
Social Media And Privacy October 9 2009

Date post: 17-May-2015
Upload: canadianlawyer
Privacy and Disclosure Minefields in Social Media: Identifying and Overcoming the Key Issues and Challenges MANAGING SOCIAL MEDIA October 6-7, 2009 Sutton Place Hotel, Toronto Mark S. Hayes Martin P.J. Kratz Ariane Siegel
Transcript
Page 1: Social Media And Privacy October 9 2009

Privacy and Disclosure Minefields in Social Media: Identifying and Overcoming the Key Issues and Challenges

MANAGING SOCIAL MEDIA
October 6-7, 2009
Sutton Place Hotel, Toronto

Mark S. Hayes
Martin P.J. Kratz
Ariane Siegel

Page 2: Social Media And Privacy October 9 2009

Outline
- Introduction – Privacy Issues and Social Media
- The Facebook Decision
- Reasonableness
- Managing Privacy Related Liability for Social Media Operators
- Social Media and Litigation
- Social Media and Children
- Questions

Page 3: Social Media And Privacy October 9 2009

Managing Social Media

Introduction – Privacy Issues and Social Media

Page 4: Social Media And Privacy October 9 2009

Privacy Issues and Social Media
- Social Media is all about sharing personal information
- A new dimension to the way people interact
- Role similar to what local newspapers and radio stations once did - bring a community of people with common interests and values together to share ideas
- Platform now reaches multitudes of people simultaneously
- Includes ability to interact instantaneously and share not only printed information but rich media, with pictures, music, videos
- Privacy issues affect website operators and their affiliates, advertisers, users, hackers, employers and law enforcement
- Raises issues on knowledge and consent for lawful uses

Page 5: Social Media And Privacy October 9 2009

Privacy Issues and Social Media
- Business, legal and technology issues intersect
- Target audience (jurisdiction, age, business)
- What personal information will be posted
- What personal information will be collected
- How will personal information be used
- Will personal information be shared (developers, other third parties)
- How long will personal information be retained
- Where will personal information be processed
- Safeguards
- Access

Page 6: Social Media And Privacy October 9 2009

Privacy Issues and Social Media
More Canadians on Facebook than…
- Study of 2000 young people Dr. Avner Levin at Ryerson, more than 48% log on more than once a day
- Attitudes about OSN – not too much concern that personal information would be accessed by employer
- Lots of personal information posted
- OPC Study: Focus Testing Privacy Issues and Potential Risks of Social Networking Sites http://www.priv.gc.ca/information/survey/2009/decima_2009_02_e.cfm

Page 7: Social Media And Privacy October 9 2009

Privacy Issues and Social Media

More Canadians on Facebook than…

Young Canadians have a unique perception that we call network privacy (Levin)

Privacy concerns relate to personal information ending up in “unauthorized” social network

They believe they can control online presence and feel largely accountable for breaches

Page 8: Social Media And Privacy October 9 2009

Managing Social Media

The Facebook Decision

Page 9: Social Media And Privacy October 9 2009

The Facebook Decision
Complaint Against Facebook by CIPPIC
Key Issues:
- Application to non-Canadian website operators
- Advertising
- Consent of non-members
- Sharing of Personal Information with Third Parties
- Data Retention / Account Deactivation

Page 10: Social Media And Privacy October 9 2009

The Facebook Decision
APPLICATION
- Underlying assumption - PIPEDA applies to website operators collecting personal information of Canadians
- Lawson v. Accutech
- PIPEDA not long arm statute
- Would not apply to entities without infrastructure / employees in Canada
- FTC similar approach, COPPA applies to any website operator collecting personal information about Americans

Page 11: Social Media And Privacy October 9 2009

The Facebook Decision
ADVERTISING
- Facebook needs revenue to offer service
- Advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertising.
- Facebook Ads - Aggregate information given to advertisers
- Targeted ads delivered - non invasive
- No opting out
- Social Ads can opt-out

Page 12: Social Media And Privacy October 9 2009

The Facebook Decision
CONSENT OF NON-USERS
- Resolution: Facebook agreed to provide information users need to ensure that they have the consent of non-users to share their e-mail addresses with Facebook
- Company must exercise reasonable due diligence to make sure this is happening

Page 13: Social Media And Privacy October 9 2009

The Facebook Decision
SHARING OF PERSONAL INFORMATION
- Key Issues: Sharing of Personal Information with developers
- Resolution: will prevent an application from accessing information until it obtains express consent for each type of data it wants to access

Page 14: Social Media And Privacy October 9 2009

The Facebook Decision
DATA RETENTION
- Facebook keeping Personal Information for long periods
- Deactivation does not mean deletion
- Resolution: Notice and deletion option
- Facebook agreed to make it clear that users have the option of either deactivating their account or deleting their account.
- No prescribed retention period

Page 15: Social Media And Privacy October 9 2009

Managing Social Media

Reasonableness

Page 16: Social Media And Privacy October 9 2009

Reasonableness
- Reasonableness is a flexible and adaptable concept
  - Can adapt to specific circumstances
  - Can change over time
- The requirement of “reasonableness” is inherent throughout Canadian privacy law
  - Threshold issues
  - Extent of disclosure
  - Security
  - Etc.

Page 17: Social Media And Privacy October 9 2009

Reasonableness
There is a reasonableness threshold

An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

Where an organization collects, uses or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed.

Page 18: Social Media And Privacy October 9 2009

Reasonableness
Basic Privacy Compliance Question:

Is it reasonable to permit the collection of personal information by Facebook from users in exchange for the free service Facebook offers?

Facebook decision
- All users receive Facebook ads, cannot opt out
- Traditionally Privacy Commissioner distinguished between primary and secondary marketing purposes
- Finds advertising is essential to the provision of Facebook’s service and persons who use the service must accept some ads

Page 19: Social Media And Privacy October 9 2009

Reasonableness
Who decides what is reasonable?
- Privacy Commissioner’s office applies objective test
- Facebook’s user feedback is not determinative
- While a protective standard – what happens when the culture changes underneath the objective assessment of what is reasonable?

Page 20: Social Media And Privacy October 9 2009

Reasonableness
- Is reasonableness different for web collection, use and disclosure?
- Is there a discrete internet culture to which a different standard might apply?
- The acceptance of compulsory ads on Facebook was seen as reasonable, a departure from traditional privacy analysis
- Courts and tribunals, however, have consistently applied the general law as applicable to the Internet

Page 21: Social Media And Privacy October 9 2009

Reasonableness
Internet Culture is different
- The sense of what is reasonable is different on the web
- Barlow, EFF (1996): "Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather."

Page 22: Social Media And Privacy October 9 2009

Reasonableness
What are users sharing on social media sites?
Is it “reasonable”?
- Estimated 61% of 13-17 year olds have a profile online
- Half with pictures
- Much of the social network information may be kept private but only if the privacy features are turned on.
- What does your child say about herself?
- What information is an invitation to ID theft or worse?

Page 23: Social Media And Privacy October 9 2009

Social Network Profile Information

Basic – gender, hometown, DOB, political & religious views

Education – high school and post secondary institutions, dates

Contact – address, email address, IM screen names, telephone & cell numbers

Work – current and previous employment/employers

Relationship – status, sexual orientation

Picture – photos of you, family, friends, school mates

Personal – activities, interests (music, movies, quotations)

Groups – names and links to all the groups and networks you join

Page 24: Social Media And Privacy October 9 2009

Social Network Profile Information
Typical information on Facebook
U Guelph study 2008

Birthdates 96%

E-mail 85%

Relationship status 81%

Personal interests 58%

Current city 42%

Phone number 24%

Page 25: Social Media And Privacy October 9 2009

Social Network Profile Information
Likelihood to post information (out of 7 max)
U Guelph study 2008

Profile photos 6.6

Traveling photos 6.17

Photos with boy / girl friend 5.91

Photos in Bikini / swim suit 4.23

Photos making out 2.52

Photos doing something illegal 2.45

Photos doing drugs 1.99

Naked photos 1.49

Page 26: Social Media And Privacy October 9 2009

Reasonableness
- Is there any privacy expectation left on the web?
- Emily Nussbaum, writing in the New Yorker, identifies a generational trend. It is only the older generations that still seem to care about privacy.
- “Say Everything As younger people reveal their private lives on the Internet, the older generation looks on with alarm and misapprehension not seen since the early days of rock and roll. The future belongs to the uninhibited.”
- Nussbaum writes beginning with a 26 year old bartender who, among other things, has posted nude pictures of herself on her MySpace page but sees it all as a way to document her life and share it with others.
- Will she think so positively of it when she seeks to get married, changes jobs, etc.? http://www.nymag.com/news/features/27341

Page 27: Social Media And Privacy October 9 2009

Reasonableness
Emily Nussbaum’s conclusions are:
- There is a true generational gap - last one was 50 years ago
- They think of themselves as having an audience
- They have archived their adolescence
- Their skin is thicker than yours

Page 28: Social Media And Privacy October 9 2009

Reasonableness
- Young people seem to accept that the idea of a private life is an illusion
- Maybe they are correct
- We live in an age of surveillance
  - Security cameras on the streets, train stations
  - Transaction details tracked every time you swipe your Starbucks card, use a debit card
  - Your employer monitors your emails
  - The NSA monitors your telephone calls
- Our lives are lived in public whether we seek to acknowledge it or not …

Page 29: Social Media And Privacy October 9 2009

Reasonableness
- But it can go too far …
- Poor choices are harder to erase or forget
- “Susie's” 2000 “special” video for her (then) boyfriend
  - Posted on the web, becomes a viral video
- Paris Hilton sex tape 2004
- In the public there has been a dramatic shift in what is considered reasonable
- 20 years earlier Miss America lost her crown for a similar expose
- What will be “routine” in 10 years or 20?

Page 30: Social Media And Privacy October 9 2009

Reasonableness
- Is privacy an antiquated concept?
- Will the Facebook generation live to regret what they have shared with others?
- Do the earlier generations just have to get used to a new way of thinking about privacy?
- How does a privacy commissioner’s office confront a generational attitude change to the concept of privacy?
- Which generation gets to decide?
- How will that shift the view of what is “reasonable”?

Page 31: Social Media And Privacy October 9 2009

Reasonableness
- Acceptance of the Facebook ads for access to the social media service was found reasonable
- How far might that go?
- Would that change if it became a paid site?

Page 32: Social Media And Privacy October 9 2009

Managing Social Media

Managing Privacy Related Liability for Social Media Operators

Page 33: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators
- Social Media Site operators face evolving legal and regulatory scrutiny
- Operate in an environment of less legal certainty over their liability
- Seek means to manage their own liability on various issues, including privacy compliance obligations
- Typical approaches involve
  - User acceptance of Terms of Use / Terms of Service
  - User acceptance of risks
  - Dispute resolution mechanisms

Page 34: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators
- Mere reliance on the Terms of Service is alone insufficient
- Facebook approach to state a requirement for application developers in the applicable terms was found not sufficient to address Facebook’s responsibility
- Facebook required to take further steps to ensure developers were aware of the applicable requirement (to obtain consent in this case) and comply with it

Page 35: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators
- Additional means contemplated in the Facebook case included:
  - Prominence to specific obligations in developer guidelines
  - Adjust template to facilitate space for explanation for users
- But mere warnings may not be sufficient:
  - COPPA experience - consider the audience and the ability to understand the terms and warnings
  - Avoid “legalese”

Page 36: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators

- Address all of the customary safeguards sought in any outsourcing
  - Audit rights
  - Data ownership and immediate access rights
  - Controls
- Addition of security measures where applicable
- Restriction of access
- Segregation of personal information and limiting access to only that strictly necessary for a specific function by a party

Page 37: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators
- Other options for social media operators to manage risk
  - Facilitate the ability of 3rd parties to get direct user consent where applicable
  - Identified for application developers in the Facebook case

Page 38: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators
- Shifting risk to the user
  - In the Facebook case users post personal information on non-members
  - Vulnerability from use of mobile devices
- Becomes the responsibility of the Facebook user to obtain the consent, address security of own devices
- Facebook may reasonably rely on users to obtain non-user’s consent … provided Facebook exercises due diligence
- Important that Facebook informs users
- Notification when applicable

Page 39: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators
- Reliance on 3rd party or privacy compliance verification process
- Common under COPPA
- Optional with Facebook for third party application developers
- Advantages of compulsory vs. voluntary approach

Page 40: Social Media And Privacy October 9 2009

Managing Privacy Related Liability for Social Media Operators
- For social media operators other than Facebook …
- … safety of the herd
- In the absence of defined standards, adoption of practices commented upon as acceptable becomes a risk mitigation approach

Page 41: Social Media And Privacy October 9 2009

Managing Social Media

Social Media and Litigation

Page 42: Social Media And Privacy October 9 2009

Social Media and Litigation
- Recent explosion in cases involving social media issues
- Most common types of cases:
  - Family
  - Criminal
  - Personal injury

Page 43: Social Media And Privacy October 9 2009

Social Media and Litigation
Uses for evidence from social media sites:

Evidence that party’s actions are inconsistent with positions or evidence in action (e.g. extent of disability)

Party’s “friends” or contacts belie claim that party did not know or have contact with an individual

Party’s communications (sent or received) are inconsistent with evidence or legal obligations (e.g. non-contact order)

Page 44: Social Media And Privacy October 9 2009

Privacy and Social Media Evidence
Issues raised:

Is production of social media evidence prohibited by privacy statutes?

When can party be compelled to divulge contents of social media profile or pages?

When can social media site operator be required to divulge information such as IP address of subscriber?

Page 45: Social Media And Privacy October 9 2009

Privacy Statutes and Litigation Exemptions
- All Canadian personal information privacy statutes have exemptions for litigation production
- PIPEDA: disclosure without consent if:
  - Required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information (s. 7(3)(c))
  - Required to comply with rules of court relating to the production of records (s. 7(3)(c))
  - Required by law (s. 7(3)(i))

Page 46: Social Media And Privacy October 9 2009

Privacy Statutes and Litigation Exemptions
- S. 7(3)(i) and latter part of s. 7(3)(c) will require party to litigation to disclose any relevant personal information in their possession or control
  - May still be subject to PIPEDA restrictions in hands of opposing party
  - In any event, implied undertaking of confidentiality will apply
- S. 7(3)(c) will require third party to disclose personal information, but only in response to court order
  - Subpoena issued by party’s lawyer (as is allowed in many provinces) will not suffice
- Provincial statutes are generally similar

Page 47: Social Media And Privacy October 9 2009

Privacy Statutes and Litigation Exemptions
- Litigants who tried to resist production of relevant evidence on basis of privacy consistently unsuccessful
- Ferenczy v. MCI Medical Clinics (2004), 70 O.R. (3d) 277
  - Plaintiff tried to exclude damning surveillance evidence
  - Court found implied consent by plaintiff to surreptitious observation of personal injury plaintiffs when physical capabilities in issue
  - In any event, violation of PIPEDA has no direct impact on the issue of the admissibility of evidence
- PCC has not accepted Ferenczy as precedent

Page 48: Social Media And Privacy October 9 2009

Production of Social Media Evidence
- Social media evidence is primarily a relevance issue, not a privacy issue
- Privacy one factor to be considered in determining relevance and proportionality of requested production
- Court will order production of “private” Facebook pages if there are sufficient grounds to conclude that they contain relevant evidence
- Will not allow “fishing expedition”

Page 49: Social Media And Privacy October 9 2009

Murphy v. Perger, 2007 Ont. S.C.
- Motor vehicle accident
- Plaintiff had publicly available site which contained photographs of the plaintiff engaged in social activities
- Defendant requested access to private Facebook profile - plaintiff had 366 “friends”
- Successful ex parte preservation motion to avoid spoliation
- Facebook production ordered: given nature of Facebook and that plaintiff’s public site includes photographs, reasonable to conclude Facebook profile would as well
- Any invasion of privacy is “minimal”

Page 50: Social Media And Privacy October 9 2009

Leduc v. Roman, 2009 Ont. S.C.
- Motor vehicle accident
- No questions on discovery about Facebook
- Medical exam: plaintiff told doctor “that he did not have friends in his current area, although he had “a lot on Facebook””
- Defendant demanded production of all pages of plaintiff’s Facebook profile
- Master refused production – SCJ overturned

Page 51: Social Media And Privacy October 9 2009

Leduc v. Roman, 2009 Ont. S.C.
- “That a person’s Facebook profile may contain documents relevant to the issues in an action is beyond controversy.”
- Where party has both public and private profile, reasonable to infer that content on public profile similar to content on private profile
- Where user has only private profile, can infer from social networking purpose of Facebook “that users intend to take advantage of Facebook's applications to make personal information available to others”
- Facebook “likely contains some content relevant to the issue of how Mr. Leduc has been able to lead his life since the accident”

Page 52: Social Media And Privacy October 9 2009

Production of Social Media Evidence
- Appears to be open season on production of almost any social media information
- Precise test to be applied will depend on nature of action
- At this point, likely professional negligence not to:
  - Look at social media sites in any case where character or activities of individual party or witness may be relevant
  - Seek production if information not forthcoming
- Must advise clients that relevant portions of web sites relating to them must be listed in affidavit of documents

Page 53: Social Media And Privacy October 9 2009

Disclosure of Subscriber Details
- Numerous criminal cases involving voluntary disclosure to police of subscriber information by ISPs
- General rule is that disclosure is permitted under PIPEDA and Charter if subscriber agreement permits disclosure
- No reasonable expectation of privacy
- Same reasoning likely applies to social networking sites, although no cases yet

Page 54: Social Media And Privacy October 9 2009

Terms of Service
Facebook: “We may be required to disclose user information pursuant to lawful requests, such as subpoenas or court orders, or in compliance with applicable laws. We do not reveal information until we have a good faith belief that an information request by law enforcement or private litigants meets applicable legal standards. Additionally, we may share account or other information when we believe it is necessary to comply with law, to protect our interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm. This may include sharing information with other companies, lawyers, agents or government agencies.”

Based on ISP cases, this would likely allow disclosure

Page 55: Social Media And Privacy October 9 2009

Terms of Service
Google/YouTube: “We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.”

Not as clear – what is an “enforceable governmental request”?

Page 56: Social Media And Privacy October 9 2009

Bottom Line
- Courts are not going to pay much attention to “privacy” if it impacts on:
  - Providing full disclosure
  - Finding the truth
  - Being fair to both parties
- Where production right is questionable and information is very sensitive, privacy may be one factor of many to be considered in determining proportionality of request for information
- In most cases, if you have made information available on social media sites, it is going to be produced

Page 57: Social Media And Privacy October 9 2009

Managing Social Media

Social Media and Children

Page 58: Social Media And Privacy October 9 2009

Social Media and Children

- COPPA in US
  - Age screen for under 13
  - Sliding scale over 13 and over 18
- CMA Guidelines in Canada
  - 13, 14 and 15 Contact information only
    - Express Consent Teenager
  - 13, 14 and 15 Personal information beyond contact information
    - Express Consent of Teenager and parent or guardian
- Capacity to consent in Canada

Page 59: Social Media And Privacy October 9 2009

Social Media and Children

- Capacity to consent in Canada
- Minor under 18 can’t give valid consent to contract contrary to their interests
- Criminal Code Issues re consent
- FTC DOB recommendations: don’t encourage lying
- Note Aspects of Facebook findings limited to users over 18

Page 60: Social Media And Privacy October 9 2009

Social Media and Children
- FTC wants sites to prevent children from back-clicking to change their DOBs once they have been blocked.
- Facebook Agreement in May 2008 with 49 U.S. attorneys general.
  - prevent underage users from accessing the site;
  - protect minors from inappropriate contact;
  - protect minors from inappropriate content; and
  - provide safety tools for all social networking site users.
- Agreed to implement and enforce the feature of “age locking”, monitor and review the profile of any user who initiates an age change indicating that he or she is over or under 18.

Page 61: Social Media And Privacy October 9 2009

Questions

Mark S. Hayes
Martin P.J. Kratz

Ariane Siegel

Page 62: Social Media And Privacy October 9 2009

Follow Up

Martin Hayes, [email protected] 416-966-ELAW (3529)

Martin Kratz, [email protected] 403 298 3650

Ariane Siegel, [email protected] 416 369 7228

