Social Networking: Anybody is a Data Controller
16 Pages Posted: 23 Sep 2008 Last revised: 27 Feb 2014
Date Written: September 21, 2008
This paper will look at the definition of a "data controller" within the Data Protection Directive 95/46/EC and consider whether the phenomenom of social networking (through Facebook (FB), MySpace and Bebo) has produced unintended consequences in the interpretation and application of the Data Protection Directive 95/46/EC to the online environment. The Data Protection Directive 95/46/EC defines a "data controller" broadly to refer to the 'natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.' If the definition of the Data Protection Directive 95/46/EC (DPD) is applied literally to social networking sites such as Facebook and MySpace, arguably, not only organisations such as FB and MySpace are regarded as "data controllers" (through Art. 4 of the DPD), but individuals who posted information about others (friends or work colleagues etc.) would also be regarded as "data controllers" and thus have to adhere to the legal rules laid down under the Data Protection Directive 95/46/EC (ie. Art. 7 of the DPD fair and lawful processing; not excessive etc) unless it could be shown that the exemptions under Art. 9 that processing was intended for journalistic, artistic and literary purposes or that Art. 13 exceptions apply. As identified in an earlier paper, Art. 3.2 DPD (Wong and Savirimuthu, Art. 3(2) All or Nothing: This is the Question? The Application of Art. 3(2) Data Protection Directive 95/46/EC to the Internet) is unlikely to apply whereby processing was carried out for private and domestic purposes. This paper is an attempt to address a definitional difficulty that the legislatures did not anticipate. In attempting to protect the privacy of individuals, it is now possible to argue that it is becoming easier for individuals (and not merely organisations) to be brought within the scope of the Data Protection Directive 95/46/EC in a social networking environment.
Keywords: Data controller; Data Protection Directive 95/46/EC; Social networking; Facebook; MySpace
Suggested Citation: Suggested Citation