The judiciary should confine itself to those incremental changes which are necessary to keep the common law in step with the dynamic and evolving fabric of our society.
Iacobucci J. in R. v. Salituro
* * *
I’ve stayed away from Web 2.0 issues on this blog until now. But when a colleague who I wouldn’t have guessed called me the other day and was quite obviously flabbergasted about how powerful the Facebook application is, it confirmed my very non-original opinion that this phenomenon of people posting personal stuff on the internet could change the shape of privacy law.
I was a resister at first, not of the technology, but of the technology as something that was going to change the law as we know it. You see, I’m a former research lawyer and (as you know) like to follow developing case law. Through this affair of the heart I’ve learned that nine out of ten judgements are confined to their facts. The tenth is usually one I can squeeze some meaning out of, formerly in our internal firm newsletters and now in this blog. I know well that incremental change is truly the norm for the common law. So even as a user of Facebook that was fully-aware of the new masses of people taking control of the internet’s content, I was sceptical (or clueless) that Web 2.0 meant much for privacy law.
My non-belief was aided by my practice as a management-side employment lawyer. We get asked to help employers manage employees who post bad things on the internet all the time. Most of the time we rely on contractual rights, hopefully ones that are helped by a nice “blogging” policy so employer interests can be protected without having to rely on an argument that “employees ought to have known.” Like maybe a policy that tells employees that saying an improper thing to 350 Facebook friends can cause just as much harm as saying it to the world and, hence, will be treated as such. Disputes about off-duty conduct and about how far an employer’s right to regulate an employee’s private life goes have been litigated in Canada for years. Not simple by any means, but nothing new.
Then came the harder files. Former employees don’t have employment contracts. They can have a duty to keep information confidential, but in Canadian law the duty is based on the circumstances under which information is communicated and received. Disparagement of a former manager doesn’t fit, and as a result I’ve gained a rather quick interest in the law of defamation. But what if a former employee publishes a true but embarrassing or harmful fact about a former manager? Or a patient or client? Think about an accurate and fair account of bad management. Say it includes a manager’s home phone number stolen from a personnel file. Or maybe a nurse posts information about a patient’s medical condition on a Facebook page. If employee and patient privacy is regulated, the organization may be in for a problem with a privacy regulator (though not likely for disclosure of the bad management story). But does it have a legal means of acting against the rogue former employee to contain the breach? Does the manager or patient for that matter? What the heck is the basis for the claim?
What’s that? “A new common law right of privacy,” you say?
I am happy that I work with many fair and reasonable organizations, but I’m not really in the running for the “new invasion of privacy tort and implied (contractual) privacy rights advocate-of-the-year” award. We’re only inching our way towards court-based recognition of privacy rights in Canada. Though a newly-recognized privacy right would cause some constraint on management, the example above shows that new bases for protecting privacy would at least fit with some management interests. I think most employers would feel compelled to take action to protect a manager whose privacy is under attack by a former employee simply as a matter of good human resources. A novel confidentiality clause in an employment contract may take employers part of the way provided it hits the right level of post-employment restrictiveness, but such a clause would only invite the truly important question: what types of restrictions on expression ought to be imposed or enforced by a court in the name or privacy?
So I’m a believer now. I’ve mentioned before that I recently read Daniel Solove‘s book, The Future of Reputation. It’s a great read, and got me thinking about privacy law and its relationship to freedom of expression, an issue of balance that I don’t get exposed to when working with very technical privacy regulation on a day-in and day-out basis. It also helped me unlock a link between privacy, the law of defamation and even intellectual property that I hadn’t fully understood and that is critical to our developing common law of privacy. Web 2.0 will push the common law along, maybe incrementally, but likely at a pace that reflects a true social phenomenon. We might expect bad decisions and confusing jurisprudence given the pace of change, but we’ll soon enough have a rational governing common law.
But, of course, the significance of Web 2.0 raises other challenging issues.
There’s the increasing significance of the principle of practical obscurity – the one that says information can still be private (or one’s interest in keeping something private can subsist) even if it is exposed to some unauthorized or limited authorized access if it is so buried that the information remains obscure. This has been a part of privacy law for some time, recognized as early as 1989 by the United States Supreme Court in Reporters Committee, but it is a principle that should now have an increasing importance as privacy law develops.
Then there’s the merging of professional and personal reputation and its impact on workplace privacy law. My loving and understanding wife accepts that I “work” all the time and in turn brings her own laptop to our dinner table – which, appropriately enough, is four feet high and more of a casual dinner “bar.” I also have a mainly professional blog but a deep craving to blow the barrier between my personal and professional personas apart by revealing more and more of myself online. If I’m going to be on-duty all the time I’d better do it in my own skin or I’ll be bound for misery and burnout eh?
I assume the way I work is not atypical for a year 2008 knowledge worker in his or her mid-30s, and therfore ask the following: Have we surrendered all privacy to our employers? Or is a new legal framework for employee privacy needed now that the “workplace” is boundless and there is no true “off-duty?” If the boundary between the workplace and the outside world is disintegrating, where should courts now draw the line between what an employer is and is not allowed to know about its employees?
Can you tell I’m excited? Thanks for listening to my story and my ramblings. I’m looking forward to watching this play out and following the developments. If you have any good readings to further feed my interest please let me know. See ya!