web 2.0 + privacy
Vincent Gautrais
professeur agrégé / associate professor, faculté de droit / faculty of law, université de Montréal / university of montreal
July 10th, 2009
chaire en droit de la sécurité et des affaires électroniques / UdM chair in e-Security and e-Business law
www.gautrais.com
plan
• intro
• what is personal info?
• who is in charge of controlling it?
• how to control it?
je me souviens …
remember …
que né sous le lys …
that, born under the lily …
… je croîs sous la rose.
… I grow under the rose.
(Eugène-Étienne Taché)
souvenons-nous que nés sous le papier …
let us remember that, born under paper …
… nous croissons sous l’électronique.
… we grow under electronics.
(Vincent Gautrais)
law is under influence
privacy is influenced by: techno, business, culture, legal culture
1 - privacy influenced by legal culture
2 - privacy influenced by culture
immigrants v. natives (Mark Prensky, Digital Natives, Digital Immigrants, 2001)
3 - privacy influenced by business
4 - privacy influenced by techno
Michel Serres, Les nouvelles technologies : révolution culturelle et cognitive (New Technologies: Cultural and Cognitive Revolution)
Michel Serres: « when the medium / information combination changes, everything changes! »
[timeline figure: axis from -5000 to 2000, marking the appearance of writing, printing and the internet]
Michel Serres: « today a pure science professor teaches 60 to 70% of content that he or she did not learn himself or herself at university ».
Hyperlink: first generation
Web 2.0: second generation
what is the consequence for law?
do we need some new laws?
are we OK with old laws?
technological neutrality
on one side, some people said …
technological neutrality: definition?
Definition 1: law doesn’t favour one technology
Definition 2: technologies are similarly manageable
RAND report (May 2009)
review of the European data protection directive
(sponsored by the UK Information Commissioner’s Office)
http://www.rand.org/pubs/technical_reports/TR710/
RAND report (page 24)
the person in charge of personal information is responsible for its protection
are you sure that the directive is technologically neutral?
privacy laws were created (in the seventies and after) under a different technology
old electronic technology
the company (or gov.) needs to control personal information
old electronic technology
ex: the medical file must be stored in the doctor’s office
differences of new electronic technologies
• protection = circulation
• place of detention
• initiative of circulation
• enhancement of circulation
• etc.
are you sure that the technologically neutral approach is the best one?
Chris Reed? (UK) no
Bert-Jaap Koops? (Netherlands) no
Lyria Bennett Moses? (Australia) no
Vincent Gautrais? (Canada) no
1) poor definition
2) not sure that laws are techno neutral
3) not sure that it is the best approach
on the other side, some others said …
we need to consider this (r)evolution of facts
we need to consider this (r)evolution of law
we need to propose a broader approach considering
1 – purpose of privacy law
2 – more or less danger
3 – new balance between more circulation and more danger
there are some proposed solutions to very basic questions
1 – what
2 – who
3 – how
-1- what?
personal information?
2 – “personal information” means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization
PIPEDA (federal act – S.C. 2000, c. 5)
2 – Personal information is any information which relates to a natural person and allows that person to be identified.
provincial act – R.S.Q. c. P-39.1
ex 1: IP address?
france
ex 2: note2be.com? (06/2008: appeal court – France) = privacy infringement
canada
ex 2: note2be in Canada?
intermediaries’ liability? is it a PI? constitutional rights balance? is it a collection? legitimacy of the website?
germany
Spickmich in Germany (June 23, 2009) = no privacy infringement
europe
direct or indirect personal information?
usa / uk
• taxonomy of harms from Daniel Solove (Understanding Privacy)
• RAND report
RAND report (May 2009)
review of the European data protection directive
(sponsored by the UK Information Commissioner’s Office)
http://www.rand.org/pubs/technical_reports/TR710/
RAND report (page 41)
“Overall, we found that as we move toward an increasingly global, networked environment, the Directive as it stands will not suffice in the long term. The widely applauded principles of the Directive will remain as a useful front-end, yet will need to be supported with a harms-based back-end in due course, in order to be able to cope with the challenges of globalisation and flows of personal data.”
-2- who?
aristotle versus plato
substance versus process
PIPEDA
4.1 Principle 1 — Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles. (…)
4.1.4 Organizations shall implement policies and practices to give effect to the principles, including
• (a) implementing procedures to protect personal information;
• (b) establishing procedures to receive and respond to complaints and inquiries;
• (c) training staff and communicating to staff information about the organization’s policies and practices; and
• (d) developing information to explain the organization’s policies and procedures.
Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, Information Accountability (2007)
“information. Privacy is protected not by limiting collection of data, but rather by placing strict rules on how the data may be used”
“In many cases it is only by making better use of the information that is collected, and by retaining what is necessary to hold data users responsible for policy compliance that we can actually achieve greater information accountability”
more and more regulations on risk assessment (federal + Quebec)
federal (2002)
Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks
quebec (2009)
Décret sur la diffusion de l’information et sur la protection des renseignements personnels (order respecting the distribution of information and the protection of personal information)
ex: Chris Kelly (Facebook chief privacy officer)
« We’ve always seen ourselves as a leader in reflecting in what users want online and learning what they’re looking for. We saw that in news feed, we saw that in [Facebook] Beacon and we’ve returned to our principle of user control. »
ex: Chris Kelly (Facebook chief privacy officer)
« We’re constantly looking at ways to make sure that people can get the information they want and they need about their friends in their real world social networks. Sure, we will be working on improving the privacy interface on simplifying it to give people the control that they need. »
but be careful …
SOX (Sarbanes-Oxley Act – 2002) mess
sox
section 404: Management Assessment of Internal Controls
« Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall:
• state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and
• contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting ».
individual / government / company
-3- how?
new or old laws? as already mentioned …
neutral or “un-neutral” laws?
changing or interpreting laws?
interpretation: communication? retention? collection? use?
ex 1: clicSÉQUR
[diagram: 1 – citizen; 2 – minister (service to the public); 3 – identification service; 4 – minister 2]
communication?
no, because there is no control over the information itself (content)
ex 2: tourism website
collection?
no, because 1) no control over the info, 2) no knowledge of the PI and 3) ability to erase problematic information on demand
consent?
example
Additionally, users should be aware that when they voluntarily disclose personally identifiable information (e.g., user name, e-mail address) on the forums or in the chat areas of the Spain-Info.com sites, that information, along with any substantive information disclosed in the user's communication, can be collected and correlated and used by third parties and may result in unsolicited messages from other posters or third parties. Such activities are beyond the control of Spain-Info.com
Aleecia M. McDonald and Lorrie Faith Cranor (Carnegie Mellon University), « The Cost of Reading Privacy Policies » (pdf): 20 hours each month
ex 3: google street view
retention?
no, because there is no control over the information itself (content)
where does this control criterion come from?
inherent to privacy protection
ex: R. v. Patrick, 2009 SCC 17
[62] Nevertheless, until the garbage is placed at or within reach of the lot line, the householder retains an element of control over its disposition and cannot be said to have unequivocally abandoned it, particularly if it is placed on a porch or in a garage or within the immediate vicinity of the dwelling where the principles set out in the “perimeter” cases such as Kokesch, Grant and Wiley apply.
[63] In municipalities (if there are any left) where garbage collectors come to the garage or porch and carry the garbage to the street, they are operating under (at least) an implied licence from the householder to come onto the property. The licence does not extend to the police. However, when the garbage is placed at the lot line for collection, I believe the householder has sufficiently abandoned his interest and control to eliminate any objectively reasonable privacy interest.
R. v. Patrick, 2009 SCC 17
conclusion
in some cases, need for new legislation in line with the huge electronic changes, but …
conclusion
I love interpretation too!