The Article 29 Working Party has given social networking service (SNS) providers quite a bit to think about with its Opinion 5/2009 on online social networking adopted on 12 June 2009. SNS providers are reminded of their duty to tell their users of all the different purposes for which they process personal data and to take particular care with regard to the processing of personal data of minors. The Opinion also refers to SNS providers’ “duty” to advise users regarding the privacy rights of others and in particular that users should only upload pictures or information about other individuals with that individual’s consent.
OBJECTIVE AND SCOPE
The Working Party’s Opinion sets out to provide guidance to SNS providers on the measures that need to be in place to ensure compliance with EU data protection and e-privacy laws. It reminds SNS providers that the Data Protection Directive (95/46/EC) applies to SNS in most cases, even if the provider’s headquarters are located outside of the European Economic Area. SNS providers are broadly defined in the Opinion as online communication platforms that enable individuals to join or create networks of like-minded users. Key characteristics include inviting users to provide personal data for the purpose of generating a description of themselves or “profile”; tools that allow users to post their own material; and tools that provide a list of contacts for each user, and with which users can interact.
THE MAIN OBLIGATIONS OF SNS PROVIDERS
At the end of its Opinion the Working Party lists the main obligations of SNS providers. These are as follows:
- Inform users of their identity, and provide comprehensive and clear information about the purposes and different ways in which they intend to process personal data
- Offer privacy-friendly default settings
- Provide information and adequate warning to users about privacy risks when they upload data onto the SNS
- SNS providers advise users that pictures or information about other individuals should only be uploaded with the individual’s consent
- At a minimum, the homepage of the SNS providers should contain a link to a complaint facility, covering data protection issues, for both members and non-members
- Marketing activity must comply with the rules laid down in the Data Protection and e-Privacy Directives
- Set maximum periods to retain data on inactive users. Abandoned accounts must be deleted
- With regard to minors, take appropriate action to limit the risks
The Opinion draws attention to the fact that SNS providers are data controllers for the purposes of the Data Protection Directive and in most cases users are data subjects too. However, SNS users whose activities extend beyond a purely personal or household activity may be regarded as data controllers for the purposes of the Directive. Therefore, if the user acts on behalf of a company or association or uses the SNS mainly as a platform to advance commercial, political or charitable goals, the exception does not apply, and the user assumes the full responsibilities of a data controller.
SNS providers have been working hard to maintain standards that ensure that they do not attract the unwelcome attention of national and European regulators and earlier this year the major SNS providers signed up to the EU Safer Social Networking Principles. It seems unlikely that SNS providers will be entirely happy with the Working Party’s Opinion in that some of the recommendations with regard to data protection have the potential to make life unnecessarily complicated both for the provider and user.