Internet law specialist and McGill grad Allen Mendelsohn, BCL/LLB’01, LLM’10, recently started a blog on his subject of expertise, with the goal of providing a general-audience-friendly, Canadian perspective on topics related to internet law, including contracts, criminal law and intellectual property.

In this column for Focus online, he shares his concerns about Facebook privacy practices.

Allen Mendelsohn, BCL/LLB’01, LLM'10Allen Mendelsohn, BCL/LLB’01, LLM’10

As of this past summer, it was estimated that 16.6 million Canadians are Facebook users, representing approximately half of the population. That is an astounding figure for any activity, let alone for a once-little website originally built for Harvard students to know who was who.

By way of comparison, 14.8 million Canadians voted in the 2011 Federal Election. The privacy of your ballot is sacrosanct; the privacy of your personal information on Facebook is – how should I put this diplomatically – open for discussion.

The personal data that is stored on Facebook’s servers, and thus available to both Facebook as a private corporation and to the public at large (depending on the user’s privacy settings) can be absolutely staggering. Your name, birth date, birthplace, current city of residence, educational history, your image itself, your likes, your dislikes, your friends and family, your job, your boss, your job history and on and on and on – basically everything short of your credit card numbers is there for the taking.

Facebook even very recently launched a “timeline” feature, which handily summarized all this information onto one page. What happens to that data, and who does what with it, has become the obsession of lawyers and governments alike.

Facebook has a long history of privacy issues. Google “Facebook privacy issues” and you will get 138 million results. This autumn, the U.S. Congress has asked the Federal Trade Commission to look into Facebook’s privacy issues. Last year, several EU countries expressed concern over Facebook’s treatment of personal data, and continue to probe Facebook to this day. Canada is no exception, and in fact has been at the forefront of taking on some of Facebook’s questionable practices.

Some background is in order here. Unlike many areas of internet activity in Canada, a person’s privacy is governed by a significant number of statutes, both federally and provincially. At the Federal level, The Personal Information Protection and Electronic Documents Act (S.C. 2000, c. 5, “PIPEDA”), as its name implies, extends a broad range of protection of personal information, both online and off. Québec has its own version of PIPEDA which applies intraprovincially, An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., c. P-39.1. This Act gives tangible effect to art. 35 C.C.Q. and art. 5 of the Quebec Charter of Human Rights and Freedoms, which guarantee a right to privacy and private life. British Columbia and Alberta also have provincial acts which protect personal information in the private sector.

PIPEDA is overseen and enforced (as much as possible given the Act’s lack of real teeth) by the Office of the Privacy Commissioner, headed by Jennifer Stoddart, BCL’80. Commissioner Stoddart became well-known in Canada and around the world when in 2009, she took on Facebook and won. Acting on a complaint from the University of Ottawa‘s Canadian Internet Policy and Public Interest Clinic, the Office released its own report that outlined the numerous ways that Facebook’s activities violated PIPEDA. In response to the report and public outcry, Facebook announced that it would review and update a number of its privacy practices for users worldwide, to conform to Canadian law.

If only that 2009 victory for privacy was the end to the story. With every new feature, with every technological “innovation,” has come a whole new set of privacy issues for Facebook. The list of Facebook privacy violations over the years reads like a Top 10 list of what not to do on the internet with personal information. It includes practices such as not deleting personal information when a user closes their account, and sharing the personal information with third parties. Just a few weeks ago, a self-described hacker discovered that Facebook was tracking its users’ internet visits to any website that has some sort of Facebook integration, which, these days, is just about all of them.

Facebook Founder and CEO Mark Zuckerberg famously stated in January 2010 that privacy is no longer “a social norm,” in that the younger generation is comfortable sharing their information online. This no doubt has contributed to Facebook’s policies over the years. While I personally have no issues sharing my information online (I have something called the “Un-Privacy Project” at my blog), I think Zuckerberg is off base here. You only have to witness the public reaction to every new Facebook privacy issue to see that privacy and protection of personal information is still in fact the social norm.

The other side of the Facebook privacy coin is how both private and public actors are using the information they find on Facebook; these issues are beginning to play out in tribunals across Canada. In a recent decision, the B.C. Labour Relations Board upheld the dismissal of two employees who were fired for negative comments they had made about their employer on Facebook. The Board held that the employees did not have a reasonable expectation of privacy where their comments could be read by hundreds of their Facebook friends. This echoed a 2009 Ontario Superior Court of Justice case where the Court held that Facebook postings could be used as evidence in a personal injury lawsuit.

Private lives and online personalities are becoming more intertwined than ever before. Facebook is at the forefront of these issues, for better or worse. How lawyers, judges, and legislators react now will shape the internet, and internet law, for decades to come.

Allen Mendelsohn graduated from the Faculty (where he served as President of the LSA) with a B.C.L. and an LL.B. in 2001. After working as a commercial litigator at a large Montreal firm for several years, he returned to his business roots to become Vice-President of a Montreal internet development company. He became fascinated with legal aspects of the internet, and returned to the Faculty to complete his LL.M. in 2010, where he focused his research and thesis on the internet. He now practices independently as a specialist in internet law, and writes about the topic at his blog, allenmendelsohn.com.