Yesterday, Facebook reached an agreement with German data protection officials in order to end a dispute over the social networking site’s “Friend Finder” application. Hamburg’s Data Protection Authority received complaints about the feature, which allows Facebook to send unsolicited email invitations to non-members through current members’ address books. The agreement comes as a response to legal proceedings launched by German officials last year against Facebook for accessing and saving the private data of non-members without their permission. For more information, see this article from the Globe and Mail.
The power of social media was on full display this past week, as the unauthorized publication of a recipe for apple pie drew a quick and virulent online response. The story begins on November 3, when blogger Monica Gaudio announced on her blog that Cooks Source, a small New England magazine, had republished an article on the history of apple pie (she had previously written it for another publication) without permission. While Gaudio was credited for her work, she never consented to, nor was she compensated for, the use of the article. After emailing the magazine’s editor, Gaudio received a response informing her that the internet is “public domain”. The email, which Gaudio published on her blog, sparked a fierce response from an online community that quickly coalesced on Facebook to disparage the magazine’s conduct.
Contrary to what Gaudio was told, works are not considered to be in the public domain simply because they are published on the internet. Rather, works are considered to be in the public domain if they are not protected by intellectual property rights, if such rights have expired or if the rights have been forfeited. The fact that a work is published on the internet rather than on paper does not change the definition of the public domain and, while there are public domain works on the internet, such works are not in the public domain simply because of their publication on the internet.
Under the Berne Convention for the Protection of Literary and Artistic Works and the Copyright Act (Canada), copyright protection is automatically provided to a work as soon as the original work is written down, recorded or entered as a computer file. Under the “fair dealing” provisions of the Copyright Act, individuals may use original works without infringing upon the works’ copyright only if used for specific purposes: criticism and review, news reporting, and private study or research. The Copyright Act also exempts certain categories of users, such as non-profit educational institutions. Republishing a work that first appeared on the internet does not provide for a fair dealing exception simply because the work first appeared online.
Beyond the public domain issues, the Cooks Source case also provides a good example of the power and influence that social media can have on a business. As discussed above, online reaction to allegations of copyright infringement was swift, with Cooks Source’s Facebook page quickly overrun with derogatory posts. According to a statement by Cooks Source, its Facebook page was hacked and fake Facebook and Twitter accounts were created to spread word of the uproar. Facebook users also began publishing links to other articles that Cooks Source had allegedly copied, and a list of the magazine’s advertisers was soon posted online (with contact information), prompting Cooks Source to issue a plea that users stop bombarding their advertisers with “distasteful messages”.
In this age of social media, therefore, businesses must be more careful than ever to ensure the propriety of their actions to avoid the type of response seen in this case. While Cooks Source may be a small regional magazine, the response to its actions came from across the online universe and the story was widely reported in the mainstream press. Thus, while the internet and social media can be invaluable in building a business and a brand, this case provides an example of how powerful social media can be when going the other direction.
Yesterday, the European Commission released a draft strategy for the protection of individuals’ data entitled “A comprehensive approach on personal data protection in the European Union”. The strategy is the result of public and stakeholder consultation throughout 2009 and 2010. While the protection of personal data is currently a hot topic, this strategy is not the first time the European Commission has addressed issues of data protection and electronic privacy. In 1995, the European Union released the Data Protection Directive (95/46/EC), which was a milestone in the EU’s protection of personal data. The Directive, however, has struggled to keep up with the rapid pace of technological advancement, particularly in the area of social media.
The new strategy appreciates the challenges of modern technology and recognizes that the protection of electronic information cannot be seen as a purely national concern. The strategy focuses on the strengthening of individual rights, through the provision of control and autonomy over one’s own personal data, and aims at providing users with greater information about who has access to their data and when such data has been viewed. Most interestingly, the strategy calls for a “right to be forgotten” whereby individuals have the right to completely remove their data from electronic forums, such as social networking sites, if and when they no longer want to participate.
The goal of the Commission is to propose a new general legal framework by mid-2011 that will protect personal data in the EU for all sectors. Currently, the EU has left the door open for public response with the deadline for comment set as January 15, 2011.
Facebook users will now have the option to "opt-in" before third-party applications can access their data
Prompted by meetings with the Office of the Privacy Commissioner of Canada (OPC) earlier this year to improve its privacy settings, Facebook has announced that users can now choose an “opt-in” option before allowing third-party applications to access their personal information. This will allow the website’s users to see exactly which parts of their personal data third-party applications will need before they choose to download them.
Previously, third-party applications were required to ask for a user’s permission before accessing any personal information, but they were not asked to specify exactly what information was needed. Now, third-party applications must list exactly what information they will need, such as photos, videos or friends’ lists. The new privacy settings also allow users to give permission to a third-party application before it can access their friends’ data.
Although the option to “opt-in” is a welcome change from the option to “opt-out”, most third-party applications must still be allowed to access all the data before they can run.
Location-based services are becoming big business in everything from mobile advertising to on-demand multimedia services. Individuals can already use applications such as Clip Mobile’s coupon application to receive deals, sign into FourSquare to let their social networks know where they are, and get turn-by-turn navigation details on their smartphones.
Apple maintains that the location-based data collected by Apple will be anonymous, and will be used only to offer specialized location-based services to its users.
A post on Slaw today contains a discussion of Alberta's Personal Information Protection Amendment Act, 2009 by Stikeman Elliott partner Wesley Ng. Specifically, Mr. Ng considers the new requirements respecting written policies and procedures and notification.
On May 25, 2010, the Canadian government introduced Bill C-28, an act that would establish the federal Fighting Internet and Wireless Spam Act (“FIWSA”), and make significant consequential amendments to other federal legislation, including Canada’s Competition Act; Telecommunications Act; and Personal Information Protection and Privacy Act (PIPEDA).
Bill C-28 is extremely similar in substance to Bill C-27, which was introduced in April 2009 and titled the Electronic Commerce Protection Act. Bill C-27 received unanimous support in the House of Commons following its third reading, but it died upon prorogation in December of 2009 while at the Standing Senate Committee on Transport and Communications. Given the strong resemblance between the two bills, many expect that Bill C-28 will move quickly through the legislative process.
Like its predecessor, Bill C-28 was designed to reduce unsolicited or junk e-mail, commonly referred to as “spam”. Most importantly, the legislation aims to bolster consumer confidence in electronic commerce, which the government has described as necessary in order to position Canada as a leader in the digital economy. The bill incorporates a number of the legislative recommendations made in 2005 by the government-mandated “Task Force on Spam”. The proposed FIWSA aims to regulate activities such as spam, counterfeit websites (known as “phishing”) and spyware.
The FIWSA would also establish a regime whereby the Canadian Radio-television and Telecommunications Commission (“CRTC”), Competition Bureau of Canada and the Office of the Privacy Commissioner could share information and evidence with law enforcement agencies outside Canada, in an effort to enforce similar international laws and pursue violators beyond Canadian borders. Currently Canada is the only G8 country and one of only four OECD (Organisation for Economic Cooperation and Development) countries without specific spam legislation. Thus, when the government first introduced Bill C-27 it was cast as a necessary step in fulfilling Canada’s international duty to join global partners in passing laws to combat spam and related cyber threats.
The anti-spam provisions remain largely unchanged from Bill C-28. They would prohibit sending (or causing or permitting to be sent) a commercial “electronic message” (which is defined broadly to include a text, sound, voice or image message) to an electronic address, unless the recipient has given express or implied consent. Implied consent would apply to situations in which there is an existing business or non-business relationship between the sender and recipient, and to certain limited circumstances where the recipient has, within a business context, conspicuously published or disclosed the electronic address and the disclosure was not accompanied by any statement that the person did not wish to receive commercial messages (there is also a provision that would permit future regulations to further define implied consent).
The FIWSA also sets requirements for the form of permitted messages: the message must identify the person who sent the message (and, if it is different, the identity of the person on whose behalf the message was sent), along with contact information for those identified. Moreover, permitted messages must include an unsubscribe mechanism, which includes either a hyperlink (valid for at least 60 days after the message is sent) that the recipient can follow, or a specified electronic address to which an unsubscribe request can be sent. Requests must be given effect within 10 days.
The anti-phishing provisions are drafted as prohibitions against “altering transmissions data”, and would prohibit the unauthorized redirection of an electronic message to a destination other than or in addition to that specified by the sender, except with the sender’s express consent. As with the anti-spam provisions, an electronic address must be provided to which the sender may give a notice of withdrawal of consent, and the request must be given effect within ten days.
Notably, the prohibitions in Bill C-28 are broader than those previously provided for in Bill C-27. The prohibitions in both bills apply to anyone who procures or causes to procure a prohibited act. However, the language in Bill C-28 has been extended to also apply where someone aids in or induces such an act.
Administrative Monetary Penalties and Private Actions
Provisions of the FIWSA that would subject violators of the Act to an Administrative Monetary Penalty (“an AMP”) remain the same as those originally envisaged in Bill C-27. An individual who violates any of the foregoing prohibitions may be subject to an AMP of up to $1 million and corporate entities would be liable to an AMP of up to $10 million. Officers, directors, and agents of corporations that violate the prohibitions could also be held liable for such actions if they directed, authorized, acquiesced in or participated in the commission of the violation.
Anyone charged under the Act can raise a due diligence defence. They must show that they exercised due diligence to prevent the violation, but there is no indication as to what actions will constitute due diligence. Furthermore, any relevant common law rule or principle that would create a justification or excuse may be relied on to the extent that it is not inconsistent with the Act.
The process for imposing liability under the AMP is a fairly expedited administrative process, administered through the CRTC. A notice may be served where the CRTC has reasonable grounds to believe that a person has committed a violation under the FIWSA. The notice must include details of every act or omission for which the notice is served, the relevant provisions and the amount of the fine. The recipient of the notice has 30 days to respond, after which time he or she will be deemed to have committed the violation and will be liable to pay the amount set out in the notice. If the recipient does provide a response, the CRTC must decide on a balance of probabilities whether the violation was committed. Upon determining that there was a violation the CRTC may impose the original fine, impose a reduced fine, or may suspend payment of the fine subject to any conditions that it considers necessary to ensure compliance with the Act. Decisions of the CRTC can be appealed to the Federal Court of Appeal. However, where the issue is one of fact, leave to appeal must be granted by the Court. The CRTC can also agree to an undertaking, which is in essence an agreement to settle an alleged violation on terms acceptable to both the CRTC and the offender.
One of the most controversial provisions of Bill C-27 remains largely unchanged in Bill C-28. It would establish a private right of action for persons who allege that they have been affected by a contravention of the anti-spam, anti-phishing or anti-spyware provisions of the FIWSA. The application must include the alleged contravention, all relevant provisions, acts or omissions at issue, and should state the nature and amount of the loss, damage or expense. If the court is satisfied that the contravention occurred it may order the responsible individual(s) to pay the applicant compensation for any loss, damage or expenses incurred by the applicant. The court may also grant an additional award, up to a maximum of $200 per day for most contraventions, and $1 million for each day on which a contravention occurred. Again, officers, directors, or agents of corporations would be subject to this private right of action, if it could be proved that they directed, authorized or participated in the commission of the contravention.
That same private right of action would apply to persons who allege that they have been affected by breaches of the new provisions of PIPEDA and the Competition Act. These new provisions, discussed in detail below, would be brought into effect by the FIWSA.
The FIWSA would establish new prohibitions under PIPEDA in relation to collecting personal information, including a ban on (i) collecting an individual’s electronic address through a computer program designed or marketed for use in generating (or searching for) and collecting electronic addresses, or using any address collected by the foregoing means; and (ii) collecting personal information through any means of telecommunications if the collection involves accessing a computer system (or causing one to be accessed) without authorization, or using any personal information that is collected that way.
The FIWSA also proposes numerous amendments to the Competition Act, including the addition of section 52.01, which broadens the criminal false or misleading representation provisions of the Competition Act. This new section would prohibit knowingly or recklessly sending, for business promotion purposes: (i) a false or misleading representation in the sender or subject matter information of an electronic message; or (ii) an electronic message that contains a materially false or misleading representation. Under the proposed new section 74.011 of the Competition Act, such actions would also qualify as reviewable conduct, thus permitting the Commissioner of Competition to apply to a court or the Competition Tribunal for an order prohibiting the conduct and/or imposing AMPs under the Competition Act.
Impact on Other Statutes
The FIWSA, if enacted, would amend the Telecommunications Act to permit the government to either maintain the current “Do Not Call” list in such a way that it would not overlap with the FIWSA regime, or to have the responsibility for regulating telemarketing fall under the FIWSA entirely.
Responding to the latest public outcry, Facebook CEO Mark Zuckerberg recently announced a number of new policies and settings; however, the changes may not be enough to satisfy regulators and critics. The Office of the Privacy Commissioner of Canada (OPC) recently responded to Facebook’s new privacy settings, warning that Facebook has not gone far enough to satisfy its commitments to the OPC.
Recent Changes to Privacy Settings
In the past, Facebook has been criticized for requiring users to adjust multiple buttons across several different pages to control privacy. The new simplified privacy controls aim to make this process easier by reducing and simplifying the number of privacy settings.
Users will also have the ability to set up lists of different kinds of friends. For example, users can set different privacy preferences for each category of friend, such as family members, individuals from work, or teammates from sports. Facebook’s “social plug-ins” will additionally allow users to set who can see their friends and show the pages they’ve “liked.” Previously, these fields were automatically made public.
Facebook has also made it easier to turn off the controversial “instant personalization” function, which allows people to share their information through other web services like Yelp, Pandora, and Microsoft Docs. Now, users can opt-out of this with one click.
Previous OPC Investigations of Facebook
The OPC conducted an in-depth investigation of Facebook in response to complaints from University of Ottawa law students interning at the Canadian Internet Policy and Public Interest Clinic (CIPPIC). In 2009, it struck a settlement with the social media company under which the company agreed to comply with Canadian privacy laws.
The investigations and the settlement were followed by further changes to Facebook’s privacy settings, and another OPC probe commenced in January 2010 in response to a complainant who “alleged that the new default setting [at that time] would have made his information more readily available than the settings he had previous put in place.”
OPC Response to Recent Changes
The OPC’s initial response to the recent changes indicates that the OPC believes that Facebook has not gone far enough to satisfy the commitments it made to the OPC in its 2009 settlement. The new settings do not affect what Facebook refers to as users’ “basic directory information”, including name and profile picture, pictures, gender and networks to the broader internet. The OPC remains concerned that users are still by default required to reveal personal information to the internet public when Canadian law demands greater user control.
Barbara B. Johnston, Gary T. Clarke, Birch K. Miller and April Kosten
Effective May 1, 2010, amendments to Alberta's Personal Information Protection Act (PIPA) are in force, which provide new and notable requirements applicable to organizations.
Notification respecting service providers outside of Canada
Organizations that use service providers outside of Canada to collect personal information about individuals or that transfer personal information to service providers outside of Canada must notify individuals of:
- the ways in which they may obtain access to written information about the organization's policies and practices with respect to service providers outside of Canada; and
- the person who is able to answer questions on behalf of the organization about the collection, use, disclosure or storage of personal information by service providers outside Canada.
Such notification must be provided before personal information is collected by, or transferred to, the service provider.
Additionally, organizations that use service providers outside of Canada must develop and follow policies and practices that identify:
- the countries outside of Canada in which collection, use, disclosure or storage of personal information is occurring or may occur; and
- the purposes for which service providers have been authorized to collect, use or disclose personal information for or on behalf of the organization.
Expanded definitions of "employee" and "personal employee information"
The definition of "employee" now includes individuals who perform a service for organizations as partners, directors or officers. This amendment allows organizations to collect, use and disclose personal information about their partners, directors and officers under PIPA's special provisions for personal employee information.
PIPA's definition of "personal employee information" has also been expanded to include personal information reasonably required for the purposes of "managing a post-employment or post-volunteer-work relationship." The expansion allows employers to collect, use and disclose personal information about former employees under PIPA's special provisions for personal employee information.
Retention and destruction of personal information
A new provision has been added to PIPA requiring organizations to destroy records containing personal information (or to render such information non-identifying) when such information is no longer reasonably required for legal or business purposes.
Notice to Individuals of security breach
The Alberta Information and Privacy Commissioner has been given the authority to require organizations that suffer a privacy breach to notify individuals to whom there is a real risk of significant harm. The Commissioner is able to exercise this power at any time and an individual complaint need not be filed.
If notification is ordered, the notice must include a description of the incident that led to the privacy breach, the time the incident occurred, a description of the personal information involved, information about any steps taken to reduce the risk of harm and contact information for a person who can answer questions about the breach.
New offence provisions
There are two new offence provisions. It is now an offence under PIPA to:
- fail to notify the Commissioner of a privacy breach that poses a real risk of significant harm to individuals; and
- take any adverse employment action against individuals who disclose a contravention of PIPA by their employer or fellow employees, who take action in order to avoid having any person contravene PIPA, or who refuse to do anything in contravention of PIPA.
On November 16, 2009, the Office of the Comptroller of the Currency, Treasury; the Board of Governors of the Federal Reserve System; the Federal Deposit Insurance Corporation; the Office of Thrift Supervision, Treasury; the National Credit Union Administration; the Federal Trade Commission; the Commodity Futures Trading Commission; and the Securities and Exchange Commission (collectively, the Agencies) published a final rule amending the rules that implement the privacy notice obligations under the Gramm-Leach-Bliley Act (GLBA). Pursuant to the final rule, the Agencies are adopting an optional model privacy form that financial institutions may rely on as a safe harbour and that will satisfy their privacy notice obligations under the GLBA. The final rule will come into effect on December 31, 2009.
The model form replaces the “sample clauses” previously contained in the Agencies’ privacy rules and used by many financial institutions in their GLBA notices as a safe harbour. The Securities and Exchange Commission is eliminating the guidance associated with, and the other Agencies are eliminating the safe harbour permitted for, notices based on the sample clauses if the notice is provided after December 31, 2010.
The final rule includes three versions of the model form: (1) a model form with no opt-out; (2) a model form with opt-out by telephone and/or online; and (3) a model form with opt-out by telephone, online and/or mail-in.
An Ontario Court judge recently rejected Royal & Sun Alliance Insurance Co.’s bid to see a woman’s Facebook profile in a case where the woman was suing to recover for injuries suffered in a car crash. The judge stated that the plaintiff’s privacy would be respected unless the defendant could prove a legal entitlement to the ruling. The judge gave the defendant an opportunity to cross-examine the plaintiff to try to prove a legal entitlement, but refused to do anything further. This decision represents a slightly stronger stance towards privacy than the Leduc v. Roman case discussed in an earlier post.
All parties in a litigation have an obligation to disclose all relevant documents to the other side. The plaintiff did not disclose any information from Facebook and the defendant argued the plaintiff must have violated her obligation to disclose. The judge held that one could not assume that the plaintiff had relevant information on Facebook just because people normally put information on Facebook.
The judge noted that the plaintiff had restrictive privacy settings and that she did not intend to share her information with the public at large. The judge allowed the defendant to cross-examine the plaintiff to ensure that all relevant information on Facebook had been disclosed.
In response to inquiries from organizations seeking clarification as to the application of privacy laws in the private sector workplace during the H1N1 pandemic, the Office of the Privacy Commission of Canada, together with the Office of the Information and Privacy Commission for British Columbia and the Office of the Information and Privacy Commission of Alberta, published a guidance document on the issue.
The federal Personal Information Protection and Electronic Documents Act, and the provincial privacy legislation in Alberta, British Columbia and Quebec apply in the usual way in the event of “non-emergency” situations. However, in the event of the declaration of a public emergency, the powers to collect, use and disclose personal information to protect the public health may be very broad. Orders issued under public health legislation could require the collection, use and disclosure of certain information relating to employees and customers, which collection would not be impeded by private sector privacy legislation.
The guidance document encourages employers to provide employees with information on prevention rather than asking employees personal questions that go beyond what is reasonable and minimally necessary.
The Office of the Privacy Commissioner of Canada (OPC) issued a guidance document outlining the privacy obligations and responsibilities of private sector organizations contemplating and engaging in covert video surveillance.
The OPC notes that it considers covert video surveillance to be an extremely privacy-invasive form of technology, the use of which should only be considered in the most limited cases.
The guidance document notes that capturing images of identifiable individuals through covert video surveillance is considered to be a collection of personal information, irrespective of the fact that it may occur in a public place, and as such, is governed by the Personal Information Protection and Electronic Documents Act (PIPEDA).
PIPEDA requires that organizations contemplating the use of covert video surveillance ensure that the collection, use or disclosure of such personal information is limited to purposes that a reasonable person would consider appropriate in the circumstances. The guidance document notes that what is considered appropriate in the circumstances involves an analysis of several factors, including whether:
- there is a demonstrable, evidentiary need for the collection, beyond mere suspicion;
- the personal information collected is clearly related to a legitimate business purpose and objective;
- the loss of privacy from the covert video surveillance is proportional to the benefit gained; and
- less privacy-invasive measures were exhausted prior to the implementation of covert video surveillance.
Cross-examination of plaintiff allowed on supplementary affidavit of documents regarding content of Facebook profile
Leduc v. Roman, 2009 CanLII 6838 (Ont. S.C.J.).
Existence of Facebook profile allowed for inference that private portion of profile may contain relevant material
The parties in this case were involved in a motor vehicle accident in 2004. The plaintiff subsequently initiated an action claiming that the defendant’s negligence resulted in a lessened enjoyment of life. Sometime after Mr. Leduc’s examination for discovery, defence counsel discovered that the plaintiff maintained a Facebook account. The privacy settings on the account, however, restricted access to his profile, resulting in only the plaintiff’s name, city of residence and profile photograph being accessible to the defendant.
Under Rule 30.06 of Ontario’s Rules of Civil Procedure, a court may make certain orders, such as for the production of a document for inspection or the service of a further and better affidavit of documents, where it believes that relevant documents have been omitted from a party’s affidavit of documents. Relying on Rule 30.06, in June 2008 the defendant moved for, among other things, the production of all information on the plaintiff’s Facebook profile and the production of a sworn supplementary affidavit of documents. While the plaintiff consented to producing a supplementary affidavit of documents, the production issue remained unresolved.
At the motion level, while Master Dash recognized that Facebook profile pages are “documents” for the purposes of the Rules of Civil Procedure, he refused to order the production of the Facebook pages. According to Master Dash, the defendant’s request, based simply on the evidence that Facebook profiles typically include such things as photographs, was “clearly a fishing expedition.”
On appeal, Justice Boswell considered the case of Murphy v. Perger, O.J. No. 5511 (Ont. SCJ), which also dealt with the production of a limited-access Facebook profile. In Murphy, the Court had ordered production of documents posted on the plaintiff’s private profile based on photographs on the publicly-accessible portion of her profile showing the plaintiff engaged in various social activities. The Court in Murphy found that the nature of Facebook and the photographs existing on the public portion of the plaintiff’s profile made it reasonable to conclude that the private portion of the profile would also contain photographs.
The Superior Court in the immediate case agreed with the Court in Murphy that the presence of content on a party’s publicly-accessible profile would allow for the inference that similar content exists on the private portion of a profile. Taking it one step further, however, the Court found that even in cases where there is no publicly-accessible profile,
a court can infer from the social networking purpose of Facebook, and the applications it offers to users such as the posting of photographs, that users intend to take advantage of Facebook’s applications to make personal information available to others.
The Court disagreed with the categorization of the defendant’s request as a “fishing expedition” even though there existed no evidence of relevant content beyond the mere existence of the plaintiff’s Facebook profile. While the Court disagreed that production should extend to all material on such a profile, the Court found that a party that discovers a profile following examination for discovery “should enjoy some opportunity to ascertain and test whether the Facebook profile contains content relevant to any matter in issue in an action.” This would include requiring the preservation and printing out of posted material, the swearing of a supplementary affidavit of documents identifying relevant Facebook documents and where few or no documents are disclosed, permitting a cross-examination of documents. Ultimately, therefore, the Court allowed the appeal and granted leave to the defendant to cross-examine the plaintiff on his supplementary affidavit of documents with respect to the nature of material on his Facebook profile.
Of particular note to counsel, the Court found that
[g]iven the pervasive use of Facebook and the large volume of photographs typically posted on Facebook sites, it is now incumbent on a party’s counsel to explain to the client, in appropriate cases, that documents posted on the party’s Facebook profile may be relevant to allegations made in the pleadings.
While the court’s findings would obviously apply to other similar social networking sites, it is unclear whether they would extend beyond such websites. For example, blogs have traditionally been more focused on the exchange of ideas rather than the sharing of photographs, and it is questionable whether the existence of a private blog would lead to the inference that relevant material existed on the site.