This document discusses privacy issues related to social media. It outlines key topics discussed at a conference on managing privacy and disclosure in social media, including: - The Facebook privacy decision by the Canadian Privacy Commissioner which found Facebook must get express consent for sharing personal information with third parties. - The concept of reasonableness in privacy law and how attitudes towards privacy are changing, especially among younger generations more open about sharing personal information online. - Ways for social media operators to manage privacy liability, such as clear terms of use and controls over third party access to personal information. - The increasing use of social media evidence in litigation and courts generally ordering production of relevant social media content despite privacy objections.

1. Privacy and Disclosure Minefields in Social Media: Identifying and Overcoming the Key Issues and Challenges MANAGING SOCIAL MEDIA October 6-7, 2009 Sutton Place Hotel, Toronto Mark S. Hayes Martin P.J. Kratz Ariane Siegel

2. Outline Introduction – Privacy Issues and Social Media The Facebook Decision Reasonableness Managing Privacy Related Liability for Social Media Operators Social Media and Litigation Social Media and Children Questions

3. Managing Social Media Introduction – Privacy Issues and Social Media

4. Privacy Issues and Social Media Social Media is all about sharing personal information A new dimension to the way people interact Role similar to what local newspapers and radio stations once did-bring a community of people with common interests and values together to share ideas Platform now reaches multitudes of peoples simultaneously Includes ability to interact instantaneously and share not only printed information but rich media, with pictures, music, videos Privacy issues affect website operators and their affiliates, advertisers, users, hackers, employers and law enforcement Raises issues on knowledge and consent for lawful uses

5. Privacy Issues and Social Media Business, legal and technology issues intersect Target audience (jurisdiction, age, business) What personal information will be posted What personal information will be collected How will personal information be used Will personal information be shared (developers, other third parties) How long will personal information be retained Where will personal information be processed Safeguards Access

6. Privacy Issues and Social Media More Canadians on Facebook than… Study of 2000 young people Dr. Avner Levin at Ryerson, more than 48% log on more than once a day Attitudes about OSN – not too much concern that personal information would be accessed by employer Lots of personal information posted OPC Study: Focus Testing Privacy Issues and Potential Risks of Social Networking Sites http://www.priv.gc.ca/information/survey/2009/decima_2009_02_e.cfm

7. Privacy Issues and Social Media More Canadians on Facebook than… Young Canadians have a unique perception that we call network privacy (Levin) Privacy concerns relate to personal information ending up in “unauthorized” social network They believe they can control online presence feel largely accountable for breaches

8. Managing Social Media The Facebook Decision

9. The Facebook Decision Complaint Against Facebook by CIPPIC Key Issues: Application to non-Canadian website operators Advertising Consent of non-members Sharing of Personal Information with Third Parties Data Retention /Account Deactivation

10. The Facebook Decision APPLICATION Underlying assumption - PIPEDA applies to website operators collecting personal information of Canadians Lawson v. Accutech PIPEDA not long arm statute Would not apply to entities without infrastructure / employees in Canada FTC similar approach, COPPA applies to any website operator collecting personal information about Americans

11. The Facebook Decision ADVERTISING Facebook needs revenue to offer service Advertising is essential to the provision of the service, and persons who wish to use the service must be willing to receive a certain amount of advertising. Facebook Ads - Aggregate information given to advertisers Targeted ads delivered - non invasive No opting out Social Ads can opt-out

12. The Facebook Decision CONSENT OF NON-USERS Resolution: Facebook agreed to provide information users need to ensure that they have the consent of non-users to share their e-mail addresses with Facebook Company must exercise reasonable due diligence to make sure this is happening

13. The Facebook Decision SHARING OF PERSONAL INFORMATION Key Issues: Sharing of Personal Information with developers Resolution: will prevent an application from accessing information until it obtains express consent for each type of data it wants to access

14. The Facebook Decision DATA RETENTION Facebook keeping Personal Information for long periods Deactivation does not mean deletion Resolution: Notice and deletion option Facebook agreed to make it clear that users have the option of either deactivating their account or deleting their account. No prescribed retention period

15. Managing Social Media Reasonableness

16. Reasonableness Reasonableness is a flexible and adaptable concept Can adapt to specific circumstances Can change over time The requirement of “reasonableness” is inherent throughout Canadian privacy law Threshold issues Extent of disclosure Security Etc.

17. Reasonableness There is a reasonableness threshold An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances. Where an organization collects, use or discloses personal information, it may do so only to the extent that is reasonable for meeting the purposes for which it was collected, used or disclosed.

18. Reasonableness Basic Privacy Compliance Question: Is it reasonable to permit the collection of personal information by Facebook from users in exchange for the free service Facebook offers? Facebook decision All users receive Facebook ads, can not opt out Traditionally Privacy Commissioner distinguished between primary and secondary marketing purposes Finds advertising is essential to the provision of Facebook’s service and persons who use the service must accept some ads

19. Reasonableness Who decides what is reasonable? Privacy Commissioner’s office applies objective test Facebook’s user feedback is not determinative While a protective standard – what happens when the culture changes underneath the objective assessment of what is reasonable?

20. Reasonableness Is reasonableness different for web collection, use and disclosure? Is there a discrete internet culture to which a different standard might apply? The acceptance of compulsory ads on Facebook was seen as reasonable, a departure from traditional privacy analysis Courts and tribunals, however, have consistently applied the general law as applicable to the Internet

21. Reasonableness Internet Culture is different The sense of what is reasonable is different on the web Barlow, EFF (1996) "Governments of the Industrial World, you weary giants of flesh and steel, I come from Cyberspace, the new home of Mind. On behalf of the future, I ask you of the past to leave us alone. You are not welcome among us. You have no sovereignty where we gather.“

22. Reasonableness What are users sharing on social media sites? Is it “reasonable”? Estimated 61% of 13-17 year olds have a profile on line Half with pictures Much of the social network information may be kept private but only if the privacy features are turned on. What does your child say about herself? What information is an invitation to ID theft or worse?

23. Social Network Profile Information

26. Reasonableness Is there any privacy expectation left on the web? Emily Nussbaum, writing in the New Yorker, identifies a generational trend. It is only the older generations that still seem to care about privacy. “Say Everything As younger people reveal their private lives on the Internet, the older generation looks on with alarm and misapprehension not seen since the early days of rock and roll. The future belongs to the uninhibited.” Nussbaum writes beginning with a 26 year old bartender who, among other things, has posted nude pictures of herself on her MySpace page but sees it all as a way to document her life and share it with others. Will she think so positively of it when she seeks to get married, changes jobs, etc.? http://www.nymag.com/news/features/27341

27. Reasonableness Emily Nussbaum’s conclusions are: There is a true generational gap last one was 50 years ago They think of themselves as having an audience They have archived their adolescence Their skin is thicker than yours

28. Reasonableness Young people seem to accept that the idea of a private life is an illusion Maybe they are correct We live in an age of surveillance Security cameras on the streets, train stations Transaction details tracked every time you swipe your Starbucks card, use a debit card Your employer monitors your emails The NSA monitors your telephone calls Our lives are lived in public whether we seek to acknowledge it or not …

29. Reasonableness But it can go too far … Poor choices are harder to erase or forget “Susie's” 2000 “special” video for her (then) boyfriend Posted on the web, becomes a viral video Paris Hilton sex tape 2004 In the public there has been a dramatic shift in what is considered reasonable 20 years earlier Miss America lost her crown for a similar expose What will be “routine” in 10 years or 20?

30. Reasonableness Is privacy an antiquated concept? Will the Facebook generation live to regret what they have shared with others? Do the earlier generations just have to get used to a new way of thinking about privacy? How does a privacy commissioner’s office confront a generational attitude change to the concept of privacy? Which generation gets to decide? How will that shift the view of what is “reasonable”?

31. Reasonableness Acceptance of the Facebook ads for access to the social media service was found reasonable How far might that go? Would that change if it became a paid site?

32. Managing Social Media Managing Privacy Related Liability for Social Media Operators

33. Managing Privacy Related Liability for Social Media Operators Social Media Site operators face evolving legal and regulatory scrutiny Operate in an environment of less legal certainty over their liability Seek means to manage their own liability on various issues, including privacy compliance obligations Typical approaches involve User acceptance of Terms of Use / Terms of Service User acceptance of risks Dispute resolution mechanisms

34. Managing Privacy Related Liability for Social Media Operators Mere reliance on the Terms of Service is alone insufficient Facebook approach to state a requirement for application developers in the applicable terms was found not sufficient to address Facebook‘s responsibility Facebook required to take further steps to ensure developers were aware of the applicable requirement (to obtain consent in this case) and comply with it

35. Managing Privacy Related Liability for Social Media Operators Additional means contemplated in the Facebook case included: Prominence to specific obligations in developer guidelines Adjust template to facilitate space for explanation for users But mere warnings may not be sufficient: COPPA experience - consider the audience and the ability to understand the terms and warnings Avoid “legalese”

36. Managing Privacy Related Liability for Social Media Operators Address all of the customary safeguards sought in any outsourcing Audit rights Data ownership and immediate access rights Controls Addition of security measures where applicable Restriction of access Segregation of personal information and limiting access to only that strictly necessary for a specific function by a party

37. Managing Privacy Related Liability for Social Media Operators Other options for social media operators to manage risk Facilitate the ability of 3rd parties to get direct user consent where applicable Identified for application developers in the Facebook case

38. Managing Privacy Related Liability for Social Media Operators Shifting risk to the user In the Facebook case users post personal information on non-members Vulnerability from use of mobile devices Becomes the responsibility of the Facebook user to obtain the consent, address security of own devices Facebook may reasonably rely on user’s to obtain non-user’s consent … provided Facebook exercises due diligence Important that Facebook informs users Notification when applicable

39. Managing Privacy Related Liability for Social Media Operators Reliance on 3rd party or privacy compliance verification process Common under COPPA Optional with Facebook for third party application developers Advantages of compulsory vs. voluntary approach

40. Managing Privacy Related Liability for Social Media Operators For social media operators other than Facebook … … safety of the herd In the absence of defined standards adoption of practices commented upon as acceptable becomes a risk mitigation approach

41. Managing Social Media Social Media and Litigation

42. Social Media and Litigation Recent explosion in cases involving social media issues Most common types of cases: Family Criminal Personal injury

43. Social Media and Litigation Uses for evidence from social media sites: Evidence that party’s actions are inconsistent with positions or evidence in action (e.g. extent of disability) Party’s “friends” or contacts belie claim that party did not know or have contact with an individual Party’s communications (sent or received) are inconsistent with evidence or legal obligations (e.g. non-contact order)

44. Privacy and Social Media Evidence Issues raised: Is production of social media evidence prohibited by privacy statutes? When can party be compelled to divulge contents of social media profile or pages? When can social media site operator be required to divulge information such as IP address of subscriber?

45. Privacy Statutes and Litigation Exemptions All Canadian personal information privacy statutes have exemptions for litigation production PIPEDA: disclosure without consent if: Required to comply with a subpoena or warrant issued or an order made by a court, person or body with jurisdiction to compel the production of information (s. 7(3)(c)) Required to comply with rules of court relating to the production of records (s. 7(3)(c)) Required by law (s. 7(3)(i))

46. Privacy Statutes and Litigation Exemptions S. 7(3)(i) and latter part of s. 7(3)(c) will require party to litigation to disclose any relevant personal information in their possession or control May still be subject to PIPEDA restrictions in hands of opposing party In any event, implied undertaking of confidentiality will apply S. 7(3)(c) will require third party to disclose personal information, but only in response to court order Subpoena issued by party’s lawyer (as is allowed in many provinces) will not suffice Provincial statutes are generally similar

47. Privacy Statutes and Litigation Exemptions Litigants who tried to resist production of relevant evidence on basis of privacy consistently unsuccessful Ferenczy v. MCI Medical Clinics (2004), 70 O.R. (3d) 277 Plaintiff tried to exclude damning surveillance evidence Court found implied consent by plaintiff to surreptitious observation of personal injury plaintiffs when physical capabilities in issue In any event, violation of PIPEDA has no direct impact on the issue of the admissibility of evidence PCC has not accepted Ferenczy as precedent

48. Production of Social Media Evidence Social media evidence is primarily a relevance issue, not a privacy issue Privacy one factor to be considered in determining relevance and proportionality of requested production Court will order production of “private” Facebook pages if there is sufficient grounds to conclude that they contain relevant evidence Will not allow “fishing expedition”

49. Murphy v. Perger, 2007 Ont. S.C. Motor vehicle accident Plaintiff had publicly available site which contained photographs of the plaintiff engaged in social activities Defendant requested access to private Facebook profile - plaintiff had 366 “friends” Successful ex parte preservationmotion to avoid spoliation Facebook production ordered: given nature of Facebook and that plaintiff’s public site includes photographs, reasonable to conclude Facebook profile would as well Any invasion of privacy is “minimal”

51. Leduc v. Roman, 2009 Ont. S.C. “That a person’s Facebook profile may contain documents relevant to the issues in an action is beyond controversy.” Where party has both public and private profile, reasonable to infer that content on public profile similar to content on private profile Where user has only private profile, can infer from social networking purpose of Facebook "that users intend to take advantage of Facebook's applications to make personal information available to others” Facebook “likely contains some content relevant to the issue of how Mr. Leduc has been able to lead his life since the accident”

52. Production of Social Media Evidence Appears to be open season on production of almost any social media information Precise test to be applied will depend on nature of action At this point, likely professional negligence not to: Look at social media sites in any case where character or activities of individual party or witness may be relevant Seek production if information not forthcoming Must advise clients that relevant portions of web sites relating to them must be listed in affidavit of documents

53. Disclosure of Subscriber Details Numerous criminal cases involving voluntary disclosure to police of subscriber information by ISPs General rule is that disclosure is permitted under PIPEDA and Charter if subscriber agreement permits disclosure No reasonable expectation of privacy Same reasoning likely applies to social networking sites, although no cases yet

54. Terms of Service Facebook: “We may be required to disclose user information pursuant to lawful requests, such as subpoenas or court orders, or in compliance with applicable laws. We do not reveal information until we have a good faith belief that an information request by law enforcement or private litigants meets applicable legal standards. Additionally, we may share account or other information when we believe it is necessary to comply with law, to protect our interests or property, to prevent fraud or other illegal activity perpetrated through the Facebook service or using the Facebook name, or to prevent imminent bodily harm. This may include sharing information with other companies, lawyers, agents or government agencies.” Based on ISP cases, this would likely allow disclosure

55. Terms of Service Google/YouTube: “We have a good faith belief that access, use, preservation or disclosure of such information is reasonably necessary to (a) satisfy any applicable law, regulation, legal process or enforceable governmental request, (b) enforce applicable Terms of Service, including investigation of potential violations thereof, (c) detect, prevent, or otherwise address fraud, security or technical issues, or (d) protect against harm to the rights, property or safety of Google, its users or the public as required or permitted by law.” Not as clear – what is an “enforceable governmental request”?

56. Bottom Line Courts are not going to pay much attention to “privacy” if it impacts on: Providing full disclosure Finding the truth Being fair to both parties Where production right is questionable and information is very sensitive, privacy may be one factor of many to be considered in determining proportionality of request for information In most cases, if you have made information available on social media sites, it is going to be produced

57. Managing Social Media Social Media and Children

58. Social Media and Children COPPA in US Age screen for under 13 Sliding scale over 13 and over 18 CMA Guidelines in Canada 13, 14 and 15 Contact information only Express Consent Teenager 13, 14 and 15 Personal information beyond contact information Express Consent of Teenager and parent or guardian Capacity to consent in Canada

59. Social Media and Children Capacity to consent in Canada Minor under 18 can’t give valid consent to contract contrary to their interests Criminal Code Issues re consent FTC DOB recommendations: don’t encourage lying Note Aspects of Facebook findings limited to users over 18

60. Social Media and Children FTC wants sites to prevent children from back-clicking to change their DOBs once they have been blocked. Facebook Agreement in May 2008 with 49 U.S. attorneys general. prevent underage users from accessing the site; protect minors from inappropriate contact; protect minors from inappropriate content; and provide safety tools for all social networking site users. Agreed to implement and enforce the feature of “age locking”, monitor and review the profile of any user who initiates an age change indicating that he or she is over or under 18.

61. Questions Mark S. Hayes Martin P.J. Kratz Ariane Siegel

62. Follow Up Martin Hayes, mark@hayeselaw.com 416-966-ELAW (3529) Martin Kratz, kratzm@bennettjones.com 403 298 3650 Ariane Siegel, ariane.siegel@gowlings.com 416 369 7228