Internet privacy seems to be constantly in the headlines globally, and social media communications are clearly driving most of these privacy concerns. Since law is the glue that hold societies together, all people on Earth rely on various laws, whether they drive their cars in traffic, pay taxes, establish geographic boundaries or use the Internet.
However, the courts and regulatory bodies usually react (slowly) to social change rather than create social change; as a result, the law has not quite kept up with the privacy concerns surrounding social media.
In my recent column — “Who Reads Terms of Service, Privacy Policies or Click Agreements?” — I describe various U.S. and EU laws regarding privacy policies. In this column, I will provide more about privacy protection, or lack thereof, coming from the courts and regulatory bodies in the U.S. and a number of EU countries — and note what may be on the horizon for the future.
US Supreme Court Votes 9-0 Against Employee Privacy
Most readers know that the U.S. Supreme Court does not often vote 9-0 on any issue, so that fact, in and of itself, is significant. Many of us noted with great interest the U.S. Supreme Court’s 9-0 decision last June in favor of the City of Ontario, California. The Court ruled that a police officer was not entitled to privacy regarding text messages.
Here’s what happened: The Ontario Police Department allowed each police officer 250,000 text characters a month without charge on city-issued PDAs, and when they exceeded that limit, the police officers were charged personally. The city’s employment agreement said that employees should not expect any privacy with respect to their text messages. So, when Officer Quon’s boss saw that he was exceeding the 250,000 text character limit month after month, the boss asked Arch Wireless for copies of all his text messages. When Officer Quon’s boss saw the text messages, which included sexual content and other private matters, he concluded that many were not police business.
Officer Quon brought a lawsuit against the city claiming he had a constitutional right of privacy for those text messages. The city had a right to access data on its own email server, but the information stored at Arch Wireless consisted of private records, Quon argued, and under the 1986 Stored Communications Act, the city had no right to access that data. Actually, the 1986 Stored Communications Act was originally enacted to protect telephone records and is now used to prevent inappropriate access to Internet records stored at remote websites like Facebook, MySpace, Yelp and the like.
Ultimately the Supreme Court ruled that since Officer Quon used city-provided equipment, Quon should not have expected any privacy. The Supreme Court did not expand this ruling to a broader context. However, one important message stemming from this ruling is that employees in the U.S. should not expect support from the Supreme Court for privacy for anything they do with social media if they use employer-provided equipment and/or access those services using employer- provided Internet access.
Private Postings on Social Media May Not Be Subpoenaed
About a month before the Supreme Court issued the Quon ruling, U.S. District Judge Margaret Morrow ruled in Buckley H. Crispin v. Christian Audigier, Inc. et al that items posted on social media sites such as Facebook and MySpace that were not available to the public could not be subpoenaed. The Crispin case was a copyright infringement case regarding an oral agreement relating to the use of logos on certain garments.
Whether the Crispin case is appealed or not, the subsequent ruling in Quon may cause interesting court opinions in the future. If the social media postings in Crispin were made using employer’s equipment or Internet access, it would seem that privacy will no longer be available as a defense for subpoenas.
Google’s WiFi Capture on Street View Will Change Privacy Laws
In May 2010, Google admitted it captured unprotected WiFi data as it traveled around the world taking pictures for Google Street View. Class actions lawsuits have been filed against Google, and many countries in the EU have pursued a myriad of actions.
For example, in the Czech Republic, Street View is no longer available because the country saw it as an invasion of privacy. Google agreed to destroy ill-gotten WiFi data in Ireland. In the UK, Google will submit to an audit regarding the UK Data Protection laws, among other things. Interestingly, the U.S. Federal Trade Commission ultimately concluded that Google violated no U.S. privacy laws after completing its investigation.
In the wake of the recent Google privacy issues and concerns about how Facebook manages privacy, the European Commission recently announced that that the EU will seek stronger Internet privacy protection and ultimately update and/or revise the 1995 EU Data Directive.
Buzz Settlement on Privacy Violation
When Google started Buzz as a social media feature in early 2010, many of us thought that Google had finally figured out how to get with social media and compete with Facebook.
However, Google made a tragic mistake. It automatically enrolled Gmail users in Buzz, and Google determined who should be friends with whom without asking or receiving permission from anyone. No surprise that a class action suit was filed against Google for invasion of privacy.
A settlement was recently reached under which Google agreed to pay US$8.5 million to organizations focused on Internet privacy education and policy.
Since we are all living through this great wave of social change, it’s not really possible to predict exactly where we are headed. Privacy issues and rights are very different today than before the arrival of social media, and social media boundaries are constantly being tested — and now regulated.
Given the phenomenal growth in the use of social media and the resulting impact on culture around the world, we all need to stay tuned for radical changes to privacy laws and how they affect us in our personal, business and professional roles.
E-Commerce Times columnist Peter S. Vogel is a trial partner atGardere Wynne Sewell, where he is chair of the eDiscovery Team and Chair of the Technology Industry Team. Before practicing law, he was a systems programmer on mainframes, received a masters in computer science, and taught graduate courses in information systems and operations research. His blog covers contemporary technology topics.Vogel can be reached at [email protected]