Australia: No ROFL Matter: Discovery and the Risks of Social Networking
Corporate Risk and Insurance Update

A United States court has recently considered whether private communications sent through a social networking (such as Facebook or MySpace) or web hosting (such as Media Temple, Inc) sites are afforded protection from disclosure under the Stored Communications Act ^[1]

The District Court of California decision in Buckley H. Crispin v Christian Audigier, Inc ^[2] found that social networking sites and web hosting providers fall within the Stored Communications Act's protection from disclosure.  As such, the Court ruled that civil parties seeking to discover private electronic communications from such sites will likely be prevented from doing so.

Background

Buckley Crispin (Crispin) is an artist who granted the defendant, Christian Audigier (Audigier), a designer, an oral licence to use his artwork for certain clothing.  Crispin alleged that Audigier breached the scope of the original oral licence and engaged in sublicensing arrangements without consent.

Audigier served subpoenas on several third-party social networking or web hosting businesses (including Facebook, MySpace and Media Temple), directing them produce all communications between Crispin and Audigier, as well as any communications evidencing any sublicensing arrangements.

The defendants maintained that these records were relevant in determining the nature and terms of the agreement that Crispin and Audigier supposedly entered into.

Crispin argued that the subpoenas sought private electronic communications that, under the Stored Communications Act, were prohibited from producing.

So what happened?

The Court reviewed the definitions under the legislation of both Electronic Communication Services (ECS) and Remote Computing Services (RCS) as, under US law, in order for information to be afforded protection from disclosure a provider must be either an ECS or RCS provider.

The court found that both companies qualified as an ECS and RCS because they provided message delivery services and as RCS because they offered message storage services. Accordingly, the Court was satisfied that the communications at issue (and the private form they were in ^[3] were not readily accessibly to the public (at most, they were accessible by a limited audience) and as such the discovery of the communications was not allowed.

But what about privacy settings?

As the Crispin decision was in a United States District Court, it is not binding on alternative jurisdictions, but in the United States it may be used for analysis purposes.

The Crispin decision, however, follows a United States Federal Court decision in EEOC v. Simply Storage Management LLC et al ^[4] an employment law case, in which a magistrate ordered employees to produce social networking profile information from their social networking accounts in response to a discovery request.

This case concerned a sexual harassment complaint made on behalf of two employees against their supervisor and at issue was the emotional state of the two employees.  The Court considered that any posting by the complainants was capable of leading to admissible evidence regarding their emotional states (specifically the time period claimed) and the magistrate found all social networking content revealing, relating, or simply referring to allegations raised in the complaint to be discoverable.

Notably, the Court also found that the fact that a user's profile is private and not available to the public does not shield information in that user's profile from discovery.

Well this is Australia!

To date, national privacy laws in Australia have prevented access to information marked as private or specifically, any private information collected by social networking providers.

The Privacy Act does not apply to individuals acting in a personal capacity so individuals posting information on social networking sites would usually be exempt.  However, if an organisation collects and stores information from your page, and that organisation is covered by the Privacy Act, then it must comply with the National Privacy Principles that set out how an organisation must handle personal information and the purpose for which it can be used.

The location of the social networking site will implicate the application of the Privacy Act.  To be covered by the Privacy Act, an organisation must be in Australia.  So, if the social networking site is based in the USA (the way Facebook and Myspace are), the privacy rights for individuals under Australian law may be limited.

The outcome in Crispin was influenced by regional legislation. Had Crispin been run in Australia, in the interests of justice and of an efficient discovery process, it is possible that an Australian court may not rule in the same way.  A court may allow the private postings of social networking sites to be disclosed and not protected against third party subpoenas.

So what should we do?

In the absence of judicial opinion in Australia, for  individuals, the best advice it to think carefully about the information shared on social networking sites.  It is clear from the two United States cases that words on a social networking page do not fade away as easily as  the spoken conversation.  Accordingly, the easiest way to protect your privacy is not to give out personal information and to think carefully about what you say online.

For litigants, seek and maybe ye shall discover!

 [1] 18 U.S.C. §§ 2701-11.
  [2] No. 09-cv-9509,( C.D. Cal., 26 May 2010
  [3] The Court considered the provider's privacy controls and the individual user's privacy settings in reaching this decision.
  [4] No. 1:09-cv-1223-WTL-DML (S.D. Ind. 11May 2010)

For more information, please contact:

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.