Regulators: EU data protection laws apply to social networks
Social-networking sites, and in some instances their users, are responsible for protecting the privacy rights of the people whose information they exchange online, according to an influential European data protection committee.
Social-networking Web sites such as Facebook and MySpace should be classified as data controllers rather than mere data processors, the Article 29 data protection working party said Tuesday.
And although private users are usually exempt from such a classification, they too can be held responsible if they are networking as part of their job, or if they opt to share their contacts list beyond a specified list of "friends".
Data controllers must inform people before uploading their data under European Union data protection laws.
The working party also made practical recommendations to social-networking sites: they should provide easy and visible access to a complaints process on their home page, where members and nonmembers of the network can oppose the use of their personal data.
They should also design their sites so that full privacy settings are the default, and users have to actively opt out of data protection measures if they want to.
Warnings about privacy risks should be clearly flagged as a user begins to upload information about themselves or others, the working party said in a formal opinion. Users also must be informed about what personal data is available to others in their profile on the network site, it said.
In addition, social-networking sites must delete all information from inactive accounts, it said.
The fact that the opinion classifies social-networking sites as data controllers isn't surprising but the opinion may create some legal issues with regard to how it views users who share contacts on such a site on behalf of their employers.
Users who share people's personal data on a social-networking site used for corporate purposes become data controllers themselves, the opinion said. Employers normally take on this responsibility on behalf of their staff, said Jörg Hladjk, a lawyer specializing in privacy and information management with Hunton & Williams in Brussels.
The Article 29 working group's opinion "could have implications for labor law," Hladjk said.
"The activities of some SNS users may extend beyond a purely personal or household activity, for example when the SNS (social networking site) is used as a collaboration platform for an association or a company," said the opinion. "If an SNS user acts on behalf of a company or association, or uses the SNS mainly as a platform to advance commercial, political or charitable goals, the exception does not apply. Here, the user assumes the full responsibilities of a data controller who is disclosing personal data to another data controller (SNS) and to third parties."
The text of the opinion can be found at: http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2009/wp163_en.pdf
IDG News Service
Sign up for ITworld's Daily newsletter
Follow ITworld on Twitter @IT_world
On Twitter now
privacy
Powered by Twitter
jfruh
Apple syncing patent can't come soon enough
pasmith
New Twitter features borrow from 3rd party clients
Esther Schindler
Open Source Changes the Software Acquisition Process
mikelgan
How to set up continuous podcast play on the new iTunes
David Strom
Five important Windows 7 mobility features
sjvn
Guard your Wi-Fi for your own sake
Sandra Henry-Stocker
Grepping on Whole Words
Sidekick: The Good News & the Bad News
Either way you look at it Microsoft Data Center management did not follow standards or best practices in this failure. In which case it makes me wonder more about the outsourcing of corporate data much less personal data.
- mburton325
Join the conversation here
Quick, practical advice for IT pros. Made fresh daily.
Want to cash in on your IT savvy? Send your tip to tips@itworld.com. If we post it, we'll send you a $25 Amazon e-gift card.
