A key point to take away is that operators of SNS are data controllers rather than merely data processors, which makes them more likely to be subject to European data protection law.
Who is the working party?
The working party was set up by the data protection directive as an advisory body. Its opinions are not legally binding, but they are likely to be persuasive and the Commission must respond to them.
The response to the opinion (so far) has concentrated on the view that SNS operators are probably data controllers. I’ll have more to say about that at the end of this post.
For me the most interesting points are:
- SNS operators are usually data controllers
- … and so are many third party application providers
- … as indeed will be many users
- privacy should be the default setting
- release of profile information beyond a user’s selected friends should never be implicit
- third party applications should not by default be given access to all an individual’s profile information, but only what is necessary for that application to work
It seems to me that this signals a tougher line to SNS like Facebook, which will not be able to get away with, for example, a completely cavalier attitude to third party applications.
There are a couple of specific points of interest.
Almost anything about someone is “personal data” but most individuals using an SNS won’t be subject to the Directive because it excludes processing “by a natural person in the course of a purely personal or household activity”.
The working group notes an increased use of SNS for other purposes such as for businesses or campaigning. Those would fall outside the household exception and such users would need to comply with the Act.
The Working Group makes three recommendations on this point:
- SNS providers provide adequate warnings to users about the privacy risks to themselves and to others when they upload information on the SNS;
- SNS users should also be reminded that uploading information about other individuals may impinge upon their privacy and data protection rights;
- SNS users should be advised by SNS that if they wish to upload pictures or information about other individuals, this should be done with the individual’s consent.
Which seems entirely positive. Strictly speaking you don’t always need an individual’s permission to process their data, so the last point is not quite right, though it is good practice. What the Directive does require is that individuals are notified of the processing, which could be done by a tagging system.
Having said that, the Directive was not (I think) written with uses of SNS in mind. I suspect that more difficulties will follow.
Controller vs Processor
The Directive makes a distinction between “controllers” on the one hand and “processors” on the other. A controller is an entity which “alone or jointly with others determines the purposes and means of the processing of personal data.”
In the context of an SNS you might argue that it is the users of the site who decide the purpose and means of processing the data, and that the operator of the site provides nothing more than an environment for the users to do what they wish (post pictures, disclose information about themselves and so on). In other words, the operator is just a processor.
The Working Party thinks not. Amongst other things, sites like Facebook decide what use is to be made of data contributed to the site for the purposes of advertising and marketing.
This matters for two reasons: first because it is on the controller (not the processor) that most of the obligations of the directive are imposed; but second because the location of the controller affects whether or not the directive applies at all.
How far does the Directive reach?
The answer to that question lies in article 4 of the directive, which states:
(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;
(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;
(c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.
The first two provisions give little difficulty: if your processing is being carried out in/with or by an establishment of yours in a member state (or somewhere else that state’s law applies) then unsurprisingly you have to comply with the Directive.
The odd one is (c). The Working Group have previously, in their opinion on search engines, said that storing a cookie in a user’s browser amounts to “making use of” equipment (the user’s browser), so that wherever on the planet a data controller might be, if their processing of the data involves cookies they will be subject to the directive.
I am not entirely convinced by that argument. It would require any such site to have a designated representative in every member state from which anyone were to browse them (under article 4(2)). It also seems to me that what the directive means is that if you process the data in question in a member state then the directive applies to the processing of that data in that member state. A cookie will necessarily contain much personal data of itself.
The opinion seems to me to be useful. It is relatively short and an easy read. Let us hope that it contributes to the pressure on sites like Facebook to put their house in order.