Strasbourg, 20 September 2011
COMMITTEE OF EXPERTS ON NEW MEDIA
20-21 September 2011
Draft Recommendation of the Committee of Ministers to member states on the protection of freedom of expression and the right to private life with regard to social networking services
1. Social networking services are increasingly becoming an important part of people’s daily lives. They are a tool for expression but also for communication between individuals or for mass communication. This complexity gives them a great potential to promote the exercise and enjoyment of human rights and fundamental freedoms, in particular the freedom to express, to create and to exchange content and communication.
2. Given their increasingly prominent role, social networking services and other social media services also offer great possibilities for enhancing the individual’s right to participate in political, social and cultural life. Bearing in mind Recommendation (2007)16 of the Committee of Ministers on the public service value of the Internet which states that the Internet and other ICT services have high public service value in that they serve to promote the exercise and enjoyment of human rights and fundamental freedoms for all who use them, greater efforts could be put into exploring how social networking services and other social media could act as a means to enhancing participation (especially of marginalised groups in society) and contributing to the strengthening of democracy and social cohesion.
3. The right to freedom of expression and information, as well as the right to private life, non-discrimination and human dignity, may also be challenged on social networking services. These challenges may arise, for example, through lack of due process preceding the exclusion of users, insufficient protection of children¹ and young people against the harmful behaviour of others, violation of other people’s rights, lack of privacy-friendly default settings, and lack of transparency about the purposes for which personal data is being collected and processed.
4. Users of social networking services need to respect other people’s rights and freedoms. Media education is particularly important in the context of social networking services in order to make the users aware of their rights when using these tools. Media literacy should also help individuals to acquire the human rights values and behaviour necessary to respect other people’s rights and freedoms.
5. A number of co- and self-regulatory mechanisms have already been set up in some Council of Europe member states. It is important that procedural safeguards are respected by these mechanisms, in line with the human right to a fair trial, within reasonable time, and starting with the presumption of innocence.
6. The Committee of Ministers recommends that member states, in cooperation with private sector actors and civil society, develop and promote coherent strategies to protect and promote respect for human rights with regard to social networking services, in line with the European Convention on Human Rights (ETS No. 5), especially Article 8 (Right to respect for private and family life) and Article 10 (Freedom of expression) and with the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108), in particular by:
i. providing an enabling environment for social networks that offers opportunities for people to further exercise human rights and fundamental freedoms, in particular the freedom to express, to create and to exchange content and communication.
ii. ensuring users are aware of the possible challenges to their human rights on social networking services (in particular their freedom of expression and information and their right to private life and protection of personal data) as well as on how to avoid having a negative impact on other people’s rights when using these services;
iii. protecting users of social networking services from harm from other users while also ensuring all users’ right to freedom of expression and access to information;
iv. encouraging transparency about data processing, and in particular about the kinds of personal data that are being collected and the legitimate purposes for which they are being processed, including further processing by third parties;
v. preventing the illegitimate processing of personal data;
vi. encouraging providers of social networking services to set up self-regulatory mechanisms, and engage in dialogue with them about the setting up of co-regulatory mechanisms where appropriate in order to contribute to the respect of the principles set out in the Appendix to this Recommendation;
vii. taking measures with regard to social networking services in line with the principles set out in the Appendix to this Recommendation;
viii. bringing these principles to the attention of all relevant public authorities and private actors, in particular social networking providers, and civil society.
Appendix – Principles
I. Raising awareness as regards freedom of expression and access to information
1. Social networking services offer the possibility to both receive and impart information. Users can invite recipients on an individual basis, but in most cases the recipients are a dynamic group of people, sometimes even a “mass” of unknown people (all the members of the social network). In cases where users’ profiles are indexed by search engines there is potentially unlimited access to parts of or all information published on the profile.
2. It is important for participants to be able to feel confident that information that they share will be processed appropriately and to know whether this information has a public or private character and the implications that follow from choosing to make information public. In particular, children, especially teenagers, and other categories of vulnerable people need guidance in order to be able to manage their profile and understand the impact that the publication of information of a private nature could have, in order to prevent harm to themselves and others.
3. In cooperation with the private sector and civil society, member states should ensure that users’ right to freedom of expression is guaranteed, in particular by:
i. informing users clearly about the difference between private and public communication and the possible consequences of unlimited access (in time and geographically) to their profile and communication;
ii. providing information about the core conditions of participating in the social networking service in a form and language that is geared to, and easily understandable by, the target groups of the social networking service;
iii. fostering awareness initiatives for parents and teachers to supplement information provided by the social networking service. This is even more important in respect of much younger children in case they participate in social networking;
iv. providing users with clear information about the editorial policy of the social networking provider in respect of how he deals with apparently illegal content and what he considers inappropriate content and behaviour in the network.
II. Appropriate protection of children against harmful content and behaviour
4. Freedom of expression includes the freedom to impart and receive information which may be shocking, disturbing and offensive and content that is unsuitable for particular age groups. Since social networking services play an increasingly important role in the life of children, as part of the development of their own personality and identity, and as part of their participation in debates and social activities, there are reasons for protecting children because of the inherent vulnerability that their age implies. This does not, however, entail an obligation on a social networking service to control, supervise and/or rate all content uploaded by its users. Parents should play a primary role in working with children to ensure that they are using the services in an appropriate manner.
5. Age-verification systems are often described as a possible solution for protecting children from output that may be harmful to them. However, at present there is not a single technical solution with regard to online age verification that does not infringe on other human rights and/or does not facilitate age falsification, thus causing greater risks than benefits to the children involved.
6. In cooperation with the private sector and civil society, member states should ensure children’s safety and protect their dignity while also guaranteeing procedural safeguards and the right to freedom of expression and access to information, in particular by:
i. providing clear information about what kinds of content or content-sharing risks being in contravention of existing legal provisions;
ii. providing clear information about the editorial policy with regard to what content or behaviour is considered “inappropriate” according to the core conditions of the social networking service, while ensuring that such provisions do not restrict the freedom of expression rights guaranteed by the European Convention on Human Rights;
iii. encouraging law enforcement bodies and social networking services to establish transparent mechanisms for cooperation, respecting the procedural safeguards required under Articles 8 and 10 of the European Convention on Human Rights, and promote qualified initiatives such as hotlines;
iv. ensuring that users have easy access to mechanisms for reporting to the social networking service provider inappropriate and illegal content or behaviour of other users;
v. examining whether other specific measures would help to prevent cyberbullying and cybergrooming; however, age-differentiated access should be treated carefully, as a best effort that is based on age input provided by the children themselves;
vi. ensuring that any decisions to block or delete content should be taken in accordance with Recommendation (2008)6 of the Committee of Ministers to member states on measures to promote the respect for freedom of expression and information with regard to Internet filters and its guidelines;
vii. guaranteeing that blocking and filtering, and, in particular, nationwide general blocking or filtering measures, are introduced by the state only if the conditions of Article 10, paragraph 2, of the European Convention on Human Rights are fulfilled and refraining from the general blocking of offensive or harmful content for users who are not part of the groups for which a filter has been activated to protect. Instead, encouraging social networking services to offer adequate and transparent voluntary individual filter mechanisms may suffice to protect those groups.
III. Ensuring users’ control over their data
7. Social networking services process large amounts of personal data, including users’ profiling data and traffic data. Publishing personal data in a profile can lead to access by third parties, including, amongst others, employers, insurance companies, law enforcement agencies and the secret services.
In order for users to exercise control over their data, social networking services should offer privacy-friendly default settings, as already highlighted by a number of instruments adopted at both European and international level². The interface must be clear and allow users to effectively exercise their rights.
8. Social networking services should not process personal data beyond the legitimate and specified purposes for which they have collected it. They should limit processing only to that data which is strictly necessary for the agreed purpose and for as short a time as possible. Social networking services must seek the informed consent of users if they wish to process new data about them, share their data with other categories of people or companies and/or use their data in other new ways. As stated in Recommendation (2010)13 on the protection of individuals with regard to automatic processing of personal data in the context of profiling, users should be informed where their personal data is used in the context of profiling. The user’s decision (refusal or consent) should not have any effect on the continued availability of the service to him or her. When allowing third party applications to access users’ personal data, the services must provide sufficiently multi-layered access to allow users to specifically consent to access to different kinds of data.
9. The default setting for users should be that access is limited to self-selected contacts. Users should be able to make an informed decision to grant access to a larger public, in particular with regard to indexability by external search engines. Social networking services should clearly inform users of the consequences of making information publicly available, including unrestricted access to, and collection of, data by third parties. The social networking service must offer adequate, refined possibilities to ‘opt in’ for (consent to) wider access. In case a user wants to widen access to all users of a social networking service or even globally, through indexability by external search engines, it must be clear - and the appropriate tools must be easily accessible - how they may restrict access again, including removal from archives and search engine caches. The use of techniques that may have a significant impact on users’ privacy, where for instance processing involves sensitive or biometric data (such as face recognition) requires enhanced protection and should not be activated by default.
10. It is key that social networking services apply the most appropriate security measures to protect personal data against unlawful access by third parties. Such measures should include end-to-end encryption of communication between the user and the SNS website. In case there is no applicable data-breach legislation, social networking services should report personal data breaches to their users, to enable them to take preventive measures, such as changing their password and/or keeping a close eye on their financial transactions (where the providers are in possession of bank or credit card details). Social network services are invited to address data protection needs at the stage of conception of their services or products and continuously assess the privacy impact of changes to existing services with a view to strengthening security and users' control of their personal data.
11. Users should be informed about the processing of their personal data, including the existence of, and means of exercising their rights (i.e. access, rectification, erasure), in a clear and understandable manner, in language geared to the target audience. Users should be informed about possible challenges to their right to private life, not only in the social networking services’ core conditions (including when changes are brought to terms of service), but every time such a challenge may arise, for example, when the users make information on their profile available to new (groups of) users or when they install a third party application.
12. Users should be informed as to what law is applicable in the execution of the social networking services and the related processing of their personal data.
13. The practice of pseudonymous profiles offers both possibilities and challenges for human rights. In its Declaration on freedom of communication on the Internet (adopted on 28 May 2003), the Committee of Ministers stressed that “in order to ensure protection against online surveillance and to enhance the free expression of information and ideas, member states should respect the will of users of the Internet not to disclose their identity”.
The right of being able to use an online pseudonym should be guaranteed both from the perspective of free expression of information and ideas and from the perspective of the right to private life. In case a social networking service requires users to register with their real identity, publication of that real identity on the internet should be optional for the users. This does not prevent law enforcement from gaining access to the real identity when necessary.
14. Users should always be able to withdraw their consent to the processing of their personal data. Before terminating their account, users should be able to easily and freely move the data they have uploaded to another service or device, in a usable format. Upon termination, all data from and about the users should be permanently eliminated from the storage media of the social networking service.
15. In addition to applicable legal provisions, appropriate complaint handling mechanisms should be guaranteed against abusive behaviour of users, in particular with regard to identity theft.
16. Non-users of the social network may also be affected by incautious disclosure of their personal data by users of the service or by use of their data by the social networking service itself. Non-users should thus have effective means of exercising their rights without having to become a member of the service and/or otherwise provide excessive personal data. Social networking providers should refrain from collecting and processing personal data about non-users, for example e-mail addresses and biometric data (e.g. photographs). Users should be made aware of the obligations they have towards other individuals and, in particular, that the publication of personal data related to other people must respect the rights of those individuals.
17. In cooperation with the private sector and civil society, member states should work upon operators of social networks so that they ensure that users’ right to private life is protected, in particular by:
i. enforcing applicable privacy principles, especially that social networking services have default privacy-friendly settings that limit access to self-selected contacts, that they apply the most appropriate security measures and ask for the informed consent of their users before they share data about them, share their data with other categories of people or (categories of) companies and/or use their data in other new ways;
ii. ensuring that users are able to effectively exercise their rights by offering, amongst other things, a clear user interface, understandable and readily accessible information about the purposes of the data processing, and sufficiently multi-layered access for third parties;
iii. ensuring that users are informed about possible consequences of publishing personal data in a profile, as well as about possible legal access by third parties (including also e.g. law enforcement authorities);
iv. ensuring that users are informed about the need to obtain the prior consent of other people before they publish their personal data. Where possible, such consent should include audio and video content, in cases where they have widened access beyond self-selected contacts;
v. ensuring that users must be able to completely delete their profile and all data stored about and from them in a social networking service; [this includes tools for parents to manage their children’s data];
vi. ensuring the possibility of using a pseudonym;
vii. ensuring that the processing of personal data stemming from the use of social networking services for law enforcement purposes is carried out only under an appropriate legal framework, or following specific orders or instructions from the competent public authority made in accordance with the