Directive 95/46/EC (the Data Protection Directive) is the legal framework of data protection in the European Union and England. In its Opinion, the Working Party analyzed how this Data Protection Directive could be applied to social networking. The Opinion is not law and, therefore, not a binding instrument. The European Data Protection authorities, however, use the Opinion as guidance when taking decisions. Thus, social network providers (SNPs) should pay close attention to this Opinion.
First, the Opinion defines social networking as online communication platforms that allow interaction among individuals with similar characteristics who share their profile, photos, and personal materials. The Opinion limits application of the Data Protection Directive to social network providers (SNPs) that have headquarters in the European Economic Area, or that process personal data in a non-European state, but using storage equipment located in a member state.
Second, the Opinion divides the possible data controllers in social networking into three groups: (1) the SNP; (2) third party application providers; and (3) users. For instance, and without going into the jurisdictional issue, Twitter and Facebook would be the SNPs in the sense that they manage and control users' accounts. Third party application providers are those that provide an application to SNPs in addition to those provided by the SNP. Determining who is a third party application provider may not be an easy task and may require a case-by-case analysis. Social networking users, in turn, are data subjects with respect to the data processing by the SNP. The Opinion, however, also provided the “household exception” for data subjects. This exception states that the Data Protection Directive does not apply to the processing of data by a natural person in the course of household or personal activity. The Opinion states that the “household exception” does not apply and users will be data controllers in the following scenarios:
- When the purpose of users' processing activities goes beyond purely personal activities. An example would be the use of social networks for commercial, political, or charitable purposes, or to advance a company’s goals;
- When a large group of contacts can access a user’s profile information. This may happen when a search engine collects and stores a high volume of contacts that may be accessed by all members of the social network; and
- When users can process a third party’s data.
This means that users are initially data subjects and the SNPs are data controllers. Yet users may also be data controllers when they join social networks that allow them to view a large group of contacts or process third party data. The “household exception” would not benefit users in any of these scenarios.
Third, the Opinion emphasizes the need for security and transparency in SNPs’ data processing. Security must be the goal when the SNP renders its services and even at the time the SNP’s system is designed. This is a principle to be followed by SNPs in Europe when their operation is at the initial stage. As an example, the Opinion warns SNPs to be cautious about default settings that allow users to share information with unauthorized visitors. The Opinion recommends that SNPs’ systems only allow the sharing of information when the user explicitly consents. Thus, “conservative default settings” should be the applicable security measure in SNPs’ services. Regarding transparency, the Opinion suggests that data controllers inform users of the data controller’s identity and the manner in which users’ data would be used. Also, the Opinion requires SNPs to inform users of any direct marketing associated with the data, the sharing of data with third parties, and the use of sensitive data. SNPs should inform users of the risks involved when they upload private information, including pictures.
As the above information shows, the Opinion addresses the main points concerning the application of data protection laws and principles to social networking; for instance, the definition of data subject and data collector, jurisdictional issues, security and transparency, and additional topics that are presented in Part II of this article.
http://www.ibls.com/internet_law_news_portal_view.aspx?s=latestnews&id=2374