Privacy and social networks

Computer Law and Security Review

Volumn 26, Issue 5, 2010, Pages 535-546

  Van Eecke, Patrick ^a,b   Truyens, Maarten ^b  

^a UNIVERSITY OF ANTWERP   (Belgium)

^b Intellectual Property and Technology Department   (Belgium)

Author keywords

Cookies; Obligations of data controllers; Personal data; Profiling; Scope of data protection; Social networks; Transfer of personal data

Indexed keywords

COOKIES; DATA CONTROLLERS; DATA PROTECTION; PERSONAL DATA; PROFILING; SOCIAL NETWORKS;

CONTROLLERS; SECURITY OF DATA;

SOCIAL NETWORKING (ONLINE);

EID: 77957955266     PISSN: 02673649     EISSN: None     Source Type: Journal    
DOI: 10.1016/j.clsr.2010.07.006     Document Type: Article

References (95)

1. ENISA Position Paper No. 1, Security Issues and Recommendations for Online Social Networks, October 2007, available at the Enisa website (www.enisa.europa.eu), p. 6.
2. Judicial actions to remove a harmful publication from the internet often end up in slow procedures that further increase the harm. The effectiveness of judicial actions is therefore often very low.
3. See the criticism of the Google Buzz default settings, expressed in the open letter referred to in footnote 22 below.
4. Depending on the survey considered, only 45% of all users (according to some surveys even only 3%) change the default settings. See Krishnamurthy B. and C.E. Wills, "On the Leakage of Personally Identifiable Information Via Online Social Networks", paper presented at the SIGCOMM 2009 conference, available at http://conferences.sigcomm.org/sigcomm/2009/workshops/wosn/papers/ p7.pdf. See also R. Gross and A. Acquisti, "Information Revelation and Privacy in Online Social Networks (The Facebook case)", ACM Workshop on Privacy in the Electronic Society (WPES), 2005, available at www.heinz.cmu.edu/%7Eacquisti/papers/privacy-facebook-gross-acquisti.pdf; and I. Brown, "Data protection: the new technical and political environment", Computers & Law, February/March 2010, p. 42.
5. R. Wong, "Social networking: a conceptual analysis of a data controller", Communications Law, Vol.14, No.5, 2009, p. 143.
6. I. Brown, "Data protection: the new technical and political environment", Computers & Law, February/March 2010, p. 41. available at www.sciencedirect.com www.compseconline.com/publications/prodclaw.htm comp u t e r law & s e c u rity rev iew 2 6 ( 2 0 1 0 ) 5 3 5 e5 4 6 0267-3649/e see front matter 2010 Patrick Van Eecke & Maarten Truyens. Published by Elsevier Ltd. All rights reserved. doi:10.1016/j.clsr.2010.07.006
7. R. Wong, o.c, Opinion 5/2009 on online social networking (hereinafter "Opinion 163"), approved on 12 June 2009, available at the Working Partys website, p. 4; ENISA Position Paper No. 1, o.c., p. 12e15; OFCOM, Social Networking: A quantitative and qualitative research report into attitudes, behaviours and use, 2 April 2008, p. 53.
8. " Rome memorandum" of the International Working Group on Data Protection in Telecommunications, 4 March 2008, available at www.datenschutz-berlin.de/attachments/461/WP-social
9. G. González Fuster and S. Gutwirth, "Privacy 2.0?", R.D.T.I. 32/2008, p. 353.
10. Rome memorandum, o.c., p. 3.
11. S. Deane-Johns, "Behavioural Targeting of Internet Advertising", Computers & Law, June-July 2009, p. 22
12. A.M. Matwyshyn, "Behavioural Targeting of Online Advertisements and the Future of Data Protection", Computers & Law, February/March 2009, p. 24e26; Working Party 29, Opinion 2/2010 on online behavioural advertising, adopted on 22 June 2010, available on the Working Partys website.
13. See J.M. Dinant, C. Lazaro, Y. Poullet and A. Rouvroy, "Application of Convention 108 to the profiling mechanism", September 2008, available at the website of the Council of Europe: www.coe.int/T/E/Legal-affairs/Legal-co- operation/Data- protection/Documents/).
14. Rome memorandum, o.c., p.3; ENISA Position Paper No. 1, o.c., p. 9.
15. Several new services constitute an interesting illustration. For example, Blippy.com enables a user to provide his friends with full access to his credit card payments; Belysio.com enables a user to inform his friends about his (geographical) whereabouts; Twitter.com allows a user to inform the public at large about his daily activities.
16. Statement of European Commissioner M. Kuneva, Keynote Speech on the Roundtable on Online Data Collection, Targeting and Profiling, Brussels, 31 March 2009.
17. See OFCOM, Social Networking: A quantitative and qualitative research report into attitudes, behaviours and use, 2 April 2008, p. 48.
18. See "Social Networking: Commission brokers agreement among major web companies", press release IP/09/232 of the European Commission of 10 February 2009.
19. I.e. the previously mentioned Opinion 163.
20. See footnote 9.
21. ENISA Position Paper No. 1, o.c.
22. See www.priv.gc.ca/media/nr-c/2010/let-100420-e.cfm. The letter was sent by the data protection authorities of Canada, France, Germany, Israel, Italy, Ireland, Netherlands, New Zealand, Spain and the United Kingdom. In the letter, the authorities express their concerns about privacy issues related to Google Buzz (particularly the initial default settings for Google Buzz).
23. Available at www.priv.gc.ca/cf-dc/2009/2009-008-0716-e.cfm.
24. See, for example, "Privacy battle looms for Facebook, Google", available at www.msnbc.msn.com/id/36017434/.
25. For an overview, see R. Wong, o.c., p. 145 and 146.
26. Working Party 29, Working document on determining the international application of EU data protection law to personal data processing on the Internet by non-EU based websites, 30 May 2002, p. 10 and 11; Opinion 1/2008 on data protection issues related to search engines, p. 11.
27. This position was repeated in Opinion 163, p. 5.
28. Working Party 29, Working document on determining the international application of EU data protection law., o.c., p. 9 ("The Working Party would advocate a cautious approach").
29. In the same sense: C. Kuner, European data protection law d corporate compliance and regulation, 2nd edition, 2007, nrs. 3.23 to 3.36, and in particular nr. 3.30.
30. " Session cookies" are merely temporary cookies, which are automatically deleted when the browser is closed. As a result, such cookies do not lend themselves to becoming a gateway for the collection of personal data. Also, many permanent ("persistent") cookies are used for merely technical reasons, without any hidden purpose to collect personal data.
31. Working Party 29, Working document on determining the international application of EU data protection law., o.c., p. 7.
32. For example a consumer who would place an order with an American supplier by telephone. See below, section 3.4.1.
33. See nr. 69 (own emphasis): "If Article 25 of Directive 95/46 were interpreted to mean that there is transfer [of data] to a third country every time that personal data are loaded onto an internet page, that transfer would necessarily be a transfer to all the third countries where there are the technical means needed to access the internet. The special regime provided for by Chapter IV of the directive would thus necessarily become a regime of general application, as regards operations on the internet. Thus, if the Commission found, pursuant to Article 25(4) of Directive 95/46, that even one third country did not ensure adequate protection, the Member States would be obliged to prevent any personal data being placed on the internet."
34. The notification duty (article 18) is another example. It is highly questionable whether the European legislator would have imposed this notification duty when it would have been aware that even the most basic actions on the internet may qualify as a processing of personal data, and thus require the submission of the notification.
35. R. Wong, o.c., p. 142.
36. In the same vein: C. Kuner, o.c., nrs. 2.23 to 2.26
37. B. Van Alsenoy, J. Ballet, A. Kuczerawy and J. Dumortier, "Social networks and Web 20: are users also bound by data protection regulations?", Identity in the Information Society, September 2009.
38. For example, the users web browsing behaviour, as registered by the log files and cookies.
39. If both the user and the social networks servers are located outside the European Union, then it could be argued that the Directive does not apply (not even according to the "cookie theory" upheld by Working Party 29).
40. Bebo (www.bebo.com/Privacy2.jsp) "Bebo may transfer information about you and your use of Bebo, such as your IP-address, information stored via cookies, and other demographic information about you, to our advertising affiliates (such as Advertising.com), partners (including Yahoo! and its affiliates) and other third parties. This information may be used to provide advertising, promotions and other products and services that may be of particular interest to you."; Myspace (www.myspace.com/index.cfm/ fuseactionmisc. privacy): "MySpace also may share your PII with Affiliated Companies if it has a business reason to do so."; Hyves (www.hyves.nl/privacy/): "Hyves uses the information about you to let Hyves respond better to your wishes and needs. It can for instance be used to make sure that you will see adverts better suited to you. Were trying to match adverts and campaigns to your profile."; Myspace (www.facebook.com/terms. php): "For content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sublicensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License")."
41. For example using the users age or hobbies to display personalised advertisements.
42. For example Myspace, LinkedIn, Bebo and Hyves.
43. See below, section 5.2.3.
44. Opinion 1/2010 on the concepts of "controller" and "processor", 16 February 2010.
45. See the conclusion on p. 33: "However, [the Working Party] has not found any reason to think that the current distinction between controllers and processors would no longer be relevant and workable in that perspective."
46. See, for example, the explanation of the concept of "means" on p. 14: "means does not only refer to the technical ways of processing personal data, but also to the "how" of processing, which includes questions like "which data shall be processed", "which third parties shall have access to this data", "when data shall data be deleted".
47. For example, "purpose and means" is interpreted as "purpose or means": "while determining the purpose of the processing would in any case trigger the qualification as controller, determining the means would imply control only when the determination concerns the essential elements of the means." (p. 14).
48. See p. 9: "The concept of controller is a functional concept, intended to allocate responsibilities where the factual influence is, and thus based on a factual rather than a formal analysis. Therefore, determining control may sometimes require an in-depth and lengthy investigation."
49. For example when a law or established legal practice has imposed the distribution of responsibilities.
50. See p. 26: "the fact that the contract and its detailed terms of business are prepared by the service provider rather than by the controller is not in itself a sufficient basis to conclude that the service provider should be considered as a controller".
51. See, for example, the quotes in footnotes 47 and 52.
52. See p. 19: "joint control will arise when different parties determine with regard to specific processing operations either the purpose or those essential elements of the means which characterize a controller".
53. See p. 21.
54. Although the Opinion explicitly mentions the example of social networks in the section on joint controllership, it does not explicitly state that the social network operator and the users are effectively considered joint controllers.
55. In some cases (such as LinkedIn), the social network is deliberately targeted at professionals.
56. Rome memorandum, o.c., p. 2.
57. Recital 12 of the Directive.
58. Art. 9 of the Directive also refers to the exemption for journalistic purposes, or for the purpose of artistic or literary expression (see also Opinion 163, p. 6). In our opinion, this exemption will only rarely apply in the context of social networks. See also C-73/07, OJC44 (21 February 2009), regarding the publication of publicly available tax data from Finish citizens. A newspaper publishing this data was considered to fall within the scope of the exemption for journalistic purposes.
59. Case C-101/01 of 6 november 2003.
60. See nrs. 46e48.
61. The summary of Opinion 163 (p. 3) refers to "circumstances whereby the activities of a user of an SNS are not covered by the household exemption".
62. Opinion 163, o.c., p. 6 and 7.
63. For example, the default settings of Facebook allow every (even non-registered) user to get access to thumbnail pictures of random friends of users; the popular social network site LinkedIn presents itself as a professionally-oriented social network; the privacy policy of Twitter states that "our default is almost always to make the information you provide public"; etc.
64. In the same vein: P. James, "SNS Privacy Practices: Canada, the EU and Beyond", Computers & Law, November 2009, p. 28.
65. In addition, many social network operators partially expose their network to third parties through the use of so-called application programming interfaces ("API"), for example to foster the exchange of data. Many social networks (including Hi5.com, MySpace, Google/Orkut, Netlog, Friendster and Yahoo!) have also subscribed to the "OpenSocial" initiative (code.google.com/apis/opensocial), which provides a common interface for social networks. The privacy impact of such APIs depends significantly on the access granted by the social network operator.
66. P. James, o.c., p. 27. scape for social network operators.72
67. Position of the Canadian Privacy Commission, o.c., nr. 157.
68. Opinion 163, o.c., p. 5.
69. See for example the terms of use of Facebook: "Facebook is not just a website. It is also a service for sharing your information on Facebook-enhanced applications and websites. You can control how you share information with those third party applications." and MySpace: "Third party applications (such as widgets) created by third party developers may also be available on the MySpace Services.. (.) However, MySpace does not control the third party developers, and cannot dictate their actions. When a Member engages with a third party application, that Member is interacting with the third party developer, not with MySpace."
70. C. Kuner, o.c., section 2.10.
71. G. González Fuster and S. Gutwirth, o.c., p. 354. Position of Working Party 29: see Opinion nr. 4/2007 on the concept of personal data (WP 136), adopted on 20 June 2007 (p. 16 and 17), as well as Opinion 1/2008 on data protection issues related to search engines, adopted on 8 April 2008, p. 8
72. In addition to the obligations imposed by the legal framework, the Working Party also requests social network operators to: ensure privacy-friendly default settings; warn users to get the consent of third parties in order to publish their personal data; publish a clearly visible hyperlink to the complaints procedure on the homepage of het social network; allow the use of pseudonyms on the network; etc.
73. See, for example, "Facebook et vie privée, face face", 16 January 2008 (press release French CNIL); "CBP treedt op tegen onrechtmatig verzamelen van persoonsgegevens op internet", 24 March 2009 (press release Dutch College Bescherming Persoonsgegevens); "Facebook faces UK data probe", available at theregister.co.uk/2007/11/20/facebook-uk- data-protection/.
74. Lindqvist case, see section 3.4.1 above.
75. In the same vein: T. Leonard and A. Mention, o.c., p. 103; B. Van Alsenoy, J. Ballet, A. Kuczerawy and J. Dumortier, o.c., p. 11.
76. See Rome memorandum, o.c., p. 5, referring to a statement of Facebook, according to which less than 0.25% of all users effectively consult the privacy policy.
77. G. González Fuster and S. Gutwirth, o.c., p. 354e355.
78. P. Hutchinson, "Will social networking services survive only at the expense of privacy?", Computers & Law, November 2009, p. 31.
79. For example, in our opinion, a user does not require explicit consent in order to publish a holiday group photo or a blog in which a user describes a visit of a museum. On the contrary, explicit consent will be required to publish a photo that depicts a drunken friend or the children of a family member.
80. See section 3.9 of the Opinion.
81. For example, the Facebook privacy policy (www.facebook.com/policy.php) states in section 6: "Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users".conversely, the privacy policy of LinkedIn states "If you update any of your information, we may keep a copy of the information which you originally provided to us in our archives for uses documented herein." An independent survey seems to boil down to the same result for MySpace (see
82. See, however, our general reservations regarding privacy policies in section 12 above. Burying important privacy aspects in long privacy policies is increasingly criticized by Working Party 29 and the national data protection authorities.
83. See Commission Decision 2000/520/EC of 26.7.2000 on the adequacy of the protection provided by the safe harbor privacy principles and related frequently asked questions issued by the US Department of Commerce.
84. At the time of writing (Januari 2010), LinkedIn, Facebook and Microsoft were subscribed to the Safe Harbor list.conversely, the following American social network operators did not subscribe: Myspace, Twitter and Flickr.
85. Rome memorandum, o.c., p. 2. The use of the "Binding Corporate Rules", which is focused on multinationals, is not relevant in the relation between users and social network operators.
86. See the prior discussion in section 3.4.1 above.
87. See nr. 62: "It is in that light that it must be examined whether the Community legislature intended, for the purposes of the application of Chapter IV of Directive 95/46, to include within the expression transfer [of data] to a third country within the meaning of Article 25 of that directive activities such as those carried out by Mrs Lindqvist. It must be stressed that the fifth question asked by the referring court concerns only those activities and not those carried out by the hosting providers.".
88. See nr. 68.
89. See the Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, under Directive 95/46/EC.
90. The user could, for example, have informed the data subjects about his publication intention at the moment the picture was taken by the user.
91. For example when a user would publish a photo depicting third parties. When the social network operator would analyse such photo using facial recognition software, then personal data is being processed. Unless the social network operator would be able to correctly identify the persons depicted on the photo and would dispose of their contact details, it will be virtually impossible to properly identify the data subjects involved.
92. See, for example, the "Virtual Suicide Machine" (suicidemachine.org), which allows users to easily unsubscribe from social networks. Another example is the pleaserobme.com website, which mocks users who publicly announce (tweet) that they have left home, thereby exposing themselves to robbery.
93. R. Wong, o.c., p. 143.
94. In the same sense: R. Wong, o.c., p. 144.
95. See the announcement of 9 July 2009, available at ec.europa. eu/justice-home/news/consulting-public/news-consulting-0003- en.htm.