Data Protection | Information Privacy | Social Networking Service

The current issue and full text archive of this journal is available at www.emeraldinsight.com/1750-6166.htm. Received 12 December 2009. Accepted 5 March 2010.
Data protection issues pertaining to social networking under EU law

Eleni Kosta
Interdisciplinary Centre for Law and ICT (ICRI) – Katholieke Universiteit Leuven, Leuven, Belgium

Christos Kalloniatis
Cultural Informatics Laboratory, Department of Cultural Technology and Communication, University of the Aegean, Mytilene, Greece, and

Lilian Mitrou and Stefanos Gritzalis
Information and Communication Systems Security Laboratory, Department of Information and Communications Systems Engineering, University of the Aegean, Samos, Greece

Abstract

Purpose – The purpose of this paper is to examine how the introduction of new communication channels facilitates interactive information sharing and collaboration between various actors over social networking services and how social networking fits in the existing European legal framework on data protection. The paper also aims to discuss some specific data protection issues, focusing on the role of the relevant actors, using the example of photo tagging.

Design/methodology/approach – Privacy in social networks is one of the main concerns for providers and users. This paper examines the role of the main actors in social networking, i.e. the providers and the users, scrutinised under the light of the European data protection legislation. Specifically, it examines how social networking service providers deal with users’ privacy, how users handle their personal information, whether this manipulation complies with the respective legislation, and how “tagging”, one of the most familiar services provided by the social networking providers, may cause privacy risks.

Findings – Social networking is one of the most remarkable cultural phenomena that has blossomed in the Web 2.0 era. Social networking services enable the connection of users and facilitate the exchange of information among them.
However, the users reveal vast amounts of personal information over social networking services, without realising the privacy and security risks arising from their actions. The European data protection legislation could be used as a means for protecting the users against the unlawful processing of their personal information, although a number of problems arise regarding its applicability.

Originality/value – The paper discusses some privacy concerns involved in social networks and examines how social networking service providers and users deal with personal information with regard to the European data protection legislation.

Keywords Privacy, Social networks, Data security, Law, European Union

Paper type Research paper

Transforming Government: People, Process and Policy, Vol. 4 No. 2, 2010, pp. 193-201. © Emerald Group Publishing Limited, 1750-6166. DOI 10.1108/17506161011047406

1. Introduction

The development of the internet and the emergence of Web 2.0 introduced a new era in the communication of the internet users and the exchange of user-generated content. One of the most remarkable cultural phenomena that blossomed in the Web 2.0 era is the online social networks (also called “social networking sites” or “social networking services”), such as Facebook, MySpace, Friendster, Bebo, Netlog, LinkedIn to name just a few. Social networking services are very popular among adolescents and young people, but they also attract the attention of users of an older age. The latter prefer, however, more profession-related social networking services, such as LinkedIn (Anderson Analytics, 2009).

The introduction of new communication channels facilitates interactive information sharing and collaboration between users over social networking services.
At the same time, social networking services serve as platforms for the exchange of vast amounts of personal information to a sometimes potentially public audience, as the profiles of the users are not always restricted to be visible only by their friends. Privacy and security considerations have been raised parallel to the great success of social networking services. The privacy settings of the services can be used as a tool for the users to protect their privacy. Via the privacy settings they can restrict the access to their account and distinct parts of it only to specific contacts or categories of contacts. However, not many users change the default privacy settings, which means that the privacy of the users is to a large extent in the hands of the providers of the social networking services. Recently, Facebook changed the default privacy settings of all user accounts, so that specific information, such as their list of friends, pictures or the pages they are fans of, are visible to everyone (Facebook, 2009). The Electronic Privacy Information Center (EPIC) has filed a complaint with the Federal Trade Commission, urging the FTC to open an investigation into the revised privacy settings of Facebook (http://epic.org/privacy/inrefacebook/EPIC-FacebookComplaint.pdf).

2. Social networking services

The vast expansion of social networking services reveals a tendency of the users to acquire as many contacts (friends) as possible accompanied by their eagerness to reveal personal information. Indicative is the experiment that was organized by the information security company Sophos in 2007, which wished to increase user awareness on the dangers of social networking in the advent of the phenomenon. Sophos created a Facebook account for “Freddi Staur” (an anagram of “ID Fraudster”). The account was represented by a small green plastic frog who divulged minimal personal information about himself.
A total of 200 friend requests were sent out in order to collect information regarding the response of the users and the degree of personal information they were willing to divulge. A total of 87 of the 200 Facebook users contacted responded to Freddi, with 82 leaking personal information (41 per cent of those approached), while 72 per cent of respondents divulged one or more e-mail address and 78 per cent of respondents listed their current address or location (www.sophos.com/pressoffice/news/articles/2007/08/facebook.html).

The ease with which users reveal personal information in social networking services, as well as the simultaneous lack of awareness and understanding regarding the threats and dangers lurking in such disclosure of personal information, alarmed international and European agencies, data protection and privacy advisory bodies. The European Network and Information Security Agency (ENISA) published a position paper informing the users of online social networks on security issues and gave recommendations regarding their use (ENISA, 2007). The International Working Group on Data Protection in Telecommunications (IWGDPT) adopted a report and guidance on Social Network Services, commonly known as “Rome Memorandum” (IWGDPT, 2008). The working group made recommendations for regulators, providers of social networking services and users, in an attempt to raise awareness on privacy issues in social networking services. The Rome Memorandum was followed by a Resolution on Privacy Protection in Social Network Services that was adopted by the 30th International Conference of Data Protection and Privacy Commissioners in 2008, which also contained recommendations for users and providers of social networking services (International Conference of Data Protection and Privacy Commissioners, 2008).
In response to the heated debate on the protection of the privacy of the European users of social networking services, the Article 29 Working Party[1] adopted an opinion on social networking services, in which it included key recommendations on the obligations of providers of social networking services, so that they comply with the European regulatory framework on the protection of personal data (Article 29 Data Protection Working Party, 2009).

3. Providers of social networking services under data protection scrutiny

A major issue arises with regard to the safeguarding of European Union (EU) citizens’ privacy rights and the applicability of the European Data Protection Framework on providers established outside the EU. This issue is very important as the European data protection framework sets high standards with regard to the protection of individuals relating to the processing of their personal data and imposes strict obligations on entities that process personal data. The Article 29 Data Protection Working Party is of the opinion that the provisions of the Data Protection Directive[2] apply to the providers of social networking services “in most cases”, even if they are located outside the EU (Article 29 Data Protection Working Party, 2009). The Article 29 Working Party sees two potential bases for the applicability of the Data Protection Directive:

(1) the Social Networking Services provider has an establishment in the territory of an EU Member State; or
(2) although the Social Networking Services provider does not have an establishment within the EU, he makes use of equipment situated in an EU Member State (Article 29 Data Protection Working Party, 2008).

In this paper, we make the assumption that the Data Protection Directive applies to providers of social networking services, whose headquarters are established outside the EU[3].

The Data Protection Directive defines two basic categories of parties, which are relevant to be identified in the context of social networking services.
On the one hand, there is the data subject, who is the individual to whom the personal data relate: in the case of social networking the users of the services. According to the Data Protection Directive, the individual shall be identified or at least identifiable. Anonymous individuals do not qualify as data subject in the scope of the European Data Protection legal framework. On the other hand, there is the data controller, who is a person (natural or legal), which alone or jointly with others “determines the purposes and means of the processing of personal data”[4]. The classification of a person as “data controller” is of great importance, as he exercises the decision making both on the purposes for which personal data are collected and processed, as well as on the means to be used for a specific processing. The Data Protection Directive also foresees specific obligations for the data controllers regarding the processing of personal data, the respect of the rights of the users and their responsibility in case of breach of the law.

The definition of the data controller in social networking is a very complicated and heavily debated issue. The introduction of new communication channels in the Web 2.0 era facilitates interactive information sharing and collaboration between various actors over social networking sites, who do not always fit in the traditional communications models. According to the Article 29 Working Party the providers of the social networking services are the ones who determine the means for the processing of the user data, as they provide the social networking platform and all the basic tools regarding the user management, such as the registration and the deletion of the user accounts. The providers of social networking services also determine some of the purposes for which the data will be used, especially for advertising and marketing purposes (Article 29 Data Protection Working Party, 2009).
It shall also be noted that the providers of social networking services set the general frame regarding the purposes for which users can process their data and the data of their contacts and friends. Although it seems more or less clear that the providers of social networking services function as data controllers, the situation is much more complicated with regard to the users of social networking services.

4. Users of social networking services as data controllers

The users of social networking services have a high degree of choice regarding the information they disclose. They share their personal information with their contacts and friends but often they share also information of other individuals. Users may also usually decide on the specific application they use in order to reveal this information in a social networking service. Therefore, the user can be considered a data controller at least “with regards to the content he chooses to provide and the processing operations he initiates” (van Alsenoy et al., 2009).

Before examining if the users of social networking services may serve as data controllers and if they must fulfil the obligations that are foreseen by the Data Protection Directive for data controllers, it must be studied whether their actions fall within the scope of the Directive. Even when processing of personal data takes place, the Directive does not apply, when the processing is done by a natural person in the course of a purely personal or household activity (commonly known as “household exemption”)[5]. It is to be examined at this point whether the user of social networking services can justify that they process personal data for a purely personal activity. Recital 12 of the Data Protection Directive clarifies that such activities shall be “exclusively personal or domestic” and mentions as examples the private correspondence or the holding of records of addresses.
The European Court of Justice (ECJ, 2004a, b) in its ruling on the Lindqvist case expressed its thoughts on the household exemption. The ECJ expressed the opinion that the household exemption:

    [...] must therefore be interpreted as relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people.

The ECJ considered the publication on the internet as not falling under the household exemption, as the data are made accessible to an indefinite number of people.