June 23, 2009, 3:34 PM — Social-networking sites, and in some instances their users, are responsible for protecting the privacy rights of the people whose information they exchange online, according to an influential European data protection committee.
Social-networking Web sites such as Facebook and MySpace should be classified as data controllers rather than mere data processors, the Article 29 data protection working party said Tuesday.
And although private users are usually exempt from such a classification, they too can be held responsible if they are networking as part of their job, or if they opt to share their contacts list beyond a specified list of "friends".
Data controllers must inform people before uploading their data under European Union data protection laws.
The working party also made practical recommendations to social-networking sites: they should provide easy and visible access to a complaints process on their home page, where members and nonmembers of the network can oppose the use of their personal data.
They should also design their sites so that full privacy settings are the default, and users have to actively opt out of data protection measures if they want to.
Warnings about privacy risks should be clearly flagged as a user begins to upload information about themselves or others, the working party said in a formal opinion. Users also must be informed about what personal data is available to others in their profile on the network site, it said.
In addition, social-networking sites must delete all information from inactive accounts, it said.
The fact that the opinion classifies social-networking sites as data controllers isn't surprising but the opinion may create some legal issues with regard to how it views users who share contacts on such a site on behalf of their employers.
Users who share people's personal data on a social-networking site used for corporate purposes become data controllers themselves, the opinion said. Employers normally take on this responsibility on behalf of their staff, said Jörg Hladjk, a lawyer specializing in privacy and information management with Hunton & Williams in Brussels.
The Article 29 working group's opinion "could have implications for labor law," Hladjk said.
"The activities of some SNS users may extend beyond a purely personal or household activity, for example when the SNS (social networking site) is used as a collaboration platform for an association or a company," said the opinion. "If an SNS user acts on behalf of a company or association, or uses the SNS mainly as a platform to advance commercial, political or charitable goals, the exception does not apply. Here, the user assumes the full responsibilities of a data controller who is disclosing personal data to another data controller (SNS) and to third parties."
The text of the opinion can be found at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf
