FACEBOOK TO MAKE CHANGES TO COMPLY WITH CANADIAN PRIVACY LAWS

Transcription

1 Editor-in-Chief: Professor Michael A. Geist, Canada Research Chair in Internet and E-Commerce Law University of Ottawa, Faculty of Law VOLUME 10, NUMBER 7 Cited as ( ) 10 I.E.C.L.C. NOVEMBER 2009 FACEBOOK TO MAKE CHANGES TO COMPLY WITH CANADIAN PRIVACY LAWS Eric Smith Fraser Milner Casgrain LLP In This Issue FACEBOOK TO MAKE CHANGES TO COMPLY WITH CANADIAN PRIVACY LAWS Eric Smith...57 WEBSITE OWNERS MAY FACE LIABILITY FOR HYPERLINKS TO DEFAMATORY MATERIAL David Crerar and Michael Skene...61 On August 27, 2009, the Office of the Privacy Commissioner of Canada ( OPC ) announced that Facebook, the world s largest social networking site, has agreed to make significant changes to the manner in which it collects and safeguards the personal information of individuals. This agreement, reached over one year after the original complaint against Facebook was made, is significant not only as it relates to Facebook s operations, but also for the clear message it sends to all organizations, both Canadian and foreign, that compliance with Canada s privacy laws must not be taken lightly. BACKGROUND The OPC s investigation into the practices of Facebook was initiated in response to a complaint filed with the OPC by the Canadian Internet Policy and Public Interest Clinic ( CIPPIC ) dated May 30, In its complaint, the CIPPIC alleged that Facebook was engaged in "unnecessary and nonconsensual collection and use of personal information" and in doing so, was in violation of the Personal Information Protection and Electronic Documents Act, S.C. 2000, c. 5 ( PIPEDA ). The complaint focused on 12 areas in which CIPPIC alleged that Facebook was not compliant with PIPEDA. Some of the areas identified in the complaint were the collection of date of birth, default privacy settings, disclosure of personal information through third party applications, account deactivation and deletion, use of personal information of deceased users, and the collection of personal information of non-users. REPORT OF FINDINGS Following the OPC s investigation into theallegations made by CIPPIC, which included consultations with and representations by Facebook, the OPC

2 Internet and E-Commerce Law in Canada November 2009 Volume 10, No. 7 INTERNET AND E-COMMERCE LAW IN CANADA Internet and E-Commerce Law in Canada is published monthly by LexisNexis Canada Inc., 123 Commerce Valley Drive East, Suite 700, Markham, Ontario L3T 7W8 LexisNexis Canada Inc All rights reserved. No part of this publication may be reproduced or stored in any material form (including photocopying or storing it in any medium by electronic means and whether or not transiently or incidentally to some other use of this publication) without the written permission of the copyright holder except in accordance with the provisions of the Copyright Act. ISBN: ISSN ISBN: (print & PDF) ISBN: (PDF) Subscription rates: $180 plus GST per year (print or PDF) $285 plus GST per year (print & PDF) Please address all editorial inquiries to: Boris Roginsky, Journals Editor LexisNexis Canada Inc. Tel. (905) ; Toll-Free Tel Fax (905) ; Toll-Free Fax Internet ieclc@lexisnexis.ca. EDITOR-IN-CHIEF EDITORIAL BOARD Michael A. Geist, LL.B., LL.M., J.S.D., Canada Research Chair in Internet and E-Commerce Law, University of Ottawa, Faculty of Law, Ottawa ADVISORY BOARD MEMBERS Peter Ferguson, Industry Canada, Ottawa Bradley J. Freedman, Borden Ladner Gervais, Vancouver John D. Gregory, Ministry of the Attorney General, Toronto Dr. Sunny Handa, Blake Cassels & Graydon, Montréal Mark S. Hayes, Hayes elaw LLP, Toronto Ian R. Kerr, University of Ottawa, Faculty of Law, Ottawa Cindy McGann, Halogen Software Inc., Kanata Suzanne Morin, Bell Canada, Ottawa Roger Tassé, Gowling Lafleur Henderson, Ottawa. Note: This newsletter solicits manuscripts for consideration by the Editor-in-Chief, who reserves the right to reject any manuscript or to publish it in revised form. The articles included in Internet and E-Commerce Law in Canada reflect the views of the individual authors. This newsletter is not intended to provide legal or other professional advice and readers should not act on the information contained in this newsletter without seeking specific independent advice on the particular matters with which they are concerned. released its "Report of Findings" on July 16, In the Report of Findings, the OPC stated that, on four of the 12 subjects identified in the complaint (i.e. new uses of personal information, collection of personal information from sources other than Facebook, Facebook Mobile safeguards, and deception and misrepresentation), it found no evidence of contravention of PIPEDA. With respect to another four subjects identified in the complaint (i.e. collection of date of birth, default privacy settings, advertising, and monitoring of anomalous activity), the OPC concluded that the allegations were well-founded, but that they had been resolved by corrective actions taken by Facebook in response to recommendations made by the OPC during the investigation and consultation process. Finally, the report indicated that the four remaining subjects identified in the complaint (i.e. third-party applications, account deactivation and deletion, accounts of deceased users, and personal information of non-users) were wellfounded and had not been resolved, as Facebook had not agreed to adopt the recommendations of the OPC. A closer look at these unresolved issues provides insight into the conflict between an organization s desire to use personal information for its business purposes and its legal obligation to safeguard such information and only use it with the informed consent of the individual to whom the information relates. (I) THIRD-PARTY APPLICATIONS In May 2007, Facebook opened its platform to allow third party developers to create applications (e.g. games, quizzes, etc.) that are accessible to users within Facebook. 2 By adding an application to their Facebook account, users enable such applications to access most of the personal information found in such account, including personal information related to their Facebook friends. 3 In its Report of Findings, the OPC identified a number of concerns with third party applications. These include: the making available of more personal information than is necessary for the purpose of the application; 58

3 Internet and E-Commerce Law in Canada November 2009 Volume 10, No. 7 the reliance on contractual covenants by the developers to respect users privacy settings and safeguard their personal information in lieu of technological safeguards and effective monitoring of compliance; a lack of meaningful consent to the collection and use of personal information by the user who adds the third party application; and a lack of meaningful consent from users when their friends and fellow network members add applications that expose their own personal information to access the application. In its recommendations, the OPC asked Facebook to implement measures that would limit third-party developers access to personal information that is not required for the purposes of the application, inform users of the specific information that an application requires and for what purpose, obtain the express consent of users in each instance, and prohibit all disclosures of personal information of users that are not themselves adding the application. 4 Facebook declined to implement such measures. (II) ACCOUNT DEACTIVATION AND DELETION Facebook allows users to deactivate or delete their account. When a user deactivates an account, his or her personal information is retained indefinitely, a practice which the OPC concluded is a contravention of Principle 4.5 and of PIPEDA. In addition, while a user can find information concerning how to delete an account, such option is not given the same exposure as the deactivation option, making it less obvious to users as to how their accounts and personal information can be deleted from the service. To address these concerns, the OPC recommended in a preliminary report that Facebook set a cutoff date after which Facebook would no longer retain the personal information of users who had deactivated accounts. The OPC did not suggest what a reasonable period of time would be, rather it suggested that the period of time be a period "that a reasonable person would consider appropriate in the circumstances and based on [Facebook s] experiences with user reactivation patterns". 5 The OPC also recommended that Facebook include an account deletion option on the users Account Settings pages, as is the case with the deactivation option. Facebook declined to act on these recommendations. (III) ACCOUNTS OF DECEASED USERS When Facebook is notified that a user has died, it generally keeps such user s profile active in a "memorialized" status (i.e. with certain information removed and only confirmed friends provided access) for a period of time. Such a practice is not referred to in Facebook s Privacy Policy. 6 In its Report of Findings, the OPC concluded that the failure to advise users of this potential use of their personal information was a contravention of Principles 4.2.1, 4.2.3, and 4.8 of PIPEDA which, in essence, require organizations that collect personal information to advise individuals as to the purposes for which such information is collected. Facebook declined to follow OPC s recommendation of referencing such use in its Privacy Policy. (IV) PERSONAL INFORMATION OF NON-USERS Facebook allows users to post personal information of non-users to their Facebook pages, thereby making it available to anyone who has access to the applicable portions of that user s Facebook account. While the majority of such postings are made for the personal use of the user, and therefore outside the scope of PIPEDA, the OPC determined that, in some instances, Facebook uses such non-user personal information for its own purposes. For example, when a user tags a non-user in a photograph that has been uploaded to his or her Facebook account, Facebook gives the user the option of providing to Facebook the non-user s address, which is then used by Facebook to send a notification to the non-user of the tagging and an invitation to join Facebook. While the notification of tagging is for the benefit of the non-user, the invitation to join Facebook is for the benefit of Facebook. In addition, Facebook allows users to provide Facebook with the addresses of non-users that Facebook uses to send invitations to nonusers to join Facebook. Facebook retains such information for an indefinite period of time. In 59

4 Internet and E-Commerce Law in Canada November 2009 Volume 10, No. 7 addition to using the addresses to deliver invitations, Facebook uses the addresses to provide users with a history of invitations sent out on their behalf and for tracking the success of the referral program. The OPC concluded that in instances where personal information about an individual (i.e. the nonuser) is being collected from another individual (i.e. the user), it is reasonable to allow Facebook to rely on the user to obtain the direct consent of the nonuser, provided that Facebook takes reasonable measures to ensure that such consent is obtained. In the opinion of the OPC, merely referencing the requirement for the user to obtain the non-user s consent in the Privacy Policy is not sufficient, and Facebook should include a reminder each time that a user discloses a non-user s address to Facebook. Facebook should also take action against those users who violate such consent requirements. In addition, the OPC concluded that the retention of non-users addresses for the purpose of invitation history and tracking without informing nonusers of such use is a contravention of PIPEDA s informed consent requirement. Retaining such addresses indefinitely beyond the time necessary for the initial purpose of collection was also a violation of PIPEDA. RESOLUTION OF OUTSTANDING ISSUES As part of its Report of Findings, the OPC requested that Facebook reconsider the OPC recommendations that it had declined to adopt, and that the OPC would give Facebook 30 days in which to do so. We do not know what actions the OPC would have taken had Facebook not satisfied the OPC s request, as, on August 27, 2009, the OPC announced that the outstanding matters had been resolved to its satisfaction. In a letter to CIPPIC dated August 25, 2009, the OPC advised CIPPIC of the outcome of its discussions with Facebook regarding the CIPPIC allegations that it determined were well-founded, including those that remained unresolved at the time that the OPC issued its Report of Findings. With respect to the previously unresolved matters, the OPC reported as follows: (i) Third-Party Applications Facebook agreed to redesign its API so that users will have greater control over the type of personal information that third party application developers may access, and the purposes for which such information can be used. While access to the personal information of friends and fellow network members may still be accessed by the third party applications, users will be able to control whether such information is made available to developers. Users will also be presented with a link to a statement of the developer explaining how it will use such personal information. The introduction of this new model for information sharing with third-party applications is to take place on or before September 1, (ii) Account Deactivation and Deletion On the basis that most users reactivate accounts and expect to have access to their personal information when they do so, Facebook has not accepted the OPC s recommendation that a finite retention period be instituted for deactivated accounts. The OPC accepted this position, provided that users are well informed of the differences between deactivating and deleting an account. To this end, Facebook has undertaken to include a more complete explanation of the differences between the two options in its Privacy Policy and Help Center, and include links to each option. (iii) Accounts of Deceased Users In accordance with the recommendations of the OPC, Facebook has agreed to include a reference to the use of accounts to memorialize deceased users in its Privacy Policy within ten weeks time. (iv) Personal Information of Non-Users Facebook has agreed to include additional language in its Statement of Rights and Responsibilities that informs users of their obligation to obtain the consent of non-users before providing the non-user s address to Facebook. Facebook further undertook to follow up on any complaints by non-users with respect to the use of their address. Facebook also confirmed that it does not retain the 60

5 Internet and E-Commerce Law in Canada November 2009 Volume 10, No. 7 addresses of non-users in order to track the success of its invitation feature. While the CIPPIC may take further action if it is not satisfied that the actions taken by Facebook adequately address its concerns, the OPC letter indicates that, so long as Facebook follows through on its undertakings, the OPC is satisfied with Facebook s response. CONCLUSION The investigation into the practices of Facebook, and the resulting changes that Facebook has agreed to make to its service, were the result of a lengthy and, no doubt, costly process. While some suggest that individuals should resign themselves to the fact that privacy does not exist in the on-line world, the CIPPIC complaint and its apparent resolution illustrate the power that users have to change the behaviour of on-line business organizations, even if they are located outside of the country in which the users reside. This matter also demonstrates the seriousness with which Canadian regulators treat well-founded complaints. The Facebook complaint is a strong reminder that all businesses should be proactive in examining their practices in relation to the collection, use and safeguarding of personal information. Failing to do so can be costly, not only in time and money, but also with respect to the damage it can cause to relationships with customers. [Editors note: Eric Smith is the Co-Chair of Fraser Milner Casgrain LLP's National Technology Transactions Practice Group. This article first appeared on FMC's website at: < A copy of the complaint, as well as the report of findings and other announcements by the OPC referenced below can be found on the website of the Office of the Privacy Commissioner of Canada at < As of June 4, 2009, Facebook stated that there were over 350,000 Facebook applications from over 950,000 developers in over 180 countries see para. 148 of the Report of Findings. To illustrate the sharing of personal information with third-party applications, the Northern California chapter of the American Civil Liberties Union ( ACLU ) created a Facebook application that allows users to see personal information that the ACLU application can access on the user s Facebook account. See Report of Findings, para Ibid. para As noted in para. 275 of the Report of Findings, the practice of using accounts for memorial purposes was, at the time of complaint, identified in Facebook s Terms of Use. In the time between the filing of the complaint and the issuance of the Report of Findings, Facebook replaced its Terms of Use with a Statement of Rights and Responsibilities ( SRR ). The SRR does not include a reference to using accounts for memorial purposes. WEBSITE OWNERS MAY FACE LIABILITY FOR HYPERLINKS TO DEFAMATORY MATERIAL David Crerar and Michael Skene Borden Ladner Gervais LLP The British Columbia Court of Appeal has just issued an important judgment on the increasingly important issue of Internet defamation: Crookes v. Newton, [2009] B.C.J. No. 1832, 2009 BCCA 392 ( Crookes ). The decision is vital to every person and business that publishes material on the Internet or that operates a website. The judgment provides more good news than bad to persons participating on the Internet, confirming that hyperlinks will not in themselves implicate a website owner in publishing defamatory material found on the hyperlinked website. But, if a Court finds that the hyperlinking website endorses or adopts the defamatory content, or explicitly encourages the reader to link to the offending material, then the hyperlinking website owner may be deemed to have participated in a republication of the offending material, and face liability and damages. THE CROOKES FACTS The plaintiff in Crookes is a Vancouver-based businessman and sometime member of the Green 61

6 Internet and E-Commerce Law in Canada November 2009 Volume 10, No. 7 Party of Canada. His Green Party ties were the subject of various articles he claimed to be defamatory. In an earlier lawsuit, he sued the supposed author of those articles. This case arises from a second lawsuit commenced by Mr. Crookes. In the facts leading to the present decision, the defendant Jon Newton runs a website, < On his website, Mr. Newton published an article entitled, Free Speech in Canada. The Newton article referred to the earlier Green Party article, and provided a hyperlink to that article. Newton did not quote the earlier article, or comment on its content. PUBLICATION It is not widely known, but almost everyone who plays a role in the writing, publication, or distribution of a defamatory article can be sued and can be found liable in defamation. It is not generally a defence that one is only repeating what another person originally said. A plaintiff in a defamation lawsuit must prove, among other matters, that the defendant published the defamatory words. The primary question is whether that person played a role in writing, publishing, or distributing those words. The issue of publication looks to both the giver and receiver of the offending material. On the one hand, did the defendant participate in disseminating the offending material? On the other, did anyone actually receive and read the offending material? Crookes considers both sides of the question of publication. PUBLICATION VIA HYPERLINK In order to be liable for defamation, it must be proved that the defendant published the offending words. When the offending words appear in a newspaper or magazine, or are directly placed or quoted on a website, publication seems obvious. But what if the website does not directly publish the offending words on its own website, but instead provides for its readers a hyperlink to another website where the offending words are found? The British Columbia Court of Appeal concluded that providing a hyperlink, in itself, does not establish that publication has occurred. If the website simply provides a hyperlink, or describes the hyperlinked contents in a neutral manner, then the hyperlink is serving as no more than a footnote or a card in a library catalogue. The website is not adopting the offending words as its own, and is not indirectly publishing them. If, however, the linking website endorses the content of the hyperlinked material or encourages the reader to click to the hyperlinked material, the website defendant may be seen to be participating in the dissemination of the offending material, and publication may be found. To provide hypothetical examples, the first may well lead to a finding of publication, while the second would probably be safe: Click here to learn the truth about Mr. Smith s history of fraud and corruption. As shown here, Mr. Smith s business practices have been the subject of some (unproven) criticism and litigation. The Court also confirmed that providing a website address (as opposed to providing a clickable hyperlink), without more, does not constitute publication. PRESUMPTION THAT THE MATERIAL WAS READ WITHIN THE JURISDICTION The plaintiff must also prove the other aspect of publication: that the offending material was received and read by someone. This proof is fundamental to a claim in defamation. It is also fundamental to the issue of whether it is appropriate to sue in a given jurisdiction. A plaintiff suing in British Columbia must prove that at least one person in British Columbia read the offending material. In Crookes, the Newton article providing the hyperlinks had been accessed a total of 1,788 times. It was not clear whether anyone accessing the Newton article had actually clicked on the hyperlinks to the offending material. Nor was it clear what number of these hits came from independent or repeat visits. Nor was it clear how many hits came from humans or from information-gathering Internet robot software. Nor was it clear whether any of the readers were located in British Columbia. In the circumstances, the Court found that the bald fact that there was a certain number of hits on the website article could not prove that anyone had 62

7 Internet and E-Commerce Law in Canada November 2009 Volume 10, No. 7 clicked the hyperlink to read the Green Party article via the Newton article. Accordingly, the plaintiff had also failed to prove that anyone in British Columbia had read the article, and thus could not show that British Columbia courts had jurisdiction to hear the matter. In contrast, the one dissenting justice on the Court of Appeal would have found that 1,788 hits on an article on the topic of free speech provided ample evidence from which a court could infer that at least one person had read the article and clicked on the hyperlink to the offending article, which then establishes publication. LIABILITY FOR REFUSING TO REMOVE DEFAMATORY MATERIAL Mr. Crookes also argued that publication should be established because Mr. Newton refused to remove the hyperlinks to the offending material after Mr. Crookes had asked that he do so. Mr. Crookes argued that this refusal showed that Mr. Newton exercised control over the hyperlinks, and that he had participated in their dissemination. The Court declined to address this issue, which had not been argued on a full evidentiary record in the Court below. As the lower Court had found that it could not be inferred that anyone had clicked on the hyperlinks, it was unnecessary to address this issue. This issue remains unsettled, but cases both in British Columbia and England suggest that a defendant website host that fails to remove defamatory postings after having received notice of their potentially defamatory content may be liable for republication of those materials: Godfrey v. Demon Internet Ltd. [2001] Q.B. 201 and Carter v. B.C. Federation of Foster Parents Assn., [2005] B.C.J. No. 1720, 2005 BCCA 398. RECOMMENDATIONS The Court of Appeal decision provides useful guidance for Internet participants, and rules out the possibility that publication flows from the simple act of hyperlinking. But Crookes confirms that each case will turn on its own specific facts, including the wording, tone, and placement of the introduction to the hyperlink. A website owner or manager would be wise to seek legal advice before hyperlinking to a potentially defamatory website, or else risk a finding of publication and liability just as if it were the author of the offending material. [Editors note: Michael Skene is a partner at the Vancouver office of Borden Ladner Gervais LLP. Michael practises in the areas of media law and defamation, construction and surety law, and commercial litigation. He was selected by peers for inclusion in the 2010 edition of The Best Lawyers in Canada (Defamation and Media Law). David Crerar is a partner at the Vancouver office of Borden Ladner Gervais and an Adjunct Professor at the University of British Columbia Faculty of Law, lecturing in civil procedure. He practises in the areas of civil and commercial litigation, media law and defamation, injunctions, shareholder disputes, and banking and pension litigation. A version of this article originally appeared in the November 20, 2009 issue of The Lawyers Weekly published by LexisNexis Canada Inc.] ELECTRONIC VERSION AVAILABLE A PDF version of your print subscription is available for an additional charge. A PDF file of each issue will be ed directly to you 12 times per year, for internal distribution only. 63

8 Internet and E-Commerce Law in Canada November 2009 Volume 10, No. 7 INVITATION TO OUR READERS Do you have an article that you think would be appropriate for Internet and E-Commerce Law in Canada and that you would like to submit? AND/OR Do you have any suggestions for topics you would like to see featured in future issues of Internet and E-Commerce Law in Canada? If so, please feel free to contact Michael A. OR ieclc@lexisnexis.ca 64