Confirmed: Social Networking Sites Are Subject To EU Data Protection Requirements

The EU's independent advisory body on data protection and privacy, the Article 29 Working Party, published its opinion on the legal status of social networking operators such as LinkedIn, Facebook and others last month. It said:

"SNS [Social Network Service] providers are data controllers under the Data Protection Directive."

The opinion went further, stating that social networking companies count as data controllers under EU law "even when their headquarters are outside of the European Economic Area".

More importantly for EEA businesses, however, the opinion expressed the view that users of social networking sites could also be data controllers (and accordingly bound by the relevant national legislation, such as the Data Protection Act 1998 in the UK), if the user was acting on behalf of a company or association, or in pursuit of commercial, political or charitable goals.

This opinion confirms a view that was already widely held, but the clarification is welcome.

Key points

Data controllers situated in the UK should be aware that:

Failure to notify the Information Commissioner's Office (ICO) that you are a data controller (unless you are exempt from notification) is a strict liability criminal offence, meaning that ignorance is no defence.

If required to notify, subsequent failure to keep the notification accurate and up-to-date is also a criminal offence. The company notification to the ICO can also refer to brands under which the company processes personal data, not just the main company name, unless the brand is a data controller entity in its own right.

Data controllers are subject to the 8 data protection principles set out in the Data Protection Act 1998. These principles include requirements in relation to fair and lawful processing of data, data security and retention and restrictions in relation to transferring personal data outside of the EEA.

Data controllers are under a duty to inform data subjects how their data is to be processed and for what purpose. Online, this includes providing users with privacy warnings and warning them about the potential privacy implications of their actions, as well as highlighting whether the intention is to use the personal data for internal human resources procedures, external recruitment or customer profiling.

In summary, data controllers that use social networking sites as part of their...
