The relevance of social media is, today, beyond question. It is an information society service whose provision involves data processing, whether to provide the service itself or for other objectives such as offering personalized advertising to users. In this context, the social network service provider, as the data controller, must implement the corresponding measures to ensure compliance with its obligations under data protection regulations.
The owner of the social network, as the party that offers the service, has the technical means to do so, and decides on the purpose, content, and use of the data processing, is clearly to be considered the data controller. Its conduct must therefore be grounded in proactivity, privacy by design, and privacy by default. This means that users should be offered the service with the highest possible level of privacy from the start. It is then up to the user, if they wish, to reduce this privacy through acts of explicit consent; by default, their account should hold the least amount of data, and the profile should be made public only when the user explicitly allows it. Accordingly, the social network provider must, both when determining the means and during the processing itself, adopt suitable technical and organizational measures to effectively implement data protection principles and integrate the necessary guarantees into the processing. Some examples of specific measures include having a suitable legal basis for the legitimacy of processing, applying data minimization and purpose limitation, adhering to the information principle, or limiting the data retention period.
Regarding consent, with certain exceptions, personal data processing on social media must rely on the consent given by the data subjects as its legitimizing basis. This consent must be free, informed, unequivocal, revocable, explicit, transparent, positive, and verifiable, and thus requires an explicit declaration or affirmative action once the relevant information has been received. It should also be noted that when the processing has multiple purposes, consent must be given for each of them.
Furthermore, it’s necessary to consider whether or not social media users are themselves controllers of the processing. In this respect, a distinction must be made between individual and corporate users. Individual users use social media for personal purposes and benefit from the personal or domestic processing exception provided by the regulation, as they have no connection with any professional or commercial activity. Therefore, individual users will not be considered controllers of any processing of third parties’ personal data they might carry out during their activities on the social network. It should not be forgotten, however, that they would still be liable for the use of third-party data on any other legal ground, such as the protection of the right to honor, personal or family privacy, and image. There are also cases where an individual user’s activities do not benefit from this exemption, such as when all members belonging to a social network can access a profile or when data is indexable by search engines. In these cases, access exceeds the personal or domestic scope, and open dissemination to third parties is therefore considered data processing subject to the regulation.
Corporate users, on the other hand, use the network as a platform for carrying out commercial or professional activity and can therefore be considered data controllers. It should be noted that the corporate user will be responsible along with the social network provider, so that the two concurrent responsibilities are joint in nature, without prejudice to their ability to delimit their respective responsibilities by mutual agreement.
Finally, it’s necessary to determine the responsibility of the social media provider for the unlawful acts of its users. In these cases, beyond the user’s own responsibility, the provider’s responsibility must also be affirmed, not because of the user’s activity but because of the provider’s own conduct once it becomes aware of the unlawful act the user has committed through its service. Consequently, the grounds for exemption from responsibility that the provider can claim are the following: 1) the absence of actual knowledge on its part of the unlawful nature of the content provided by the user; or 2) failing that, the diligent removal of such content, or having made access to it impossible. In conclusion, after the analysis conducted, it’s clear that social networks are subject to data protection regulations, and the analysis has identified the various data processing controllers within this service provision, as well as the position of users and their rights.