• EU Working Group Indicates Social Networks and Some Users Must Comply with EU Privacy Laws
  • July 30, 2009
  • Law Firm: Winston & Strawn LLP - Chicago Office
  • Under the EU Data Privacy Directive, a working group was set up to examine the impact of the directive on the protection of individuals with regard to the processing of their personal data. Over the years, the working group has issued a variety of opinions, including an opinion in May 2002 that in certain circumstances, if a company located outside of the European Union places a cookie on the computer of a user located within the European Union, that company may be subject to local European laws. This opinion was revisited in August last year, when the working group examined the obligations of search engines under the directive, and concluded that search engines using cookies (including for behavioral tracking purposes) could be subjecting themselves to European laws, even if the search engine companies were located outside of the EU. Last month, the impact of the use of cookies was reviewed again, this time in the context of social networking Web sites, which the working party viewed as information society services that must respect the rights and freedoms of site users (including users' privacy rights). To the extent that social networking sites use cookies, the working party concluded that even sites that are based in countries outside of the EU must follow the requirements of the directive.

    According to the working group, complying with the directive means that social networking sites should have "privacy-friendly" settings, such as (a) having a user's profile default to require consent before others can access the user's data, (b) not having a user's postings "findable" by search engines, and (c) not having decisions about whether to extend access to a user's profile be implicit (so that a user would have to opt out of such extension of access). Social networking Web sites should also follow the notice requirements of the directive, including letting users know (a) if their information will be used for direct marketing, (b) if their information will be shared with third parties, (c) how profiles of users are created (and where the data comes from to create the profiles), and (d) how sensitive data is used. The working party also recommended that sites warn users about privacy risks to themselves and to others when uploading data, that uploading information about other people might infringe on those individuals' rights, and that if users want to upload photos of other people, they need those people's consent. The working party also indicated that data should be deleted if the user terminates his or her account or if an account is inactive for a set period of time (but only after first notifying the user that data will be deleted).

    TIP: If you host social networking Web sites that use cookies, keep in mind that you may be viewed as subject to the laws of European Union Member States, and thus will need to consider whether you must have "privacy-friendly" settings as defaults, among other requirements.