Privacy Law, Social Network Sites, and Europe... new rules for them and for you?
Written by Jeffrey Neu   
The European Union has been fairly aggressive and proactive in its approach to Privacy Law.  In 1995 the European Union (EU) passed a Data Protection Directive protecting personal information and harmonizing privacy laws among its member states.

The Directive requires that the laws of member states protect personal information in both the private and public sectors. That legislation must feature provisions to block transfers of information to non-member states that do not provide an "adequate" level of protection.

It requires all data processing to have a "proper legal basis", encompassing the following: 1. consent; 2. contract; 3. legal obligation; 4. vital interest of the data subject; and 5. the balance between the legitimate interests of those controlling the data and the individuals on whom data is held (the 'data subjects').

Data subjects have important rights, including the following: 1. a right of access to that data; 2. a right to know where the data originated (if such information is available); 3. a right to have inaccurate data rectified; 4. a right of recourse in the event of unlawful processing; and 5. a right to withhold permission to use their data in certain circumstances (e.g., to opt out free of charge from being sent direct marketing material, without providing any specific reason).

Recently, a June 19 opinion released by the EU stated that users of social networking sites may be considered "data controllers" if they utilize the personal information of their "friends" or other third parties on these sites.

The Article 29 Working Party asserts that the EU Data Protection Directive applies to site providers even if they are located outside of the European Union.  This would mean that everyone from Facebook to Myspace to LinkedIn, to smaller social networking sites like Ning, or even China's social networking site Qzone, would have to comply with the Directive if an EU national used the site or was able to access the site.

Social networking site providers are advised, in order to comply with EU privacy law, to do the following:

  • inform users in advance of how their personal information will be collected, stored, and used, and gain user consent to those practices;
  • establish strong default privacy settings to prevent access to user personal information, and provide free and easy-to-use privacy control features;
  • establish a mechanism by which accounts that remain inactive for a long period of time are automatically switched to privacy features that do not allow access to personal information;
  • delete user personal data as soon as possible after users close their accounts, except to the extent data are needed to investigate identity theft, fraud, or other illegal or malicious activity;
  • allow pseudonym registration so long as strong authentication and access controls are in place;
  • pay careful attention to protecting the privacy rights of minors; and
  • take responsibility for ensuring that applications made available to site users by third parties also include strong privacy protection features.

This is all fairly commonplace for social networking sites that are aware of EU privacy laws or operate in the EU.

However, the new twist is that users may be considered Data Controllers.  The Working Party has initiated a 'Household Exemption' for users or people that engage in "purely personal or household activity."

But where an individual uses a social networking site as an employee in a company's "collaborative platform" or uses the site to "advance commercial, political or charitable goals," the household exemption does not apply, and the user accepts responsibility as a data controller under EU law, the opinion said.

A big portion of this analysis is how well you know the individuals you are connecting with.  For instance, if you are a "super connector" and have no personal relationship with the individuals you connect with, you may be considered a Data Controller.

Lastly, social networking sites now have the responsibility to warn users that their activities on the site may make them data controllers in the eyes of EU officials, and that they are therefore required to meet EU privacy rules.

The Working Party's "Opinion 5/2009 on online social networking" is available at http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2009_en.htm.

 

 
