Imagine: You are a user of the social network service ‘Facebook’. At a certain moment you stumble across an advertisement for ‘Hot Singles’. Much to your surprise, you see a photo of your wife as ‘hot single’. It is true that your wife has a profile on Facebook but she was not aware that her photo could also be used for such purposes. Is this actually allowed?
As a result of the rise of social network services, the use (and possible abuse) of personal information or personal data via or through social network services is receiving more attention. Due to the frequent use of social network services, in particular by minors, a discussion immediately followed about the protection of personal data and the protection of the privacy of the users of these social network services.
In the Netherlands the use of personal data by or via social network services has already led to questions in Parliament on several occasions. Recently, at a European level, the Article 29 Data Protection Working Party has adopted an opinion in which it provides guidelines for social network services as well as the users thereof with regard to the protection of personal data.
This article lists the key points of this opinion.
What Is A Social Network Service?
Social network services can be defined as ‘online communication platforms that enable individuals to create a network or to join an existing network’. Famous examples are Hyves, Facebook and Myspace. In order to participate in such networks, users have to make a so-called ‘profile’, for which personal information is requested. Social network services often also offer the opportunity to add personal videos or photos to the profile.
Social Network Services and Privacy?
a. The Privacy Directive and the Processing of Personal Data
The data that are collected during the registration and are subsequently incorporated into the profile of the users qualify as personal data within the meaning of Directive 95/46/EC (the ‘Privacy Directive’). The Privacy Directive applies to this processing of personal data.
Users do not only post information about themselves online, but also about other people (for instance, photos of friends that are posted online). These are all personal data that are being processed. Does the Privacy Directive apply to this processing, and is the user who provides the personal data also subject to its obligations? Probably not, because the Privacy Directive provides for an exemption: it does not apply to processing in the course of a purely personal or household activity. If this is the case, as it often is when users provide personal data of others, the Privacy Directive does not apply to such processing at all. It cannot be stated unequivocally when activities qualify as purely personal or household activities. Whether or not a profile is of a public nature is an important basis for determining whether there is indeed personal or household use. If the account is only accessible to a limited group of persons (the ‘friends’), there will be such personal or household use. If the profile is accessible to an unlimited or very large group of persons, there will not be personal or household use. In that case the Privacy Directive does apply to the processing and the user has to fulfill (some) obligations of the Privacy Directive.
b. Data Controller
When it is determined that the Privacy Directive applies, it is important to know who the ‘data controller’ for the processing of personal data is. The data controller within the meaning of the Privacy Directive is the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data. In principle, this will be the provider of the social network service. In that case the provider must fulfill the obligations that arise from the Privacy Directive.
c. Substantiation of These Obligations by the Article 29 Data Protection Working Party
In the opinion of the Article 29 Data Protection Working Party that was published recently, the obligations arising from the Privacy Directive have been further substantiated and a couple of guidelines are offered to the providers of the social network services in order to guarantee the right to privacy of their users in a better way.
- The provider of the social network service must inform the users of its identity and must provide clear information about the purposes and different ways in which the personal data will be used.
- The provider of the social network service must ensure that the default settings of the service are privacy-friendly. The pages should not be discoverable by either internal or external search engines (Google, for instance). In addition, users should be allowed to publish under a pseudonym. Furthermore, when an account becomes inactive, it should be made invisible after a while.
- Users should be warned about the privacy risks for themselves and third parties when they upload information onto their profile.
- Users should be advised that pictures or information about other individuals should only be uploaded with the individual’s consent.
- Both members and non-members should have access to a complaint-handling procedure.
- If a provider of a social network service undertakes marketing activities, these must comply with the applicable laws (in the Netherlands: the Personal Data Protection Act (Wet bescherming persoonsgegevens (“Wbp”)) and the Telecommunications Act (Telecommunicatiewet)).
Social Network Services in the Netherlands
In the Netherlands the Privacy Directive has been implemented into the Wbp. If a provider of a social network service is also established in the Netherlands or if the servers of the provider of a social network service are situated in the Netherlands, the Wbp will apply to this provider, in its capacity as ‘data controller’.
The Dutch privacy authority, the “Dutch DPA”, adheres to the guidelines of the Article 29 Data Protection Working Party. In addition, the Dutch DPA remarks that the use of social network services by minors is also a focus point. Minors, for instance, must get their parents’ or legal guardian’s consent before they can register. The question, however, is whether the social network services can actually realize this in practice and how this should be done. Furthermore, privacy awareness could be taught in schools. If ‘teaching about privacy’ were to become an integral part of the curriculum, minor users would perhaps become more aware of the ‘dangers’ lurking behind the disclosure of all kinds of personal information on the Internet. But should not the parents go back to school too?