Privacy and Social Media:Challenges in the Facebook Age

Mark HayesHayes | eLaw LLP

October 29, 2010

Montréal, Québec

The Real World

Public v. Private: Blurring the Line,Online

• Advances in social media technology blurring the line between private andpublic spheres for personal information– Alters ways in which rights interpreted

• Examine some implications ofFacebook decision by PCC (July 2009)– Reasonableness

– Third party information

– Data retention

What is “reasonable”?

• PIPEDA and provincial privacy statutesuse “reasonable” hundreds of times todescribe required standards andrestrictions on collection, use anddisclosure

• What does “reasonable” mean in onlinecontext and how is it to be assessed?

• Special challenges

Reasonableness

• Wide range of legitimate privacyexpectations

– Your privacy expectations may be far morestringent than mine

– Why are your expectations reasonableand mine aren't, or vice-versa?

– PIAC studies from 2001 (in paper)

• 2009 studies about online tracking showssimilar division of opinion

Reasonableness

• Online context produces new challenges

– Online vs. offline

– Generational

– Changes over time

• Some of these recognized by PCC inonline tracking paper released October 25

– Not sure how or if they will be addressed infuture

The Facebook Case -Reasonableness

• What types of advertising constitute areasonable purpose?

• Issue was whether Facebook had toallow opt out of receiving targeted ads

– Generally agreed that serving of ads wasacceptable to support service

– Some users did not want to receivetargeted ads

The Facebook Case –Reasonableness

• Facebook distinguished between:

– “Facebook Ads” (“targeted to demographic profilesor key words in a user’s profile”)

– “Social Ads” (“triggered not by individual words in aprofile, but rather by social “actions”, such as theaction of becoming a fan of a page, joining a group, ordoing something else that would appear in the feature“News Feed””)

• Users could opt out of Social Ads but notFacebook Ads

The Facebook Case –Reasonableness

• Aggregation of PI is a use: correct?

• Reasonableness: “I view Social Ads to bethe more problematic because of theirinherently intrusive nature. … In effect, theSocial Ad takes on the appearance of anendorsement of the product by the user. Forthis reason, users would not reasonablyexpect their information to be used in such amanner.” (emphasis added)– Unclear how this decision was arrived at

The Facebook Case –Reasonableness

• How was reasonable expectation if usersdetermined?– Surveys?

– User behaviour?

– Assistant Commissioner’s own experience?

• Reasonableness generally has both asubjective and objective element– Views of involved individuals

– Views of “reasonable person”

• Neither seem to have been used here

The Facebook Case –Reasonableness

• Echoes of earlier decisions involvingprivacy breaches – now moresophisticated

• Online “reasonableness” must becontextual

– Consider user population, nature of siteand use, changes in attitudes over time

– Perhaps more sophisticated analysis infuture

The Facebook Case: Non-userconsent

• Third party consent issue arises inmany multi-party transaction contexts– Credit bureaus

– Retailers and credit cards

• Arises from the nature of social media– Posting of photos, text, etc. containing PI

– Invitations of non-members

• How can social media site ensure thatappropriate consent is obtained?

Again, Must Deal with Reality….

The Facebook Case: Non-userconsent

• Some uses (e.g. tagging by photos) byusers would be a personal use; outside ofscope of PIPEDA

– However, other uses by Facebook for itspurposes (e.g. sending invitations to non-users) would be commercial use

• PCC found that “Facebook should assumesome responsibility for seeking consent inthese [latter] contexts.”

The Facebook Case: Non-userconsent

• Ultimately decided that “Facebook mayreasonably rely on users to obtain non-users’ consent, if it exercises duediligence.”– Essentially notice of consent requirement

• Facebook rejected recommendations thatit enforce “punitive measures to deal withusers who are found to be in violation ofthe consent requirement”

The Facebook Case: Non-userconsent

• PCC approach good start to a complexanalysis

• Some questions:– Nature of the PI use in issue

– Relationship between intermediary (i.e. FBuser) and third party (i.e. non-user)

– Reliability of intermediary in obtainingconsent (viz. credit bureaus and banks)

– Where does it make the most sense to obtainconsent?

The Facebook Case:Deactivation and Deletion

• Online applications (including socialmedia) necessarily involve storage oflots of data, including PI

• PIPEDA requires PI to be deleted oranonymized when no longer requiredfor an identified purpose

• Facebook indefinitely retained data ofinactivated accounts– PCC found that this should be limited

Where Do We Go From Here?

• Before PCC had closed first Facebookfile, another controversy erupted

• “Instant Personalization”

– “Powerful, inventive and creepy tool”

– If Facebook user goes to a licensed IP sitefor 1st time, site can access Facebookprofile and combine with publicly availableinformation to produce personalizedexperience

Facebook InstantPersonalization

• Announced in April 2010– Initial partners Microsoft, Yelp.com and

Pandora– In September added Scribd– In October added Bing and Skype

• Potential problems– Opt out only– Some unexpected “features” – e.g.

undisclosed invitations to FB friends– 2-way data exchange – partner gets your

identity, FB gets clickstream

Facebook InstantPersonalization

• Complaints filed with FTC in US, but it’sunclear if there has been any Canadiancomplaint launched

– No statements from PCC

• Clearly Facebook will continue todevelop new features

– Inevitably will have privacy implications

Some Concluding Comments

• Notion of privacy is different in onlinecontexts such as Social Media

• Fluid standards of “reasonableness” mustbe considered

• PIPEDA enforcement regime way too slowto deal with evolving privacy issues

• For businesses, understanding how touse Social Media without incurringcommercial and legal privacy-relatedliability is crucial

Thank You!

If you have any questions or want a copyof these slides:

mark@hayeselaw.com