The privacy law storm gripping social media

By Marco De Roni on

Don’t trash the e-mails you receive from Facebook


Social media networks are beginning to obtain self-certification, according to the privacy shield.

This name may mislead people into thinking their data is safe even when handled by third parties. Yet, this self-certification simply grants nine months of time to companies to adapt their contracts with third parties to comply with the privacy shield.

While some social networks may have notified users by means of an e-mail, further complications (and perhaps lack of clarity) arise when such platforms own or are owned by other ones, by means of corporate structures.

Although September 2016 is over, if you think workload is losing pace for legal departments, you’d be wrong.

An important deadline has just expired, and now multinationals won’t be able to obtain self-certification for the biggest legal mayhem of the year between the European Union and the United States: the privacy shield.

For those not acquainted with this, the privacy shield is the new framework allowing the exchange of personal data between the EU and the US. This is set to replace the prior safe harbour after well-hyped litigation regarding Facebook’s privacy policy and how US companies were actually misusing personal data collected online in Europe.

The previous framework did not go much beyond declaring compliance to various principles, while the new privacy shield promised to bear more protection to data by, for instance, setting an ombudsman in Washington to receive appeals against alleged misuses and by guaranteeing more transparency and periodical reviews.

Moreover, the programme offers an incentive to US companies through the so-called self-certification. This process — available only between 1 August and 30 September 2016 — permits a nine-month stint where third party processors can comply with the onward transfer requirements (i.e. the transfer of data from the importer outside the EU to a third party, outside the EU too, to process data for different purposes and with different modalities).

The clear advantage here is that companies waive the deadline by which their third party contracts need to comply with the privacy shield programme.

Such novelties affect equally a huge range of American companies seeking business across Europe (regardless of their B2C or B2B model), but some companies may be more “equal” than others, especially those whose strategy heavily relies on data transferred and processed/sold to third parties, whose re-assessment requires a lot of time: social networks.

If anyone had/has a profile on such platforms, watch out. Several e-mails should be waiting for you in your inbox, in order to notify you about new developments in privacy policies with one common trait: they are filed right before the deadline for the early-certification. Therefore, if you thought your personal data was safe when handled by social networks and third parties, you may want to see what each platform declared and what you can expect.

The first e-mail I received was from MailChimp, in whose privacy policy (at article 16) you can find a straightforward explanation of its business model: transfer of personal data to third parties acting as agents on its behalf, which allegedly, and perhaps also misleadingly, already complies with the onward transfers.


Article 9 makes clear that personal information can be disclosed with third parties, such as service providers and advertising partners and, moreover, article 18 points out that article 5 of the cookie policy explains how to opt out from sharing personal information with third parties.

Another social media titan to hit my inbox is Snapchat. The company, located in Venice, California, is not too generous in words, but it’s clear that as of the day of its most recent privacy policy update (27 September 2016) it has enrolled in the EU-US privacy shield framework, most likely due to the share of information the network bears with its “sellers, partners, advertisers and providers”. Last but not least, snapchatters beware: you may happen to share information through third-party integration directly to such third parties or Snapchat or “both”.


Dropbox too pops up across the board of early self-certified entities.

Dropbox’s business blog proudly reports the admission of its early-certification. Dropbox states it still relies on the safe harbour privacy principles (see Dropbox’s privacy policy under “Where”), and no more words are spent in Dropbox’s help centre either.

A further giant of social media achieving a last-minute early-certification is Twitter, which issued the news by means of (guess what) a tweet and by referring to updates to the “international aspects of the service”.


The San Francisco-based company gives another example of a not-too-prolix explanation, but at least the users are warned, in Twitter’s privacy policy, about their data being potentially shared with “corporate affiliates, partners and third parties”. Yet, it seems like such entities do use personal data only on Twitter’s “behalf” and pursuant to Twitter’s “instructions” (although there is no mention of “purpose”, hence there is still some room for a better compliance with the privacy programme thus justifying its early self-certification).

Yet, social media either holding or being owned within a corporate structure can even become the third party itself, which detail could bear further consequences when it comes to their privacy policies.

For example, another platform to have updated its privacy policy in time before the final clock is Pinterest (fully owned by Facebook Inc.), whose team notified its users by means of an e-mail. Despite the lack of terms like “shield” or “onward transfers” in its privacy policy, what stands out is that all data collected in Europe will now be managed by an Irish subsidiary — Pinterest Europe Limited (perhaps not the strictest jurisdiction when it comes to personal data protection). Moreover, from the point “How and when do we share data?”, Pinterest states that it does indeed share data with third parties. Should any user want to dig up more information, Pinterest suggests looking at its help centre, although in such section there is no proper reference to how third parties process personal data received through Pinterest.

Speaking of the devil, the next big platform is Facebook, whose update was not shared by e-mail but is well available on its privacy policy, within the EU-US privacy policy; here, the “big brother” kicks it off by bringing up its “certification… with the US Department of Commerce regarding… collection and processing of personal data from… advertisers, customers and business partners”, although a fairer wording would have mentioned it is actually a self-certification and for nine months Facebook is not going to be reviewed on it.

It is also very important to read the paragraph “Third Parties” because the statement “Facebook may transfer data within the Facebook family of companies” should ring a bell on other platforms owned by Facebook: Whatsapp and Pinterest, among others.

While none of these platforms seem to have updated their privacy policy, the former stands out firstly for not mentioning whether it shares personal information with third parties and, secondly, for the recent frenzy regarding its new privacy policy (notified on mobile devices), that would have allowed it to share users’ personal information with the holding Facebook.

The whole Facebook group is well known for making a big business out of information collected from its users: although Q2 highlighted an increase in ARPU (average revenue per user), it recently turned out that Facebook overestimated the amount of users active on its platform, when monetising third-party advertisers.

The Big G is also on the list of the self-certified entities for the purposes of the privacy shield framework, following its privacy policy. Google Inc.’s webpage on self regulatory framework is dated 20 September 2016 and it’s remarkable how this company does indeed figure on the list of US companies complying with the programme, while Alphabet does not appear (yet?).

Last but not least, let’s not forget that further companies are within Google’s corporate group: YouTube, Picasa and Cardboard among the many others. For the record, YouTube’s privacy policy forwards to that of Google.

A further mention goes to Skype, which has been owned by Microsoft since mid-2011. Its privacy policy weblink also forwards to that of the holding company Microsoft, which is one of the first self-certified in the privacy shield programme. In its EU-US privacy shield page, Microsoft does not mention if and how it does share personal data with third parties but it clears up its liability in case of wrongdoings performed by these players (among which Skype too can fall). Moreover, you may want to remember that Microsoft owns — and therefore manages the privacy of — Xbox, MSN, Bing, LinkedIn and Windows Phone, among others.

The last social network to deserve mention is Yahoo, but only for the astonishing fact that nowhere in its privacy policy does it mention the privacy shield. Instead, it states that it still participates in the defunct safe harbour, although it does not rely thereon to legitimise transfer of data. Perhaps the recent hack hampered further development and plans?

Lots of platforms have made use of the early self-certification, but will the privacy shield make it to the future?

Who knows, perhaps it will, or perhaps it will be struck down earlier than May 2017 (it will soon be challenged within EU law boundaries). Such a perspective carries lots of uncertainty but at least after the 2008 claims of Richard Thomas — former UK Information Commissioner — pointing out the inadequacy of the European privacy framework to the digital age, the good news is that the world is finally granting due attention to personal information.

In the end, we all have learned there is nothing like a free meal and this could help us all to realise that personal information too can be an appealing manner of paying for services.

Marco De Roni is a law graduate and paralegal in Amsterdam.