Embed Size (px)
Citation preview
Forgetting, Non-Forgetting and Quasi-Forgetting: Public Policy and
Corporate Practice
Colin J. Bennett, Adam Molnar and Christopher Parsons
Department of Political ScienceUniversity of Victoria
BC, Canadawww.colinbennett.ca
Canadian Access to Social Media Information Project
www.catsmi.ca http://catsmi.tookish.net
• 23 top SNSs in terms of usage in Canada• Content Analysis of Privacy Policies• Tests of Subject Access to PII by researchers• Law Enforcement Compliance Guides • Implications for “Lawful Access” Legislation
Funded by Social Sciences and Humanities Research Council of Canada (SSHRC) and Office of the Privacy Commissioner
Living next to the United States….
“Living next to you is in some ways like sleeping with an elephant. No matter how friendly and even-tempered is the beast, if I can call it that, one is affected by every twitch and grunt.” Pierre Eliot Trudeau
FEDERAL PUBLIC SECTOR(PRIVACY ACT)
FEDERAL PRIVATE SECTOR(PIPEDA)
PROVINCIAL PUBLIC SECTORS(Information and Privacy
Statutes)
PROVINCIAL PRIVATE SECTORS(Alberta, BC, Quebec)
Federally Regulated Private Sector
• The Protection of Personal Information and Electronic Documents Act (PIPEDA) 2000– Applies to federally regulated businesses
(communications, transportation, banking) and any enterprise that transmits personal data across provincial or international boundaries for a commercial purpose
– Overseen by the Office of the Privacy Commissioner of Canada
– Also applies to provincial regulated businesses where no “substantially similar legislation”
Extra-territorial impact of PIPEDA
• Section 4.1.3 of Schedule One of PIPEDA: “An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
An “organization to organization” approach, rather than a “country to country” approach
The “Real and Substantial Connection to Canada” Test
• Acusearch Decision – www.abika.com (2009)
• Facebook Investigations (2009-2012)• WhatsApp Investigation with Dutch DPA
(2012-13)• Cloud-Computing Applications
Responses to Subject Access Requests
Under PIPEDA, personal information means “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.”
PII provided: Facebook, Twitter, Google+ Responses received but no PII (yet): LinkedIn PII refused: Tumblr All others: No responses
AND NO METADATA
Complaint against Twitter?
The Anatomy of a Tweet
Information provided to law enforcement (Facebook)
• User contact info (name, DOB, e-mail addresses, physical address, city, state, zip, phone (home, mobile, work), screen name, “group contact info”, “user neoprint” (an expanded view of the user profile); “user photoprint” (a compilation of photos uploaded but not deleted), and IP logs (source IP address, ISP)….
• Preservation up to 90 days
Article 17 of New EU Draft Regulation
– the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
– the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;
– the data subject objects to the processing of personal data pursuant to Article 19;
– the processing of the data does not comply with this Regulation for other reasons.
(EXEMPTIONS OR JOURNALISTIC AND ARTISTIC PURPOSES)
Three Progressively Controversial “Rights”
–Right to erase something generated by the user–Right to erase reposting of original posting–Right to erase posting by a third party
Is there a right to be forgotten in non-European (Canadian) law?
• Obligation of the data controller rather than right of data subject
• Retention schedules -- PIAs• Withdrawal of consent for processing
The “Net Never Forgets”
• “You may not realize it, but whenever you go online, you’re building an identity through the words and images you post and the activities you do. This can become part of your reputation, and it can be a lasting one. Once personal information goes online, it may be difficult to delete. While you may be able to delete it in one place, there may be cached versions or copies stored elsewhere that you cannot control. Digital storage is cheap and computer memory is plentiful--and unlike people, the Net never forgets” (Jennifer Stoddart, Canadian Privacy Commissioner, January 28th, 2011).
Forgetting, Non-Forgetting and Quasi-Forgetting
• Forgetting, but not yet• Forgetting, but only for what we deem to be PII• Forgetting, but not information that friends have said and
shared about you• Forgetting, but only for us, not for others• Forgetting, but not when requests come from law enforcement• Forgetting, but we cannot ensure complete erasure• Forgetting, except for third-party analytics
Legal Jurisdictions
Technical Jurisdictions
Corporate Jurisdictions
