Legal issues concerning internet social media with a special reference to privacy

Marcin Klisiak

Rauno Korhonen

Introduction to legal informatics

14 December 2012

Table of contents

I. Outline of the problem
II. Applying international law to the internet
III. Contractual issues regarding the social media
IV. Determining the administrator
V. Users displaying sensitive information
VI. Concern about applications
VII. Applying law in case of involuntary infringement of privacy
VIII. Analysis of the report of findings of the Canadian Privacy Commissioner
    1. Collection of Date of Birth
    2. Default Privacy Settings
    3. Facebook Advertising
    4. Third Party Applications
    5. New Uses of Personal Information
    6. Collection of Personal Information from Sources other than Facebook
    7.1 Account Deactivation and Deletion
    7.2 Accounts of Deceased Users
    8. Personal Information of Non-users
    9. Facebook Mobile and Safeguards
    10. Monitoring for Anomalous Activity
    11. Deception and Misrepresentation

Outline of the problem

While data protection on the internet is still relatively untrodden ground for the law, it is becoming increasingly relevant to our daily lives. Modern internet technologies are used in many fields, from letting people check tomorrow's weather to opening up new possibilities for government, including online law publishing and e-auctions.[1] Part of this field consists of people communicating with each other through websites that focus on human interaction, a segment whose use has grown greatly in recent years. These websites are known as social network sites, and are often defined as sites on the internet which allow users to create profiles, keep a list of the people they are connected with, and view the profiles and connection lists of other users.[2] One of the most popular is Facebook, which currently has over 1 billion users.[3]

Due to the relatively recent rise of such networks, there are no comprehensive legal regimes governing the legal issues stemming from their use. Instead, an analogy has to be drawn each time law is applied to such media. As the analogy must be drawn from legal sources developed mainly for direct interaction, this is neither easy nor straightforward. Another problem with applying law to social media is that the media operate internationally, while the law which deals with them is most often national. Thus, the rules of private international law, which determine the applicable legal system, have to be applied. Since legal issues are resolved predominantly in national courts, I will use the law of different countries as examples. I will also most often use Facebook as the example of social media, as it has probably the largest collection of legal issues. There are many other challenges which a lawyer who wants to understand this branch of law has to overcome, for instance how to deal with the fact that data is physically stored on servers.

What is privacy?

The majority of the cases which will be discussed are connected to the problem of privacy. Privacy is a subject raised in many fields of law, but it is especially important with regard to the internet. The concept was best described in an article by Warren and Brandeis as “the right to be left alone”.[4] How controversial and popular the topic is could be seen during the demonstrations in the European Union against ACTA, legislation which was thought to limit the amount of privacy internet users enjoy.[5][6] While the question of privacy was not ushered in by the advent of IT and social media, it is much easier to infringe one's right to privacy online than in the “real world”. Additionally, it is important that the right to privacy is not absolute and often clashes with other norms and values, such as public safety, when the police search users' private data in order to apprehend both “real world” and internet criminals. This is not so prominent in social media, where the concern is generally that other users and firms are able to find out too much information about a user. The government's role in these situations is generally thought to be the reverse of its role in criminal and intellectual property matters: instead of attempting to limit privacy and justifying this by the protection of other values, it often sides with the internet user and helps him gain more control over the use of the private data he inputs, even if most users themselves do not see that as a major problem. It must be noted that the right to privacy is not synonymous with the right to personal data protection. Privacy is a wider term, used both for information systems, like the internet, and for regular activities. On the other hand, data protection does not only encompass data about the private sphere of the individual. The right to privacy has Roman origins,[7] while data protection started developing more recently.

[1] 25 Years of Data Protection in Finland. Helsinki: Ahti Saarenpää, 2012. Print.

[2] Boyd, Danah M., and Nicole B. Ellison. "Social Network Sites: Definition, History, and Scholarship." Journal of Computer-Mediated Communication (n.d.): n. pag. Social Network Sites: Definition, History, and Scholarship. Web. 14 Dec. 2012.

[3] "Facebook Tops Billion-User Mark". The Wall Street Journal (Dow Jones). October 4, 2012. Retrieved December 14, 2012.

[4] Saarenpää, Ahti. Legal Privacy. Zaragoza: Prensas Universitarias De Zaragoza, 2008. Print.

Privacy seems to lie on a graded scale, as the sphere of privacy of a government official is smaller than that of a typical person. Different groups may also have a legitimate interest in knowing about one's private affairs: for instance, biological children have the right to know their parents' identities, and bosses are thought to have more information about their employees, although only to some extent, as will be shown later in the essay. Another distinction that is often made on social media sites is the one between “friends”, who are able to view the majority of a person's profile, and non-friends, who have relatively restricted access to this information. In contrast to the previous examples, this distinction is drawn solely by the user, which signifies an important aspect: like most rights, the right to privacy can be renounced in certain cases, with regard to part of it and to certain people. Not in any way, though: privacy is cited in many constitutions as an inalienable right, which essentially means that the law prohibits giving it up in a contract. A good example is the constitution of California, which states it in article 1.[8]

[5] "ACTA: EU Privacy Watchdog Warns of Internet Spying Threat." EurActiv.com. N.p., 25 Apr. 2012. Web. 20 Dec. 2012.

[6] Lee, Dave. "Acta Protests: Thousands Take to Streets across Europe." BBC News. BBC, 02 Nov. 2012. Web. 20 Dec. 2012.

[7] Saarenpää, Ahti. Legal Privacy. Zaragoza: Prensas Universitarias De Zaragoza, 2008. Print.

[8] "Constitution of the State of California 1849*." Constitution of the State of California 1849. Ed. Debra Bowen. California Secretary of State, n.d. Web. 20 Dec. 2012. <http://www.sos.ca.gov/archives/collections/1849/full-text.htm>.

Applying international law to the internet

A particularly interesting topic in the debate about using private international law to determine the legal regime applicable to internet-based cases is finding the place where the effect occurred. While the internet transmits data internationally to a great extent, it was not the first medium to do so: before it, television and radio also sent information over long distances, in many cases across borders as well. Neither of them ushered in a dramatic change in private international law, so why should the internet do so?

One of the early ideas for legal control over the internet came from the state of Minnesota. In 1990 the state legislation was as follows: “[p]ersons outside of Minnesota who transmit information via the internet knowing that information will be disseminated in Minnesota are subject to jurisdiction in Minnesota courts for violations of state criminal and civil laws”.[9] This decision is controversial, especially since people from other countries might not be subject to the same regulations, which means that someone might take an action on the internet that is perfectly legal in his own country but not legal under Minnesota rules, and be subject to a penalty there. In order to prevent this, certain countries, such as Poland, introduced the principle of double incrimination. The principle states that for an action to be punishable, it must be considered a crime under both legal regimes.[10] Another problem arises even when the offense is indisputable: the question of which law to use. For example, when a person from South Korea working on a computer in Singapore incorrectly tags a person from Malaysia as a citizen of China on Facebook, whose server is located in the USA, while the offended people were in Vietnam and Japan, respectively, where was the offense committed? Whether tagging someone wrongly is really an offense will be discussed later; for now I will attempt to answer what the place of jurisdiction would be if it were reasonably considered a breach of one's rights. In reality the answer varies from system to system, but if the case were judged according to the Polish penal code, all of these places would qualify, as the place of jurisdiction can be where the offender acted (or refrained from acting), where the effect occurred, or where the effect should have occurred according to the offender. According to other articles, committing a crime against a citizen of Poland would also constitute an offense punishable under Polish law, as would a citizen of Poland committing it abroad.

[9] Memorandum of Minnesota Attorney General as reproduced in: B. Jew, 'Cyber Jurisdiction – Emerging Issues & Conflict of Law when Overseas Courts Challenge your Web' (1998) 24 Computers and Law, 23.

[10] Wróbel, Włodzimierz, and Andrzej Zoll. Polskie Prawo Karne: Część Ogólna. Kraków: Wydawnictwo Znak, 2011. Print. (Text in Polish)

To make matters even more complicated, there exists a theory under which, if one posts text in social media or anywhere on the web that contains information disallowed by law, for instance defamatory material, it is sufficient for someone in a country to read it for it to become the basis of litigation there.[11] This view is based on the idea that the effect occurred in each country where the material was seen and downloaded. While this is not a unanimous view, as certain countries, such as the USA, do not accept it, many other important countries do. For instance, EU law follows it in the Mines de Potasse case, where the European Court of Justice decided in a preliminary ruling that the offended party may sue the offender in any country where the law applies.[12] A valid question to ask in this case is: should we apply all the laws at the same time? The answer is unfortunately positive, although there exist procedures which allow a country to exchange prisoners or to count a sentence served under a foreign legal system as a sentence served in its own prison. Of course, in private proceedings, when the court orders that compensation be paid, one person would not need to pay a fine under the civil jurisdictions of all the countries in the world where downloading or viewing the criminalized content occurred, as the plaintiff chooses where he wants to sue; this view was even put forward in the aforementioned case. In conclusion, according to the popular image, the internet is a place where no legal rules apply, not entirely dissimilar to a 21st-century Wild West. In reality, however, it is governed by the laws of every country.[13]

Contractual issues regarding the social media

There are two types of legal disputes that arise in social media: infringement of the rights of a user by the media, and infringement of the rights of one user by another user or a third party. Although it may seem that in litigation over social media infringing the rights of a user there is some form of vertical relationship, the “equality of arms” before the court in civil matters is one of the fundamental principles of today's jurisdiction and ensures that the sides have equal rights and responsibilities. These cases often touch upon aspects of data protection, privacy and terms of contract, while the cases of a user versus another user or third party often concern the protection of intellectual property and various forms of slander.

[11] Svantesson, Dan Jerker B. Private International Law and the Internet. Alphen Aan Den Rijn: Kluwer Law International, 2007. Print.

[12] Judgment of the Court of 30 November 1976. - Handelskwekerij G. J. Bier BV v Mines de potasse d'Alsace SA. - Reference for a preliminary ruling: Gerechtshof 's-Gravenhage - Netherlands. - Brussels Convention on jurisdiction and the enforcement of Judgment, article 5 (3) (liability in tort, delict or quasi-delict). - Case 21-76. EurLex database, case 61976J0021

[13] Svantesson, Dan Jerker B. Private International Law and the Internet. Alphen Aan Den Rijn: Kluwer Law International, 2007. Print.

An interesting exception to this is the argument over which actions on social media constitute “free speech” and should be protected, which took place in the USA in 2011. It is a prime example of applying old law to conflicts which developed only recently due to the rise of social media. The actions in question consisted of “liking” other users on Facebook, and the subsequent reactions of third parties. In several cases, state employees were fired from their work for “liking” the profile page of a competitor of their bosses. These actions were thought to breach the 1st amendment of the constitution and the case law which arose from it. In well-established US case law, one of the important rules states that “A public employer may not fire an employee for speech relating to a matter of public concern where that speech causes no disruption to the workplace”. However, the court ruled negatively in this case, stating that a “like” was not a “substantive statement” protected by the amendment. The ruling was so controversial that the American Civil Liberties Union and Facebook itself voiced their negative opinion about it. In my view, the explanation of the court in this case is not satisfactory, as in a previous Supreme Court ruling an incident of flag-burning was treated as “symbolic speech”[14] and the second amendment of the constitution was thought to apply to it. Therefore, clicking “like” on Facebook should fall under the same category of actions, only without the controversy of profaning a national symbol. So, what does this case mean for the civil law world? This question is hard to answer, as each country has different regulations and different interpretations of these regulations and terms, as well as a different policy on freedom of speech. Nonetheless, the ruling was negative only where the “likes” were concerned, as writing comments on social media was considered to be an action guaranteed by free speech. This brings another factor into the equation, namely: why would posting a message which reads “I approve of that” be any different from clicking the like button? The controversy is heightened by the fact that the text displayed after pressing the “like” button consists of the words “[list of people who clicked 'like'] like this”. In conclusion, the effects of clicking “like” are not that different from posting a message, and even if they were, more controversial things were previously considered “speech” within the meaning of amendment 1.

While the above case is, at the moment, marginal, there is another recently widespread issue which connects the use of social media and employment: job interviews during which the interviewer asks for the candidate's Facebook password. This problem once again surfaced in America, and was so severe that federal legislation was proposed to deal with it, which did not pass only due to its poor wording.[15] At the moment, the legal situation is unclear, because an analogy has at times been made with the employer running background checks on potential employees or asking specialized firms to make private investigations into the workers' details. These practices are currently legal, and asking for a password allowing access to other private data can hardly seem a different matter. However, it includes some dubious points: currently under US law it is forbidden, depending on the state, for employers to ask their potential employees certain questions, for instance regarding their religion, orientation or political affiliation. Asking a potential employee for the password to his Facebook profile might be a way of circumventing these regulations, as most of these details are often stored there. Another potential problem is that such a request can be considered accessing computers and electronically stored information in an illegal manner. More specifically, it could infringe the federal Stored Communications Act (SCA) or the Computer Fraud and Abuse Act (CFAA). The legality of such practices depends on whether giving up one's password in such a way may be considered voluntary or is just a form of coercion, which would infringe these regulations. On two occasions, in 2002 and 2009,[16] courts sided with the plaintiffs who accused their supervisors of accessing private information using the obtained passwords. The more recent case was also an example of social media being used, as the website accessed was Myspace and the password was thought to be obtained using coercion.[17] Worker protection and human rights groups are not the only ones advocating a ban on this practice; social media themselves sometimes create rules which prohibit it. For example, giving away one's Facebook password constitutes a breach of the terms of service of the site. Facebook stated that it would sue the employers on the basis that their actions constitute a breach of contract.[18]

[14] Epstein, Lee and Walker, Thomas G. (1998) "Constitutional Law for a Changing America: rights, liberties, and justice" 3rd ed. pp. 258-280 Washington D.C.: Congressional Quarterly Inc.

[15] Protalinski, Emil. "House Votes down Stopping Employers Asking for Facebook Passwords." ZDNet. N.p., n.d. Web. 14 Dec. 2012.

Determining the administrator

When dealing with privacy cases connected to social media, or to internationally available media in general, some problems occur which are unheard of when discussing issues arising within a single country. One of the most important questions to answer in such a case is “who is the administrator of personal data?”, because this entity will assume special rights and obligations, which will be discussed below. It is not an easy question to answer, as various legal regimes have different theories on this subject; in this essay I will present two: the concept within Polish law (in the Personal Data Protection Act) and the definitions created by directive 95/46 of the European Union. According to the directive, the administrator is called the “controller” and is “the natural or legal person, public authority, agency or any other body” which “determines the purposes and means of processing of personal data”. The same article allows the laws of member states to designate their own definition of the controller.[19] This is applied, for example, in the Polish legislation, where the controller is called the “administrator of personal data” and only falls under the regulations if it has its place of business or residence in the Republic of Poland or manages data with technological measures located in this country. The material definition is the same as in the EU directive, though.[20] Having established the definitions of the data administrator, I will attempt to establish whether Facebook falls under it (with regard to Polish law, which will serve as an example of the legal questions that have to be asked to decide the case), and if so, what the consequences are for the company.

[16] Konop v. Hawaiian Airlines, Inc and Pietrylo v. Hillstone Restaurant Group respectively

[17] Ramasastry, Anita. "Can Employers Legally Ask You for Your Facebook Password When You Apply for a Job? Why Congress and the States Should Prohibit This Practice." Verdict, Legal Analysis and Commentary from Justia. N.p., n.d. Web. 14 Dec. 2012.

[18] Brodkin, Jon. "Facebook Says It May Sue Employers Who Demand Job Applicants’ Passwords." ArsTechnica. Ministry of Innovation/Business of Technology, 23 Mar. 2012. Web. 14 Dec. 2012. <http://arstechnica.com/business/2012/03/facebook-says-it-may-sue-employers-who-demand-job-applicants-passwords/>.

It is difficult to say whether Facebook fulfills the geographical criteria for being an entity which has to follow Polish law, as the question of what exactly “technological measures located in a country” are is a complex one. However, according to an official interpretation by the Polish agency GIODO (General Inspector of the Protection of Private Data), “The legislation is not to be applied in case of […] entities having their place of business or living in a third country (not belonging to the European Economic Area), using technological means located in the Republic of Poland only for the transmission of data”.[21] However, while the principal place of business of Facebook is located in the United States, it does have an office in Poland,[22] which has the potential to make the law on the protection of personal data applicable in this case.

While the claim that Facebook is the administrator of our personal data is widespread, the portal itself attempts to lessen its responsibility by stating that the real personal data administrator is the owner of the profile himself.[23] The reasoning that Facebook gives is that certain solutions regarding the transmission of data are customizable by users to a great extent. Let us assess this claim from the perspective of Polish and European law. First of all, the directive says that the controller can act “alone or jointly with others”, so even though users may attain enough control over the information that Facebook's claim that users are data administrators too could be upheld, this does not absolve the company of responsibility. Rather, it would have to prove that it lost enough authority over the data for that to be an option. Also, recent developments suggest that the argument is invalid because Facebook imposes the “purposes” of processing personal data on the user, for instance through a new mandatory feature which automatically creates a page listing all the activities of two people who are “romantically involved”, be it long-standing married couples or people in a short-lived relationship.[24] Apart from that, users have even less control over the means of processing personal data, as they can only fill in the fields left by Facebook, such as age, movies that they like, the already mentioned relationships, and their sex. The last field can be regarded as the final argument that Facebook is, in reality, controlling the means of data transmission, as a controversy arose when a gay activist demanded that Facebook introduce the option of picking a “third gender” or “neither” in the “sex” column, and the website refused.[25] The definition is satisfied under Polish law as well. Many countries outside Europe already hold the view that Facebook should be governed by their regulations; for example, Canada decided that Facebook is subject to its federal law on the basis that one third of Canadians have profiles on Facebook, which constitutes a “substantial connection” between the social media and the country. Certain Polish authorities decided that even if Facebook were not subject to Polish law according to the country's legislation, it should be on the basis of the non-discriminatory principle.[26]

[19] Luxembourg. European Parliament and the Council. Official Journal. 31995L0046 - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Luxembourg: n.p., 1995. EUR-Lex. Web. 15 Dec. 2012.

[20] Ustawa z dnia 29 października 2010 r. o zmianie ustawy o ochronie danych osobowych oraz niektórych innych ustaw (Dz. U. Z 2011 r. Nr 229, poz. 1497) (Text in Polish)

[21] "ABC Wybranych Zagadnień Z Ustawy O Ochronie Danych Osobowych." GIODO Generalny Inspektor Ochrony Danych Osobowych. WYDAWNICTWO SEJMOWE, n.d. Web. 15 Dec. 2012.

[22] Cohen, David. "AllFacebook Newsletter." Facebook Opens Office For Central, Eastern Europe In Warsaw, Poland. N.p., 28 Sept. 2012. Web. 15 Dec. 2012.

[23] "GIODO Przestrzega Polaków Przed Facebookiem." Newsweek.pl. N.p., n.d. Web. 15 Dec. 2012. (Text in Polish)

Now that it is established that most probably Facebook should fall under the jurisdiction of

most countries personal data protection law, what does it mean? As will most cases, there are

different obligations for the personal data administrators. Under the Polish law, one of their greatest

responsibilities is the “information obligation”. This obligation comes stems from two situations,

when the administrator collects personal data from the person in question and from other sources. In

any of these cases, the administrator has the obligation of informing these people about the

collection of their data, along with providing the information regarding the location where the data

was collected, the what reason for what will it be used, the whereabouts of the data administrator

and the right to correct the data. This is a major disadvantage to the data administrator, as the person

from whom the data was collected from has the ability to disallow the usage of the data. Being a

data administrator is the cause of more negative situations, however. The legislation imposes 5 rules

24 Ramasastry, Anita. "Facebook's Mandatory Couples Pages: The Site's Creating Them May Be Legal, But Is It Wise?" Verdict, Legal Analysis and Commentary from Justia. Justa, 20 Nov. 2012. Web. 15 Dec. 2012.

25 Protalinski, Emil. "Facebook Doesn't Add Third Sex, Gay Activist Disables Account." ZDNet. N.p., 30 Mar. 2012. Web. 15 Dec. 2012.

26 "GIODO Przestrzega Polaków Przed Facebookiem." Newsweek.pl. N.p., n.d. Web. 15 Dec. 2012. (Text in Polish)

of data transmission, which of course are specified more clearly in the law.27

(1) Legality, which implies that the data must be collected according to certain rules, and consists of

a few obligations, such as the obligation of asking the person from whom data will be collected for

permission to make use of it. It also requires that a special care is displayed when transmitting data

which are deemed to be “sensitive data” - such as ethnic origin, political opinions, orientation and

so forth. These are generally not allowed to be transmitted at all, except in the cases on an exhaustively

specified list.

(2) Connection to the purpose, which states that when collecting personal data, the reason for

collecting them must be provided and generally it is illegal to use the data for another purpose than

was given during their collection. This has the potential to be a dangerous regulation for Facebook,

if data collected for one reason were used for, for example, sale to other data-collecting

firms.

(3) Content-based correctness, which signifies that the data should be correct, complete and up to

date. The administrator should verify the data. Facebook is obviously a difficult place for this rule

to be applied in a proper manner, unless the theory of counting the user as an administrator is

applied.

(4) Adequateness, which is closely connected with the connection to the purpose principle and

states that the collected data must be necessary for the purpose of the data collection.

(5) Time restriction, which implies that the personal data may remain linkable to the person

it concerns only for as long as it serves the outlined purpose of data collection. Afterward, it has to

be rendered anonymous by the administrator.

Applying the rules of data transmission does not constitute all of the disadvantages

experienced by the data administrators under the Polish law. Perhaps shockingly, there is also a

possibility of the application of criminal law should the infringement of private data provide

sufficient grounds; this will be discussed and exemplified later in the essay. As the above cases signify,

Facebook is rightfully concerned about the possibility of these regulations being applied to it. All of

the outlined mechanisms not only make data collecting more difficult but also render following the

regulations expensive as well. In previous years, there were many cases in which the website did

not comply with the legislation of various countries and refused to be sued by their courts28.

However, recently Facebook seems more cooperative and it acknowledges the fact that it is bound

27 "ABC Wybranych Zagadnień Z Ustawy O Ochronie Danych Osobowych." GIODO Generalny Inspektor Ochrony Danych Osobowych -. WYDAWNICTWO SEJMOWE, n.d. Web. 15 Dec. 2012. (Text in Polish)

28 "Facebook Stawia Się Polskiemu Urzędowi. "Nie Możecie Nas Pozwać"" Wyborcza.biz Biznes Ludzie Pieniądze (2010): n. pag. Wyborcza.biz. 19 Nov. 2010. Web. 16 Dec. 2012. (Text in Polish)

by those or similar rules, which is signified by its data use policy, where “your information” is

defined as “information that's required when you sign up for the site, as well as the information you

choose to share.”29

Users displaying sensitive information

Disregarding the argument over whether Facebook is the data administrator, users can also violate the

privacy of other people, even involuntarily. The most often cited example is a disclosure of the

personal data of other users. A simple post on the Facebook wall is an action which has the

capability of unlawfully revealing personal data. Worse, even if both people have limited access to

their profiles, which renders the chance for the posts to be seen by others minimal, it is still

considered as an action which can reveal the information. There are several types of posts which

can be deemed unlawful. First, the already discussed sensitive data. The difficult part about dealing

with them is the fact that the definition of sensitive data varies from country to country, and

sometimes from state to state. The cases in which law could possibly

work when dealing with acts committed abroad have already been discussed, so if the data is not sensitive for the legislators in

Mexico, but is for the courts of France, and a Mexican displays sensitive data of a French citizen,

could he stand trial in any of the countries? It is hard to give a definite answer, as everything

depends on the laws and agreements of both countries. Before seeking litigation, however, the

person whose data have been disclosed should ask the offender to remove them. In case he

complies, no more action is required. Only when the person refuses can a complaint be filed with the

authorities, for example with the General Inspector of the Protection of Private Data, or directly with a

court.

It is interesting that according to Wojciech Wiewiórowski, the current Polish General Inspector of the

Protection of Private Data, not only posting messages on Facebook may be considered revealing

private data, but also inviting someone to groups or events, as by doing so, one is using the private

information to send the invitation; it is thus important to “think for a minute does the person want to

be invited”.30 While the Inspector does not give any examples, I would assume that inviting

somebody to an event for the Republicans, while knowing that he is a follower of this party, might

reveal his political affiliation or, similarly, an invitation to a gay parade will possibly reveal

someone's orientation. I do not agree with this opinion, as there is always a possibility to invite a

friend to an event that he will specifically not attend, as some might find it amusing to invite a

declared homophobe to an aforementioned event or a Nazi-sympathizer to a Jewish religious

29 "Data Use Policy." Facebook. N.p., n.d. Web. 15 Dec. 2012.

30 "GIODO Przestrzega Polaków Przed Facebookiem." Newsweek.pl. N.p., n.d. Web. 15 Dec. 2012. (Text in Polish)

ceremony. I can even relate to my personal experiences where I was invited to a Facebook group of

the local secondary school class representative elections in a different city, despite being a

university student studying hundreds of kilometers away. While it is arguable that the same can be

said about the possibility of posting incorrect messages, when posting a direct message about

someone's personal data, one either posts the data, which is disallowed without

permission, or gives incorrect information, which also might be illegal. Inviting someone to an event,

however, is not making a direct statement, as the person needs to confirm that he is coming there.

Besides, it is possible to reinforce this with a precedent mentioned before, where courts in the USA

refused to consider “liking” something a case of “speech”. The same can be said about invitations,

except that they are not as affirmative as giving “thumbs up”.

Concern about applications

Not only Facebook itself and its users have the potential to disclose private data. Recently,

there seems to be a growing concern about so-called applications, often abbreviated to apps, which

are programs that are developed specifically for Facebook (usually by independent companies,

considered third parties with regard to Facebook and its users) and are run on this website for the

purpose of allowing users to play games or be connected with people having similar interests31.

These applications often require the users to provide them their personal data, which they share with

various other companies, for instance specializing in internet tracking and displaying

advertisements. According to the cited article, the data is collected and transmitted regardless of the

privacy settings. This, apart from being legally questionable at best, was also against the policy of

Facebook, which resulted in some of the applications being closed down after Facebook learned

that their owners were sharing data of the users. The specific type of data that was shared was

the ID numbers. They are the basic recognizable values for Facebook, which allow the site to keep

track of every page and, while containing no personal information themselves, allow other

parties to have immediate access to all of the data a user does not set to “private” - such as the

person's name and his pictures, which often contain a large amount of private and even sensitive

data. The background for the issue is the fact that a growing number of companies build

user databases. The firms which create and own the applications have been proven to be sharing the

users' identification numbers with the aforementioned companies.

As mentioned previously, these actions go against the policy of Facebook. The website does

not allow its applications to transfer data of its users to outside sources, even if the user himself

31 "Facebook." Daily Definition RSS. Techterms.com, 14 Jan. 2008. Web. 17 Dec. 2012.

agrees. Another event which proves this policy occurred when Facebook limited the amount of

information received by the applications to only the publicly displayed data, unless the user agrees

otherwise. On the other hand, until recently Facebook was itself passing data about the user to

third parties, which occurred when a user clicked on an ad, causing some of his data to be

disclosed to the advertising company. Only after the Wall Street Journal pointed the case out to

Facebook did it change the regulations. Interestingly, it is difficult to say if the owners of the

companies possessing the applications which disclose, collect and share private data are aware of

these processes. The representative of one of the application developers, RapLeaf, stated that “We

didn't do it on purpose” when interrogated about sharing and collecting the data. This claim might

be true, as the information was passed by an internet standard known as the “referer”, which

sends the address of the last visited page to the destination site when the user clicks on a link. As the last visited site,

when using social media, is often one's own profile, it is possible to conclude that the last visited

site is most probably the user's personal page on, for example, Facebook, which provides the

application with the ID number of the user.
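
The leak described above can be modelled in a few lines. The following is an added example, not part of the original essay: it computes the Referer value a browser sends under each Referrer-Policy setting when a user follows a link from a profile page to a third-party application, and reports which settings expose the ID. The host names and the ID are constructed, and the model assumes http/https URLs only and treats https as the only trustworthy scheme.

```javascript
// Added example: the Referer value sent under each Referrer-Policy setting.
// Assumptions: only http/https URLs are handled, and "downgrade" means
// navigating from an https page to a non-https destination.

// Constructed sample URLs; the hosts and the id value are hypothetical.
const PROFILE_PAGE = "https://social.example/profile.php?id=1000123456789#wall";
const APP_LINK = "https://app-vendor.example/game/start";

const POLICIES = [
  "no-referrer",
  "same-origin",
  "origin",
  "strict-origin",
  "origin-when-cross-origin",
  "strict-origin-when-cross-origin",
  "no-referrer-when-downgrade",
  "unsafe-url",
];

// Credentials and the fragment are never sent; with originOnly the path and
// query string (where the profile id lives) are dropped as well.
function stripForReferrer(url, originOnly) {
  const u = new URL(url.href);
  u.username = "";
  u.password = "";
  u.hash = "";
  if (originOnly) {
    u.pathname = "/";
    u.search = "";
  }
  return u.href;
}

// Returns the Referer header value for a navigation, or null when the
// header is omitted entirely.
function computeReferer(policy, fromHref, toHref) {
  const from = new URL(fromHref);
  const to = new URL(toHref);
  const sameOrigin = from.origin === to.origin;
  const downgrade = from.protocol === "https:" && to.protocol !== "https:";
  const full = stripForReferrer(from, false);
  const origin = stripForReferrer(from, true);

  switch (policy) {
    case "no-referrer":
      return null;
    case "unsafe-url":
      return full;
    case "origin":
      return origin;
    case "same-origin":
      return sameOrigin ? full : null;
    case "origin-when-cross-origin":
      return sameOrigin ? full : origin;
    case "strict-origin":
      return downgrade ? null : origin;
    case "no-referrer-when-downgrade":
      return downgrade ? null : full;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    default:
      throw new Error("unknown policy: " + policy);
  }
}

// True when the value the destination receives still carries the id parameter.
function exposesProfileId(referer) {
  if (referer === null) return false;
  return new URL(referer).searchParams.has("id");
}

// One row per policy: what the third party receives and whether the id leaks.
function auditPolicies(fromHref, toHref) {
  return POLICIES.map((policy) => {
    const referer = computeReferer(policy, fromHref, toHref);
    return { policy, referer, exposesId: exposesProfileId(referer) };
  });
}

for (const row of auditPolicies(PROFILE_PAGE, APP_LINK)) {
  const verdict = row.exposesId ? "id exposed" : "id withheld";
  console.log(row.policy.padEnd(34), verdict, row.referer ?? "(no header)");
}
```

A site that serves profile pages with any policy other than the two that expose the ID prevents this particular leak without relying on the application's contractual obligations.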

Applying law in case of involuntary infringement of privacy

An interesting question that could be asked is whether disclosing the information without

knowing about it is an explanation which would absolve the firm from responsibility. This is a

complex issue, which differs from one legal system to another, but nonetheless certain methods of

dealing with it were developed. Due to my knowledge of Polish law, I will attempt to show

how this question could be answered on the grounds of the legislation of Poland, so

henceforth, until this issue is resolved, an assumption will be made that any persons will be held liable

according to this legal system. First of all, it has to be decided whether the infringement of rights is

to be prosecuted on the basis of criminal or civil law.

Interestingly, there is a possibility of subjecting the persons who infringe the right of internet

data protection to the criminal law regime in Poland. It mainly stems from the already mentioned

Act of Protection of Personal Data. The articles of chapter 8 starting from article 49 discuss

criminal penalties for breaching the provisions mentioned in the Act. Article 49 states that “Who

transmits personal data in a database, although their transmitting is not allowed or who is not

entitled to such transmission, faces a fee, restriction of liberty [a specific punishment in the Polish

legal system which most often involves imposed community service] or up to 2 year incarceration.”

As the provision does not mention involuntary action, it can only be used in the case when the

transmission of data was done on purpose32. There are, however, provisions in the same article

which allow applying a criminal penalty to an involuntary action. For instance, article 51 § 2

threatens a data administrator who involuntarily discloses, or enables access to, data to

unauthorized parties, with equal punishments to the ones in the previously cited article. This would

be the probable basis of criminal legal action against the administrators of data which happen to be

social media, as it was revealed that the particular infringement happens often. There are more

provisions concerning involuntary actions of administrators outlined in the Act, but this one will

suffice as an example.

It is not sufficient to show an article which punishes involuntary action; in the court

proceedings it must be shown that there was the so-called “involuntary guilt”. This concept

involves the requirement for the offender to predict or to be rationally able to predict the action.

When asking whether this condition applies to this case, it would probably be easy to

determine that the board of directors of Facebook or of any major application would conduct the required

analysis, provided that they anticipated the possibility that the regulations could breach privacy

rights. The sheer number of IT employees means that the risk could be assessed without much delay, providing

an almost immediate answer to the problem – and if they did so without this prompting any action on behalf of

the company, it would be guilty of an incident of voluntary guilt, covered in the previous provision

of article 52. An entirely different problem, however, is the possibility of them being able to foresee

the consequences, but not doing that. I believe that in this case, as it is an innovative sector,

demanding that a firm predict how entirely new innovations might work is not a reasonable thing to

do. The Polish doctrine usually modifies the American doctrine of assuming that the person under

trial is a reasonably prudent person, replacing the “person” in this case with “specialist” as

Facebook and the Application companies work professionally on this field. Every case would have

to be interpreted differently, as there could be instances of a technical error so obvious that

assuming the unforeseeability of the issue would be incorrect.33 In any case, expert witnesses would

need to be called into court to argue about the technical matters. The most striking question

regarding the procedure is the possibility of applying criminal law to firms without personal liability,

such as Facebook or application providers. On the grounds of the Polish law this is possible, but a

few conditions must be met, for instance the crime must be committed by a person working in the

name of the company, and the company should potentially be able to benefit from the action. The

punishments applicable in this case range from a fine of 1.000 zł to 20.000.000 zł (about 250 –

32 Wróbel, Włodzimierz, and Andrzej Zoll. Polskie Prawo Karne: Część Ogólna. Kraków: Wydawnictwo Znak, 2011. Print. (Text in Polish)

33 Wróbel, Włodzimierz, and Andrzej Zoll. Polskie Prawo Karne: Część Ogólna. Kraków: Wydawnictwo Znak, 2011. Print. (Text in Polish)

5.000.000 €) and a variety of other sanctions, such as disallowing it to advertise or sell its products

or services (the latter not being applicable to social media, due to their free nature and acting on the

internet, over which national legislations do not have much control).34

Although there are provisions which enable criminal action against firms infringing the

private data, this matter would most likely be filed by individual users with a civil court. The

possibility for a person to demand compensation on the grounds of civil law is included under

book three (obligations), title IV (unlawful actions), in the articles § 415 – § 449¹¹. From these

articles it can be read that anybody who is guilty of causing damage to someone else is under the

obligation to rectify it. Also a legal person needs to rectify the damage caused due to the fault of its

organs.35 It must be said that the interpretation of “damage” in Polish civil code is wide, as it

encompasses both financial and non-financial damage. The non-financial damage encompasses any damage

done to protected values, and the privacy of information is one of them.36

A similar case, which was questionable from the perspective of protecting private data,

occurred when the “Find friends” feature was introduced. This option accessed private e-mail

databases in order to send an e-mail invitation to Facebook to every friend who was stored

in the e-mail database. By looking at various people's information, it then compiled a list of the e-mail

friends a non-registered person had there in order to encourage that person to join. Certain users claimed

that Facebook was accessing their e-mail address books without permission. The Canadian privacy

commissioner was not convinced by this claim; however, she found that the situation was against the

Canadian Personal Information Protection and Electronic Documents Act (presumably violating

article 7 of this document)37, as Facebook did not ask for the non-users' agreement before obtaining

their e-mail address. As mentioned before, Facebook can be held responsible under the Canadian

law, due to the substantial connection clause. After receiving the report, the website addressed the

issue in a way which was considered adequate by the Canadian officials.38

Analysis of the report of findings of the Canadian Privacy Commissioner

34 Łyjak, Olga. "Odpowiedzialność Karna Spółki Za Przestępstwa Członków Zarządu I Pracowników." Kancelaria Adwokacka. N.p., 2009. Web. 17 Dec. 2012. <http://lyjak.pl/publikacje/odpowiedzialnosc-karna-spolki-za-przestepstwa-czlonkow-zarzadu-i-pracownikow/>. (Text in Polish)

35 Pietrzykowski, Krzysztof, and Zbigniew Banaszczyk. Kodeks Cywilny. Warszawa: Wydawnictwo C. H. Beck, 2008. Print.

36 "Szkoda Cywilnoprawna." Openlaw.pl. Ed. Marcin Krzymulski. N.p., 3 Dec. 2012. Web. 17 Dec. 2012. (Text in Polish)

37 Canada. Department of Justice. Personal Information Protection and Electronic Documents Act. (S.C. 2000, c. 5). Web. 17 Dec. 2012.

38 "Canada's Privacy Commissioner Flags Facebook Concerns." CTVNews. N.p., 4 Apr. 2012. Web. 17 Dec. 2012.

Generally, Canadians have quite often argued successfully against Facebook, using both laws and softer measures.

The aforementioned case brought up by Elizabeth Denham, Assistant Privacy

Commissioner of Canada, concerned a wider variety of issues than just asking non-users for e-mail

addresses. In fact it was a report made about the allegations that the Canadian Internet

Policy and Public Interest Clinic (CIPPIC) made against Facebook.39 As many of these can shed

some light on the matter of issues regarding social media, I will proceed to discuss the cases and the

findings of the Canadian institution, often attempting to include wider issues which revolve around

the discussed problem.

1. Collection of Date of Birth: There were several issues in this topic. Firstly, when questioned on

the subject of the necessity of collecting such personal information, which cannot be asked for without

a valid purpose according to principle 4.4.1 of the Canadian law, a Facebook representative argued that

the laws of the USA prevent children under the age of 13 from using such media, so asking about the date of

birth was a necessity. This shows an interesting feature about applying law to the internet – actions

that are deemed mandatory by one country can be illegal in another, which gives rise to many

possible conflicts. Assuming that the Canadian law were less liberal and prohibited making the disclosure of one's age

a requirement, it is possible that Facebook would have to choose between operating in Canada

and the USA, or possibly set a different requirement for users in each country. Another problem which

was addressed was disclosing the age to the advertisement companies, which used it to market their

products to a particular audience. This itself was not controversial, but Facebook was found to

provide this information even when the user set the age displaying option to “hidden”. This was not

denied, but the representatives of Facebook made an argument that by “hiding” data, a user only

keeps it hidden from people visiting his page and not from companies which are provided with

this information by Facebook itself. The language of the privacy policy was considered vague. The

Canadian side looked upon the purpose of asking the age with sympathy; however, it mentioned that

passing on information which even rational users assumed to be “private” went against the

principles of 4.3.2 and 4.3.5 of the Personal Information Protection and Electronic Documents

Act40. Facebook amended the problem by making it clear that the collected data will be always

usable for advertising purposes. This shows that the issues regarding privacy can sometimes be

solved by two means, either by ensuring that a greater protection of data takes place or by clearly

stating the situation prior to receiving the data.

39 Denham, Elizabeth. "Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)." Office of the Privacy Commissioner of Canada, 16 July 2009. Web. 17 Dec. 2012. <http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.asp>.

40 Canada. Department of Justice. Personal Information Protection and Electronic Documents Act. (S.C. 2000, c. 5). Web. 17 Dec. 2012.

2. Default Privacy Settings: Two issues were critically addressed by the Canadian commissioner.

Firstly, the default sharing of the information in the photo albums was not looked upon favorably, as

it stood in contrast with the principle 4.3.5 presented in the Personal Information Protection and

Electronic Documents Act, which states that a person's reasonable expectations should be

considered. Making “available to all” the default option for sharing photos seems, in the

opinion of the commissioner, to be an action going against rational expectations, which would

uphold the view that if, by default, the profile settings are set as accessible only to friends, the

pictures should share this setting, as a similar amount of personal data can be stored in them. I

would disagree with this statement, as in my opinion the reasonable thing to do would be checking

the privacy settings once it becomes clear that they are customizable. Another issue which was

brought up was the search engines, which would have access to the private profiles of Facebook's

users. This also was thought to be contrary to the mentioned principle, however no reasoning was

given about it, just that Facebook did not present the evidence that users wished to have their

profiles appearing on search engines. The commissioner also mentioned that “it should be left up to

the individual user to decide for himself or herself whether to make information available outside

the [Facebook] community.” The sole fact that this is not the default setting does not make it

impossible or significantly harder for the user to change the settings if he does not feel comfortable

with being displayed by Google; therefore I do not agree with the findings of the

commissioner on article 2.

3. Facebook Advertising: According to the report, Facebook makes use of two types of

advertisements: Facebook ads and Social ads. The former target a person who has certain

information in his or her profile, signifying that he or she is in the optimal demographic to be targeted by

this ad. Not only the age and gender play a role in determining the ad, but also the favorite books,

shows etc. which the user specifies in the profile. It is impossible to disallow these ads, as a large

proportion of Facebook's income comes from them. There are a number of third parties which use

these ads and receive some data like IP addresses or download some information of the user's

computer (although only in a minority of cases the ads are not served by Facebook directly). This

might be the basis of the argument that a rational user agreed to share his data with Facebook itself,

but not with the other producers of such ads and not with the other companies. While the argument

was not brought up by the commissioner, it is a logical one to make. Another category of

advertisements are social ads. These ads are triggered by an action that a Facebook user or his friend

performs. This of course raises the question of the legality of Facebook posting an ad which will

indirectly disclose the actions of the person. Interestingly enough, Facebook stated that by

performing the action, the user gives consent for the ad to be displayed. Social ads use the person's

name and picture while posting this, which inevitably raises the issue of possible impersonation.

4. Third Party Applications: The possible problems which arise due to the third party applications,

however the report was quite effective in summarizing the most controversial features. Firstly,

applications collect data of their users and their friends. This raises the question about sharing the

data of the friends – they did not agree to share their private information with the applications and if

they do not specifically block various applications their friends are using their private data will be

revealed. Applications are not allowed to view all the data, however. As a general rule, they may

access the already publicly displayed page. Also, they may not do it at any time, but only when the

user has the application running. The application cannot allow other users to access the data which

the user does not allow them to see. Most importantly, the application has to destroy all the data 24

hours after accessing it and may only use it for the purposes of the application, or at least had to

before Facebook's last update (as of the time of the report). Creators of applications must also abide

by Facebook's regulations, both those in place for regular users and the more specialized ones for

the application developers (which, for instance, compel the app provider to reveal which

information is going to be used, and for what reason). Facebook does not monitor the actions of the

apps and the users themselves should take notice of any misuse of their data and report it, as is

quoted directly in the terms of use. Facebook does, however, encourage developers through quality

certificates and increased recommendations to adopt a policy aimed at data protection. In a response

to the report, Facebook stated that although it is under no contractual obligation to monitor the

applications, in reality it has a system which does that. Moreover, the types of data an application

may receive are strictly regulated, for example the e-mail of a user will never be disclosed. The list of

possible types of information has little to do with them being “sensitive” information or not, as for

example political views and dating interests are displayed to the third parties without problem. It is

an interesting fact, that consent is a condition sine qua non for using the applications. Should a user

change his privacy settings so as not to allow the applications to make use of his data, all will be

deleted without notice. An interesting way was developed to conceal the real meaning of the

agreement that the user signed with the application provider – there was a reference to the “platform

application terms of use” in the “Facebook terms of use”. When a user signed the agreement with the

application provider, he was only informed that he would abide by the Facebook terms of use. This

made the users more likely not to check the general terms and conditions before they agreed to

them. I could argue that the incident might be against the spirit of principle 4.3.2 of the act, which

obliges the organizations to put a “reasonable effort” to reveal the purpose of the collected

information. A survey was done at the University of Virginia, which found out that over 90% of the

applications receive more private information than they require, which could be regarded as going

against principle 4.4.2, which states that the organizations must limit themselves to collecting

information they will use; however, I think that this is not the case, as there is no mention of what

percentage of the applications actually make use of excessive available data. Another important

aspect is the applied safeguards. Safeguards, which are measures which protect the information,

are supposed to be in part technological. Facebook was found to rely almost solely on legal

safeguards which are easily passable by the applications.

5. New Uses of Personal Information: The problem developed because Facebook at times decides to

use the information provided by the users for different reasons, which were not explained to them

previously. The website was thought not to seek the users' agreement in a proper way before making

alternative use of their personal information. In response, Facebook cited its terms and conditions,

in which its competence to do so is clearly stated, saying moreover that it has not used this

possibility since it was established. Another controversy lay in the method of changing the terms of

service – Facebook had a possibility to do it any time it wished to, just leaving the information

about the changes on a separate page that the users were under the obligation to visit regularly, and

cease to use Facebook if they did not agree with the changes. The commissioner did not find

anything suspicious about these rules, and I have to agree that while they impose a duty on the user,

the user has to agree on it before starting to use Facebook. However, the terms and conditions have

since been changed so that further changes will be performed in a clearer manner.

6. Collection of Personal Information from Sources other than Facebook: Facebook has stated in its

terms of service that it might collect personal information from other sources than its website,

which could be a serious threat to the data protection. To illustrate this, it is possible to once again

bring up the Polish Personal Data Protection Act, where obtaining personal data from users without

consent required a different procedure and had many more restrictions imposed on it.41 Facebook

was not specific about the procedures by which it collects these data, and when asked, its

representative stated that currently no such procedure is taking place; however, this is something that

the firm plans to impose in the future. Of course, without more precise statements or enforced

procedures there is not much that can be discussed.

7a. Account Deactivation and Deletion: The problem stems from the fact that there are opinions that

the two forms of removing the account are nearly indistinguishable. The opponents of the current

system point out that the information which was on deleted accounts stays for a number of days

before it is permanently removed. Facebook claimed this happens due to technical issues and the

41 "ABC Wybranych Zagadnień Z Ustawy O Ochronie Danych Osobowych." GIODO Generalny Inspektor Ochrony Danych Osobowych -. WYDAWNICTWO SEJMOWE, n.d. Web. 15 Dec. 2012. (text in Polish)

commissioner did not find it to be a legally questionable practice. After the report, Facebook

changed its screen informing about the effects of deletion to inform users about this issue. When

deactivation is taking place instead of deletion, the data is hidden but stored indefinitely. The

commissioner found that it was contrary to the principle 5.3, which states that information should

not be kept for longer than it is needed. She suggested that Facebook adopt a retention policy

which will cause the data to be stored for only a limited period of time and deleted afterward.

Facebook stated that preserving data is important from the point of view of the deactivated users,

the majority of whom return, expecting to find their inputted information intact. I agree with the

opinion of Facebook, as if deactivated accounts were deleted after some time, this would render the

two forms of account removal to be too similar, which was the situation attacked in the first

accusation. In addition, I can say from my experience that I was not an active user of facebook for

about 2 years and if I decided to formally deactivate my account before this period, and the

Commissioner's opinion would prevail, my account would be deleted, which is not an action that I

wanted to perform. Possibly the best idea would be to merge the two options into one action, which

would require a user who deactivates his account to input the time period that must elapse before

its deletion, with “never” or “immediately” being options which could be chosen.

7b. Accounts of Deceased Users: The question about the fate of the personal data after the death of

a user is a controversial one. Facebook resolves the issue by “memorializing” a user's profile, which

consists of removing more sensitive information and only allowing existing friends to access the

rest. Immediate family can also request the data to be removed, which brings up the controversial

topic of inheriting the rights to personal information. This topic was not brought up in the report,

although Facebook has stated that “we concluded that the legal next of kin is the proper person to

make a decision as to whether the deceased would have wanted the site to stay up for their friends.”

In my opinion, an analogy should be drawn between this and the inheritance of intellectual property

– there should be an option to state in one's last will who should be the successor to the Facebook

account. The reason why I believe in this is that it is possible to inherit physical photographs and

unfinished writings recorded in physical media. There seem to be no differences between the

concept of ownership of photographs or writings as long as the author is alive – infringing one's

intellectual property rights to a picture or essay by using it without the author's permission is

punished just as severely if the materials were obtained by hacking somebody's account protected

by a password as it would be for physical materials stolen from somebody's locker. Therefore it

does not make sense to treat these materials differently as far as inheritance law is concerned. If

somebody wished to pass the rights to his digital collection of pictures of insects, stored on his

account on social media, to his nephew who is interested in entomology he should be allowed to do

so. The same applies if someone developed a popular Facebook profile which is used as a board for

posting updates or reviews about a certain topic and wishes for the service to be continued by his

co-worker after his death on the same domain. It would be justifiable to treat this issue in a

different way if it was stated that the ownership of data passes to the social media provider in the

contract that the user signs, however with Facebook it does not seem to be the case – quite the

opposite, it is clearly stated in the statement of rights and responsibilities that “You [the user]

own[s] all of the content and information you post on Facebook, and you [the user] can control how

it is shared through your privacy and application settings”.42 Therefore allowing “the next of kin” to

determine the fate of his deceased family member's account should only happen if the deceased user

did not leave any dispositions about it, which would effectively only require Facebook to change the

term “next of kin” to “legal successor”. Another potential topic for debate is whether the “next of

kin” has the right to be informed about the “memorialization” of the account with the personal data of

their relative. In many circumstances the “next of kin” would not know that his deceased relative

had a facebook account. So, as Facebook has a policy of allowing the relatives to decide on what

will happen to the memorialized account, there should be some procedures which will be used to

inform these people, who might not have signed the terms of service with Facebook, about the

decisions they can make. The last issue that should be raised is the procedure which Facebook uses

to determine if someone is dead. As logging in at regular intervals is not a required action for

maintaining one's account, the information about someone's death must come from other users. At

the present day, there are forms which a person can fill in, attaching evidence about someone's death43.

However such precautions do not seem adequate – it would be perfectly possible for a group of

friends (including the “next of kin” of the victim) to collaborate and, using obituaries prepared by a

graphic program, trick Facebook's administrators into believing that a person is dead and request

his profile to be permanently deleted. This is another reason that I do not agree with the

commissioner’s opinion about the issue raised under point 7a – there should be a way to reactivate

deleted accounts for a reasonable time on the request of the owner, as a person considered dead by

Facebook might log on to his profile a few months later only to find out that it was deleted due to the

actions of his friends and relatives. A possible way to solve some of the issues which were brought

up would be requiring the civil authorities (for example the General Registry Office in the UK) to

inform Facebook once they register someone's death44. This, of course, would require a new level of

cooperation between the governments of various countries and a private corporation – causing a

42 "Facebook Statement of Rights and Responsibilities." Http://www.facebook.com/legal/terms. N.p., 11 Dec. 2012. Web. 15 Dec. 2012.

43 "Memorialization Request | Facebook." Facebook, n.d. Web. 15 Dec. 2012. <http://www.facebook.com/help/contact/305593649477238?rdrhc>.

44 "Facebook's Death Problem." Http://theweek.com. N.p., 21 July 2010. Web. 15 Dec. 2012. <http://theweek.com/article/index/205158/facebooks-death-problem>.

wide range of legal problems which will not be discussed here.

8. Personal Information of Non-users: There are two areas in which the rights of non-users of

Facebook might be infringed. The first case was already discussed and concerns accessing the

e-mails of non-users by Facebook, and using them to send invitations to join the website. This can be

considered a violation of the rights of both users, who did not necessarily agree to share the e-mails

with Facebook and the rights of the non-users who have their personal data retained by Facebook

often without their knowledge. While this topic was not looked upon by the Canadian

commissioner, the way Facebook acquires the email addresses is important, as it determines whether

sending “spam” emails can be considered an unlawful action in the light of certain legislation, most

notably the United States legislative act Controlling the Assault of Non-Solicited Pornography and

Marketing Act, known as the CAN-SPAM Act of 2003.45 Under its provisions, sending automatically

generated emails by Facebook can be considered illegal if the email serves a commercial purpose

(which is stated to include advertising “content on an Internet website operated for a commercial

purpose”) and does not meet one of the 3 “basic types of compliance”. The potential problem

with Facebook is based on the “sending behavior compliance”, in case the method Facebook uses to

acquire the email addresses it sends the correspondence to includes “harvesting” them. The exact

definition of email harvesting is controversial, but generally it states that “Email harvesting is the

process of obtaining a large number of email addresses through various methods”. The methods do

not have to include viruses or malware, obtaining them in large quantities from other users can also

be classified as “harvesting” them.46 This seems to be similar to the technique used by Facebook,

which asks its members to grant it temporary access to their email address book. The emails stored

in this book could themselves have been obtained through various methods, and not necessarily all of

the people who own them would like to receive an email from a social media on behalf of a person

they barely know, or who they know and dislike.47 Another method used by Facebook consists of

obtaining addresses from emails added to tags of non-registered users, which itself is a highly

controversial practice, possibly infringing the rights of non-users, as will be discussed later. The

question remains unanswered: does Facebook break the US law by its policy toward emails? The

answer is most probably negative, as there were no cases found on the internet in which anybody

sued Facebook on these grounds – quite the contrary, Facebook itself used the CAN-SPAM Act to

45 "15 USC Chapter 103 - CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING." Cornell.edu. Cornell University Law School, n.d. Web. 16 Dec. 2012. <http://www.law.cornell.edu/uscode/text/15/chapter-103>.

46 "Email Harvesting." Techopedia. Ed. Cory Janssen. N.p., n.d. Web. 16 Dec. 2012. <http://www.techopedia.com/definition/1657/email-harvesting>.

47 Riley, Carole. "How Did Facebook Get My Email Address?" Social Media and Genealogy. N.p., 22 Apr. 2011. Web. 16 Dec. 2012. <http://socialmediagen.com/how-did-facebook-get-my-email-address/>.

hold a successful trial against a company which used it for commercial reasons.48 Despite not

breaching the aforementioned act, the procedure goes against principle 4.5 of the Canadian Personal

Information Protection and Electronic Documents Act – which disallows retaining email addresses

beyond the purpose for which they were collected. Facebook did not respond to the accusation, and the case is

not resolved yet.

The other case which was brought up in section 8 of the commissioner’s report describes

one of the most important and often discussed issues of social media – specifically “tagging” people

on posted pictures. This is highly controversial, as it enables third parties to view information that

might be sensitive, without the permission or even knowledge of the interested persons. Tagging

people can possibly infringe the rights of 2 people: the person whose name is displayed on the

picture and the person who the picture was taken of. The second one can be either tagged correctly,

but without giving permission to be tagged – or he can be tagged wrongly, which usually means that

there can be a case of a person whose name was marked instead. It is furthermore impossible for the

people to “untag” themselves if they do not have an account on Facebook. The Canadian

Commissioner proposed a set of harsh regulations, like the need to obtain consent from the third

party before posting any information of non-users and a system of sanctions for the offending

parties, including banning of their account. It was however found in the investigation that the new

Statement of Rights and Responsibilities already covers most of the suggestions, as it prohibits

Facebook users from “infringing someone else's rights or otherwise violating the law”. This is, of

course, a very general statement, and from my perspective a completely unnecessary one, as it only

duplicates the existing regulations. More importantly, it does not specify the law of which countries

the user must abide by – the law of his country (rendering the regulation ineffectual) or all the

regulations of countries that Facebook is working in. However, the next provision allows Facebook to

remove any content which the company feels is a violation of the previous bylaw and to disable

accounts for frequent repeated breaches. The Statement contains some detailed provisions, such as

disallowing the posting of identification documents or sensitive financial information of third

parties and stating that consent must be acquired before collecting information from other users on

one's behalf. The procedure of tagging people has not been addressed in detail, however according

to Facebook, every user can ask for the tag with his name to be removed. In addition to this, every

non-user who is tagged with his email address receives an email from Facebook notifying him about

the fact that he has been tagged and that he can join Facebook, which will enable him to request the

tag to be removed. This procedure, while allowing a non-user to remove his tag by joining, is highly

controversial, as it both discriminates against users who did not have their email included and is a

48 Levi, Stuart D., and Gregory T. Palumbo. "Application of the CAN-SPAM Act to Social Networking Sites." Skadden, Arps, Slate, Meagher & Flom LLP, 12 May 2011. Web. 16 Dec. 2012. <https://www.skadden.com/insights/application-can-spam-act-social-networking-sites>.

dubious action at best in the light of the CAN-SPAM Act, as mentioned previously. The dispute was

not resolved until this date.

9. Facebook Mobile and Safeguards: The next potential legal issue which was brought up about

Facebook was the supposed possibility of logging in to a Facebook account from the device that was

being used previously, even if the password was changed using another device. The allegation was

not well founded, but the legal issue did not cease to be interesting: are social media required by

law to provide a safe password scheme? Looking globally, this question must be answered

positively, as there exist a number of regulations on this topic, notably article 13 in the Dutch Data

Protection Act49, which states that “The responsible party shall implement appropriate technical and

organizational measures to secure personal data against loss or against any form of unlawful

processing”, whereas article 1 determines that the “responsible party” is any physical or legal entity

that decides about the transfer of user data. Failure to comply with this article could lead to

sanctions defined under Directive on Privacy and Electronic Communications50, which include

holding social media responsible for the loss caused by insufficient password security.

10. Monitoring for Anomalous Activity: The penultimate problem looked on by the Commissioner

was the procedure of monitoring for “anomalous activity” of its users. The problem that the

Canadian commissioner had with these procedures had more to do with not informing the users

adequately about the practice, however one of the findings included in the report proved to be very

interesting from the point of view of assessing the cooperation between legal authorities and social

media. One of the proposed cases in which Facebook monitors for “anomalous activity” is regulated

by an agreement between Facebook and the attorneys general of 49 states within the USA. According to this

agreement, a number of steps must be taken by Facebook – for instance, it monitors where a user

significantly changes his or her age, which might indicate faking it in order to gain access to the

features not available for underage users. Also, due to this agreement, Facebook takes notice when

someone becomes “friends” with a person who is significantly younger than him or her, which

could enhance the safety of its youngest demographic. The article mentioned that the agreement is a

part of a larger project which encompasses various other social media sites, such as MySpace.51

This, while demonstrating how governments and social media can cooperate to achieve a socially

admirable goal, also triggers a question – are the benefits of such endeavors always worth their

49 "Personal Data Protection Act (Unofficial Translation)." Dutch DPA. N.p., n.d. Web. 18 Dec. 2012. <http://www.dutchdpa.nl/Pages/en_wetten_wbp.aspx>.

50 "Offences and Penalties under the Data Protection Act - Data Protection Commissioner - Ireland." N.p., n.d. Web. 18 Dec. 2012. <http://www.dataprotection.ie/viewdoc.asp?DocID=97>.

51 Stone, Brad. "Facebook Agrees to Devise Tools to Protect Young Users." New York Times, 9 May 2008. Web. 18 Dec. 2012. <http://www.nytimes.com/2008/05/09/technology/09face.html?_r=0>.

price, such as the conflict in this example: is increased safety, which is embodied by data protection,

worth the lost privacy? This question, however, is more philosophical than legal, and demonstrates

that problems which arise from the conflict of two spheres of rights are not absent from debates

about social media.

11. Deception and Misrepresentation: The last issue assessed by the Canadian commissioner was a

short one, however it serves as an ideal epilogue for the whole essay. The accusation stated that

“CIPPIC alleged that Facebook […] was misrepresenting itself by claiming to be purely a social

networking site [...]”. The allegations were quickly dismissed due to lack of evidence, but I could

not allow such a question to slip by: “What makes Facebook a social network site?” In the first part

of the essay I have established that social network sites focus on human communications through

the internet, however if this definition was comprehensive, all the websites allowing the sending

and receiving of emails would be considered as examples of social media. Some other parts of the

definition have to be added for the term to receive a meaning akin to the one used commonly.

According to one of the proposed definitions, the biggest criterion which makes social media unique

is sharing the information between people by the means of “virtual communities and networks”.52

While emails were the virtual representations of sending letters, social media go one step further

and seek to emulate the direct contact between people. This is precisely the reason why, although

they have existed for a short time compared to emails, the legal issues regarding their usage received such a

great amount of interest from governments and lawyers. It is impossible to predict in which way the

social media will evolve, however one thing is certain – whatever technology will be discovered

and put into use regarding social media communication, legislators and jurists will always be a step

behind and will find ways to scrutinize breaching existing regulations if appropriate or create new

laws which will combat the activities which are deemed harmful by the majority of the society

otherwise.

52 Ahlqvist, Toni; Bäck, A., Halonen, M., Heinonen, S (2008). "Social media road maps exploring the futures triggered by social media". VTT Tiedotteita - Valtion Teknillinen Tutkimuskeskus (2454): 13.