The popularity of social networking sites has increased dramatically over the past decade. A recent report indicated that thirty-eight percent of online users have a social networking profile. Many of these social networking site users (SNS users) post or provide personal information over the internet every day. According to the latest OfCom study, the average adult SNS user has profiles on 1.6 sites and most check their profiles at least once every other day. However, the recent rise in social networking activity has opened the door to the misuse and abuse of personal information through identity theft, cyber stalking, and undesirable screenings by prospective employers. Behavioral advertising programs have also misused personal information available on social networking sites. Society is now facing an important question: what level of privacy should be expected and required within the social networking environment? As social networking technology has raced forward, it has left corresponding legislation in the dust. Although several countries have enacted various laws governing personal data protection to address this growing problem, these data protection laws have remained sorely inadequate to protect personal information in the social networking environment. In this Article, we wish to focus our attention on the Data Protection Directive 95/46/EC (DPD), which the European Commission enacted in 1995. It was drafted long before the web 2.0 era, and therefore without social networking in mind. As we will explain below, strictly applying the DPD to some SNS users – in particular, those acting as “data controllers” under the DPD – is highly problematic and impractical. To understand why, we will first explain more about the DPD – namely, its definitions and what it requires of those falling under the definition of “data controller.” Modest recommendations are also made to the current data protection framework to respond to social networking concerns.

To read the full article, go to BYU Law Library