Privacy in the era of social networking: Legal obligations of social media sites

This page has been archived on the Web

Information identified as archived is provided for reference, research or recordkeeping purposes. It is not subject to the Government of Canada Web Standards and has not been altered or updated since it was archived. Please contact us to request a format other than those available.

Remarks at the University of Saskatchewan College of Law Lecture Series

November 22, 2010
Saskatoon, Saskatchewan

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you.  I welcome the opportunity to be here and to discuss with you the very important and timely topic of privacy in the era of social networking.

I intend to speak in particular about the legal obligations of social networking sites with respect to privacy. We will examine this issue through the lens of our work with two giants of the online world – Facebook and Google. 

Social networking sites and other online services have become the front lines in the privacy protection battles for my Office, and for our counterparts around the world. Enforcing privacy law in this realm is raising complex new challenges for all of us.

I also thought it would be interesting to take a brief look at some of the recent case law that is developing on privacy issues related to social networking.

In the narrow sense, the legal obligations of social networking sites with respect to privacy is a straightforward matter – they have the same legal obligations under the Personal Information Protection and Electronic Documents Act – PIPEDA – as traditional bricks-and-mortar organization in the private sector.

The purpose of PIPEDA is to balance the individual’s right of privacy with an organization’s need to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances. 

Fortunately, the architects of PIPEDA had the foresight to create a law that is technology neutral.  So far, the law has done a reasonably good job of meeting the challenges of new technologies that operate under business models that did not exist when PIPEDA was developed.

The law is not prescriptive; rather, it requires organizations to adhere to a set of fair information practices or principles. Each organization, given its business model and other regulatory requirements, must find ways to adhere to these principles and achieve the balance between its own legitimate needs and the rights of individuals to their privacy.

While they may be equal before the law, however, social networking sites differ fundamentally from traditional bricks-and-mortar business in both style and substance, and also in their impact on society.

A bricks-and-mortar business collects from consumers the personal information needed to provide a desired service. With a social networking site a framework platform is provided so individuals can proactively post their personal information online in order to share it with others.  Individuals may or may not understand what personal information is scooped up in return for the service.

Changing Environment

A minute ago, I used the phrase “era of social networking,” but this is an era still very much in its infancy. Those of you who have seen the current hit movie “The Social Network” will have been reminded that Facebook was conceived a mere six years ago in a Harvard dorm. Yet already Facebook claims close to 550 million active users, making it the largest of the social networking sites.  Almost half of Canadians are on Facebook.

Other social networking sites have experienced similar explosive growth. YouTube launched in 2005, and the company says that some 24 hours of new videos are now being uploaded every minute. Twitter was introduced in 2006 and, by this summer, an estimated 65 million tweets were being posted daily.

The voluntary sharing of personal information on such a scale represents a tectonic shift in social mores and behaviour with which networked societies are struggling to come to terms.

Obviously, media like Twitter, YouTube and Facebook have dramatically altered the way people communicate. Not so obviously, social networking has also helped transform personal information into a commodity, which is increasingly being “scraped” from online fora and sold to companies that use it – among other things – to target advertising.

Privacy and Facebook

My Office began investigating the privacy practices and policies of Facebook as a result of a complaint by the Canadian Internet and Public Interest Clinic at the University of Ottawa.

After an investigation of unparalleled scope and complexity we announced our findings in July 2009. While some concerns were satisfactorily dealt with, we had not been able to reach agreement with the company on a handful of others. After extensive discussions and negotiations between our Office and the company, we were able to announce in late August 2009 that Facebook had agreed to undertake comprehensive policy and technical changes to address our unresolved concerns. The company did so by this September, applying the changes to its global operations.

Changes to the default personal privacy controls in December 2009, however, came after our formal investigation concluded. Nonetheless our Office expressed new concerns over this further erosion of personal privacy. As a result of this intervention and the protests of many others, including users, Facebook subsequently scaled back the categories of information that cannot be protected from seven to only four – name, profile photo, gender and networks, again over its entire global network.     
For us, the central focus of our work with Facebook has been to ensure stronger protections for personal information, and that users have an informed and meaningful say over how their personal information is collected, used and disclosed.

Facebook Applications

There’s more to the Facebook saga.

We are currently investigating a handful of new complaints about the site.  Those deal with Facebook’s invitation feature and its “Like” button on other websites.

We also have ongoing concerns about applications on the Facebook site.

The focus of our initial Facebook investigation was the sharing of personal information with third-party developers of applications such as games and quizzes accessed through the site.

Almost three-quarters of Facebook users take advantage of apps every month.  The most popular app, FarmVille, is a virtual farm game with 55 million users per month.  Causes, an advocacy tool for non-profits, has 27 million monthly users. In total, a mind-boggling profusion of hundreds of thousands of applications from unknown developers in some 180 different countries operate on the Facebook site.

Our initial concern was that Facebook lacked technical safeguards to effectively restrict those developers from accessing the personal information of users, along with the personal information of their friends. In addition, users were not informed of what information the applications were accesssing or why.

As a result of our investigation, Facebook limited applications to accessing only the parts of a user’s profile for which the user grants explicit permission, and only those bits which the application needs to operate.

New privacy issues related to applications arose last month, when the Wall Street Journal reported that many of the most popular applications on Facebook had been transmitting users’ unique Facebook ID numbers to at least two dozen advertising and data firms who build intimate profiles of Internet users by tracking their online activities. Facebook subsequently confirmed that a handful of applications were intentionally sharing user IDs with a third-party data broker.

In this case, the application developers would be the parties potentially in violation of PIPEDA and our Office is currently looking into the matter. 

After hearing about our ongoing work with Facebook, you could be excused for seeing parallels with a classic arcade game – now available on your iPhone! –whac-a-mole. In that game, a mole pops his head up through a hole and you whack it with a rubber mallet. As fast as you can whack, however, another mole pops up in a different hole.

Sometimes trying to respond to infringements of personal privacy by social networking and other online sites seems dangerously close to playing whac-a-mole.

Privacy and Google

Our dealings with that other online giant, Google, have had a similar feel to them.

  • Street View

When Google came to Canada to collect images for its Google Street View service, we had the impression that the California-based company had made no attempt to ascertain in advance that its plans for capturing the high-resolution images along neighbourhood streets in Canada and posting them online conformed to PIPEDA requirements.

Our Office took the initiative by drawing those requirements to Google’s attention in August 2007.  We received no response until we made public our letter to the company a month later.

Considerable to-ing and fro-ing followed, but when Street View went live last year, most of the privacy concerns had been met. Neighbourhoods were being advised in advance of impending picture-taking and potentially sensitive parts of images, such as licence plates and faces, were blurred before being published. As well, people were offered the option of having images of their homes taken down from the site.

Unfortunately, it wasn’t too long before a new privacy problem arose.

  • Buzz

In February, Google unilaterally added a new social network service called Buzz to the accounts of the 146 million users of its free Gmail service. The default settings initially revealed the people with whom Gmail users e-mailed and chatted most, a network of “followers” which Google had assembled without consulting the users. There was an immediate and vociferous protest from the Gmail community. Within days, Google apologized and remedied the most privacy-intrusive features of Buzz.

The Buzz debacle has two positive aftershocks.

First, the public outcry put the lie to some of the more extreme claims that people no longer see personal privacy as an important value to be protected. Clearly they do care.

Second, the Buzz debacle engendered an unprecedented collaboration by the privacy guardians from 10 countries representing the privacy interests of more than 375 million people around the world. Together in April this year we wrote a letter to Google’s CEO expressing deep concern about his company’s privacy practices, particularly in relation to the launch of Google Buzz.

The letter was also a clear warning to all the multinational technological titans that their previous tendency to largely pay lip service to privacy would no longer be tolerated by countries such as Canada, France, Germany, Ireland, Israel, Italy, the Netherlands, New Zealand, Spain and the United Kingdom.

As we wrote:  “It is unacceptable to roll out a product that unilaterally renders personal information public, with the intention of repairing problems later as they arise. Privacy cannot be sidelined in the rush to introduce new technologies to online audiences around the world.”

The letter went on to spell out the privacy obligations of social networking sites, which include, at a minimum:

  • collecting and processing only the minimum amount of personal information necessary to achieve the identified purpose of the product or service;
  • providing clear and unambiguous information about how personal information will be used to allow users to provide informed consent;
  • creating privacy-protective default settings;
  • ensuring that privacy control settings are prominent and easy to use;
  • ensuring that all personal data is adequately protected, and
  • giving people simple procedures for deleting their accounts and honouring their requests in a timely way.

Coordinated approaches such as the Buzz letter may be one of the most promising ways to get the technological titans to first listen, and then to abide by the widely accepted standards for privacy protection.

However, I am less pleased to report that Google CEO Eric Schmidt did not personally respond to the letter from 10 data protection authorities, delegating that task instead to his lawyers.

  • WiFi

Google’s operations continue to raise privacy concerns.

Just last month, I reported that an investigation by my Office had found that the company had seriously violated the privacy rights of Canadians by inadvertently scooping up e-mail addresses, passwords, and even complete e-mail messages from unsecured home wireless networks as its StreetView vehicles roamed neighbourhoods.

This happened because of a Google engineer’s careless error as well as a lack of controls to ensure that necessary procedures to protect privacy were followed.

Google collected the personal information because of a particular code integrated into the software used to collect WiFi signals.  The engineer had developed this code to sample all categories of publicly broadcast WiFi data and included lines that allowed for the collection of “payload data,” which refers to the content of the communications. It wound up being used in the Google Street View cars when the company decided to collect information about location of publicly broadcast WiFi radio signals in order to feed this information into its location-based services database.

The engineer failed to forward his code design documents to the Google lawyer responsible for reviewing the legal implications of the WiFi project.

We are already seeing some changes as a result of the investigation and recommendations. Google has until February 1 of next year to show compliance.  Hopefully, the end result of our investigation will be a comprehensive privacy regime at Google that prevents future privacy missteps.

Law and the Online World

Protecting privacy in this rapidly transforming online landscape demands agile, creative and effective responses.

The reality is, however, that we have a situation where legislative amendments wind their way through the Parliamentary process at a glacial pace in comparison to the rate at which the world is changing.  A dispute over a point of law can take several years to resolve through the courts.

It is not realistic to anticipate dramatic change in how the wheels of the legal and Parliamentary systems move in the foreseeable future.  Therefore, it is incumbent upon us to think about how we can make existing laws work for Canadians.

What I am hearing from lawyers at global conferences is that realistic guidance from regulators is increasingly important.  This is because few issues in privacy law ever go to litigation, which is seen as too long and too risky and often the wrong place to try to resolve highly complex IT issues.

My own Office is increasingly developing guidance documents for organizations – for example, on covert surveillance and on the collection of driver’s licence information by retailers.

Another trend is that data protection authorities and other regulators are increasingly involved in developing rules that flow from a continuing dialogue with technological innovators, with consumers and with legal scholars and specialists.

For example, the U.S. Federal Trade Commission has held consultations on privacy issues; and the Europeans have also launched a dialogue on how to amend their Directive on data protection. My own Office held public consultations on the online tracking, profiling and targeting of consumers by marketers and other businesses and cloud computing practices.

Privacy Enforcement

The global and rapidly changing nature of social networking sites and other online services has also raised questions around effective privacy law enforcement.

My Office is examining its own structure and function as a data-protection authority. Should we, for instance, continue to emphasize my role as an ombudsman? Or should we suggest to Parliament the need for stronger enforcement and order-making powers?

Last year, we engaged two noted academics – Dean of Osgoode Hall Law School Lorne Sossin and France Houle, of the Université de Montréal – to look at the broad economic, legal and political context under which PIPEDA was first enacted, compared to the environment in which we find ourselves now.

They examined the effectiveness of the ombuds model in protecting personal information in the private sector, particularly in light of changes in the technological, economic and legal context since PIPEDA was first enacted.

In their analysis, these authors suggest the current ombuds model has had mixed success.

They have submitted as an option going forward, that my Office could acquire targeted and limited power to make orders, including the ability to impose penalties such as fines.  They also propose explicit guideline-making power, to assist with the fair and transparent implementation of new order-making powers.

My Office is currently assessing the authors’ analysis, mapping it onto what we believe has been our experience under PIPEDA to date, and comparing it with our own views of the merits and effectiveness of the ombuds model. 

The authors’ analysis will undoubtedly make a significant contribution to the public discourse on future evolutions of PIPEDA.

Courts and Social Networking

Before closing, I’d like to shift gears somewhat and speak with you briefly about how Canadian courts have been interpreting privacy issues in the context of social networking sites.

Courts are now familiar with Facebook and social networking sites and recognize that they contain private or personal information.

Several cases have dealt with the relatively new issue of privacy and the production of the contents of a Facebook profile. The majority of cases are from Ontario, but have relevance across the country. They offer us some insight on how the courts will weigh the competing requirements for fairness and transparency during the discovery process against privacy interests of litigants.

Generally, where the courts have determined that the personal information on a litigant’s social networking site is relevant to the matter before the court, they have ordered disclosure of that information.

Courts have also affirmed in these cases that determining the relevance of information includes a consideration of privacy interests.  This may include any prejudice to the litigants or any third parties that may result from the production of information from a social networking site.

However, courts have refrained from broadly concluding that privacy overrides established production obligations. Determinations are made on a case-by-case basis. The test for relevance involves weighing the probative value of disclosing the information from a social networking site versus its prejudicial effect.

While sometimes critical or dismissive of a litigant’s privacy claims to a Facebook profile to which dozens or hundreds of ‘friends’ are connected,  courts have nevertheless refrained from broadly ruling that information posted to a litigant’s social networking site is inherently relevant to litigation, and therefore must be produced on discovery as a matter of course. Parties must still prove the information’s relevance, and privacy is still a factor the courts considers when ordering disclosure.

Conclusion

This has been a long and winding trail to follow.  Despite the fact that these are still early days in the social networking era, there have already been significant legal developments.

I hope that I have left you with a better appreciation of the action on today’s front lines of privacy and the increased need to be eternally vigilant about the protection of personal information.

Thank you. I would welcome any questions about social networking or other issues – it might also be interesting, for example, to exchange thoughts on some recent Federal Court and Supreme Court decisions with important implications for privacy.

Date modified: