
Hayes Privacy And Social Media PowerPoint, October 29, 2010



PowerPoint presented at IT.Can Annual Meeting in Montreal, October 29, 2010


  1. Privacy and Social Media: Challenges in the Facebook Age
     Mark Hayes, Hayes | eLaw LLP
     October 29, 2010, Montréal, Québec
  2. The Real World
  3. Public v. Private: Blurring the Line, Online
     • Advances in social media technology blurring the line between private and public spheres for personal information
       – Alters ways in which rights interpreted
     • Examine some implications of Facebook decision by PCC (July 2009)
       – Reasonableness
       – Third party information
       – Data retention
  4. What is “reasonable”?
     • PIPEDA and provincial privacy statutes use “reasonable” hundreds of times to describe required standards and restrictions on collection, use and disclosure
     • What does “reasonable” mean in online context and how is it to be assessed?
     • Special challenges
  5. Reasonableness
     • Wide range of legitimate privacy expectations
       – Your privacy expectations may be far more stringent than mine
       – Why are your expectations reasonable and mine aren't, or vice-versa?
       – PIAC studies from 2001 (in paper)
     • 2009 studies about online tracking show similar division of opinion
  6. Reasonableness
     • Online context produces new challenges
       – Online vs. offline
       – Generational
       – Changes over time
     • Some of these recognized by PCC in online tracking paper released October 25
       – Not sure how or if they will be addressed in future
  7. The Facebook Case – Reasonableness
     • What types of advertising constitute a reasonable purpose?
     • Issue was whether Facebook had to allow opt out of receiving targeted ads
       – Generally agreed that serving of ads was acceptable to support service
       – Some users did not want to receive targeted ads
  8. The Facebook Case – Reasonableness
     • Facebook distinguished between:
       – “Facebook Ads” (“targeted to demographic profiles or key words in a user’s profile”)
       – “Social Ads” (“triggered not by individual words in a profile, but rather by social “actions”, such as the action of becoming a fan of a page, joining a group, or doing something else that would appear in the feature “News Feed””)
     • Users could opt out of Social Ads but not Facebook Ads
  9. The Facebook Case – Reasonableness
     • Aggregation of PI is a use: correct?
     • Reasonableness: “I view Social Ads to be the more problematic because of their inherently intrusive nature. … In effect, the Social Ad takes on the appearance of an endorsement of the product by the user. For this reason, users would not reasonably expect their information to be used in such a manner.” (emphasis added)
       – Unclear how this decision was arrived at
  10. The Facebook Case – Reasonableness
     • How was reasonable expectation of users determined?
       – Surveys?
       – User behaviour?
       – Assistant Commissioner’s own experience?
     • Reasonableness generally has both a subjective and objective element
       – Views of involved individuals
       – Views of “reasonable person”
     • Neither seems to have been used here
  11. The Facebook Case – Reasonableness
     • Echoes of earlier decisions involving privacy breaches
       – now more sophisticated
     • Online “reasonableness” must be contextual
       – Consider user population, nature of site and use, changes in attitudes over time
       – Perhaps more sophisticated analysis in future
  12. The Facebook Case: Non-user consent
     • Third party consent issue arises in many multi-party transaction contexts
       – Credit bureaus
       – Retailers and credit cards
     • Arises from the nature of social media
       – Posting of photos, text, etc. containing PI
       – Invitations of non-members
     • How can social media site ensure that appropriate consent is obtained?
  13. Again, Must Deal with Reality….
  14. The Facebook Case: Non-user consent
     • Some uses (e.g. tagging by photos) by users would be a personal use; outside of scope of PIPEDA
       – However, other uses by Facebook for its purposes (e.g. sending invitations to non-users) would be commercial use
     • PCC found that “Facebook should assume some responsibility for seeking consent in these [latter] contexts.”
  15. The Facebook Case: Non-user consent
     • Ultimately decided that “Facebook may reasonably rely on users to obtain non-users’ consent, if it exercises due diligence.”
       – Essentially notice of consent requirement
     • Facebook rejected recommendations that it enforce “punitive measures to deal with users who are found to be in violation of the consent requirement”
  16. The Facebook Case: Non-user consent
     • PCC approach good start to a complex analysis
     • Some questions:
       – Nature of the PI use in issue
       – Relationship between intermediary (i.e. FB user) and third party (i.e. non-user)
       – Reliability of intermediary in obtaining consent (viz. credit bureaus and banks)
       – Where does it make the most sense to obtain consent?
  17. The Facebook Case: Deactivation and Deletion
     • Online applications (including social media) necessarily involve storage of lots of data, including PI
     • PIPEDA requires PI to be deleted or anonymized when no longer required for an identified purpose
     • Facebook indefinitely retained data of inactivated accounts
       – PCC found that this should be limited
  18. Where Do We Go From Here?
     • Before PCC had closed first Facebook file, another controversy erupted
     • “Instant Personalization”
       – “Powerful, inventive and creepy tool”
       – If Facebook user goes to a licensed IP site for 1st time, site can access Facebook profile and combine with publicly available information to produce personalized experience
  19. Facebook Instant Personalization
     • Announced in April 2010
       – Initial partners Microsoft, and Pandora
       – In September added Scribd
       – In October added Bing and Skype
     • Potential problems
       – Opt out only
       – Some unexpected “features” – e.g. undisclosed invitations to FB friends
       – 2-way data exchange – partner gets your identity, FB gets clickstream
  20. Facebook Instant Personalization
     • Complaints filed with FTC in US, but it’s unclear if there has been any Canadian complaint launched
       – No statements from PCC
     • Clearly Facebook will continue to develop new features
       – Inevitably will have privacy implications
  21. Some Concluding Comments
     • Notion of privacy is different in online contexts such as Social Media
     • Fluid standards of “reasonableness” must be considered
     • PIPEDA enforcement regime way too slow to deal with evolving privacy issues
     • For businesses, understanding how to use Social Media without incurring commercial and legal privacy-related liability is crucial
  22. Thank You! If you have any questions or want a copy of these slides: