EU Advisory Group Proposes Tighter Privacy Regulation On Social Networks

The influential Article 29 Working Party, an independent European advisory body on data protection and privacy to the EC, has argued that social networks like Facebook, Twitter and MySpace need more regulation to ensure that personal data of their respective users is not put at risk. Even though the majority of sites that the report mentions are based in the United States, the group states their large presence in Europe means that they should be subject to European Union privacy and data protection legislation.

This isn’t exactly news, since the FT wrote about the report last week when it was still unpublished. It is now, and I’ve embedded it below.

In it, the advisory group mainly addresses the fact that social networking services, as well as third-party developers, have access to the personal data of users, including minors. It basically deems SNS providers to be ‘data controllers’ (rather than merely ‘data processors’), which brings corresponding responsibilities and legal obligations with regard to these users. Topics like the processing of sensitive data and images, advertising and direct marketing on social networks, and data retention are also addressed.

Essentially, the group says users of social networking sites have no legal obligations as data controllers as long as the use is purely personal (the so-called ‘household exemption’), but that they carry the same responsibility as the operators of the social networks when they act on behalf of a company or association, or in pursuit of commercial, political or charitable goals. Also worth noting: the opinion states that sites like Facebook, MySpace and Twitter should clearly identify themselves to users, and provide comprehensive information about the purposes and different ways in which they intend to process personal data. They should also offer privacy-friendly settings by default and provide easy and visible access to a complaints process on their home page.

We’re awaiting comment from Facebook, MySpace and Twitter representatives and will update accordingly.

Update: Hemanshu Nigam, Chief Security Officer of News Corporation and MySpace, sends us this statement:

“MySpace considers the privacy of its users a top priority. As an industry leader in safety, security and privacy, we proactively worked with the European Union and the Article 29 Working Party to provide input into their recommendations based on the privacy best practices that we already deploy for our users. We look forward to continuing to engage in an open dialogue with the European Union on these issues.”

Update 2: statement from Facebook:

Facebook has been engaged in discussions with European data protection officials for nearly four years now, showing how Facebook’s industry-leading privacy practices meet concerns such as those expressed in the Article 29 working party opinion. We are continuing our dialog with these officials as we innovate to provide useful and engaging services to people across the globe.

As an aside, the Article 29 Working Party is the same group that recently called for Google to set a time limit for how long it retains pictures of people in its Street View application. In the past, they’ve also called for Google to reduce the time it retains users’ cookies – Google ultimately volunteered to anonymize information held after 18 months following earlier EC concerns.

ARTICLE 29 DATA PROTECTION WORKING PARTY – Opinion 5/2009 on online social networking