Resolution on Privacy Protection in Social Network Services



Similar documents
Data protection issues on an EU outsourcing

Data Protection Good Practice Note

International Working Group on Data Protection in Telecommunications

Privacy & Big Data: Enable Big Data Analytics with Privacy by Design. Datenschutz-Vereinigung von Luxemburg Ronald Koorn DRAFT VERSION 8 March 2014

Observations on international efforts to develop frameworks to enhance privacy while realising big data s benefits

Online Ads: A new challenge for privacy? Jörg Polakiewicz*

Web Beacons Guidelines for Notice and Choice

Data Compliance. And. Your Obligations

Unsolicited Electronic Messages Act 2007

AlixPartners, LLP. General Data Protection Statement

1. What information do we collect?

privacy and credit reporting policy.

PRIVACY POLICY Personal information and sensitive information Information we request from you

DATA AND PAYMENT SECURITY PART 1

Data protection compliance checklist

Cookies and consent. The Article 29 Working Party has identified seven types of cookies that are not subject to the consent requirement.

European Commission initiatives on e- and mhealth

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

PRIVACY POLICY. What Information Is Collected

Appendix A Data Protection and Marketing Regulatory Considerations for the European Union

The British Academy of Management. Website and Social Media Policy

BEREC Monitoring quality of Internet access services in the context of Net Neutrality

Privacy Policy Statement

RECOMMENDATIONS COMMISSION

Privacy Rules for Customer, Supplier and Business Partner Data. Directive 7.08 Protection of Personal Data

GSK Public policy positions

The RFID agenda of the European Commission. Florent Frederix European Commission Directorate General Information Society and Media

Crawford Chondon &Partners LLP. Is your Business Ready for Canada s Anti Spam Law?

To this end ERCI fully endorses and adheres to the Principles of Personal Data Protection Act (2012). 1. The Purpose:

EU Data Protection Directive and U.S. Safe Harbor Framework: An Employer Update. By Stephen H. LaCount, Esq.

COMMISSION OF THE EUROPEAN COMMUNITIES COMMISSION RECOMMENDATION. of

European Investment Bank Group. Video-surveillance policy

The potential legal consequences of a personal data breach

PRIVACY POLICY. comply with the Australian Privacy Principles ("APPs"); ensure that we manage your personal information openly and transparently;

The purpose of this document is to provide a framework for ConnectGroups in dealing with privacy considerations.

ABC PRIVACY POLICY. The ABC is strongly committed to protecting your privacy when you interact with us, our content, products and services.

UNILEVER PRIVACY PRINCIPLES UNILEVER PRIVACY POLICY

1. TYPES OF INFORMATION WE COLLECT.

Information Sharing Policy

Next Business Telecom is also subject to other laws relating to the protection of personal information.

Public Health England, an executive agency of the Department of Health ("We") are committed to protecting and respecting your privacy.

EUROPEAN UNION. Brussels, 12 July 2002 (OR. en) PE-CONS 3636/ /0189 (COD) LEX 365 ECO 217 CODEC 778

Daltrak Building Services Pty Ltd ABN: Privacy Policy Manual

Assessment Strategy for. Audit Practice, Tax Practice, Management Consulting Practice and Business Accounting Practice.

Best Practice Data Collection for Marketers

CLOUD COMPUTING Contractual and data protection aspects

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

Data Protection Act 1998 The Data Protection Policy for the Borough Council of King's Lynn & West Norfolk

MEMBI PRIVACY POLICY

How To Use Social Media For A University

BLUE BADGE INSURANCE PTY LTD BLUE BADGE COMMUNITY AUSTRALIA PTY LTD PRIVACY POLICY

The Manitowoc Company, Inc.

Our standard terms and conditions for Your Advanced Personal Loan.

ORGANISATION FOR ECONOMIC CO-OPERATION AND DEVELOPMENT

Best Practices at Research Level

Organisation de Coopération et de Développement Economiques Organisation for Economic Co-operation and Development

Privacy Policy & Terms of Use Effective: 12/13/2011. Terms and Conditions. Changes in this Privacy Policy. Internet Privacy & Security

Privacy Seminar - Social Networks

T E R M S A N D C O N D I T I O N S FO R PR O M O R E PU B L I C SE R VI C E

NAI Mobile Application Code

Privacy and Electronic Communications Regulations

Hume Bank Limited Privacy Policy

How To Protect Your Privacy On The Net

ESOMAR PRACTICAL GUIDE ON COOKIES JULY 2012

Dutch Data Protection Authority - Annual Report 2014

ARRIS WHOLE HOME SOLUTION PRIVACY POLICY AND CALIFORNIA PRIVACY RIGHTS STATEMENT

DATA PROTECTION IN THE EUROPEAN UNION

TOY INDUSTRY CHECKLIST FOR MOBILE APPS AND PROMOTIONS

AASA Online Privacy Policy CRP.020

Data Protection and Privacy Policy

ANZ Privacy Policy PROTECTING YOUR PRIVACY 07.15

Privacy Policy Draft

fraud & billing For example, Layer4 will identify: Compliance of telecom operators with service level agreements

FISHER & PAYKEL PRIVACY POLICY

How To Know What You Can And Can'T Do At The University Of England Students Union

Transcription:

30 th International Conference of Data Protection and Privacy Commissioners Strasbourg, 17 October 2008 Resolution on Privacy Protection in Social Network Services Proposer: Data Protection and Freedom of Information Commissioner of the State of Berlin, Germany Co-sponsors: Commission Nationale de l Informatique et des Libertés (CNIL), France; Federal Commissioner for Data Protection and Freedom of Information, Germany; Garante per la protezione dei dati personali, Italy; College Bescherming Persoonsgegevens (The Netherlands) Privacy Commissioner, New Zealand; Federal Data Protection and Information Commissioner (FDPIC), Switzerland Resolution Social network services 1 have become very popular in recent years. Among other things, these services offer means for their subscribers to interact based on self-generated personal profiles, which support an unprecedented level of disclosure of personal information about the individuals concerned (and others). While social network services offer a new range of opportunities for communication and real-time exchange of all kinds of information, the use of these services can also place the privacy of its users and others at risk: Personal data about individuals become publicly (and globally) available in an unprecedented way and quantity, including huge quantities of digital pictures and videos. Individuals face the possible loss of control over how data will be used by others once they are published on the network: While the community basis of social networks suggests that publishing one s own personal data would just resemble sharing information with friends as it used to be face-to-face, profile information may in fact be available to an entire subscriber community (numbering in the millions). Very little protection exists at present against copying any kind of personal data from profiles by other network members, or by unauthorised third parties from outside the network and using them for building personal profiles, or re-publishing the data elsewhere. It can be very hard and sometimes even impossible to have information thoroughly removed from the Internet once it is published: Even after deletion from the original site (e.g. the social network), copies may rest with third parties or with the social network service providers. Personal data from profiles may also leak outside the network when they are indexed by search engines. In addition, some social network service providers make user data available to third parties via application programming interfaces, which are then under control of these third parties. One example of secondary uses that has gained wide public attention is the practice of company personnel managers crawling user profiles of job applicants or employees: According to press reports, one third of human resources managers already admit to use data from social network services in their work, e.g. to verify and/or complete details of job applicants. 1 A social network service focuses on the building and verifying of online social networks for communities of people who share interests and activities, or who are interested in exploring the interests and activities of others [ ]. Most services are primarily web based and provide a collection of various ways for users to interact [ ]. Quoted from Wikipedia: http://en.wikipedia.org/wiki/social_network_service.

Profile information and traffic data are also used by providers of social network services for delivering targeted marketing messages to their users. It is very likely that other unexpected uses for the information in user profiles will emerge in the future. Other specific privacy and security risks already identified include increased risks of identity fraud fostered by the wide availability of personal data in user profiles, and by possible hijacking of profiles by unauthorised third parties. The 30th International Conference of Data Protection and Privacy Commissioners recalls that these risks have already been analyzed in the Report and Guidance on Privacy in Social Network Services ( Rome Memorandum ) 2 of the 43 rd meeting of the International Working Group on Data Protection in Telecommunications (3-4 March 2008), and in the ENISA Position Paper No.1 Security Issues and Recommendations for Online Social Networks 3 (October 2007). The Data Protection and Privacy Commissioners convened at the International Conference are convinced that it is necessary, in the first place, to carry out an in-depth information campaign involving all public and private stakeholders from governmental authorities to educational institutions, such as schools, from providers of social network services to consumer and user associations, and including the Data Protection and Privacy Commissioners themselves in order to prevent the multifarious risks associated with the use of social network services. Recommendations Given the special nature of the services, and short and long term privacy risks to individuals, the Conference offers the following recommendations to users and providers of social network services: Users of Social Network Services Organisations having an interest in the wellbeing of users of social networks including service providers, governments and Data Protection Authorities should help educate users to protect their personal data and communicate the following messages. 1. Publication of information Users of social network services should consider carefully which personal data if any they publish in a social network profile. They should keep in mind that they may be confronted with any information or pictures at a later stage, e.g. in a job application situation. In particular, minors should avoid revealing their home address or telephone number. Individuals should consider the usefulness of using a pseudonym instead of their real name in a profile. However, they should keep in mind that the use of pseudonyms offers limited protection, as third parties may be able to lift such a pseudonym. 2. Privacy of other individuals Users should also respect the privacy of others. They should be especially careful with publishing personal information about somebody else (including pictures or even tagged pictures) without that other person s consent. 2 http://www.datenschutz-berlin.de/attachments/461/wp_social_network_services.pdf?1208438491 3 http://www.enisa.europa.eu/doc/pdf/deliverables/enisa_pp_social_networks.pdf 2

3

Providers of Social Network Services Providers of social network services have a special responsibility to consider and act in the interests of individuals using social networks. In addition to meeting the requirements of data protection law they should also implement the following recommendations. 1. Privacy regulations and standards Providers operating in different countries or even globally should respect the privacy standards of the countries where they operate their services. To that end, providers should consult with data protection authorities as necessary. 2. User information Providers of social network services should inform their users about the processing of their personal data in a transparent and open manner. Candid and intelligible information should also be given about possible consequences of publishing personal data in a profile and about remaining security risks, as well as about possible legal access by third parties (including e.g. law enforcement). Such information should also comprise guidance on how users should handle personal information about others contained in their profiles. 3. User control Providers should further improve user control over the use of their profile data by community members. They should allow for restriction of visibility of entire profiles, and of data contained in profiles, and in community search functions. Providers should also allow for user control over secondary use of profile and traffic data; e.g. for targeted marketing purposes. As a minimum, opt-out for general profile data, and opt-in for sensitive profile data (e.g. political opinion, sexual orientation) and traffic data should be offered. 4. Privacy-friendly default settings Furthermore, providers should offer privacy-friendly default settings for user profile information. Default settings play a key role in protecting user privacy: It is known that only a minority of users signing up to a service will make any changes. Such settings must be specifically restrictive when a social network service is directed at minors. 5. Security Providers should continue to improve and maintain security of their information systems and protect users against fraudulent access to their profile, using recognised best practices in planning, developing, and running their applications, including independent auditing and certification. 6. Access rights Providers should grant individuals (regardless of whether they are members of the social network service or not), the right to access and, if necessary, correct all their personal data held by the Provider. 7. Deletion of user profiles Providers should allow users to easily terminate their membership, delete their profile and any content or information that they have published on the social network. 8. Pseudonymous use of the service Providers should enable the creation and use of pseudonymous profiles as an option, and encourage the use of that option. 4

9. Third party access Providers should take effective measures to prevent spidering and /or bulk downloads (or bulk harvesting) of profile data by third parties 10. Indexibility of user profiles Providers should ensure that user data can only be crawled by external search engines if a user has given explicit, prior and informed consent. Non-indexibility of profiles by search engines should be a default setting. 5

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information