar exercises of data subject rights through informal processes – such as via tweets or other social media outlets –  in the future," Hassell said.

"The hoax serves as a timely reminder to organisations that data subject requests can be made through a variety of formats, and even through unconventional channels," she said. "Businesses should therefore be wary to treat any and all objections to processing seriously, whether they are expressed verbally, written formally and submitted through conventional communication channels like email, or even where a customer tags an organisation's social media account in a public post as occurred in the Instagram hoax."

"Businesses should likewise be aware that data rights requests might come to anyone in their organisation, and not just through channels set up for that purpose, so all staff should be trained on channelling those requests through the correct internal processes," she said.