Confirmed: Social Networking Sites Are Subject To EU Data Protection Requirements
The EU's independent advisory body on data protection and
privacy, the Article 29 Working Party, published its opinion on the
legal status of social networking operators such as LinkedIn,
Facebook and others last month. It said:
"SNS [Social Network Service] providers are data controllers
under the Data Protection Directive."
The opinion went further, stating that social networking
companies count as data controllers under EU law "even when
their headquarters are outside of the European Economic
Area".
More importantly for EEA businesses, however, the opinion
expressed the view that users of social networking sites could also
be data controllers (and accordingly bound by the relevant national
legislation, such as the Data Protection Act 1998 in the UK), if
the user was acting on behalf of a company, association or in
pursuit of commercial, political or charitable goals.
This opinion confirms a view that was already widely held, but
the clarification is welcome.
Key points
Data controllers situated in the UK should be aware that:
- Failure to notify the Information Commissioner's Office
  (ICO) that you are a data controller (unless you are exempt from
  notification) is a strict liability criminal offence, meaning that
  ignorance is no defence.
- If required to notify, subsequent failure to keep the
  notification accurate and up-to-date is also a criminal offence.
  The company notification to the ICO can also refer to brands under
  which the company processes personal data, not just the main
  company name, unless the brand is a data controller entity in its
  own right.
- Data controllers are subject to the 8 data protection
  principles set out in the Data Protection Act 1998. These
  principles include requirements in relation to fair and lawful
  processing of data, data security and retention, and restrictions in
  relation to transferring personal data outside of the EEA.
- Data controllers are under a duty to inform data subjects how
  their data is to be processed and for what purpose. Online, this
  includes providing users with privacy warnings and warning them
  about the potential privacy implications of their actions,
  as well as highlighting whether the intention is to use the
  personal data for internal human resources procedures, external
  recruitment or customer profiling.
In summary, data controllers that use social networking sites as
part of their...