Article 29 Working Party on online social networking
The Article 29 Working Party issued an opinion on 22 June 2009 on how European privacy laws affect social networking sites such as Facebook or Myspace.
The opinion states that social networking sites should be responsible for compliance with European privacy laws and, on the other hand, that users of such sites should upload pictures or information about other individuals only with the consent of those individuals.
Presently, social networking users share pictures and tag friends' images without requiring prior consent and, in general, communicate publicly, placing their own and others' private information on shared "walls".
The Data Protection Authorities recommend that users be given an opt-out choice and be warned of the privacy risks and of the personal data that is being made available to others. The opinion says that "the homepage should contain a link to a complaint facility covering data protection issues for both members and non-members".
The group also draws attention to the processing of personal data on the Internet for commercial purposes, recommending that sites obtain the prior consent of the respective users before using collected data for personalised advertisements. Data on sensitive topics such as race, religion or sexual orientation should not be processed or passed on to advertisers, and individuals should be allowed to adopt a pseudonym. Special attention should be given to the processing of minors' personal data. This opinion has lately been supported by the European Commission, which has announced future strong measures to regulate online tailored ads.
The opinion also advises imposing limits on retaining the data of inactive users, taking the view that abandoned accounts, together with their accompanying data, should be deleted.
The Article 29 Working Party's opinion is based on the principle that social networking websites must be subject to the EU Data Protection Directive even when their headquarters are outside the European Union.
The group interprets the definition of "data controller" as covering the service providers, who must therefore adhere to privacy laws. Although an exception is made for personal or "household" users, when users broadcast or gather information very widely via such sites, they become data controllers themselves, which could affect users who organise concerts or human rights letter-writing campaigns, or who try to sell a homemade product online.
The recommendations are not binding but show the trend in the legislative measures that might be taken in the future at the national as well as the EU level. The group has focused lately on privacy issues related to search engines, and its initiatives have led to actions in this direction. The big search engines, such as Google, Microsoft and Yahoo!, have been pressed to reduce the retention period of data collected from their users.
The opinion has implications for how the responsibility of social networks themselves is seen when they carry images and information that could breach privacy and security rules.
The European Commission has lately focused more on protecting citizens' and consumers' privacy, and social networking websites are considered potentially dangerous for inexpert users.
Information Society Commissioner Viviane Reding has shown her support for this line of action and has kept pushing the major players in this field to adopt a code of conduct meant to protect young users, threatening otherwise to take further action to protect privacy.