EU Privacy Law Applies to Social Networks Headquartered Outside of Europe

This posting was written by Thomas A. Long, Editor of CCH Privacy Law in Marketing.

European data protection law applies to online social networking services (SNS), such as Facebook and MySpace, even if their headquarters are located outside Europe, according to the Article 29 Data Protection Working Party.

In an opinion adopted on June 12, 2009, the Working Party stated that SNS operators and, in many cases, third-party application providers are "data controllers," for purposes of European law.

As data controllers, SNS operators should disclose the ways they intend to process users' personal data, as well as the risks inherent from uploading data onto the SNS. Marketing activities by SNS operators must comply with the EU's Data Protection and ePrivacy Directives, the Working Party said.

Adoption of Security and Privacy Practices

The Working Party urged SNS operators to adopt robust security practices and privacy-friendly default settings, with particular care taken regarding the processing of the personal data of children and minors. A tool for lodging complaints regarding privacy and protection of personal data should be made available to members and non-members on the services' homepages.

The Working Party is an independent advisory body on data protection and privacy, composed of representatives from the national data protection authorities of the EU Member States, the European Data Protection Supervisor, and the European Commission.

Text of the Working Party's opinion on online social networking appears at CCH Privacy Law in Marketing ¶60,346.