According to the latest press release, the Art. 29 Working Party has issued an
opinion (pdf) on social networking sites ("SNS") . In particular, it addresses how the SNS can meet its data protection obligations by considering who is the data controller (SNS providers; application providers; users are exempt under Art. 3.2 Data Protection Directive, but leaves the possibility that they could have data controller responsibilities); information to be provided by SNS; third party access and whether retention of data under a SNS. In sum, the Art. 29 Working Party provides:
Applicability of EC Directives
1. The Data Protection Directive generally applies to the processing of personal data by SNS, even when their headquarters are outside of the EEA.
2. SNS providers are considered data controllers under the Data Protection Directive.
3. Application providers might be considered data controllers under the Data Protection Directive.
4. Users are considered data subjects vis-à-vis the processing of their data by SNS.
5. Processing of personal data by users in most cases falls within the household exemption. There are instances where the activities of a user are not covered by this exemption.
6. SNS fall outside of the scope of the definition of electronic communication service and therefore the Data Retention Directive does not apply to SNS.
Obligations of SNS
7. SNS should inform users of their identity, and provide comprehensive and clear information about the purposes and different ways in which they intend to process personal data.
8. SNS should offer privacy-friendly default settings.
9. SNS should provide information and adequate warning to users about privacy risks when they upload data onto the SNS.
11. Users should be advised by SNS that pictures or information about other individuals, should only be uploaded with the individual’s consent.
12. At a minimum, the homepage of SNS should contain a link to a complaint facility, covering data protection issues, for both members and non-members.
13. Marketing activity must comply with the rules laid down in the Data Protection and ePrivacy Directives.