InfoLawGroup LLP

View Original

EU Data Protection Directive May Apply to Certain "Users" of Social Networking Sites

It is a little vague, but according to this report it appears that simply using a social networking website may subject certain individuals and organizations to the requirements of the EU Data Protection Directive (e.g. notice, consent, etc.).  Essentially, if your purpose for being a user is not "personal" then you could be subject to the EU Directive.  Stated differently, if you use a social networking site to advance commercial, political or charitable goals your activities as a user may be regulated by the EU Directive.

Scroll down to section 3.1 ("Who is a Data Controller"). Which indicates:

A growing trend of SNS is the "shift from "Web 2.0 for fun" to Web 2.0 for productivity and services" where the activities of some SNS users may extend beyond a purely personal or household activity, for example when the SNS is used as a collaboration platform for an association or a company. If an SNS user acts on behalf of a company or association, or uses the SNS mainly as a platform to advance commercial, political or charitable goals, the exception does not apply. Here, the user assumes the full responsibilities of a data controller who is disclosing personal data to another data controller (SNS) and to third parties (other SNS users or potentially even other data controllers with access to the data). In these circumstances, the user needs the consent of the persons concerned or some other legitimate basis provided in the Data Protection Directive.

Typically, access to data (profile data, postings, stories.) contributed by a user is limited to self-selected contacts. In some cases however, users may acquire a high number of third party contacts, some of whom he may not actually know. A high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller.

It seems possible that for a business with a Facebook fan page, the simple act of making "personal information" available (e.g. a link to a person's profile that shows a birthday) might be subject to the act? If basic user "activities" in a social networking service require compliance with EU Data Protection Directive, how can these services work in Europe? What other activities might subject an individual or company users to EU privacy laws?

Prior to embarking on a full blown Web 2.0 business strategy, any company or individual user of a social networking site that will come into contact with European personal information should carefully analyze their activities surrounding and use of personal information and consider whether they are subject to the EU Directive.