A regulatory model for personal data on social networking services in the UK.

The Data Protection Act 1998 is seen as partially effective for social media.Self-regulation is widely adopted by service providers but has limitations.User behaviour and system design can help protect privacy.Existing models of regulation do not reflect current regulatory activity.A new regulatory model includes: legislation, self-regulation, behaviour and design. Widespread use of online social networking services (SNSs) exposes users to a variety of risks. This study examines the UK's Data Protection Act 1998 (DPA) and considers the wider regulatory landscape in the UK. Although based on EU legislation, the DPA has shortcomings in enforcement and in regulating global services using national legislation. Lessig's model of internet regulation was used as a starting point to examine the alternative regulatory mechanisms that apply to personal data on SNSs. Interviews with industry experts highlighted self-regulation as a major influence on the behaviour of users and SNS providers. This has been incorporated into a new model of regulation that applies to SNSs. The resulting model has identified the following modes: law (statutory legislation), self-regulation (privacy policies and self-regulation of the online advertising industry), code (the way services are designed and their system architecture), and norms (expressed as user behaviour and collectively as market behaviour). The paper concludes that this new model of regulation is needed to adequately describe the current regulatory landscape as it applies to social media. This may form a better basis for evaluation of regulatory effectiveness in the future.