Should Online Information be a Prohibited Ground?
Prepared for the Office of the Privacy Commissioner of Canada by Avner Levin
DISCLAIMER: The opinions expressed in the reports and related summaries are those of the authors and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.
The proliferation of information in digital form is causing societal shifts that are difficult to anticipate, yet alone regulate. Contemporary mainstays of social interaction online did not even exist a decade ago. Although the list of technological innovations and their impact on personal information grows longer, in this short paper I wish to focus on the resulting societal change that has occurred and is continuing to occur online and off-line, and how privacy-eroding changes may be negated.
Societal Changes and the Risks they Carry
The increasing permanency and availability of personal information that modern technology facilitates is causing our social norms on “appropriate” information processing to change,Footnote 1 and will ultimately erode whatever legal protection that personal information currently enjoys. Our Canadian personal information protection legislation, enacted with databases and mainframes in mind, is ill-suited to protect the privacy of individuals as it changes conceptually before our eyes.
As personal information proliferates online it is increasingly processed not only for commercial or governmental purposes, but also for other purposes, serving as evidence in litigation, as a basis for hiring decisions, workplace disciplinary proceedings, educational application decisions, and generally featuring in the critical junctures that we traverse as we journey through life. This is of great relevance particularly for the generations of children and young adults growing up with a digital dossier that will accompany them throughout their lives.
Currently, little or no thought is given to the origins of information in making a decision on its basis. In litigation, for example, courts have rejected arguments that information located on social networks is private and should not be disclosed. On the contrary, information shared with a group of online friends is treated as public, with the number of friends often cited in support, and courts fail to consider that privacy online is contextual and network-specific.Footnote 2 In workplace disciplinary proceedings arbitrators have applied the same approach as the courts, ruling that Facebook posts are public and can be used by employers since they were available to a number of people.Footnote 3 This regardless of empirical research that has demonstrated how our sense of privacy online (called network-privacy) is based not only on how many people have access to our personal information but also on who has access to our information.Footnote 4
At the same time, stories in which individuals are harmed in real life by their online activities have generated incredible media and public interest. A notable Canadian example was the Ryerson student disciplined for his Facebook study group.Footnote 5 In some recent US examples academic institutions and employers have disciplined students and employees on the basis of online information such as blogs, clips and social network posts. A student at teacher's college was denied her teaching degree after posting a photo she captioned “Drunken Pirate” on her MySpace page.Footnote 6 A waitress lost her job after calling a customer “cheap” on an online Facebook rant.Footnote 7 A banking intern lost his job after being caught in lie – he had told his bosses that “something had come up at home” and showed up on Facebook in a fairy outfit at a costume party.Footnote 8 Two Domino’s Pizza employees were fired after posting a video clip on YouTube that showed them preparing sandwiches at work while one put cheese up his nose.Footnote 9 Employers are also looking up information on applicants via search engines, data brokers, friends of friends, and requiring applicants to hand over passwords and access to their social networking profiles.Footnote 10
Widespread public awareness to the harm that can be caused by online information therefore exists. Furthermore, individuals harmed by such uses of online information describe their privacy as being invaded. “Privacy” means here, however, not so much personal information protection as it does network-privacy, or contextual privacy. The current Canadian regulatory regime does not view network-privacy as a form of personal information protection governed by existing legislation,Footnote 11 and so the extent to which Canadians perceive the OPC or provincial commissioners as a complaint venue is not clear. Still, OPC has dealt with online privacy and the potential harms that could ensue as part of its education and outreach mandate, and there is room for more OPC activity in this area.
Attempts at Mitigation
The risks posed by online information have led to several ongoing attempts to curtail its effect. One thread of thought has focused on creating new rights in online information, derived from the basic right of dignity and the basic instrument of data protection – control. So far, attempts to mitigate the impact of online information include such European suggestions as the right to delete and the right to be forgotten.Footnote 12 These are noteworthy proposals, but they face opposing societal interests that have led to calls to increase the retention periods of data.Footnote 13
Others have called for formalizing the use of online information. Unlike the formal pre-litigation evidentiary discovery process, the processing of online information by employers is often done informally, outside of the formal applicant evaluation process. As a result, the practice disadvantages not only younger applicants on whom a more substantive digital dossier may exist, but also applicants that would otherwise be protected from discrimination under human rights legislation. Similarly, the collection and use of such information in university and private school application decisions is also an informal practice, and may cause greater harm to members of groups that we wish as a society to protect.
Formalizing such processes may eliminate decisions that would be in violation of human rights legislation, but will do little to minimize the broader harm caused by decision-makers basing their decisions on personal information obtained across contexts and against individual wishes. To combat these, there are already calls for the application of statutory standards of fairness and transparency for social media background checks and evaluation of off-duty conduct.Footnote 14 In the US, for example, employer requests for access to password- protected sites can be considered coercive in certain circumstances.Footnote 15 These too are noteworthy, but in my opinion insufficient, since they fail to fully address the ubiquity of information online.
This increasing ubiquity means that it may not be possible to stop or rewind the process of information dissemination – which is caused not only by government and commercial interests, but also by our social interests in sharing, socializing and fettering out information that others want to conceal. If that is indeed the case then privacy will be better served in the future by measures that restrict actions on the basis of online information and not only by rules governing its processing.
A Prohibited Ground
Substantive protection from the effects of online information requires setting constraints on the purposes for which such information can be processed. Given the increasing proliferation of information online it is practically, although perhaps not normatively preferable, to base such protection on formal rules. As we deal with information, and as we make, and are the subject of, decisions that impact our lives and the lives of others, we must consider not only the information’s substantive content but, with much greater importance, its form.
One publicly accepted model of limiting action on the basis of publicly available information is the prohibited grounds model. Members of Canadian society are prohibited from acting against individuals on the basis of prohibited grounds, which are listed in our federal and provincial human right codes.Footnote 16 These are substantive grounds upon which discrimination is prohibited – such as an individual’s sex, colour or religion. Individuals have a right that decisions will not be made against them on the basis of a prohibited ground.
The significance of the prohibited ground model for this paper is that the information is known and available – it is the action upon it which is forbidden. If we are to accept as given the proposition that information online will be available to employers, educational institutions and other members of society, we must look for a proposal which will limit the actions of these members on the basis of online information. Such a proposal should be aimed at negating the negative impact of online information as online information – impact due to form, not substance. What individuals find most troubling about online information is its ability to blur boundaries and collapse contexts, so that information that we carefully aim to keep separate for respective social circles (such as our employer, our family, our high-school friends) leaks across boundaries in a permanent, accessible and widely-spread fashion, causing us harm along the way.
I propose therefore to limit action on the basis of online information so that individuals will be protected in instances where the information obtained online does not harm other members of society, and merely reveals to them aspects of an individual’s private life. On the other hand criminal, unethical and truly harmful activities will not be protected, even in situations where these are evidenced exclusively online. The proposal can be enhanced by considering additional “procedural” rules:
- Individuals are protected from action against them on the basis of their online information, unless the information reveals criminal or unethical conduct or has caused significant harm.
- Individuals have a right to rebut online information if it is to be used against them.
- Online information must be supported by off-line information if it is to be used against individuals.
In such a manner online information would be analogous to a prohibited ground – action on its basis, by and large, would be prohibited, or would require additional, supportive information from other sources that would demonstrate that the action is based on other substantive grounds. To illustrate how such a limitation would work let us work through the workplace examples above as if the proposed prohibition was in place.
As further details on the “Drunken Pirate” student-teacher emerged it became clear she was not disciplined exclusively on the basis of online information.Footnote 17 Her college provided more evidence of her low level of professionalism. Under this proposal therefore she still would not get her degree and could not embark on a teaching career. On the other hand, the pizza waitress was dismissed exclusively on the basis of her Facebook rant.Footnote 18 Under this proposal her employer would have had to provide additional information in support of her dismissal, or else the waitress would have kept her job. Several factors would work against the employer in this scenario: the waitress had a strong expectation of network-privacy as her post was only available to her Facebook friends (one of which apparently forwarded it to her employer); her at-work performance was not an issue; and her employer was not financially harmed.
The banking intern scenario is a good example on a situation in which action on the basis of online information would be permissible.Footnote 19 Although the intern expected network-privacy since his photo was posted on Facebook for his friends (one of whom forwarded it to management) he would be given by his employer an opportunity to rebut the suspicion that he lied. Action would be permitted once he presumably failed to rebut the veracity of the online evidence. Similarly, the pizza employees who compromised the health of their customers and immortalized their actions on YouTube, would be given a similar opportunity to rebut the evidence, and then probably disciplined.Footnote 20
Intuitively, this seems right – we do not want to protect individuals that have been involved in nefarious affairs, we are willing to recognize that sometimes online information is the tip of an off-line iceberg, yet we do not want to harm individuals only because online media have made their information accessible across contexts and boundaries.
Concluding Thoughts and Next Steps
The proposal above, framing online information as a prohibited ground of action, may seem far-reaching to some and its details require further refinement. If adopted and endorsed it would ultimately lead to a substantive change of the regulatory framework protecting personal information in Canada. Online information would be protected even if it does not fit the traditional definition of “personal information” that deserves privacy, and by default actions on the basis of online information would not be allowed. In light of the erosion our privacy has been suffering in an increasingly digitized and connected world, I hope it will be given careful consideration by the Office of the Privacy Commissioner.
- Date modified: