The popularity of Social Networking Sites (SNS) has increased exponentially over the past few years. Sites such as MySpace, Facebook, and the German network StudiVZ rank high in overall web traffic. For many people, using the services offered on these sites has become a part of everyday life.
When people join an SNS, they begin by creating an online profile, which is essentially a list of identifying information. It typically includes contact information and the user's name, photographs, birthday, and hometown. Users may also indicate personal interests, such as hobbies, favorite songs, actors, TV shows, foods, etc. These sites allow users to share this information with vast networks of friends. As such, SNSs are a powerful means for users to interact and to make the Internet less anonymous.
At the same time, these sites pose novel legal issues associated with the EU Data Protection Directive. While traditional data protection regulation is primarily concerned with unfair or disproportionate processing of personal data, users of SNS publish data on their own initiative.
The scope of the issues associated with processing data on these sites is addressed in a recent paper on “Data Protection Compliant Design of Social Networks” by the German Duesseldorf Circle (GDK) — a working group composed of members of Germany's state data protection authorities.
The GDK highlights the following major issues:
- Comprehensive information for users: Operators of SNS should provide users with comprehensive information on the processing of their personal data and the options available to influence this process. The information must include the risks involved with publication of user data and the impact on users' private lives.
- Use of data for marketing purposes: Use of personal data for marketing should be permitted only if data subjects provide valid consent. The GDK recommends that it should be up to the user to decide whether, to what extent, and which profile and usage data may be used for targeted marketing.
- Storage of data: The GDK suggests that storage of usage data beyond the end of a session is only permitted if such data are required for invoicing purposes vis-à-vis the user.
- Retention of data: According to the GDK, there is no legal foundation for storing usage data regarding social networks in case such data may someday be needed for criminal prosecution purposes, unless otherwise permitted by law. The GDK expressly posits that such storage would not be admissible on the basis of the legislation on data retention.
- Introduce anonymous or pseudonymous profiles as an option: Users should be permitted to use the service either anonymously or under a pseudonym, regardless of whether the user must identify himself or herself in the course of the registration process.
- Maintain security: SNS operators should implement and maintain adequate security measures. In particular, they shall prevent export or download of profile data on a systematic basis or on a massive scale.
- Privacy-friendly default settings: The GDK requests that SNS operators design their standard privacy settings to protect users' privacy as efficiently as possible, in particular if the service is directed to children. Access to a profile by search engines may only be provided if the user expressly agrees, i.e., non-indexability of profiles by search engines should be the default.
- Deletion of profiles: Users should have the ability to easily delete their own profiles. SNS operators should consider implementing expiration dates or automatic blocking of profiles, to be defined by the user.
The GDK wants users to have full control over the use of the data they voluntarily place on SNS. Effective control requires (1) transparent and open information to users, including information on the potential consequences of their actions during use of a service, and (2) providing users with technical means to restrict usage and publication of their data, e.g., by changing the privacy settings of the user account. The GDK’s guidelines should be viewed as an initial approach to a matter which poses many legal complexities and will be of continuing relevance.