Marcin Klisiak
Rauno Korhonen
Introduction to legal informatics
14 December 2012
Legal issues concerning internet social media with a special reference to privacy
Table of contents
I. Outline of the problem
II. Applying international law to the internet
III. Contractual issues regarding the social media
IV. Determining the administrator
V. Users displaying sensitive information
VI. Concern about applications
VII. Applying law in case of involuntary infringement of privacy
VIII. Analysis of the report of findings of the Canadian Privacy Commissioner
1. Collection of Date of Birth
2. Default Privacy Settings
3. Facebook Advertising
4. Third Party Applications
5. New Uses of Personal Information
6. Collection of Personal Information from Sources other than Facebook
7.1 Account Deactivation and Deletion
7.2 Accounts of Deceased Users
8. Personal Information of Non-users
9. Facebook Mobile and Safeguards
10. Monitoring for Anomalous Activity
11. Deception and Misrepresentation
Outline of the problem
While the field of data protection on the internet is still a relatively untrodden area with
respect to law, it is becoming a more viable concept for our daily lives. Modern internet
technologies are used in many fields, from allowing people to check tomorrow's weather to
ushering in new possibilities for the government, including online law publishing and e-auctions.1 A
part of this field consists of people communicating with each other through various internet
websites, which focus on human interaction. This section has seen a great increase in its use in
recent years. These websites are known as social network sites, and are often defined as sites on the
internet which allow users to create profiles, have a list of people they are connected with and watch
the profiles and connection lists of other users2. One of the most popular ones is Facebook, which
currently has over 1 billion users3.
Due to the relatively recent rise of such networks, there are no comprehensive legal regimes
which can govern legal issues stemming from their use. Instead, an analogy needs to be made each
time law is to be applied to such media. As the analogy needs to be made from the legal sources
developed mainly for direct interaction, it is not an easy and direct thing to accomplish. Another
problem with the application of law to the social media comes from the fact that the said media are
applied internationally, but most often the law which deals with them is national. Thus, rules of the
private international law, dealing with the application of the proper legal system, have to be applied.
Since the legal issues are solved predominantly in national courts, I will use the law of different
countries as examples. I will also most often use Facebook as an example of social media, as it has
probably the largest collection of legal issues. There are many other challenges which a lawyer who
wants to understand this branch of law has to overcome, for instance how to deal with the fact that
data is physically stored on servers.
What is privacy?
The majority of cases which will be discussed have a connection to the problem of privacy.
Privacy is a subject raised in many fields of law, but it is especially important regarding the internet.
The concept was best described in an article by Warren and Brandeis as “the right to be left alone”.4
1 25 Years of Data Protection in Finland. Helsinki: Ahti Saarenpää, 2012. Print.
2 Boyd, Danah M., and Nicole B. Ellison. "Social Network Sites: Definition, History, and Scholarship." Journal of Computer-Mediated Communication (n.d.): n. pag. Social Network Sites: Definition, History, and Scholarship. Web. 14 Dec. 2012.
3 "Facebook Tops Billion-User Mark". The Wall Street Journal (Dow Jones). October 4, 2012. Retrieved December 14, 2012.
4 Saarenpää, Ahti. Legal Privacy. Zaragoza: Prensas Universitarias De Zaragoza, 2008. Print.
How controversial and popular the topic is could be seen during the demonstrations in the
European Union against ACTA, a piece of legislation which was thought to limit the amount of privacy
internet users enjoy.5,6 While the question of privacy was not ushered in by the advent of IT and
social media, it is much easier to infringe one's right to privacy while working online than in the
“real world”. Additionally, it is important that the right to privacy is not absolute and often clashes
with other norms and values, such as the good of public safety, when the police search users'
private data in order to apprehend both “real world” and internet criminals. This is not so prominent
in the social media, which are generally concerned with the issues of other users and firms being
able to find out too much information about a user. The government's role in these situations is
generally thought to be reversed with regard to the criminal and intellectual property matters, and
instead of attempting to limit the amount of privacy justifying it with protecting other values, it
often sides with the internet user to assist him in gaining more control over the usage of private data
which he inputs, even if most users themselves do not see that as a major problem. It must be noted
that the right to privacy is not synonymous with the right of personal data protection. Privacy is a
wider term, used both for information systems, like the internet and for regular activities. On the
other hand, data protection does not only encompass data about the private sphere of the individual.
The right to privacy has Roman origins7, while data protection started developing more recently.
Privacy seems to be on a gradable scale, as the sphere of privacy of a government official is
smaller than that of a typical person. Also, different groups might have a legitimate interest in
knowing about one's private affairs; for instance, biological children have the right to know their
parents' identities, and bosses are thought to have more information about their employees, although
only to some extent, as will be shown later in the essay. Another distinction that often happens on
social media sites is the distinction between “friends”, who are able to view the majority of a
person's profile, and non-friends, who have relatively restricted access to this information. In contrast
to the previous examples, this distinction is drawn solely by the user, which signifies an important
aspect – like most rights, the right to privacy can be renounced in certain cases, with regard to part
of it and certain people. Not in just any way, though: privacy is cited in many constitutions as an
inalienable right, which essentially means that law prohibits giving it up in a contract – a good
example would be the constitution of California, which states it in article 1.8
5 "ACTA: EU Privacy Watchdog Warns of Internet Spying Threat." EurActiv.com. N.p., 25 Apr. 2012. Web. 20 Dec. 2012.
6 Lee, Dave. "Acta Protests: Thousands Take to Streets across Europe." BBC News. BBC, 02 Nov. 2012. Web. 20 Dec. 2012.
7 Saarenpää, Ahti. Legal Privacy. Zaragoza: Prensas Universitarias De Zaragoza, 2008. Print.
8 "Constitution of the State of California 1849*." Constitution of the State of California 1849. Ed. Debra Bowen. California Secretary of State, n.d. Web. 20 Dec. 2012. <http://www.sos.ca.gov/archives/collections/1849/full-text.htm>.
Applying international law to the internet
A particularly interesting topic for the debate about using private international law for
delimiting the legal regime to be used for internet based cases is finding the place where the effect
happened. While the internet transmits data internationally to a great extent, it was not
the first device to do so – before it, television and radio also sent information over long distances,
in many cases across boundaries as well. Neither of them ushered a dramatic change in the
international private law, so why should the internet do so?
One of the early ideas for a legal control over the internet came from the state of Minnesota.
In 1990 the state legislation was as follows “[p]ersons outside of Minnesota who transmit
information via the internet knowing that information will be disseminated in Minnesota are subject
to jurisdiction in Minnesota courts for violations of state criminal and civil laws”.9 This decision is
controversial, especially since people from other countries might not be subject to the same
regulations, which means that one might undertake a perfectly legal action while working on the
internet in his own country, which is not legal under Minnesota rules and be subject to a penalty
there. In order to prevent this, certain countries, such as Poland, introduced the principle of
double incrimination. The principle states that for an action to be punishable, it must be considered
a crime under both legal regimes10. Another problem which arises, even if the offense is
indisputable, is the question of which law to use – for example, when a person from South Korea
working on a computer in Singapore tags a person from Malaysia incorrectly as a citizen of China
on Facebook, whose server is located in the USA, but the offended people were in Vietnam and Japan,
respectively, where will the offense be committed? Whether tagging someone wrongly is really an offense
will be discussed later; for now I will attempt to answer what would be the place of jurisdiction if it was
considered a reasonable breach of one's rights. In reality the answer varies from system to system,
but if it was judged according to the Polish penal code, all of these places are accurate, as it is
possible to talk about the place of jurisdiction where the offender acted (or refrained from acting),
the effect occurred or where the effect should have occurred according to the offender. According to
other articles, also committing a crime against a citizen of Poland would constitute an offense
punishable under the Polish law, as well as in the case of a citizen of Poland committing it abroad.
9 Memorandum of Minnesota Attorney General as reproduced in: B. Jew, 'Cyber Jurisdiction – Emerging Issues & Conflict of Law when Overseas Courts Challenge your Web' (1998) 24 Computers and Law, 23.
10 Wróbel, Włodzimierz, and Andrzej Zoll. Polskie Prawo Karne: Część Ogólna. Kraków: Wydawnictwo Znak, 2011. Print. (Text in Polish)
To make matters even more complicated, there exists a theory under which if one posts text
in social media or anywhere on the web, which contains information disallowed by law, for instance
defamatory, it is sufficient when someone from the country reads it for it to be the basis of a
litigation process11. This view is based on an idea that the effect occurred in each country the
material was seen and downloaded. While this is not a unanimous view, as certain countries, such
as the USA, do not accept it, many other important countries do. For instance, EU law held so in
the Mines de Potasse case, where the European Court of Justice decided in a preliminary ruling that
the offended party may sue the offender in any country where the law applies12. A valid question
which should be asked in this case is – should we apply all the laws at the same time? The answer is
unfortunately positive, although there exist procedures which allow a country to exchange prisoners
or count a sentence served under a foreign legal system as a sentence served in its own prison. Of
course, in case of private proceedings, when the court orders that a compensation should be paid,
one person would not need to pay a fine from the civil jurisdictions of all the countries in the world
where downloading or viewing the criminalized content occurred, as the plaintiff has a choice of
where he wants to sue; this view was even put forward in the aforementioned case. In
conclusion, according to the popular image, the internet is considered to be a place where no
legal rules are applied, not entirely dissimilar to a 21st-century Wild West. However, in reality, it is
governed by the laws of every country.13
Contractual issues regarding the social media
There are two types of legal disputes that arise in social media: infringing of the right of the
user by the media and infringing of the right of one user by another user or a third party. Although it
may seem that in cases of litigation between social media and the user there is some form of
vertical relationship, the “equality of arms” before the court in civil matters is one of the
fundamental principles of today's jurisdiction and ensures that the sides have equal rights and
responsibilities. The cases often touch upon the aspects of data protection, privacy and terms of
contract, while the cases of a user versus another user or third party often concern the protection of
intellectual property and various forms of slander.
11 Svantesson, Dan Jerker B. Private International Law and the Internet. Alphen Aan Den Rijn: Kluwer Law International, 2007. Print.
12 Judgment of the Court of 30 November 1976. - Handelskwekerij G. J. Bier BV v Mines de potasse d'Alsace SA. - Reference for a preliminary ruling: Gerechtshof 's-Gravenhage - Netherlands. - Brussels Convention on jurisdiction and the enforcement of Judgment, article 5 (3) (liability in tort, delict or quasi-delict). - Case 21-76. EurLex database, case 61976J0021
13 Svantesson, Dan Jerker B. Private International Law and the Internet. Alphen Aan Den Rijn: Kluwer Law International, 2007. Print.
An interesting exception from this is the argument over which actions on social media
constitute “free speech” and should be protected, which took place in the USA in 2011. It is a
prime example of applying old law to the conflicts which were developed only recently due to the
rise of social media. The actions which were put into doubt consisted of “liking” other users on
Facebook, and the subsequent reactions of third parties. In several cases, state employees were fired
from their work for “liking” a profile page of the competitor of their bosses. These actions were
thought to breach the 1st amendment of the constitution and various case law which arose from it. In
the well established US case law, one of the important rules states that “A public employer may not
fire an employee for speech relating to a matter of public concern where that speech causes no
disruption to the workplace”. However the court ruled negatively in this case, stating that a “like”
was not a “substantive statement” that was protected by the amendment. The ruling was so
controversial that American Civil Liberties Union and Facebook itself voiced their negative opinion
about it. In my view, the explanation of the court in this case is not satisfactory, as in a previous
Supreme Court ruling, an incident of flag-burning was treated as “symbolic speech”14 and the
second amendment of the constitution was thought to apply to it. Therefore, clicking a “like” on
Facebook should fall under the same category of actions, only without the profanation of a national
symbol controversy. So, what does this case mean to the civil law world? This question is hard to
answer, as each country has different regulations and different interpretations of these regulations
and terms, as well as a different policy on the freedom of speech. Nonetheless, the ruling was only
negative when the “likes” were considered, as writing comments on social media was considered to
be an action guaranteed by the free speech. This brings another factor to the equation, namely why
would posting a message which reads “I approve of that” be any different than clicking the like
button? The controversy is enhanced by the fact that a text message that is displayed after pressing
the “like” button consists of the words “[list of people who clicked 'like'] like this”. In conclusion,
the effects of clicking “like” are not that different from posting a message, and even if they were,
more controversial things were considered “speech” in the meaning of amendment 1 previously.
While the above case is, at the moment, marginal, there is another recently widespread issue
which connects using social media and employment. This case consists of job interviews during
which the interviewer asks for the password to Facebook. This problem once again surfaced in
America, and was so severe that federal legislation was proposed to deal with it, which did not pass
only due to its poor wording.15 At the moment, the legal situation is unclear, because an analogy has
14 Epstein, Lee and Walker, Thomas G. (1998) "Constitutional Law for a Changing America: rights, liberties, and justice" 3rd ed. pp. 258-280 Washington D.C.: Congressional Quarterly Inc.
15 Protalinski, Emil. "House Votes down Stopping Employers Asking for Facebook Passwords." ZDNet. N.p., n.d. Web. 14 Dec. 2012.
been made at times with the employer running background checks on potential employees or asking
specialized firms to make private investigations into the workers' details. These practices are
currently legal, and asking for a password allowing access to other private data can hardly seem a
different matter. However, it includes some dubious points: currently in US law it is forbidden,
depending on the state, for employers to ask their potential employees certain questions, for
instance regarding their religion, orientation or political affiliation. Asking the potential employee
for the password to his Facebook profile might be a way of circumventing the regulations, as most of
these details are often stored inside. Another potential problem consists of the fact that such a
request can be considered accessing computers and electronically stored information in an illegal
manner. More specifically, it could infringe the federal Stored Communications Act (SCA), or the
Computer Fraud and Abuse Act (CFAA). The question about the legality of such practices depends
on whether the giving of one's password in such a way may be considered voluntary or is just a
form of coercion, which would infringe these regulations. On two occasions, in 2002 and 2009,16
courts sided with the plaintiffs who accused their supervisors of accessing the private information
using the obtained passwords. The more recent case was also an example of social media being
used, as the website accessed was Myspace and the password was thought to be obtained using
coercion.17 Not only do worker protection and human rights groups advocate disallowing this practice;
social media also sometimes create regulations which ban it. For example,
giving away the Facebook password constitutes a breach of the terms of service of the site.
Facebook stated that it would sue the employers on the basis that their actions constitute a breach of
contract.18
Determining the administrator
When dealing with privacy cases connected to social media, or media available
internationally in general, some problems occur which are unheard of while discussing issues
happening within a country. One of the most important questions to answer in such a case is “who is
the administrator of personal data?”, because this entity will assume special rights and obligations
which will be discussed below. It is not an easy question to answer, as various legal regimes have
different theories on this subject; in this essay I will present two: the concept within the Polish law
16 Konop v. Hawaiian Airlines, Inc and Pietrylo v. Hillstone Restaurant Group respectively
17 Ramasastry, Anita. "Can Employers Legally Ask You for Your Facebook Password When You Apply for a Job? Why Congress and the States Should Prohibit This Practice." Verdict, Legal Analysis and Commentary from Justia. N.p., n.d. Web. 14 Dec. 2012.
18 Brodkin, Jon. "Facebook Says It May Sue Employers Who Demand Job Applicants’ Passwords." ArsTechnica. Ministry of Innovation/Business of Technology, 23 Mar. 2012. Web. 14 Dec. 2012. <http://arstechnica.com/business/2012/03/facebook-says-it-may-sue-employers-who-demand-job-applicants-passwords/>.
(in the Personal Data Protection Act) and the definitions created by directive 95/46 of the European
Union. According to the directive, the administrator is called the “controller” and is “the natural or
legal person, public authority, agency or any other body” which “determines the purposes and
means of processing of personal data”. The same article allows the laws of member states to
designate their own definition of the controller.19 It is applied, for example in the Polish legislation,
where the controller is called “administrator of personal data” and only falls under the regulations if
it has its place of business or living in the Republic of Poland or manages data with technological
measures located in this country. The material definition is the same as in the EU directive,
though.20 After establishing the definitions of the data administrator, I will attempt to establish whether
Facebook falls under it (regarding Polish law, which will serve as an example of the legal questions
that have to be asked to determine the case), and if yes – what the consequences are for the
company.
It is difficult to say whether Facebook fulfills the geographical criteria for being an entity which
has to follow Polish law; the question of what exactly are “technological measures located in a
country” is a complex one. However, according to an official interpretation of the Polish agency
GIODO (General Inspector of the Protection of Private Data), “The legislation is not to be applied
in case of […] entities having their place of business or living in a third country (not belonging to
the European Economic Area), using technological means located in the Republic of Poland only
for the transmission of data”.21 However, while the principal place of business of Facebook is
located in the United States, it does have an office in Poland22, which has a potential to make the law
of the protection of personal data applicable in this case.
While the claim that Facebook is the administrator of our personal data is widespread, the
portal itself attempts to lessen its responsibility by stating that the real person who is the personal
data administrator is the owner of the profile himself.23 The reasoning that Facebook gives is that
certain solutions regarding transmitting data are customizable by the users to a great extent. Let us
assess this claim from the perspective of the Polish and European law – first of all, in the directive it
is written that the controller can act “alone or jointly with others” - so, even though the users may
19 Luxembourg. European Parliament and the Council. Official Journal. 31995L0046 - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data. Luxembourg: n.p., 1995. EUR-Lex. Web. 15 Dec. 2012.
20 Ustawa z dnia 29 października 2010 r. o zmianie ustawy o ochronie danych osobowych oraz niektórych innych ustaw (Dz. U. Z 2011 r. Nr 229, poz. 1497) (Text in Polish)
21 "ABC Wybranych Zagadnień Z Ustawy O Ochronie Danych Osobowych." GIODO Generalny Inspektor Ochrony Danych Osobowych -. WYDAWNICTWO SEJMOWE, n.d. Web. 15 Dec. 2012.
22 Cohen, David. "AllFacebook Newsletter." Facebook Opens Office For Central, Eastern Europe In Warsaw, Poland. N.p., 28 Sept. 2012. Web. 15 Dec. 2012.
23 "GIODO Przestrzega Polaków Przed Facebookiem." Newsweek.pl. N.p., n.d. Web. 15 Dec. 2012. (Text in Polish)
attain enough control over the information that the claim of Facebook that users are data
administrators too could be upheld – it does not absolve the company from responsibility. Rather it
should attempt to prove that it lost enough authority over the data for it to be an option. Also, recent
developments suggest that the argument is invalid for the reason that Facebook imposes the
“purposes” of processing personal data on the user, for instance by a new mandatory feature which
automatically creates a page which lists all the activities of two people who are “romantically
involved”, be it long standing married couples or people in a short lived relationship.24 Apart from
that, the users have even less means of processing personal data, as they can only fill in the spaces
left by Facebook, such as age, movies that they like, already mentioned relationships, and their sex.
The last field of input can be regarded as the final argument that Facebook is, in reality, controlling
the means of data transmission, as a controversy arose when a gay activist demanded that Facebook
introduce the option of picking a “third gender” or “neither” in the “sex” column, and the website
refused.25 The definition falls under the Polish law as well. Many countries outside Europe already
hold the view that Facebook should be governed by their regulations; for example, Canada decided
that Facebook is subject to its federal law on the basis that one third of Canadians have their profiles
on Facebook, which constitutes a “substantial connection” between the social media and the
country. Certain Polish authorities decided that even if Facebook were not subject to Polish
law according to the country's legislation, it should be on the basis of the non-discriminatory
principle.26
Now that it is established that most probably Facebook should fall under the jurisdiction of
most countries' personal data protection law, what does it mean? As with most cases, there are
different obligations for the personal data administrators. Under the Polish law, one of their greatest
responsibilities is the “information obligation”. This obligation stems from two situations:
when the administrator collects personal data from the person in question and from other sources. In
either of these cases, the administrator has the obligation of informing these people about the
collection of their data, along with providing the information regarding the location where the data
was collected, the reason for which it will be used, the whereabouts of the data administrator
and the right to correct the data. This is a major disadvantage to the data administrator, as the person
from whom the data was collected has the ability to disallow the usage of the data. Being a
data administrator is the cause of more negative situations, however. The legislation imposes 5 rules
24 Ramasastry, Anita. "Facebook's Mandatory Couples Pages: The Site's Creating Them May Be Legal, But Is It Wise?" Verdict, Legal Analysis and Commentary from Justia. Justa, 20 Nov. 2012. Web. 15 Dec. 2012.
25 Protalinski, Emil. "Facebook Doesn't Add Third Sex, Gay Activist Disables Account." ZDNet. N.p., 30 Mar. 2012. Web. 15 Dec. 2012.
26 "GIODO Przestrzega Polaków Przed Facebookiem." Newsweek.pl. N.p., n.d. Web. 15 Dec. 2012. (Text in Polish)
of data transmission, which of course are specified more clearly in the law.27
(1) Legality, which implies that the data must be collected according to certain rules, and consists of
a few obligations, such as the obligation of asking the person from whom data will be collected for
permission to make use of it. It also requires that special care is taken when transmitting data
which are deemed to be “sensitive data” - such as ethnic origin, political opinions, orientation and
so forth. These are generally not allowed to be transmitted at all, except in enumeratively
specified cases.
(2) Connection to the purpose, which states that when collecting personal data, the reason for
collecting them must be provided and generally it is illegal to use the data for another purpose than
was given during their collection. This has the potential to be a dangerous regulation for Facebook,
if the data collected for another reason were used for, for example, their sale to other
data-collecting firms.
(3) Content-based correctness, which signifies that the data should be correct, complete and up to
date. The administrator should verify the data. Facebook is obviously a difficult place for this rule
to be applied in a proper manner, unless the theory of counting the user as an administrator is
applied.
(4) Adequateness, which is closely connected with the connection to the purpose principle and
states that the collected data must be necessary for the purpose of the data collection.
(5) Time restriction, which implies that the personal data must be connectable with the person
it concerns only as long as it serves the outlined purpose of data collection. Afterward, it has to
be rendered anonymous by the administrator.
Applying the rules of data transmission does not constitute all of the disadvantages
experienced by the data administrators under the Polish law. Perhaps shockingly, there is also a
possibility of the application of criminal law should the infringement of private data prove
sufficient; this will be discussed and exemplified later in the essay. As the above cases signify,
Facebook is rightfully concerned about the possibility of these regulations being applied to it. All of
the outlined mechanisms not only make data collecting more difficult but also render following the
regulations expensive as well. In previous years, there were many cases in which the website did
not comply with the legislation of various countries and refused to be sued by their courts28.
However, recently Facebook seems more cooperative and it acknowledges the fact that it is bound
27 "ABC Wybranych Zagadnień Z Ustawy O Ochronie Danych Osobowych." GIODO Generalny Inspektor Ochrony Danych Osobowych -. WYDAWNICTWO SEJMOWE, n.d. Web. 15 Dec. 2012. (Text in Polish)
28 "Facebook Stawia Się Polskiemu Urzędowi. "Nie Możecie Nas Pozwać"" Wyborcza.biz Biznes Ludzie Pieniądze (2010): n. pag. Wyborcza.biz. 19 Nov. 2010. Web. 16 Dec. 2012. (Text in Polish)
by those or similar rules, which is signified by its data use policy, where “your information” is
defined as “information that's required when you sign up for the site, as well as the information you
choose to share.”29
Users displaying sensitive information
Disregarding the argument over whether Facebook is the data administrator, the users can also violate the
privacy of other people, even involuntarily. The most often cited example is a disclosure of the
personal data of other users. A simple post on the Facebook wall is an action which has the
capability of unlawfully revealing personal data. Worse, even if both people have limited access to
their profiles, which renders the chance for the posts to be seen by others minimal, it is still
considered as an action which can reveal the information. There are several types of posts which
can be deemed unlawful. First, the already discussed sensitive data. The difficult part about dealing
with them is the fact that the definition of sensitive data varies from country to country, and
sometimes from state to state. It has already been discussed the cases in which law could possibly
work while dealing with acts committed abroad, so if the data is not sensitive for the legislators in
Mexico, but is for the courts of France, and a Mexican displays sensitive data of a French citizen,
could he stand for a trial in an of the countries? It is hard to give a definite answer, as everything
depends on the laws and agreements of both countries. Before seeking litigation, however, the
person whose data have been disclosed should ask the offender to remove them. In case he
complies, no more action is required. Only when the person refuses, a complaint can be filed to
authorities, for example to the General Inspector of the Protection of Private Data, or directly to a
court.
It is interesting that according to Wojciech Wiewiórski, the current Polish General Inspector of the
Protection of Private Data, not only posting messages on Facebook may be considered revealing
private data, but also inviting someone to groups or events, as by doing so, one is using the private
information to send the invitation. It is thus important to “think for a minute does the person want to
be invited”.30 While the Inspector does not give any examples, I would assume that inviting
somebody to an event for the Republicans, while knowing that he is a follower of this party, might
reveal his political affiliation or, similarly, an invitation to a gay parade will possibly reveal
someone's orientation. I do not agree with this opinion, as there is always a possibility to invite a
friend to an event that he will specifically not attend, as some might find it amusing to invite a
declared homophobe to an aforementioned event or a Nazi-sympathizer to a Jewish religious
29 "Data Use Policy." Facebook. N.p., n.d. Web. 15 Dec. 2012.
30 "GIODO Przestrzega Polaków Przed Facebookiem." Newsweek.pl. N.p., n.d. Web. 15 Dec. 2012. (Text in Polish)
ceremony. I can even relate to my personal experiences where I was invited to a Facebook group of
the local secondary school class representative elections in a different city, despite being a
university student studying hundreds of kilometers away. While it is arguable that the same can be
said for the possibility of posting incorrect messages, when posting a direct message about
someone's personal data it is possible either to post the data, which is disallowed without
permission, or to give incorrect information, which also might be illegal. Inviting someone to an event,
however, is not making a direct statement, as the person needs to confirm that he is coming there.
Besides, it is possible to reinforce this with a precedent mentioned before, where courts in the USA
refused to consider “liking” something a case of “speech”. The same can be said about invitations,
except that they are not as affirmative as giving “thumbs up”.
Concern about applications
Not only Facebook itself and its users have the potential to disclose private data. Recently,
there seems to be a growing concern about so-called applications, often abbreviated to apps, which
are programs that are developed specifically for Facebook (usually by independent companies,
considered third parties with regard to Facebook and users) and are run on this website for the
purpose of allowing users to play games or be connected with people having similar interests31.
These applications often require the users to provide them with their personal data, which they share with
various other companies, for instance ones specializing in internet tracking and displaying
advertisements. According to the cited article, the data is collected and transmitted regardless of the
privacy settings. This, apart from being legally questionable at best, was also against the policy of
Facebook, which resulted in some of the applications being closed down after Facebook learned
that their owners were sharing data of the users. The specific type of data that was shared was
the ID numbers. They are the basic recognizable values for Facebook, which allow the site to keep
track of its every page and, while containing no personal information themselves, allow other
parties to have immediate access to all of the data a user does not set to “private” - such as the
person's name and his pictures, which often contain a large amount of private and even sensitive
data. The background for the issue is the fact that a growing number of companies build
user databases. The firms which create and own the applications have been proven to be sharing the
users' identification numbers with the aforementioned companies.
As mentioned previously, these actions go against the policy of Facebook. The website does
not allow its applications to transfer data of its users to outside sources, even if the user himself
31 "Facebook." Daily Definition RSS. Techterms.com, 14 Jan. 2008. Web. 17 Dec. 2012.
agrees. Another event which proves this policy occurred when Facebook limited the amount of
information received by the applications to only the publicly displayed data, unless the user agrees
otherwise. On the other hand, until recently Facebook was itself passing data about the user to
third parties, which occurred when a user clicked on an ad, causing some of his data to be
disclosed to the advertising company. Only after the Wall Street Journal pointed the case out to
Facebook did it change the regulations. Interestingly, it is difficult to say if the owners of the
companies possessing the applications which disclose, collect and share private data are aware of
these processes. The representative of one of the application developers, RapLeaf, stated that “We
didn't do it on purpose” when questioned about sharing and collecting the data. This claim might
be true, as the information was passed by an internet standard, known as the “referer”, which
sends the address of the last visited page to the destination site when the user clicks on a link.
As the last visited page, when using the social media, is often one's own profile, it is possible to
conclude that the last visited page is most probably the user's personal page on, for example,
Facebook, which provides the application with the ID number of the user.
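The “referer” leak described above can be reproduced offline. The following is an added example, not code from this essay or from Facebook: the host names, the profile URL layout and the ID are constructed, and the downgrade test is simplified to "HTTPS page, non-HTTPS target". It computes the Referer a browser would send under each Referrer-Policy value and reports which policies expose the identifier to the linked site.

```javascript
// Constructed sample values: hosts, URL layout and the numeric ID are made up.
const PROFILE_URL = "https://social.example/profile.php?id=1000001#wall";
const AD_LINK = "https://tracker.example/click?campaign=42";
const USER_ID = "1000001";

// The eight policy tokens defined by the W3C Referrer Policy specification.
const POLICIES = [
  "no-referrer", "no-referrer-when-downgrade", "origin",
  "origin-when-cross-origin", "same-origin", "strict-origin",
  "strict-origin-when-cross-origin", "unsafe-url",
];

// Browsers never send the fragment or embedded credentials in a Referer.
function stripForReferrer(url, originOnly) {
  const u = new URL(url);
  if (originOnly) return u.origin + "/";
  u.hash = "";
  u.username = "";
  u.password = "";
  return u.href;
}

// Returns the Referer value sent when following targetUrl from pageUrl,
// or null when the header is omitted.
function refererFor(pageUrl, targetUrl, policy) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  if (page.protocol !== "http:" && page.protocol !== "https:") return null;
  const sameOrigin = page.origin === target.origin;
  // Simplification (assumption): a downgrade is HTTPS -> anything not HTTPS.
  const downgrade = page.protocol === "https:" && target.protocol !== "https:";
  const full = stripForReferrer(pageUrl, false);
  const origin = stripForReferrer(pageUrl, true);
  switch (policy) {
    case "no-referrer": return null;
    // Historical browser default: full URL unless the link is a downgrade.
    case "no-referrer-when-downgrade": return downgrade ? null : full;
    case "origin": return origin;
    case "origin-when-cross-origin": return sameOrigin ? full : origin;
    case "same-origin": return sameOrigin ? full : null;
    case "strict-origin": return downgrade ? null : origin;
    case "strict-origin-when-cross-origin":
      if (sameOrigin) return full;
      return downgrade ? null : origin;
    case "unsafe-url": return full;
    default: throw new Error("unknown policy: " + policy);
  }
}

// True when the identifier is visible in the path or query of the Referer.
function leaksIdentifier(referer, id) {
  if (referer === null) return false;
  const u = new URL(referer);
  return (u.pathname + u.search).includes(id);
}

// Policies under which the third party learns the user ID from one click.
function leakingPolicies(pageUrl, targetUrl, id) {
  return POLICIES.filter((p) => leaksIdentifier(refererFor(pageUrl, targetUrl, p), id));
}

for (const p of POLICIES) {
  const r = refererFor(PROFILE_URL, AD_LINK, p);
  const verdict = leaksIdentifier(r, USER_ID) ? "LEAKS ID" : "ok";
  console.log(p.padEnd(32), String(r).padEnd(48), verdict);
}
```

A site that keeps identifiers in its URLs can limit this exposure by serving a `Referrer-Policy` response header with one of the origin-only or no-referrer values.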
Applying law in case of involuntarily infringement of privacy
An interesting question that could be asked is whether disclosing the information without
knowing about it is an explanation which would absolve the firm from responsibility. This is a
complex issue, which differs from one legal system to another, but nonetheless certain methods of
dealing with it were developed. Due to my knowledge of the Polish law, I will attempt to show
how it would be possible to answer this question on the grounds of the legislation of Poland, so
henceforth, until this issue is resolved, an assumption will be made that any persons will be held liable
according to this legal system. First of all, it has to be decided whether the infringement of rights is
to be prosecuted on the basis of criminal or civil law.
Interestingly, there is a possibility of subjecting the persons who infringe the right of internet
data protection to the criminal law regime in Poland. It mainly stems from the already mentioned
Act of Protection of Personal Data. The articles of chapter 8 starting from article 49 discuss
criminal penalties for breaching the provisions mentioned in the Act. Article 49 states that “Who
transmits personal data in a database, although their transmitting is not allowed or who is not
entitled to such transmission, faces a fee, restriction of liberty [a specific punishment in the Polish
legal system which most often involves imposed community service] or up to 2 year incarceration.”
As the provision does not mention involuntary action, it can only be used in the case when the
transmission of data was done on purpose32. There are, however, provisions in the same article
which allow applying criminal penalty to an involuntary action. For instance, article 51 § 2
threatens a data administrator who will involuntarily disclose, or enable access to, data to
unauthorized parties, with equal punishments to the ones in the previously cited article. This would
be the probable basis of criminal legal action against the administrators of data which happen to be
social media, as it was revealed that the particular infringement happens often. There are more
provisions concerning involuntary actions of administrators outlined in the Act, but this one will
suffice as an example.
It is not sufficient to show an article which punishes involuntary action; in the court
proceedings it must be shown that there was the so-called “involuntary guilt”. This concept
involves the requirement for the offender to predict or to be rationally able to predict the action.
When asking whether this condition applies to this case, it would probably be easy to
determine that the board of directors of Facebook or any major application would conduct the required
analysis, provided that they anticipated the possibility that the regulations could breach privacy
rights. The sheer number of IT employees means that they could assess the risk without much delay, providing
an almost immediate answer to the problem – and if they did, without this prompting an action on behalf of
the company, it would be guilty of an incident of voluntary guilt, covered in the previous provision
of article 52. An entirely different problem, however, is the possibility of them being able to foresee
the consequences, but not doing that. I believe that in this case, it is an innovative sector, so
demanding that a firm predict how entirely new innovations might work is not a reasonable thing to
do. The Polish doctrine usually modifies the American doctrine of assuming that the person under
trial is a reasonably prudent person, replacing the “person” in this case with “specialist” as
Facebook and the application companies work professionally in this field. Every case would have
to be interpreted differently, as there could be instances of a technical error so obvious that
assuming the unforeseeability of the issue would be incorrect.33 In any case, expert witnesses would
need to be called into court to argue about the technical matters. The most striking question
regarding the procedure is the ability of applying criminal law to firms without personal liability,
such as Facebook or application providers. On the grounds of the Polish law this is possible, but a
few conditions must be met, for instance the crime must be committed by a person working in the
name of the company, the company should potentially be able to benefit from the action. The
punishments applicable in this case range from a fine of 1.000 zł to 20.000.000 zł (about 250 –
32 Wróbel, Włodzimierz, and Andrzej Zoll. Polskie Prawo Karne: Część Ogólna. Kraków: Wydawnictwo Znak, 2011. Print. (Text in Polish)
33 Wróbel, Włodzimierz, and Andrzej Zoll. Polskie Prawo Karne: Część Ogólna. Kraków: Wydawnictwo Znak, 2011. Print. (Text in Polish)
5.000.000 €) and a variety of other sanctions, such as disallowing it to advertise or sell its products
or services (the latter not being applicable to social media, due to their free nature and acting on the
internet, over which national legislations do not have much control).34
Although there are provisions which enable criminal action against firms infringing the
private data, this matter would most likely be filed by individual users with a civil court. The
possibility of a person to demand compensation on the grounds of Civil law is included under the
book three (obligations), title IV (unlawful actions), in the articles § 415 – § 44911. From these
articles it can be read that anybody who is guilty of causing damage to someone else is under the
obligation to rectify it. Also a legal person needs to rectify the damage caused due to the fault of its
organs.35 It must be said that the interpretation of “damage” in Polish civil code is wide, as it
encompasses both financial and non-financial damage. The non-financial damage encompasses any damage
done to protected values, and the privacy of information is one of them.36
A similar case, which was questionable from the perspective of protecting private data,
occurred when the “Find friends” feature was introduced. This option accessed private e-mail
databases in order to send an e-mail message with an invitation to Facebook to every friend who was stored
in the e-mail database. By looking at various people's information, it then compiled a list of the e-mail
friends a non-registered person had there in order to encourage them to join. Certain users claimed
that Facebook was accessing their e-mail address books without permission. The Canadian privacy
commissioner was not convinced by this claim; however, she found that the situation was against the
Canadian Personal Information Protection and Electronic Documents Act (presumably violating
article 7 of this document)37, as Facebook did not ask for the non-users' agreement before obtaining
their e-mail address. As mentioned before, Facebook can be held responsible under the Canadian
law, due to the substantial connection clause. After receiving the report, the website addressed the
issue in a way which was considered adequate by the Canadian officials.38
Analysis of the report of findings of the Canadian Privacy Commissioner
34 Łyjak, Olga. "Odpowiedzialność Karna Spółki Za Przestępstwa Członków Zarządu I Pracowników." Kancelaria Adwokacka. N.p., 2009. Web. 17 Dec. 2012. <http://lyjak.pl/publikacje/odpowiedzialnosc-karna-spolki-za-przestepstwa-czlonkow-zarzadu-i-pracownikow/>. (Text in Polish)
35 Pietrzykowski, Krzysztof, and Zbigniew Banaszczyk. Kodeks Cywilny. Warszawa: Wydawnictwo C. H. Beck, 2008. Print.
36 "Szkoda Cywilnoprawna." Openlaw.pl. Ed. Marcin Krzymulski. N.p., 3 Dec. 2012. Web. 17 Dec. 2012. (Text in Polish)
37 Canada. Department of Justice. Personal Information Protection and Electronic Documents Act. (S.C. 2000, c. 5). Web. 17 Dec. 2012.
38 "Canada's Privacy Commissioner Flags Facebook Concerns." CTVNews. N.p., 4 Apr. 2012. Web. 17 Dec. 2012.
Generally, Canadians have quite often successfully argued against Facebook, using both laws and
softer measures. The aforementioned case brought up by Elizabeth Denham, Assistant Privacy
Commissioner of Canada, concerned a wider variety of issues than just asking non-users for e-mail
addresses. In fact it was a report made about the allegations that the Canadian Internet
Policy and Public Interest Clinic (CIPPIC) made against Facebook.39 As many of these can shed
some light on the matter of issues regarding social media, I will proceed to discuss the cases and the
findings of the Canadian institution, often attempting to include wider issues which revolve around
the discussed problem.
1. Collection of Date of Birth: There were several issues in this topic. Firstly, when questioned on
the necessity of collecting such personal information, which cannot be asked for without
a valid purpose according to the principle 4.4.1 of Canadian law, the Facebook representative argued that
the laws of USA prevent children under the age of 13 from using such media, so asking about the date of
birth was a necessity. This shows an interesting feature about applying law to the internet – actions
that are deemed mandatory by one country can be illegal in another, which gives rise to many
possible conflicts. Assuming that the Canadian law was less liberal and forbade making disclosure of
one's age a requirement, it would be possible that Facebook would have to choose between operating in Canada
and USA or possibly set a different requirement for users in both countries. Another problem which
was addressed was disclosing the age to the advertisement companies, which used it to market their
products to a particular audience. This itself was not controversial, but Facebook was found to
provide this information even when the user set the age displaying option to “hidden”. This was not
denied, but the representatives of Facebook made an argument that by “hiding” data, a user only
keeps it hidden from people visiting his page and not from companies which are provided with
this information by Facebook itself. The language of the privacy policy was considered vague. The
Canadian side looked upon the purpose of asking the age with sympathy; however, it mentioned that
passing information which was assumed to be “private” even by rational users went against the
principles 4.3.2 and 4.3.5 of the Personal Information Protection and Electronic Documents
Act40. Facebook amended the problem by making it clear that the collected data will be always
usable for advertising purposes. This shows that the issues regarding privacy can sometimes be
solved by two means, either by ensuring that a greater protection of data takes place or by clearly
stating the situation prior to receiving the data.
39 Denham, Elizabeth. "Findings under the Personal Information Protection and Electronic Documents Act (PIPEDA)." Office of the Privacy Commissioner of Canada, 16 July 2009. Web. 17 Dec. 2012. <http://www.priv.gc.ca/cf-dc/2009/2009_008_0716_e.asp>.
40 Canada. Department of Justice. Personal Information Protection and Electronic Documents Act. (S.C. 2000, c. 5). Web. 17 Dec. 2012.
2. Default Privacy Settings: Two issues were critically addressed by the Canadian commissioner.
Firstly, the default sharing of the information in the photo albums was not looked upon favorably, as
it stood in contrast with the principle 4.3.5 presented in the Personal Information Protection and
Electronic Documents Act, which states that a person's reasonable expectations should be
considered. Making “available to all” the default option for sharing photos seems, in the
opinion of the commissioner, to be an action going against the rational expectations, which would
uphold the view that if, by default, the profile settings are set as accessible only to friends, the
pictures should share this setting, as a similar amount of personal data can be stored in them. I
would disagree with this statement, as in my opinion the reasonable thing to do would be checking
the privacy settings once it becomes clear that they are customizable. Another issue which was
brought up was the search engines, which would have access to the private profiles of Facebook's
users. This also was thought to be contrary to the mentioned principle, however no reasoning was
given about it, just that Facebook did not present the evidence that users wished to have their
profiles appearing on search engines. The commissioner also mentioned that “it should be left up to
the individual user to decide for himself or herself whether to make information available outside
the [Facebook] community.” The sole fact that this is not the default setting does not make it
impossible or significantly harder for the user to change the settings if he does not feel comfortable
with being displayed by Google, therefore I do not agree with the findings of the
commissioner on article 2.
3. Facebook Advertising: According to the report, Facebook makes use of two types of
advertisements: Facebook ads and Social ads. The former target a person who has certain
information in his or her profile, signifying that he or she is in the optimal demographic to be targeted by
this ad. Not only the age and gender play a role in determining the ad, but also the favorite books,
shows etc. which the user specifies in the profile. It is impossible to disallow these ads, as a large
proportion of Facebook's income comes from them. There are a number of third parties which use
these ads and receive some data like IP addresses or download some information from the user's
computer (although only in a minority of cases the ads are not served by Facebook directly). This
might be the basis of the argument that a rational user agreed to share his data with Facebook itself,
but not with the other producers of such ads and not with the other companies. While the argument
was not brought up by the commissioner, it is a logical one to make. Another category of
advertisements are social ads. These ads are triggered by an action that a Facebook user or his friend
performs. This of course raises the question of the legality of Facebook posting an ad which will
indirectly disclose the actions of the person. Interestingly enough, Facebook stated that by
performing the action, the user gives consent for the ad to be displayed. Social ads use the person's
name and picture while posting this, which inevitably raises the issue of possible impersonation.
4. Third Party Applications: The possible problems which arise due to the third party applications,
however the report was quite effective in summarizing the most controversial features. Firstly,
applications collect data of their users and their friends. This raises the question about sharing the
data of the friends – they did not agree to share their private information with the applications and if
they do not specifically block various applications their friends are using, their private data will be
revealed. Applications are not allowed to view all the data, however. As a general rule, they may
access the already publicly displayed page. Also, they may not do it at any time, but only when the
user has the application running. The application cannot allow other users to access the data which
the user does not allow them to see. Most importantly, the application has to destroy all the data 24
hours after accessing it and may only use it for the purposes of the application, or at least had to
before Facebook's last update (as of the time of the report). Creators of applications must also abide
by Facebook's regulations, both those in place for regular users and the more specialized ones for
the application developers (which, for instance, compel the app provider to reveal which
information is going to be used, and for what reason). Facebook does not monitor the actions of the
apps and the users themselves should take notice of any misuse of their data and report it, as is
quoted directly in the terms of use. Facebook does, however, encourage developers through quality
certificates and increased recommendations to adopt a policy aimed at data protection. In a response
to the report, Facebook stated that although it is under no contractual obligation to monitor the
applications, in reality it has a system which does that. Moreover, the types of data an application
may receive are strictly regulated, for example the e-mail of a user will never be disclosed. The list of
possible types of information has little to do with them being “sensitive” information or not, as for
example political views and dating interest are displayed to the third parties without problem. It is
an interesting fact that consent is a condition sine qua non for using the applications. Should a user
change his privacy settings to not allowing the applications to make use of his data, all will be
deleted without notice. An interesting way was developed to conceal the real meaning of the
agreement that the user signed with the application provider – there was a reference to the “platform
application terms of use” in the “Facebook terms of use”. When a user signed the agreement with the
application provider, he was only informed that he will abide by the Facebook terms of use. This
made the users more likely not to check the general terms and conditions before they agree to
them. I could argue that the incident might be against the spirit of principle 4.3.2 of the act, which
obliges the organizations to put a “reasonable effort” to reveal the purpose of the collected
information. A survey done at the University of Virginia found that over 90% of the
applications receive more private information than they require, which could be counted as going
against principle 4.4.2, which states that the organizations must limit themselves to collecting
information they will use; however, I think that this is not the case, as there is no mention of what
percentage of the applications actually make use of excessive available data. Another important
aspect is the applied safeguards. Safeguards, which are measures which protect the information,
are supposed to be in part technological. Facebook was found to rely almost solely on legal
safeguards which are easily circumvented by the applications.
5. New Uses of Personal Information: The problem developed because Facebook at times decides to
use the information provided by the users for different reasons, which were not explained to them
previously. The website was thought to not seek the users' agreement in a proper way before making
alternative use of their personal information. In response, Facebook cited their terms and conditions,
in which its competence to do so is clearly stated, saying moreover that it has not used this
possibility since it was established. Another controversy lay in the method of changing the terms of
service – Facebook had a possibility to do it any time it wished to, just leaving the information
about the changes on a separate page that the users were under the obligation to visit regularly, and
cease to use Facebook if they did not agree with the changes. The commissioner did not find
anything suspicious about these rules, and I have to agree that while they impose a duty on the user,
the user has to agree on it before starting to use Facebook. However, the terms and conditions have
been since changed in a way that the further changes will be performed in a clearer manner.
6. Collection of Personal Information from Sources other than Facebook: Facebook has stated in its
terms of service that it might collect personal information from other sources than its website,
which could be a serious threat to the data protection. To illustrate this, it is possible to once again
bring up the Polish Personal Data Protection Act, where obtaining personal data from users without
consent required a different procedure and had many more restrictions imposed on it.41 Facebook
was not specific about the procedures by which it collects these data, and when asked, its
representative stated that currently no such procedure is happening; however, this is something that
the firm plans to impose in the future. Of course, without more precise statements or enforced
procedures there is not much that can be discussed.
7a. Account Deactivation and Deletion: The problem stems from the fact that there are opinions that
the two forms of removing the account are nearly indistinguishable. The opponents of the current
system point out that the information which was on deleted accounts stays for a number of days
before it is permanently removed. Facebook claimed this happens due to technical issues and the
41 "ABC Wybranych Zagadnień Z Ustawy O Ochronie Danych Osobowych." GIODO Generalny Inspektor Ochrony Danych Osobowych -. WYDAWNICTWO SEJMOWE, n.d. Web. 15 Dec. 2012. (text in Polish)
commissioner did not find it to be a legally questionable practice. After the report, Facebook
changed its screen informing about the effects of deletion to inform users about this issue. When
deactivation is taking place instead of deletion, the data is hidden but stored indefinitely. The
commissioner found that it was contrary to the principle 5.3, which states that information should
not be kept for longer than it is needed. She suggested that Facebook adopt a retention policy
which will cause the data to be stored for only a limited period of time and deleted afterward.
Facebook stated that preserving data is important from the point of view of the deactivated users,
the majority of which return, expecting to find their inputted information intact. I agree with the
opinion of Facebook, as if deactivated accounts were deleted after some time, this would render the
two forms of account removal to be too similar, which was the situation attacked in the first
accusation. In addition, I can say from my experience that I was not an active user of Facebook for
about 2 years and if I decided to formally deactivate my account before this period, and the
Commissioner's opinion would prevail, my account would be deleted, which is not an action that I
wanted to perform. Possibly the best idea would be to merge the two options into one action, which
would require a user who deactivates his account to input the time period that must elapse before
its deletion, with “never” or “immediately” being options which could be chosen.
7b. Accounts of Deceased Users: The question about the fate of the personal data after the death of
a user is a controversial one. Facebook resolves the issue by “memorializing” a user's profile which
consists of removing more sensitive information and only allowing existing friends to access the
rest. Immediate family can also request the data to be removed, which brings up the controversial
topic of inheriting the rights to personal information. This topic was not brought up in the report,
although Facebook has stated that “we concluded that the legal next of kin is the proper person to
make a decision as to whether the deceased would have wanted the site to stay up for their friends.”
In my opinion, an analogy should be drawn between this and the inheritance of intellectual property
– there should be an option to state in one's last will who should be the successor to the Facebook
account. The reason why I believe in this is that it is possible to inherit physical photographs and
unfinished writings recorded in physical media. There seem to be no differences between the
concept of ownership of photographs or writings as long as the author is alive – infringing one's
intellectual property rights to a picture or essay by using it without the author's permission is
punished just as severely if the materials were obtained by hacking somebody's account protected
by a password as it would be for physical materials stolen from somebody's locker. Therefore it
does not make sense to treat these materials differently as far as inheritance law is concerned. If
somebody wished to pass the rights to his digital collection of pictures of insects, stored on his
account on social media, to his nephew who is interested in entomology he should be allowed to do
so. The same applies if someone developed a popular Facebook profile which is used as a board for
posting updates or reviews about a certain topic and wishes for the service to be continued by his
co-worker after his death on the same domain. It would be justifiable to treat these issues in a
different way if it was stated that the ownership of data passes to the social media provider in the
contract that the user signs; however, with Facebook it does not seem to be the case – quite the
opposite, it is clearly stated in the statement of rights and responsibilities that “You [the user]
own[s] all of the content and information you post on Facebook, and you [the user] can control how
it is shared through your privacy and application settings”.42 Therefore allowing “the next of kin” to
determine the fate of his deceased family member's account should only happen if the deceased user
did not leave any dispositions about it, which would effectively only require Facebook to change the
term “next of kin” to “legal successor”. Another potential topic for debate is whether the “next of
kin” has the right to be informed about the “memorialization” of the account with the personal data of
their relative. In many circumstances the “next of kin” would not know that his deceased relative
had a Facebook account. So, as Facebook has a policy of allowing the relatives to decide on what
will happen to the memorialized account, there should be some procedures which will be used to
inform these people, who might not have signed the terms of service with Facebook, about the
decisions they can make. The last issue that should be raised is the procedure which Facebook uses
to determine if someone is dead. As logging in at regular intervals is not a required action for
maintaining one's account, the information about someone's death must come from other users. At
present, there are forms which a person can fill in, attaching evidence of someone's death43.
However such precautions do not seem adequate – it would be perfectly possible for a group of
friends (including the “next of kin” of the victim) to collaborate and, using obituaries prepared with a
graphics program, trick Facebook's administrators into believing that a person is dead and request
his profile to be permanently deleted. This is another reason that I do not agree with the
commissioner’s opinion about the issue raised under point 7a – there should be a way to reactivate
deleted accounts for a reasonable time on the request of the owner, as a person considered dead by
Facebook might log on to his profile a few months later only to find out that it was deleted due to the
actions of his friends and relatives. A possible way to solve some of the issues which were brought
up would be requiring the civil authorities (for example the General Registry Office in the UK) to
inform Facebook once they register someone's death44. This, of course, would require a new level of
cooperation between the governments of various countries and a private corporation – causing a
wide range of legal problems which will not be discussed here.
42 "Facebook Statement of Rights and Responsibilities." Http://www.facebook.com/legal/terms. N.p., 11 Dec. 2012. Web. 15 Dec. 2012.
43 "Memorialization Request | Facebook." Facebook, n.d. Web. 15 Dec. 2012. <http://www.facebook.com/help/contact/305593649477238?rdrhc>.
44 "Facebook's Death Problem." Http://theweek.com. N.p., 21 July 2010. Web. 15 Dec. 2012. <http://theweek.com/article/index/205158/facebooks-death-problem>.
8. Personal Information of Non-users: There are two areas in which the rights of non-users of
Facebook might be infringed. The first case was already discussed and concerns Facebook accessing the
e-mails of non-users and using them to send invitations to join the website. This can be
considered a violation of the rights both of users, who did not necessarily agree to share the e-mails
with Facebook, and of the non-users who have their personal data retained by Facebook,
often without their knowledge. While this topic was not examined by the Canadian
commissioner, the way Facebook acquires the email addresses is important, as it determines whether
sending “spam” emails can be considered an unlawful action in the light of certain legislation, most
notably the United States legislative act Controlling the Assault of Non-Solicited Pornography and
Marketing Act, known as the CAN SPAM act of 2003.45 Under its provisions, the sending of automatically
generated emails by Facebook can be considered illegal if the email serves a commercial purpose
(which is stated to include advertising “content on an Internet website operated for a commercial
purpose”) and does not meet one of the 3 “basic types of compliance”. The potential problem
with Facebook is based on the “sending behavior compliance”, in case the method Facebook uses to
acquire the email addresses it sends the correspondence to includes “harvesting” them. The exact
definition of email harvesting is controversial, but generally it states that “Email harvesting is the
process of obtaining a large number of email addresses through various methods”. The methods do
not have to include viruses or malware; obtaining them in large quantities from other users can also
be classified as “harvesting” them.46 This seems to be similar to the technique used by Facebook,
which asks its members to grant it temporary access to their email address book. The emails stored
in this book could themselves have been obtained through various methods, and not necessarily all of
the people who own them would like to receive an email from a social media site on behalf of a person
they barely know, or who they know and dislike.47 Another method used by Facebook consists of
obtaining addresses from emails added to tags of non-registered users, which itself is a highly
controversial practice, possibly infringing the rights of non-users, as will be discussed later. The
question remains unanswered: does Facebook break US law by its policy toward emails? The
answer is most probably negative, as there were no cases found on the internet in which anybody
sued Facebook on these grounds – quite the contrary, Facebook itself used the CAN SPAM act to
successfully sue a company which used it for commercial reasons.48 Despite not
breaching the aforementioned act, the procedure goes against principle 4.5 of the Canadian Personal
Information Protection and Electronic Documents Act – which disallows retaining email addresses
beyond the purpose for which they were collected. Facebook did not respond to the accusation, and the case is
not resolved yet.
45 "15 USC Chapter 103 - CONTROLLING THE ASSAULT OF NON-SOLICITED PORNOGRAPHY AND MARKETING." Cornell.edu. Cornell University Law School, n.d. Web. 16 Dec. 2012. <http://www.law.cornell.edu/uscode/text/15/chapter-103>.
46 "Email Harvesting." Techopedias. Ed. Cory Janssen. N.p., n.d. Web. 16 Dec. 2012. <http://www.techopedia.com/definition/1657/email-harvesting>.
47 Riley, Carole. "How Did Facebook Get My Email Address?" Social Media and Genealogy. N.p., 22 Apr. 2011. Web. 16 Dec. 2012. <http://socialmediagen.com/how-did-facebook-get-my-email-address/>.
The other case which was brought up in section 8 of the commissioner’s report describes
one of the most important and often discussed issues of social media – specifically “tagging” people
on posted pictures. This is highly controversial, as it enables third parties to view information that
might be sensitive, without the permission or even knowledge of the interested persons. Tagging
people can possibly infringe the rights of 2 people: the person whose name is displayed on the
picture and the person who the picture was taken of. The second one can be either tagged correctly,
but without giving permission to be tagged – or he can be tagged wrongly, in which case there is
usually another person whose name was marked instead. It is furthermore impossible for
people to “untag” themselves if they do not have an account on Facebook. The Canadian
Commissioner proposed a set of harsh regulations, like the need to obtain consent from the third
party before posting any information of non-users and a system of sanctions for the offending
parties, including banning of their account. It was however found in the investigation that the new
Statement of Rights and Responsibilities already covers most of the suggestions, as it prohibits
Facebook users from “infringing someone else's rights or otherwise violating the law”. This is, of
course, a very general statement, and from my perspective a completely unnecessary one, as it only
duplicates the existing regulations. More importantly, it does not specify which countries' law
the user must abide by – the law of his country (rendering the regulation ineffectual) or all the
regulations of the countries that Facebook is working in. However the next provision allows Facebook to
remove any content which the company considers a violation of the previous bylaw and to disable
accounts for frequent repeated breaches. The Statement contains some detailed provisions, such as
disallowing the posting of identification documents or sensitive financial information of third
parties and stating that consent must be acquired before collecting information from other users on
one's behalf. The procedure of tagging people has not been addressed in detail, however according
to Facebook, every user can ask for the tag with his name to be removed. In addition to this, every
non-user who is tagged with his email address receives an email from Facebook notifying him about
the fact that he has been tagged and that he can join Facebook, which will enable him to request the
tag to be removed. This procedure, while allowing a non-user to remove his tag by joining, is highly
controversial, as it both discriminates against users who did not have their email included and is a
dubious action at best in the light of the CAN SPAM act, as mentioned previously. The dispute has
not been resolved to date.
48 Levi, Stuart D., and Gregory T. Palumbo. "Application of the CAN-SPAM Act to Social Networking Sites." Application of the CAN-SPAM Act to Social Networking Sites. Skadden, Arps, Slate, Meagher & Flom LLP, 12 May 2011. Web. 16 Dec. 2012. <https://www.skadden.com/insights/application-can-spam-act-social-networking-sites>.
9. Facebook Mobile and Safeguards: The next potential legal issue which was brought up about
Facebook was the supposed possibility of logging in to a Facebook account from a device that was
being used previously, even if the password was changed using another device. The allegation was
not well founded, but the legal issue did not cease to be interesting: are social media required by
law to provide a safe password scheme? Looking globally, this question must be answered
positively, as there exist a number of regulations on this topic, notably article 13 in the Dutch Data
Protection Act49, which states that “The responsible party shall implement appropriate technical and
organizational measures to secure personal data against loss or against any form of unlawful
processing”, whereas article 1 determines that the “responsible party” is any physical or legal entity
that decides about the transfer of user data. Failure to comply with this article could lead to
sanctions defined under the Directive on Privacy and Electronic Communications50, which include
holding social media responsible for the loss caused by insufficient password security.
10. Monitoring for Anomalous Activity: The penultimate problem examined by the Commissioner
was the procedure of monitoring for “anomalous activity” of its users. The problem that the
Canadian commissioner had with these procedures had more to do with not informing the users
adequately about the practice, however one of the findings included in the report proved to be very
interesting from the point of view of assessing the cooperation between legal authorities and social
media. One of the proposed cases in which Facebook monitors for “anomalous activity” is regulated
by an agreement between Facebook and the attorneys general of 49 states within the USA. According to this
agreement, a number of steps must be taken by Facebook – for instance, it monitors when a user
significantly changes his or her age, which might indicate faking it in order to gain access to the
features not available for underage users. Also, due to this agreement, Facebook takes notice when
someone becomes “friends” with a person who is significantly younger than him or her, which
could enhance the safety of its youngest demographic. The article mentioned that the agreement is a
part of a larger project which encompasses various other social media sites, such as MySpace.51
This, while demonstrating how governments and social media can cooperate to achieve a socially
admirable goal, also triggers a question – are the benefits of such endeavors always worth their
price, such as the conflict in this example: is increased safety, which is embodied by data protection,
worth the lost privacy? This question, however, is more philosophical than legal, and demonstrates
that problems which arise from the conflict of two spheres of rights are not absent from debates
about social media.
49 "Personal Data Protection Act (Unofficial Translation)." Dutch DPA. N.p., n.d. Web. 18 Dec. 2012. <http://www.dutchdpa.nl/Pages/en_wetten_wbp.aspx>.
50 "Offences and Penalties under the Data Protection Act - Data Protection Commissioner - Ireland." N.p., n.d. Web. 18 Dec. 2012. <http://www.dataprotection.ie/viewdoc.asp?DocID=97>.
51 Stone, Brad. "Facebook Agrees to Devise Tools to Protect Young Users." New York Times, 9 May 2008. Web. 18 Dec. 2012. <http://www.nytimes.com/2008/05/09/technology/09face.html?_r=0>.
11. Deception and Misrepresentation: The last issue assessed by the Canadian commissioner was a
short one, however it serves as an ideal epilogue for the whole essay. The accusation stated that
“CIPPIC alleged that Facebook […] was misrepresenting itself by claiming to be purely a social
networking site [...]”. The allegations were quickly dismissed due to lack of evidence, but I could
not allow such a question to slip by: “What makes Facebook a social network site?” In the first part
of the essay I have established that social network sites focus on human communications through
the internet, however if this definition was comprehensive, all the websites allowing the sending
and receiving of emails would be considered as examples of social media. Some other parts of the
definition have to be added for the term to receive a meaning akin to the one used commonly.
According to one of the proposed definitions, the biggest criterion which makes social media unique
is sharing the information between people by means of “virtual communities and networks”.52
While emails were the virtual representations of sending letters, social media go one step further
and seek to emulate the direct contact between people. This is precisely the reason why, although
they have existed for a short time compared to emails, the legal issues regarding their usage have received such a
great amount of interest from governments and lawyers. It is impossible to predict in which way
social media will evolve, however one thing is certain – whatever technology will be discovered
and put into use regarding social media communication, legislators and jurists will always be a step
behind and will find ways to scrutinize breaches of existing regulations where appropriate, or otherwise
create new laws to combat the activities which are deemed harmful by the majority of
society.
52 Ahlqvist, Toni; Bäck, A., Halonen, M., Heinonen, S (2008). "Social media road maps exploring the futures triggered by social media". VTT Tiedotteita - Valtion Teknillinen Tutkimuskeskus (2454): 13.