Social Media And Privacy October 9 2009
Upcoming SlideShare
Loading in...5

Social Media And Privacy October 9 2009






Total Views
Views on SlideShare
Embed Views



3 Embeds 4 2 1 1



Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

Social Media And Privacy October 9 2009 Social Media And Privacy October 9 2009 Presentation Transcript

  • Privacy and Disclosure Minefields in Social Media: Identifying and Overcoming the Key Issues and Challenges
    October 6-7, 2009 Sutton Place Hotel, Toronto
    Mark S. Hayes
    Martin P.J. Kratz
    Ariane Siegel
  • Outline
    Introduction – Privacy Issues and Social Media
    The Facebook Decision
    Managing Privacy Related Liability for Social Media Operators
    Social Media and Litigation
    Social Media and Children
  • Managing Social Media
    Introduction – Privacy Issues and Social Media
  • Privacy Issues and Social Media
    Social Media is all about sharing personal information
    A new dimension to the way people interact
    Role similar to what local newspapers and radio stations once did-bring a community of people with common interests and values together to share ideas
    Platform now reaches multitudes of peoples simultaneously
    Includes ability to interact instantaneously and share not only printed information but rich media, with pictures, music, videos
    Privacy issues affect website operators and their affiliates, advertisers, users, hackers, employers and law enforcement
    Raises issues on knowledge and consent for lawful uses
  • Privacy Issues and Social Media
    Business, legal and technology issues intersect
    Target audience (jurisdiction, age, business)
    What personal information will be posted
    What personal information will be collected
    How will personal information be used
    Will personal information be shared (developers, other third parties)
    How long will personal information be retained
    Where will personal information be processed
  • Privacy Issues and Social Media
    More Canadians on Facebook than…
    Study of 2000 young people
    Dr. Avner Levin at Ryerson, more than 48% log on more than once a day
    Attitudes about OSN – not too much concern that personal information would be accessed by employer
    Lots of personal information posted
    OPC Study: Focus Testing Privacy Issues and Potential Risks of Social Networking Sites
  • Privacy Issues and Social Media
    More Canadians on Facebook than…
    Young Canadians have a unique perception that we call network privacy (Levin)
    Privacy concerns relate to personal information ending up in “unauthorized” social network
    They believe they can control online presence
    feel largely accountable for breaches
  • Managing Social Media
    The Facebook Decision
  • The Facebook Decision
    Complaint Against Facebook by CIPPIC
    Key Issues:
    Application to non-Canadian website operators
    Consent of non-members
    Sharing of Personal Information with Third Parties
    Data Retention /Account Deactivation
  • The Facebook Decision
    Underlying assumption - PIPEDA applies to website operators collecting personal information of Canadians
    Lawson v. Accutech
    PIPEDA not long arm statute
    Would not apply to entities without infrastructure / employees in Canada
    FTC similar approach, COPPA applies to any website operator collecting personal information about Americans
  • The Facebook Decision
    Facebook needs revenue to offer service
    Advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertising.
    Facebook Ads - Aggregate information given to advertisers
    Targeted ads delivered - non invasive
    No opting out
    Social Ads can opt-out
  • The Facebook Decision
    Resolution: Facebook agreed to provide information users need to ensure that they have the consent of non-users to share their e-mail addresses with Facebook
    Company must exercise reasonable due diligence to make sure this is happening
  • The Facebook Decision
    Key Issues: Sharing of Personal Information with developers
    Resolution: will prevent an application from accessing information until it obtains express consent for each type of data it wants to access
  • The Facebook Decision
    Facebook keeping Personal Information for long periods
    Deactivation does not mean deletion
    Resolution: Notice and deletion option
    Facebook agreed to make it clear that users have the option of either deactivating their account or deleting their account.
    No prescribed retention period
  • Managing Social Media
  • Reasonableness
    Reasonableness is a flexible and adaptable concept
    Can adapt to specific circumstances
    Can change over time
    The requirement of “reasonableness” is inherent throughout Canadian privacy law
    Threshold issues
    Extent of disclosure
  • Reasonableness
    There is a reasonableness threshold
    An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
    Where an organization collects, use or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed.
  • Reasonableness
    Basic Privacy Compliance Question:
    Is it reasonable to permit the collection of personal information by Facebook from users in exchange for the free service Facebook offers?
    Facebook decision
    All users receive Facebook ads, can not opt out
    Traditionally Privacy Commissioner distinguished between primary and secondary marketing purposes
    Finds advertising is essential to the provision of Facebook’s service and persons who use the service must accept some ads
  • Reasonableness
    Who decides what is reasonable?
    Privacy Commissioner’s office applies objective test
    Facebook’s user feedback is not determinative
    While a protective standard – what happens when the culture changes underneath the objective assessment of what is reasonable?
  • Reasonableness
    Is reasonableness different for web collection, use and disclosure?
    Is there a discrete internet culture to which a different standard might apply?
    The acceptance of compulsory ads on Facebook was seen as reasonable, a departure from traditional privacy analysis
    Courts and tribunals, however, have consistently applied the general law as applicable to the Internet
  • Reasonableness
    Internet Culture is different
    The sense of what is reasonable is different on the web
    Barlow, EFF (1996)
    "Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.“
  • Reasonableness
    What are users sharing on social media sites?
    Is it “reasonable”?
    Estimated 61% of 13-17 year olds have a profile on line
    Half with pictures
    Much of the social network information may be kept private but only if the privacy features are turned on.
    What does your child say about herself?
    What information is an invitation to ID theft or worse?
  • Social Network Profile Information
  • Social Network Profile Information
    • Typical information on Facebook
    U Guelph study 2008
  • Social Network Profile Information
    • Likelihood to post information (out of 7 max)
    U Guelph study 2008
  • Reasonableness
    Is there any privacy expectation left on the web?
    Emily Nussbaum, writing in the New Yorker, identifies a generational trend. It is only the older generations that still seem to care about privacy.
    “Say Everything
    As younger people reveal their private lives on the Internet, the older generation looks on with alarm and misapprehension not seen since the early days of rock and roll. The future belongs to the uninhibited.”
    Nussbaum writes beginning with a 26 year old bartender who, among other things, has posted nude pictures of herself on her MySpace page but sees it all as a way to document her life and share it with others.
    Will she think so positively of it when she seeks to get married, changes jobs, etc.?
  • Reasonableness
    Emily Nussbaum’s conclusions are:
    There is a true generational gap
    last one was 50 years ago
    They think of themselves as having an audience
    They have archived their adolescence
    Their skin is thicker than yours
  • Reasonableness
    Young people seem to accept that the idea of a private life is an illusion
    Maybe they are correct
    We live in an age of surveillance
    Security cameras on the streets, train stations
    Transaction details tracked every time you swipe your Starbucks card, use a debit card
    Your employer monitors your emails
    The NSA monitors your telephone calls
    Our lives are lived in public whether we seek to acknowledge it or not …
  • Reasonableness
    But it can go too far …
    Poor choices are harder to erase or forget
    “Susie's” 2000 “special” video for her (then) boyfriend
    Posted on the web, becomes a viral video
    Paris Hilton sex tape 2004
    In the public there has been a dramatic shift in what is considered reasonable
    20 years earlier Miss America lost her crown for a similar expose
    What will be “routine” in 10 years or 20?
  • Reasonableness
    Is privacy an antiquated concept?
    Will the Facebook generation live to regret what they have shared with others?
    Do the earlier generations just have to get used to a new way of thinking about privacy?
    How does a privacy commissioner’s office confront a generational attitude change to the concept of privacy?
    Which generation gets to decide?
    How will that shift the view of what is “reasonable”?
  • Reasonableness
    Acceptance of the Facebook ads for access to the social media service was found reasonable
    How far might that go?
    Would that change if it became a paid site?
  • Managing Social Media
    Managing Privacy Related Liability for Social Media Operators
  • Managing Privacy Related Liability for Social Media Operators
    Social Media Site operators face evolving legal and regulatory scrutiny
    Operate in an environment of less legal certainty over their liability
    Seek means to manage their own liability on various issues, including privacy compliance obligations
    Typical approaches involve
    User acceptance of Terms of Use / Terms of Service
    User acceptance of risks
    Dispute resolution mechanisms
  • Managing Privacy Related Liability for Social Media Operators
    Mere reliance on the Terms of Service is alone insufficient
    Facebook approach to state a requirement for application developers in the applicable terms was found not sufficient to address Facebook‘s responsibility
    Facebook required to take further steps to ensure developers were aware of the applicable requirement (to obtain consent in this case) and comply with it
  • Managing Privacy Related Liability for Social Media Operators
    Additional means contemplated in the Facebook case included:
    Prominence to specific obligations in developer guidelines
    Adjust template to facilitate space for explanation for users
    But mere warnings may not be sufficient:
    COPPA experience - consider the audience and the ability to understand the terms and warnings
    Avoid “legalese”
  • Managing Privacy Related Liability for Social Media Operators
    Address all of the customary safeguards sought in any outsourcing
    Audit rights
    Data ownership and immediate access rights
    Addition of security measures where applicable
    Restriction of access
    Segregation of personal information and limiting access to only that strictly necessary for a specific function by a party
  • Managing Privacy Related Liability for Social Media Operators
    Other options for social media operators to manage risk
    Facilitate the ability of 3rd parties to get direct user consent where applicable
    Identified for application developers in the Facebook case
  • Managing Privacy Related Liability for Social Media Operators
    Shifting risk to the user
    In the Facebook case
    users post personal information on non-members
    Vulnerability from use of mobile devices
    Becomes the responsibility of the Facebook user to obtain the consent, address security of own devices
    Facebook may reasonably rely on user’s to obtain non-user’s consent … provided Facebook exercises due diligence
    Important that Facebook informs users
    Notification when applicable
  • Managing Privacy Related Liability for Social Media Operators
    Reliance on 3rd party or privacy compliance verification process
    Common under COPPA
    Optional with Facebook for third party application developers
    Advantages of compulsory vs. voluntary approach
  • Managing Privacy Related Liability for Social Media Operators
    For social media operators other than Facebook …
    … safety of the herd
    In the absence of defined standards adoption of practices commented upon as acceptable becomes a risk mitigation approach
  • Managing Social Media
    Social Media and Litigation
  • Social Media and Litigation
    Recent explosion in cases involving social media issues
    Most common types of cases:
    Personal injury
  • Social Media and Litigation
    Uses for evidence from social media sites:
    Evidence that party’s actions are inconsistent with positions or evidence in action (e.g. extent of disability)
    Party’s “friends” or contacts belie claim that party did not know or have contact with an individual
    Party’s communications (sent or received) are inconsistent with evidence or legal obligations (e.g. non-contact order)
  • Privacy and Social Media Evidence
    Issues raised:
    Is production of social media evidence prohibited by privacy statutes?
    When can party be compelled to divulge contents of social media profile or pages?
    When can social media site operator be required to divulge information such as IP address of subscriber?
  • Privacy Statutes and Litigation Exemptions
    All Canadian personal information privacy statutes have exemptions for litigation production
    PIPEDA: disclosure without consent if:
    Required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information (s. 7(3)(c))
    Required to comply with rules of court relating to the production of records (s. 7(3)(c))
    Required by law (s. 7(3)(i))
  • Privacy Statutes and Litigation Exemptions
    S. 7(3)(i) and latter part of s. 7(3)(c) will require party to litigation to disclose any relevant personal information in their possession or control
    May still be subject to PIPEDA restrictions in hands of opposing party
    In any event, implied undertaking of confidentiality will apply
    S. 7(3)(c) will require third party to disclose personal information, but only in response to court order
    Subpoena issued by party’s lawyer (as is allowed in many provinces) will not suffice
    Provincial statutes are generally similar
  • Privacy Statutes and Litigation Exemptions
    Litigants who tried to resist production of relevant evidence on basis of privacy consistently unsuccessful
    Ferenczy v. MCI Medical Clinics (2004), 70 O.R. (3d) 277
    Plaintiff tried to exclude damning surveillance evidence
    Court found implied consent by plaintiff to surreptitious observation of personal injury plaintiffs when physical capabilities in issue
    In any event, violation of PIPEDA has no direct impact on the issue of the admissibility of evidence
    PCC has not accepted Ferenczy as precedent
  • Production of Social Media Evidence
    Social media evidence is primarily a relevance issue, not a privacy issue
    Privacy one factor to be considered in determining relevance and proportionality of requested production
    Court will order production of “private” Facebook pages if there is sufficient grounds to conclude that they contain relevant evidence
    Will not allow “fishing expedition”
  • Murphy v. Perger, 2007 Ont. S.C.
    Motor vehicle accident
    Plaintiff had publicly available site which contained photographs of the plaintiff engaged in social activities
    Defendant requested access to private Facebook profile - plaintiff had 366 “friends”
    Successful ex parte preservationmotion to avoid spoliation
    Facebook production ordered: given nature of Facebook and that plaintiff’s public site includes photographs, reasonable to conclude Facebook profile would as well
    Any invasion of privacy is “minimal”
    • Leduc v. Roman, 2009 Ont. S.C.
    Motor vehicle accident
    No questions on discovery about Facebook
    Medical exam: plaintiff told doctor “that he did not have friends in his current area, although he had “a lot on Facebook””
    Defendant demanded production of all pages of plaintiff’s Facebook profile
    Master refused production – SCJ overturned
  • Leduc v. Roman, 2009 Ont. S.C.
    “That a person’s Facebook profile may contain documents relevant to the issues in an action is beyond controversy.”
    Where party has both public and private profile, reasonable to infer that content on public profile similar to content on private profile
    Where user has only private profile, can infer from social networking purpose of Facebook "that users intend to take advantage of Facebook's applications to make personal information available to others”
    Facebook “likely contains some content relevant to the issue of how Mr. Leduc has been able to lead his life since the accident”
  • Production of Social Media Evidence
    Appears to be open season on production of almost any social media information
    Precise test to be applied will depend on nature of action
    At this point, likely professional negligence not to:
    Look at social media sites in any case where character or activities of individual party or witness may be relevant
    Seek production if information not forthcoming
    Must advise clients that relevant portions of web sites relating to them must be listed in affidavit of documents
  • Disclosure of Subscriber Details
    Numerous criminal cases involving voluntary disclosure to police of subscriber information by ISPs
    General rule is that disclosure is permitted under PIPEDA and Charter if subscriber agreement permits disclosure
    No reasonable expectation of privacy
    Same reasoning likely applies to social networking sites, although no cases yet
  • Terms of Service
    Facebook: “We may be required to disclose user information pursuant to lawful requests, such as subpoenas or court orders, or in compliance with applicable laws. We do not reveal information until we have a good faith belief that an information request by law enforcement or private litigants meets applicable legal standards. Additionally, we may share account or other information when we believe it is necessary to comply with law, to protect our interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm. This may include sharing information with other companies, lawyers, agents or government agencies.”
    Based on ISP cases, this would likely allow disclosure
  • Terms of Service
    Google/YouTube: “We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.”
    Not as clear – what is an “enforceable governmental request”?
  • Bottom Line
    Courts are not going to pay much attention to “privacy” if it impacts on:
    Providing full disclosure
    Finding the truth
    Being fair to both parties
    Where production right is questionable and information is very sensitive, privacy may be one factor of many to be considered in determining proportionality of request for information
    In most cases, if you have made information available on social media sites, it is going to be produced
  • Managing Social Media
    Social Media and Children
  • Social Media and Children
    COPPA in US Age screen for under 13
    Sliding scale over 13 and over 18
    CMA Guidelines in Canada
    13, 14 and 15 Contact information only
    Express Consent Teenager
    13, 14 and 15 Personal information beyond contact information
    Express Consent of Teenager and parent or guardian
    Capacity to consent in Canada
  • Social Media and Children
    Capacity to consent in Canada
    Minor under 18 can’t give valid consent to contract contrary to their interests
    Criminal Code Issues re consent
    FTC DOB recommendations: don’t encourage lying
    Note Aspects of Facebook findings limited to users over 18
  • Social Media and Children
    FTC wants sites to prevent children from back-clicking to change their DOBs once they have been blocked.
    Facebook Agreement in May 2008 with 49 U.S. attorneys general.
    prevent underage users from accessing the site;
    protect minors from inappropriate contact;
    protect minors from inappropriate content; and
    provide safety tools for all social networking site users.
    Agreed to implement and enforce the feature of “age locking”, monitor and review the profile of any user who initiates an age change indicating that he or she is over or under 18.
  • Questions
    Mark S. Hayes
    Martin P.J. Kratz
    Ariane Siegel
  • Follow Up
    Martin Hayes,
    416-966-ELAW (3529)
    Martin Kratz,
    403 298 3650
    Ariane Siegel,
    416 369 7228