Last month, the UK Information Commissioner’s Office (UK ICO) published guidance on the application of the Data Protection Act 1998 (UK DPA) to social networking sites and online forums. Although the guidance is specific to UK privacy legislation, the guidance is worth reading by a broader international audience. In particular, the guidance may be of interest to operators of social networking and online forum sites in Canada, given the similarity of some of the underlying principles in Canadian privacy legislation.

The overarching theme of the UK ICO guidance is that organizations must assess the extent to which the UK DPA applies to their activities. In most cases, it will be uncontroversial that the collection and use of subscription data falls within the provisions of the UK DPA. However, organizations must also consider whether the content of posts by users will fall within the UK DPA and the extent of the organization’s responsibilities for the accuracy of that content.

Social Media Activities Attract Obligations

The UK DPA does not apply to individuals who process personal information for their own personal purposes. This is referred to as the “domestic purposes” exemption. However, the UK ICO states that the domestic purposes exemption is not available to organizations engaged in social media activities. The fact that the social media activity is conducted by an individual employee makes no difference if the employee is engaged in the activity on behalf of the organization.

In view of the UK ICO’s guidance, organizations will have obligations in three broad situations:

• if the organization runs a website which allows third parties to add comments or posts about living individuals, and they are a data controller for the website content;

• if the organization or its employees (acting in the course of their duties or with encouragement of the organization) post personal information on the organization’s own website or a third-party’s website; and

• if the organization or its employees (acting in the course of their duties or with the encouragement of the organization) downloads and uses personal information from a third-party website.

As an aside, the UK ICO stated that it considers “it poor practice for an organisation to encourage or allow employees to use their own personal networking pages for corporate purposes.”

Data Controller of User Comments and Posts

One of the most difficult areas is determining the extent to which privacy laws apply to the host of social networking sites and forums in respect of comments and posts by the users of those sites. The obligations of a host under the UK DPA materially expand if the host is a “data controller” of the factual information in the posts.

Whether the host is a “data controller” depends, in part, on the degree to which the host determines the purposes for which and the manner in which the information on the site are processed. Thus, an actively moderated site could make the host a “data controller”. However, the UK ICO also suggests that a host engaged in less intensive moderation could be a “data controller”. For example, a free site with an acceptable use policy reserving to the host the right and ability to remove posts could still result in the host being a data controller.

If the host is a data controller, the UK ICO states that the organization must “take reasonable steps to check the accuracy of any personal data that is posted on its site by third parties and is presented as a ‘matter of fact’.” What constitutes reasonable steps will vary with the type of networking site or forum. The UK ICO states it may be sufficient in some cases to:

• maintain clear and prominent acceptable use policies;

• maintain clear and easy to find procedures to dispute the accuracy of posts and to request removal; and

• maintain a procedure to respond to disputes quickly, including procedures to remove posts, suspend posts while the dispute is resolved, or annotate them as disputed.

Distinguishing between a “fact”, which must be accurate, and an “opinion” may not always be easy.

Parallels and Differences in Canada

Although Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) is materially different from the UK DPA, there are also some important parallels.

Subsection 4(2) of PIPEDA contains an exemption for the collection, use and disclosure of personal information by an individual solely for personal or domestic purposes. However, like the UK DPA, PIPEDA applies to organizations that collect, use and disclose personal information in the course of commercial activities. The fact that those activities are carried out through an individual employee using a personal account may not on its own to exempt the activities from the scope of PIPEDA depending on the degree of involvement of the organization.

PIPEDA does not expressly use the concept of a “data controller”. However, PIPEDA does require an organization to be accountable for personal information under its “control”. If personal information is under the “control” of the organization, it must be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used. Furthermore, an individual must be able to challenge the accuracy and completeness of the information and have it amended as appropriate. To this end, the organization must have procedures to receive and respond to complaints regarding the accuracy and completeness of the information.

Determining whether information is under the “control” of an organization is equally tricky in Canada. However, an organization may be considered to “control” information if it has the right to determine whether and under what conditions it is used or produced. The UK ICO’s guidance is of interest, therefore, in assessing how one might interpret the accountability requirements under PIPEDA or distinguish them from the UK DPA.

The House of Commons Standing Committee on Access to Information, Privacy and Ethics tabled its Report, entitled “Privacy and Social Media in the Age of Big Data” on April 23, 2013.

The report is the result of 15 meetings of the Committee and 30 witnesses between May 29, 2012 and December 11, 2012. The Committee’s Report summarizes the witness’s testimony but doesn’t suggest any legislative response. Some issues are punted to the Office of the Privacy Commissioner of Canada (OPC) to establish guidelines. Other issues, such as children’s privacy interests, enforcement powers of the OPC, Do Not Track and “privacy as the default” are discussed but the Committee offers no recommendations.

OPC’s Homework

The Committee may not have had advice or solutions on many of the issues, but it was ready to recommend that the OPC develop more guidelines. Among the guidelines that the Committee wishes to see the OPC develop are:

• Guidelines for social media and data management companies regarding accountability and openness

• Guidelines for drafting policies, agreements and contracts in clear, accessible language that facilitates meaningful and ongoing consent

• Guidelines for mechanisms to ensure individuals have access to personal information held by them, mechanisms to limit how long information could be held, and mechanisms to facilitate deletion of information

Protection of Children

Although the Committee recognized the special issues of obtaining informed, meaningful consent and protecting children on the Internet, there were no calls by the Committee for a U.S.-style Children’s Online Privacy Protection Act (COPPA). Instead, the Committee simply recommended that the Government of Canada and social media companies “continue to provide support to organizations that provide education and training on digital activities and privacy.” The Committee also urged social media companies to promote safe online environments that are protective of the privacy interests of children and young persons.

No Comment on Enforcement Powers for the OPC

Intriguingly, after reviewing the competing perspectives on increasing the enforcement powers of the Office of the Privacy Commissioner, the Committee ducked the issue by stating that the Committee hoped the discussion would be of benefit to future legislative review:

“The evidence presented to the Committee demonstrates the competing views regarding the enforcement powers of the Privacy Commissioner. On the one hand, the current model facilitates the constant flow of information and good will between the private sector and the Privacy Commissioner, and has proven effective in ensuring that this relationship remains cordial and non-adversarial. On the other hand, much can and has been said regarding how the current model favours self-regulation and is not adequately prepared to ensure compliance when self-regulation fails. The Committee hopes that this valuable discussion will be of benefit to any future legislative review in this regard.”

Many will be disappointed, no doubt, with the lack of substance to the recommendations. No doubt we will hear more in the coming weeks as Canada’s approach is compared and contrasted with the U.S.’s recent  revamp of COPPA Rules and the U.S. Commerce hearings on Do Not Track.

The scourge of online defamation poses enforcement challenges for victims. So much so that there may be a temptation to begin looking for gatekeepers. The direction of the law appears to be ready to assist.

Consider, for example, the problem of the anonymous blogger. The path to justice requires a number of separate steps. Obtain an order requiring disclosure of subscriber information. Cajole the host of the blog to take down the content. Seek an order to validate service of proceedings on the blogger by email. Finally, pursue default judgment. In Manson v. John Doe, 2013 ONSC 628, the plaintiff followed that route and was awarded C$200,000 in damages and nearly C$50,000 in costs on a motion for default judgment. Whether the judgment will ever be satisfied is unknown.

A more direct route might be to seek compensation is to impose a gatekeeping function on the owner of the website. That route might just become easier. Last year, in Canoë inc c. Corriveau, 2012 QCCA 109, the Quebec Court of Appeal upheld an award of C$150,000 in damages and C$50,000 in punitive damages against the website owner who was found to have been grossly negligent in permitting defamatory statements to remain on the site. The hook was that the website owner failed to enforce promptly a website code of conduct.

More recently, in February, the English Court of Appeal, in Tamiz v. Google Inc., [2013] EWCA Civ 68, held that the host of a blog could be liable for defamatory material in circumstances where the host provided a platform, provided assistance and services relating to the platform, and imposed terms and conditions that enabled it to remove or block service in the event of a breach of the terms. The Court of Appeal held that such a host could become liable for allowing defamatory material to remain on the site once the host had been notified of the defamatory material and had a reasonable period of time to remove the material.

Of course national laws may differ with respect to what constitutes defamation and defences to defamation.  So, as always, it is necessary to seek local guidance before jumping to conclusions.

However, the risk management message is clear. If an organization is operating a platform or interactive site with a social media component where users may post comments, reviews and interact, that organization would do well to review its policies and whether it has the resources and compliance structure to ensure that it monitors the site or at least can respond quickly to complaints.

Draft Regulations recognize CASL should not apply to ”regular business communications” 

Industry Canada has published long-awaited draft Regulations that would lessen the impact of Canada’s Anti-Spam Law (CASL) on businesses.  Or in the words of the Regulatory Impact Analysis Statement, to: 

provide relief to businesses through targeted exemptions where the broad application of the Act would otherwise impede business activities that are not within the intended scope of the legislation.

Under the heading “Proposed exemptions to address stakeholder concerns”, the Statement explains:

Since it applies broadly to commercial electronic messages, the Act captures some regular business communications that are not the types of threats that were intended to be captured within the scope of the Act. To ensure these business communications are not regulated under the Act, the Regulations include business to business exemptions for commercial electronic messages that are sent within a business, or sent between businesses that are already in a business relationship, where the messages are sent by an employee, representative, contractor or franchisee and are relevant to the business, role, function or duties of the recipients. These proposed exemptions address many of the most serious concerns raised in the consultations about the unintended application of CASL to ordinary, transactional business communications.

The Canadian government has not issued a formal entry into force date for the Anti-Spam law, and the date has been a moving target since CASL was passed into law in December 2010.  Informally, CASL, the CRTC Regulations, and the proposed Industry Canada Regulations are expected to enter into force late in 2013.

Industry Canada’s Proposed Approach

Comments are due on February 4 on the proposed Regulations.  Here is a summary of Industry Canada’s proposed approach to clarify the application of the Act, and more importantly, to carve out “non-threatening” commercial electronic messaging.

1.  Limited Exemptions for Certain Types of Message

Exemptions are proposed for CEMs sent:

• within a business;
• between businesses already in a business relationship, sent by employee, representative, contractor or franchisee, where message is relevant to business, role, function or duties of recipient;
• by foreign businesses and accessed by a visitor to Canada;
• as a response to an inquiry; and
• due to a legal obligation, or to enforce a legal right.

2.  Third-Party Referrals

Existing business relationship (also non-business, personal or family relationship) would permit third-party referral. 

Example:  Client of Company and Potential Client of Company have a business, non-business, personal or family relationship.  Client refers Potential Client to Company.  Company sends a single consent request message to Potential Client, including name of Client and identification and unsubscribe requirements set out in the Act and CRTC Regulations.

3.  Clarifying What is Required where Sender is an “Unknown Third Party”

CASL permits consent to be obtained to receive messages from a third party unknown to the recipient, in certain circumstances.  The proposed Regulations specify that the recipient must have the ability to unsubscribe and alert the “original requester” that he has withdrawn his consent.  That “original requester” must notify each third party sender that the recipient’s consent has been withdrawn.

4.  Membership in a Club, Association or Voluntary Organization

The proposed Regulations clarify the definition and scope of these “non-business relationships”, and include references to the purpose and not-for-profit status of these organizations.

5.  Limited Exemptions for Protecting, Upgrading and Updating Computer Networks

The proposed Regulations include new definitions for computer programs that are to be excluded from the “installation consent” requirements:  those installed (i) to prevent illegal activites that present an imminent risk to network security; and (ii) to update and upgrade an entire network.

Certain Questions Clarified

The Regulatory Impact Statement clarifies that not all messages sent “in a commercial context” are necessarily CEMs.  For example, Industry Canada notes that:

• a CEM is a message that “encourages participation in a commercial activity”: therefore a message such as a courtesy SMS or an unsubscribe notification (without that encouragement) is not a CEM;
• a CEM is a message sent to an electronic address:  “…[t]he publication of blog posts or other publications on microblogging and social media sites is not within the intended scope of the Act”.

What Industry Canada has Not Done

Industry Canada has rejected stakeholder requests to:

• “grandfather” consents obtained under PIPEDA (rejected as the CASL consent requirements are much more stringent than PIPEDA’s);
• send CEMs from Canada to recipients outside Canada on behalf of foreign companies (rejected as a potential loophole to be exploited by spammers);
• permit manufacturers to send CEMs to end-users of their products (rejected as potentially too broad);
• revise the “unknown third party” approach to make it less complex and burdensome (rejected as tracking and managing consents is not “unduly onerous”).

A growing number of businesses in Canada, the United States and elsewhere has become involved in weighing in on the proposed Regulations.  The outcome of the current regulatory review will be worth watching, for all those impacted by CASL. 

It is 2013, and time for a bit of tough love. Here are five data governance matters that need your attention as soon as possible.

1. Enough of the Unencrypted USB Keys. December 2012 ended with Human Resources and Skills Development Canada reporting that a USB key containing personal information of Canadians had gone missing. Just months before, Elections Ontario apparently lost USB keys containing unencrypted personal information of Ontarians. The use of unencrypted USB keys to store or transfer personal information or any confidential corporate information is the number one practice that organizations should address in 2013. The solution is not overly complex. Just stop it already! And, also make sure that subcontractors don’t use unencrypted USB devices when handling your data.

2. BYOD is Here to Stay; Stop Pretending Otherwise. Employees are coming to work with their own smart phones, laptops, tablets, and other devices. There is no point pretending that employees don’t have proprietary rights and privacy rights in these devices with heavy-handed and unworkable policies on their use. But turning a blind eye to the fact these devices may introduce security risks and can be used as unencrypted USB keys is also not an option. It is time to develop a workable policy. Be clear with employees regarding appropriate use. Audit compliance. If your organization is of sufficient size, it may be a wise investment to employ a “show me – don’t just tell me” policy. Invest in a video showing proper use of these devices and, perhaps more importantly, the cost and consequences of improper use. If it is a condition of BYOD that the organization be able to wipe the whole device remotely, consider illustrating what that is going to mean so that employees understand that they may lose data that they consider to be theirs and that is not backed-up.

3. End the Denial About Your Website Data Collection. You know that part of the website privacy policy that says the organization doesn’t share personal information with third parties? Or, the bit about how the organization only uses information for the purposes described in the privacy policy? Saying it doesn’t make it so. Chances are that even in an organization with very good privacy practices this statement is not 100% accurate, particularly if the organization is engaged in on-line advertising, uses third-party website analytics services, or has third-party content on its site. These activities may involve the transmission of personal information about the user without the knowledge and consent of the individual. If staff in the marketing and technology departments say there is no personal information being shared, ask whether any non-personal data is being shared. Ask what that that non-personal information is. There is a decent chance that some of the data being shared is data that a Canadian Privacy Commissioner would consider to be personal information.

4. Stop Ignoring Unstructured Data; It Might Be Your Achilles’ Heel. Data privacy policy? Check. Records retention policy? Check. Litigation hold procedure? Check. Wait, what’s that? Your organization is using social media. Employees are storing documents in electronic and physical files that are not saved in a centralized repository with pre-defined fields or labels. All of this unstructured data is probably falling outside of the organization’s procedures and policies for dealing with the collection, use, retention and destruction of information. Unstructured data doesn’t need to be the weak link, provided that it is not ignored. It is time to start tackling why employees are using unstructured files and responding with solutions that can address the usefulness of the unstructured data while managing its risks.

5. Really, Why is “That” Confidential? Yes, yes, everything about the organization’s business is confidential. Except that half of it is on the corporate website or in public filings and everyone in the organization with a user ID has access to the other half of it. Okay, I’m being deliberately provocative. However, this one also falls in the category of “saying it doesn’t make it so”. If information is confidential, then there should be many contextual clues so that employees are re-sensitized to the need to protect the information. Limiting access, requiring higher levels of clearance and training, using watermarks to establish the custodian of the information, having properly labelled and locked shredding containers, all contribute to better information security practices by providing employees with contextual reminders of the importance of information security and confidentiality.

The Conference Board and the Stanford University’s Rock Center for Corporate Governance recently published its 2012 Social Media Survey, entitled “What Do Corporate Directors and Senior Managers Know about Social Media?” What is the bottom line from the survey of 180 senior executives and corporate directors of North American public and private companies? Senior executives and directors appreciate the power and the risk of social media. But they are not engaged from a governance perspective. The majority of organizations do not monitor social media to detect risks. Only a minority receive reports containing summary reports and metrics from social media. More disturbingly, the majority of companies did not have social media policies in place.

In Canada, the Canadian Institute of Chartered Accountants’ Risk Oversight and Governance Board published a helpful Director Alert in January 2012 providing directors with some basic questions to ask. The publication is a helpful primer on the basic issues.

In addition, here are 10 topics that Directors may wish to review from a governance perspective:

1.  Social Media Plan. Does the organization have a social media plan identifying the purposes of the organization’s social media, the persons accountable for implementing the social media plan, and the metrics by which the time and effort spent on social media will be measured?

2.  Type of Social Media Strategy. Will the social media be simply one-way promotion of the organization or will it truly be “social” in the sense of engaging with stakeholders? How does the strategy fit with the organization’s social media plan and other public relations efforts?

3.  Choice of Platforms. What social media platforms will be used to implement the social media plan? How do those platforms match the goals of the social media plan and the strategy to achieve those goals? Have the terms of use and end user licence agreements for those platforms been reviewed?

4.  Advertising Compliance. Does the organization’s social media plan comply with the Competition Act (Canada), Competition Bureau Guidelines, the Canadian Code of Advertising Standards and other legal restrictions that may affect the use of social media to promote the organization? Is the organization providing benefits to “influencers” (persons who have large followings on social media and who influence people to take actions, such as clicking on a link or signing up for a promotion)? Is this appropriately disclosed?

5.  Contests. Will social media be used to engage in contests? How will the organization ensure compliance with the Criminal Code and the Competition Act in respect of those contests?

6.  Criticism. How will the organization respond to criticism in social media platforms? Does the organization have clear guidelines on how to handle a disgruntled stakeholder or a negative social media report? How will criticism be elevated within the organization?

7.  Confidentiality. How will the organization ensure that postings through social media do not result in the inadvertent disclosure of non-public material information, confidential information or trade secrets of the organization or a third party to whom the organization owes a duty of confidence, or personal information of employees, customers or others?

8. Employee Engagement. Does the organization have a social media policy in place for employees? Does the policy balance the right of employees to engage in free speech while educating employees and protecting the organization against activities that may contravene advertising laws or be considered to be defamatory or discriminatory? Do employees understand the consequences of breaching the social media policy?

9.  Monitoring. Who is responsible for surveillance of the reputation of the organization and competitors in social media? Who will receive reports of major events? How will the social media strategy be fine-tuned to respond to the information received through social media?

10.  Disaster Plan. Does the organization have a 24/7/365 disaster plan in place in the event that the organization is under attack on social media platforms or a social media effort backfires? Are the appropriate personnel and external advisers in place to assist?

The scope of an employer’s right to discipline and terminate an employee for indiscreet or inappropriate remarks in social media is far from settled. Given that an employee’s social media activities have the potential to “go viral” (or at least be seen by hundreds, if not thousands of people), organizations must assess whether the activities of employees outside of work have the potential to negatively affect, even transiently, the reputation and goodwill of the organization.

Currently, the legal battle over an employer’s legitimate interest in an employee’s use of social media is being played out among employees who are relatively junior within organizations and may, justifiably or unjustifiably, believe that their actions are not under the gaze of their employers.

This post compares two recent cases from the United States and the United Kingdom with an earlier case from Canada.

Don’t Make Fun of the Customers

In a recent U.S. National Labour Relations Board (NLRB) decision, Karl Knauz Motors, Inc. (Re), the NLRB considered whether a car dealership could terminate a salesperson for comments on Facebook about an accident that involved a customer of the dealership. The customer had driven into a pond and the salesperson posted photos on Facebook with sarcastic comments. The employer argued that the comments violated employee handbook rules that required employees to be “courteous, polite, and friendly to our customers, vendors and suppliers, as well as to their fellow employees” and which prohibited conduct that was “disrespectful” or involved the “use of profanity or other language which injures the image or reputation” of the employer. In addition, not long before the post about the customer, the same salesperson had posted photos and comments criticizing food that had been served at a sales event at the dealership. The tenor of the earlier post was that the dealership should have served better food given the profile of the sales event.

The salesperson claimed that he was terminated in violation of the protections afforded by section 7 of the National Labor Relations Act (NLRA), which, among other things, provides rights to participate in concerted activity for the purpose of collective bargaining or other mutual aid or protection. The NRLB has previously issued decisions and guidance documents this year warning that social media policies must not stifle workers from communicating about workplace conditions as this would offend section 7 of the NLRA.

An administrative law judge concluded that the postings about the car accident did not fall within section 7 of the NLRA because it was posted by the employee on his Facebook page and not discussion took place on Facebook about the post. By contrast, the comments about the food at the sales event were made in the context of an exchange among employees on Facebook. The administrative law judge concluded that the comments were related to the dealership’s image at the event and this could affect the working conditions of the employees by affecting sales.

In a split decision, the NLRB upheld the decision of the administrative law judge. The employee’s termination for the comments about the customer was not protected by the NLRA. However, the NLRB ordered that the employee handbook rules were overbroad and not enforceable.

The dissenting NLRB member concluded that the requirement to be courteous did not violate section 7 of the NLRA and held that:

“[r]easonable employees know that a work setting differs from a barroom, room and they recognize that employers have a genuine and legitimate interest in encouraging civil discourse and non-injurious and respectful speech.”

Say What You Will About Gay Marriage

In the Smith v. Trafford Housing Trust, a housing manager of the Trust read a news article online regarding gay marriage and posted the link to his Facebook account with the comment “an equality too far”. The manager’s Facebook privacy settings had been set so that his posting could be viewed by his “Friends” and also “Friends of Friends”. This prompted an exchange with one of the employee’s colleagues at work, which was quite tempered but suggested that those gays and lesbians “have no faith and don’t believe in Christ”. The employee was suspended and subjected to a disciplinary proceeding that resulted in a finding of gross misconduct. The employee was offered a demotion to a non-managerial position in view of the length of his service.

According to the decision of the English High Court of Justice (Chancery Division), the Trust had over 300 employees. The court found that at the material time, the employee listed that he was a manager at the Trust. His profile stated “What can I say – it’s a job and it pays the bills”. He described his religious views as “full on charismatic Christian.” His profile and wall pages also listed that he was a manager at the Trust. In putting the post into context, the court held that it was one of a number of posts about “sport, food, motorcycles and cars.”

The court concluded that a reasonable reader of the manager’s wall would not have understood him to be a spokesperson for the Trust. The court rejected that any loss of reputation by the Trust would arise in the mind of a reasonable reader. The manager’s Facebook wall “was primarily a virtual meeting place at which those who knew of him, whether his work colleagues or not, could at their choice attend to find out what he had to say about a diverse range of non-work related subjects.” The court minimized the broader access to his wall by “friends of friends” by stating that “actual access would still depend upon the persons in that wider circle taking the trouble to access it.” The court found that the manager did not thrust his views onto colleagues at the office. The medium and context was not “inherently” work related. In the result, the court concluded that the manager had been constructively dismissed.

Don’t Diss and Threaten Other Employees or Your Employer

The problems for the employees in Lougheed Imports Ltd. (West Coast Mazda) v. United Food and Commercial Workers International Union, Local 1518 started when one of the employees posted on Facebook a post that could be interpreted as threatening: “Sometimes ya have good smooth days when nobody’s [expletive] with your ability to earn a living … and sometimes accidents DO happen, its [sic] unfortunate but thats [sic] why there [sic] called accidents right?” Another employee also was posting derogatory comments about managers.

The employees had close to 100 and 377 “friends” respectively. Significantly, the posts were escalating in tone and extreme enough that one person “de-friended” and even the girlfriend of one of the employees commented that ”[s]omethings just shouldn’t be broadcasted on facebook, especially when you still work there.”

The employer terminated the employment of the two employees. The union grieved but lost. In an interesting counterpoint to the Trafford Housing Trust case, the British Columbia Labour Relations Board concluded that there the comments on Facebook had sufficient proximity to the employer’s business. The comments had been used as a “verbal weapon”. They went beyond shop floor comments to insubordination in front of employees who were friends of the employees by degrading a manager and referring to discipline. The comments also counselled Facebook friends not to shop at the employer. In the result, the termination was upheld.

Substance, Purpose and Context

One should be careful to draw conclusions from a handful of cases in multiple jurisdictions with different approaches to employment and privacy laws. However, one theme that emerges in all three cases is that, in addition to the substance of the social media posts, the purpose and context for those postings are important considerations in concluding whether the employer has a legitimate interest in the activity of the employee’s social media activities.

In October, the U.S. Federal Trade Commission (FTC) issued a Staff Report, entitled “Facing Facts: Best Practices for Common Uses of Facial Recognition Technologies”. Organizations operating in Canada and the U.S. should carefully consider the guidance in the FTC Staff Report.  They should also have regard to earlier guidance on the collection of biometric information, including facial information, issued by the Office of the Privacy Commissioner of Canada (OPC).

In this post, I examine some of the privacy issues that facial recognition technologies present and compare and contrast the U.S. and Canadian guidelines on the use of facial recognition technologies.

A question of liberty and control

The Supreme Court of Canada has said that privacy is at the heart of liberty. “[R]estraints imposed on government to pry into the lives of the citizen go to the essence of a democratic state” (R. v. Dyment, 1988 CanLII 10 (SCC) at para. 17). Very recently, the Supreme Court of Canada reiterated that the underlying values of dignity, integrity and autonomy are fostered by protecting a biographical core of personal information from the state (R. v. Cole, 2012 SCC 53 at para 45, quoting R. v. Plant, 1993 CanLII 70 (SCC)).

Private sector privacy advocates may argue that those same values require that individuals have the right to protect (and control) a biographical core of personal information from private sector organizations, as well, should they choose to do so.

Facial recognition technologies create new challenges for privacy protection.  In public spaces, there is, of course, the possibility that people might recognize you.  However, one of the features of urban spaces is that an individual can often move around in a way that is relatively anonymous.

Advanced facial recognition technologies have the potential to match images across platforms. Pervasive private-sector passive security video surveillance, facial recognition in digital signage, and photos and videos uploaded to social media could, in theory, be combined and cross-matched.  The ability to move around in relative anonymity could, in theory, be lost, along with the ability to control the use of one’s own image. Moreover, the collection of this information could, in addition, be combined with public-sector data from government issued identification and licensing activities, leading to concerns of mass surveillance.

In Canada, we have already had some experience with the potential use of combining private sector data with public sector databases for law enforcement purposes.  Following a riot in Vancouver, the Insurance Corporation of British Columbia (ICBC) (a Crown corporation subject to private sector privacy legislation in British Columbia) offered its facial recognition technology to assist police in comparing images of individuals alleged to have participated in the riot with images in its database of drivers.  ICBC is the provincial insurers for drivers in British Columbia.  The plan was to take images contained on surveillance video and images uploaded to social media and compare them using facial recognition technology with those in ICBC’s database of driver photos. The Office of the Information and Privacy Commissioner of British Columbia (IPC) responded with an investigation that concluded that ICBC did not provide adequate notice of this potential use to citizens and that it must receive a warrant, subpoena or court order before using facial recognition software to assist law enforcement.

Notwithstanding the concerns raise by the IPC in British Columbia, it is easy to be drawn into being overly critical of the use of facial recognition. As the dissenting Commissioner, J. Thomas Rosch, stated in an appendix to the FTC Staff Report, there is, as yet, little evidence that facial recognition technologies is being systematically “misused”.  In Commissioner Rosch’s view, the Staff Report was, among other things, premature.

It is also important to acknowledge that reasonable people may disagree on a number of the values underlying suspicion of facial recognition technology.  Some may be sceptical as to whether facial recognition technologies present any material threat to liberty.  Others may be sceptical whether the relative anonymity that urban life affords has anything to do with liberty.  Reasonable people may also differ in the extent to which they are prepared to submit to surveillance for the purposes of public safety.

Moreover, when critiquing facial recognition technologies, it is important to acknowledge that not all facial recognition technologies are the same and not all uses have the same degree of intrusion on an individual’s ability to be “left alone” in relative anonymity.  As the FTC Staff Report notes, there is a spectrum of technological sophistication and a spectrum of uses. Facial recognition technologies may simply detect and locate a face in an image. Other technologies and uses may be to identify demographic characteristics or moods or emotions of the person to deliver targeted advertising.

FTC: technological neutrality but greater transparency and choice

For the most part, the FTC Staff Report is neutral with respect to the use of facial recognition technologies in consumer settings. The FTC acknowledges that facial recognition can be used “in ways that benefit consumers by providing them innovative products and services, such as the ability to try beauty products by uploading their faces to the Web, the ability to target search results, and the ability to organize and manage photos.” Facial recognition technology can also be used to enhance privacy protections. The technology can be used for authentication of mobile devices and to blur images of individuals captured in video.

However, the FTC is also concerned about potential erosions of privacy in ways that are unfair to consumers.  In providing guidance, the FTC has organized its analysis around three core principles:

1.  “Privacy by Design: Companies should build in privacy at every stage of product development.”

The FTC Staff Report states that the transmission of facial information should be encrypted or secured to protect against intrusion from a hacker who could view the images in real time. Organizations should also attempt to prevent unauthorized scraping of images. If images will be retained, there must be reasonable data security protections in place and the images should be subject to destruction once they are no longer necessary for the purpose for which they are collected.

2.  “Simplified Consumer Choice: For practices that are not consistent with the context of a transaction or a consumer’s relationship with a business, companies should provide consumers with choices at a relevant time and context.”

The FTC considers a consumer’s face to be a persistent identifier in the sense that it can’t simply be changed in the way that other identifiers can be such as a credit card number or a tracking cookie. Accordingly, it is critical that there be meaningful and informed choice.

The FTC Staff Report suggests that “walk-away choice” is sufficient if (a) the technology is being used to gather demographic information (age and gender), (b) images are not stored, and (c) the organization has been sufficiently transparent about its activities.

By contrast, using facial recognition technologies for identification purposes requires affirmative express consent. Similarly, using an image in a materially different way (for example, a new use) would require affirmative express consent.

3. “Transparency: Companies should make information collection and use practices transparent.”

The FTC is concerned that the public is not well-educated in the uses of facial recognition technology. For example, the FTC is of the view that facial recognition technologies in digital signage would not be consistent with reasonable consumer expectations. Therefore, it is important to provide prominent notice so that consumers have a meaningful choice as to whether they want to come into contact with these types of technologies.

The FTC Staff Report states that a notice should be prominently placed at the entrance to the store or at the entrance to the area of the store in which the technology is being used. When used with digital signage or other novel applications, a notice should be placed near the digital signage or area of novel use. The notice should state the purpose of the technology and how consumers can find out more information about the technology and the practices of the company operating the signs in that venue.

If facial recognition is used on image submitted in social media, the operators of those social networks should provide consumers with an easy to find, meaningful choice and the ability to turn off the feature and delete biometric data.

Canada’s focus on proportionality

The Canadian guidance from the OPC contains similar themes. Individuals should be informed that facial recognition is being collected. If facial information will be used for other purposes than those disclosed at collection, additional consent will be required.

However, unlike the U.S. approach, the Canadian approach by the OPC requires that organizations be prepared to justify the use of facial recognition. In part, this is probably because subsection 5(3) of the Personal Information Protection and Electronic Documents Act (PIPEDA) provides that “[a]n organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances” (emphasis added).

In determining what is reasonable, the OPC encourages organizations to apply a four-part test.

1. Is the use of the technology demonstrably necessary to meet a specific need?

2. Is the use of the technology likely to be effective in meeting that need?

3. Would the loss of privacy be proportionate to the benefit gained?

4. Is there are less privacy-invasive way of achieving the same end?

The application of this test means that technologies such as facial recognition are not to be employed simply because they are efficient, convenient or cost-effective. Instead, the OPC suggests that facial recognition should be “essential for satisfying a particular need”. Any loss of privacy must be proportional to the benefit obtained from the technology. If the benefit to the organization of using facial recognition is minor, then it will be difficult to justify the loss of privacy from technologies that may be used to identify individuals. By contrast, technologies that are being deployed for privacy enhancing purposes (such as blurring faces in photos) or that are based simply on sensing that there is a person facing a digital signage may be much easier to justify in the cost to privacy / benefit to the organization calculus.

Implications of the Philosophical Difference

The Canadian focus on the contextual reasonableness of facial recognition technologies is an important philosophical difference in approach, with practical implications. In particular, it may be necessary in Canada to more carefully calibrate the use of facial recognition technologies in consumer settings to a clearly defined need.

Although the use of facial recognition technologies may be more restricted in Canada, they can be used in privacy enhancing ways, as demonstrated by the experience in Ontario casinos.

The Ontario Lottery and Gaming Authority (OLG) facial recognition program is instructive.  OLG maintains a voluntary self-exclusion program for persons who do not want to be admitted to gaming sites. In collaboration with the Information and Privacy Commissioner and the University of Toronto, the OLG developed a facial recognition program that uses biometric encryption. A biometric pointer key is created from a sample image. The sample is then discarded. The identity of the person can only be unlocked by the biometrically encrypted pointer key derived from a person’s live image. Images that do not unlock a self-excluded gambler’s photograph are discarded, thereby protecting the privacy of the general public visiting the casino. If a likely match is identified, staff will check identification, which eliminates false positives. The Ontario Information and Privacy Commissioner has authored a paper describing the project and has presented on the topic recently.

Facial recognition technologies won’t be going away.  They are novel, useful, and fun for consumers.  However, developers should consider engaging in a privacy impact assessment with respect to any deployment of these technologies for new uses and applications.

One of the hot topics in privacy policy at the moment is the question of whether there should be a right to be forgotten. Should, for example, an indiscretion captured in a photo and shared via social media be purged?

The Canadian Civil Liberties Association (CCLA) has weighed into the debate by tackling a specific and pressing issue: The retention and disclosure of non-conviction records in police background checks. The CCLA’s recent report is provocatively titled “Presumption of Guilt?”

The CCLA notes that most people who interact with police will never be convicted of a crime. These people may be victims of crime, be witnesses, or be targets of an investigation or a “person of interest”. In some cases, a person is simply has an undiagnosed or untreated mental health need and law enforcement officers are first responders. Records of these interactions may be created in each of these cases. In addition, of course, records will be created in situations where the police lay charges that are subsequently withdrawn or individuals are acquitted of an offence.

In the case of adults, these varied “non-conviction” records are not subject to legal requirements for destruction. CCLA comments that Criminal Records Act provides for removal of records of absolute and conditional discharges from RCMP databases within relatively short time frames. However, there is no requirement with respect to other types of non-conviction records. Moreover, CCLA concludes in its Alberta investigation that records of absolute and conditional discharges of adults as well as other non-conviction records of adults may continue to be maintained in provincial databases for lengthy periods of time and possibly indefinitely. (There are greater restrictions on the retention of youth criminal records.)

The CCLA is calling for reform given the increasing use of criminal background checks in employment. The CCLA is concerned that these records may be misleading without sufficient context and be unfair to the subject of the records who may not be in a position to refuse to disclose those records.  To address these concerns, the CCLA has outlined seven recommendations which are reproduced below:

1.  Non-conviction records should be regularly reviewed and destroyed in the overwhelming majority of cases.

2.  Non-conviction records should be retained for inclusion in a police background check only in exceptional cases where police believe that doing so is necessary to reduce immediate public safety threats. The decision to treat a case as an exceptional one should be done at the time that the non-conviction record is created; i.e., immediately after the charge is dismissed, withdrawn or otherwise resolved by way of a non-conviction.

3.  Where the government requests that a decision be made whether to retain a non-conviction record, the affected individual should be notified and provided with a right to make submissions.

4.  If it is decided that retention is appropriate in a given case, the affected individual should have a right of appeal in front of an independent adjudicator.

5.  Where non-conviction records are retained, they should be disclosed only in relation to certain employment or volunteer positions.

6.  Proper monitoring mechanisms regarding the use and impact of all forms of police background checks should be put in place, including adequate data collection and public reporting.

7.  Provincial human rights legislation should protect individuals from unwarranted discrimination on the basis of non-conviction disposition records.

 In the meantime, employers should be cautious in their use of background checks to ensure that they are adhering to their legal obligations.  For more information regarding the law related to the use of background checks in employment, readers might consider checking out “The HR Manager’s Guide to Background Checks and Pre-Employment Testing” authored by Adrian Miedema (FMC lawyer) and Christina Hall.

In keeping with her stance on overly-invasive employee background checks, British Columbia’s Information and Privacy Commissioner, Elizabeth Denham, has issued her findings and recommendations with respect to the B.C. Government’s policies, as an employer, for employee criminal record checks.

Finding that the government’s polices resulted in the unnecessary or overbroad collection of personal information, the Commissioner issued a number of recommendations aimed at limiting the amount of data collected by the provincial government, as well as the instances in which collection would be justified. The report also contains 16 recommendations for “Best Practices for Public Sector Record Checks”.

A “Best Practices” for private sector employers will be released at a later date.

The Privacy Commissioner’s July 25, 2012 Report can be accessed at: http://www.oipc.bc.ca/orders/investigation_reports/InvestigationReportF12-03.pdf

The Privacy Commissioner’s guidelines on social media background checks can be accessed at:http://www.oipc.bc.ca/pdfs/private/guidelines-socialmediabackgroundchecks.pdf

In a decision that may one day be cited by Canadian courts on the extent of an employer’s rights over its social media properties, the United States District Court for Colorado has ruled that an employer’s MySpace Profile and “Friends” list can qualify as trade secrets.

In Christou et al. v. Beatport LLC et al., Regas Christou sued former employee turned rival nightclub owner, Bradley Roulier, for, amongst other things, theft of trade secrets. In particular, Christou alleged that Roulier had misappropriated the login information for the MySpace profiles of Christou’s nightclubs as well as their corresponding MySpace “Friends” lists.

Following a motion brought by Roulier to dismiss Christou’s trade secrets claim, the Court ruled that Christou had alleged sufficient facts to allow the claim to proceed. In so doing, the Court accepted Christou’s argument that the “Friends” list was more than a list of names; rather it was closer to a database of contact information:

“The names themselves, readily available to the public, are not the important factor. The ancillary information connected to those names cannot be obtained from public directories and is not readily ascertainable from outside sources, and thus this militates in favor of trade secret classification.”

In addition, having secured the MySpace profiles of his various nightclubs through web profile logins and passwords and expended some amount of money, time and resources into developing the list of “Friends”, Christou further bolstered the viability of his trade secret claim at this early stage in proceedings.

While this case dealt only with MySpace and therefore did not address other commonly used social media websites such as LinkedIn or Facebook, it nonetheless demonstrates the steps that employers should take to protect the social media accounts that have been registered on behalf of the company. In those circumstances, employers should be careful to limit access to the company’s social media profiles to only those employees who are responsible for establishing and advancing the company’s on-line presence. There is no reason for every employee to have access to the company’s on-line accounts. In addition, employers should also amend their policies and contracts to clearly indicate that the ownership of the contacts listed on these social media accounts rests with the employer.

This post is co-authored by Saba Zia.

Social media is great “word of mouth” advertising when things go right. It can also be a nightmare in damage control when things go wrong. Sometimes the unsatisfied customer just lets it rip fairly or unfairly.

In a recent Ontario case, 2964376 Canada Inc. (Ameublement Prestige Furniture) v. Bisaillon, a retailer was awarded Cdn. $15,000 in damages for defamation after the daughter of an unsatisfied customer began an e-mail campaign. Although the case deals with e-mail, there is no reason why it would not apply to social media.

The facts of the alleged unsatisfactory customer service were not unusual.  The customer had purchased a dining room table. It was damaged. There were attempts to fix it. The company offered to rebuild the table. The customer wanted a refund. When the customer didn’t get the refund, the customer’s daughter began an email campaign.

The daughter e-mailed 38 of her contacts using her work address. She inserted a logo that looked like the retailer’s and asked that the recipients to forward the email along to others. The email stated that the company was “an untrustworthy company and I strongly advise you to think twice before putting your trust and money in their hands!” and “We are all consumers and deserve to be made aware of deceitful companies who do not honour their Consumer’s Guarantee. BUYERS BEWARE!”

The Ontario court concluded that the daughter had gone too far and awarded the retailer Cdn. $15,000. E-mailing 38 people and asking them to pass it along constituted publication. Accusing the company of being untrustworthy and deceitful would clearly affect its reputation, character and business. The defence of fair comment was not available. The defamatory statements were not based on fact (at least not all of the available facts) and, in any event, the statements were based on malice. She openly stated that she wanted revenge.

Although there are other means for managing a company’s reputation, this recent case suggests that courts will take seriously an action in defamation as a last resort for dealing with a customer who goes too far.

News media have paid significant attention to court orders requiring production of relevant documents from Facebook and social media sites in the course of litigation.  As described in my recent post, the Ontario Information and Privacy Commissioner has recently published a booklet on privacy and reference checks.

From the Canadian litigator’s perspective, all the fuss might be difficult to appreciate.  In Ontario, for example, the Rules of Civil Procedure require that litigants must disclose to all of the parties to the litigation the existence of every relevant document in their possession, power or control and must produce to the other parties all of those relevant documents that are not privileged.

A document is defined by the Ontario Rules of Civil Procedure to include data and information in electronic form.  Electronic information will be in the power of a party if that party could obtain a copy of it.  So, pictures and posts accessible through your social media account are documents and within your power to produce. The only question is whether those posts are relevant.

Photographs and posts to social media accounts may be relevant to litigation in a number of ways.  In a personal injury or long-term disability case, they may suggest that claims of being unable to enjoy life or to work are exaggerated or false.  They may suggest that a  litigant was in a location or with people as alleged and contrary to protestations otherwise.  They may contain evidence of defamation or the truth of what might otherwise be defamatory statements.

Once litigation has been commenced or is contemplated, litigants and potential litigants should be careful, however, that they do not take steps to “cleanse” their social media accounts.  It often comes as a surprise to litigants that they are required to preserve physical and electronic documents – even if that material might be unhelpful to their case.  However, the preservation obligation will often begin even before litigation has been commenced.  Once a demand letter is drafted or received, or legal advice is sought with respect to potential litigation, a potential litigant may be required to preserve evidence.  Therefore, individuals involved in litigation or where litigation is a reasonable possibility should seek legal advice on their obligations.

Intentionally destroying evidence is called spoliation.  Spoliation occurs where a party (the spoliator) has intentionally destroyed evidence relevant to ongoing or contemplated litigation in circumstances where a reasonable inference can be drawn that the evidence was destroyed to affect the litigation.  In Canada, spoliation usually produces an adverse inference that the evidence would have been unhelpful to the spoliator and may result in sanctions.

A recent U.S. case illustrates some of the pitfalls and, in the U.S. sanctions, for spoliation and social media (Lester v. Allied Concrete Co., Case No. CL09‐223 (Va. Cir. Ct. Sep. 1, 2011), and Lester v. Allied Concrete Co., Case Nos. CL08‐150, CL09‐223 (Va. Cir. Ct. Oct. 21, 2011):

•  The plaintiff was the husband of a woman who was killed in an automobile accident.  He sued the truck driver and the driver’s employer and initially won a substantial damage award.
• During the discovery process for his trial, he was asked about his Facebook account.  The defendants had produced a photo justifying the request that was apparently taken after his wife’s death and showed him holding a beer can and wearing a “I [heart] hot moms” t-shirt.
• The plaintiff, with the lawyer’s advice, deleted the Facebook account and responded that he did not have a Facebook account at the time of responding to the discovery requests.

The Virginia court was not impressed. It cut the damages award to the plaintiff in half and awarded cost sanctions against both the plaintiff and his lawyer.

In Canada, courts are reluctant to make similar awards preferring to remedy the wrong in other ways, such as providing procedural remedies for additional discovery and drawing adverse inferences that the destroyed documents would have been unhelpful to the party who destroyed them.  Courts can also award cost sanctions.  To date, however, courts have not awarded damages against the spoliator.  Nevertheless, once litigation is contemplated – resist the urge to press delete!

.

The Ontario Information & Privacy Commissioner (OIPC) has published booklet regarding social media and reference checks, entitled “Reference Check: Is Your Boss Watching? The New World of Social Media: Privacy and Your Facebook Profile“.

The booklet warns employees and job-hunters of the perils of indiscreet postings on social media sites.  The booklet is directed at educating Ontarians about what the OIPC describes as intrusive background checking activities.  However, the booklet is also an excellent HR resource for educating employees regarding social media best practices.

For more on this subject, see my previous post.

On April 23, 2012, Nova Scotia Liberal MLA Andrew Younger introduced Bill 40, which would amend the Labour Standards Code (Nova Scotia) to prohibit an employer from requiring an employee or prospective employee to provide access to the employee or job candidate’s social networking account or discriminating against the employee or job candidate for refusing to provide such access.  The Nova Scotia NDP government is reported to be considering the Bill.

If the Bill were to pass, it would be the first legislation to pass in Canada specifically addressing the practice of employers requiring employees or job candidates to provide access to social networking accounts.  Last week, Maryland became the first state in the United States to pass legislation prohibiting an employer from requesting or requiring that an employee or job candidate disclose passwords (among other things) for accessing personal accounts or social networking services and disciplining any employee who refused to release such information. The bill has not yet been signed into law.  California Senate Bill 1349 would go further and prohibit a post-secondary institution or an employer from requiring a student, employee or prospective student or employee, to provide access to that persona’s personal social media account.

It is questionable whether such specific legislation is required in Canada.  In a recent post on Employment and Labour Law, my colleague, Naomi Horrox, wrote about the practice of accessing personal information about job candidates by asking candidates for their passwords to social networking sites that they use.  Naomi reported in her article that the Ontario Human Rights commission warned that doing so could lead to claims against the employer of discrimination allegations.

In addition, any employer who seeks access to social networking sites should obtain legal advice regarding Canadian privacy obligations as the employer who logs on as the job candidate will have access to and may be accessing and collecting personal information about third parties (the candidate’s contacts) by reviewing and copying any information on the site.  Employers should seek legal advice regarding whether such access and collection might be contrary to the third parties’ reasonable expectations and whether consent of those third parties is required in the circumstances, depending on the third parties’ privacy settings.

Canadian Privacy Commissioners have expressed concerned regarding the collection and use of personal information from children.  In the Office of the Privacy Commissioner of Canada’s 2010 Report on Consultations on Online Tracking, Profiling and Targeting, and Cloud Computing, released in May 2011, the Privacy Commissioner stated:

“[...] the OPC is of the view that baseline standards need to be developed to support parents and educators in terms of knowing that children’s personal information is being protected. A framework needs to be put in place that will better inform parents and educators and, ultimately, will better protect the personal information of children [...]“

South of the border, the United States Federal Trade Commission (FTC) recently issued a staff report regarding the adequacy of privacy practices disclosures in the mobile app market for kids.

Although the report was focused on disclosures of privacy practices, the FTC stated that it will be conducting additional investigations to determine whether any of the mobile apps violate the U.S. Children’s Online Privacy Protection Act of 1998 (COPPA).  COPPA regulates the collection, use, and disclosure of personal information from children and generally requires verifiable parental consent to the collection, use and disclosure of such personal information.

Regarding privacy practices disclosure, the FTC Staff report concluded that:

• there was insufficient disclosure of the data collection, data sharing and interconnectivity of mobile apps for children;
• parents should not have to navigate to lengthy privacy policies and terms of use to determine whether personal information is being collected and used;
• disclosure should be provided prior to downloading and use because by that point the child may already be using the app and the parent may have already been charged a fee; and
• icons and short disclosures should be used to alert parents if the mobile app (a) permits information to be shared with social media, (b) allows “in-app” advertising to occur, or (c) permits “in-app” purchases.

On the subject of “in-app” advertising, the FTC raised three concerns with what it assessed was an inadequate level of disclosure:

• parents may want to limit the data collected by advertisers and ad networks about their children;
• even if the advertising is not based on any information collected from the child, parents may want to limit their children’s exposure to ads; and
• parents may not want children to be able to call numbers or visit websites appearing on in-app advertisements.

In Canada, mobile app developers and marketers should seek legal advice regarding, among other things, the Quebec Consumer Protection Act restrictions on advertising to children.  With few exceptions, Quebec prohibits commercial advertising directed at persons under 13 years of age.