Privacy

Communication technologies present major privacy concerns and this is another area in which legal consideration is necessary to ensure protection of one’s company and its users, when developing a new social networking site. There has been extensive discussion of privacy-related issues in current legislation, but the scope and protection guaranteed by these laws, varies from jurisdiction to jurisdiction. In general, privacy is, “a state in which one is not watched or disturbed by others” (Soanes 713). This definition is problematic as there are ambiguities in regards to what actually constitutes “being watched,” specifically due to the increase in surveillance capabilities associated with today’s technologies. As well, the notion of “being disturbed” is also subjective, as what one perceives to be a disruption of one’s private life may not be considered a disruption by another person. Judge Cooley originally described privacy as, “the right to be let alone” and Alan Westin continues the definition of privacy, “ the right of individuals to determine for themselves when, how, and to what extent information about them is communicated to others;” although, these conceptions of privacy also highlight how the definitions are rooted in an individual’s perspective and how they are not Internet specific, which makes the boundaries of privacy in today’s digital environment unclear, making it more difficult for an e-business owner to know his/her rights and responsibilities when it comes to privacy (Bird 257; Rappa 2009). In creating an online social networking site, one needs to be familiar with the implications of existing privacy legislation. In both Canada and the United States, privacy is an implied right rather than an explicit enumeration in the Constitutions, but certain rights are included even though they are not directly characterized in these bodies of legislation. For example, the Ninth Amendment of the //U.S. Constitution// declares, “The enumeration in the Constitution, of certain rights, shall not be construed to deny or disparage others retained by the people,” with similar protections stated in the //Canadian Charter of Rights and Freedoms//, “ The guarantee in this //Charter// of certain rights and freedoms shall not be construed as denying the existence of any other rights or freedoms that exist in Canada (Bird 258; FindLaw: Thomson Reuters “Ninth Amendment” 2009; Canadian Charter of Rights and Freedoms, General, sec. 26). Moreover, in the //U.S. Constitution// there is also the Fourth Amendment, which guarantees, “ The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized” (FindLaw: Thomson Reuters “Fourth Amendment” 2009). There are corresponding rights in the //Canadian Charter// as well, “Everyone has the right to be secure against unreasonable search or seizure,” and, “Everyone has the right to life, liberty and security of the person and the right not to be deprived thereof except in accordance with the principles of fundamental justice,” which also help in establishing a right to privacy (Canadian Charter of Rights and Freedoms, Legal Rights, sec. 7 and 8 ). These laws entail that governments follow legal procedure and therefore prevent against an abuse of government authority. As well, cases that followed the institution of these legal parameters, such as //Griswold v. Connecticut,// // 381 U.S. 479 (1965) //, established a “reasonable expectation of privacy” clause when determining whether or not privacy protection should exist and defined areas and locations in which privacy is to be expected (Bird 259; “Griswold v. Connecticut”). Privacy protection can also be found in the Fifth Amendment of the //U.S. Constitution//, “No person… shall be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of the law,” and section thirteen of the // Canadian Charter //, “A witness who testifies in any proceedings has the right not to have any incriminating evidence so given used to incriminate that witness in any other proceedings, except in a prosecution for perjury or for the giving of contradictory evidence;” which prevent against one having to commit any acts of self-incrimination (FindLaw: Thomson Reuters “Fifth Amendment” 2009; Canadian Charter of Rights and Freedoms, Legal Rights, sec. 13 ). In the E.U. privacy has been guaranteed in the Human Rights Convention, as Article eight states “ Everyone has the right to respect for his private and family life, his home and his correspondence,” protecting all four of these defined areas (Liberty 2008). In addition, there are numerous federal acts concerning privacy in Canada, the U.S., and in the various countries comprising the E.U. Most significantly in the United States is the // Electronic Communications Privacy Act (ECPA) // of 1986. The //ECPA// applies to those involved in the transmission, storage, and interception of electronic communications, which affect interstate or foreign commerce. This act is applicable as the proposed social-networking site incorporates commercial activities, such as the sale of widgets. The act continues with three principle provisions. Title I of the act prohibits unauthorized interception and disclosure of wire, oral, and electronic communications in transit; the “business extension rule” is an applicable exception to this title as it provides for disclosures made in the ordinary course of business, or as would be necessary, in this case, for the operation and maintenance of a social networking site. There is also a valid exception when prior consent has been given and this is significant, as this exception only requires prior consent to be given on the part of one of the involved parties (Bird 276-279). Title II of the //ECPA// provides similar protection to electronic communications that are kept in storage, with one additional exception to those included in Title I as it, “exempts from liability conduct authorized //by a user of a wire or electronic communication service with respect to a communication of or intended for that user//,//”// which would enable the site to store information a user has provided in order to provide its social networking services to that user (Bird 280-281). Title III prevents against the use of unauthorized trap and trace or pen register devices, and this can be related as it would require that authorities have a court order before requiring the site to divulge information provided by its users; although the need for search warrants and privacy protection in general has been severely limited by the //U.S. Patriot Act// (Bird 284). Another pertinent U.S. Federal Act is the //Gramm-Leach-Bliley Act// of 1999 as it allows for business affiliations and the sharing of information between firms and it also includes consent requirements that have to be satisfied in order for personal identifiable information to be disclosed to non-affiliated institutions. It is necessary that the proposed e-business be aware of these specificities and that an “opt-out” policy” is currently in place, meaning the burden is placed on the client to deny these arrangements (Bird 272-274). To avoid future conflicts it may be advantageous for the social networking site to provide “opt-in” rather than “opt-out” measures in its privacy policy. The U.S. //Privacy Act// of 1974 is another important statute in relation to privacy. The act is, “designed to regulate the collection, maintenance, use, and disclosure of personal information by federal agencies” (Bird 269). It expands upon the //ECPA// in that it establishes guidelines, such as requiring consent prior to the attainment, storage, or disclosure of personal identifiable information and that individuals have the right to make corrections to any misinformation in his/her records. Similar provisions are made in the Canadian //Privacy Act// and in many of the federal acts of E.U. member countries ( Electronic Privacy Information Center and Privacy International 2003; Privacy and human Rights 2003 “Italian” and “Kingdom of Denmark” 2003). These laws could be extended to encompass any of the personal information provided and contained in the new social networking site. The //Personal Information and Electronic Documents Act (PIPEDA)// of Canada also applies the stipulations from the //Privacy Act// to the private realm. The act acknowledges that companies need to acquire information, to both provide services and for economic gain, but the legislation tries to balance these requirements with individual’s rights to privacy (Holmes 2008). //PIPEDA// defines how commercial organizations and businesses can collect, store and use data, and requires consent before any of the aforementioned procedures can be implemented ( BILL C-6 - Royal Assent 2009). As well, the act states that the information gathered can only be used for a stated purpose, and reaffirmation of consent is necessary for any further uses; even if the consumer refuses to consent to the company’s terms, the service has to be provided if the information is non-essential to the transaction ( PIPEDA, 2009 Did I put right ref in works cited Rup??? ; Bird 305 ). This explains how it is illegal for a company to sell information from a prior transaction, which is often gathered for spamming and online profiling purposes, if these terms were not disclosed in the company’s privacy policy, before that transaction took place. Additionally, when a transaction has been completed, any remaining personal information from the business deal has to be erased, destroyed, or rendered anonymous (Bird 305). //PIPEDA// specifies that companies need to provide clear privacy policies and outlines ten principles that all companies, including the online social networking site, must follow: accountability, identifying purposes, consent, limiting collection, limiting use disclosure, retention, accuracy, safeguards, openness, individual access and challenging compliance ( BILL C-6 - Royal Assent, 2009). The E.U. also has very strong privacy controls, as in many parts of Europe, “ Personal information cannot be collected without consumers’ permission, and they have the right to review the data and correct inaccuracies… Companies that process data must register their activities with the government… [and] Personal information cannot be shared by companies or across borders without express permission from the data subject” ( Sullivan 2006). As well, the Council of Europe’s //Convention on Data Protection// protects privacy as a fundamental human right ( Stratford, 1998 ). Another important privacy initiative is the //European Union’s Directive on Privacy Protection//. Most significantly, Article six indicates that data must be collected “fairly” and “accurately” and only be used for openly specified purposes. It is most noteworthy for e-businesses as the provisions apply to any non-member states doing business with member states. Article seven of the //Directive// delineates consent processes and outlines other recognized, legitimate reasons for the collection and processing of information. Article twenty-five is also crucial to an understanding of one’s legal obligations as it, “prohibits the export of personal data to nonmember countries that do not have laws that ‘adequately’ protect personal data,” meaning that the location where the social networking site is created has to satisfy the EU’s minimum privacy requirements to conduct business with the member states. In order to qualify and receive protection against legal disputes, the social-networking company should follow the requirements of the //US-EU Safe Harbor Agreement//, abiding by the principles of notice, choice, onward transfer, access, security, data integrity and enforcement (Bird 301-302). Many nations within the EU have taken strong initiatives to safeguard their countries and its citizens privacy. For example, In the United Kingdom new government regulations were to come into effect on Monday April 6th 2009. The new regulations require internet providers to keep records of emails and online phone calls. The ISPs are required by law now to keep record of the former mentioned details for at least a time period of twelve months because they can provide potential information in the case of a criminal investigation. The ISPs are not required to store the content of the emails but they are required to record the date, time and duration of all the communication that is made online. The telecom provider industry in the EC directive is also obliged to do this. The government believes that by doing this they are protecting their civil rights. It is important that the social networking site in their clause make the user’s aware that all the emails that they are going to be sending using their service is going to be recorded in their ISP provider’s database. (ISPs to record all emails and calls, 2009). Privacy is particularly a concern for this proposed e-business as, “The site will allow individuals to create their own material in any digital form and potentially share this information with any other members of the site” (Wensley “Further Details” 2009). As well, the future social networking site will allow for online communications, which presents major privacy concerns. It is impossible to eliminate all of the privacy concerns in regards to the Internet and social networking, but the company should avoid using tactics such as spamming, spyware, cookies, or the selling of client’s personal information to other companies, especially if the use of such measures has not been made apparent to the users. Overall, it is imperative that the e-business have an explicit, easy-to-read privacy policy that describes how user’s personal information will be collected, stored and used, along with offering a form of consent in which users have to acknowledge that they are aware of the risks involved in providing personal data and participating in an online networking community. The e-business can acquire privacy seals of protection, such as //TRUSTe,// to improve customer confidence in the sites operation (TRUSTe 2009). Furthermore, another concern that social networking sites have to be aware of is email because providing email is one form of service that is going to be provided by the social networking site. They have to be careful how commercial email is going to be used by them. Commercial emails are often key logged and data is collected by companies to collect personal data about individuals to target them specifically according to their tastes and preferences. Since, the social networking site is going to have advertisers on their site they might want to use all the information that is getting collected to their advantage to target potential consumers. When companies decide to do this they have to be really careful about the possible harms that can be caused by this and how individuals can pursue litigation. One such problem was seen in the case of //In Re DoubleClick Inc., Privacy Litigation//. Every time one visits a Website they leave a “fingerprint” of information about their identity in the form of a cookie online. (Bird, 281). A cookie is a computer text file, which is sent to the person visiting the website’s web browser by the person who is the host of the website. (Cookies, 2004). A cookie stores the information about one and their preferences in text file on their hard disk. Sometimes cookies contain a record of information that one has visited on the site and it is used to customize the website according to the user’s preferences. Only the website that designed the cookie can view and read the information on it. (What is a cookie?, 2009). This does not imply that the a company cannot use that data to their advantage and targeting potential customers. DoubleClick, is a provider of internet advertising products and services. It’s main objective lies in collecting, compiling and analyzing information about users of online technology and the information collected is used to target individuals with advertisements. Often at times websites lend space to other sites who want to place their banner advertisements in that space. In a situation like this, DoubleClick acts as an intermediary between the two sites. It performs the job of creating value for its customers by building value for its customers by constructing profiles of the internet users and then using those to target specific people. (In Re DOUBLECLICK INC. PRIVACY LITIGATION, 2001). The plaintiffs in this case filed a case against DoubleClick, the main argument was that the action of putting cookies on the plaintiffs computers and using those to collect information about them is an invasion of their privacy and it violates the Title Two of the Electronic Communications Privacy Act. In this case, the basis of plaintiff’s argument that electronic communication is “Internet Access” and the “ISP” was declared wrong. (Bird, 282). The main reason for this was because according to the judgement there is a difference between Internet Access and ISP because an “ISP is an entity that provides access to the internet. Access to the internet is the service an ISP provides.” (Bird, 282). In this case the plaintiffs had no proof to prove that DoubleClick access to the information was unauthorized. DoubleClick was hired by clients to perform the service of collecting data and thus DoubleClick had the authorization for the information. (Bird, 283). There was no finding in the case that proved that DoubleClick had been engaging in unfair trade practices and they never used consumer’s information other than the purposes that it has “disclosed in its privacy policy”. (In re DOUBLECLICK INC. PRIVACY LITIGATION, 2001). Thus, the social networking site has to be very careful about the kind of information that it allows a third party access from their customers email and cookie information that it has stored in its database. Being aware of the privacy concerns detailed in this section and the laws by which they are governed is also an asset for e-businesses in avoiding potential privacy infringement litigation. Common Law Torts In the United States, in order to prevent invasion of privacy, there are four torts that help provide remedies against any injustice. The first tort is, “intrusion upon seclusion.” It is defined as, “intentionally intruding, physically or otherwise, upon the solitude or seclusion of another or his private affairs or concerns” (Bird 260-261). This tort further establishes the right to left alone and helps in defining what constitutes as a public area and a private area. (Bird, 261). The social networking site has to be aware of this because the networking service is going to be providing its customers with email service and depending on how emails are defined, as private or public, this tort could apply. Also, monitoring an individual’s email service without permission could be considered as an invasion of their privacy. (Bird, 265). Owners have to make sure in their clause they make users aware of this to prevent any possible future problems. In addition, the second common law tort is known as, “Public Disclosure of Private Facts Causing Injury to Reputation” (Bird, 265). This tort applies when damage is done to one’s reputation by publicly disclosing or transmitting their personal information or facts. Elements of “intent or knowledge”, “highly offensive to a reasonable person”, and “facts must be private”. Often at times someone information is gathered from online and stored in databases to be used for purposes such as marketing. Individuals often are not clear about this, therefore, the social networking site has to write in their terms and conditions if they are going to be doing this so that their user is clear and it prevents any kinds of legal obligations. (Bird, 265). Furthermore, the third tort outlined in the common is, “Publicly Placing Another in a False Light” (Bird, 266). This situation occurs when a person becomes falsely connected to information that is illegal, embarrassing and damaging to one’s reputation. (Bird 266). Often at times this tort happens in concerns relating to cyberspace. (Bird, 266-267). One case highlighting such a concern is Boring v. Google. Google recently introduced “Street View” feature in Google Earth, which shows pictures of streets in the program to the user. Several pictures of the Boring’s house and pool were taken and made available on “Street View.” The Boring’s believed that the pictures of were taken from their driveway and it was a sign of their private property. One of the main claims made by the Boring’s was that it was a direct invasion on their privacy. All the claims made by the Boring’s were dismissed by the judge in the end. The judge in this case, Judge Hay, rejected the claims because he believed that the common law torts of “intrusion upon seclusion” and “publicity given to private life” were not violated and the couple has failed to provide sufficient evidence of shame, humiliation or offend that was caused to a reasonable person because the photographs did not contain any people in them. When designing a social networking site one has to aware of such implications. For example, if one allows individuals to post their pictures on the site then they have to be careful that no one else can go on someone’s profile and takes their pictures and claim it to be their own or use it for wrongful behaviour that may violate an individual’s privacy. Such implications need to be given consideration when designing a networking site. Another tort outlined in the United States is, “Misappropriation of a person’s name or likeness causing injury to reputation” (Bird 26…). This tort applies where the name or picture of living person is used for commercial purposes without the individual’s permission or consent. (Bird, 266). When designing a networking site one has to be aware of this because anyone can gain access to an individual’s pictures posted on their site and use it for unlawful purposes without the individual’s consent. The social networking site needs to take all the former mentioned torts into consideration when designing the site and in their terms and conditions they have to make their user’s aware of such implications that could result from any wrongful behaviour.

Works Cited "BILL C-6 - Royal Assent." 23 March. 2009. . Department of Justice Canada. “Canadian Charter of Rights and Freedoms.” 20 March 2009 . FindLaw: Thomson Reuters. “U.S. Constitution: Fourth Amendment.” 2009. 20 March 2009 . FindLaw: Thomson Reuters. “U.S. Constitution: Fifth Amendment.” 2009. 20 March 2009 . FindLaw: Thomson Reuters. “U.S. Constitution: Ninth Amendment.” 2009. 20 March 2009 . Griswold v Connecticut. 381. U.S. 479. U.S. Supreme Court. 1965. Information From: FindLaw: Thomson Reuters. “ U.S. Supreme Court  <span style="font-size: 12.0pt; mso-bidi-font-size: 13.0pt; line-height: 115%; font-family: "Times New Roman"; mso-bidi-font-family: "Lucida Grande"; mso-bidi-font-weight: bold;">Griswold v. Connecticut, 381 U.S. 479 (1965) <span style="font-size: 12.0pt; mso-bidi-font-size: 20.0pt; line-height: 115%; font-family: "Times New Roman"; mso-bidi-font-family: Georgia;">.” 2009. 20 March 2009 <http://caselaw.lp.findlaw.com/scripts/getcase.pl?court=us&vol=381&invol=47>. <span style="font-size: 12.0pt; mso-bidi-font-size: 20.0pt; line-height: 115%; font-family: "Times New Roman"; mso-bidi-font-family: Georgia;">Holmes, Nancy. “Canada’s Federal Privacy Laws.” 25 September 2008. 21 March 2009 <http://www.parl.gc.ca/information/library/PRBpubs/prb0744-e.htm#privacyl>. <span style="font-size: 12.0pt; mso-bidi-font-size: 20.0pt; line-height: 115%; font-family: "Times New Roman"; mso-bidi-font-family: Georgia;">Liberty. “Article 8: Right for Private and Family Life.” __The Liberty Guide to Human__ __Rights__. 18 August 2008. 9 April 2009 <http://www.yourrights.org.uk/yourrights/the-human-rights-act/the-convention- rights/article-8-right-to-respect-for-private-and-family-life.html>. "PIPEDA and Your Business - Complying With The Privacy Act." __Small Business Canada - Starting a Small Business - Small Business Articles__. 22 March. 2009. <http://sbinfocanada.about.com/cs/legalmatters/a/pipeda_2.htm>. Privacy and Human Rights 2003. “Italian Republic.” 2003. 9 April 2009 <http://www.privacyinternational.org/survey/phr2003/index.htm>. Privacy and Human Rights 2003. “Kingdom of Denmark.” 2003. 9 April 2009 < <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman"; color: black;">http://www.privacyinternational.org/survey/phr2003/countries/denmark.htm>. <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman"; color: black;">Rappa, Michael. “Data Privacy.” __Managing the Digital Enterprise__. 21 March 2009. 18 March 2009 < http://digitalenterprise.org/privacy/privacy.html>. <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman"; color: black;">Soanes, Catherine, ed. __Oxford Dictionary of Current English__. 3rd ed. Oxford, Oxford University Press, 2001. <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman"; color: black;">Stratford, Jean Slemmons. “Data Protection and Privacy in the United States and Europe.” 1998. 8 April 2009 <http://datalib.library.ualberta.ca/publications/iq/iq22/iqvol223stratford.pdf>. <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman"; color: black;">Sullivan, Bob. <span style="font-size: 12.0pt; mso-bidi-font-size: 29.0pt; line-height: 115%; font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-bidi-font-family: Georgia; color: black;">“‘La difference’ is Stark in EU, U.S. Privacy Laws.” __MSNBC__. 19 October 2006. 6 April 2009 <http://www.msnbc.msn.com/id/15221111/>. <span style="font-size: 12.0pt; mso-bidi-font-size: 29.0pt; line-height: 115%; font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman"; mso-bidi-font-family: Georgia; color: black;">TRUSTe. “TRUSTe for Enterprise.” 2009. 11 April 2009 <http://www.truste.org/businesses/enterprise.php>. <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman"; color: black;">Wensley, Anthony. “CCT 206 Further Details on Group Project.” Handout. 2009. 3 April 2009 <https://portal.utoronto.ca/webapps/portal/frameset.jsp?tab_id=_2_1&url=%2Fwe bapps%2Fblackboard%2Fexecute%2Flauncher%3Ftype%3DCourse%26id%3D_ 458195_1%26url%3D>. <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 200%; font-family: "Times New Roman";"> <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman";"> <span style="font-size: 12.0pt; mso-bidi-font-size: 11.0pt; line-height: 115%; font-family: "Times New Roman";">