
Even though SNSs are relatively recent, it does not mean that they exist in a juridical vacuum. Discussions regarding the existence of a separate social media law have emerged.

As Daniel Solove aptly phrased it: “[n]ew technologies rarely give rise to questions we have never addressed before. More often they make the old questions more complex.”994, 995

991 On Facebook an event can be public (everyone sees it) or private (only invited guests see it), while a group can be public (everyone can see the members of the group and the posts in it), closed (the members are visible by everyone, but the posts are not) or secret (only people who have been granted access can see the members and the content).

992 On the functioning and challenges related to social network sites – such as the content published, the elusive concept of “friends” or the use of privacy settings – see also: Vallet 2012

993 Sprague 2011. p. 15.; Kajtár – Mestre 2016. pp. 24–25.

994 Solove 2007. p. 105.

995 Bill Thompson expresses a similar opinion stating that these new innovations of the online world do not raise fundamentally new questions compared to the physical world. Thompson 2007. pp. 222–223.

Indeed, applying existing rules – that were adopted in a different context – to these new phenomena can entail difficulties.996 However, in the Anglo-Saxon community there is a tendency to treat these problems as separate,997 specific to social media, resulting in the creation of a “social media law”.998 In contrast to this approach, Valère Ndior suggests that SNSs should be attached to the already existing legal categories.999 George Weir, Fergus Toolan and Duncan Smeed also argue that SNSs do not raise fundamentally new challenges but alter already existing threats.1000 Based on the above, I hold the view that there is no need to create a new social media law for employee privacy; instead, it should be examined whether and with what alterations already existing provisions can regulate the question.1001

§1. Documents addressing social network sites and privacy/data protection

Despite the existence of the general data protection framework (such as the DPD or the GDPR), it is welcome that different organs and institutions have recognized the importance of SNSs and the need to address them specifically. As a result, they adopted various documents specifically targeting social media and data protection law. These documents usually emphasize the topicality and the importance of the subject and raise awareness of the privacy/data protection risks SNSs can cause. However, they do not provide exhaustive guidance, nor are they legally binding.

Among these documents, the first was the European Union Agency for Network and Information Security’s (hereinafter referred to as: ENISA) position paper, entitled Security Issues and Recommendations for Online Social Networks (October 2007). In this document, ENISA recognizes the expansion of SNSs, analyses the different risks posed by them (such as data aggregation, secondary collection, identity theft or stalking) and gives recommendations in response to these risks, emphasizing the importance of raising awareness, reviewing the existing regulations or suggesting technical solutions.

In 2009, the WP29 adopted Opinion 5/2009 on online social networking.1002 The Opinion adopts a more practical point of view through the analysis of how the main points of the DPD could be applied to SNSs (such as who the data controller is, data security measures, how data subjects could exercise their rights, what information shall be provided to them, etc.). In 2018, the WP29 expressed its full support for the investigations conducted by national DPAs, taking place to examine recent data protection scandals (e.g. Cambridge Analytica) and announced the establishment of a Social Media Working Group to develop a long-term strategy on the issue.1003

996 Costes 2011. p. 137.

997 Eric Goldman describes what phases Internet (and SNS) regulation went through and what exceptions were applied to it, treating it as a new emerging field of law. https://blog.ericgoldman.org/archives/2009/03/the_third_wave.htm (Accessed: 20 January 2019).

998 Ndior 2015. p. 11.

999 Ndior 2015. pp. 11–12.

1000 Weir – Toolan – Smeed 2011. p. 38.

1001 Besides the implications for employment and privacy and/or data protection, SNSs raise a multitude of legal questions in fields such as cyber bullying, providing proof in legal proceedings, defamation and libel, etc. For more on law and social media and/or SNSs see in: Stewart, Daxton R. (ed.): Social media and the law: a guidebook for communication students and professionals. Routledge, New York and London, 2013.; Lambert 2014.

1002 WP29 (2009) Opinion 5/2009 on online social networking. 01189/09/EN WP 163.

In the same year, different major SNS providers signed an agreement, entitled Safer Social Networking Principles for the EU, in consultation with the European Commission.1004 This agreement especially targets the protection of young users and minors, and aims to give guidance regarding how to minimize potential harm to them by outlining different best practices.1005 The document outlines the principles by which SNS providers should be guided as they seek to help minimize potential harm to children and young people, and recommends a range of good practice approaches which can help achieve those principles.

Another very important document is the “Rome Memorandum”, issued by the International Working Group on Data Protection in Telecommunications1006 (hereinafter referred to as: IWGDPT) in March 2008.1007 In this document, the IWGDPT describes the change of paradigm in the sharing of personal data, both regarding its unprecedented scale and the novelty that the data are published at the initiative of the user himself/herself.

The Memorandum details the risks related to social network sites (such as the fact that the Internet does not forget, the deceptive notion of “friends” and community, and the possible vetting of these sites by the employer, to mention just a few examples that can also have relevance in the employment context) and then provides guidance to regulators and to the providers of these services on how these risks could be reduced.

In October 2008, the 30th International Conference of Data Protection and Privacy Commissioners1008 adopted the Resolution on Privacy Protection in Social Network Services. The Resolution briefly describes the new challenges posed by social network sites and provides recommendations not only to service providers but also to users. The recommendations addressed to users include a call for increased awareness on their part (notably regarding the use of pseudonyms and considering that they might be later confronted with the shared information, for example, during a job interview) and draw attention to the importance of respecting other individuals’ privacy.1009

In 2011, the Council of Europe’s Parliamentary Assembly adopted a resolution on The protection of privacy and personal data on the Internet and online media,1010 in which the CoE emphasized the importance of privacy and data protection in the age of ICT developments. In 2012, the CoE adopted its Recommendation on the Protection of Human Rights with Regard to Social Networking Services.1011 The Committee of Ministers emphasized the growing role of SNSs in promoting (or hindering) the exercise or enjoyment of human rights. The Appendixes of the Recommendation draw attention to what measures should be taken in order to make users capable of dealing with these platforms, how children and young people can be protected and how these platforms could operate.

1003 https://edps.europa.eu/sites/edp/files/publication/18-04-11_wp29_press_release_en.pdf (Accessed: 20 January 2019)

1004 https://ec.europa.eu/digital-single-market/sites/digital-agenda/files/sn_principles.pdf (Accessed: 20 January 2019)

1005 https://ec.europa.eu/digital-single-market/sites/digital-agenda/files/sn_principles.pdf (Accessed: 20 January 2019) p. 1.

1006 The International Working Group on Data Protection in Telecommunications (also called Berlin group as the secretariat is provided by the data protection authority of Berlin) was established in 1983 at the initiative of national data protection authorities in the world. It has among its members national data protection authorities, as well as representatives from the private and NGO sectors. https://edps.europa.eu/data-protection/data-protection/glossary/b_en (Accessed: 20 January 2019). Although the IWGDPT adopts proposals and recommendations that are not legally binding, due to its composition, these documents can serve as important guidelines for countries as well.

1007 International Working Group on Data Protection in Telecommunications (2008) Report and Guidance on Privacy in Social Network Services – “Rome Memorandum”. 675.36.5. Rome

1008 The International Conference of Data Protection and Privacy Commissioners is a global forum of data protection authorities, established in 1979, seeking to provide leadership in relation to privacy and data protection on an international scale. The Conference is held at least once a year.

1009 30th International Conference of Data Protection and Privacy Commissioners 2008. p. 2.

1010 CoE: The protection of privacy and personal data on the Internet and online media. Resolution 1843 (2011)

Regarding the merits and shortcomings of these international legal documents, these documents are significant in acknowledging the importance of SNSs in modern societies and in recognizing the need to provide legal regulation. They identify the possible risks and suggest different solutions to cope with them, contributing to enhancing privacy and data protection, and also to raising awareness of the issue.

Still, since these documents do not have obligatory force, their enforcement in practice might face certain difficulties. As regards our subject, another significant shortcoming is that these documents dealt with the question of SNSs from a general point of view and did not focus specifically on employment. Despite the lack of a document exhaustively addressing employment and SNSs, it is a great achievement that the latest documents on privacy and data protection at work at least mention social network sites. Still, these documents usually contain only a few provisions; they do not regulate the question exhaustively. Among these documents, the CoE’s recommendation of the Committee of Ministers to member States on the processing of personal data in the context of employment (2015)1012 and the Article 29 Data Protection Working Party’s opinion on data processing at work (2017)1013 should be mentioned. These provisions will be addressed in detail in Part II.

§2. Social network sites and data protection

Despite the fact that the general data protection regime – such as earlier the DPD and now the GDPR – is applicable to SNSs, in practice it is not always obvious how the general data protection rules laid down in different documents should be applied in the context of SNSs. These “general” questions might concern the qualification of data controllers and the application of the household exemption, as well as the lawful ground for processing.1014 Regarding employment – among the general data protection provisions – the principles of data processing and transparency have special significance.

1011 CoE: Recommendation CM/Rec(2012)4 of the Committee of Ministers to member States on the protection of human rights with regard to social networking services, 2012

1012 “5.3. Employers should refrain from requiring or asking an employee or a job applicant access to information that he or she shares with others online, notably through social networking.”

1013 See the section “5.1 Processing operations during the recruitment process”.

1014 On these questions see especially: WP29: Opinion 5/2009; Van Eecke – Truyens 2010.; Kosta, Eleni et al.: Data protection issues pertaining to social networking under EU law. Transforming Government: People, Process and Policy, 4(2), 2010. pp. 193–201.; Van Alsenoy, Brendan et al.: Social networks and web 2.0: are users also bound by data protection regulations? Identity in the Information Society, 2(1), 2009. pp. 65–79.; Garrie, Daniel B. et al.: Data Protection: The Challenges Facing Social Networking. Brigham Young University International Law & Management Review, 6(2), 2010. pp. 127–152.; Wong, Rebecca – Savirimuthu, Joseph: All or Nothing: This is the Question? The Application of Art. 3(2) Data Protection Directive 95/46/EC to the Internet. John Marshall Journal of Computer & Information Law, 25(2), 2008. pp. 241–266.

From a general data protection aspect, different questions need to be answered regarding data protection principles. Organizational data controllers must comply with the data protection principles. Different questions arise in relation to the principle of proportionality and necessity. First, when a user decides to register on an SNS, the question is whether the personal data that the user is obliged to provide in order to create an account are indeed necessary to use the service (e.g. being obliged to use his/her real name, or having the possibility to choose a pseudonym).1015 As regards the storage of personal data, questions might also arise in relation to necessity and proportionality, as infringements are possible. An extreme example is pointed out by Evelyne Sørensen, who described how Facebook users could not practice self-censorship because even if they started to type something, then decided not to post but to delete it, Facebook stored that information.1016 Up-to-dateness might also be questioned, as on these sites personal data dating back several years can be aggregated. A solution might be to set the default settings to delete personal data published by users after a determined period (for example, 3 years); users who wish otherwise should take active steps and change the default settings.

Transparency is a crucial question as well. SNS operators lay down the rules and the conditions of using their services in their privacy policy in a unilateral document, the terms of which are solely defined by the site operator. The user does not have the possibility to negotiate those terms and conditions and has to accept them when registering to the service.

Theoretically, users can learn more about data processing operations from these policies; in practice, however, various difficulties arise: because of the lengthy wording, users usually do not read such policies, and even if they read them, they do not understand their provisions, and even if they understand them, they do not have the necessary background knowledge in order to make an adequate, informed decision.1017

Although the data protection principles were examined above from a general angle, these issues might be relevant in the employment context as well. Having the possibility to use these sites under a pseudonym might “break” the connection between the employee and the employer, as it would make the identification of the user more difficult for a third party (compared to cases when the employee uses his/her real name and may even identify the employer on his/her profile).1018 Likewise, the aggregation of less data by default would result in employers being able to trace only a limited past of the prospective employee or the employee.

Privacy policies in their present form do not enable an average user to truly exercise control over his/her personal data. Informing users and raising awareness amongst them in a more appropriate, user-friendly way might enable more users to exercise their rights in a more conscious way and might contribute to their better understanding of the functioning of SNSs and the stakes relating to the processing of their personal data.

1015 WP29: Opinion 5/2009. p. 11.

1016 On this issue see more in: Sørensen, Evelyne J. B.: The post that wasn’t: Facebook monitors everything users type and not publish. Computer Law and Security Review, 32(1), 2016. pp. 146–151.

1017 Solove 2013. p. 1888.

1018 This does not mean, however, that hiding under a pseudonym would in any case enable employees to escape from all responsibility.