There has been a court ruling recently with significant implications for organisations with any kind of a data governance regime – particularly if it concerns the handling of personal information. What has triggered this all starts with a Facebook profile…
If you search for “Jeffrey Arlen Spinner” online you will find, among other things, a link to his Facebook profile. Follow that link and you’ll find a photo, along with a list of some of Jeffrey’s interests, and some very minimal biographical data – for instance, he admits that he’s male (thanks, I inferred that from the photo…), but is reticent about his age. If you have a Facebook account, you might even log on and have a look at his public profile page. On that page, you will see the following message:
“People who aren’t friends with Jeffrey see only some of his profile information. If you know Jeffrey personally, send him a message or add him as a friend.“
It would seem that Jeffrey has a pretty good grasp of the difference between data he’s willing to disclose via the profile visible to anyone with a computer, and data which is only accessible to those he has defined as friends using the preference settings Facebook makes available.
All pretty unremarkable – except that Jeffrey happens not to be plain “Mr Spinner” – he is in fact Acting Supreme Court Justice in Suffolk County, NY. In that role he recently ruled in the case of Romano v Steelcase Furniture, concluding that Mrs Romano’s Facebook postings should be disclosed in full (regardless of whether they were from her public or private pages, and irrespective of whether they were current or deleted) as part of the pre-trial discovery process.
The ruling is available online here. For those of you into that kind of thing, Justice Spinner’s Facebook page is here. He turned 51 some time in the last couple of months, by the way – and there’s a small prize for the first commenter who correctly works out how I know that.
Regrettably, the ruling raises far more issues than it resolves – but I’m not going to go through them exhaustively here, except to mention two specific issues. I must preface these by noting that I am not a lawyer, and nothing I write here should be construed as providing legal advice. If your organisation is or may be affected by the factors I describe below, you should seek qualified legal advice in support of any decision you contemplate.
First, Justice Spinner is prepared to cite case law from Colorado and even Canada, where it supports his view that Mrs Romano forfeited her right to privacy when she posted on Facebook… but he doesn’t mention the federal appeal ruling in Crispin v Audigien which, inconveniently, comes to the contrary conclusion.
Second, his judgement hinges, largely, on the question of what constitutes ‘making something public’ – and he takes a pretty binary view. For example, through his case citations he equates posting something on MySpace with “making it available to anyone with a computer and opening it up to public eye”. Well, I’m not on MySpace (Jeffrey is, by the way: apparently he is non-smoking, teetotal, straight… and a Libran, in case you’re interested), but a cursory glance suggests that it is quite possible for MySpace users to set their profiles to “friends only”. My attempt to browse some profiles on MySpace results in the following message:
“Sorry, the profile of xxxxxxxxx is only viewable by friends”
That suggests to me that it is possible to put information on MySpace without making it accessible to “anyone with a computer”.
I am more concerned by another sentence in Justice Spinner’s ruling. He says:
Mrs Romano “consented to the fact that her personal information would be shared with others, notwithstanding her privacy settings”.
It would be more accurate to say that she “consented to the fact that her personal information would be shared strictly in accordance with her privacy settings, but acknowledged the risk that security measures might fail to provide total protection against unwanted disclosures.”
Second, Justice Spinner can’t quote anything in the policy which says “by the way, your privacy settings have no material effect in restricting who can see your data and who can’t”. Of course not – because the whole purpose of the various privacy settings is to provide users with ways of segmenting their different audiences, and disclosing different data accordingly. They may not be implemented in such a way as to fulfil that aim effectively, but if so, that’s not Mrs Romano’s fault, nor does it weaken the extent to which she “exhibited an actual (subjective) expectation of privacy”, to quote from the ruling.
If Justice Spinner’s description of social network privacy were accurate, there would only be two privacy settings, labelled “Publish to everyone” or “Do not publish” – and that is manifestly not the case. Justice Spinner obviously knows that full well: not just because he himself publishes only selectively via Facebook, but also because in his ruling, he explicitly reasons that it is the information on Mrs Romano’s public pages which leads him to conclude that the information on her private pages might be germane to the case.
Personal privacy issues aside, though, what conclusions should enterprises draw from this ruling, in terms of the management of personal information?
Well, I think this should reinforce some existing messages about how enterprises should treat personal data. A former colleague of mine at Sun Microsystems, Michelle Dennedy (then CPO), pithily remarked that personal data ought to be treated like toxic waste. Manage it rigorously, be vigilant about the possibility of leaks, plan how to clean it up if there is one… and the golden rule: if at all possible, just don’t have it on the premises in the first place.
If Justice Spinner’s ruling sets a precedent for other similar judgements, there are significant governance implications for any organisation which either handles personal data, or attempts to enforce a data management distinction between data which is publicly available and data which is not. The ruling increases the likelihood that organisations can be compelled to re-discover and disclose data in response to legal actions between other parties – even if that data is otherwise considered not to be in the public domain, and even if it has supposedly been deleted. In this particular case, the administrative burden of satisfying Justice Spinner’s request will fall not on Mrs Romano or on Steelcase, but on Facebook.
Facebook now are not only made to look as though their privacy settings are both practically and legally meaningless; they also find themselves compelled to retrieve and disclose data which Mrs Romano had apparently deleted from (the private sections of) her Facebook pages. If your organisation handles personal data which the data subjects themselves are entitled to delete, then the implication of not actually destroying that data is that you may be compelled to retrieve it for disclosure. Of course, this is an entirely distinct governance problem from that of regulated organisations who have a statutory duty to retain data (such as financial records, clinical data and so on).
Even if it’s a matter of personal data which the data subjects have not opted to delete, organisations should carefully consider how effectively their retention policies are put into practice. It should be standard practice, under most data protection regimes, to retain personal data only for as long as it is needed… and to dispose of it thereafter.
If, in your organisation, “dispose of” does not mean “destroy”, you should evaluate the cost and governance implications, should you be required to find out whether or not you still hold that data, and to disclose it if you do.
You should also pay close attention to the possible impact in terms of reputation and good will, should you have to disclose data which a user reasonably believed would be kept private… and in this instance, “kept private” would clearly include the notion of “published selectively, to a user-defined audience”. In privacy terms, the trust relationship between users and service providers rests – to a great extent – on ensuring that what happens to users’ data is in line with what they expect to happen to it. (In fact, that happens to be a major topic of the research report I’ve just finished writing… but more of that anon).
So, Jeffrey (may I call you that, by the way? I feel I know you so well now…) if you read this, and if you’re in my neighbourhood, do look me up. If you’re a Libra, apparently we should get on really well…
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.