Since the European Commission published its proposals for the reform of EU data protection laws in January 2012, commentators have been assessing the changes and speculating on what effects these might have on businesses. A year on and the latest area under the spotlight is social networking sites.

Background

It is nearly 20 years since the original Data Protection Directive (Directive 95/46/EC) was implemented in the EU, and the Regulation aims to make data protection laws more relevant to today’s world, in which individuals voluntarily share a vast amount of personal information online, for example through social networking sites.

The Commission wants to encourage ‘e-business’ by building trust in the online environment, and one way of accomplishing this, it hopes, is by protecting individuals against threats to their personal privacy associated with this ‘online world’.

Social networking sites and your personal data

Many websites, including social networking sites, rely on information gleaned from user data (for example users’ preferences), which is sold to generate ad revenue. Generally, users consent to the use of their personal information for such purposes when they access the site and sign up (the consent often being contained in the site’s relevant T&Cs), and sites can change their T&Cs to modify how they use personal data after users have signed up.

How might the Regulation (as currently drafted) affect social networking sites?

Sites will be restricted as to the type of data that can be collected. This must be limited to the minimum necessary and collected only for specific, explicit, limited, legitimate purposes. So collecting data on users’ preferences to generate ad revenue may not be considered ‘legitimate’.

Users will be entitled to ‘privacy by default’. In the context of social networking, this would mean that the default settings must protect the privacy of users, and users would have to take an active role in deciding what they choose to share in the online environment of the networking site. Sites will not simply be able to claim the right to use personal data merely because a user has ‘consented’ through accepting a site’s T&Cs. Additionally, sites will not be able to change these T&Cs after users have signed up in order to give themselves greater rights over personal data.

Users will also be able to withdraw their consent to the processing of their personal data and request that it be deleted/removed permanently. Undoubtedly this would create additional costs and burdens for website owners, who will not be allowed to charge a fee to carry out the request. This is particularly so because, where the website owner has made the personal data public, there would also be an obligation to track down and inform third parties of the user’s request.

The upshot of these proposed changes is that if sites cannot use personal information in a way that is profitable or useful for advertising purposes, users may have to pay to use such sites. Charging may also be necessary to cover the hefty fines (up to 2% of annual worldwide revenues) companies may face for breaking the rules.

Next steps

The European Parliament will shortly vote on the adoption of the General Data Protection Regulation (2012/0011) which will replace the existing Personal Data Protection Directive. Once adopted, the Regulation is expected to come into force later this year and member states will then have 2 years to enforce the legislation.