A recent US case is a timely reminder that when you post information to a public website, you are likely to lost any expectation of privacy regarding the contents of the information. The principles of the case are broadly equivalent to the situation in New Zealand. But it also serves a wider warning that when you entrust your information to another person (or company), you may be parting with any real control you have over that information.
In the case of Moreno v Hanford Sentinel (2 April 2009) (judgment in PDF) a student living in a small town posted an entry on her MySpace page stating that she “despised” her town, and various critical comments about it. The entry was “signed” with her first name only. Possibly feeling the comments were a bit harsh, she removed the post six days later. However, shortly after the post was taken down, the town’s newspaper published the text of the original post under her full name. The revelation of her post caused a furore and incensed some townsfolk. The student’s family was threatened and abused, and the family business was affected.
The student attempted to sue for breach of privacy, on the grounds that her MySpace post was not intended to be published in a newspaper and brought to the attention of thousands of people. In other words, the student claimed she had an expectation of privacy (a key phrase in privacy law) that the post would only be read by her friends and followers on MySpace.
Quite sensibly, the Court ruled that someone who posts material on a public website cannot claim their privacy is breached if the article is disseminated to a wider audience:
“[The student’s] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material.”
The fact that the post was only “signed” with her first name did not matter, as her identity was able to be easily determined from her MySpace page. Most people would agree that this is a sensible outcome.
But what would the situation have been if the post had been private? That is, if the student had configured her profile so that only approved users could read her post? In the student’s case, the outcome may have been different if the post was restricted, and any limited publication was not so broad to have, in effect, waived any expectation of privacy. Similarly, if the student had emailed her message to a few close friends, it may be reasonable to assume an expectation of privacy. If her message was still not technically “public” but was emailed or made accessible to hundreds of people, including strangers, then it would probably be unreasonable to assume an expectation of privacy. It will always depend upon the facts.
Another potentially tricky situation that could arise is where a person configures a website to keep certain information private (e.g. restricting Facebook messages to friends), but the website decides to change the rules and make all information public and/or searchable. Most websites reserve the right to make changes to their terms and conditions, which are sometimes unpopular as Facebook recently proved. If a website that you post information to has the right to change its rules, then it is plausible that you will not be able to complain if they do so – although in New Zealand, there may a limited, after-the-fact remedy under the Privacy Act 1993.
For example, Principle 10 of the Privacy Act states that personal information must not be used for ulterior purposes (e.g. marketing), unless agreed at time of collection (with some exceptions).
However, by the time that someone has allegedly “breached your privacy”, such as by republishing a MySpace/Facebook post, the horse has bolted.
The example provided by Moreno v Hanford Sentinel, while unstartling, is a small subset of a much broader principle: be very careful entrusting sensitive information to other people, without understanding what rights you retain.