Article 29 Working Party issues Opinion on Online Social Networks
The Article 29 Working Party (“Working Party”) has issued an opinion on on-line social networking and the applicability of European Union data protection law to social networking websites.
The Working Party is a body set up by the European Commission under the Data Protection Directive. Its main tasks are:
(a) to promote the uniform application of the general principles of the Data Protection Directives in all member states through co-operation between data protection authorities in each of the member states;
(b) to advise the European Commission on Community measures affecting the rights and freedoms of natural persons with regard to the processing of personal data and privacy, and
(c) to make recommendations to the public at large and Community institutions on matters relating to the protection of persons with regard to the processing of personal data and privacy in the European Community.
Opinion 5/2009 on on-line social networking (the “Opinion”) was adopted by the Working Party in June 2009. The Opinion focuses on how the operation of social networking sites can comply with European Union data protection law. The Opinion also provides guidance to the operators of social networking sites on measures that need to be in place to ensure compliance with European Union law.
The Opinion considers the data protection implications of social networking sites from three main perspectives:
- the application of EC Directives and national law to social networking sites;
- the obligations of social networking site providers under data protection law; and,
- the rights which users of social networking sites have under data protection law.
Applicability of EU Directives
The Working Party considers that the data protection directives generally apply to the processing of personal data by social networking site providers even where the headquarters of the social networking site providers are outside the European Economic Area.
Under the data protection directives the Working Party considers that providers of such websites are considered to be data controllers while the users of such sites are considered to be data subjects. Application providers may also be considered to be data controllers under the Directive.
Obligations of Social Networking Site Providers
The Working Party considers that the providers of social networking sites should inform users of their identity, and provide clear and comprehensive information about the purposes and different ways in which they intend to process personal data.
The Opinion further recommends that social networking service providers should offer privacy friendly default settings. The Opinion notes that, as only a minority of users signing up to a service will make any changes to the default privacy settings, social network providers should offer privacy friendly default settings which allow users to freely and specifically consent to any access to their profile’s content that is beyond their self-selected contacts, in order to reduce the risk of unlawful processing by third parties.
Further, the Opinion states that social networking site providers should provide information and adequate warning to users about privacy risks when they upload data onto the social networking site. Users should be advised by social networking site providers that data regarding other individuals should only be uploaded with that individual’s consent.
In respect of sensitive data, as defined in the data protection directives, the Working Party considers that social networking sites must be aware that data subjects must explicitly consent to such data being made available and being processed. Sensitive data includes data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or data concerning the health or sex life of the data subject.
The Opinion also addresses issues such as the processing of data of non-members of the social networking site, third party access to the social networking site and the legal consequences of direct marketing. In respect of the direct marketing issues (and the use of personal data in this regard) which social networking sites raise, the Working Party intends to address this issue in a separate document in the near future.
The Opinion also notes that the home page of the social networking site should contain a link to a complaint facility which is suitable for both members and non-members of the social networking site. The social networking site must set maximum periods to retain data on inactive users. Abandoned accounts must be deleted and social networking site operators must be aware of their obligations under the Data Protection Directive, especially with regard to the requirement to keep data only for so long as is necessary. Further, social networking site operators should take appropriate action to limit the risks associated with minors being members of social networking sites.
Rights of Users
The Opinion addresses the rights which users of social networking sites have and notes that both members and non-members have rights in this regard. These rights include the right to rectification of incorrect information and the right of access to any information held on them. Again, the Opinion emphasises that, at a minimum, the home page of social networking service sites should clearly refer to the existence of a complaint handling office which will deal with data protection and privacy issues and complaints by both members and non-members.
The fact that the Opinion considers that the duties of data controllers may apply to non-resident social network website operators is a significant step in safeguarding the privacy and data protection rights of users of these websites.
While a Working Party opinion is not binding law, it is often used by data protection authorities as a reliable interpretative guide to issues arising regarding data protection and is followed more often than not in practice by data protection authorities.
For further information on this topic or any other issue relating to data protection, please contact: Dan Barry at email@example.com or 00353 1 614 5000. Dan Barry is a solicitor in the Commercial Department of Mason Hayes+Curran.
The content of this article is provided for information purposes only and does not constitute legal or other advice. Mason Hayes+Curran (www.mhc.ie) is a leading business law firm with offices in Dublin, London and New York. © Copyright Mason Hayes+Curran 2009. All rights reserved.