PM360 OCTOBER 2010

SOCIAL MEDIA STRATEGIES

Social Media Under the Privacy Microscope

BY KENNETH N. RASHBAUM, ESQ.

THE LATE HALL OF FAME PITCHER SATCHEL Paige once famously remarked, “Don’t look back. Something may be gaining on you.” In a turnaround few in the social media arena would have anticipated, it is the government—in the U.S. and Europe—that is closing the gap between the watchers and the watched, using surveillance tactics social media marketers have employed since their initiatives began. The FDA recently took Novartis to task for allegedly misleading information in a Facebook widget. In Europe, the European Commission’s Article 29 Working Party on Data Protection has issued a directive requiring affirmative, explicit opt-in for “cookies,” in the interest of protecting privacy. Germany recently proposed legislation proscribing the vetting of Facebook entries of prospective employees.

The Legal, Compliance, and Risk departments of corporations, especially in life sciences, have quaked about the prospect of government surveillance for potential privacy violations in social media endeavors. It turns out their concerns are real, and those in social media marketing should ramp up their vigilance accordingly and obtain legal guidance with regard to U.S. and international privacy standards that impact social media campaigns.

On July 29, 2010, the FDA notified Novartis that “as part of (its) monitoring and surveillance program,” the FDA had determined that a Facebook Share widget “misbranded” the Novartis drug Tasigna (used in the treatment of a particular form of leukemia) because “it makes representations about the efficacy of Tasigna but fails to communicate any risk information associated with the use of this drug” (emphasis in original). The pharmaceutical and medical device industries have labored under the watchful eyes of the FDA and the Federal Trade Commission for some time, but this recent letter brings home the fact that the FDA is now vigilantly monitoring sites such as Facebook, using surveillance methods all too familiar to social media marketers. The next area of enhanced regulatory scrutiny (which may be ongoing as this article goes to press), particularly with regard to the life sciences industry, will be privacy. Monitoring of social media sites in Europe has been in full swing for some time. The U.S. is catching up, and no doubt will do so quickly.

At the heart of most social media campaigns is a personal story, and it is the “personal” that can present a trap for the unwary, sometimes with severe consequences. European Union Privacy Directives proscribe the transmission of “personal data” beyond the European Economic Area (the EU member states plus Switzerland, Liechtenstein, and Norway) without consent of the data subject, which must be obtained in accordance with local enabling laws and procedures set forth by the local Data Protection Authority. “Personal Data” is broadly defined as data that can be traced to an identifiable person. (In Italy, certain company data enjoys the same level of protection.)

Each EU member state implements the Privacy Directives through its own enabling legislation, and failure to consider location laws can result in severe monetary penalties or even prosecution. In Italy, for example, photographs or videos are considered “personal data.” This was the basis of the recent criminal prosecution of Google in Italy for the Internet broadcast of students harassing an autistic child. The consent of the child’s parents was not obtained for a broadcast of this video beyond Italy.

Healthcare providers and certain pharmaceutical and medical device corporations face similar constraints in the U.S. under HIPAA and the enhanced restrictions on marketing pursuant to the HITECH Act. These laws, like those in the European Union member states, and certain countries in South America and Asia, also comprise security requirements for storage and transmission of patient-identifiable data related to treatment.

Privacy and security laws pose potential minefields for social media marketers, particularly those working with multinational corporations and the life sciences industry. Legal and regulatory guidance, in a collaborative environment with in-house resources and the social media team, can provide the knowledge to navigate the privacy and security minefield successfully.

Kenneth N. Rashbaum is Principal of Rashbaum Associates in New York. His practice focuses on privacy, data protection, and compliance issues for multinational corporations and the life sciences industry. He speaks frequently on issues of social media compliance with laws and regulations in the U.S., Europe, and Asia. Additional information is available at www.rashbaumassociates.com