Who is the controller in social networking sites?

February 14th, 2010, Tomasz Rychlicki

The question of who is the “controller”, and the difference between a “controller” and a “processor” as defined in Article 2(d) and (e) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, is at the very least controversial in the context of social networking sites (SNS), and not only in Polish case law. See, for instance, T. Zeggane, W. Maxwell, US and EU Authorities Review Privacy Threats On Social Networking Sites, Ent. L.R. 2008, 19(4), 69-74.

The second area requiring clarification is the concept of “data controller” in an SNS environment. Under European privacy law, the controller is the entity which determines the purposes and means of the processing of personal data. In an SNS context, there are two broad categories of data: the information that the user provides to the SNS platform to register (such as the user’s real name and email address), and the data that the user uploads onto his or her profile. The former is personal data which the SNS platform controls. The latter is “user generated content”, which the user controls and can choose to share (or not) with others. Some SNS platforms provide the user with tools to control the extent to which information such as photos, personal tastes and the like are used to develop targeted advertising. Where such tools exist, the argument can be made that the user (and not the SNS platform itself) is the “controller” of the content the user uploads onto the profile. The concept of data controller is the cornerstone of European privacy law. The concept of controller as it is traditionally interpreted does not fit easily into the SNS environment, where the user is the focal point

As the passage above shows, the authors suggest that the concept of “controller” requires clarification in the SNS context. A similar view was also presented in the report of the European Network and Information Security Agency (ENISA), “Security Issues and Recommendations for Online Social Networks”, PDF file, p. 25.

See also “Polish regulations on personal data protection” and “Polish case law on personal data protection”.