Article 29 Working Party on online social networking

By EDRi · July 1, 2009

This article is also available in:
Deutsch: [Der Arbeitskreis Artikel 29 äußert sich zu Social Networking|]

Article 29 Working Party issued on 22 June 2009 an opinion on how European
privacy laws affect social networking sites such as Facebook or Myspace.

The opinion states the social networking sites should be responsible for the
compliance to European privacy laws and, on the other hand, that users of
such sites should upload pictures or information about other individuals
only with the consent of the respective individuals.

Presently, social networking users share pictures and tag friends’ images
without requiring a prior consent and generally, communicate publicly,
placing their own and others’ private information on shared “walls”.

The Data Protection Authorities recommend that users are given the opt out
choice and are warned of the privacy risks and on the personal data that is
being made available to others. The opinion says that “the homepage should
contain a link to a complaint facility covering data protection issues for
both members and non-members”.

The group also draws attention to the processing of personal data on the
Internet for commercial purposes, recommending that before using the
collected data aimed for personalised advertisements, the sites should
obtain the prior consent of the respective users. Data on sensitive
topics such as race, religion or sexual orientation should not be processed
or passed on to advertisers and individuals should be allowed to adopt a
pseudonym. Special attention should be given to the processing of the
minors’ personal data. This is an opinion that has been lately supported by
the European Commission which has announced future strong measures to
regulate online tailored ads.

The opinion also advises imposing limits on retaining the data of inactive
users believing that abandoned accounts, together with their accompanying
data, should be deleted.

The Article 29 Working Party’s opinion is based on the principle that social
networking websites must be subject to the EU Data Protection Directive even
when their headquarters are outside the European Union space.

The group interprets the definition of “data controller” as covering the
service providers who, therefore, must adhere to
privacy laws. Although an exception is made for personal or “household”
users, when users broadcast or gather information very widely via such
sites, they become data controllers themselves which could affect users who
organise concerts, human rights letter-writing campaigns or try to sell a
homemade product online.

The recommendations are not binding but show the trend in the legislative
measures that might be taken in the future at the national as well as EU
level. The group has focused lately on privacy issues related to search
engines and its initiatives have led to actions in this direction. The big
search engines such as Google, Microsoft and Yahoo!, have been pressed to
reduce the retention period of data collected from their users.

The opinion has implications on the way the responsibility of social
networks themselves is seen in carrying images and information that could
breach protecting privacy and security rules.

The European Commission has lately focused more on protecting citizens and
consumers’ privacy and social networking websites are considered potentially
dangerous for inexpert users.

Information Society Commissioner Viviane Reding has shown her support to
this line of action and has kept pushing the major players in this field in
adopting a code of conduct meant to protect young users, threatening to
otherwise take further action to protect privacy.

Article 29 Data Protection Working Party – Opinion 5/2009 on online social
networking (12.06.2009)

German version

French version

EU data monitors outline Facebook ground rules (25.06.2009)

EU privacy regulators eye online social networks (25.06.2009)

Citizens’ privacy must become priority in digital age, says EU Commissioner
Reding (14.04.2009)

EDRI-gram: Behavioural targeting at the European Consumer Summit (8.04.2009)