Barrister Toby Futter recently wrote a handy update on originality, authorship, and copyright in compilations. He discusses the en banc Australian Federal Court appeal of last year’s Telstra ruling that there was no copyright in a White Pages or Yellow Pages telephone directory (see my post A Feisty copyright ruling on the original decision). The Court followed the Australian High Court IceTV decision and dismissed the appeal, meaning that the original finding of no copyright stands. As Toby says:

The big question in New Zealand is whether that approach will be adopted here, and, if so, in what form.

We may find out this year – as his article notes, Toby is involved in two cases currently before the High Court in which copyright in compilations is at issue.

My colleague Stuart Bradshaw also commented on the Telsra appeal here:

“‘The case is a reminder that copyright law does not protect everything you can’t put under lock and key and unless such a law comes along, and is actually enforceable, businesses will need to figure out how to add value to their directories and data-collections that cannot be duplicated.”

Aussie ISP liability

Another Federal Court decision has, in a 2-1 majority, dismissed the film industry’s appeal against last year’s ruling that Aussue ISP iiNet was liable for copyright infringment on its network. While the decision is welcome news for iiNet, which has spent over AUD$6m defending itself, the Court did rightly leave the door open for liability to exist:

It does not necessarily follow from the failure of the present proceeding that circumstances could not exist whereby iiNet might in the future be held to have authorised primary acts of infringement on the part of users of the services provided to its customers under its customer service agreements.

The case turned to a large extent on the process by which the studios notified iiNet of the alleged copyright infringment, and if further steps had been taken by the studios, iiNet may have been liable for failing to disconnect users. Also, it may not be the end of the road, with the movie studios fairly likely to appeal the decision to the High Court.

The full judgment is here.

Facebook photos fair game?

The Herald reports:

The Press Council has rejected a complaint against the Herald on Sunday by a man upset a picture off the social networking site Facebook was used in print… In its decision, the Press Council said using a photo off the website was not a breach of its rules.

While the Press Council was not making any comment about copyright, the situation does of course raise copyright issues.

It may be increasingly common for media organisations to reproduce social networking content without permission of the copyright owner. There is a copyright exception for news reporting, however this is limited to “current events”. Care must be taken when copying Facebook images (and other content) without permission. The copyright in material uploaded to Facebook remains with the owner. While users cannot expect privacy in social networking sites, using copyright material without permission is more black and white.

• 35% of respondents are more concerned about individual privacy than 2 years ago.
• At the same time, “trust ratings” for most organisations holding personal data have increased since 2 years ago.
• 78% of under-30s use social networking sites.
• Approximately 57% of those users (estimated) believe social networking sites are “mainly private” places for sharing information.
• 54% of respondents were concerned about what social networking uses their personal information for.

One plausible interpretation is that at the same time we are becoming more aware and concerned about privacy issues, we are also becoming more ready to disclose information. This view would be supported by comments to a follow-up article at the NZ Herald website, which reported:

Facebook users who did not think they could protect their privacy outnumbered those who thought they could by four to one – and only one of them thought it was a bad thing.

There are several seemingly conflicting trends within this data, which bears out the overarching (and not entirely new) 64-million dollar conundrum of online privacy: people are willing to trade privacy for functionality, so to what extent should governments intervene? Do we need saving from ourselves?

The survey strongly confirms that New Zealanders do care about privacy, and a recent US survey confirmed the same in that country. Increasing education and awareness of privacy issues are key steps to empowering individuals to make their own, informed decisions, and New Zealand’s Privacy Commissioner is very much at the forefront of that process. It is also helpful when Facebook privacy concerns becomes front page news on our major daily newspaper (and not on a slow news day either).

More local coverage of this issue:

• Media7’s program this week discussed privacy on the internet
• Social site use rising as privacy fears grow
• Facebook must evolve or wither, say analysts

Private data may only be passed on and used for commercial purposes with the consent of the persons involved.

The problem with her complaint (at least in the way it is framed) is that Facebook’s privacy policy, not unreasonably, allows just that. Or, if it doesn’t (or didn’t previously) then Facebook has the right to change its terms of use (see clause 13). Facebook has already received “the consent of the persons involved”, at least regarding personal information about Facebook users, and can get further consent if necessary simply by changing its terms of use. The Latin phrase is volenti non fit injuria: no injury is done to a person who consents. (Of course, it’s informed consent that matters.)

And that’s the issue. Even if Facebook, or another popular site, included privacy-busting rules from day one, what is the likelihood there would be any lasting reaction from users? Very few users actually read website terms anyway. And even if people are vaguely aware of privacy issues, that still does not stop people from signing up if there is some perceived value. If people are willing to trade privacy for value, should the state intervene? Or even the United Nations (as has been mentioned by New Zealand’s Privacy Commissioner)? Compulsory privacy principles and voluntary best-practice standards on personal data storage, such as the new ISO standards for health records, is one thing. Intervening in freedom of contract is quite another.

As I have written previously, people cannot post things to social networks and still expect privacy. Social networks and other website are very aware of the privacy issues, and the potential threat of regulation. The majority of a social networking site’s potential value lies in exploiting (in a commercial sense) the personal data that their armies of users happily supply every day. That is why it is in their own best interest to implement reasonably strong privacy policies without hamstringing their own motives, but of course listening to user pressure when necessary.

It would require a major co-ordinated global effort to impose uniform privacy regulation on social networks – which is why that will not happen. Instead, the social networks will, for the most part, stay one step ahead of well-meaning (and otherwise) crusading politicians, safe in the knowledge that their users will back them if it means a trade off between their very real enjoyment of social networks, and some intangible, hard-to-grasp privacy “benefit”.

It is somewhat ironic that the organisations being labeled (by some) as the worst abusers of privacy are quite possibly doing the most to define and shape the future of privacy law.

Computerworld reports on an Employment Relations Authority decision upholding a restraint of trade clause for a former IT account manager. Restraint clauses are common in the IT industry, as in others, and can be particularly important given the significance of IP and know-how in the IT sector. The article notes that the decision “belies the commonly-held belief that restraint of trade clauses are difficult to enforce”. It is true that the ERA and the Courts will strike down or limit unreasonable restraint clauses, but in recent years the Courts have tended to uphold restraint clauses. The conduct of the parties post-termination is also likely to be relevant, with “bad behaviour” on either side likely to be taken into account by the relevant authority.

Website terms

My latest Computerworld article is now online: Analysis: Cases clarify requirements for website terms of use

Facebook privacy investigation

The EU is investigating whether posting photos and other information about people on Facebook without their consent is a breach of privacy law. Privacy is a rapidly developing area, and the EU (for better or worse) leads the world in this area. The policies adopted in the EU are likely to influence privacy policy in other jurisdictions, including New Zealand where the Law Commission recently recommended leaving privacy to develop at common law (i.e. develop “organically”). It is reasonable to expect that with privacy, where Europe goes, the UK will go; and where the UK goes, New Zealand will eventually go.

In the case Miller v Facebook (15 January 2010, US District Court, Georgia), the plaintiff claimed that part of Facebook’s terms and conditions did not apply – specifically, the clause requiring any claims to be brought in Facebook’s home state of California (known as a “forum selection” or jurisdiction clause). The court said:

“striking the forum selection clause could wreak havoc on the entire social-networking internet industry. If this court were to determine that the forum selection clause contained in Facebook’s TOU was unenforceable, the company could face litigation in every state in this country and in nations around the globe which would have potential adverse consequences for the users of Facebook’s social-networking site and for other internet companies”

The court therefore upheld Facebook’s forum selection clause.

Common law legal systems (such as New Zealand, the UK, the US and Australia) have long recognised “customs of merchants” (the lex mercatoria) in applying and shaping the law. There are good reasons why the common law has done so, going back many centuries: it provides certainty for commerce, recognised accepted “best practice”, and promoted uniformity conducive to trade. To ignore it would have been to potentially disrupt and destabilise commercial dealings.

For the same reasons, as the common law is continuously evolving, the customs of “e-merchants” should also be taken into account by courts.

This is likely to be relevant to the enforceability of website terms and conditions. There have been a number of cases in the past year involving disputes over whether or not website terms are binding (for example Website disclaimers – yes, they do work). Some have argued that a standard link to a disclaimer is insufficient. There are a number of legal grounds for finding it is sufficient (and a growing number of cases have upheld them – successful challenges are rare).

However, there is good argument that such practice is now also customary. Many websites have a disclaimer link, often at the bottom of the page. It is commonly understood that when you use a website, there may be “Terms of use” or “Disclaimer” link. That is accepted and, today, could be said to be the custom for online business. The common law should not disregard the accepted, reasonable and necessary practices established by modern merchants.

Although the Facebook decision is only a lower-court procedural ruling, it provides an encouraging demonstration of a court’s willingness to consider the new lex mercatoria (and other policy considerations), and the perils of the law ignoring them, relating to e-commerce.

“As more private lives are exported online, reasonable expectations are diminishing. When our reasonable expectations diminish, as they have, by necessity our legal protection diminishes”.

The reason is that the law attempts to balance the “reasonable expectations” of privacy with other considerations, such as freedom of information and free speech. In New Zealand, the Bill of Rights Act 1990, section 14, enshrines this freedom (as best it can, given the unsatisfactory state of that Act):

“14. Freedom of expression: Everyone has the right to freedom of expression, including the freedom to seek, receive, and impart information and opinions of any kind in any form”.

That right remains strong, but there is no doubt that “reasonable expectations” of privacy are rapidly shifting. In the article Dr O’Hara gives the example of an embarrassing photo taken at a party:

“A decade ago, he said, there would have been an assumption that it might be circulated among friends. But now the assumption is that it may well end up on the internet and be viewed by strangers.”

Another prime example is Google’s Street View. A decade or two ago there may have been some expectation of privacy when walking in the street (although as Katrine Evans of the University of Wellington, now Assistant Privacy Commissioner, notes there is a “considerable body of [precedent] which states that innocuous photographs of people in public places will not attract the protection of the common law”).

Today, Street View routinely photographs people in the streets; there is no doubt that this sort of occurrence will be a permanent part of our lives in some shape or form. Street View has various privacy measures in place (e.g. blurring faces) but there have been cases of people caught in compromising situations and a number of court cases have been fought or are pending.

A while ago I blogged (Don’t expect privacy in cyberspace) about a US case where a girl’s public MySpace rant – ostensibly intended only for her friends – was republished in a newspaper. She claimed a breach of privacy. The Court said:

“[The student's] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material”.

The US Court’s ruling was quite sensible, however it highlights the point that not only are expectations of privacy rapidly changing, but the avenues for disseminating private information (and thereby possibly redefining what constitutes reasonable expectations) are also expanding. This is happening at the same time that the law in many common law jurisdictions (e.g. UK, US, Canada, Australia & New Zealand) is still relatively unsettled and developing. The societal changes of “the Facebook generation” has already been recognised in data loss / information security incidents, and is equally relevant in privacy law.

It is worth noting that in New Zealand’s current leading case on privacy (Hosking v Runting [2005] 1 NZLR 1) the actual existence of a tort of privacy was only accepted by a 3-2 decision. Since that time, other jurisdictions have expanded their privacy laws more liberally than the Hosking case’s relatively narrow scope. Most recently the 2008 Max Mosley case in the UK (argued on the basis of breach of confidence and “unauthorised disclosure of personal information”) has thrown up a number of related issues likely to be explored in a future New Zealand case.

Due to reasons of cost, substantial court cases involving breaches of privacy are rare. It seems likely that, whatever currently a “reasonable expectation” of privacy is, it will have changed again by the time the next case is argued.

A recent US case is a timely reminder that when you post information to a public website, you are likely to lost any expectation of privacy regarding the contents of the information. The principles of the case are broadly equivalent to the situation in New Zealand. But it also serves a wider warning that when you entrust your information to another person (or company), you may be parting with any real control you have over that information.

In the case of Moreno v Hanford Sentinel (2 April 2009) (judgment in PDF) a student living in a small town posted an entry on her MySpace page stating that she “despised” her town, and various critical comments about it. The entry was “signed” with her first name only. Possibly feeling the comments were a bit harsh, she removed the post six days later. However, shortly after the post was taken down, the town’s newspaper published the text of the original post under her full name. The revelation of her post caused a furore and incensed some townsfolk. The student’s family was threatened and abused, and the family business was affected.

The student attempted to sue for breach of privacy, on the grounds that her MySpace post was not intended to be published in a newspaper and brought to the attention of thousands of people. In other words, the student claimed she had an expectation of privacy (a key phrase in privacy law) that the post would only be read by her friends and followers on MySpace.

Quite sensibly, the Court ruled that someone who posts material on a public website cannot claim their privacy is breached if the article is disseminated to a wider audience:

“[The student's] affirmative act [of publishing her post on MySpace] made her article available to any person with a computer and thus opened it to the public eye. Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material.”

The fact that the post was only “signed” with her first name did not matter, as her identity was able to be easily determined from her MySpace page. Most people would agree that this is a sensible outcome.

But what would the situation have been if the post had been private? That is, if the student had configured her profile so that only approved users could read her post? In the student’s case, the outcome may have been different if the post was restricted, and any limited publication was not so broad to have, in effect, waived any expectation of privacy. Similarly, if the student had emailed her message to a few close friends, it may be reasonable to assume an expectation of privacy. If her message was still not technically “public” but was emailed or made accessible to hundreds of people, including strangers, then it would probably be unreasonable to assume an expectation of privacy. It will always depend upon the facts.

Another potentially tricky situation that could arise is where a person configures a website to keep certain information private (e.g. restricting Facebook messages to friends), but the website decides to change the rules and make all information public and/or searchable. Most websites reserve the right to make changes to their terms and conditions, which are sometimes unpopular as Facebook recently proved. If a website that you post information to has the right to change its rules, then it is plausible that you will not be able to complain if they do so – although in New Zealand, there may a limited, after-the-fact remedy under the Privacy Act 1993.

For example, Principle 10 of the Privacy Act states that personal information must not be used for ulterior purposes (e.g. marketing), unless agreed at time of collection (with some exceptions).

However, by the time that someone has allegedly “breached your privacy”, such as by republishing a MySpace/Facebook post, the horse has bolted.

The example provided by Moreno v Hanford Sentinel, while unstartling, is a small subset of a much broader principle: be very careful entrusting sensitive information to other people, without understanding what rights you retain.