Skip to main content

Social Media: Data Protection

Question for Department for Digital, Culture, Media and Sport

UIN HL14882, tabled on 27 March 2019

To ask Her Majesty's Government what assessment they have made of the possible future use of encrypted metadata mining by social media companies.

Answered on

9 April 2019

Social media companies that process metadata that contains personal or identifying information about individuals in the UK must comply with the General Data Protection Regulation and the Data Protection Act 2018. The Privacy and Electronic Communication Regulations 2003 also imposes certain restrictions on the processing of metadata.

These rules impose strict obligations on organisations to process people’s data fairly and lawfully and to ensure that any data collected is held securely. Organisations must also ensure they have a legal basis for processing data, are clear and transparent about how personal data will be handled, and ensure that the data is processed in a way which individuals would expect. Organisations that fail to comply may be subject to enforcement action by the Information Commissioner’s Office.

The Government has also recently set up the Centre for Data Ethics and Innovation to provide independent and expert advice on the governance of data-driven technologies. One of the Centre’s first projects is to investigate how data is used to shape people’s online environments via the personalisation and targeting of messages, content and services. The Centre will publish an interim progress report on this project in the summer.