When private persons use social networking services (e.g. Facebook, Twitter, GooglePlus) on the Internet these days, hardly anyone thinks about legal obligations for these users under the current data protection regime. Why should natural, private persons be considered “data controllers” in the sense of Art. 2 (d) of the European data protection directive (95/46/EC) if they share photos or write comments? They are only acting in a private and personal capacity. Well, this view might be true from a factual perspective. But with regard to European data protection law, the Article 29 Working Party (an independent European advisory body on data protection, formed by representatives of European data protection authorities) already held in a 2009 opinion (PDF) that “a high number of contacts could be an indication that the household exception does not apply and therefore that the user would be considered a data controller”. Conclusion: if you share a photo, name etc. with many people on Facebook, you might be a data controller in the eyes of data protection authorities and would therefore have to prove the lawfulness of the respective data processing operation.
The household exception
The so-called “household exception” is enshrined in Art. 3 para 2 of the European data protection directive: “This Directive shall not apply to the processing of personal data by a natural person in the course of a purely personal or household activity”. The European Court of Justice, in its famous “Lindqvist” decision (C-101/01), held that this exception must be interpreted as “relating only to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the internet so that those data are made accessible to an indefinite number of people”. This interpretation (of a law enacted in 1995) of course does not reflect the actual circumstances in our digitized world.
Help is on its way?
As many of our readers will know, the future European General Data Protection Regulation (GDPR) is currently being negotiated by European member states in the Council of the European Union (Council). After the European Commission presented the draft of the GDPR in January 2012 and the European Parliament adopted its position in March 2014, the Council of the European Union is the last institution to examine the draft law before informal tripartite meetings (Trilogue) between the three institutions may begin.
In a recently published Council document (PDF), recital 15 of the GDPR has been amended in a way that might significantly extend the scope of the household exception. The Council included the following second sentence in the recital: “Personal and household activities include social networking and on-line activity undertaken within the context of such personal and household activities”. If a user shares personal data with a large number of people, this might very likely fall under the notion of “social networking activity”. But would this activity still be considered to be “personal”? To answer this question, one has to examine the (also amended) first sentence of recital 15: “This Regulation should not apply to processing of personal data by a natural person in the course of a personal or household activity, and thus without a connection with a professional or commercial activity”. So, as long as a private user shares photos or posts comments in a social network that contain personal data, this data processing operation shall be regarded as being “personal” if there is no connection to his or her commercial or professional activity, even if an undefined number of persons would be able to read or access this information. Of course, these amendments to the GDPR are only proposals by the Council and might not make it into the final version of the law. Nevertheless, it is recognizable that the Council is trying to extend the scope of the household exception and to exclude data processing operations by private persons from the legal obligations of the GDPR.