Attention data subjects! Recommendations on publishing personal data on social networks
In light of the significant growth in the number of social networks over the last decade and the pressing need to protect the privacy of individuals’ personal data, the National Centre for Personal Data Protection (NCPDP) has the following recommendations:
With the appearance of social networks such as Twitter, Tumblr, Facebook, Telegram, Instagram, LinkedIn, TikTok, Snapchat, etc., social life has changed dramatically. These networks have become a powerful tool for socialising, making new friends and acquaintances, sharing photos and videos, or promoting information. People easily share news, pictures, personal opinions and almost anything that happens in their lives. Disclosure of personal data creates a favorable environment for advertising companies, people launching charity appeals (fake fundraisers for humanitarian purposes), people seeking revenge and cyber criminals, and could involve the collection of sensitive data about people’s online activities, interests, personal characteristics, political views, habits and behaviors.
The personal information a person posts online, along with data describing their actions and interactions with others, can create a comprehensive profile that may contain that person’s activities and passions.
Broadly speaking, social networking services (SNSs) can be defined as online communication platforms that allow people to join a network or create communities/groups of like-minded users. SNSs share certain common characteristics:
– users are invited to provide personal data for the purpose of creating so-called “accounts/profiles”, which contain a personal description;
– SNSs also offer tools that allow users to publish their own material (user-generated content such as photos, music, videos or links to other sites);
– “social networking” is facilitated by the use of tools that provide each user with a contact list through which users can interact with each other.
In terms of the national legislative framework governing the protection of personal data, SNS providers are data controllers. They provide the methods for processing user data and provide all the “basic” means/services related to user management (e.g. registration and deletion of user accounts). Application providers may also be data controllers if they create applications that work/run alongside the SNS and if users decide to use such an application.
In most cases, users are considered to be data subjects. Data protection law does not impose obligations of a data controller on a natural person – a user who processes personal data “in the course of an exclusively personal or domestic activity” – the so-called “domestic activities exception”.
However, in certain situations, the activities of an SNS user may not be covered by the domestic activities exception and the user may be deemed to have taken over some of the obligations of a data controller, in which case the provisions of data protection legislation must be respected.
Thus, the SNS user will be considered a controller and the domestic activities exception will not apply in the following situations:
– The user is acting on behalf of a company, an association or any other entity, or is using the SNS specifically as a platform to promote commercial, political or charitable objectives. In this case, he/she is a data controller and is responsible for disclosing personal data to another data controller (the SNS) and to third parties (other SNS users or other possible data controllers who have access to these data). In these situations, the user must have the consent of the data subjects or invoke another legitimate ground provided for by Law No 133/2011 on personal data protection.
– In general, access to the data (profile data, postings, reports…) with which a user operates/acts is limited to the contacts selected by the user. However, in certain situations, the user’s list of third party contacts may expand, without the user being aware of some contacts having access to his/her account. A high number of contacts may be an indication that the domestic activities exception does not apply and that the user may be considered a data controller. Thus, if access to profile information extends beyond the contacts selected by the user, as in the case of granting access rights to a profile to all SNS members, or where data is indexable by search engines, access is not limited to the personal or domestic domain. Similarly, if a user makes an informed decision to extend access to his or her profile by accepting more people beyond the selected “friends”, he or she will have to assume the responsibilities of a data controller.
– It should also be noted that even if the domestic activities exception does not apply, the SNS user may benefit from other exceptions, such as the exception for journalistic, artistic or literary purposes. In these cases, a balance must be struck between freedom of expression and the right to privacy.
Last but not least, it should be noted that even where the domestic activities exception applies, a user may be held liable under the general provisions of the relevant national civil or criminal law (e.g. defamation, tort liability for infringement, criminal liability).
Accordingly, SNS users must exercise the utmost caution about what personal data they publish, what they write in public, what photos/videos or audio recordings they post and whom they trust on a social network.
At the same time, the NCPDP warns that the collection and processing of personal data on social networks, like any data processing, must be carried out in strict compliance with the provisions of the Personal Data Protection Law, and the personal data being processed must be: processed fairly and lawfully; collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes; adequate, relevant and not excessive in relation to the purpose for which they are collected and/or further processed.
Thus, the NCPDP urges data subjects to protect their privacy before publishing or sharing certain information on social media or any other online platform.
It is very important that social media users read carefully and understand:
– Privacy terms (e.g. content that can be shared with a third party, ability to remove content from the site, etc.);
– Site features (e.g. who can see your messages, whether it will be only specified recipients or all users on the platform, etc.);
– What biographical information should be provided (e.g. biographical data such as full name, year of birth, age or address should only be used when registering your account and not given to other users on social networks);
– Account information (e.g. sensitive information such as: school attended, political affiliation, bank account information, place of residence/domicile, etc. should never be provided);
– Who the potential “Friends” are (e.g. by analysing their profile to understand who they are, what they do and what kind of content they distribute);
– The need to disable the location sharing features of the gadget being used;
– Extreme caution when posting photos/video or audio recordings online (it could be very difficult to delete them, as in the case of metadata or if someone has copied, shared or distributed them on other sites or social networks), etc.
Even though it is quite difficult to control privacy on social networks, it is not impossible. The NCPDP emphasises the responsibility of every citizen to ensure the protection of personal data, and the security and privacy of this data must be a priority.