VYTAUTAS MAGNUS UNIVERSITY

FACULTY OF LAW

Agnė Jarušauskaitė

DOES SOCIAL NETWORKING SITE “FACEBOOK” LEGALLY COLLECT, USE and DISCLOSE USERS PERSONAL INFORMATION UNDER USA, EU and LITHUANIAN LAW?

The Law Master Thesis Integrated Law Studies Program, State Code 60101S103

Research Advisor: Professor Charles F. Szymanski

Defended: Dean Assoc. Prof. Julija Kiršienė 2011 06 __ .

Kaunas, 2011

TABLE of CONTENT

SUMMARY (SANTRAUKA)
SUMMARY
INTRODUCTION
1. SOCIAL NETWORKING SITES (SNSs) and “FACEBOOK”
  1.1. Social Networking Sites (SNSs)
  1.2. SNS “Facebook”
2. SNS “FACEBOOK” COLLECTS, USES and DISCLOSES USERS PERSONAL INFORMATION
  2.1. The Main Business Model of SNS “Facebook”
  2.2. Registration Process and Agreements
    2.2.1. “Statement of Rights and Responsibilities”
    2.2.2. “Privacy Policy”
  2.3. Risky Actions
3. DOES SNS “FACEBOOK” LEGALLY COLLECT, USE and DISCLOSE USERS' PERSONAL INFORMATION?
  3.1. Under USA Law
    3.1.1. The First and Fourth Amendments of the U.S. Constitution
    3.1.2. Tort Law of Privacy
    3.1.3. Federal and State Privacy Legislation
  3.2. Under EU Law
    3.3.1. The Directive 95/46/EC
    3.3.2. The Directive 2002/58/EC
    3.3.3. Guidelines for Social Networks
  3.3. Under Lithuanian Law
    3.3.1. The Republic of Lithuania Law on Legal Protection of Personal Data
    3.3.2. The Lithuanian Law on Electronic Communications
    3.3.3. The Lithuanian Law on Advertising
    3.3.4. The Republic of Lithuania Law on Copyright and Related Rights
    3.3.5. The Republic of Lithuania Law on the State Language
    3.3.6. The Republic of Lithuania Law on Consumer Protection
    3.3.7. The Civil Code of the Republic of Lithuania
    3.3.8. The Criminal Code of the Republic of Lithuania
CONCLUSIONS and RECOMMENDATIONS
BIBLIOGRAPHY LIST
APPENDICES

SUMMARY (SANTRAUKA)

The use of social networking sites has become very widespread recently, but their popularity raises more and more legal problems, especially with regard to privacy protection. Currently the most popular social networking site is “Facebook” (created and registered in the USA). According to data provided by “Facebook”, the site already has more than 500 million active users, and about 70 percent of them are from outside the USA. In addition, it is claimed that almost one million Lithuanian users have already created profiles on “Facebook”. The registration process on the site is free of charge, but SNS “Facebook” collects, uses and discloses service recipients' personal information for direct marketing purposes, and this raises growing concern about the protection of individuals' privacy in various countries. The aim of this paper was to answer the question: does the social networking site “Facebook” legally collect, use and disclose users' personal information under USA, EU and Lithuanian law? After a comprehensive analysis the answer to this question is: 1) yes, “Facebook” does so legally under USA law; 2) no, “Facebook” does so illegally under EU and Lithuanian legislation. Although in the USA the right to privacy constantly competes with freedom of the press and it is still not clear whether SNS “Facebook” is a public or a private space (different states take different views), the activity of “Facebook” is considered legal, because the courts of several states have already allowed, by their decisions, information on the site to be used as evidence in a case. Under EU and Lithuanian legislation a person's privacy is a fundamental human right and it must be protected, so the site has to meet certain requirements, particularly considering that personal information “leaves” the EU. The research revealed that such “Facebook” actions as failing to ensure data security, leaking data to third parties, user consent that is not clearly expressed and not unambiguous, concluding contracts with minors, etc., do not comply with the requirements of EU and Lithuanian legislation.

It also emerged that the social networking site “Facebook”, as a personal data controller, is required to register in Lithuania, but the database of the Lithuanian Register of Personal Data Controllers contains no record of “Facebook” having been registered. Under Article 22 of the Constitution of the Republic of Lithuania, “[i]nformation concerning the private life of a person may be collected only upon a justified court decision and only according to the law”, and “[t]he law and the court shall protect everyone from arbitrary or unlawful interference in his private and family life, from encroachment upon his honour and dignity”.

SUMMARY

Social networking sites (SNSs) are very popular nowadays. However, they also raise various legal issues, especially in privacy law. The most popular SNS is called “Facebook” (based in the U.S.). “Facebook” states that it has more than 500 million active users, about 70 percent of them outside the U.S., and almost 1 million of its users are already in Lithuania. “Facebook” is a free website and depends on online advertisements for revenue, so the main business model of SNS “Facebook” is the collection, use and disclosure of users’ personal information. Its practice has highlighted the importance of protecting privacy as a fundamental human right and has raised discussions all over the world, because there is still no privacy law universally accepted among all countries. The aim of this paper was to answer the question: does social networking site “Facebook” legally collect, use and disclose users’ personal information under USA, EU and Lithuanian law? After a comprehensive analysis the answer is: 1) yes, it does under USA law; but 2) no, it does not under EU and Lithuanian law. In the USA a person's right to privacy competes with the freedom of the press, and it is still not clear whether SNS “Facebook” is a public or a private place. However, in some states the courts have already ruled that information from “Facebook” may be used as evidence, and in New York it may be used even if a person’s information is under the strictest privacy controls. The position is quite different under EU and Lithuanian law. Such “Facebook” activities as an unsafe platform, data leaking to third parties, user consent that is neither clear nor unambiguous, unprotected minors, the collection, use and disclosure of non-users’ and fake profiles’ information, opt-out by default, archives of deleted information, unsuccessful searches for “Facebook” agreements in the Lithuanian language, an unsuitable form of information notifications, etc., do not comply with EU and Lithuanian law.

Furthermore, “Facebook” cannot provide its services in Lithuania at all, because it is not registered as a data controller in the Lithuanian Register. The Republic of Lithuania Constitution, Article 22, states: “[i]nformation concerning the private life of a person may be collected only upon a justified court decision and only according to the law”, and “[t]he law and the court shall protect everyone from arbitrary or unlawful interference in his private and family life, from encroachment upon his honour and dignity”. The perspectives: new legislation for SNSs in the USA, EU and Lithuania; much greater power for EU representatives in protecting persons' privacy.

INTRODUCTION

Social networking sites (SNSs) are becoming increasingly popular among internet users around the world. Their customers number in the millions, and statistics show that people already use SNSs more frequently than e-mail,[1] but they are not just a great tool of communication. Nowadays the most popular SNS is called “Facebook”, but recently “Wikileaks” founder Julian Assange said that “Facebook” is “the most appalling spying machine that has ever been invented”.[2] Moreover, scholars argue that using SNSs is addictive.[3] Usually SNSs give people the power to share and make the world more open and connected without any charge, and offer a quick and easy registration process, but an essential part of their business model is the collection, use and disclosure of personal information. The right to privacy is a fundamental human right and has long been protected, but it is increasingly difficult to control and maintain privacy protection on the Internet. The possible spread of damage can be huge, so privacy protection has become very important. Despite the fact that the collection, use and disclosure of personal information are regulated by law, SNSs and their users are not safe from various possible privacy risks. The content publishers of SNSs are their users, and it is possible that most of them do not know and/or do not observe the laws applicable to publishing content. Personal information posted to these kinds of sites often winds up being used in unexpected ways, for example, to check up on people, or is transferred to third parties as a database. Besides that, there is a real possibility that deleted information continues to be used by SNSs and others. An exhaustive list of possible privacy risks cannot be given here, and the damage caused by privacy infringements on an SNS can spread widely, across the whole network.

[1] Global Faces and Networked Places (Nielsen Report, 2009), p. 3; [last accessed May 14, 2011]
[2] Catharine Smith, “Facebook Responds To Assange Claim It Is A 'Spying Machine'”, HuffingtonPost (May 3, 2011) [last accessed May 14, 2011]
[3] Milo Yiannopoulos, Įkalinti tinkle: ką priklausomybė nuo interneto daro mūsų sveikatai, ekonomikai bei visuomenei? (Presentation, Conference “Login”, 2011); Social Networking: A Quantitative and Qualitative Research Report into Attitudes, Behaviours and Use (Ofcom Research, 2008), p. 24.

So, along with the benefits they offer, SNSs are also raising important privacy issues all over the world. It is not clear whether social networking sites legally collect, use and disclose users’ personal information. The answer depends on the choice of law, which is determined by country and region, because, despite the process of globalization, personal data are still protected by various different privacy laws that vary by country and region. For example, in May 2008, a study by the Privacy Commission of Canada found that the social website “Facebook” is in violation of Canadian law, and, as a result, SNS “Facebook” has taken corrective measures in accordance with its recommendations.[4] Despite the risks of SNSs and their popularity in Lithuania, there has not yet been any public analysis of how their activities comply with Lithuanian law. The aim of this paper is to answer the question: does social networking site “Facebook” legally collect, use and disclose users’ personal information under USA, EU and Lithuanian law?

• “Facebook”. There are many social networking sites in the world, but the most popular nowadays is the social networking site “Facebook”.
• Under USA law. SNS “Facebook” was founded in the United States.
• Under EU and Lithuanian law. The author of this paper is a Lithuanian law student, and Lithuania is a member of the European Union.

The tasks are:
1. To describe the phenomenon of social networks and the social networking site “Facebook”.
2. To identify the main and most risky ways in which the social networking site “Facebook” collects, uses and discloses users’ personal information.
3. To review the legislation of the USA in response to the question: does SNS “Facebook” legally collect, use and disclose users’ personal information under USA law?
4. To review the legislation of the EU in response to the question: does SNS “Facebook” legally collect, use and disclose users’ personal information under EU law?
5. To review the legislation of Lithuania in response to the question: does SNS “Facebook” legally collect, use and disclose users’ personal information under Lithuanian law?

This paper uses reviews, examples (case studies) and comparative analysis methods. There has been no restriction on SNS “Facebook” in the USA, EU and Lithuania so far, so the hypothesis is that SNS “Facebook” legally collects, uses and discloses users’ personal information under USA, EU and Lithuanian law.

[4] Elizabeth Denham, Findings into the Complaint Filed by the CIPPIC against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act (Report, Privacy Commission of Canada, 2009); [last accessed May 14, 2011]

1. SOCIAL NETWORKING SITES (SNSs) and “FACEBOOK”

1.1. Social Networking Sites (SNSs)

Academic and industry researchers distinguish the term “social networking site” from “social network site”, but in this paper the two are treated together and the often preferred vernacular term “social networking site” (SNS) is used.[5] Social networking sites (SNSs) have become increasingly popular among internet users around the world; their customers number in the millions, and social networks and blogs have become even more popular than e-mail.[6] SNSs are intended for individuals with similar interests and can be classified in various ways (depending on the criteria).[7] SNSs can be advantageous for businesses too (for search; many opportunities to advertise), so they are becoming more attractive than traditional marketing and advertising media (radio, television, etc.).[8] However, an SNS is not just a great tool of communication; it also raises various legal issues (especially in privacy law).[9] The typical SNS profile/page may contain various information about the user (traditionally considered private), and there are many reasons why someone might want to search for such information; however, many users fail to realize the import of that.[10] The registration process on an SNS is usually easy, quick and free of charge, but most of the sites rely on advertisements for revenue (and use users’ personal information for that); direct marketing is recognized as an essential part of the SNS business model, but most users are not encouraged to read privacy policies, most of the sites have features enabled by default, etc.[11]

[5] danah m. boyd & Nicole B. Ellison, Social Network Sites: Definition, History, and Scholarship, 13 J. Computer-Mediated Comm., Art. 11 (2007), p. 2; Dr. David Beer, Social network(ing) sites…revisiting the story so far: A response to danah boyd & Nicole Ellison, 13 J. Computer-Mediated Comm. (2008), p. 519.
[6] See supra note 1: Global Faces and Networked Places.
[7] Daniel Richter & Others, Internet Social Networking – Distinguishing the Phenomenon from Its Manifestations in Web Sites (17th European Conference on Information Systems, 2009), p. 6-8.
[8] Victoria Bolotaeva & Teuta Cata, Marketing Opportunities with Social Networks, JISNVC, Vol. 2010, Art ID 109111 (2010), p. 2, 3, 5.
[9] Kathryn L. Ossian, Miller Canfield Paddock & Stone PLC, Legal Issues in Social Networking (Institute of Continuing Legal Education, 2009), p. 9
[10] Rory Bahadur, Electronic Discovery, Informational Privacy, Facebook and Utopian Civil Justice, 79 Miss. L.J. 317 (Winter 2009), p. 12; Michelle D. Craig, Did You Twitter My Facebook Wall? Social Networking, Privacy and Employment Law Issues, 58 La. B.J. 26 (June/July, 2010), p. 1, 3
[11] Rohan Massey, Privacy and Social Networks: a European Opinion, 13 No. 4 J. Internet L. 1 (October, 2009), p. 5; Joseph Bonneau, Sören Preibusch, the Privacy Jungle: On the Market for Data Protection in Social Networks Privacy Jungle, the Eighth Workshop on the Economics of Information Security (WEIS, 2009), p. 14, 19.

SNSs have become a very powerful global weapon that may cause irreparable damage.[12] For example, there are more and more opinions that the 2011 revolutions in Tunisia, Egypt and Libya started on SNSs.[13] If such protests had taken place in Lithuania, such activities could have resulted in criminal proceedings under the criminal law of the Republic of Lithuania.[14]

1.2. SNS “Facebook”

The most popular SNS nowadays is called “Facebook”, and statistics show that it is the second most popular site in the world.[15] It has become so popular that a film called “Facebook” has even been made (it was nominated for Oscars and Golden Globes), the President of the U.S. invites its heads to dinner, children have already been named “Facebook”, etc.[16] SNS “Facebook” was founded in February 2004 in the U.S. At first it was available only to users of college and university e-mail addresses; in 2006 it was opened to all.[17] Now it presents itself as “a social utility that helps people communicate more efficiently with their friends, family and coworkers”, and states that “anyone can sign up for “Facebook” [,] interact with the people they know in a trusted environment”.[18] “Facebook” states that it has more than 2000 employees and already over 500 million active users (about 70 percent outside the U.S.);[19] it is obvious that Facebook is very popular all over the world: “50 percents of active users log on … in any given day”; “[p]eople spend over 700 billion minutes per month”; “over 900 mln. objects that people interact with”; “[a]verage user creates 90 pieces of content each month”; “[m]ore than 30 billion pieces of content shared each month”; “[e]ntrepreneurs and developers from more than 190 countries”; “[m]ore than 2.5 mln websites have integrated”.[20] In January 2011, it had more than 152 million users in the U.S., and almost 1 million in Lithuania.[21] Even the Queen of Great Britain decided to have a profile on “Facebook”, and this is not the only example of its popularity among heads of state, politicians or famous persons; “Facebook” touches even non-users.[22]

Under the “Facebook” Statement of Rights and Responsibilities, “Facebook” means “the features and services, made available, including: website at www.facebook.com and any other Facebook branded or co-branded websites (including sub-domains, international versions, widgets, and mobile versions); Platform; social plugins such as the like button, the share button and other similar offerings; other media, software (such as a toolbar), devices, or networks now existing or later developed.”[23]

From the privacy side, “[i]n the beginning SNS “Facebook” restricted the visibility of users’ personal information”, but “[o]ver the past couple of years, the default privacy settings for a “Facebook” user’s personal information have become more and more permissive”.[24] Thus “Facebook” is not a safe area at all, and it has raised various discussions about privacy protection all over the world.[25] “Facebook” users have started to sue it over privacy issues (in February 2011 the Lithuanian press reported that the first complaint about “Facebook” had been lodged with the police in Lithuania); in Canada it was found that SNS “Facebook” is in violation of Canadian law; Germans got exclusive provisions in the “Facebook” Statement of Rights and Responsibilities; Norway filed complaints after a year-long study of the site’s terms and conditions, etc.[26] For example, in Pakistan the use of Facebook was temporarily banned last year, and in China the use of Facebook is banned altogether.[27]

[12] Felix Hofer, Privacy issues in social networking: the European perspective (Studio Legale Associato, 2010), p. 6.
[13] “Libya cuts off internet service: Arbor networks”, Alarabia News (19 February 2011); [last accessed May 14, 2011]
[14] The Criminal Code of the Republic of Lithuania, Žin (2000, Nr. 89-2741), Art 283
[15] “Top Sites”, Alexa.com; [last accessed May 14, 2011]
[16] Adam Ostrow, “‘The Social Network’ Nominated for 8 Academy Awards”, Mashable.com (January 25, 2011); [l. acc. May 14, 2011]; “B.Obama susitiko su „Facebook“, „Google“ ir „Apple“ vadovais”, Delfi.lt (18 February, 2011); “Egiptietis dukrą pavadino „Facebook“”, Delfi.lt (22 February, 2011); [l. acc. May 14, 2011]
[17] Yasamine Hashemi, Facebook’s Privacy Policy and Its Third-Party Partnerships: Lucrativity and Liability (Boston University School of Law, 2009), p. 3; etc.
[18] “About Facebook”, Facebook.com; [last accessed May 14, 2011]
[19] “Active users” - returned in the last 30 days. “Facts about Facebook”, Facebook; [l. acc. May 14, 2011]
[20] “Statistics”, Facebook; [l. acc. May 14, 2011]

[21] “Facebook Statistics by country”; [February 28, 2011]
[22] “Karalienė prisijungė prie Facebook”, 15min.lt (November 7, 2010); [l. acc. May 14, 2011]; “You Have 0 Friends”, Studios (2010); [l. acc. May 14, 2011]
[23] See Appendix 2: Statement of Rights and Responsibilities, pr. 17.1.
[24] Matt McKeon, The Evolution of Privacy on Facebook (Research, 2010); [last accessed May 14, 2011]
[25] Legal Problems Arising from Social Media (2011); [last accessed May 14, 2011]; etc.
[26] Two Facebook users sue the social site over privacy issues (October 14, 2010); “Į policiją kreipėsi dėl apie nepilnametę dukrą sukurto šmeižikiško "Facebook" profilio”, (February 20, 2011); [l. acc. May 14, 2011]
[27] Habibullah Khan Islamabad, Facebook Banned in Pakistan (May 19, 2010); [l. acc. May 15, 2011]; First Twitter, now Facebook: banned in China (July 17, 2010); [l. acc. May 15, 2011]

2. SNS “FACEBOOK” COLLECTS, USES and DISCLOSES USERS PERSONAL INFORMATION

2.1. The Main Business Model of SNS “Facebook”

The main business model of SNS “Facebook” is the collection, use and disclosure of users’ personal information.[28] “Facebook” is a free website, so it depends on online advertisements for revenue; users on “Facebook” “pay” through secondary use of their personal data, e.g. for marketing.[29] The Marketing Bible and patents illustrate this clearly.[30] “Facebook” has become very important in advertising, and has attracted huge investments, not least because it is profitable.[31] “Facebook” says to advertisers: “you can be sure you are connecting with real people with real interest in your products”.[32] “People see SNSs as a fun and easy leisure activity”;[33] however, “publishing content can create a number of legal issues (defamation, copyright infringements, etc.)”.[34] Besides that, there are many privacy risks, because more and more unexpected ways of use are being disclosed.[35] For example, identity theft cases are rising increasingly fast (there are already more than 10 profiles of the President of Lithuania on “Facebook”), personal information has become readily available (it has almost become a duty to look over employees’ profiles on “Facebook”), collected information is not considered safe (anyone can download users’ personal information) and it is used for commercial purposes (data leaking to advertisers), etc.[36] Furthermore, there have already been various cases related to “Facebook”; for example, a nun was cast out of her monastery for her activities on “Facebook”; thieves were arrested after a message on “Facebook”, etc.[37] SNS “Facebook” is especially dangerous for minors and teenagers. As a criminal investigation disclosed, in January 2011 in Lithuania a 13-year-old girl was killed by a 14-year-old boy after they became friends on “Facebook”.[38] Despite that, teenagers try to protect themselves not from strangers, but from their parents; and according to research, “Facebook” is one of the most popular sites among minors aged 7-14.[39]

[28] See supra note 11: Rohan Massey.
[29] See supra note 17: Yasamine Hashemi, p. 2; “‘Free of charge’ may in fact not be ‘for free’ …” (Report and Guidance on Privacy in Social Network Services (Memorandum of Rome, IWGDP, 2008), p. 2)
[30] The Facebook Marketing Bible; [l. acc. May 15, 2011]
[31] “Worldwide Social Network Ad Spending: 2011 Outlook”, eMarketer (February 2011); [l. acc. May 16, 2011]; “„Facebook“ ruošiasi „parduoti“ mus?”, Technologijos.lt [last accessed May 15, 2011]
[32] Reach the Right People at the Right Time; [l. acc. May 15, 2011]
[33] See supra note 3: Social Networking, p. 8.
[34] Eric Goldman, Social Networking Sites and the Law (Santa Clara University School of Law, May 2007), p. 1; [last accessed May 15, 2011]
[35] See supra note 3: Social Networking, p. 54.
[36] Dalia Grybauskaitė (the President of Lithuania); See supra note 9: Kathryn L. Ossian, Miller Canfield Paddock & Stone PLC, p. 7; Barb Dybwad, Facebook and Others Caught Sending User Data to Advertisers (May 20, 2010); [l. acc. May 15, 2011]; etc.

2.2. Registration Process and Agreements

Registration is the official way to start collecting, using and disclosing users’ personal information. The registration process on SNS “Facebook” is quick, easy (it consists of just 3 steps) and free of charge.[40] “Facebook” states that “users provide their real names and information” and that “minors (under 13) can not become users” (age control is the argument for why it asks for a real date of birth).[41] Moreover, “[b]y default, “Facebook” generally assigns the most lenient and lax privacy settings when a user creates a new account”.[42] From the “Facebook” position, users indicate that they have read and agree to its “Terms of Use” and “Privacy Policy” by clicking the “Sign Up” button at step 2 of the registration process.[43] However, such user consent is neither clear nor unambiguous, because 1) the information about the agreements is in the smallest font size on the whole step 2 page; 2) it is mentioned only in step 2; and, even more, 3) step 2 can be skipped during the registration process altogether.[44] “Terms of Use” (“Statement of Rights and Responsibilities”) and “Privacy Policy” are the main “Facebook” agreements; however, whether they are “agreements” is open to question.[45]

[37] “Vienuolę išvarė iš vienuolyno už aktyvią veiklą „Facebook“ tinkle”, Delfi.lt (February 19, 2011); [l. acc. May 15, 2011]; “Policija suėmė banko plėšikus, kurie apie sėkmingą vagystę gyrėsi socialiniame tinkle „Facebook“”, 15min.lt (April 25, 2010); [l. acc. May 15, 2011]
[39] See supra note 3: Social Networking, p. 53; “TNS: vaikai internete dažniau bendrauja „Skype“ ir socialiniuose tinkluose nei el. paštu”, 15min.lt (April 4, 2011); [l. acc. May 15, 2011]
[40] See Appendix 1: Registration Process.
[41] See Appendix 2: Statement of Rights and Responsibilities, Pr. 4; See Appendix 1: Registration Process, Step 1
[42] Jay Schultz, Clark Turner, Facebook Creeping! The Ethics Involved with Employers Usage of Facebook (Research, 2008), p. 3.
[43] See Appendix 2: Statement of Rights and Responsibilities; See Appendix 3: Privacy Policy; See Appendix 1: Registration Process, Step 2.
[44] Id. (Registration Process, Step 2); just by clicking the page’s “close” button (the experiment was done on 11 March, 2011).
[45] They are difficult to find and read and are unclear for users, while they should be “clear and easy to follow”; “… [s]ome courts may decide it is not an enforceable contract at all” (See supra note 17: Yasamine Hashemi, p. 9).

2.2.1. “Statement of Rights and Responsibilities”

Under its “Statement of Rights and Responsibilities” (4024 words), users’ privacy is very important to “Facebook”, and the Statement is its way of disclosing to users how it collects and can use their content and information.[46] It also states that “[user] own all of the content and information [he] post on Facebook” ... “[and] can control how it is shared through [his] privacy and application settings”.[47] The same and further provisions apply to developers/operators, websites and advertisers.[48] “Facebook” discloses that it does its best to keep “Facebook” safe, but cannot guarantee it, and that users use it at their own risk.[49] Moreover, the necessity of “Facebook’s” prior written consent is mentioned several times, while the user’s consent need not be written and covers all purposes.[50] “Facebook” can change its Statement after three or seven days’ notice; the other side (the user) has no such possibility, and, furthermore, a user can amend the Statement only in written form signed by “Facebook”.[51] “Facebook” really can be called “a static consent and the dynamic web”.[52]

2.2.2. “Privacy Policy”

“Facebook” states that the Privacy Policy is designed to help users understand how it collects and uses information, but “[t]o fully understand Facebook's stance on privacy and users personal data, users have to wade through the company's [5,825]-word privacy policy, that is [1,282] words longer than the U.S. Constitution”.[53] The TRUSTe Program and “Safe Harbor” should let users feel safe (“Facebook” pays for that); however, TRUSTe's program covers only information that is collected through the “Facebook” web site, and the Privacy Policy does not apply to entities that “Facebook” does not own or control.[54] Moreover, the “Facebook” Privacy Policy states that “[Facebook] tries not to have information from children under age 13 ... [and] recommends that minors 13 years of age or older ask their parents for permission”, and also states that it “encourages parents to teach their children about safe internet use practices”; however, “tries”, “recommends” and “encourages” can be speculative too.[55]

Under its Privacy Policy “Facebook”:
“1) collects information from user (personal, friend information, content, etc.), interactions (site activity, access device and browser, cookie information), third parties (Platform, other webs) and other users;
2) uses personal information to manage the service, to contact user, to serve personalized advertising, social ads, to supplement users profile, to make suggestions, to help users friends to find him and to help user to share his information;
3) discloses information which depends on users privacy settings (name, profile picture, contact, posts, gender, birth date, etc.), when user invite a friend to join, choose to share information with marketers, etc.”

“Facebook” states that it is possible to remove information, but even deleted information may persist in backup copies for up to 90 days, and, for example, non-user contact information can be deleted, but possibly not all of it, even after a request.[56] Although “Facebook” claims that it discards information gathered about non-“Facebook” users, it does not share the fact that it is gathering this information from non-users, who may not even know that “Facebook” exists; “Facebook” has a practice of allowing users to upload email addresses, photographs and other personal details about people who haven't signed up to the site; and it makes no representations in the policy other than that it is a forum that members use at their own risk (privacy and safety information is difficult to find).[57]

[46] See Appendix 2: Statement of Rights and Responsibilities, Pr. 1.
[47] Id., Pr. 2
[48] Id., Prs. 9, 11
[49] Id., Prs. 3, 15.3.
[50] Id., Prs. 1.3.9., 4.9., 5.6., 11.11
[51] Id., Prs. 13; 18.5
[52] Joseph Bonneau, Static Consent and the Dynamic Web (University of Cambridge, June 18, 2009); [last accessed May 15, 2011]
[53] JR Raphael, “Facebook Privacy: Secrets Unveiled”, PCWorld (May 16, 2010); [last accessed May 15, 2011]
[54] See Appendix 3: Privacy Policy, Pr. 1.; Social Networking Privacy (Electronic Privacy Information Center, 2011); [last accessed May 16, 2011].

2.3. Risky Actions

“[T]he information on most user profiles is sufficient to uniquely identify their owners, even with the name removed”, but “users believe social networking sites have a responsibility to shield their data”.[58] However, as Ch. Poole stated, the cost of wrong actions with real names on the Internet can be very high (the Israeli soldier and serial rapist examples).[59] Personal information (comments, photos, etc.), once disclosed in a profile, will most likely become publicly available, but “Facebook” users are not well informed about the risks.[60] “Facebook” profiles contain a lot of personal information (political stances, sexual preferences, an e-mail address, phone number, home address, etc.),[61] so there is an opinion that “[o]ne of the major concerns about SNSs services is users’ control over the privacy of their information - or more accurately, control over who gets to view what they publish”;[62] however, “[t]he privacy controls enabled by Facebook are more opt-out than opt-in”, and “default settings still disseminates most profile changes to all of users' contacts”.[63] In April 2010 “Facebook” removed its users' ability to control who can see their own interests and personal information (applied just for new accounts).[64] “Facebook” cannot guarantee the protection and safety of personal information; for example, in April 2011 SNS “Facebook” accidentally turned on e-mail messages.[65]

Furthermore, in 2007 “Facebook” announced three new features involving partnerships with third-party websites: Public Search, Social Ads, and Beacon; with this involvement the “Facebook” platform integrates third-party content and gives developers access to user data, but “Facebook” does so without users’ formal consent (users did not permit their personal information to be used in an objectionable manner, especially in the context of third-party partnerships).[66] Besides that, “Facebook” records almost everything while a user is signed in, and its targeted advertising is based on users' listed interests and activities on the Internet (on and off “Facebook”);[67] and, in scholars’ opinion, “the range of users' personal information third party application developers may access without individual consent is vast”,[68] which can cause many privacy infringements.

[55] See Appendix 3: Privacy Policy, Pr. 1.
[56] Id., Pr. 7; Appendix 2: Statement of Rights and Responsibilities, Prs. 2.1, 2.2.
[57] “Is Facebook tagging a breach of privacy? EU court battle looms for social networking giant”, DailyMail.co.uk (March 24, 2010); [last accessed May 16, 2011]
[58] Adrienne Felt, David Evans, Privacy Protection for Social Networking Platforms (May 22, 2008), p. 1, 3
[59] Israeli soldier announced details of an upcoming military raid via Facebook; the murder conviction of a serial rapist who posed as a boy on the site (“Privacy chiefs keep watch over social media”, FizaNews.com (April 22, 2010); [May 16, 2011]).

60 Privacy Protection Issue on Social Networking Sites (October 12, 2010); [May 15, 2011]; See supra note 17: Yasamine Hashemi, p. 8, 9.
61 Lauren A. Matecki, Update: COPPA is Ineffective Legislation! Next Steps for Protecting Youth Privacy Rights in the Social Networking Era, 5 NW J. L. & Soc. Pol'y 369 (2010), p. 3, 15.
62 Matthew C. Clarke, Controlling Privacy on Social Networking Services (April 19, 2010); [l. acc. May 15, 2011]
63 “An opt-in system - allows users to flag the specific disclosures they wish to activate; an opt-out system allows widespread sharing of information, sometimes unknown to the user (See supra note 54: Social Networking Privacy)
64 Kurt Opsahl, “Updated: Facebook Further Reduces Your Control Over Personal Information”, (April 19, 2010); [l. acc. May 15, 2011]
65 “„Facebook“ daliai vartotojų netyčia įjungė el. pašto įspėjimus”, 15min.lt (April 20, 2011); [last accessed May 15, 2011]
66 See supra note 17: Yasamine Hashemi, p. 3, 14; See supra note 58: Adrienne Felt, David Evans; Id., p. 7.
67 US Court are Abusing Facebook Posts for Evidence (January 28, 2011); [last accessed May 15, 2011]; Samantha L. Millier, the Facebook Frontier: Responding to the Changing Face of Privacy on the Internet, 97 Ky. L.J. 541 (2008-2009), p. 4.
68 See supra note 61: Lauren A. Matecki, p. 16.

“Facebook” assures that it does not give users' content or information to advertisers without users’ consent; however, users’ photos and chats were disclosed to third parties, and third parties could publish content for users.69 For example, when “Facebook” programs disclosed users' personal information in October 2010, this affected even those users who try to keep their information under the strictest control.70 In January 2011 “Facebook” announced that it would temporarily stop disclosing users' telephone numbers and addresses to third parties; however, in February 2011 a “dating” site was caught importing 250,000 “Facebook” profiles without permission.71 After all, “Facebook” dropped the plan to disclose users' home addresses and personal phone numbers, but in March 2011 “Facebook” resumed it.72 Besides that, “Facebook” uses cookies (this is not obvious to “Facebook” users or controllable under the privacy settings, and it allows developers to maintain user information indefinitely).73 A new “Facebook” feature should increase the security of the user; however, it is not effective.74 Moreover, “Facebook” does not in practice prevent the gathering of information about consumers or the collection of a variety of data about users;75 according to research from February 2011, representatives of brands and trademarks try to have more and more fans on “Facebook” and use deceptive means for that purpose too, so it is already possible to buy “fans”.76 Problems with computer infections, identity thieves, scam artists, infected friends’ messages, and “official” fake “Facebook” messages have become a very reasonable fear.77

69 See Appendix 2: Statement of Rights and Responsibilities, Pr. 10.2; In May 2010 “Facebook” was caught leaking usernames, user IDs, and personal details to advertisers, and Facebook keeps a log of the IP address that accessed the account, the date and time, and what exactly the user did (clicking on an advertisement, looking at someone else's profile, etc.) (See supra note 36: Barb Dybwad)
70 “„Facebook“ vartotojai „parduoti“ reklamos agentūroms”, Technologijos.lt (October 19, 2010); [l. acc. May 15, 2011]
71 “„Facebook“ nebeteiks trečiosioms šalims duomenų apie vartotojus”, Alfa.lt (January 20, 2011); [last accessed May 16, 2011]; Ryan Singel, ‘Dating’ Site Imports 250,000 Facebook Profiles, Without Permission (February 3, 2011); [last accessed May 16, 2011]
72 “„Facebook“ dalins vartotojų informaciją”, Ekonomika.lt (March 2, 2011); [May 16, 2011]
73 It excludes the possibility of users to surf the internet anonymously; See supra note 54: Social Networking Privacy
74 Chinmoy Kanjilal, US Court are Abusing Facebook Posts for Evidence (January 27, 2011); [l. acc. May 16, 2011]
75 “Online Privacy: Using the Internet Safely”, Privacy Rights Clearinghouse (May 2011); [last accessed May 16, 2011]
76 Kostas Baubinas, “„Facebook“ fanai renkami ir apgaulingai”, Delfi.lt (March 29, 2011); [l. acc. May 16, 2011]
77 “Lietuva – nauja rinka „Facebook“ vartotojų tykantiems sukčiams”, 15min.lt (November 2, 2010); [l. accessed May 14, 2011]

3. DOES SNS “FACEBOOK” LEGALLY COLLECT, USE and DISCLOSE USERS' PERSONAL INFORMATION?

Privacy law is the area of law concerned with protecting and preserving the privacy rights of individuals.78 The right to privacy is a major fundamental human right.79 This statement is based on Article 12 of the Universal Declaration of Human Rights and Article 8 of the European Convention on Human Rights.80 Privacy of information is usually defined as the right of individuals to control information about them.81 Historically, the right to privacy existed even in the 18th century, but the roots of privacy law are in the U.S. (19th century; it is generally agreed that the first publication advocating privacy was the article “The Right to Privacy”).82 The first data protection law in the world was enacted in the Land of Hesse in Germany in 1970; this was followed by national laws in Sweden (1973), the U.S. (1974), Germany (1977), and France (1978).83 Although privacy protection is already codified, there is no privacy law universally accepted by all countries. For example, “[l]egal concepts like ownership of real property and contracts originated many hundreds of years ago and are now well established in law”; in contrast, “the right of privacy has only recently received legal recognition and is still an evolving area of law.”84 The expression of data protection in various declarations and laws varies, but all require that personal information must be: obtained fairly and lawfully; used only for the original specified purpose; adequate, relevant and not excessive to purpose; accurate and up to date; accessible to the subject; kept secure; and destroyed after its purpose is completed.85

78 “Privacy”, Wikipedia; [last accessed May 16, 2011]
79 Mindaugas Civilka, Asmens duomenų apsauga tarptautinėje ir EB teisėje, (Vilnius: VU, 2001), p. 7; Privacy and Human Rights (Overview, 2003); [May 16, 2011]
80 “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honor and reputation. Everyone has the right to the protection of the law against such interference or attacks.” (The Universal Declaration of Human Rights (the General Assembly of the U. N., 1948), Art. 12); “1. Everyone has the right to respect for his private and family life, his home and his correspondence. 2. …” (The European Convention on Human Rights (Rome: the Council of Europe, 1950), Art. 8)
81 See supra note 67: Samantha L. Millier, p. 5; See supra note 79: Mindaugas Civilka, p. 8.
82 See supra note 79: Mindaugas Civilka, p. 7; Samuel Warren, Louis Brandeis, The Right to Privacy, 4 Harvard Law Review 193-220 (1890); Ronald B. Standler, Privacy Law in the USA (1997); [l. acc. May 16, 2011]
83 See supra note 79: Privacy and Human Rights.
84 See supra note 82: Ronald B. Standler.
85 See supra note 79: Privacy and Human Rights.

The existing global privacy rights framework is criticized as incoherent and inefficient; except for the US, almost no country has in place Statute Law provisions or Self-Regulation guidelines specifically dealing with privacy issues on social networks, although in some jurisdictions dedicated rules are in preparation and likely to come into force in the near future.86 In April 2008 international privacy officials recommended social networking privacy safeguards.87 Under the guidance, providers must be transparent; live up to promises made to users; and use privacy friendly defaults.88 An analysis of “Facebook” principles of collecting, using and disclosing users’ personal information, its Privacy Policy and its Statement of Rights and Responsibilities shows that its practice does not comply with such guidance.89 SNS “Facebook” raises various legal discussions all over the world, and various measures are being taken.90 Thus, does SNS “Facebook” legally collect, use and disclose users’ personal information under USA, EU and Lithuanian law? An analysis of how SNS “Facebook” collects, uses and discloses users’ personal information is presented in section 2 of this paper. In the following parts of this paper it is compared with the USA, EU and Lithuanian legislation and case studies separately.

3.1. Under USA Law

The United States does not have a comprehensive privacy law framework.91 In the U.S. the concept of information privacy finds its basis primarily in the constitutional protections guaranteed by the First and Fourth Amendments, tort law of privacy and federal and state privacy legislation.92

3.1.1. The First and Fourth Amendments of the U.S. Constitution

The word "privacy" isn’t used in the text of the U.S. Constitution, but Amendment 4 states: “The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall

86 The Internet has brought new concerns about privacy, nowadays computers can permanently store records of everything (See supra note 109: Matthew C. Clarke); See note 17: Felix Hofer, p. 6.
87 The report identifies risks (the large amount of data collection; the misuse of profile data by third parties; insecure infrastructure and application programming interfaces) to privacy and security, provides guidance to regulators, service operators and users. (See supra note 29: Report and Guidance on Privacy in Social Network Services)
88 See supra note 54: Social Networking Privacy.
89 See supra note 29: Report and Guidance on Privacy in Social Network Services, p. 5-7.
90 See Section 1, p. 6; In May 2008, a Privacy Commission of Canada study found that Facebook was in violation of Canadian law. As a result, SNS “Facebook” has taken corrective measures according to the recommendations. For example, Germans have special exclusive conditions in the SNS Facebook agreement.
91 See supra note 17: Yasamine Hashemi, p. 9.
92 See supra note 67: Samantha L. Millier, p. 5.

issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”93 The same is written in the text of the California Constitution (which also declares privacy an inalienable right).94 The development of privacy law in the U.S. started in the 19th century, from the famous phrase of the courts: “the right to be let alone”; and, eventually, the “right of privacy” was included in the Restatement of Torts by the American Law Institute.95 In the U.S. a person's right to privacy competes with freedom of the press (free speech, explicitly mentioned in the First Amendment of the U.S. Constitution).96 “It is not yet clear exactly where the boundary between ‘freedom of the press’ and ‘privacy of individuals’ should be drawn.”97 The “Facebook” business model is based on users’ personal information.98 According to the first publication advocating privacy, “a privacy right violation claim would not be hold up if the ‘victim’ of the right to privacy violation gave consent or published the facts himself”.99 There is a real possibility of identity theft, fake profiles, tagging without consent, etc., on “Facebook”, so a privacy violation claim related to “Facebook” can be upheld, but the responsibility of “Facebook” is not clear here.

3.1.2. Tort Law of Privacy

Under tort law, “the public disclosure of private facts is a public disclosure of a private fact, which would be offensive and objectionable to the reasonable person, and which is not of legitimate public concern”.100 Tort actions have proven difficult to apply in the Internet context, but causes of action such as false light, public disclosure, and defamation may translate into the online social network context; however, in the U.S. the problems related to “Facebook” typically come from the dissemination of truthful (not false) information or pictures, so “applicability of false light and defamation torts in the Internet context is seldom recognized”.101

93 The U. S. Constitution (1787); The Fourth Amendment of the U. S. Constitution (1791)
94 The California Constitution (1849), Art. 1, Sec. 1, Sec. 13; “Facebook” applies the laws of the State of California (See Appendix 2: Statement of Rights and Responsibilities, Pr. 15.1.).
95 See supra note 82: Ronald B. Standler; Kristen Decker, Looking for Lagniappe: Publicity as a Culprit to Social Networking Websites, 6 Okla. J. L. & Tech. 51 (June 8, 2010), p. 4.
96 The First Amendment of the U.S. Constitution (1791)
97 See supra note 82: Ronald B. Standler.
98 See Appendix 2: Statement of Rights and Responsibilities, Prs. 5.9., 9.2.6., 9.3., 10.2; “Personal information”, Definition (18 U.S.C. § 2510)
99 See supra note 82: Samuel Warren, Louis Brandeis; Kristen Decker, p. 4.
100 See supra note 10: Rory Bahadur, p. 9.
101 See supra note 67: Samantha L. Millier, p. 10.

Moreover, in the U.S. confidential business information is treated as a property right, while confidential personal information is not, unless it is offensive and objectionable.102 In California, for example, personal information means an individual's first name or first initial and last name in combination with any one or more of the data elements (social security, driver's license, identification card, etc.), when either the name or the data elements are not encrypted; personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.103 Under American Jurisprudence the right to privacy is restricted to individuals who are in a place that a person would reasonably expect to be private (e.g., home, hotel room, telephone booth).104 Thus, there is no protection for information that either is a matter of public record or that the victim voluntarily disclosed in a public place; people should be protected by privacy when they “believe that the conversation is private, can not be heard by others who are acting in a lawful manner”.105 The mission of SNS “Facebook” is to give people the power to share and make the world more open and connected, but it is still not clear whether SNS “Facebook” is a public or a private place.106 “Facebook” does not seem to be a private place where users can expect to keep their privacy, but, under the “Facebook” Statement of Rights and Responsibilities, users own all of the content and information posted on “Facebook” and can control how it is shared.107 In scholars' opinion, “privacy should be conceptualized as a control over one's personal information both substantive information and behavioral information” and “users’ profiles on SNSs are fluid, holding the ability to be as private as an e-mail”.108

3.1.3. Federal and State Privacy Legislation

People want access to all information around them, but they also want complete control over their own information.109 The huge popularity of SNSs has increased the importance of protecting personal information, especially personally identifiable information (PII); thus, as a

102 See supra note 82: Ronald B. Standler.
103 The California Civil Code, Part 4, Title 1.81, Sec. 1798.80-1798.84, § 1798.82 (2009)
104 The American Jurisprudence 2d, Telecommunications § 209 (1974)
105 See supra note 82: Ronald B. Standler.
106 “The Main Information”; [l. accessed May 16, 2011]
107 See Appendix 2: Statement of Rights and Responsibilities, Pr. 2.
108 See supra note 67: Samantha L. Millier, p. 13. See supra note 95: Kristen Decker, p. 10; 18 U.S.C. § 2702(a).
109 Id.: Samantha L. Millier, p. 2.

result, since April 2010 there have been some standards for how PII should be protected in the U.S.110 The NIST guide on protecting the confidentiality of personally identifiable information states that organizations should minimize the use, collection, and retention of PII to what is strictly necessary to accomplish their business purpose and mission; “Facebook”, however, still requires all users to provide their real names and real information.111 In this situation two findings are possible: 1) real names and information are strictly necessary to accomplish the “Facebook” business purpose and mission; or 2) the requirements of this standard are not imperative. Otherwise it is not clear why this “Facebook” practice is not forbidden. “Facebook” states that real name and date of birth are necessary for authenticity and age-appropriate access to content, but it is not clear why this is strictly necessary and why safer methods, for example pseudonyms or a question about age, are not suitable in this case. According to the OECD Guidelines and its key principles, SNS “Facebook” could be liable for activities such as data leaking, unclear consent, an uncontrolled flow of fake profiles, and collecting, using and disclosing personal information of non-users or without the subjects’ prior direct consent.112 The development of the main federal privacy protection statutes started in 1978 with the Right to Financial Privacy Act, followed in 1986 by the Electronic Communications Privacy Act and the Stored Communications Act.113 However, there are different states, different court opinions, and different levels of privacy protection in the U.S. Nowadays in the U.S. there are several important statutes to consider when discussing the legal liabilities and obligations of social networking sites: the Digital Millennium Copyright Act (Section 512(c)), the Communications Decency Act (Section 230), the Federal Stored

110 The U.S. Children's Online Privacy Protection Act of 1998, § 1302(8), 1302(11); Erika McCallister, Tim Grance, Karen Scarfone, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (National Institute of Standards and Technology, April 2010), p. 7, 8; [May 16, 2011]; In 2011 the California State Supreme Court ruled that a person's ZIP code is PII too (Dana B. Rosenfeld, Alysa Z. Hutnik, Christopher M. Loeffler, California Supreme Court Holds Zip Code is PII under Song-Beverly Act (February 14, 2011); [l. acc. May 16, 2011]); however, in April 2011, the U.S. District Court (Illinois) ruled that the IP address cannot be a person's identifier (U.S. case: VPR Internationale v. Does 1-1017, Illinois Central District Court, No. 2:2011cv02068 (April 29, 2011)).
111 Id., p. 8; See Appendix 2: Statement of Rights and Responsibilities, Pr. 4.
112 Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Recommendation, OECD Council, 1980); [May 16, 2011]; See Section 2 of this paper.
113 Robert Terenzi, Friending Privacy: Toward Self-regulation of Second Generation Social Networks, 20 Fordham Intell. Prop. Media & Ent. L.J. 1049 (Spring, 2010), p. 7; RFPA (12 U.S.C. § 3401); ECPA (18 U.S.C. Part 1, Chapter 119); SCA (Id., Chapter 121)

Communications Act and the Can-Spam Act.114 “Facebook” is subject to their requirements and immunities.115 There is no current legislation regarding online advertising.116 Section 512(c) of the Digital Millennium Copyright Act removes liability for copyright infringement from websites that allow users to post content (as long as the site has a mechanism in place whereby the copyright owner can request the removal of infringing content; the site must also not receive a financial benefit directly attributable to the infringing activity). For example, a federal court in Florida granted a motion for mistrial after learning that several members of the jury located and read key information about the case online.117 By contrast, “11th Circuit Court of Appeals affirmed a lower court's denial of request for mistrial where a juror had viewed an unredacted version of the original indictment against the defendant on the court's web site, the appellate court reasoned that the access did not expose the jury to any new or additional facts and, therefore, did not prejudice the defendant”; “Congress generally protects site vendors from legal liability for user-supplied content”.118 A “Facebook” member agrees to a privacy policy that specifically states that user information may be made publicly available.119 Section 230 of the Communications Decency Act immunizes a website from any liability resulting from the publication of information provided by another.120 This usually arises in the context of defamation, but several courts have expanded it to cover other sorts of claims as well. The U.S. District Court has noted that the Communications Decency Act “encourages . . . ‘interactive computer services’ to create forums for people to exchange their thoughts and ideas by protecting web sites and interactive computer services from potential liability for each message republished by their services” and “SNS isn’t liable for sexual assaults committed by users against other users”.121 But immunity isn’t absolute, because it might be denied in

114 Kevin Fayle, Understanding the Legal Issues for Social Networking Sites and Their Users (September 18, 2007); [l. acc. May 16, 2011]
115 See supra note 17: Yasamine Hashemi, p. 13.
116 See supra note 67: Samantha L. Millier, p. 4.
117 “A website isn’t liable for hosting user copyright-infringing content unless the website receives a notice from the copyright owner and fails to promptly remove the content” (17 U.S.C. § 512(c)); U.S. case: United States of America v. Frank Hernandez, Florida District Court, no. 07-60027-CR-ZLOCH, March 10, 2009.
118 See supra note 9: Kathryn L. Ossian, Miller Canfield Paddock & Stone PLC, p. 9. See note 34: Eric Goldman.
119 See supra note 17: Yasamine Hashemi, p. 9.
120 “No provider or user … shall be treated as the publisher or speaker of any information provided by another information content provider.” (47 U.S.C. § 230(c)(1))
121 Id., p. 13; Liisa M. Thomas, Winston & Strawn LLP, Balancing Technology and Privacy: Emerging Rules in Online Behavioral Advertising, Mobile Marketing, Social Networking and Other Electronic Commercial Communications (Practising Law Institute, 2010), p. 9.

situations where the Web site operator is found to be partly responsible for the posted content; “[w]here a company is an active creator, it is unlikely to be afforded CDA immunity”.122 In scholars' opinion it is possible that “Facebook” encourages unlawful or tortious statements by its design, because users are presented with a template in which to enter personal information or any other type of information they like, defamatory or otherwise; besides that, the Decency Act could play into potential legal challenges against “Facebook” third-party partnerships on the grounds that members did not have proper notice of how “Facebook” would use their personal information.123 However, “courts have not imposed any affirmative screening duties on network providers”, and “have consistently protected providers from liability where third party system users publish defamatory or other harmful information”.124 In September 2010 a New York court ruled that material posted to online social networks (even what people post behind privacy settings) can be used as evidence in court.125 On the other hand, in California a judge interpreted the same statute quite differently, ruling that “if ‘Facebook’ wall is set to ‘everyone,’ then nothing is private, but if he restricted access to friends only, then information would be considered as private as an e-mail message”, and adding that “Facebook wall postings are not strictly ‘public,’ but are accessible only to those users plaintiff selects”.126 Besides that, a lot of U.S. lawyers say that they have already used or faced evidence plucked from “Facebook” and other SNSs.127 As a general matter, courts have traditionally found that by placing information about oneself on a public forum like the Internet, the claim to a reasonable expectation of privacy is lost.
The court stated that it was convinced that “placing information on the information superhighway necessarily makes said matter accessible to the public, no matter how many protectionist measures may be taken” and continued that it is “obvious that a claim to privacy is unavailable to someone who places information on an indisputably, public medium (Internet) without taking any measure to protect the information”.128

122 U.S. case: Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, U.S. Court of Appeals, 9th Circuit, nos. 04-56916, 04-57173, December 12, 2007 - April 3, 2008; See supra note 121: Liisa M. Thomas, Winston & Strawn LLP, p. 10.
123 See supra note 67: Samantha L. Millier, p. 9; See supra note 17: Yasamine Hashemi, p. 3.
124 Id.: Samantha L. Millier, p. 8.
125 U.S. case: Kathleen Romano v. Steelcase Inc., Suffolk County Supreme Court, September 21, 2010
126 Anita Ramasastry, Facebook and MySpace Postings in Court: In a Lawsuit, Privacy Settings May Not Matter (September 29, 2010); [last accessed May 16, 2011]
127 Leanne Italie, Divorce lawyers: Facebook tops in online evidence (June 28, 2010); [last accessed May 16, 2011]
128 See supra note 67: Samantha L. Millier, p. 7.

Some cases have held that “messages sent through social networking websites are subject to the Can-Spam Act”.129 An increasingly popular practice by many companies is to place on their websites a “send-a-friend” or “tell-a-friend” feature, but, under the Act, a sender, “when used with respect to a commercial electronic message, means a person who initiates such a message and whose product, service or Internet website is advertised or promoted by the message”; in a tell-a-friend situation, then, it is possible that even though the web visitor requests that the message be sent, the company will be viewed as the sender.130 In addition to the federal statutes that have been mentioned, several states have enacted or proposed laws that would create requirements for social networking sites. For example, California Law requires organizations to notify individuals when PII is known or believed to be acquired by an unauthorized person; Virginia has enacted a law requiring sexual offenders to register their email addresses and screen names, and allows police officers to create mechanisms for web sites to check user information against the resulting database; the North Carolina state senate and Connecticut legislators proposed bills requiring that parents and guardians register with a social networking site and verify their ages before their children can sign up for an account.131 Moreover, the New York state attorney-general challenged “Facebook” and reached a deal with it to introduce safeguards to reduce the risks to children from use of the site.132 “Facebook” would be in violation of such a requirement because its practice is usually to offer an opt-out function. Moreover, there is also a lot of uncertainty about users’ consent, changes to “Facebook” agreements and information notifications.
Although “Facebook” contends the consent is adequate, not everyone agrees.133 In 2007, the American Bar Association promulgated a series of recommendations to avoid legal issues with electronic contracting (the user must have adequate notice that the proposed terms exist; the user must have a meaningful opportunity to review the terms; the user must have adequate notice that taking a specified, optional action manifests assent to the terms; and the user must, in fact, take that action).134

129 See supra 121: Liisa M. Thomas, Winston & Strawn LLP, p. 9.
130 Id., p. 12
131 See supra note 103: California Civil Code, § 1798.29; See note 34: Eric Goldman; See note 114: Kevin Fayle.
132 Anne Barnard, “Facebook Agrees to More Safeguards”, The New York Times (October 17, 2007); [last accessed May 16, 2011]
133 See supra note 17: Yasamine Hashemi, p. 9.
134 Contracting in the Electronic Age (ABA Cyberspace Law Committee, August 11, 2007), Slide 6; [last accessed May 16, 2011]

In scholars’ opinion, the “Facebook” privacy policy and Terms of Use may fit the requirements for both procedural and substantive unconscionability.135 “All the California law requires is that companies post privacy policies on their websites that notify their users about the kinds of information collected from them, how this information is used, and to whom it is disclosed, among other things”; “otherwise, an individual could bring a challenge against ‘Facebook’ privacy policy on the grounds that it is unconscionable”; “however, despite the fact that in the U.S. courts the terms of use agreement has been held as ‘illusory and unenforceable’ already, until recently, nearly every time a court faced a clickwrap agreement, it found it enforceable and binding upon the parties”.136 Thus, under U.S. law everything is all right with “Facebook” agreements. Copyright infringement (without permission) can result in both criminal and civil liability.137 For example, over the last several months the U.S. Government has seized more than 70 sites, domain names; in March 2011 came the first arrest of a website operator that illegally streamed copyrighted sporting events.138 Overall, despite the fact that not all “Facebook” activities (data leaking, “opt-out”, for example) comply with USA legislation, in the courts' opinion SNS “Facebook” legally collects, uses and discloses users' personal information under USA law, and “Facebook” posts can be used as evidence. Their main argument is that “Facebook” users cannot reasonably expect privacy when they place information about themselves on a public forum like the Internet. However, “Facebook” should not be complacent, because such a finding is very fragile and may be just a question of time. Its Statement of Rights and Responsibilities confuses users.
According to research, social networks need to take several actions to sufficiently safeguard their users' information; privacy policies need to be explicit and understandable to the layperson in order to create a clear and definable legal relationship between the user and the site, especially with regard to data leaking and identity theft.139 There is an opinion that it is important that the federal

135 See supra note 17: Yasamine Hashemi, p. 12.
136 Id., p. 10-12; See supra note 113: Robert Terenzi, p. 12, p. 15.
137 See supra note 9: Kathryn L. Ossian, Miller Canfield Paddock & Stone PLC, p. 4.
138 HSI agents arrest website operator that illegally streamed copyrighted sporting events (U.S. Immigration, Customs Enforcement, March 3, 2011); [May 16, 2011]; “JAV teisėsauga prieš piratavimą – nuo tinklapių blokavimų iki pirmojo suėmimo”, Technologijos.lt (March 12, 2011); [l. acc. May 16, 2011]
139 See supra note 113: Robert Terenzi, p. 20.

government take action and that the civil justice system is in need of major repair.140 According to the World Privacy Forum, “self-regulation has been a proven failure”; and most privacy advocates believe that self-regulatory principles are weak and are not likely to result in meaningful protection for consumers; “federal laws, not the advertising industry, must provide consumers with the ability to control their own information”.141 In April and May 2010 complaints were filed against “Facebook”; in October 2010 two members of the U.S. Congress hit “Facebook” with a series of questions about the latest privacy issues surrounding the site's most popular applications; in December 2010, the Obama administration called for an online privacy bill of rights; in February 2011 Chairman Leahy announced a new subcommittee on privacy and technology, in order to protect “Americans’ privacy in the digital age”.142

3.2. Under EU Law

In the European Union privacy is a fundamental human right – “the individual’s right to privacy” – so companies and governments must respect it.143 Besides that, EU Data Protection Commissioners state: “Protecting user privacy and securing the user’s personal data has become one of the most imperative goals of today’s society.”144 The European Union stance differs strongly from the self-regulatory, free market approach favoured in the U.S.145 “The European Union's efforts and legislative scheme is an aggressive, comprehensive attempt to both reign in SNSs use of their users' personal information and protect the European citizenry.”146 However, the European Commission does not regulate on privacy issues, leaving it up to the EU’s 27 member states, but it can issue guidelines or directives for corporate practices.147 Contrary to

140 See supra note 10: Rory Bahadur, p. 21; See supra note 67: Samantha L. Millier, p. 2.
141 Donald S. Clark, Re: Comments of the World Privacy Forum concerning FTC's proposed principles, Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles (World Privacy Forum, April 11, 2008); [last accessed May 16, 2011]
142 See supra note 140: Online Privacy: Using the Internet Safely; Marc Rotenberg and Others, In the Matter of Facebook, Inc., Complaint, Request for Investigation, Injunction, and Other Relief to Federal Trade Commission (Electronic Privacy Information Center, May 5, 2010); [last accessed May 16, 2011]; David Goldman, “Obama administration calls for online privacy bill of rights”, CNN Money (December 10, 2010); [last accessed May 16, 2011]; Sen. Franken To Chair New Subcommittee on Privacy, Technology and the Law (February 14, 2011); [last accessed May 16, 2011]
143 The Convention for the Protection of Human Rights and Fundamental Freedoms (Rome, 4.XI.1950), Art. 8
144 See supra note 8: Victoria Bolotaeva & Teuta Cata, p. 6.
145 See supra note 57: Is Facebook tagging a breach of privacy? EU court battle looms for social networking giant
146 See supra note 113: Robert Terenzi, p. 19.
147 See supra note 59: Privacy chiefs keep watch over social media.

some States in the U.S., for example, in October 2010 a Danish media tribunal ruled that media do not in principle have access to use information posted in closed profiles because information on closed profiles is reserved to people -- the “Facebook” 'friends' -- who have been authorised to access the profile.148 Under EU law, the term "personal data" (similar to PII) shall mean any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.149 The European Union requires all member states to legislate to ensure that citizens have a right to privacy and to create a Data Protection Authority to protect its citizens' privacy through directives.150 The key pieces of privacy protection legislation in the European Union are the Data Protection Directive of 1995 (Directive 95/46/EC)151 and the e-Privacy Directive of 2002 (Directive 2002/58/EC)152. They evolved from the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980)153 and the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981)154.

3.3.1. The Directive 95/46/EC

The Directive 95/46/EC is based on the idea that “privacy is a fundamental human right,” and has eight basic principles that limit the scope of personal data collection and dissemination.155 The Directive aims to give individuals extensive control over the use and

148 Danish court blocks media from quoting Facebook 'friends' (October 13, 2010); [last accessed May 16, 2011]
149 The Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such, Art 2(a)
150 See at 113: Robert Terenzi, p. 19.
151 See at 149: Directive 95/46/EC.
152 The Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
153 See supra note 196: OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
154 The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28.I.1981)
155 “The Directive provides that personal data may only be collected for “explicit and legitimate purposes, …[and] collections of data [may] be maintained only to the degree that they are relevant to the purpose for which they were collected, and that data be maintained in an accurate and . . . up-to-date form.” The Directive provides further protection by reflecting “an ‘opt-in’ system, under which each individual must provide unambiguous consent to the collection and use of personal information.” A data controller must inform individuals of the purposes for which their personal data may be used, and individuals must be given “a reasonable opportunity to access the data and to force the correction or deletion of inaccurate or inappropriately collected information.” (See supra note 67: Samantha L. Millier, p. 11)

dissemination of personal data, and imposes affirmative duties upon those entities that collect and manage such personal information; “[a]lthough there has been a great deal of criticism concerning the adoption and implementation of the Directive's policy goals in individual European Union Member States, many countries have successfully implemented such policies”.156 The Data Protection Directive applies to SNSs in most cases, even if the provider's headquarters are located outside of the European Economic Area.157 In November 2003, the European Court of Justice (“ECJ”) determined that: posting individuals' names and telephone numbers (as well as information regarding their working conditions and hobbies) on a web site did indeed constitute the "processing" of personal data for the purposes of the Data Protection Directive; web site operators posting personal data online are not subject to the legal regime governing the transfer of personal data unless (1) they actually send the personal information to Internet users who did not intentionally seek access to the web pages, or (2) the server infrastructure is located in a non-EU country; the Data Protection Directive applies to the non-profit sector too.158 The court's finding highlighted the fact that Europe's data protection regime is extremely far-reaching.
Thus, the Directive prohibits the transfer of personal data to a country or territory outside the European Economic Area (EEA159) unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.160 An exception applies where the data subject has freely given valid consent to the transfer, revocable at any time; the practical implications for compliance with these strict requirements must be considered by the SNS provider and factored into the design of its SNS and relevant terms of use or privacy policy.161 Under the Directive personal data may be processed only if the data subject has unambiguously given his consent.162 Analysis of the “Facebook” registration process has disclosed that SNS “Facebook” doesn't comply with such

156 Id.
157 See supra note 149: Directive 95/46/EC, Arts. 4(1)(a), 4(1)(c), 2(d); Opinion 1/2008 on data protection issues related to search engines, Article 29 Data Protection Working Party (April 4, 2008), p. 3, 10, 11, 24; [last accessed May 17, 2011]; See supra note 11, Rohan Massey, p. 2; Leigh Phillips, “EU to force social network sites to enhance privacy”, Guardian.co.uk (March 16, 2011); [last accessed May 17, 2011]
158 Jacqueline Klosek, “European Court Establishes Broad Interpretation of Data Privacy Law”, FindLaw; [last accessed May 17, 2011]
159 The 27 EU member states, and Iceland, Liechtenstein, and Norway
160 See supra note 149: Directive 95/46/EC, Art. 25.
161 See supra note 11: Rohan Massey, p. 2; “The data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed.” (See supra note 149: Directive 95/46/EC, Art. 2(h))
162 Id., Art. 7(a).

statements because: information about the “Facebook” terms of use and privacy policy was disclosed in the smallest font size on the whole sheet;163 in the “Facebook” Statement of Rights and Responsibilities unambiguous consent is not mentioned at all and its users are not encouraged to get the unambiguous consent of other people;164 on the other hand, “Facebook” requires its own prior written consent to be obtained.165 “Consent”, especially when it appears near “prior written consent”, can be interpreted widely, so it is possible that “Facebook” misleads its users. SNS “Facebook” allows users to contribute data about other people, such as adding a name to a picture, rating a person, listing “people I have met/want to meet” at events, and this tagging may also identify non-members, the implication being that the processing of such data about non-members by the SNS may be performed only if it complies with Article 7 of the Directive.166 The Data Protection Directive requires data to be “adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed.”167 For example, in December 2008 the ECJ ruled that the storage and processing of personal data containing individualized personal information in such a register for statistical purposes cannot, on any basis, be considered to be necessary within the meaning of Article 7(e) of Directive 95/46; only anonymous information needs to be processed in order for such an objective to be attained.168 SNS “Facebook” should consider carefully whether it can justify forcing its users to act under their real identities rather than under pseudonyms.169 Moreover, anyone whose data is processed on an SNS has access and rectification rights in relation to that data.170 Members and non-members must have the right of access, correction, and deletion, and the SNS homepage should therefore clearly refer to the existence of a “complaint handling office” that can deal with data protection and privacy issues and complaints.171 SNS “Facebook” does not comply with that. SNS providers are urged to take “appropriate technical and organizational measures” to maintain security and prevent unauthorized processing,172 and they must inform users of their

163 See Appendix 1: Registration process, Step 2.
164 See Appendix 2: Statement of Rights and Responsibilities, Prs. 5.7, 5.9, 9.3, 10.3.
165 Id., Pr. 3.9
166 See supra note 11: Rohan Massey, p. 4; See supra note 149: Directive 95/46/EC, Art. 7.
167 Id., Art. 6.1(c).
168 Case: C-524/06 Huber v. Federal Republic of Germany [16 December 2008] ECR I-9705.
169 See supra note 11: Rohan Massey, p. 6.
170 See supra note 149: Directive 95/46/EC, Arts. 12, 14
171 See supra note 11: Rohan Massey, p. 6.
172 See supra note 149: Directive 95/46/EC, Art. 17(1); See supra note 11: Rohan Massey, p. 3.

identities and the different purposes for which they process personal data.173 These would include, for example, usage of data for direct marketing purposes, possible sharing of data with specified categories of third parties, and the use of sensitive data. It would also include an overview of how the SNS provider builds its user profiles, in particular how they are created and from what data sources.174 If a profile form includes questions relating to sensitive data, it must be made “very clear” that answering such questions is completely voluntary.175 However, “Facebook” does not follow such a practice. Besides that, the data subject has a right to object to personal data being processed for the purposes of direct marketing, and the right to object free of charge to such disclosures or uses must be expressly offered under the Directive,176 but no such possibility was found in the “Facebook” terms of use or privacy policy; moreover, “Facebook” activities (data leaking examples) disclose that “Facebook” infringes the Directive's provisions. SNS providers are obliged not to keep personal data “longer than is necessary for the purposes for which the data were collected or for which they were further processed”; and any information deleted by a user when updating his or her account should not be retained.177 However, the “Facebook” agreements state differently. The data controller is unable to avoid the responsibility and obligation to ensure security of data processing under the Directive; and the Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if the third country in question ensures an adequate level of protection.178 “Adequate” can be speculative,179 but “Facebook” discloses that it does its best to keep “Facebook” safe but cannot guarantee it,180 and that users use it at their own risk.181

173 See supra note 149: Directive 95/46/EC, Art. 10.
174 See supra note 11: Rohan Massey, p. 4.
175 See supra note 149: Directive 95/46/EC, Art. 8.1; See supra note 11: Rohan Massey, p. 4.
176 Id., Art. 14(b)
177 Id., Article 6; See supra note 11: Rohan Massey, p. 5.
178 See supra note 149: Directive 95/46/EC, Art. 17(2), Art. 25(1)
179 “The European Commission's Directive on Data Protection would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. In order to reduce the uncertainty of “adequacy” the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework in 2000.” SNS Facebook privacy policy states that it complies with Safe Harbor privacy principles (Safe Harbor Privacy Principles, The U.S. Department of Commerce (July 21, 2000); [last accessed May 17, 2011]); See supra note 79: Privacy and Human Rights; Mindaugas Civilka, p. 111.
180 See Appendix 2: Statement of Rights and Responsibilities, Pr. 3.
181 Id., Pr. 15.3

3.3.2. The Directive 2002/58/EC

The e-Privacy Directive of 2002 concerns the processing of personal data and the protection of privacy in the electronic communications sector.182 The Directive 2002/58/EC states that "electronic mail" means any text, voice, sound or image message sent over a public communications network which can be stored in the network or in the recipient's terminal equipment until it is collected by the recipient.183 Under the e-Privacy Directive the provider of a publicly available electronic communications service must take appropriate technical and organisational measures to safeguard the security of its services, and the measures shall ensure a level of security appropriate to the risk presented.184 Besides that, in case of a particular risk of a breach of the security of the network, the provider of a publicly available electronic communications service must inform the subscribers concerning such risk and, where the risk lies outside the scope of the measures to be taken by the service provider, of any possible remedies, including an indication of the likely costs involved.185 Furthermore, Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned.186 SNS “Facebook” does not comply with such provisions.187 Even if the SNS had the means to contact the non-user and inform him or her about the existence of this personal data, the SNS provider would be in breach of the rules on spam in the e-Privacy Directive if it were to send an email invitation to join the SNS in order to access the personal data.188 When, for example, an SNS allows users to send invitations to third parties, the prohibition in the e-Privacy Directive on the use of email for direct marketing will not apply if the communication is personal.189

182 See supra note 152: Directive 2002/58/EC.
183 Id., Art. 2(h)
184 Id., Art. 4(1)
185 Id., Art. 4(2)
186 Id., Art. 5(1)
187 See Appendix 2: Statement of Rights and Responsibilities; See Appendix 3: Privacy Policy.
188 See supra note 11: Rohan Massey, p. 4.
189 “For that to be the case, the SNS must comply with the following criteria: 1) no incentive is given to either sender or recipient; 2) the provider does not select the recipients of the message; 3) the identity of the sending user must be

3.3.3. Guidelines for Social Networks

The popularity of SNSs raises various issues with regard to European data protection.190 In 2008, the Commission convened some of Europe's major social networks as well as researchers and child welfare organizations to discuss guidelines for the use of social networking sites by children, and "The Safer Social Networking Principles for EU"191 were voluntarily adopted by the industry in February 2009.192 They identified that the risks on the sites include cyberbullying, grooming and risky behaviour like revealing personal information, and they aim to limit these risks by, for example, ensuring that private profiles of users under the age of 18 are not searchable; preventing under-age users from using their services (if a social networking site targets teenagers over 13, it should be difficult for people below that age to register), etc.; the provisions laid down in EU Directive no. 136 of 2009 (amending the previous ECD no. 58 of 2002, etc.) significantly impacted the marketing industry.193 In June 2009, the Article 29 Working Party stated that direct marketing is recognized as “an essential part of the SNS business model”, but it is also required to “comply with relevant provisions of both Data Protection and ePrivacy Directive”,194 that SNSs (“Facebook” was mentioned) need more regulation to ensure that the personal data of their respective users is not put at risk, and that even though the majority of sites that the report mentioned are based in the United States, the group stated their large presence in Europe means that they should be subject to European Union privacy and data protection legislation.195

clearly mentioned; and 4) the sending user must know the full content of the message that will be sent on his behalf.” (See supra note 11: Rohan Massey, p. 5)
190 Id., p. 1.
191 Dr Rachel O'Connell and Others, Safer Social Networking Principles for the EU (February 10, 2009); [last accessed May 17, 2011]
192 Safer social networking: the choice of self-regulation (Europe's Information Society, 2010); [last accessed May 17, 2011]; see supra note 11: Rohan Massey, p. 6.
193 Social Networking: Commission brokers' agreement among major web companies (February 10, 2009); [last accessed May 17, 2011]; Id., p. 1; The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws; See supra note 17: Felix Hofer, p. 6.
194 “The Article 29 Working Party is independent and acts in an advisory capacity.” (See supra note 11: Rohan Massey, p. 1); See supra note 17: Felix Hofer, p. 4.
195 Robin Wauters, EU Advisory Group Proposes Tighter Privacy Regulation On Social Networks (June 24, 2009); [last accessed May 17, 2011]

Thus, in June 2009 the European Union issued new privacy rules for social networks in the form of guidelines, applying to any social network available in Europe irrespective of where that network is headquartered.196 Obligations: 1) SNS should inform users of their identity, and provide comprehensive and clear information about the purposes and different ways in which they intend to process personal data; 2) SNS should offer privacy-friendly default settings; 3) SNS should provide information and adequate warning to users about privacy risks when they upload data onto the SNS; 4) Users should be advised by SNS that pictures or information about other individuals should only be uploaded with the individual's consent; 5) At a minimum, the homepage of SNS should contain a link to a complaint facility, covering data protection issues, for both members and non-members; 6) Marketing activity must comply with the rules laid down in the Data Protection and e-Privacy Directive; 7) SNS must set maximum periods to retain data on inactive users. Abandoned accounts must be deleted; 8) With regard to minors, SNS should take appropriate action to limit the risks.197 However, “Facebook” profiles have been accessible by default since January 2010;198 users have to opt in to ensure that their photographs and other information can be viewed only by friends, etc.
The EU Commission is currently in the process of reviewing the general EU legal framework on the protection of personal data; the main policy objectives are: to modernise the EU legal system for the protection of personal data, in particular to meet the challenges resulting from globalisation and the use of new technologies; to strengthen individuals' rights, and at the same time to reduce administrative formalities to ensure a free flow of personal data within the EU and beyond; to improve the clarity and coherence of the EU rules for personal data protection; and to achieve a consistent and effective implementation and application of the fundamental right to the protection of personal data in all areas of the European Union's activities.199 For that purpose, in May 2009 it organised a wide stakeholders' conference on data protection and launched a public consultation about the future legal framework for the fundamental right to protection of

196 Opinion 5/2009 on online social networking, Article 29 Data Protection Working Party (June 12, 2009); [last accessed May 17, 2011]
197 Ezra Rosser, Europe Issues New Privacy Rules for Social Networks (June 24, 2009); [last accessed May 17, 2011]
198 See supra note 157: Leigh Phillips.
199 Review of the data protection legal framework, the European Commission (2010);

personal data in the EU.200 The public consultation was concluded in December 2009. Further targeted stakeholders' consultations were held in 2010.201 In April 2010 German consumer protection minister Ilse Aigner wrote an open letter to “Facebook”, expressing her concern for the SNS users after the changes proposed in March.202 In May 2010 the Article 29 Data Protection Working Party wrote a letter to the social networking site, describing the change in default privacy settings as "unacceptable".203 In October 2010, data-protection officials criticized “Facebook” for putting users' personal information and privacy at risk with its policy changes, and there is already an opinion that it is “essential to have effective provisions on remedies and sanctions” including “criminal sanctions in case of serious data protection violations”; for example, in February 2010 a court sentenced three Google officials to six-month terms, which were suspended; they were held responsible after a group of Turin school students filmed themselves bullying an autistic classmate and uploaded a clip to Google Video in 2006.204 In November 2010 the Commission adopted a strategic Communication on a comprehensive strategy on data protection in the European Union highlighting its main ideas and key objectives on how to revise the current rules on data protection.205 It is possible that legislation will be put forward in 2011.206 In November 2010 a resolution on data protection and privacy in the third millennium was passed at the Europe conference of ministers of justice.207 In February 2011 the Article 29 Data Protection Working Party adopted Opinion 9/2011 on the revised Industry Proposal.208 In March 2011 it was

200 Personal data - more use, more protection? (Conference, The European Commission, 2009); [last accessed May 17, 2011]
201 EU Citizens' Rights – the Way Forward (Conference Report, Brussels, 1-2 July, 2010); [last accessed May 17, 2011]
202 Rosalie Marshall, “EU data officials question Facebook privacy”, Secure Business Intelligence (May 14, 2010); [last accessed May 17, 2011]
203 See supra note 39: Jeremy Kirk.
204 Google, Facebook may be targeted by new EU laws (October 23, 2010); [last accessed May 17, 2011]
205 A comprehensive approach on personal data protection in the European Union, The European Commission (Brussels, November 4, 2010); [last accessed May 17, 2011]; See supra note 199: Review of the data protection legal framework.
206 Id.
207 Resolution No. 3 on personal data and privacy protection in the third millennium (November 26, 2010); [last accessed May 17, 2011]
208 Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, Article 29 Data Protection Working Party (February 11, 2011); [last accessed May 17, 2011]; Privacy and Data Protection Impact Assessment Framework for RFID Applications, the European Commission, (January 12, 2011); [last accessed May 17, 2011]

announced that the EU intends to force “Facebook” and other SNSs to make high standards of privacy the default setting: “'Right to be forgotten' would ensure users of “Facebook” and other sites could completely erase personal data”.209 Scholars offer guidance with regard to how legal regimes should adjust to the increasing concern over privacy invasion on the Internet.210 “Facebook” believes it already complies with EU law and says it is working alongside Brussels officials in the revision of data protection legislation that was enacted in 1995, in the early days of the internet. “Facebook is fully engaged in the debates around the review of the European Union's data protection directive,” said a company spokeswoman, Sophy Silver. “We work closely with data protection authorities across the EU and with the European commission and parliament.” Silver said “Facebook” users were already able to remove their data completely from view, after which it took a few weeks to clean up the company's servers.211 Thus, on the basis of this research it is possible to say that “Facebook” does not legally collect, use and disclose users' personal information under EU law. Privacy is a fundamental human right under EU law and should be protected; however, “Facebook” doesn't ensure the safety and security of personal data, and user consent is not unambiguous and clear. “Facebook” is in violation of the Directive 95/46/EC, the Directive 2002/58/EC and the EU Guidelines for Social Networks.

3.3. Under Lithuanian Law

Lithuania is a member of the European Union and, as other member states, shall protect the fundamental rights and freedoms of natural persons, in particular their right to privacy with respect to the processing of personal data.212 The phenomenon of SNS, especially of SNS “Facebook”, is widespread in Lithuania like in other European Union countries.213 Almost 25 percent of Lithuania's people are users of SNS “Facebook”, and it seems that this number tends to grow as generations change; according to research, more than 48 percent of internet users in Lithuania use SNS “Facebook” (a much bigger proportion than in Poland, Latvia or Estonia).214 However, most Lithuanian children

209 See supra note 157: Leigh Phillips.
210 See supra note 67: Samantha L. Millier, p. 12.
211 See supra note 157: Leigh Phillips.
212 See supra note 149: The Directive 95/46/EC, Arts. 1(1), 8(7)
213 Lithuania is at 75th place (See supra note 21: Socialbakers.com).
214 “Socialiniai tinklai populiariausi tarp nedirbančio jaunimo ir namų šeimininkių”, Marketer.lt (October 16, 2010); [last accessed May 17, 2011]; “Facebook tyrimai”, Kitoks.lt (2011); [last accessed May 17, 2011]

do not understand well what personal data is and publish too much personal information about themselves on SNSs; according to research, 65 percent of Lithuanian children have an SNS profile and, more often than children from other European countries, disclose their address and telephone number.215 Such a situation can be explained, for example, by an unsuccessful search for the SNS “Facebook” Terms of Use and Privacy Policy written in the Lithuanian language. Despite the fact that more than 70 translations are already available on the site (Lithuanian included), it is still not possible to read the “Facebook” agreements in Lithuanian. On the other hand, even the politicians of Lithuania (well known public persons, possibly an example for others) ignore prohibitions and ask for support on “Facebook”; various movements, protests and campaigns spread on “Facebook” almost every day.216 Besides that, “Facebook” has become very important for business in Lithuania too. At the last IT conference in Lithuania, business integration in “Facebook” was chosen as the trend of the year.217 Lithuanian companies attract customers and advertise their goods or services on “Facebook”, ignoring the Lithuanian law on advertising and “Facebook” prohibitions.218 More and more civil and criminal infringements are related to “Facebook”.
For example, in January 2011, in Lithuania, a 13-year-old girl was killed by a 14-year-old boy after they became friends on “Facebook”;219 in February 2011, a Lithuanian teenage girl saw that there was a fake defamatory profile of her on “Facebook” and told her mother, after which the first such complaint was filed with the police in Lithuania.220 There is no strong history of data protection in Lithuania; however, in October 2002 the Constitutional Court of the Republic of Lithuania highlighted that personal privacy is inviolable although the right to privacy is not absolute, and the Supreme Court of Lithuania has on multiple occasions reaffirmed the right to private life to be one of the most fundamental human rights.221

215 “Vaikai atskleidžia per daug asmeninės informacijos internete”, Lietuvos vartotojų institutas (March 3, 2011); [last accessed May 16, 2011]; “Socialinį profilį turi 65 proc. Lietuvos vaikų”, Lrt.lt (April 18, 2011); [last accessed May 17, 2011].
216 “Rinkiminės agitacijos draudimas socialiniame tinkle „Facebook“ negalioja?”, 15min.lt (February 27, 2011); [last accessed May 17, 2011]
217 Login 2011 (Conference, Vilnius, March 17-18, 2011); [last accessed May 17, 2011]
218 The Republic of Lithuania Law on Advertising (July 18, 2000, No VIII - 1871), Arts. 8, 13; See Appendix 2: Statement of Rights and Responsibilities, Prs. 3(1), 4(4), 16(2)
219 “Trylikametės nužudymas”, 15min. (2011); [last accessed May 17, 2011]
220 See supra note 43: Į policiją kreipėsi dėl apie nepilnametę dukrą sukurto šmeižikiško "Facebook" profilio
221 Dėl Lietuvos Respublikos visuomenės informavimo įstatymo 8 straipsnio ir 14 straipsnio 3 dalies atitikties Lietuvos Respublikos Konstitucijai, the LR Constitutional Court decision (Vilnius:, October 23, 2002);

The Constitution of the Republic of Lithuania, Article 22, states: “The private life of a human being shall be inviolable. Personal correspondence, telephone conversations, telegraph messages, and other communications shall be inviolable. Information concerning the private life of a person may be collected only upon a justified court decision and only according to the law. The law and the court shall protect everyone from arbitrary or unlawful interference in his private and family life, from encroachment upon his honour and dignity.”222 Article 2.23 of the Civil Code of the Republic of Lithuania elaborates the ways of protecting the right to privacy embedded in Article 22 of the Constitution.223 In May 2000, the Constitutional Court of the Republic of Lithuania ruled that a person cannot expect privacy if he is carrying out activities of a public nature and he understands or is capable of understanding this, and such a person's activity is not covered by Article 22 of the Constitution of Lithuania or Article 8 of the European Convention on Human Rights and Fundamental Freedoms.224 There is no specific legislation for online social networks, virtual communities, online behavioural marketing or search engine privacy in Lithuania,225 but, in the opinion of EU officials, Lithuanian law could be applied.226 Jurisprudence in the field of privacy and data protection is not extensive in Lithuania. The reason for this status quo could be the novelty of the field and the fact that Lithuanians rarely refer to the courts or other institutions over violations of their private life; the majority of cases regarding privacy protection relate to conflicts between two constitutional rights - the right to private life and the right to freedom of expression - and, in the majority of cases, violations of the right

[last accessed May 17, 2011]; Ž.Ž. v Ltd Ekstra Žinios, the Supreme Court of Lithuania (14 August 2008, No. 3K-3-393/2008); S.Š. and V.Š. v Ltd Lietuvos rytas, the Supreme Court of Lithuania (2 January 2008, No. 3K-7-2/2008); “Lithuania – Privacy Profile”, Privacy International (January 22, 2011); [last accessed May 17, 2011].
222 The Constitution of the Republic of Lithuania (came into force on November 2, 1992).
223 “1. Privacy of natural person shall be inviolable. Information on person’s private life may be made public only with his consent … 3. Establishment of a file on another person’s private life in violation of law shall be prohibited … 4. Public announcement of facts of private life, however truthful they may be, as well as making private correspondence public in violation … form the basis for bringing an action for repairing the property and non-pecuniary damage ….” (The Civil Code of the Republic of Lithuania (July 18, 2000, VIII-1864), Art. 2.23)
224 Dėl Lietuvos Respublikos operatyvinės veiklos įstatymo 2 straipsnio 12 dalies, 7 straipsnio 2 dalies 3 punkto, 11 straipsnio 1 dalies ir Lietuvos Respublikos baudžiamojo proceso kodekso 1981 straipsnio 1 bei 2 dalių atitikimo Lietuvos Respublikos Konstitucijai, the LR Court decision (Vilnius, May 8, 2000).
225 See supra note 221: Lithuania – Privacy Profile.
226 In a speech to the European parliament, the EU justice commissioner, Viviane Reding, warned companies such as Facebook that: "A US-based social network company that has millions of active users in Europe needs to comply with EU rules." They must prove that they need to keep the data, rather than individuals having to prove that collecting their data is not necessary." Newman said companies "can't think they're exempt just because they have their servers in California or do their data processing in Bangalore. If they're targeting EU citizens, they will have to comply with the rules." (See supra note 157: Leigh Phillips).

to privacy or the right to an image have been found.227 For example, in August 2008, the Supreme Court of Lithuania ruled that a person’s previous activities (previously not avoiding talking to the media and revealing information which is considered to be intimate) shall not be considered consent to publish information about the person’s private life.228 Under Lithuanian law, personal data shall mean any information relating to a natural person, the data subject, who is identified or who can be identified directly or indirectly by reference to such data as a personal identification number or one or more factors specific to his physical, physiological, mental, economic, cultural or social identity, and data processing shall mean any operation which is performed with personal data.229

3.3.1. The Republic of Lithuania Law on Legal Protection of Personal Data

Lithuania has an Act on Legal Protection of Personal Data.230 Under the Act, SNS “Facebook” is a data controller. First of all, it is very important to say that, under the Act, data controllers shall be registered in the State Register of Personal Data Controllers;231 however, a search for SNS “Facebook” in the Register was not successful.232 Thus, this is the first reason why SNS “Facebook” does not legally collect, use and disclose users' personal information under Lithuanian law. Secondly, the Act states that “data controllers” have various duties.233 For example, they must ensure that personal data are processed accurately, fairly and lawfully, and are identical, adequate and not excessive in relation to the purposes for which they are collected and further processed. However, “Facebook” uses almost all personal data that has been collected, even if the data was collected from fake profile accounts or without non-users' consent, and lets

227 See supra note 221: Lithuania – Privacy Profile. Id.
228 See supra note 221: Lithuania – Privacy Profile.
229 The examples of operations: collection, recording, accumulation, storage, classification, grouping, combining, alteration (supplementing or rectifying), disclosure, making available, use, logical and/or arithmetic operations, retrieval, dissemination, destruction or any other operation or a set of operations. (The Republic of Lithuania Law Amending the Law on Legal Protection of Personal Data, Žin (February 1, 2008, I-1374), Article 2(1), 2(4))
230 Id.
231 Id., Art. 34(1)
232 The State Register of Personal Data Controllers, Homepage; [last accessed May 17, 2011]
233 “Data controller shall mean a legal or a natural person which alone or jointly with others determines the purposes and means of processing personal data. Where the purposes of processing personal data are laid down in laws or other legal acts, the data controller and/or the procedure for its/his nomination may be laid down in such laws or other legal acts.” (See supra note 229: The Republic of Lithuania Law Amending the Law on Legal Protection of Personal Data, Art. 2(7)).

third parties copy such data. Besides that, “Facebook” asks for real names, dates of birth, etc., without proving that this is really necessary. Thirdly, under the Act personal data may be processed, for example, if the data subject has given his consent or a contract to which the data subject is party is being concluded or performed.234 The collection, use and disclosure of personal information on SNS “Facebook” is based on the user’s consent, expressed by a single press of the “sign in” button during the registration process, after which “Facebook” holds that its agreements are concluded. However, this type of consent is not expressed clearly, in a written or equivalent form, and cannot be unambiguous evidence of the data subject’s free will. There are various interpretations and different opinions about the validity of a “Facebook” user’s consent, especially when it is related to identity theft. The Supreme Court of Lithuania has ruled that consent for direct marketing purposes should be prior, and that it cannot be given at the same time as the electronic means of communication is used.235 Thus, “Facebook” practice does not comply with such statements. Besides that, the possibility to refuse consent is not clear and easily realisable: if a person wants to use or is using “Facebook”, he has no possibility not to give consent for marketing, and there is no such practice as “each offer” at all, so it does not comply with Article 14 of the Act either.236 Furthermore, “Facebook” activities do not comply with the Act because the “average consumer” is not well informed and does not know his rights properly, while “Facebook” has a duty under the Act to inform well; visitors and users, especially infrequent users, do not get information properly; they are not informed about their right to object, even though “Facebook” has a duty to inform them about it.237

234 “Consent shall mean an indication of will given freely by a data subject indicating his agreement to the processing of his personal data for the purposes known to him. His consent with regard to special categories of personal data must be expressed clearly, in a written or equivalent form or any other form giving an unambiguous evidence of the data subject’s free will.” (Id., Art. 2(11), Subp. 1(1) and 1(2) of Art. 5)
235 Asmens duomenų tvarkymas tiesioginės rinkodaros tikslu (Teismų sprendimų apibendrinimas, Valstybinė duomenų apsaugos inspekcija, 2011), p. 6; [last accessed May 17, 2011]
236 “1. Personal data may be processed for direct marketing purposes only after the data subject has given his consent … 3. The data controller must provide a clear, free-of-charge and easily realisable possibility for the data subject to give or refuse giving his consent for the processing of his personal data for direct marketing purposes. 4. Data controller … at the time of each offer.” (See supra note 229: The Republic of Lithuania Law Amending the Law on Legal Protection of Personal Data, Art. 14). This could be verified by a quiz of its users, for example.
237 The European Court of Justice has ruled that the average consumer is a reasonably well informed and reasonably observant and circumspect consumer (The Jurisprudence of the Administrative Court of the Republic of Lithuania, No.8, p. 29-30); See supra note 229: The Republic of Lithuania Law Amending the Law on Legal Protection of Personal Data, Arts. 23, 24, 25, 26, 27, 28 and 29. For example, the Facebook habit of giving the opt-out function by default, ineffective ways of notification, etc. (See Section 2 of this paper); Id., Arts. 24, 27(1).

Finally, under the Act the data controller must implement appropriate organisational and technical measures intended for the protection of personal data, and these measures must ensure a level of security appropriate to the nature of the personal data to be protected and the risks represented by the processing, but “Facebook” practice does not comply with that, because of: “no guarantee”, “on your own risk”, examples of data leaking to third parties, not ensuring the security of advertisement platforms, etc.238 Besides that, “Facebook” does not have issues about the correctness of personal data provided by the data subject and does not notify the State Data Protection Inspectorate without delay, while it should.239 Of course, “Facebook” is not the only one failing in its duties; the State Data Protection Inspectorate does not perform well either. Still, in some situations “Facebook” should notify the State Data Protection Inspectorate about the processing of personal data by automatic means; however, there is no information about any such “Facebook” practice.240 Thus, the collection, use and disclosure of personal data on SNS “Facebook” violate the Republic of Lithuania Law on Legal Protection of Personal Data.

3.3.2. The Lithuanian Law on Electronic Communications

The Lithuanian Law on Electronic Communications can be applied to SNS “Facebook” too (as to the e-mail and blog services of SNSs).241 Under the Act, it is important to promote 1) competition in providing electronic communications networks and services as well as associated facilities and services, 2) the protection of user interests and 3) the development of the internal market; the Communications Regulatory Authority is responsible for the regulation of electronic communications activities.242 This Act also states that the right to refuse should be offered to users,243 that the opportunity to object to the use of electronic contact details for direct marketing should be available, free of charge and in an easy manner, and that it is prohibited to send electronic mail disguising or concealing the identity of the sender on whose behalf the communication is made.244 Besides that, under the Act, the measures to safeguard security shall ensure a level of

238 Id., Art. 30(1)
239 Id., Art. 26(6), 26(7)
240 Id., Arts. 33(1), 31.
241 The Lithuanian Law on Electronic Communications (November 14, 2008, IX-2135)
242 Id., Arts. 1(5), 6(1); The Communications Regulatory Authority of the Republic of Lithuania, Homepage; [last accessed May 17, 2011]
243 Id., Art. 61(4)
244 Id., Art. 69(2), 69(3)

security appropriate to the risk presented.245 Thus, “Facebook” activities violate this Act too, because its users have no possibility to refuse or to object to the use of their contact details for direct marketing, “Facebook” does not ensure an appropriate security level (huge possible damage, irreversible consequences, however, “no guarantee”, “at your own risk”, data leaking examples), and “Facebook” encourages users to invite their friends to use “Facebook” by offering its own help (undisclosed advertisement; “Facebook” hands, but users' identities and no proper consent).

3.3.3. The Lithuanian Law on Advertising

Under the Lithuanian Law on Advertising, the use of misleading advertising shall be banned and advertising must be clearly identifiable according to its form of presentation.246 However, “Facebook” practice does not comply with such requirements, because, as has just been mentioned, “Facebook” encourages users to invite their friends, offers its own help and even does it for them; however, it does not disclose clearly, especially to recipients, that this is advertisement. In addition, if the service provider advertises its services, it is not an impartial service provider and is thus responsible for what its customers are doing on the platform.247 Besides that, the data subject can enforce against the data exporter as a third-party beneficiary.248 For example, in March 2011, in Lithuania, the District Court ruled that internet service providers must block sites if it is necessary, and, in April 2011, in Great Britain, the Court ruled that internet service providers must monitor and control user actions.249 Thus, from these points of view, “Facebook” can be held liable for its users' content and activities on the Platform.

3.3.4. The Republic of Lithuania Law on Copyright and Related Rights

The SNS “Facebook” Statement of Rights and Responsibilities includes a provision stating that the user grants “Facebook” a non-exclusive, transferable, sub-licensable, royalty-free,

245 Id., Art. 62(1)
246 See supra note 218: The Republic of Lithuania Law on Advertising, Arts. 5(1), 8.
247 “Teisininkas Andrius Iškauskas: net jei „Linkomanija“ bus užblokuota, karas su interneto piratais tęsis”, 15min.lt (January 20, 2011); [last accessed May 17, 2011]
248 The E.U. Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, Official Journal of the European Union (February 5, 2010), Clause 3; [last accessed May 17, 2011]
249 “Skaitmeninis kodas: Tinklalapių blokavimo būdus siūlę IT specialistai sutinka, kad tai neįmanoma”, Technologijos.lt (March 24, 2011); “Britų interneto paslaugų tiekėjai bus priversti stebėti vartotojų veiksmus internete”, 15min.lt (April 21, 2011); [last accessed May 17, 2011]

worldwide license to use any IP content that the user posts on or in connection with “Facebook” (IP License); it ends when the user deletes the IP content or account, unless the content has been shared with others and they have not deleted it.250 Under the Act, it is not permitted to transfer the right in all future works which are not clearly identified; besides that, a transfer will not apply if the modes of use of the work do not exist or are unknown.251 Thus, the “Facebook” IP License is not valid, and “Facebook” does not legally use and disclose Lithuanian users' IP content that is covered by intellectual property rights.

3.3.5. The Republic of Lithuania Law on the State Language

As mentioned before, despite the fact that more than 70 translations are already available on the site (the Lithuanian language included), there is so far no possibility to read the agreements in Lithuanian, so Lithuanian users agree to agreements that are written in English. The Act states that transactions with natural and legal persons of foreign states shall be conducted in the state (Lithuanian) language and another language acceptable to both parties.252 Thus, “Facebook” practice does not comply with this requirement.

3.3.6. The Republic of Lithuania Law on Consumer Protection

The Act states that the consumer shall be entitled to get comprehensive and true information in the state (Lithuanian) language, and that goods and services should be offered so that customers clearly understand the commercial nature of the proposal.253 However, “Facebook” agreements are long, not easily understandable, in English, etc., and it uses undisclosed advertising methods (“Facebook” hands, users' identities). Under the Act, consumers' public interest shall be protected by the State Consumer Rights Protection Authority.254

3.3.7. The Civil Code of the Republic of Lithuania

Under the Civil Code of the Republic of Lithuania, the choice of the law applicable to a contract made by agreement of the parties may not be grounds for refusing to apply the mandatory legal norms of the Republic of Lithuania, which cannot be changed or declined by agreement of the parties; any transaction that fails to meet the requirements of mandatory

250 See supra note 218: The Republic of Lithuania Law on Advertising, Art. 2.1.
251 Id., Art. 38.3.
252 The Republic of Lithuania Law on the State Language, (January 31, 1995, I-779), Art 9
253 The Republic of Lithuania Law on Consumer Protection, (January 12, 2007, I-657), Arts 5, 6
254 Id., Art. 30; See supra note 223: The Civil Code of the Republic of Lithuania, Art. 6.188 (7)

statutory provisions shall be null and void.255 Besides that, under the Code, a choice of the law applicable to a contractual obligation shall not result in depriving or restricting the consumer of the right to protect his interests by the remedies determined by the provisions of the law of the state of his domicile.256 Moreover, claims for reparation of damage resulting from infringement of personal non-property rights committed by the mass media shall be governed, depending on the choice of the aggrieved person, and claims for reparation of damage resulting from an act of unfair competition shall be governed by the law of the state in whose market the negative effects of unfair competition occurred.257 The Civil Code states that the form of consumer contracts shall be governed by the law of the place of the consumer’s domicile.258 Under the Code, “Facebook” agreements can be formed by actions; however, there must be sufficient data for the ascertainment of the parties, and an arbitration clause must be made in written form (the protection of the text should be guaranteed and the signature of the sending party should be identified).259 Furthermore, each party to a contract shall be obliged to act in accordance with good faith in their contractual relationships;260 the parties shall be bound to disclose to each other the information they have which is of essential importance for the conclusion of a contract;261 standard conditions prepared by one of the parties shall be binding on the other if the latter was provided with an adequate opportunity of getting acquainted with the said conditions;262 no surprising condition may be contained in a standard condition contract;263 unfair conditions are not permitted;264 a party may refuse the contract or a separate condition thereof if, at the time of the conclusion of the contract, the contract or its condition unjustifiably gives the other party excessive advantage (for example, by taking unfair advantage of the other's dependent position, or of the other party's economic difficulties, urgent needs, or of the latter's economic weakness, lack of information or experience, his inadvertence or inexperience in negotiations; regard shall also be taken of the

255 Id., Arts. 1.37(3), 6.157, 1.80(1)
256 Id., Art. 1.39(2)
257 Id., Arts 1.45(1), 1.46
258 Id., Art. 1.38(4)
259 Id., Arts 1.71, 1.76, 1.73(5), 6.192(2)
260 Id., Art. 6.158 (1)
261 Id., Art. 6.163 (4)
262 Id., Art. 6.185 (2)
263 Id., Art. 6.186 (1)
264 Id., Art. 6.211

nature and purpose of the contract).265 Thus, “Facebook” agreements and practice raise various legal issues. Besides that, SNS “Facebook” states that its users cannot be under 13 years old (stated in both the Statement of Rights and Responsibilities and the Privacy Policy), and that it recommends that teenagers have their parents' permission (stated just in the Privacy Policy);266 however, under the Civil Code of the Republic of Lithuania, minors under 14 (not under 13!) years of age shall enjoy the right to enter alone (only) into contracts to meet their ordinary and usual needs, and minors over 14 and under 18 years of age shall enter into contracts with the (mandatory) consent of parents or guardians.267 After all, under the Code, a producer or a supplier of services, if the products (services) were obtained for the purposes of consumption, shall be bound to compensate for damage caused by defective products or defective services,268 so “Facebook” can face big problems because of its “unintentional” data leaking, misleading information, or collection, use and disclosure of users' personal information without clear consent.

3.3.8. The Criminal Code of the Republic of Lithuania

The Criminal Code of the Republic of Lithuania can be applied to “Facebook” too. “Facebook” users’ activities such as aggression against other countries, defamation, insult, and organization or provocation of public disorder can result in criminal proceedings.269 Moreover, unlawful breach of the secrecy of personal correspondence, mail and conversations, illegal collection, use and disclosure of personal information about private life, illegal provocations, infringements of copyright and industrial property rights, and illegal commercial activities are forbidden under the Code, and a legal person can be held responsible for such activities in criminal proceedings.270 Thus, with its data leaking, unclear user consent, ignoring of the registration requirement, etc., “Facebook” activities do not comply with Lithuanian criminal law either. Overall, SNS “Facebook” does not legally collect, use and disclose users’ personal information under Lithuanian law.

265 Id., Art. 6.228 (1)
266 See Appendix 2: Statement of Rights and Responsibilities, Pr. 4 (5); See Appendix 3: Privacy Policy, Section 1 (“Parental participation”).
267 See supra note 14: The Criminal Code of the Republic of Lithuania.
268 Id., Art. 6.292, Parts 1, 5
269 Id., Arts. 110, 154(2), 155, 283
270 Id., Arts. 166 (1), 167(1), 168(1), 170(1), 192, 194, 195, 202.

CONCLUSIONS and RECOMMENDATIONS

Social networking sites (SNSs) have become increasingly popular among internet users around the world, but despite its various advantages, an SNS is not just a great tool of communication; it raises various legal issues too, especially in privacy law. Statistics show that “Facebook” is the most popular SNS in the world and already has over 500 million active users (about 70 percent of users are outside the U.S.; in Lithuania, almost 1 million already). The main business model of SNS “Facebook” is the collection, use and disclosure of users’ personal information. The most risky SNS “Facebook” activities are: unclear, not unambiguous user consent; agreements that are not fair, not clear and not easy to read; data leaking practice; uncontrolled possibility of fake profiles; possibility to use data after deletion; unprotected minors; uninformative notifications; no equality between users and “Facebook” consent; no security guarantees; lack of safety; no real possibility of control; undisclosed advertising practice; practice of opt-in by default. The research showed that SNS “Facebook” collects, uses and discloses users’ personal information: 1) under U.S. law – legally; 2) under EU and Lithuanian law – not legally.

The USA law: a person's privacy right competes with the freedom of the press. In the courts' opinion, people should be protected by privacy when they "believe that the conversation is private and can not be heard by others who are acting in a lawful manner”. In September 2010 a New York court ruled that material posted to online social networks (even what people post behind privacy settings) can be used as evidence in court. A California court has ruled that if a “Facebook” wall is set to "everyone," then nothing is private, but if the user restricted access to friends only, then the information would be considered as private as an e-mail message, and added that “Facebook” wall postings are not strictly ‘public,' but are accessible only to those users the plaintiff selects. However, “Facebook” should not rest easy, because such a finding is very fragile and may be just a question of time.

The EU law: SNS “Facebook” activities violate the Directive 95/46/EC, the Directive 2002/58/EC and the Guidelines for Social Networks. In the EU privacy is a fundamental human right. “Facebook” does not ensure the safety and security of personal data, and the user’s consent is not unambiguous and clear. The ECJ has ruled that the storage and processing of personal data containing individualized personal information in such a register for statistical purposes cannot, on any basis, be considered to be necessary; only anonymous information needs to be processed in order for such an objective to be attained.

Lithuanian law: SNS “Facebook” activities violate the Republic of Lithuania Constitution, the Republic of Lithuania Law on Legal Protection of Personal Data, Law on Electronic Communications, Law on Advertising, Law on Copyright and Related Rights, Law on the State Language, Law on Consumer Protection and the Civil and Criminal Codes of the Republic of Lithuania. SNS “Facebook” is not registered in the State Register of Personal Data Controllers, while it should be, and there is no “Facebook” agreement in the Lithuanian language; “Facebook” uses almost all personal data that has been collected, even if it was collected from fake profile accounts or without non-users' consent, and lets third parties copy such data; the safety of personal information is not secured on “Facebook”; moreover, “Facebook” asks for real personal information (names, date of birth, etc.) without proving that it is really necessary; users are not informed about their right to object, even though “Facebook” has a duty to do so; “Facebook” gets the user’s consent just during the registration process, although a Lithuanian court has ruled that consent should be prior and cannot be given at the same time; etc. Privacy risks and legal issues will not disappear with the unreal growth of the audience, so action is needed. The question is what measures are adequate and, in the present state of international privacy law, every country can answer it differently for itself.

Recommendations:
1. To correct the detected violations or to change legislation. The new EU guidelines are the best model to be enforced. The registration requirement is also recommended (the taxes perspective).
2. To compel SNS “Facebook” to stop such activities as: “opt-out” by default, data leaking, direct marketing without the user’s consent, undisclosed advertisement, etc.
3. To impose a duty on SNSs to invest in privacy law education, especially for teenagers, and maybe even not to allow registration and signing of an agreement without passing an exam, through which the user would get a special unique code allowing registration to be finished.
4. It is very necessary to introduce some compulsory law classes at schools, because legislation and various agreements are often too heavy even for adults. What can we expect from teenagers if we do not teach them anything about the law and merely require them to obey it?

BIBLIOGRAPHY LIST

1. The Universal Declaration of Human Rights (the General Assembly of the U. N., 1948), Art. 12;

The USA Law:

The Constitutions:

2. The U. S. Constitution (1787);
3. The Fourth Amendment of the U. S. Constitution (1791);
4. The First Amendment of the U.S. Constitution (1791);
5. The California Constitution (1849), Art. 1, Sec. 1 & 13;

The Cases:
6. U.S. case: VPR Internationale v. Does 1-1017, Illinois Central District Court, No. 2:2011cv02068 (April 29, 2011)
7. U.S. case: United States of America v. Frank Hernandez, Florida District Court, no. 07-60027-CR-ZLOCH, March 10, 2009.
8. U.S. case: Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, U.S. Court of Appeals, 9th Circuit, nos. 04-56916, 04-57173, December 12, 2007 - April 3, 2008;
9. U.S. case: Kathleen Romano v. Steelcase Inc., Suffolk County Supreme Court, September 21, 2010.

The Jurisprudence:
10. The American Jurisprudence 2d, Telecommunications § 209 (1974)

The Codes / Acts:
11. 17 U.S.C. § 512(c)
12. 18 U.S.C. § 2702(a).
13. 47 U.S.C. § 230(c)(1)
14. The Right to Financial Privacy Act of 1987 (RFPA) (12 U.S.C. § 3401);
15. The Electronic Communications Privacy Act of 1986 (ECPA) (18 U.S.C. § 2510);
16. The Stored Communications Act of 1986 (SCA) (18 U.S.C. § 2701-2712)
17. The U.S. Children's Online Privacy Protection Act of 1998 (15 U.S.C. § 6501-6506)
18. The California Civil Code, § 1798.82, § 1798.29

The EU Law:

The Conventions:
19. The Convention for the Protection of Human Rights and Fundamental Freedoms (Rome, 4.XI.1950), Art. 8;
20. The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Strasbourg, 28.I.1981);

The Directives:
21. The Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, Arts. 1(1), 2(a), 2(d), 2(h), 4(1)(a), 4(1)(c), 6.1(c), 7(a), 8(1), 8(7), 10, 17(1), 17(2), 12, 14(b), 25(1).

22. The Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector; Arts. 2(h), 4(1), 4(2), 5(1);
23. The European Commission’s Directive on Data Protection would prohibit the transfer of personal data to non-European Union countries that do not meet the European Union (EU) “adequacy” standard for privacy protection. In order to reduce the uncertainty of “adequacy” the U.S. Department of Commerce in consultation with the European Commission developed a "safe harbor" framework in 2000.
24. The Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users’ rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws.

The Others:
25. Case: C-524/06 Huber v. Federal Republic of Germany [16 December 2008] ECR I-9705.
26. The E.U. Commission Decision on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council, Official Journal of the European Union (February 5, 2010), Clause 3; [May 17, 2011]
27. Resolution No. 3 on personal data and privacy protection in the third millennium (November 26, 2010); [last accessed May 17, 2011]
28. Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (Recommendation, OECD Council, 1980); [last accessed May 16, 2011]
29. Report and Guidance on Privacy in Social Network Services, (Memorandum of Rome, International Working Group on Data Protection in Telecommunications, 2008), p. 5-7 p. 2;
30. Opinion 1/2008 on data protection issues related to search engines, Article 29 Data Protection Working Party (April 4, 2008), p. 3, 10, 11, 24; [acc May 17, 2011];
31. Opinion 5/2009 on online social networking, Article 29 Data Protection Working Party (June 12, 2009); <http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2009/wp163_en.pdf> [May 17, 2011]
32. Opinion 9/2011 on the revised Industry Proposal for a Privacy and Data Protection Impact Assessment Framework for RFID Applications, Article 29 Data Protection Working Party (February 11, 2011); [May 17, 2011];
33. Dr Rachel O’Connell and Others, Safer Social Networking Principles for the EU (February 10, 2009); [last accessed May 17, 2011]
34. A comprehensive approach on personal data protection in the European Union, The European Commission (Brussels, November 4, 2010); [May 17, 2011]
35. Privacy and Data Protection Impact Assessment Framework for RFID Applications, the European Commission, (January 12, 2011); [last accessed May 17, 2011]

The Lithuanian Law:

The Constitution:
36. The Constitution of the Republic of Lithuania (came into force on November 2, 1992);

The Codes:
37. The Civil Code of the Republic of Lithuania (July 18, 2000, VIII-1864), Arts. 1.37(3), 1.38(4), 1.39(2), 1.45(1), 1.46, 1.71, 1.73(5), 1.76, 1.80(1), 2.23, 6.157, 6.158 (1), 6.163 (4), 6.185 (2), 6.186 (1), 6.188 (7), 6.192(2), 6.211, 6.228 (1), 6.292;
38. The Criminal Code of the Republic of Lithuania, Žin (2000, Nr. 89-2741), Arts. 110, 154(2), 155, 166 (1), 167(1), 168(1), 170(1), 192, 194, 195, 202, 283;

The Acts:
39. The Republic of Lithuania Law on Advertising (July 18, 2000, No VIII - 1871), Arts. 2.1, 5(1), 8, 13, 38.3;
40. The Republic of Lithuania Law Amending the Law on Legal Protection of Personal Data, Žin (February 1, 2008, I-1374), Arts 2(1), 2(4), 2(7), 2(11), 5(1)(1), 5(1)(2), 14, 23, 24, 25, 26(6), 26(7), 27(1), 28, 29, 30(1), 31, 33(1), 34(1);
41. The Lithuanian Law on Electronic Communications (November 14, 2008, IX-2135), Arts. 1(5), 6(1), 62(1), 61(4), 69(2), 69(3);
42. The Republic of Lithuania Law on the State Language, (January 31, 1995, I-779), Art. 9;
43. The Republic of Lithuania Law on Consumer Protection, (January 12, 2007, I-657), Arts. 5, 6, 30;

The Jurisprudence:
44. Ž.Ž. v Ltd Ekstra Žinios, the Supreme Court of the Republic of Lithuania (14 August 2008, No. 3K-3-393/2008);
45. S.Š. and V.Š. v Ltd Lietuvos rytas, the Supreme Court of Lithuania (2 January 2008, No. 3K-7-2/2008);
46. The Jurisprudence of the Administrative Court of the Republic of Lithuania, No.8, p. 29-30;
47. Dėl Lietuvos Respublikos visuomenės informavimo įstatymo 8 straipsnio ir 14 straipsnio 3 dalies atitikties Lietuvos Respublikos Konstitucijai, the LR Constitutional Court decision (Vilnius, October 23, 2002); [last accessed May 17, 2011];
48. Dėl Lietuvos Respublikos operatyvinės veiklos įstatymo 2 straipsnio 12 dalies, 7 straipsnio 2 dalies 3 punkto, 11 straipsnio 1 dalies ir Lietuvos Respublikos baudžiamojo proceso kodekso 1981 straipsnio 1 bei 2 dalių atitikimo LR Konstitucijai, the LR Court decision (Vilnius, May 8, 2000).
49. Asmens duomenų tvarkymas tiesioginės rinkodaros tikslu (Teismų sprendimų apibendrinimas, Valstybinė duomenų apsaugos inspekcija, 2011), p. 6; [last accessed May 17, 2011]

The Articles: 50. danah m. boyd & Nicole B. Ellison, Social Network Sites: Definition, History, and Scholarship, 13 J. Computer-Mediated Comm., Art. 11 (2007), p. 2; 51. Dr. David Beer, Social network(ing) sites…revisiting the story so far: A response to danah boyd & Nicole Ellison, 13 J. Computer-Mediated Comm. (2008), p. 519. 52. Victoria Bolotaeva & Teuta Cata, Marketing Opportunities with Social Networks, JISNVC, Vol. 2010, Art ID 109111 (2010), p. 1-3, 5-6;

47 53. Kathryn L. Ossian, Miller Canfield Paddock & Stone PLC, Legal Issues in Social Networking (Institute of Continuing Legal Education, 2009), p. 4, 7, 9; 54. Rory Bahadur, Electronic Discovery, Informational Privacy, Facebook and Utopian Civil Justice, 79 Miss. L.J. 317 (Winter 2009), p. 9, 12, 21; 55. Michelle D. Craig, Did You Twitter My Facebook Wall? Social Networking, Privacy and Emplyment Law Issues, 58 La. B.J. 26 (June/July, 2010), p. 1, 3; 56. Samantha L. Millier, the Facebook Frontier: Responding to the Changing Face of Privacy on the Internet, 97 Ky. L.J. 541 (2008-2009), p. 1-2, 4-5, 7-13; 57. Rohan Massey, Privacy and Social Networks: a European Opinion, 13 No. 4 J. Internet L. 1 (October, 2009), p. 1- 6; 58. Felix Hofer, Privacy issues in social networking: the European perspective (Studio Legale Associato, 2010), p. 4, 6; 59. Joseph Bonneau, Sören Preibusch, the Privacy Jungle: On the Market for Data Protection in Social Networks Privacy Jungle, the Eighth Workshop on the Economics of Information Security (WEIS, 2009), p. 14, 19. 60. Yasamine Hashemi, Facebook‟s Privacy Policy and Its Third-Party Partnerships: Lucrativity and Liability (Boston University School of Law, 2009), p. 2-3, 8-14; 61. Lauren A. Matecki, Update: COPPA is Ineffective Legislation! Next Steps for Protecting Youth Privacy Rights in the Social Networking Era, 5 NW J. L. & Soc. Pol'y 369 (2010), p. 3, 15-16, 19; 62. Eric Goldman, Social Networking Sites and the Law (Santa Clara University School of Law, May 2007), p. 1; [May 15, 2011] 63. Jay Schultz, Clark Turner, Facebook Creeping! The Ethics Involved with Employers Usage of Facebook (Research, 2008), p. 3, 19; 64. Joseph Bonneau, Static Consent and the Dynamic Web (University of Cambridge, June 18, 2009); [l. acc. May 15,2011] 65. Adrienne Felt, David Evans, Privacy Protection for Social Networking Platforms (a Workshop, Oakland, CA, May 22, 2008), p. 7. p. 1, 3; 66. 
Kristen Decker, Looking for Lagniappe: Publicity as a Culprit to Social Networking Websites, 6 Okla. J. L. & Tech. 51 (June 8, 2010), p. 4, 10; 67. Samuel Warren, Louis Brandeis, The Right to Privacy, 4 Harvard Law Review 193-220 (1890); [May 15, 2011]; 68. Ronald B. Standler, Privacy Law in the USA (1997);[May 16,2011] 69. Liisa M. Thomas, Winston & Strawn LLP, Balancing Technology and Privacy: Emerging Rules in Online Behavioral Advertising, Mobile Marketing, Social Networking and Other Electronic Commercial Communications (Practising Law Institute, 2010), p. 9, 10, 12; 70. Robert Terenzi, Friending Privacy: Toward Self-regulation of Second Generation Social Networks, 20 Fordham Intell. Prop. Media & Ent. L.J. 1049 (Spring, 2010), p. 7, 12, 15, 19, 20; 71. Kevin Fayle, Understanding the Legal Issues for Social Networking Sites and Their Users (September 18, 2007); [last accessed May 16, 2011];

The Press Releases:

72. Catharine Smith, ―Facebook Responds To Assange Claim It Is A 'Spying Machine‖, HuffingtonPost (May 3, 2011) [May 14, 2011] 73. ―Libya cuts off internet service: Arbor networks‖, Alarabia News (19 February 2011); [last accessed May 14, 2011] 74. Adam Ostrow, ―The Social Network‖ Nominated for 8 Academy Awards‖, Mashable.com (January 25, 2011); [l. acc. May 14, 2011] 75. ―B.Obama susitiko su „Facebook―, „Google― ir „Apple― vadovais‖, Delfi.lt (18 February, 2011); ; [l. acc. May 14, 2011]

48 76. ―Egiptietis dukrą pavadino „Facebook―‖, Delfi.lt (22 February, 2011); [last accessed May 14, 2011] 77. ―Karalienė prisijungė prie Facebook―, 15min.lt (Nowember 7, 2010); [last accessed May 14, 2011] 78. ―Lietuva – nauja rinka „Facebook― vartotojų tykantiems sukčiams‖, 15min.lt (Nowember 2, 2010); [last accessed May 14, 2011] 79. Legal Problems Arising from Social Media: Selected Resources (2011); [last accessed May 14, 2011] 80. Two Facebook users sue the social site over privacy issues (October 14, 2010); [last accessed May 14, 2011] 81. ―Į policiją kreipėsi dėl apie nepilnametę dukrą sukurto šmeiţikiško "Facebook" profilio‖, (February 20, 2011); [l. acc. May 14, 2011] 82. Habibullah Khan Islamabad, Facebook Banned in Pakistan (May 19, 2010); [l. acc. May 15, 2011] 83. First Twitter, now Facebook: banned in China (July 17, 2010); [l. acc. May 15, 2011] 84. The Facebook Marketing Bible; [May 15, 2011] 85. ―Worldwide Social Network Ad Spending: 2011 Outlook‖, eMarketer (Februrary 2011); [l. acc. May 16, 2011] 86. ―„Facebook―ruošiasi „parduoti― mus?‖, Technologijos.lt (March 10, 2011); [last> [accessed May 15,2011] 87. Barb Dybwad, Facebook and Others Caught Sending User Data to Advertisers (May 20, 2010); [l. acc. May 15, 2011] 88. ―Vienuolę išvarė iš vienuolyno uţ aktyvią veiklą „Facebook― tinkle‖, Delfi.lt (February 19, 2011); [l. acc. May 15, 2011]; 89. ―Policija suėmė banko plėšikus, kurie apie sėkmingą vagystę gyrėsi socialiniame tinkle „Facebook―‖, 15min.lt (April 25, 2010); [l. acc. May 15, 2011]; 90. Su ţudiku trylikametė alytiškė susipaţino per „Facebook“ (January 17, 2011); [acc. May 15, 2011] 91. ―TNS: vaikai internete daţniau bendrauja „Skype―ir socialiniuose tinkluose nei el. paštu‖, 15min.lt (April 4, 2011); [l. acc. May 15, 2011]; 92. JR Raphael, ―Facebook Privacy: Secrets Unveiled‖, PCWorld (May 16, 2010); [l. acc. May 15, 2011] 93. Privacy Protection Issue on Social Networking Sites (October 12, 2010); [l. acc. May 15, 2011] 94. 
Alex Howard, Online privacy debates heat up in Washington (August 6, 2010); [l. acc. May 15, 2011] 95. Matthew C. Clarke, Controlling Privacy on Social Networking Services (April 19, 2010); [l. acc. May 15, 2011]

49 96. Kurt Opsahl, ―Updated: Facebook Further Reduces Your Control Over Personal Information‖, Electronic Frontier Foundation (April 19, 2010); [last accessed May 15, 2011] 97. ―„Facebook― daliai vartotojų netyčia įjungė el. pašto įspėjimus‖, 15min.lt (April 20, 2011); [last accessed May 15, 2011] 98. US Court are Abusing Facebook Posts for Evidence (January 28, 2011); [last accessed May 15, 2011] 99. ―„Facebook― vartotojai „parduoti― reklamos agentūroms‖, Technologijos.lt (October 19, 2010); [May 15, 2011] 100. ―„Facebook― nebeteiks trečiosioms šalims duomenų apie vartotojus‖, Alfa.lt (January 20, 2011); [last accessed May 16, 2011] 101. Ryan Singel, „Dating‟ Site Imports 250,000 Facebook Profiles, Without Permission (February 3, 2011); [last accessed May 16, 2011] 102. ―„Facebook―dalins vartotojų informaciją‖, Ekonomika.lt (March 2, 2011); [May 16, 2011] 103. Chinmoy Kanjilal, US Court are Abusing Facebook Posts for Evidence (January 27, 2011); [last accessed May 16, 2011] 104. ―Online Privacy: Using the Internet Safely‖, Privacy Rights Clearinghouse (May 2011); [last accessed May 16, 2011] 105. Kostas Baubinas, ―„Facebook― fanai renkami ir apgaulingai‖, Delfi.lt (March 29, 2011); [May 16, 2011]; 106. ―Socialiniai tinklai populiariausi tarp nedirbančio jaunimo ir namų šeimininkių‖, Marketer.lt (October 16, 2010); [last accessed May 17, 2011] 107. ―Vaikai atskleidţia per daug asmeninės informacijos internete‖, Lietuvos vartotojų institutas (March 3, 2011); [last accessed May 16, 2011] 108. ―Socialinį profilį turi 65 proc. Lietuvos vaikų‖, Lrt.lt (April 18, 2011); [last accessed May 17, 2011]. 109. ―Rinkiminės agitacijos draudimas socialiniame tinkle „Facebook― negalioja?‖, 15min.lt (February 27, 2011); [last accessed May 17, 2011] 110. Noeleen G. Walder, ―Judge Grants Discovery of Postings on Social Media‖, New York Law Journal (September 24, 2010); [last accessed May 16, 2011] 111. 
Anita Ramasastry, Facebook and MySpace Postings in Court: In a Lawsuit, Privacy Settings May Not Matter (September 29, 2010); [last acc. May 16, 2011] 112. Leanne Italie, Divorce lawyers: Facebook tops in online evidence (June 28, 2010); [last accessed May 16, 2011] 113. Anne Barnard, ―Facebook Agrees to More Safeguards‖, The New York Times (October 17, 2007); [last accessed May 16, 2011] 114. ―JAV teisėsauga prieš piratavimą – nuo tinklapių blokavimų iki pirmojo suėmimo‖, Technologijos.lt (March 12, 2011); [l. acc. May 16, 2011]; 115. HSI agents arrest website operator that illegally streamed copyrighted sporting events (U.S. Immigration, Customs Enforcment, March 3, 2011); [l. acc. May 16, 2011]

50 116. Dana B. Rosenfeld, Alysa Z. Hutnik, Christopher M. Loeffler, California Supreme Court Holds Zip Code is PII under Song-Beverly Act (February 14, 2011); [May 16, 2011] 117. David Goldman, ―Obama administration calls for online privacy bill of rights‖, CNN Money (December 10, 2010); [l. acc. May 16, 2011] 118. Sen. Franken To Chair New Subcommittee on Privacy, Technology and the Law (February 14, 2011); [last accessed May 16, 2011] 119. Danish court blocks media from quoting Facebook 'friends' (October 13, 2010); [last acc. May 16, 2011] 120. Leigh Phillips, ―EU to force social network sites to enhance privacy‖, Guardian.co.uk (March 16, 2011); [last acc. May 17, 2011] 121. Jacqueline Klosek, ―European Court Establishes Broad Interpretation of Data Privacy Law‖, FindLaw; [last accessed May 17, 2011] 122. Safer social networking: the choice of self-regulation (Europe‘s Information Society, 2010); [last accessed May 17, 2011]; 123. Robin Wauters, EU Advisory Group Proposes Tighter Privacy Regulation On Social Networks (June 24,2009); [last accessed May 17, 2011] 124. Social Networking: Commission brokers‟ agreement among major web companies (February 10, 2009), p. 1; [May 17, 2011] 125. Ezra Rosser, Europe Issues New Privacy Rules for Social Networks (June 24, 2009); [acc. May 17, 2011] 126. Rosalie Marshall, ―EU data officials question Facebook privacy‖, Secure Business Inteligence (May 14, 2010); [accessed May 17, 2011] 127. Facebook may be targeted by new EU laws (October 23, 2010); [last accessed May 17, 2011] 128. ―Trylikametės nuţudymas‖, 15min. (2011); [l. acc. May 17, 2011] 129. Skaitmeninis kodas: Tinklalapių blokavimo būdus siūlę IT specialistai sutinka, kad tai neįmanoma‖, Technologijos.lt (March 24, 2011); [May 17, 2011] 130. ―Britų interneto paslaugų tiekėjai bus priversti stebėti vartotojų veiksmus internete‖, 15min.lt (April 21, 2011); [last accessed May 17, 2011]

The Others: 131. Global Faces and Networked Places (Nielsen Report, 2009), p. 3; [l. acc.May 14, 2011] 132. Milo Yiannopoulos, Įkalinti tinkle: ką priklausomybė nuo interneto daro mūsų sveikatai, ekonomikai bei visuomenei? (Presentation, Conference ―Login‖, 2011). 133. Social Networking: A Quantitative and Qualitative Research Report into Attitudes, Behaviours and Use (Ofcom Research, 2008), p. 8, 24, 53, 54; 134. Elizabeth Denham, Findings into the Complaint Filed by the CIPPIC against Facebook Inc. Under the Personal Information Protection and Electronic Documents Act (Report, Privacy Commission of Canada, 2009); [l. acc. May 14, 2011]

51 135. Daniel Richter & Others, Internet Social Networking – Distinguishing the Phenomenon from Its Manifestations in Web Sites (17th European Conference on Information Systems, 2009), p. 6-8. 136. ―Top Sites‖, Alexa.com; [last accessed May 14, 2011] 137. ―About Facebook‖, Facebook.com; [May 14, 2011] 138. ―Facts about Facebook‖, Facebook.com; [May 14, 2011] 139. ―Statistics‖, Facebook.com; [May 14, 2011] 140. ―Facebook Statistics by country‖, Socialbakers.com; [last accessed February 28, 2011] 141. ―You Have 0 Friends‖, South Park Studios (2010); [last accessed May 14, 2011] 142. Matt McKeon, The Evolution of Privacy on Facebook (Research, 2010); [last accessed May 14, 2011] 143. Reach the Right People at the Right Time; [May 15, 2011] 144. ―Privacy‖, Wikipedia; [last accessed May 16, 2011] 145. Mindaugas Civilka, Asmens duomenų apsauga tarptautinėje ir EB teisėje, (Vilnius: VU, 2001), p. 111. p. 8; Privacy and Human Rights (Overview, 2003); [last accessed May 16, 2011] 146. ―The Main Information‖, Facebook.com; [last accessed May 16, 2011] 147. Erika McCallister, Tim Grance, Karen Scarfone, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII) (National Institute of Standarts and Technology, April 2010), p. 7, 8; [May 16, 2011] 148. Contracting in the Electronic Age (ABA Cyberspace Law Committee, August 11, 2007), Slide 6; [l. acc. May 16, 2011] 149. Donald S. Clark, Re: Comments of the World Privacy Forum concerning FTC‟s proposed principles, Online Behavioral Advertising: Moving the Discussion Forward to Possible Self-Regulatory Principles (World Privacy Forum, April 11, 2008); [l. acc. May 16, 2011] 150. Marc Rotenberg and Others, In the Matter of Facebook, Inc., Complaint, Request for Investigation, Injunction, and Other Relief to Federal Trade Commission (Electronic Privacy Information Center, May 5, 2010); [May 16, 2011] 151. Review of the data protection legal framework, the European Commission (2010); [May 17, 2011] 153. 
EU Citizens‟ Rights – the Way Forward (Conference Report, Brussels, 1-2 July, 2010); [last accessed May 17, 2011] 154. Login 2011 (Conference, Vilnius, March 17-18, 2011); [l. acc. May 17, 2011] 155. ―Lithuania – Privacy Profile‖, Privacy International (January 22, 2011); [May 17, 2011] 156. The State Register of Personal Data Controllers, Homepage; [last accessed May 17, 2011] 157. The Communications Regulatory Authority of the Republic of Lithuania, Homepage; [last accessed May 17, 2011] 158. ―Teisininkas Andrius Iškauskas: net jei „Linkomanija― bus uţblokuota, karas su interneto piratais tęsis‖, 15min.lt (January 20, 2011); [last accessed May 17, 2011] 159. ―Facebook tyrimai‖, Kitoks.lt (2011); [l. acc. May 17, 2011]

APPENDICES

1. Illustrations of Steps during Registration Process on SNS “Facebook”.

2. SNS “Facebook” Statement of Rights and Responsibilities.

3. SNS “Facebook” Privacy Policy.

Appendix 1: Illustrations of Steps during Registration Process on SNS “Facebook”

Step 1.

Step 2.

Appendix 2: SNS “Facebook” Statement of Rights and Responsibilities (Copied from: <http://www.facebook.com/terms.php> [on May 11, 2011])

“This agreement was written in English (US). To the extent any translated version of this agreement conflicts with the English version, the English version controls. Please note that Section 16 contains certain changes to the general terms for users outside the United States.

Date of Last Revision: October 4, 2010.

Statement of Rights and Responsibilities

This Statement of Rights and Responsibilities ("Statement") derives from the Facebook Principles, and governs our relationship with users and others who interact with Facebook. By using or accessing Facebook, you agree to this Statement.

1. Privacy

Your privacy is very important to us. We designed our Privacy Policy to make important disclosures about how you can use Facebook to share with others and how we collect and can use your content and information. We encourage you to read the Privacy Policy, and to use it to help make informed decisions.

2. Sharing Your Content and Information

You own all of the content and information you post on Facebook, and you can control how it is shared through your privacy and application settings. In addition:
1. For content that is covered by intellectual property rights, like photos and videos ("IP content"), you specifically give us the following permission, subject to your privacy and application settings: you grant us a non-exclusive, transferable, sub-licensable, royalty-free, worldwide license to use any IP content that you post on or in connection with Facebook ("IP License"). This IP License ends when you delete your IP content or your account unless your content has been shared with others, and they have not deleted it.
2. When you delete IP content, it is deleted in a manner similar to emptying the recycle bin on a computer. However, you understand that removed content may persist in backup copies for a reasonable period of time (but will not be available to others).
3. When you use an application, your content and information is shared with the application. We require applications to respect your privacy, and your agreement with that application will control how the application can use, store, and transfer that content and information. (To learn more about Platform, read our Privacy Policy and Platform Page.)
4. When you publish content or information using the "everyone" setting, it means that you are allowing everyone, including people off of Facebook, to access and use that information, and to associate it with you (i.e., your name and profile picture).
5. We always appreciate your feedback or other suggestions about Facebook, but you understand that we may use them without any obligation to compensate you for them (just as you have no obligation to offer them).

3. Safety

We do our best to keep Facebook safe, but we cannot guarantee it. We need your help to do that, which includes the following commitments:
1. You will not send or otherwise post unauthorized commercial communications (such as spam) on Facebook.
2. You will not collect users' content or information, or otherwise access Facebook, using automated means (such as harvesting bots, robots, spiders, or scrapers) without our permission.
3. You will not engage in unlawful multi-level marketing, such as a pyramid scheme, on Facebook.
4. You will not upload viruses or other malicious code.
5. You will not solicit login information or access an account belonging to someone else.
6. You will not bully, intimidate, or harass any user.
7. You will not post content that: is hateful, threatening, or pornographic; incites violence; or contains nudity or graphic or gratuitous violence.
8. You will not develop or operate a third-party application containing alcohol-related or other mature content (including advertisements) without appropriate age-based restrictions.
9. You will not offer any contest, giveaway, or sweepstakes ("promotion") on Facebook without our prior written consent. If we consent, you take full responsibility for the promotion, and will follow our Promotions Guidelines and all applicable laws.
10. You will not use Facebook to do anything unlawful, misleading, malicious, or discriminatory.
11. You will not do anything that could disable, overburden, or impair the proper working of Facebook, such as a denial of service attack.
12. You will not facilitate or encourage any violations of this Statement.

4. Registration and Account Security

Facebook users provide their real names and information, and we need your help to keep it that way. Here are some commitments you make to us relating to registering and maintaining the security of your account:
1. You will not provide any false personal information on Facebook, or create an account for anyone other than yourself without permission.
2. You will not create more than one personal profile.
3. If we disable your account, you will not create another one without our permission.
4. You will not use your personal profile for your own commercial gain (such as selling your status update to an advertiser).
5. You will not use Facebook if you are under 13.
6. You will not use Facebook if you are a convicted sex offender.
7. You will keep your contact information accurate and up-to-date.
8. You will not share your password, (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
9. You will not transfer your account (including any page or application you administer) to anyone without first getting our written permission.
10. If you select a username for your account we reserve the right to remove or reclaim it if we believe appropriate (such as when a trademark owner complains about a username that does not closely relate to a user's actual name).

5. Protecting Other People's Rights

We respect other people's rights, and expect you to do the same.
1. You will not post content or take any action on Facebook that infringes or violates someone else's rights or otherwise violates the law.
2. We can remove any content or information you post on Facebook if we believe that it violates this Statement.
3. We will provide you with tools to help you protect your intellectual property rights. To learn more, visit our How to Report Claims of Intellectual Property Infringement page.
4. If we remove your content for infringing someone else's copyright, and you believe we removed it by mistake, we will provide you with an opportunity to appeal.
5. If you repeatedly infringe other people's intellectual property rights, we will disable your account when appropriate.
6. You will not use our copyrights or trademarks (including Facebook, the Facebook and F Logos, FB, Face, Poke, Wall and 32665), or any confusingly similar marks, without our written permission.
7. If you collect information from users, you will: obtain their consent, make it clear you (and not Facebook) are the one collecting their information, and post a privacy policy explaining what information you collect and how you will use it.
8. You will not post anyone's identification documents or sensitive financial information on Facebook.
9. You will not tag users or send email invitations to non-users without their consent.

6. Mobile

1. We currently provide our mobile services for free, but please be aware that your carrier's normal rates and fees, such as text messaging fees, will still apply.
2. In the event you change or deactivate your mobile telephone number, you will update your account information on Facebook within 48 hours to ensure that your messages are not sent to the person who acquires your old number.
3. You provide all rights necessary to enable users to sync (including through an application) their contact lists with any basic information and contact information that is visible to them on Facebook, as well as your name and profile picture.

7. Payments and Deals

1. If you make a payment on Facebook or use Facebook Credits, you agree to our Payments Terms.
2. If you purchase a Deal, you agree to our Deals Terms.
3. If you provide a Deal or partner with us to provide a Deal, you agree to the Merchant Deal Terms in addition to any other agreements you may have with us.

8. Special Provisions Applicable to Share Links

If you include our Share Link button on your website, the following additional terms apply to you:
1. We give you permission to use Facebook's Share Link button so that users can post links or content from your website on Facebook.
2. You give us permission to use and allow others to use such links and content on Facebook.
3. You will not place a Share Link button on any page containing content that would violate this Statement if posted on Facebook.

9. Special Provisions Applicable to Developers/Operators of Applications and Websites

If you are a developer or operator of a Platform application or website, the following additional terms apply to you:
1. You are responsible for your application and its content and all uses you make of Platform. This includes ensuring your application or use of Platform meets our Facebook Platform Policies and our Advertising Guidelines.
2. Your access to and use of data you receive from Facebook, will be limited as follows:
   1. You will only request data you need to operate your application.
   2. You will have a privacy policy that tells users what user data you are going to use and how you will use, display, share, or transfer that data and you will include your privacy policy URL in the Developer Application.
   3. You will not use, display, share, or transfer a user’s data in a manner inconsistent with your privacy policy.
   4. You will delete all data you receive from us concerning a user if the user asks you to do so, and will provide a mechanism for users to make such a request.
   5. You will not include data you receive from us concerning a user in any advertising creative.
   6. You will not directly or indirectly transfer any data you receive from us to (or use such data in connection with) any ad network, ad exchange, data broker, or other advertising related toolset, even if a user consents to that transfer or use.
   7. You will not sell user data. If you are acquired by or merge with a third party, you can continue to use user data within your application, but you cannot transfer user data outside of your application.
   8. We can require you to delete user data if you use it in a way that we determine is inconsistent with users’ expectations.
   9. We can limit your access to data.
   10. You will comply with all other restrictions contained in our Facebook Platform Policies.
3. You will not give us information that you independently collect from a user or a user's content without that user's consent.
4. You will make it easy for users to remove or disconnect from your application.
5. You will make it easy for users to contact you. We can also share your email address with users and others claiming that you have infringed or otherwise violated their rights.
6. You will provide customer support for your application.
7. You will not show third party ads or web search boxes on Facebook.
8. We give you all rights necessary to use the code, APIs, data, and tools you receive from us.
9. You will not sell, transfer, or sublicense our code, APIs, or tools to anyone.
10. You will not misrepresent your relationship with Facebook to others.
11. You may use the logos we make available to developers or issue a press release or other public statement so long as you follow our Facebook Platform Policies.
12. We can issue a press release describing our relationship with you.
13. You will comply with all applicable laws. In particular you will (if applicable):
    1. have a policy for removing infringing content and terminating repeat infringers that complies with the Digital Millennium Copyright Act.
    2. comply with the Video Privacy Protection Act ("VPPA"), and obtain any opt-in consent necessary from users so that user data subject to the VPPA may be shared on Facebook. You represent that any disclosure to us will not be incidental to the ordinary course of your business.
14. We do not guarantee that Platform will always be free.
15. You give us all rights necessary to enable your application to work with Facebook, including the right to incorporate content and information you provide to us into streams, profiles, and user action stories.
16. You give us the right to link to or frame your application, and place content, including ads, around your application.
17. We can analyze your application, content, and data for any purpose, including commercial (such as for targeting the delivery of advertisements and indexing content for search).
18. To ensure your application is safe for users, we can audit it.
19. We can create applications that offer similar features and services to, or otherwise compete with, your application.

10. About Advertisements and Other Commercial Content Served or Enhanced by Facebook

Our goal is to deliver ads that are not only valuable to advertisers, but also valuable to you. In order to do that, you agree to the following:
1. You can use your privacy settings to limit how your name and profile picture may be associated with commercial, sponsored, or related content (such as a brand you like) served or enhanced by us. You give us permission to use your name and profile picture in connection with that content, subject to the limits you place.
2. We do not give your content or information to advertisers without your consent.
3. You understand that we may not always identify paid services and communications as such.

11. Special Provisions Applicable to Advertisers

You can target your specific audience by buying ads on Facebook or our publisher network. The following additional terms apply to you if you place an order through our online advertising portal ("Order"):
1. When you place an Order, you will tell us the type of advertising you want to buy, the amount you want to spend, and your bid. If we accept your Order, we will deliver your ads as inventory becomes available. When serving your ad, we do our best to deliver the ads to the audience you specify, although we cannot guarantee in every instance that your ad will reach its intended target.
2. In instances where we believe doing so will enhance the effectiveness of your advertising campaign, we may broaden the targeting criteria you specify.
3. You will pay for your Orders in accordance with our Payments Terms. The amount you owe will be calculated based on our tracking mechanisms.
4. Your ads will comply with our Advertising Guidelines.
5. We will determine the size, placement, and positioning of your ads.
6. We do not guarantee the activity that your ads will receive, such as the number of clicks you will get.
7. We cannot control how people interact with your ads, and are not responsible for click fraud or other improper actions that affect the cost of running ads. We do, however, have systems to detect and filter certain suspicious activity, learn more here.
8. You can cancel your Order at any time through our online portal, but it may take up to 24 hours before the ad stops running. You are responsible for paying for those ads.
9. Our license to run your ad will end when we have completed your Order. You understand, however, that if users have interacted with your ad, your ad may remain until the users delete it.
10. We can use your ads and related content and information for marketing or promotional purposes.
11. You will not issue any press release or make public statements about your relationship with Facebook without written permission.
12. We may reject or remove any ad for any reason.
13. If you are placing ads on someone else's behalf, we need to make sure you have permission to place those ads, including the following:
    1. You warrant that you have the legal authority to bind the advertiser to this Statement.
    2. You agree that if the advertiser you represent violates this Statement, we may hold you responsible for that violation.

12. Special Provisions Applicable to Pages

If you create or administer a Page on Facebook, you agree to our Pages Terms.

13. Amendments

1. We can change this Statement if we provide you notice (by posting the change on the Facebook Site Governance Page) and an opportunity to comment. To get notice of any future changes to this Statement, visit our Facebook Site Governance Page and become a fan.
2. For changes to sections 7, 8, 9, and 11 (sections relating to payments, application developers, website operators, and advertisers), we will give you a minimum of three days notice. For all other changes we will give you a minimum of seven days notice. All such comments must be made on the Facebook Site Governance Page.
3. If more than 7,000 users comment on the proposed change, we will also give you the opportunity to participate in a vote in which you will be provided alternatives. The vote shall be binding on us if more than 30% of all active registered users as of the date of the notice vote.
4. We can make changes for legal or administrative reasons, or to correct an inaccurate statement, upon notice without opportunity to comment.

14. Termination

If you violate the letter or spirit of this Statement, or otherwise create risk or possible legal exposure for us, we can stop providing all or part of Facebook to you. We will notify you by email or at the next time you attempt to access your account. You may also delete your account or disable your application at any time. In all such cases, this Statement shall terminate, but the following provisions will still apply: 2.2, 2.4, 3-5, 8.2, 9.1-9.3, 9.9, 9.10, 9.13, 9.15, 9.18, 10.3, 11.2, 11.5, 11.6, 11.9, 11.12, 11.13, and 14-18.

15. Disputes

1. You will resolve any claim, cause of action or dispute ("claim") you have with us arising out of or relating to this Statement or Facebook exclusively in a state or federal court located in Santa Clara County. The laws of the State of California will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions. You agree to submit to the personal jurisdiction of the courts located in Santa Clara County, California for the purpose of litigating all such claims.
2. If anyone brings a claim against us related to your actions, content or information on Facebook, you will indemnify and hold us harmless from and against all damages, losses, and expenses of any kind (including reasonable legal fees and costs) related to such claim.
3. WE TRY TO KEEP FACEBOOK UP, BUG-FREE, AND SAFE, BUT YOU USE IT AT YOUR OWN RISK. WE ARE PROVIDING FACEBOOK "AS IS" WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING, BUT NOT LIMITED TO, IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, AND NON-INFRINGEMENT. WE DO NOT GUARANTEE THAT FACEBOOK WILL BE SAFE OR SECURE. FACEBOOK IS NOT RESPONSIBLE FOR THE ACTIONS, CONTENT, INFORMATION, OR DATA OF THIRD PARTIES, AND YOU RELEASE US, OUR DIRECTORS, OFFICERS, EMPLOYEES, AND AGENTS FROM ANY CLAIMS AND DAMAGES, KNOWN AND UNKNOWN, ARISING OUT OF OR IN ANY WAY CONNECTED WITH ANY CLAIM YOU HAVE AGAINST ANY SUCH THIRD PARTIES. IF YOU ARE A CALIFORNIA RESIDENT, YOU WAIVE CALIFORNIA CIVIL CODE §1542, WHICH SAYS: "A GENERAL RELEASE DOES NOT EXTEND TO CLAIMS WHICH THE CREDITOR DOES NOT KNOW OR SUSPECT TO EXIST IN HIS FAVOR AT THE TIME OF EXECUTING THE RELEASE, WHICH IF KNOWN BY HIM MUST HAVE MATERIALLY AFFECTED HIS SETTLEMENT WITH THE DEBTOR."
WE WILL NOT BE LIABLE TO YOU FOR ANY LOST PROFITS OR OTHER CONSEQUENTIAL, SPECIAL, INDIRECT, OR INCIDENTAL DAMAGES ARISING OUT OF OR IN CONNECTION WITH THIS STATEMENT OR FACEBOOK, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. OUR AGGREGATE LIABILITY ARISING OUT OF THIS STATEMENT OR FACEBOOK WILL NOT EXCEED THE GREATER OF ONE HUNDRED DOLLARS ($100) OR THE AMOUNT YOU HAVE PAID US IN THE PAST TWELVE MONTHS. APPLICABLE LAW MAY NOT ALLOW THE LIMITATION OR EXCLUSION OF LIABILITY OR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU. IN SUCH CASES, FACEBOOK'S LIABILITY WILL BE LIMITED TO THE FULLEST EXTENT PERMITTED BY APPLICABLE LAW.

16. Special Provisions Applicable to Users Outside the United States

We strive to create a global community with consistent standards for everyone, but we also strive to respect local laws. The following provisions apply to users outside the United States:

1. You consent to having your personal data transferred to and processed in the United States.
2. If you are located in a country embargoed by the United States, or are on the U.S. Treasury Department's list of Specially Designated Nationals you will not engage in commercial activities on Facebook (such as advertising or payments) or operate a Platform application or website.
3. Certain specific terms that apply only for German users are available here.

17. Definitions

1. By "Facebook" we mean the features and services we make available, including through (a) our website at www.facebook.com and any other Facebook branded or co-branded websites (including sub-domains, international versions, widgets, and mobile versions); (b) our Platform; (c) social plugins such as the like button, the share button and other similar offerings and (d) other media, software (such as a toolbar), devices, or networks now existing or later developed.
2. By "Platform" we mean a set of APIs and services that enable others, including application developers and website operators, to retrieve data from Facebook or provide data to us.
3. By "information" we mean facts and other information about you, including actions you take.
4. By "content" we mean anything you post on Facebook that would not be included in the definition of "information."
5. By "data" we mean content and information that third parties can retrieve from Facebook or provide to Facebook through Platform.
6. By "post" we mean post on Facebook or otherwise make available to us (such as by using an application).
7. By "use" we mean use, copy, publicly perform or display, distribute, modify, translate, and create derivative works of.
8. By "active registered user" we mean a user who has logged into Facebook at least once in the previous 30 days.
9. By "application" we mean any application or website that uses or accesses Platform, as well as anything else that receives or has received data from us. If you no longer access Platform but have not deleted all data from us, the term application will apply until you delete the data.

18. Other

1. If you are a resident of or have your principal place of business in the US or Canada, this Statement is an agreement between you and Facebook, Inc. Otherwise, this Statement is an agreement between you and Facebook Ireland Limited. References to “us,” “we,” and “our” mean either Facebook, Inc. or Facebook Ireland Limited, as appropriate.
2. This Statement makes up the entire agreement between the parties regarding Facebook, and supersedes any prior agreements.
3. If any portion of this Statement is found to be unenforceable, the remaining portion will remain in full force and effect.
4. If we fail to enforce any of this Statement, it will not be considered a waiver.
5. Any amendment to or waiver of this Statement must be made in writing and signed by us.
6. You will not transfer any of your rights or obligations under this Statement to anyone else without our consent.
7. All of our rights and obligations under this Statement are freely assignable by us in connection with a merger, acquisition, or sale of assets, or by operation of law or otherwise.
8. Nothing in this Statement shall prevent us from complying with the law.
9. This Statement does not confer any third party beneficiary rights.
10. You will comply with all applicable laws when using or accessing Facebook.

Appendix 3: SNS “Facebook” Privacy Policy (Copied from: [in May 11, 2011])

“Date of last revision: December 22, 2010.

This policy contains nine sections, and you can jump to each by selecting the links below:

1. Introduction
2. Information We Receive
3. Sharing information on Facebook
4. Information You Share With Third Parties
5. How We Use Your Information
6. How We Share Information
7. How You Can Change or Remove Information
8. How We Protect Information
9. Other Terms

1. Introduction

Questions. If you have any questions or concerns about our privacy policy, contact our privacy team through this help page. You may also contact us by mail at 1601 S. California Avenue, Palo Alto, CA 94304.

TRUSTe Program. Facebook has been awarded TRUSTe's Privacy Seal signifying that this privacy policy and practices have been reviewed by TRUSTe for compliance with TRUSTe's program requirements. If you have questions or complaints regarding our privacy policy or practices, please contact us by mail at 1601 S. California Avenue, Palo Alto, CA 94304 or through this help page. If you are not satisfied with our response you can contact TRUSTe here. This privacy policy covers the website www.facebook.com. The TRUSTe program covers only information that is collected through this Web site, and does not cover other information, such as information that may be collected through software downloaded from Facebook.

Safe Harbor. Facebook also complies with the EU Safe Harbor framework as set forth by the Department of Commerce regarding the collection, use, and retention of data from the European Union. As part of our participation in the Safe Harbor, we agree to resolve all disputes you have with us in connection with our policies and practices through TRUSTe. We will also provide initial responses to access requests within a reasonable period of time. To view our certification, visit the U.S. Department of Commerce's Safe Harbor Web site.

Scope. This privacy policy covers all of Facebook. It does not, however, apply to entities that Facebook does not own or control, such as applications and websites using Platform. By using or accessing Facebook, you agree to our privacy practices outlined here.

No information from children under age 13. If you are under age 13, please do not attempt to register for Facebook or provide any personal information about yourself to us. If we learn that we have collected personal information from a child under age 13, we will delete that information as quickly as possible. If you believe that we might have any information from a child under age 13, please contact us through this help page.

Parental participation. We strongly recommend that minors 13 years of age or older ask their parents for permission before sending any information about themselves to anyone over the Internet and we encourage parents to teach their children about safe internet use practices. Materials to help parents talk to their children about safe internet use can be found on this help page.

2. Information We Receive

Information you provide to us:

Information About Yourself. When you sign up for Facebook you provide us with your name, email, gender, and birth date. During the registration process we give you the opportunity to connect with your friends, schools, and employers. You will also be able to add a picture of yourself. In some cases we may ask for additional information for security reasons or to provide specific services to you. Once you register you can provide other information about yourself by connecting with, for example, your current city, hometown, family, relationships, networks, activities, interests, and places. You can also provide personal information about yourself, such as your political and religious views.

Content. One of the primary reasons people use Facebook is to share content with others. Examples include when you update your status, upload or take a photo, upload or record a video, share a link, create an event or a group, make a comment, write something on someone’s Wall, write a note, or send someone a message. If you do not want us to store metadata associated with content you share on Facebook (such as photos), please remove the metadata before uploading the content.

Transactional Information. We may retain the details of transactions or payments you make on Facebook. If you do not want us to store your payment source account number, you can remove it using your payments page.

Friend Information. We offer contact importer tools to help you upload your friends’ addresses so that you can find your friends on Facebook, and invite your contacts who do not have Facebook accounts to join. If you do not want us to store this information, visit this help page. If you give us your password to retrieve those contacts, we will not store your password after you have uploaded your contacts’ information.

Information we collect when you interact with Facebook:

Site activity information. We keep track of some of the actions you take on Facebook, such as adding connections (including joining a group or adding a friend), creating a photo album, sending a gift, poking another user, indicating you “like” a post, attending an event, or connecting with an application. In some cases you are also taking an action when you provide information or content to us. For example, if you share a video, in addition to storing the actual content you uploaded, we might log the fact that you shared it.

Access Device and Browser Information. When you access Facebook from a computer, mobile phone, or other device, we may collect information from that device about your browser type, location, and IP address, as well as the pages you visit.

Cookie Information. We use "cookies" (small pieces of data we store for an extended period of time on your computer, mobile phone, or other device) to make Facebook easier to use, to make our advertising better, and to protect both you and Facebook. For example, we use them to store your login ID (but never your password) to make it easier for you to login whenever you come back to Facebook. We also use them to confirm that you are logged into Facebook, and to know when you are interacting with Facebook Platform applications and websites, our widgets and Share buttons, and our advertisements. You can remove or block cookies using the settings in your browser, but in some cases that may impact your ability to use Facebook.

Information we receive from third parties:

Facebook Platform. We do not own or operate the applications or websites that you use through Facebook Platform (such as games and utilities). Whenever you connect with a Platform application or website, we will receive information from them, including information about actions you take. In some cases, in order to personalize the process of connecting, we may receive a limited amount of information even before you connect with the application or website.

Information from other websites. We may institute programs with advertising partners and other websites in which they share information with us:

• We may ask advertisers to tell us how our users responded to the ads we showed them (and for comparison purposes, how other users who didn’t see the ads acted on their site). This data sharing, commonly known as “conversion tracking,” helps us measure our advertising effectiveness and improve the quality of the advertisements you see.
• We may receive information about whether or not you’ve seen or interacted with certain ads on other sites in order to measure the effectiveness of those ads.

If in any of these cases we receive data that we do not already have, we will “anonymize” it within 180 days, meaning we will stop associating the information with any particular user. If we institute these programs, we will only use the information in the ways we explain in the “How We Use Your Information” section below.

Information from other users. We may collect information about you from other Facebook users, such as when a friend tags you in a photo, video, or place, provides friend details, or indicates a relationship with you.

3. Sharing information on Facebook.

This section explains how your privacy settings work, and how your information is shared on Facebook. You should always consider your privacy settings before sharing information on Facebook.

Name and Profile Picture. Facebook is designed to make it easy for you to find and connect with others. For this reason, your name and profile picture do not have privacy settings. If you are uncomfortable with sharing your profile picture, you should delete it (or not add one). You can also control who can find you when searching on Facebook or on public search engines using the Applications and Websites privacy setting.

Contact Information. Your contact information settings control (available when customizing your privacy settings) who can contact you on Facebook, and who can see your contact information such as your email and phone number(s). Remember that none of this information is required except for your email address, and you do not have to share your email address with anyone.

Personal Information. Your personal information settings control who can see your personal information, such as your religious and political views, if you choose to add them. We recommend that you share this information using the friends of friends setting.

Posts by Me. You can select a privacy setting for every post you make using the publisher on our site. Whether you are uploading a photo or posting a status update, you can control exactly who can see it at the time you create it. Whenever you share something look for the lock icon. Clicking on the lock will bring up a menu that lets you choose who will be able to see your post. If you decide not to select your setting at the time you post the content, your content will be shared consistent with your Posts by Me default privacy (available when customizing your privacy settings).

Gender and Birth Date. In addition to name and email address, we require you to provide your gender and birth date during the registration process. We ask for your date of birth to verify that you are 13 or older, and so that we can better limit your access to content and advertisements that are not age appropriate. Because your date of birth and gender are required, you cannot delete them. You can, however, edit your profile to hide all (or part) of such fields from other users.

Other. Here are some other things to remember:

• Some of the content you share and the actions you take will show up on your friends’ home pages and other pages they visit.
• If another user tags you in a photo or video or at a place, you can remove the tag. You can also limit who can see that you have been tagged on your profile from your privacy settings.
• Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users.
• You understand that information might be reshared or copied by other users.
• Certain types of communications that you send to other users cannot be removed, such as messages.
• When you post information on another user’s profile or comment on another user’s post, that information will be subject to the other user’s privacy settings.
• If you use an external source to publish information to Facebook (such as a mobile application or a Connect site), you should check the privacy setting for that post, as it is set by that external source.

“Everyone” Information. Information set to “everyone” is publicly available information, just like your name, profile picture, and connections. Such information may, for example, be accessed by everyone on the Internet (including people not logged into Facebook), be indexed by third party search engines, and be imported, exported, distributed, and redistributed by us and others without privacy limitations. Such information may also be associated with you, including your name and profile picture, even outside of Facebook, such as on public search engines and when you visit other sites on the internet. The default privacy setting for certain types of information you post on Facebook is set to “everyone.” You can review and change the default settings in your privacy settings. If you delete “everyone” content that you posted on Facebook, we will remove it from your Facebook profile, but have no control over its use outside of Facebook.

Minors. We reserve the right to add special protections for minors (such as to provide them with an age-appropriate experience) and place restrictions on the ability of adults to share and connect with minors, recognizing this may provide minors a more limited experience on Facebook.

4. Information You Share With Third Parties.

Facebook Platform. As mentioned above, we do not own or operate the applications or websites that use Facebook Platform. That means that when you use those applications and websites you are making your Facebook information available to someone other than Facebook. Prior to allowing them to access any information about you, we require them to agree to terms that limit their use of your information (which you can read about in Section 9 of our Statement of Rights and Responsibilities) and we use technical measures to ensure that they only obtain authorized information. To learn more about Platform, visit our About Platform page.

Connecting with an Application or Website. When you connect with an application or website it will have access to General Information about you. The term General Information includes your and your friends’ names, profile pictures, gender, user IDs, connections, and any content shared using the Everyone privacy setting. We may also make information about the location of your computer or access device and your age available to applications and websites in order to help them implement appropriate security measures and control the distribution of age-appropriate content. If the application or website wants to access any other data, it will have to ask for your permission.

We give you tools to control how your information is shared with applications and websites that use Platform. For example, you can block all platform applications and websites completely or block specific applications from accessing your information by visiting your Applications and Websites privacy setting or the specific application’s “About” page. You can also use your privacy settings to limit which of your information is available to “everyone”.

You should always review the policies of third party applications and websites to make sure you are comfortable with the ways in which they use information you share with them. We do not guarantee that they will follow our rules. If you find an application or website that violates our rules, you should report the violation to us on this help page and we will take action as necessary.

When your friends use Platform. If your friend connects with an application or website, it will be able to access your name, profile picture, gender, user ID, and information you have shared with “everyone.” It will also be able to access your connections, except it will not be able to access your friend list. If you have already connected with (or have a separate account with) that website or application, it may also be able to connect you with your friend on that application or website. If the application or website wants to access any of your other content or information (including your friend list), it will have to obtain specific permission from your friend. If your friend grants specific permission to the application or website, it will generally only be able to access content and information about you that your friend can access. In addition, it will only be allowed to use that content and information in connection with that friend. For example, if a friend gives an application access to a photo you only shared with your friends, that application could allow your friend to view or print the photo, but it cannot show that photo to anyone else.

We provide you with a number of tools to control how your information is shared when your friend connects with an application or website. For example, you can use your Application and Websites privacy setting to limit some of the information your friends can make available to applications and websites. You can block all platform applications and websites completely or block particular applications or websites from accessing your information. You can use your privacy settings to limit which friends can access your information, or limit which of your information is available to “everyone.” You can also disconnect from a friend if you are uncomfortable with how they are using your information.

Pre-Approved Third-Party Websites and Applications. In order to provide you with useful social experiences off of Facebook, we occasionally need to provide General Information about you to pre-approved third party websites and applications that use Platform at the time you visit them (if you are still logged in to Facebook). Similarly, when one of your friends visits a pre-approved website or application, it will receive General Information about you so you and your friend can be connected on that website as well (if you also have an account with that website). In these cases we require these websites and applications to go through an approval process, and to enter into separate agreements designed to protect your privacy. For example, these agreements include provisions relating to the access and deletion of your General Information, along with your ability to opt-out of the experience being offered. You can disable instant personalization on all pre-approved websites and applications using your Applications and Websites privacy setting. You can also block a particular pre-approved website or application by clicking "No Thanks" in the blue bar when you visit that application or website. In addition, if you log out of Facebook before visiting a pre-approved application or website, it will not be able to access your information.

Exporting Information. You (and those you make your information available to) may use tools like RSS feeds, mobile phone address book applications, or copy and paste functions, to capture, export (and in some cases, import) information from Facebook, including your information and information about you. For example, if you share your phone number with your friends, they may use third party applications to sync that information with the address book on their mobile phone.

Advertisements. Sometimes the advertisers who present ads on Facebook use technological methods to measure the effectiveness of their ads and to personalize advertising content. You may opt-out of the placement of cookies by many of these advertisers here. You may also use your browser cookie settings to limit or prevent the placement of cookies by advertising networks. Facebook does not share personally identifiable information with advertisers unless we get your permission.

Links. When you click on links on Facebook you may leave our site. We are not responsible for the privacy practices of other sites, and we encourage you to read their privacy statements.

5. How We Use Your Information

We use the information we collect to try to provide a safe, efficient, and customized experience. Here are some of the details on how we do that:

To manage the service. We use the information we collect to provide our services and features to you, to measure and improve those services and features, and to provide you with customer support. We use the information to prevent potentially illegal activities, and to enforce our Statement of Rights and Responsibilities. We also use a variety of technological systems to detect and address anomalous activity and screen content to prevent abuse such as spam. These efforts may on occasion result in a temporary or permanent suspension or termination of some functions for some users.

To contact you. We may contact you with service-related announcements from time to time. You may opt out of all communications except essential updates on your account notifications page. We may include content you see on Facebook in the emails we send to you.

To serve personalized advertising to you. We don’t share your information with advertisers without your consent. (An example of consent would be if you asked us to provide your shipping address to an advertiser to receive a free sample.) We allow advertisers to choose the characteristics of users who will see their advertisements and we may use any of the non-personally identifiable attributes we have collected (including information you may have decided not to show to other users, such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for those advertisements. For example, we might use your interest in soccer to show you ads for soccer equipment, but we do not tell the soccer equipment company who you are. You can see the criteria advertisers may select by visiting our advertising page. Even though we do not share your information with advertisers without your consent, when you click on or otherwise interact with an advertisement there is a possibility that the advertiser may place a cookie in your browser and note that it meets the criteria they selected.

To serve social ads. We occasionally pair advertisements we serve with relevant information we have about you and your friends to make advertisements more interesting and more tailored to you and your friends. For example, if you connect with your favorite band’s page, we may display your name and profile photo next to an advertisement for that page that is displayed to your friends. We only share the personally identifiable information visible in the social ad with the friend who can see the ad. You can opt out of having your information used in social ads on this help page.

To supplement your profile. We may use information about you that we collect from other Facebook users to supplement your profile (such as when you are tagged in a photo or mentioned in a status update). In such cases we generally give you the ability to remove the content (such as allowing you to remove a photo tag of you) or limit its visibility on your profile.

To make suggestions. We use your information, including the addresses you import through our contact importers, to make suggestions to you and other users on Facebook. For example, if another user imports the same email address as you do, we may suggest that you add each other as friends. Similarly, if one of your friends uploads a picture of you, we may suggest that your friend tag you in the picture. We do this by comparing your friend’s pictures to information we’ve put together from the photos you’ve been tagged in. We may also suggest that you use certain tools and features based on what your friends have used. You can control whether we suggest that another user add you as a friend through your “search for you on Facebook” privacy setting. You can control whether we suggest that another user tag you in a photo by clicking customize from your privacy settings.

To help your friends find you. We allow other users to use contact information they have about you, such as your email address, to find you, including through contact importers and search. You can prevent other users from using your email address to find you using the search section of your privacy settings.

Downloadable Software. Certain downloadable software applications and applets that we offer, such as our browser toolbars and photo uploaders, transmit data to us. We may not make a formal disclosure if we believe our collection of and use of the information is the obvious purpose of the application, such as the fact that we receive photos when you use our photo uploader. If we believe it is not obvious that we are collecting or using such information, we will make a disclosure to you the first time you provide the information to us so that you can decide whether you want to use that feature.

Memorializing Accounts. If we are notified that a user is deceased, we may memorialize the user’s account. In such cases we restrict profile access to confirmed friends, and allow friends and family to write on the user’s Wall in remembrance. We may close an account if we receive a formal request from the user’s next of kin or other proper legal request to do so.

6. How We Share Information

Facebook is about sharing information with others — friends and people in your communities — while providing you with privacy settings that you can use to restrict other users from accessing some of your information. We share your information with third parties when we believe the sharing is permitted by you, reasonably necessary to offer our services, or when legally required to do so. For example:

When you make a payment. When you enter into transactions with others or make payments on Facebook, we will share transaction information with only those third parties necessary to complete the transaction. We will require those third parties to agree to respect the privacy of your information.

When you invite a friend to join. When you ask us to invite a friend to join Facebook, we will send your friend a message on your behalf using your name. The invitation may also contain information about other users your friend might know. We may also send up to two reminders to them in your name. You can see who has accepted your invitations, send reminders, and delete your friends’ email addresses on your invite history page. If your friend does not want us to keep their information, we will also remove it at their request by using this help page.

When you choose to share your information with marketers. You may choose to share information with marketers or electronic commerce providers that are not associated with Facebook through on-site offers. This is entirely at your discretion and we will not provide your information to these marketers without your consent.

To help your friends find you. By default, we make certain information you have posted to your profile available in search results on Facebook to help your friends find you. However, you can control who can see some of this information, as well as who can find you in searches, through your privacy settings. We also partner with email and instant messaging providers to help their users identify which of their contacts are Facebook users, so that we can promote Facebook to those users.

To give search engines access to publicly available information. We generally limit search engines’ access to our site. We may allow them to access information set to the “everyone” setting (along with your name and profile picture) and your profile information that is visible to everyone. You can change the visibility of some of your profile information using the customize section of your privacy settings. You can also prevent search engines from indexing your profile using the Applications and Websites privacy setting.

To help improve or promote our service. Sometimes we share aggregated information with third parties to help improve or promote our service. But we only do so in such a way that no individual user can be identified or linked to any specific action or information.

To provide you with services. We may provide information to service providers that help us bring you the services we offer. For example, we may use third parties to help host our website, send out email updates about Facebook, remove repetitive information from our user lists, process payments, or provide search results or links (including sponsored links). These service providers may have access to your personal information for use for a limited time, but when this occurs we implement reasonable contractual and technical protections to limit their use of that information to helping us provide the service.

To advertise our services. We may ask advertisers outside of Facebook to display ads promoting our services. We may ask them to deliver those ads based on the presence of a cookie, but in doing so will not share any other information with the advertiser.

To offer joint services. We may provide services jointly with other companies, such as the classifieds service in the Facebook Marketplace. If you use these services, we may share your information to facilitate that service. However, we will identify the partner and present the joint service provider’s privacy policy to you before you use that service.

To respond to legal requests and prevent harm. We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards. We may also share information when we have a good faith belief it is necessary to prevent fraud or other illegal activity, to prevent imminent bodily harm, or to protect ourselves and you from people violating our Statement of Rights and Responsibilities. This may include sharing information with other companies, lawyers, courts or other government entities.

Transfer in the Event of Sale or Change of Control. If the ownership of all or substantially all of our business changes, we may transfer your information to the new owner so that the service can continue to operate. In such a case, your information would remain subject to the promises made in any pre-existing Privacy Policy.

7. How You Can Change or Remove Information

Editing your profile. You may change or remove your profile information at any time by going to your profile page and clicking “Edit My Profile.” Information will be updated immediately.

Delete uploaded contacts. If you use our contact importer to upload addresses, you can later delete the list on this help page. You can delete the email addresses of friends you have invited to join Facebook on your invite history page.

Deactivating or deleting your account. If you want to stop using your account you may deactivate it or delete it. When you deactivate an account, no user will be able to see it, but it will not be deleted. We save your profile information (connections, photos, etc.) in case you later decide to reactivate your account. Many users deactivate their accounts for temporary reasons and in doing so are asking us to maintain their information until they return to Facebook. You will still have the ability to reactivate your account and restore your profile in its entirety. When you delete an account, it is permanently deleted from Facebook. You should only delete your account if you are certain you never want to reactivate it. You may deactivate your account on your account settings page or delete your account on this help page.

Limitations on removal. Even after you remove information from your profile or delete your account, copies of that information may remain viewable elsewhere to the extent it has been shared with others, it was otherwise distributed pursuant to your privacy settings, or it was copied or stored by other users. However, your name will no longer be associated with that information on Facebook. (For example, if you post something to another user’s profile and then you delete your account, that post may remain, but be attributed to an “Anonymous Facebook User.”) Additionally, we may retain certain information to prevent identity theft and other misconduct even if deletion has been requested. If you have given third party applications or websites access to your information, they may retain your information to the extent permitted under their terms of service or privacy policies. But they will no longer be able to access the information through our Platform after you disconnect from them.

Backup copies. Removed and deleted information may persist in backup copies for up to 90 days, but will not be available to others.

Non-user contact information. If a user provides your email address to us, and you are not a Facebook user but you want us to delete your address, you can do so on this help page. However, that request will only apply to addresses we have at the time of the request and not to any addresses that users provide to us later.

8. How We Protect Information

We do our best to keep your information secure, but we need your help. For more detailed information about staying safe on Facebook, visit the Facebook Security Page.

Steps we take to keep your information secure. We keep your account information on a secured server behind a firewall. When you enter sensitive information (such as credit card numbers and passwords), we encrypt that information using secure socket layer technology (SSL). We also use automated and social measures to enhance security, such as analyzing account behavior for fraudulent or otherwise anomalous behavior, may limit use of site features in response to possible signs of abuse, may remove inappropriate content or links to illegal content, and may suspend or disable accounts for violations of our Statement of Rights and Responsibilities.

Risks inherent in sharing information. Although we allow you to set privacy options that limit access to your information, please be aware that no security measures are perfect or impenetrable. We cannot control the actions of other users with whom you share your information. We cannot guarantee that only authorized persons will view your information. We cannot ensure that information you share on Facebook will not become publicly available. We are not responsible for third party circumvention of any privacy settings or security measures on Facebook. You can reduce these risks by using common sense security practices such as choosing a strong password, using different passwords for different services, and using up to date antivirus software.

Report Violations. You should report any security violations to us on this help page.

9. Other Terms

Changes. We may change this Privacy Policy pursuant to the procedures outlined in the Facebook Statement of Rights and Responsibilities. Unless stated otherwise, our current privacy policy applies to all information that we have about you and your account. If we make changes to this Privacy Policy we will notify you by publication here and on the Facebook Site Governance Page. If the changes are material, we will provide you additional, prominent notice as appropriate under the circumstances. You can make sure that you receive notice directly by liking the Facebook Site Governance Page.

Consent to Collection and Processing in the United States. By using Facebook, you consent to having your personal data transferred to and processed in the United States.

Defined Terms. “Us,” “we,” “our,” “Platform” and “Facebook” mean the same as they do in the Statement of Rights and Responsibilities. “Information” and “content” are used more generally and interchangeably here than in the Statement of Rights and Responsibilities unless otherwise limited by the context.”
