The Spanish Data Protection Agency has issued a report called the “Study on privacy of personal data and information security on online social networks” in collaboration with INTECO (the Instituto Nacional de Tecnologías de la Comunicación).
This report provides a study of users’ profiles on social networks and the risks they are exposed to, principally in relation to personal data. It also provides information on what measures have been adopted or must be adopted by social network providers in order to avoid those risks.
The report states that the legal framework applicable to social network providers in Spain consists of data protection law (Organic Law 15/1999 on the Protection of Personal Data, based on Directive 95/46/CE) and the law on information society service providers (Law 34/2002 on Information Society Services and Electronic Commerce).
Based on an analysis of a wide spectrum of different social networks (about 75 in total), the Agency has identified certain common areas that all of them should improve, in both legal and technological aspects, for example:
o Conditions of use are usually located in areas that users find difficult to access.
o The conditions of use are confusing and too long.
o The conditions of use are difficult to understand for a normal user with no legal and technological background.
o Security measures are not strong enough to protect users.
o There is not enough training for users about how to configure their profiles and the advantages of restrictions on a profile’s publication.
o Changes should be made to the setup defaults for the privacy level (it does not always default to the maximum level).
o Control of the indexing and storage of profiles by search engines.
o Networks have not implemented identification systems to check users’ ages.
o Systems for remote identification of users through certified digital signatures must be established.
One of the main topics of the report was the protection of minors on social networks. In addition to the report, the Director of the Agency, Mr. Artemi Rallo, expressed his views on this matter in his appearance at Congress on June 17. The Director said that he was extremely worried about the risks that minors face on certain internet services, particularly as they are making public personal data such as their email address, instant messaging ID or phone number, which makes them easily contactable.
The Director emphasised certain specific risks that he thought minors are exposed to on social networks: access to content inappropriate for their age; possible contact with malicious users; and the proliferation of personal and graphic information about them, published by themselves or by third parties without noticing the potential risks. Furthermore, he announced that the Agency is encouraging social networks to implement real and efficient measures for checking users’ ages and to exclude users who are under 14 years old.
Datonomy will follow with interest whether the report and the statements by the Director of the Spanish Data Protection Agency lead to any changes in the way that social networks treat personal data.