Social networking sites are legally responsible for their users' privacy, Europe's privacy watchdogs have confirmed. A committee of data protection regulators has said that the sites are 'data controllers', with all the legal obligations that brings. Users of the sites are also data controllers with legal obligations when they …
Fair enough, but...
If I have to provide my date of birth (or other personal info) to a web site then I expect them to keep that personal data confidential. If I then use their service to advertise to the whole world 'Hey, I was born on...' then that is MY responsibility, not theirs.
But what does it mean?
What does this mean for us humble non-lawyery people? Does it mean the next time I go to a site unrelated to Facebook and see an advert on that site which has my Facebook details as part of their adverts, it's unfair processing (I didn't give permission for my Facebook details to be used as part of an advert on a 3rd party site.... I think)?
What change would this mandate for SN sites? Does Wikipedia count as a social networking site? Do forums count as a social networking site? Is using my Facebook details as an advert against the DPA?
I'm always interested in these legal articles on The Reg, they are very well written and presented, I just wish I understood the implications.
What I wonder is...
Do Facebook and MySpace have enough of a physical presence in Europe for the EU to make this stick? It is one thing to declare that: "...social networking companies count as data controllers under EU law 'even when their headquarters are outside of the [European Economic Area]'", but if there isn't a (non-headquarters) physical operation within the EU, I am not sure whether there is any reason for Facebook and MySpace to pay attention to what the Article 29 Working Party says. There are some on this site who are quick to admonish Americans that US law is sovereign only within the United States. This is an opportunity for me to point out that this particular street runs 2 ways, with EU mandates only being enforceable within the EU.
Are the covered? Are the various Yahoo! Groups covered by this?
It doesn't matter about physical presence...
... it's all about where EU data is held.
You are an EU citizen, and your name, email address, date of birth is held on a server. I believe it's actually illegal for a company to store your details on a server outside of the EU without express permission.
Ah yes - the storer of the information must obtain express permission from the resident country of each of their users - England, Scotland, Wales, France, Spain, Holland, Brussels, Poland, etc, etc, etc... not sure how many countries there are at the moment, and I wouldn't predict a reply within seven days.
I've heard of requests taking months.
I think you are missing my point: if Facebook and MySpace have all of their servers and offices outside the EU, they can tell the Article 29 Working Party "ODFO" and the EU can do ... What?... about it. It is not illegal in the US, so far as I know (IANAL), to store customer details on a server here regardless of where the customers come from - no permission needed, so if all the offices and servers are in the US that is all that matters. That is the two way street I was talking about: if it is unreasonable for Americans to expect, say, 1st Amendment rights to speech to apply outside the US, it is similarly naive for Europeans to expect EU data laws to apply extraterritorially.