Social Networking: Anybody is a Data Controller

16 Pages Posted: 23 Sep 2008 Last revised: 27 Feb 2014

See all articles by Rebecca Wong

Rebecca Wong

Bournemouth University - Centre for Intellectual Property Policy & Management (CIPPM)

Date Written: September 21, 2008

Abstract

This paper will look at the definition of a "data controller" within the Data Protection Directive 95/46/EC and consider whether the phenomenom of social networking (through Facebook (FB), MySpace and Bebo) has produced unintended consequences in the interpretation and application of the Data Protection Directive 95/46/EC to the online environment. The Data Protection Directive 95/46/EC defines a "data controller" broadly to refer to the 'natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.' If the definition of the Data Protection Directive 95/46/EC (DPD) is applied literally to social networking sites such as Facebook and MySpace, arguably, not only organisations such as FB and MySpace are regarded as "data controllers" (through Art. 4 of the DPD), but individuals who posted information about others (friends or work colleagues etc.) would also be regarded as "data controllers" and thus have to adhere to the legal rules laid down under the Data Protection Directive 95/46/EC (ie. Art. 7 of the DPD fair and lawful processing; not excessive etc) unless it could be shown that the exemptions under Art. 9 that processing was intended for journalistic, artistic and literary purposes or that Art. 13 exceptions apply. As identified in an earlier paper, Art. 3.2 DPD (Wong and Savirimuthu, Art. 3(2) All or Nothing: This is the Question? The Application of Art. 3(2) Data Protection Directive 95/46/EC to the Internet) is unlikely to apply whereby processing was carried out for private and domestic purposes. This paper is an attempt to address a definitional difficulty that the legislatures did not anticipate. In attempting to protect the privacy of individuals, it is now possible to argue that it is becoming easier for individuals (and not merely organisations) to be brought within the scope of the Data Protection Directive 95/46/EC in a social networking environment.

Keywords: Data controller; Data Protection Directive 95/46/EC; Social networking; Facebook; MySpace

Suggested Citation

Wong, Rebecca, Social Networking: Anybody is a Data Controller (September 21, 2008). Available at SSRN: https://ssrn.com/abstract=1271668 or http://dx.doi.org/10.2139/ssrn.1271668

Rebecca Wong (Contact Author)

Bournemouth University - Centre for Intellectual Property Policy & Management (CIPPM) ( email )

89 Holdenhurst Road
Bournemouth
Dorset, BH8 8EB
United Kingdom

Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Downloads
973
Abstract Views
4,418
rank
34,123
PlumX Metrics