Privacy, SNSs and the law Dr. Natali Helberger, Institute for Information Law, University of Amsterdam “ Privacy in Social Network Sites”, Delft, 24 October 2008

Content Overview European Data Protection Law Users as data controllers The rights of data subjects – theory and practice Minors and European data protection law Conclusions and thoughts for further discussion

Overview European Data Protection Law

Users as data controllers

The rights of data subjects – theory and practice

Minors and European data protection law

Conclusions and thoughts for further discussion

Overview of European data protection law European Data Protection Directive 95/47/EC Automated processing of personal data Directive on Privacy and Electronic Communications (ePrivacy D.) 2002/58/EC Data protection in publicly available electronic communications networks Additional obligations concerning data security, communications secrecy, cookies, spam

European Data Protection Directive 95/47/EC

Automated processing of personal data

Directive on Privacy and Electronic Communications (ePrivacy D.) 2002/58/EC

Data protection in publicly available electronic communications networks

Additional obligations concerning data security, communications secrecy, cookies, spam

What European DPL is about: Informational privacy: fair and legitimate data processing Communications privacy (ePrivacy Directive) Harmonising national rules: Internal Market The relationship between data subject and data controller

Informational privacy: fair and legitimate data processing

Communications privacy (ePrivacy Directive)

Harmonising national rules: Internal Market

The relationship between data subject and data controller

Users as data controllers Data controller is anyone who “determines the purposes and means of the processing of personal data” (Art. 2d Data Protection Directive)

Data controller is anyone who “determines the purposes and means of the processing of personal data” (Art. 2d Data Protection Directive)

The rights of data subjects: privacy policies prevail Anything goes … … as long as it is in the privacy policies and the user has consented. What does “operation of the website” mean in a web 2.0 context? Take it or leave it.

Anything goes …

… as long as it is in the privacy policies and the user has consented.

What does “operation of the website” mean in a web 2.0 context?

Take it or leave it.

Personal data as the new currency in the SNS market The theory: Right to be informed when data shared Right to opt out against direct marketing Obligation to secure personal data Right to take legal action and claim damages The practice: many of the provisions are toothless tigers.

The theory:

Right to be informed when data shared

Right to opt out against direct marketing

Obligation to secure personal data

Right to take legal action and claim damages

The practice: many of the provisions are toothless tigers.

The right to be forgotten Users can demand “… as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data” (Art. 12 (b) of het Data Protection Directive)

Users can demand “… as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data” (Art. 12 (b) of het Data Protection Directive)

The rights of minors Minors as data subjects No special provisions for children in DPD Problems: notion of “consent”, informing children, storage time Minors as data controllers

Minors as data subjects

No special provisions for children in DPD

Problems: notion of “consent”, informing children, storage time

Minors as data controllers

Fields for future regulatory attention The role of amateur data controllers The right not to be overregulated The right to demand co-operation Privacy policies The right to be better informed The right to be forgotten The right to have privacy policies monitored The right to negotiate privacy policies Processing of personal data to/by third parties Duties of care for data controllers Behavioural advertising The right to opt-in for behavioural advertising The rights of minors

The role of amateur data controllers

The right not to be overregulated

The right to demand co-operation

Privacy policies

The right to be better informed

The right to be forgotten

The right to have privacy policies monitored

The right to negotiate privacy policies

Processing of personal data to/by third parties

Duties of care for data controllers

Behavioural advertising

The right to opt-in for behavioural advertising

The rights of minors

But before you get started … Privacy as an individual or public interest? Personal autonomy vs. public regulation The role of technology The sense and non-sense of self-regulation Will the problems persist?

Privacy as an individual or public interest?

Personal autonomy vs. public regulation

The role of technology

The sense and non-sense of self-regulation

Will the problems persist?

Thank you for your attention Dr. Natali Helberger Institute for Information Law, University of Amsterdam helberger@ivir.nl http://www.ivir.nl

Dr. Natali Helberger

Institute for Information Law,

University of Amsterdam

helberger@ivir.nl

http://www.ivir.nl