Don’t trash the e-mails you receive from Facebook
Social media networks are beginning to obtain self-certification, according to the privacy shield.
This name may mislead people into thinking their data is safe even when handled by third parties. Yet, this self-certification simply grants nine months of time to companies to adapt their contracts with third parties to comply with the privacy shield.
While some social networks may have notified users by means of an e-mail, further complications (and perhaps lack of clarity) arise when such platform own or are owned by other ones, by means of corporate structures.
Although September 2016 is over, if you think workload is losing pace for legal departments, you’d be wrong.
An important deadline has just expired, and now multinationals won’t be able to obtain self-certification for the biggest legal mayhem of the year between European Union and United States: the privacy shield.
The previous framework did not go much beyond declaring compliance to various principles, while the new privacy shield promised to bear more protection to data by, for instance, setting an ombudsman in Washington to receive appeals against alleged misuses and by guaranteeing more transparency and periodical reviews.
Moreover, the programme offers an incentive to US companies through the so-called self-certification. This process — available only between 1 August and 30 September 2016 — permits a nine month stint where third party processors can comply with the onward transfer requirements (i.e. the transfer of data from the importer outside the EU to a third party, outside EU too, to process data for different purposes and with different modalities).
The clear advantage here is that companies waive the deadline by which their third party contracts need to comply to the privacy shield programme.
Such novelties affect equally a huge range of American companies seeking business across Europe (regardless of their B2C or B2B model), but some companies may be more “equal” than others, especially those whose strategy heavily relies on data transferred and processed/sold to third parties, whose re-assessment requires lot of time: social networks.
If anyone had/has a profile on such platforms, watch out. Several e-mails should be waiting for you in your inbox, in order to notify you about new developments in privacy policies with one common trait: they are filed right before the deadline for the early-certification. Therefore, if you thought your personal data was safe when handled by social networks and third parties, you may want to see what each platform declared and what you can expect.
Want to write for the Legal Cheek Journal?Find out more
Dropbox too pops up across the board of early self-certified entities.
A further giant of social media achieving a last-minute early-certification is Twitter, which issued the news by means of (guess what) a tweet and by referring to updates to the “international aspects of the service”.
Yet, social media either holding or being owned within a corporate structure can even become the third party itself, which detail could bear further consequences when it comes to their privacy policies.
It is also very important to read the paragraph “Third Parties” because the statement “Facebook may transfer data within the Facebook family of companies” should ring a bell on other platforms owned by Facebook: Whatsapp and Pinterest, among others.
The whole Facebook group is well known for making a big business out of information collected from its users: although Q2 highlighted an increase in ARPU (average revenue per user) , it recently turned out that Facebook overestimated the amount of users active on its platform, when monetising third-parties adverstisers .
Lots of platforms have made use of the early self-certification, but will the privacy shield make it to the future?
Who knows, perhaps it does, or perhaps it will be struck down earlier than May 2017 (it will be soon challenged within EU law boundaries). Such a perspective carries lots of uncertainty but at least after the 2008 claims of Richard Thomas — former UK Information Commissioner — pointing out the inadequacy of the European privacy framework to the digital age, the good news is that the world is finally granting due attention to personal information.
In the end, we all have learned there is nothing like a free meal and this could help us all to realise that personal information too can be an appealing manner of paying for services.
Marco De Roni is a law graduate and paralegal in Amsterdam.