Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

Marc Gallardo * marc.gallardo@alliantabogados.com

It’s an undeniable fact that Social Network Sites (SNSs) are a part of our lives and it looks as though they are here to stay. ey have grown exponentially. Facebook, alone, has more than 800 million registered users. Besides this internationally known platform, there are many others quickly gaining followers thanks to the spiral effect inherent to these networks: Twitter (200 million users), LinkedIn (120 million users), Tuenti (headquartered in Madrid and 10 million users) and more recently Google+ (which in its short lifetime, has already accumulated 40 million users) are all well-known success stories. us, it is very difficult nowadays to escape from the force of attraction that these social communication platforms exercise on us and our more or less immediate environment, both personally and professionally. Without going into details, there is undoubtedly something about SNSs because ever more suppliers and users are investing more of their time and resources in them.

Nonetheless, this article is focused on various legal constraints arising from its set-up and use by all the players involved, starting with another undeniable fact: the main business of these SNS consists of commercially exploiting a large quantity and quality of personal data we provide their owners in exchange for using their platform for free. Based on this, it is commonplace to refer to the risks of using these networks for people’s personal lives and, particularly, for minors who form the fasted-growing group on the networks and use them the most. Within the context of this new social network and Web 2.0 phenomenon, the legal issues raised are very diverse. is article focuses on identifying some of them exclusively from a privacy perspective and by using European personal data protection law as a reference in addition to the recommendations issued by some authorities, with an emphasis on the Spanish situation and the $rst resolutions passed by the Spanish Data Protection Agency (AEPD, as it is known by the Spanish acronym) sanctioning Web 2.0 conducts.

SUMMARY: 1. INTRODUCTION.- 2. LEGAL FRAMEWORK.- 3. REVISING DATA PROTECTION PRINCIPLES IN THE SCOPE OF SNSs: 3.1. Requirements of consent provided by SNS users; 3.2. Users can be data controllers; 3.3. Minors.- 4. LAW APPLICABLE TO SNSs.- 5. CONCLUSION.

___________________________________________________________________________

* Partner, Alliant Abogados Asociados S.L.P. and Head of the New Technologies and Data Protection Area. University of Barcelona (IL3) Professor of post-graduate courses on very different subjects in the "elds of trade and technology law.

Alliant Abogados is on Twitter, Facebook and Google+. If you’d like more information, you can visit our legal "rm's website www.alliantabogados.com and the LinkedIn pro"le: http://www.linkedin.com/in/marcgallardo

is article is disseminated under a BY-NC-ND Creative Commons license. You can download the electronic version of this document and keynote presentation in our legal "rm's website.

PRIVACY AND ONLINE SOCIAL NETWORKS

2

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

1. INTRODUCTION.

Before reviewing the main challenges SNS pose to people’s private lives, I shall brie$y explain what they are and how they work.

Broadly speaking, SNSs can be de"ned as Information Society Services1 that offer users an Internet communication platform to generate a pro"le with their personal data, facilitating the creation of networks based on common criteria and permitting users to connect and interact with each other. eir growth model is primarily based on a viral process whereby an initial number of users offer others the possibility of joining by sending e-mail invitations.

SNSs are just one more manifestation of what is known as the Web 2.02, where users are no longer mere spectators as they create and deposit information on the Internet. us, in this new framework the Internet has evolved towards, users are not just passive subjects who turn to the net exclusively to obtain some type of service or information, but rather they become active subjects who contribute information (their own or a third party’s) and interact with other users.

ere are many online social networks of all types, although they can be grouped into two major categories: generalist or leisure and professional3.

e main objective of generalist or leisure networks is to facilitate and strengthen personal relations among the individuals joining them. In general, these networks offer a large variety of applications and/or functionalities allowing users to do without external communication tools by making a platform available that integrates all of the necessary applications on a single screen.

It is "tting to establish sub-categories considering the purpose or theme of these networks: a) Information and content exchange platforms such as Youtube and Google Video which offer free, easy to use tools for exchanging and publishing digital content (videos, photographs, etc.) in order to later link to them in one’s pro"le on the network used; b) Pro!le-based networks such as Facebook, Google+, MySpace and Tuenti, the most representative and most-used of the social networks which offer more and more new possibilities for communicating and interacting with other users; and c) Microblogging or nanoblogging networks such as Twitter which allow you to send text messages (limited to 140 characters) to other users in the same network in order to inform them of activities, thoughts and opinions (your own or others’) you wish to share for some reason (social integration, professional promotion, fun, etc.).

Professional social networks are con"gured as support tools for establishing professional contacts with other users (for example, LinkedIn). ey are created and designed for the purpose

1 at is to say, any service normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services (Directive 98/34/CE).

2 e term Web 2.0 is associated with web applications that facilitate participatory information sharing, interoperability, user-centered design and collaboration on the World Wide Web. A Web 2.0 site allows users to interact and collaborate with each other in a social media dialogue as creators (prosumers) of user-generated content in a virtual community, in contrast to websites where users (consumers) are limited to the passive viewing of content that was created for them. Examples of Web 2.0 include social networking sites, blogs, wikis, video sharing sites, hosted services, web applications, mashups and folksonomies (http://en.wikipedia.org/wiki/Web_2.0).

3 is classi"cation was obtained from the Study on Personal Data Privacy and the Security of the Information on Online Social Networks, published by the Spanish National Communication Technologies Institute (INTECO) in collaboration with the AEPD; pp. 45 et seq.

3

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

of making contacts and maintaining professional relations with different people that may be of interest to the user.

Notwithstanding, there is an ever-growing trend to use networks initially con"gured for leisure and the exchange of personal information such as Facebook and Twitter for professional reasons meaning both SNS categories can easily be confused at the sole decision of the users, who, make the "nal decision at all times as to how to con"gure their space on the social network and for what purposes.

Another common aspect of SNSs lies in that, irrespective of their design or aim, in all reality they are databases that feed off of information of all kinds provided by users. ese databases are exposed to very sophisticated, continuous data mining techniques with an aim to make money off or pro"t from the platform as much as possible, offering targeted and speci"c advertising of products and services based on the information gathered in relation to user interests.

erefore, users utilize the social network for free, but not without “associated costs” as the price they (we) pay, many times unknowingly, is the commercial exploitation of their "pro"le" by the platform owners who generate most of their revenue with the advertising spread through the spaces network users create and those they access.

In general, SNSs operate in three phases: registration, usage and deletion from the social network. And in each one of these phases a series of conducts can often be identi"ed, performed by the different parties intervening in each one of these processes (typically the SNS provider and the service user), that can constitute serious personal data protection threats for members and non-members of any of the social networks.

At the time of registration, the SNS privacy policy may not be sufficiently clear and transparent to users or it may not accurately inform them of each and every one of the purposes for which their data will be used and they are not given the option to opt out of certain data processing. Likewise, the privacy options pre-set by default on the social network may be the most permissive for data publication even allowing for indexing by search engines. And when it comes to minors, there is a danger that the SNS provider does not implement effective measures to verify the age of their users and determine whether, in certain cases, parental or guardian consent is required to process their data4.

When using the service, the SNS provider may engage in invisible data processing (for example, through the IP address or the installation of a cookie on the user’s personal computer) without having duly informed the affected party or, consequently, obtained the necessary consent to do so. As far as SNS users, they may be responsible for the processing of the third party data they publish or spread through the social network without the third party's consent. It also can be difficult for users as well as people not affiliated with the SNSs whose data is processed in such virtual environments to exercise their rights of access and recti"cation.

Finally, when trying to delete an account, users can "nd that their data is not eliminated, or at least not completely, which raises great doubts about their right to have the SNS provider cancel their data.

4 Pursuant to Spanish law, parental authorization is required in order to process data on minors under 14 years of age.

4

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

2. LEGAL FRAMEWORK.

In Europe, the SNS regulatory framework concerning personal data protection is basically represented by two Directives: General Directive 95/46/EC5 and e-Privacy Directive 2002/58/EC6 (as per the "nal version provided by Directive 2009/136). Each one of the 27 EU Member States has incorporated the principles and aims of both Directives into their respective laws7. In the case of Spain, this has been done through Organic Law 15/1999, of 13 December, concerning Personal Data Protection (LOPD, as it is known by its Spanish acronym), Royal Decree 1720/2007, of 21 December, which enforces the LOPD, and Law 34/2002, of 12 June, on Information Society Services and Electronic Commerce (LSSI, as it is known by its Spanish acronym8).

Speci"cally, the General Directive applies to SNS providers as they are considered the data controllers9. In effect, they are the ones that provide the resources that make it possible to process user data as well as all of the "basic" services linked to user management such as account registration and deletion. ey are also the ones who decide how user data may be used for advertising purposes including third-party advertising which, let’s not forget, constitutes the most important source of revenue for an SNS10. As individuals obliged to comply with the provisions of the General Directive, SNS providers must respect a series of basic principles according to the internal Member State rules to which they are subject and which, in practice, translates into the following obligations:

• To register personal data "les they are responsible for with the National Data Protection Control Authority (the AEPD, in Spain).

• To inform users, when they provide their data, of the identity of the SNS provider, the existence of a "le and any data processing, the purpose or use of the data obtained, the possible assignment of the data to third parties, and their rights to access, rectify, oppose and cancel their data.

• To process the data in accordance with the data quality principle. What’s worth emphasizing here is that the data must be a) processed fairly and lawfully; b) processed in a manner that is compatible with the purposes for which they are collected and; c)

5 Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

6 Directive 2002/58/EC of the European Parliament and of the Council, concerning the processing of personal data and the protection of privacy in the electronic communications sector, as ammended by Directive 2009/136/CE.

7 For the speci"c regulations in each MS implementing these Directives, go to http://ec.europa.eu/justice/policies/privacy/lawreport/index_en.htm

8 is Law implements Directive 2000/31/EC of the Parliament and of the Council, on certain legal aspects of information society services, in particular electronic commerce, in the internal market (Directive on electronic commerce).

9 In summary, understood as the natural or legal person that determines the purpose and the essential means of the processing of data.

10 Some social networks combine advertising revenue with revenue obtained through the sale of Premium services to users. is is the case of the professional network LinkedIn.

5

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

adequate, relevant and not excessive in relation to the purposes for which they are collected and for which they are further processed.

• To obtain informed and unambiguous consent from users to process their data or have other legitimate grounds for processing it (for example, a formal law), which would hardly be the case of SNSs which means consent is the fundamental basis for any processing.

• To adopt the necessary security measures in order to guarantee the security and con"dentiality of the data stored in their information system, including noti"cation of security breaches according to e-Privacy Directive (thus, this noti"cation only applies to providers of publicly available electronic communications services).

• To guarantee the exercise of users' rights of access, recti"cation, cancellation and refusal.

Even though they were devised and formulated in the mid 90's, in my opinion these principles continue to be valid for regulating data processing in a technologically evolved environment with respect to the Web 1.0 where users were mere spectators of the websites they visited. But some review is necessary to enhance data protection rights. As a good example, the e-Privacy Directive adds other speci"c obligations of great signi"cance in an SNS environment given that it regulates speci"c cases for the use of cookies and other similar mechanisms that make it possible to track clicks or how a person browses through a speci"c website or on an SNS.

Article 5(3) of the former e-Privacy Directive which said (emphasis added): “the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing, and is offered the right to refuse such processing by the data controller”. is should be compared with the new wording of Article 5(3) of the e-Privacy Directive as amended by Directive 2009/136/EC, which states that “(…) the storing of information or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent(…)”

I follows from this change in the wording of Article 5(3), that the Members States should have incorporated into their laws no later than May 201111 , requires users' prior and informed consent to legally store information or gain access to information stored on their terminal equipment. Under the scope of the former article 5.3, no consent requirement was established meaning that the obligation of the data controller, an SNS for example, was limited to providing clear and comprehensive information to the user about the purposes of the processing and offering the right to refuse said processing. But the need of consent, now, is different from the right to object. is means consent based on the lack of individuals’ action, for example, browser settings, which would accept by default the targeting of the user through the use of cookies, should not meet Article 5(3) requirements.

In my opinion, this regulatory modi"cation requires a greater level of exigency from SNS

11 is is not the case of Spain which is not expected to comply with these obligations until the beginning of next year.

6

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

owners that should translate to the need to obtain explicit consent (and therefore an “opt-in”) from the users, giving them the opportunity to make a decision and to express it, for instance by ticking a box in view of the purpose of the data processing.

Insofar as the SMS provider integrates other functionalities in the platform (for example, a chat and e-mail or sms/mms service) susceptible to generating electronic communications within it, Directive 2006/24 concerning data conservation will also apply12.

Other parties responsible for data processing in an SNS include application suppliers whenever they develop applications that work on the SNS and that users decide to use, providing some personal data for this purpose to said supplier which then becomes a data controller. e SNS provider should clearly inform users of the data they will provide to the supplier of the application they wish to use so they may grant their informed consent.

3. REVISING DATA PROTECTION PRINCIPLES IN THE SCOPE OF SNSs.

Even though current EU data protection regulations can be considered valid for delimiting the responsibilities of SNS providers doing business in the EU, there are situations speci"cally created within these virtual spaces which, in my opinion, require that the “classical” principles as set out in Directive 95/46 be revised so as to more effectively protect personal data subjects.

is reassessment arises not only because of the technological advances but also because of the social changes the Web 2.0 has brought with it, which, in the case of SNSs, is re$ected in the ease with which social network users can voluntarily and conscientiously reveal their privacy and that of their acquaintances. Somehow a sort of conceptual tension is produced between privacy and SNSs that could create doubts about whether or not privacy actually exists in this new environment where it is characteristic of users to disseminate information.

3.1. Requirements of consent provided by SNS users.

As a general rule, consent to data processing must be freely given, unambiguous, speci"c and informed13. However, on most SNSs, consent could be mistakenly given from the start, especially among the youngest of users due to the very design of the network and the use of concepts such as “friends”, “community” and “my space14” which create a false notion of privacy. In order to prevent these confusions in users, SNS providers should supply clear and precise information on the scope of the possible publication of data on their platform15.

At other times, the consent does not ful"ll the necessary criteria to be considered informed.

12 Directive 2006/24/CE of the European Parliament and of the Council of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicy available electronic communications services or public communications networks and amending Directive 2002/58/CE.

13 An accurate analysis on the de"nition of consent is in Opinion 15/2011 and also Opinion 5/2009 on online social networking http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2011_en.htm

14 e name of the social network My Space could lead per se to error on the real effects of publishing information on the platform, generating a sort of “illusion” regarding an assumed private and intimate environment which it is not.

15 ink about, for example, minors who have a reasonable expectation for privacy when sharing their information on an SNS.

7

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

Supplying this information corresponds to the SNS providers and oftentimes they do so by means of clauses you access via links such as "disclaimer" or "privacy policy" but this information is not always written in simple and clear language which is a necessary requisite for social networks essentially aimed at minors. Moreover, the way it is granted may be classi"ed as weak when all you have to do when registering is click on a button that says “Send Form”, “I Agree” or something of the like when it would be more appropriate to set up a procedure where users have to actively participate in such manner that they may declare their will in one way or another through the SNS and with a warning of the consequences of their non-declaration. In short, SNS providers should offer a privacy policy that is not too extensive, that is easily accessible, with simple language that includes express information concerning the level of privacy applied by default on the network and the options and steps to modify it at the user's choice.

Another of the most common problems that arise in SNSs lies in users publishing personal information with a certain purpose - sharing the information with their "friends" or "acquaintances"- but then the information may later be used for uncertain purposes (for example, analyzing SNS user preferences obtained from their browsing or the publication of data in said medium and offering them custom advertising). erefore, SNS owners must be required to inform users of the purpose for which they will process personal data and speci"cally indicate the end purpose of the information provided. Again, SNS privacy policies need to comply with the aforementioned information requirements so users have a real power to control their data and grant informed consent in accordance with the essential content of their fundamental data protection rights.

It can also be questioned whether tacit consent is an adequate way to grant consent on an SNS. It is known that if the data processed are not specially protected or sensitive, current regulations do not oppose tacit consent formulas for valid data processing. However, the problem of admitting this type of consent on an SNS is there may be situations where a subject has seemingly granted consent to appear in a video or photograph when in all reality they are unaware how a net user is processing the image. For this reason, it does not seem adequate to admit tacit consent and it would be advisable that it be explicit, thus requiring a future modi"cation of the regulations.

Last but not least, consent should be revocable at any time by SNS users. is attribute is confronted with not just a few practical problems given that information published on the Internet is very difficult, if not impossible, to control a posteriori, which does not make it easy to effectively cancel personal data after consent is revoked by the data owner. is difficulty could be overcome, in part, by applying a privacy policy that permits users to delete their data from the SNS servers when they have deactivated their pro"le or even when they have deleted certain content from their pro"le. Likewise, it would be recommendable for SNS providers to have a “complaint center” so any affected party could request the cancellation of their image or other personal information published by a SNS user without the consent of the claimant16.

3.2. Users can become data controllers. Generally, users are considered to be interested parties with regards to the processing of their data by SNSs and, therefore, they are fundamentally subjects of rights whereas the SNS owners (and, where applicable, application suppliers) are the data controllers. But this equation is

16 National Data Protection Authorities can help facilitate the exercise of data subjects’ rights of cancellation and refusal: For example, the AEPD protects the right to oppose the indexing of personal data in search engines.

8

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

not always constant.

At times, a user may also be considered a data controller of third party data they disseminate on the social network when said processing is not covered by the household exemption provided for in Directive 95/46 and which each Member State has incorporated into their respective internal laws. is exemption, which was established in article 3.2 of the General Directive, implies that the data protection regulation does not apply to the processing of personal data by someone in the course of a purely personal or household activity.

e subsequent question that must be posed then is: In which cases could an SNS user be considered the data controller of a third party’s data?

One possible criterion could be that which was established by the European Court of Justice (ECJ) in the Lindqvist case17 to determine the application of data protection regulations to the publication of information on the Internet via a website. In this case, the ECJ declared that the conduct consisting of referring to various people and identifying them by their name or other means on a website constitutes data processing subject to Directive 95/4618 . It also stated that the household exemption did not apply because this exemption is only related to activities which are carried out in the course of private or family life of individuals, which is clearly not the case with the processing of personal data consisting in publication on the Internet so that those data are accessible to an inde"nite number of people.

Under the Lindqvist standard, the private life exception would only apply when users con"gure their social network space so that it is only visible to a group of expressly authorized friends.

is matter was speci"cally analyzed by the Article 29 Working Party in its Opinion 5/2009 on online social networks19. According to this advisory body, the household exemption would not apply in various circumstances: a) when an individual acts on behalf of a group, association or company; b) when an individual acquires contact data from third parties when there is no direct relationship between them; and, c) when an individual "knowingly" maintains its pro"le public.

If the household exemption does not apply, a user will assume full responsibilities as a data controller and, if they do not have consent or other legal grounds to lawfully process data, they could be sanctioned with a "ne or at least warned if this type of sanction is provided for in the internal law.

ere is still no court sentence in Spain sanctioning a social network user for having processed third party personal data without being covered by the household exemption. is is likely because SNS providers implement internal claims management systems that make it

17 Judgment of the ECJ of 6 November 2003 (C-101/01).

18 Although the Web 2.0 did not exist when this sentence was passed, the criteria can be perfectly extended to the new social network environment insofar as the characteristic behavior is publishing a text, photo or any other material on the Internet. e only difference is that now it is much easier to publish information on the Internet (just as on a social network) without needing to have the prior technical knowledge required to do so through a website.

19 http://ec.europa.eu/justice/policies/privacy/news/docs/pr_25_06_09_en.pdf

9

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

possible to solve these types of problems. However, the AEPD has sanctioned people who have published photographs or videos without the consent of the affected parties on other Internet platforms that do not constitute social networks in a strict sense. e "rst AEPD resolution sanctioning a social network user for identity theft was also recently revealed20.

3.3. Minors.

SNS providers should pay special attention to how the personal data of minors are processed. Although there are other legal instruments used to protect minors (civil and criminal laws protecting the honor and image of individuals, among others), they are particularly vulnerable in the scope of SNSs and therefore it needs to be considered whether the legal guarantees currently applicable are sufficient or not in guaranteeing their data is adequately protected.

Pursuant to Spanish law (Royal Decree 1720/2007), a data controller has three responsibilities here: a) at the information on how their data is processed is expressed in language that can be easily understood by them; b) at data is not collected that enables obtaining information on the other members of the family group without the consent of the data subjects; and c) at procedures are articulated guaranteeing effective age veri"cation and the authenticity of the consent granted by the parents or legal representatives if they are under 14.

e Spanish Data Protection Agency has demonstrated special concern for this group and has issued recommendations for mothers and fathers and also SNS providers. anks to these actions by the AEPD, Tuenti and Facebook revised the minimum age necessary to be a user of said social networks in Spain, setting it at 14 years old. And in the case of Tuenti, it seems that an age veri"cation procedure has been implemented that amply exceeds the standard system of asking users to declare they are over 14 by marking a box on the registration form. According to Tuenti, this procedure has led to the elimination of thousand of pro"les due to a lack of proof of the minimum age requirement.

e European Commission has fostered and implemented a self-regulation system based on 7 principles with a view to improve minor privacy and protection issues on SNSs without having to, at least for the time being, pass legislation on this matter21. ere are other initiatives aimed at creating international protection standards related to the safe use of the Internet and SNSs by children. In this regard, the Montevideo Memorandum and the Safer Internet program approved in 2009 by the European Parliament stand out22.

20 PS 137/2011, Resolution of 27 July 2011.

21 http://ec.europa.eu/information_society/activities/social_networking/eu_action/selfreg/index_en.htm 22 Memorándum sobre la protecciónde datos personales y la vida privada en las redes sociales en Internet, en particular de niños, niñas y adolescentes http://memorandumdemontevideo.ifai.org.mx . Safer Internet Program: http://ec.europa.eu/information_society/activities/sip/index_en.htm

10

Gran Vía de les Corts Catalanes, 702 Pral. 1ª Barcelona 08010 || t. 34 93.265.58.42 f.34 93.265.52.90 || info@alliantabogados.com www.alliantabogados.com

4.- LAW APPLICABLE TO SNSs.

Section 2 mentioned the fact that the SNSs operating in the EU are subject to a legal framework comprised of two Directives (General and e-Privacy) and, possibly, a third on data retention if the SNS provider offers electronic communication services. Determining the law applicable to SNS personal data processing matters means applying article 4 of Directive 95/46 which opts for the criteria of establishment without the location of the data processing, the nationality, legal address or residence of the subject whose data is processed being relevant. us, the law of the Member State where the SNS owner is located shall apply. If it has various establishments and processes personal data through the activities of each one of them, it shall be governed by the law of the country where each establishment lies.

In all, we must not lose sight of the fact that the most important SNSs by volume of users are established outside the EU and, speci"cally, in the United States, and any con$ict is submitted to the laws of the State where their principal place of business is located. us is the case of, for example, Facebook (Delaware), LinkedIn (California), Twitter and My Space (New York) which together account for more than 1 billion users!. In principle, these companies escape from the application of European data protection laws and as a result, from national control authorities except in situations where they use instruments or means situated in EU territory. is is the case, for example, when they use mechanisms such as cookies to actively collect data from user computers situated in a Member State for the purpose of future processing, unless such means are only used for purposes of transit (article 4.1.c of Directive 95/46).

5.- CONCLUSION

One of the greatest dangers of the SNSs is generated in the private life of users and not only theirs but also other people who may or may not be affiliated with these platforms and whose personal data, for whatever reasons, appear published on an SNS. It is essential that SNS owners comply with currently existing data protection regulations but we must also be aware that the technological changes and, as a consequence, social changes they bring with them demand a revision of the principles and guarantees currently applicable. e Law is not always the most ideal instrument for preventing violations in this area. is has been well understood by different international bodies (including EU institutions) upon promoting global self-regulations systems as well as awareness programs in order to achieve the responsible and safe use of the tools offered by the Web 2.0. Without a doubt, each one of us must be called upon to use social networks responsibly and conscientiously. Perhaps this is an important part of the solution to the problem. In short, the questions posed vary whereas the answers are not de"nitive. In matters of privacy, “today is tomorrow” and therefore, considering that SNSs are here to stay as mentioned at the beginning of this article, there is nothing more to do besides continuing to deepen the debate on how to better protect our data in environments such as social networks which, by nature, afford so little privacy.