In the midst of the buzz about Automattic acquiring Tumblr, some of us took pains to point out that we literally can’t see anything on Tumblr blogs, nor would we want to – not at the cost of playing Verizon/Oath’s privacy head games.
If you don’t know what I’m on about, click on this link to view the 1349 x 19249 screen cap of the second of four privacy Zuckering screens which European users have to wade through in order to view the content on any Tumblr blog.
Click on the thread for more screen caps.
It's actually a lot worse than that. Here is the first thing any European user sees when trying to access any Tumblr blog, in this case, Matt's. Tumblr *does not allow access* unless the user consents to having their search, location, and browsing data accessed. pic.twitter.com/Z4Kh89dQhl
— Heather Burns (@WebDevLaw) August 13, 2019
The merger brings up two valid questions: will the privacy head game continue under new ownership, and what is being done with the personal data which – by nature of the transaction – will have been part of the acquisition? After all, removing the “huge block of legal language” – as Matt Mullenweg said in the New York Times – only removes the interface which gave users their choices and options. The data capture, storage, and transfers still take place when they’ve been baked into the way the site works.
And that brings up a third question: did they think to ask about these things at all? It’s entirely possible they did not, as both companies’ American bases mean that no one involved in either side of the transaction will have seen the privacy head game, much less been forced to play it just to see the content.
For my wonk job, I’m currently evaluating the ICO’s draft code of practice on data sharing, which is open for public consultation until 9 September. There is a section on due diligence when sharing data following mergers and acquisitions (see page 70 of the PDF draft).
This guidance might be useful to keep at hand if you ever decide to acquire a privacy-invasive social network. As you do. Especially one that’s under investigation – which means that you will be too.
Here’s what the draft has to say:
At a glance
If merger or acquisition or other change in organisational structure means that you have to transfer data to a different or additional controller, you must take care. You must ensure you consider data sharing as part of the due diligence you carry out, including establishing the purposes for which the data was originally obtained, and your lawful basis for sharing it. You must comply with the principles, and document your data sharing. Consider when and how you will inform individuals about what’s happening to their data. You must also ensure sound governance, accountability and security.
In more detail
This chapter is of particular relevance to the private sector. It highlights situations such as mergers and acquisitions, or other changes in organisational structure, where you need to make good data sharing practice a priority.
How does data sharing apply to mergers and acquisitions?
Data sharing considerations may become a priority when a merger or acquisition or other change in organisational structure means that you have to transfer data to a different organisation. For example, as part of a takeover, data might be sold as an asset to a different legal personality. You must take care if, as a result of the changes, there is a change in the controller of the data, or if the data is being shared with an additional controller. This is the case whether you are the sharing or recipient controller. We will look at this from the point of view of the organisation sharing the data with a different controller:
- ensure that you consider the data sharing as part of the due diligence you carry out;
- follow the data sharing guidance contained in this code;
- establish what data you are transferring;
- identify the purposes for which the data was originally obtained;
- establish your lawful basis for sharing the data;
- ensure you comply with the data processing principles – especially lawfulness, fairness and transparency to start with;
- document the data sharing;
- seek technical advice before sharing data where different systems are involved: there is a potential security risk that could result in the loss, corruption or degradation of the data; and
- consider when and how you will inform individuals about what is happening. Under the GDPR you are required to keep individual data subjects informed about certain changes relating to the processing of their data, and they may have a right to object. Please see the guidance on individual rights on the ICO website at www.ico.org.uk.
The same considerations may apply in reverse to the controller receiving the data.
How do we manage shared data following a merger or restructure or other change of controller?
On a practical level, it can be difficult to manage shared data immediately after a change of this kind, especially if you are using different databases, or you are trying to integrate different systems. It is particularly important in this period to consider the governance and accountability requirements of the GDPR. You must:
- check that the data records are accurate and up to date;
- ensure you document everything you do with the data;
- adhere to a consistent retention policy for all records; and
- ensure appropriate security is in place.
And as with all of the steps that go into building a genuine and healthy regard for user privacy, document your due diligence or it didn’t happen. Because Helen’s going to want to see a copy of it, so she will.