Importing online contacts and data protection

To say that online networking has revolutionised the way we interact socially and professionally with others is a massive understatement. Social and professional networking services, which did not even exist at the beginning of the 21st century, have become the driving force of Web 2.0 and their growth rate is a simply a reflection of the role they play in today’s world. Facebook and LinkedIn have been particularly influential on the social and professional fronts respectively thanks to their clever and useful features.

A key functionality of those services is the ability of the user to “import” the contact details of existing friends and acquaintances. This functionality is a simple technological solution that relies on the sharing of personal information – which is what online networking is all about – so it is essential to know how to make the most of it in a non-intrusive and responsible way.

Facebook’s “friend finder”

Facebook’s “friend finder” function is an essential element of the service. Whilst it is perfectly possible to find other users by carrying out a simple name search, that can prove time-consuming and difficult due to the sheer number of Facebook users and the chances of many of them having the same name. Therefore, by far the easiest way of finding people is to use the tool to import contacts directly from the user’s addressbook. Before doing that, the user is presented with a link that opens a window stating that Facebook will not share e-mail addresses with anyone, but will store them on the user’s behalf and use them to generate friend suggestions. The notice goes on to recommend that users only import contacts from accounts they have set up for personal use.

Importing contacts through Facebook’s “friend finder” function could not be easier. One can simply click on the “Find friend” button associated with the web email account of the user, which will open an opt-in window asking the user to allow Facebook to use the relevant ID to access the contacts associated with that account. Alternatively, the user can upload the contacts file directly from Outlook or equivalent email program. Once the contacts have been uploaded, the user can see whether those real-world friends are also on Facebook.

Facebook also provides an “invitation tool” which allows users to reach out to non-members and invite them to join Facebook. The use of this tool will normally generate one invite and up to two reminders in the name of the user. The reminders can be cancelled at any time, so essentially this is a “refer a friend” tool which is triggered when the user invites a non-member to join Facebook. The email received by the non-member allows that individual to unsubscribe from further emails from Facebook and includes a link to a privacy notice that explains how that email address may be used.

LinkedIn’s importing facility

LinkedIn operates in a similar fashion. Whilst LinkedIn offers greater granularity in terms of its search functionality, users can save time by importing their own contacts from a variety of web email services and programs like Outlook or Apple Mail. LinkedIn users who choose to take advantage of this functionality will also be presented with a link to a detailed privacy policy and a statement indicating that LinkedIn will not send those contacts any email. However, users are given the opportunity to send an invitation to their contacts when importing their details.

Privacy and data protection implications

The act of importing contact details into online networking sites like Facebook and LinkedIn amounts to processing of personal data under EU data protection law. (See Europa for the overall legislation). This means that to the extent that EU law applies, such an activity may be affected by specific conditions and obligations.


From a legal and practical perspective, informing individuals about the uses made of their data is a top priority. Both Facebook and LinkedIn have comprehensive privacy policies that explain how any personal data collected will be used. That applies to data of users and non-users. Recipients of invitations to join Facebook triggered by existing users are told via a privacy notice that people with Facebook accounts can import their contacts to Facebook and send email invitations to their friends. The notice goes on to say that the emails received may include the names of other people (besides the person who sent the invite), such as those who previously imported the recipient’s details or friends of the person who sent the invitation.

In LinkedIn’s case, whilst the email with the invitation to connect on LinkedIn does not have a link to a privacy notice, this is consistent with the fact that the invitation is being sent by the existing user rather than LinkedIn itself. However, if the recipient clicks on the email to confirm that they know the sender, that opens a joining page with a clear link to LinkedIn’s privacy policy. So, both networks are pretty transparent about the uses made of the data of recipients of emails initiated by existing users.


Both Facebook and LinkedIn make a very limited use of the data of non-users imported by users. Therefore, the sites make it clear that it is the users’ responsibility to ensure that their contacts will be happy to accept invitations. In the case of Facebook, the screen used to send invites says “Please send invites only to people you know personally who will be glad to get them”. Similarly, LinkedIn’s privacy policy states “You may not invite anyone you do not know and trust to connect with you”. Clearly, in both cases the onus is on the user (who under EU law would be regarded as a “data controller”) to ensure that there is a legitimate basis, such as the recipient’s consent or reasonable expectations, to send invitations to people.

Direct marketing

Should an invitation to join Facebook or to connect on LinkedIn be regarded as a direct marketing communication? On the one hand, the concept of direct marketing is sufficiently wide to capture any promotional activity which is directed to a particular individual. However, the way Facebook and LinkedIn have devised their contacts importer tool and the invitation email is such that the communications that follow – as long as they are always triggered by the user – are unlikely to fall within the scope of direct marketing.

Users – be sensible!

In summary, users of online networking sites can benefit from the simplicity and ease of use of the contacts importer tool and invitation emails to reach out to their friends and business contacts. The potential of these tools is in direct proportion to the size and accuracy of someone’s addressbook. From a privacy and data protection perspective, Facebook’s and LinkedIn’s practices in this regard appear to meet the basic transparency and lawfulness requirements, but it is ultimately the users who must exercise caution and reasonableness when making use of such powerful tools.

Eduardo Ustaran is a partner and the head of the Privacy and Information Law Group at international law firm Field Fisher Waterhouse based in London.


Note. This topic was raised in Germany earlier this year. See NYT article.