It is a key topic to work on and will require a lot of your time. Here at Swiss Re, for our internal deployment, we had the advantage of a very solid and global Code of Conduct we could build on. However, my colleagues spent many hours with our legal people from the different regions to put a policy for our new platform in place, and with worker council representatives to get it accepted.
So no silver bullet from my side either, except to get the right people involved very early to have enough time to discuss the details.
I'm far from an expert on EU Data Privacy Laws, but my understanding is that at least the 1995 Data Protection Directive (Directive 95/46/EC) bars any collection and processing of data that can identify or be linked to an individual without the individual's consent. Presenting Terms and Conditions that include your policies around data retention as part of registration, and storing any collected information in the EU or elsewhere with a data privacy agreement in place, may be a way to address this.
Janet, Olivia is correct: good end user terms certainly help in this regard.
And I've been saying to whoever will listen - this is the one area that presents the most challenge to Enterprise 2.0 tools! Companies that are truly global (where our foreign operations are well represented in terms of contribution to revenue and employee/office representation) have to work with and around these laws (and European laws aren't the only ones to consider).
Fortunately for us at CSC, we have worked on our collaboration strategy for years, so we had a good foundation to work from for our end user terms. For our pilot, we augmented the terms to indicate that anyone who opted to participate would volunteer their registration information and any other data they contributed. What is interesting is that these tools finally give what Knowledge Managers have always wanted - a way to accumulate one's activity (easy to find what I've done, where I've done it and where my interests are). But the downside to that is that some of our European counterparts don't like that type of user breadcrumb and history. It is an interesting challenge right now.
We are moving our sign on solution to an 'integrated' single sign on facility (will integrate with our internal SSO capability). When that is in place the 'rules' for what is fed over to our Jive internal instance will still only match any global, corporate, pre-approved directory rules (i.e. bare minimum data). And the end user terms for our next "SSO release" have been slightly modified and have been approved by our global data privacy and data protection groups (the review of these terms almost took our entire pilot duration - 6 months - to work through).
I can't tell you I have the silver bullet. I think working through this for any company requires a unique approach that is required by your company culture and rules.
All I can tell you is that you are not alone. These tools do raise new concerns for companies. Technologies are innovating faster than global laws and corporate policies are able to keep up with.
Good luck! Get your stakeholders involved. Be persistent. Understand their concerns - and do what you can to provide good guidance in addressing those concerns. That's all I can say.
Would every post made by an EU user or made by another person in reference to an EU user be considered personal data?
The basic rule is that if data identifies, or could be used to identify, any living individual, that classes as personal data for EU purposes.
What your obligations are in relation to that data depends on who it relates to, what they consented to, who is collecting it, and what is being done with it.
What they consented to is critical here, hence why Olivia, Claire & Wolfgang all mentioned how important good terms & conditions are, and how you need to work with all the relevant parties to draw up those terms & conditions appropriately for your organization, and, in some countries, of which France is definitely one, you really must work pro-actively with your Workers Councils in order to obtain their agreement.