3. Public v. Private: Blurring the Line,
Online
• Advances in social media technology
blurring the line between private and
public spheres for personal information
– Alters ways in which rights are interpreted
• Examine some implications of
Facebook decision by PCC (July 2009)
– Reasonableness
– Third party information
– Data retention
4. What is “reasonable”?
• PIPEDA and provincial privacy statutes
use “reasonable” hundreds of times to
describe required standards and
restrictions on collection, use and
disclosure
• What does “reasonable” mean in online
context and how is it to be assessed?
• Special challenges
5. Reasonableness
• Wide range of legitimate privacy
expectations
– Your privacy expectations may be far more
stringent than mine
– Why are your expectations reasonable
and mine aren't, or vice-versa?
– PIAC studies from 2001 (in paper)
• 2009 studies about online tracking show
similar division of opinion
6. Reasonableness
• Online context produces new challenges
– Online vs. offline
– Generational
– Changes over time
• Some of these recognized by PCC in
online tracking paper released October 25
– Not sure how or if they will be addressed in
future
7. The Facebook Case –
Reasonableness
• What types of advertising constitute a
reasonable purpose?
• Issue was whether Facebook had to
allow opt out of receiving targeted ads
– Generally agreed that serving of ads was
acceptable to support service
– Some users did not want to receive
targeted ads
8. The Facebook Case –
Reasonableness
• Facebook distinguished between:
– “Facebook Ads” (“targeted to demographic profiles
or key words in a user’s profile”)
– “Social Ads” (“triggered not by individual words in a
profile, but rather by social “actions”, such as the
action of becoming a fan of a page, joining a group, or
doing something else that would appear in the feature
“News Feed””)
• Users could opt out of Social Ads but not
Facebook Ads
9. The Facebook Case –
Reasonableness
• Aggregation of PI is a use: correct?
• Reasonableness: “I view Social Ads to be
the more problematic because of their
inherently intrusive nature. … In effect, the
Social Ad takes on the appearance of an
endorsement of the product by the user. For
this reason, users would not reasonably
expect their information to be used in such a
manner.” (emphasis added)
– Unclear how this decision was arrived at
10. The Facebook Case –
Reasonableness
• How was reasonable expectation of users
determined?
– Surveys?
– User behaviour?
– Assistant Commissioner’s own experience?
• Reasonableness generally has both a
subjective and objective element
– Views of involved individuals
– Views of “reasonable person”
• Neither seems to have been used here
11. The Facebook Case –
Reasonableness
• Echoes of earlier decisions involving
privacy breaches – now more
sophisticated
• Online “reasonableness” must be
contextual
– Consider user population, nature of site
and use, changes in attitudes over time
– Perhaps more sophisticated analysis in
future
12. The Facebook Case: Non-user
consent
• Third party consent issue arises in
many multi-party transaction contexts
– Credit bureaus
– Retailers and credit cards
• Arises from the nature of social media
– Posting of photos, text, etc. containing PI
– Invitations of non-members
• How can social media site ensure that
appropriate consent is obtained?
14. The Facebook Case: Non-user
consent
• Some uses (e.g. tagging of photos) by
users would be a personal use; outside of
scope of PIPEDA
– However, other uses by Facebook for its
purposes (e.g. sending invitations to non-
users) would be commercial use
• PCC found that “Facebook should assume
some responsibility for seeking consent in
these [latter] contexts.”
15. The Facebook Case: Non-user
consent
• Ultimately decided that “Facebook may
reasonably rely on users to obtain non-
users’ consent, if it exercises due
diligence.”
– Essentially notice of consent requirement
• Facebook rejected recommendations that
it enforce “punitive measures to deal with
users who are found to be in violation of
the consent requirement”
16. The Facebook Case: Non-user
consent
• PCC approach good start to a complex
analysis
• Some questions:
– Nature of the PI use in issue
– Relationship between intermediary (i.e. FB
user) and third party (i.e. non-user)
– Reliability of intermediary in obtaining
consent (viz. credit bureaus and banks)
– Where does it make the most sense to obtain
consent?
17. The Facebook Case:
Deactivation and Deletion
• Online applications (including social
media) necessarily involve storage of
lots of data, including PI
• PIPEDA requires PI to be deleted or
anonymized when no longer required
for an identified purpose
• Facebook indefinitely retained data of
inactivated accounts
– PCC found that this should be limited
18. Where Do We Go From Here?
• Before PCC had closed first Facebook
file, another controversy erupted
• “Instant Personalization”
– “Powerful, inventive and creepy tool”
– If Facebook user goes to a licensed IP site
for 1st time, site can access Facebook
profile and combine with publicly available
information to produce personalized
experience
19. Facebook Instant
Personalization
• Announced in April 2010
– Initial partners Microsoft, Yelp.com and
Pandora
– In September added Scribd
– In October added Bing and Skype
• Potential problems
– Opt out only
– Some unexpected “features” – e.g.
undisclosed invitations to FB friends
– 2-way data exchange – partner gets your
identity, FB gets clickstream
20. Facebook Instant
Personalization
• Complaints filed with FTC in US, but it’s
unclear if there has been any Canadian
complaint launched
– No statements from PCC
• Clearly Facebook will continue to
develop new features
– Inevitably will have privacy implications
21. Some Concluding Comments
• Notion of privacy is different in online
contexts such as Social Media
• Fluid standards of “reasonableness” must
be considered
• PIPEDA enforcement regime way too slow
to deal with evolving privacy issues
• For businesses, understanding how to
use Social Media without incurring
commercial and legal privacy-related
liability is crucial
22. Thank You!
If you have any questions or want a copy
of these slides:
mark@hayeselaw.com