The Protection of Personal Data on Social Network Services
As a result of the rise of social network services, the use (and
possible abuse) of personal information or personal data via or
through social network services is receiving more attention. Due to
the frequent use of social network services, in particular by
minors, a discussion followed immediately about the protection of
personal data and the protection of the privacy of the users of
these social network services.
In the Netherlands the use of personal data by or via social
network services has already led to questions in Parliament on several
occasions. Recently, at a European level, the Article 29 Data
Protection Working Party has adopted an opinion in which it
provides guidelines for social network services as well as the
users thereof with regard to the protection of personal data.
This article lists the key points of this opinion.
What Is A Social Network Service?
Social network services can be defined as 'online
communication platforms that enable individuals to create a network
or to join an existing network'. Famous examples are Hyves,
Facebook and Myspace. In order to participate in such networks,
users have to make a so-called 'profile', for which
personal information is requested. Social network services often
also offer the opportunity to add personal videos or photos to the
profile.
Social Network Services and Privacy?
a. The Privacy Directive and the Processing of Personal Data
The data that are collected during the registration and are
subsequently incorporated into the profile of the users qualify as
personal data within the meaning of Directive 95/46/EC (the
'Privacy Directive'). The Privacy Directive applies to this
processing of personal data.
Users do not only post information about themselves online, but
also about other people (for instance photos of friends that are
posted online). These are all personal data that are being
processed. Does the Privacy Directive apply to this processing, and
is the user who provides the personal data also subject to the
obligations? Probably not, because the Privacy Directive provides for an
exemption. The Privacy Directive does not apply to processing in
the course of a purely personal or household activity. If
this is the case, as it often is in the event of the provision of
personal data of others by users, the Privacy Directive does not
apply to such processing at all. It cannot be indicated
unequivocally when the activities qualify as purely personal or
household activities. Whether or not a profile is of a public
nature is an important basis to determine whether or not there is
indeed personal and household use. If the account is only
accessible to a limited group of persons (the 'friends'),
there will be such personal or household use. If the profile is
accessible to an unlimited or very large group of persons, there
will not be personal or household use. In that case the Privacy
Directive does apply to the processing and the user has to fulfill
(some) obligations of the Privacy Directive.
b. Data Controller
When it is determined that the Privacy Directive applies, it is
important to know who the 'data controller' for the
processing of personal data is. The data controller within the
meaning of the Privacy Directive is the natural or legal person,
public authority, agency or any other body which alone or jointly
with others determines the purposes and means of the processing of
personal data. In principle, this will be the provider of the
social network service. In that case the provider must fulfill the
obligations that arise from the Privacy Directive.
c. Substantiation of These Obligations by the Article 29 Data Protection Working Party
In the opinion of the Article 29 Data Protection Working Party
that was published recently, the obligations arising from the
Privacy Directive have been further substantiated and a couple of
guidelines are offered to the providers of the social network
services in order to guarantee the right to privacy of their users
in a better way.
- The provider of the social network service must inform the
users of its identity and must provide clear information about
the purposes and different ways in which the personal data will
be used.
- The provider of the social network service must ensure that
the default settings of the service are privacy-friendly. The
pages should not be discoverable by internal as well as
external search engines (Google, for instance). In addition,
users should be allowed to publish under a pseudonym.
Therefore, it is important that when an account becomes
inactive, the account should be made invisible after a
while.
- Users should be warned about the privacy risks for
themselves and third parties when they upload information onto
their profile.
- Users should be advised that pictures or information about
other individuals should only be uploaded with the
individual's consent.
- Both members and non-members should have access to a
complaint-handling procedure.
- If a provider of a social network service undertakes
marketing activities, this must comply with the applicable laws
(in the Netherlands: the Personal Data Protection Act (Wet
bescherming persoonsgegevens ("Wbp")) and the
Telecommunications Act (Telecommunicatiewet)).
Social Network Services in the Netherlands
In the Netherlands the Privacy Directive has been
implemented into the Wbp. If a provider of a social network service
is also established in the Netherlands or if the servers of the
provider of a social network service are situated in the
Netherlands, the Wbp will apply to this provider, in its capacity
of 'data controller'.
The Dutch privacy authority, the "Dutch DPA", adheres
to the guidelines of the Article 29 Data Protection Working Party.
In addition, the Dutch DPA remarks that the use of social
network services by minors is also a focus point. Minors, for
instance, must get their parents' or legal guardian's
consent before they can register. The question, however, is whether
the social network services can actually realize this in practice
and how this should be done. Furthermore, privacy awareness could
be taught in schools. If 'teaching about privacy' would
become an integral part of the curriculum, minor users would
perhaps become more aware of the 'dangers' lurking behind
the disclosure of all kinds of personal information on the
Internet. But should not the parents go back to school too?