The evolution of the internet has brought the development of social networks; this has changed the lives of citizens and given rise to problems in the field of privacy protection. The European Union has taken this issue into account and adopted a new project to update the data protection system; this new regulation is necessary to deal with the new challenges arising from the frequent use of the internet. The core of this regulation is informed consent: its aim is to allow users to retain power over their personal data. The means to achieve this goal are knowing who holds the data and for which purpose, and maintaining control over their circulation.
The Italian scenario is characterized by one main source of law: the Privacy Code (Legislative Decree 196/2003), which grants every citizen the right to the protection of personal data. Two means are provided to achieve this result. First, data must be processed correctly: whoever receives data is obliged to inform users about the purposes and methods of processing. Second, users have the right to intervene, that is, to check the accuracy of the processing and to withdraw their consent to it (art. 7 D.Lgs. 196/2003).
The above-mentioned provisions share a common objective: to regulate the circulation of data and make it accountable, in order to create a better system that can guarantee and safeguard the rights of citizens. These norms are not intended to obstruct the circulation of information, but to make it fair.
Applying these norms to social networks and the internet is not easy, because the specific features of these instruments make compliance harder to monitor. The general principle that social networks have to comply with is that the publication of data relating to others is admissible only with the unmistakable consent of the person concerned (art. 23 D.Lgs. 196/2003). Generally speaking, users give their consent when they subscribe to the social network; at this stage they declare that they are the owners of the photos, videos and data in general that will be shared on the platform, and they accept that everybody who has access to the shared data can use them, in a lawful manner of course. In other words, private data become public. This represents one of the main risks, because data that flow from the user to the internet can no longer be controlled by the person who provided them. The situation is exacerbated by the fact that, most of the time, users are not aware of this consequence. Furthermore, users can give information about individuals who are not using the social network; in this case there will be a breach of those individuals' right to privacy.
The business model of most social networks is based on selling the information given by users to third parties, which use the data for profiling and marketing purposes. Subscription to social networks is often free, but in reality users pay for their access with data, which nowadays can be considered a good. This circulation of information is not unlawful, because the user accepts that his data can be shared with third parties; the problem is to what extent users are aware of this clause and of its consequences.
Another problem concerns the deletion of a user profile. It is easy to delete a personal profile from a social network, but sometimes this does not imply the elimination of the user's personal data related to the account. Data shared on the social network may remain stored on the servers even after the cancellation of a user profile; this situation is lawful only if it is stated in the general conditions of service accepted by the person when he decides to start using the platform.
During the 30th International Conference of Data Protection and Privacy Commissioners, the authorities of different member states discussed the privacy risks linked to technological developments. At the end of the conference they adopted the Resolution on Privacy Protection in Social Network Services, which highlights the necessary changes in data protection laws. This document focuses on social networks and gives advice on how providers of social network services should behave to solve several problematic issues:
· Inform users about the processing of their personal data in a transparent and open manner;
· Allow restrictions of visibility for profiles, and for data contained there; allow users to have control over secondary use of profile and traffic data; e.g. for targeted marketing purposes;
· Users shall have the right to access and to correct all their personal data held by the Provider;
· Offer privacy-friendly default settings for user profile information;
· Allow users to easily terminate their membership and to delete their profile and any content or information;
· Improve and maintain security of information systems and protect users against fraudulent access to their profile;
· Assure that user data can only be crawled by external search engines if a user has given explicit, prior and informed consent.
These provisions are not binding, but they can be considered soft law. The importance of this declaration comes from the unanimous vote reached by the privacy commissioners of the Member States on these bullet points. The commissioners also agreed on the need for a reform of personal data protection that takes into account the problems caused by the development of the internet. Some social networks already comply with these best practices, but a binding provision that forces providers to comply with the above-mentioned rules is still necessary. The regulation recently approved at EU level follows the path laid out by the 30th International Conference of Data Protection; this act will be directly applicable in Member States, but it will be binding only after two years from its publication in the Official Journal.