Privacy and social networking
Article by Dr. Michael Schmidl, LL.M. Eur. (Rechtsanwalt/Maître en Droit), published by BNA International in World Data Protection Report 07/09, p. 25 - 26.
In June 2009 the Article 29 Data Protection Working Party, an independent European advisory body on data protection and privacy set up under Article 29 of Directive 95/46/EC (“WP-29”), rendered an opinion on privacy law implications of social networking (“WP-163”). In its WP-163, the WP-29 defines a social network service as “online communication platform which enables individuals to join or create networks of like-minded users” and categorises them as being information society services, as defined in Article 1 paragraph 2 of Directive 98/34/EC as amended by Directive 98/48/EC. The WP-163 stresses that the key phenomenon of social networks lies in the fact that users are asked to provide sufficient information about themselves in order to create a thorough personality profile or description and that moreover such information can easily be distributed to others.
The social network providers offer the corresponding tools, which allow the sharing not only of directly private information but also of subjects of interest to the user such as their favorite music, films or actors. All this information allows the social network providers to tailor advertising campaigns to the respective user groups. Because many children and minors use social network services, WP-163 emphasises the importance for social network providers of making sure that this user group is adequately protected, inter alia by means of age verification, informed consent, awareness as well as training campaigns, limiting the scope of collected data and its purposes, and separation of communities of children and adults.
The WP-163 also deals with questions relating to the applicability of the European Data Protection Directive 95/46/EC and contains measures which social network providers should implement in order to abide by the legal principles contained in the European privacy framework.
The most important question of whether European privacy laws apply to the social network providers established outside Europe is not analysed. Instead the WP-163 refers to its WP-148 on search engines in which the WP-29 has extensively examined under what circumstances European privacy laws may be applicable. The use of cookies on the social network users’ computers in order to improve or customise the services is almost the rule and correspondingly a very frequent reason for applying European privacy laws to social network providers outside Europe. The reason for this effect of cookies is that they enable the social network provider to collect data without the users’ interaction. The users’ computers are thus turned into technical means under the control of the provider, which is sufficient to trigger the applicability of the privacy laws at the users’ locations.
On this basis the WP-163 deals with identifying the data controller in the framework of social network services. The statement that the social network providers are to be regarded as responsible data controllers is not surprising, especially if and to the extent they actively process the users’ data for their own business purposes but also since they provide all the network and user management functionality. The third-party providers of applications accessible for users of social networks can also qualify as data controllers, for example as regards the user data. The most interesting phenomenon, however, is the concept of users being qualified as additional data controllers. Although all users collect, process and use personal data about other users, they are exempted from the application of privacy law as a consequence of the so-called “household exemption”, if their data processing activities occur simply in the course of a purely personal or household activity. This exemption does not apply, however, where a user acts as company representative in the social network in order to promote the company’s activities, commercial, political or other goals or if a company uses the service as a professional collaboration platform. As a consequence the full set of data controller obligations applies. WP-163 lists further typical examples of when data controller rules have to be applied to users.
WP-163 also deals with the importance of restrictive so-called “privacy-friendly” default settings (e.g., on what data can be searched and found from inside the network or from outside by means of search engines), since such settings will most likely be left unchanged by the majority of the users, and with the importance of sufficient information and warnings to users regarding the impact on their privacy if they upload personal data. According to the WP-163, users especially have to be informed about planned direct marketing measures, data sharing with third parties, the risks of providing their own data (especially sensitive data) and the potential illegality of providing third parties’ data on social networks. The WP-163 recommends that the social network provider should also give information (e.g., on its website) on how to access a complaint facility, which could inter alia deal with the users’ rights of access, correction and deletion. Another aspect of “privacy-friendly” settings can be seen in the definition of maximum time periods for which data of inactive users is retained and in the deletion of users who have terminated their accounts. Moreover, the service provider has to enable data subjects to use the service with a pseudonym rather than with their real name.
In addition to these topics the WP-163 emphasises that any kind of direct marketing targeted at the users of the network must comply with the corresponding legal requirements, especially as regards the use of cookies and the technique of behavioural targeting. As per the WP-163 the social network providers do not have to fulfil data retention requirements applicable to providers of electronic communication services provided in Article 2 c) of the Framework Directive (2002/21/EC). This may be seen differently if they provide additional services that fall under the scope of an electronic communications service such as a publicly accessible email service. Another interesting aspect the working paper deals with is the handling of invitations to join the network directed at third parties by users of a networking system. Such invitations can be exempted from direct marketing restrictions for email if they are merely personal communications (i.e. no incentive is given to either sender or recipient, the provider does not select the recipients of the message, the identity of the sending user must be clearly mentioned, the sending user must know the full content of the message that will be sent on his behalf).
In many respects the WP-163 is similar to a June 2008 decision of the German Düsseldorfer Kreis (“GDK”), a panel in which the German Federal States’ data protection authorities reach agreement on the uniform application of the FDPA. The GDK’s decision contains a list of key obligations for the operators of social networks (for details on the GDK’s decision, please refer to an article written by the author which appeared in the May 2008 issue of the WDPR).