vincent gautrais
professeur agrégé / associate professor
faculté de droit / faculty of law
université de Montréal / university of montreal
January 25th, 2011
chaire en droit de la sécurité et des affaires électroniques /
udm chair in e-Security and e-Business law
www.gautrais.com
ppt is available at www.gautrais.com
2
3
je me souviens
remember
4
que né sous le lys
that born under the lily
5
... je crois sous la rose.
I grow under the rose.
(Eugène-Étienne Taché)
6
7
souvenons-nous que nés sous le papier
remember that born under paper
8
... nous croissons sous l'électronique.
we grow under electronic.
(Vincent Gautrais)
9
law is under influence
10
techno
business
culture
legal
culture
Privacy is
influenced
11
1 - privacy influenced by legal culture
12
13
2 - privacy influenced by culture
14
immigrants v. natives
(Mark Prensky, Digital natives, Digital immigrants, 2001)
15
3 - privacy influenced by business
$$$$$$$$$$
16
17
4 - privacy influenced by techno
18
Michel Serres
Les nouvelles technologies :
révolution culturelle et cognitive
(New Technologies: Cultural and
Knowledge Revolution)
19
Michel Serres
when the support / information combination is
changing, everything is changing !
20
[Figure: timeline with axis from -5000 to 2000; labels: writing, printing, internet]
21
Michel Serres
today a pure science professor teaches 60 to
70% of content that he or she doesn't learn
him(her)self in the university.
22
Hyperlink first generation
Web 2.0 second generation
23
when facing new problems
24
begin first with very basic questions.
25
plan
what is personal info ?
who is in charge to control it ?
how to control it ?
26
-1-
what ?
27
personal information ?
28
personal information means information
about an identifiable individual, but does
not include the name, title or business
address or telephone number of an
employee of an organization
PIPEDA (federal act - S.C. 2000, c. 5)
29
Personal information is any information
which relates to a natural person and
allows that person to be identified.
provincial act - R.S.Q. c. P-39.1
personal information definition
2(a) 'personal data' shall mean any
information relating to an identified or
identifiable natural person ('data subject');
an identifiable person is one who can be
identified, directly or indirectly, in particular
by reference to an identification number or to
one or more factors specific to his physical,
physiological, mental, economic, cultural or
social identity
European directive (1995)
same in Switzerland
all information relating to an identified or
identifiable person.
32
ex 1: IP address ?
33
france
ex 2: note2be.com ?
(06/2008: appeal court - France)
=
privacy infringement
34
canada
ex 2: note2be in Canada ?
is it a PI ?
legitimacy
of the website ?
35
germany
Spickmich in Germany (June 23, 2009)
=
no privacy infringement
36
europe
direct or indirect personal information ?
37
usa / uk
taxonomy of harms from Daniel Solove
(understanding privacy)
RAND report
google
38
RAND report (May 2009)
review of the european data protection
directive
(sponsored by UK information
commissioner's office)
http://www.rand.org/pubs/technical_reports/TR710/
39
RAND report (page 41)
Overall, we found that as we move toward an
increasingly global, networked environment, the
Directive as it stands will not suffice in the long
term. The widely applauded principles of the
Directive will remain as a useful front-end, yet
will need to be supported with a harms-
based back-end in due course, in order to be
able to cope with the challenges of globalisation
and flows of personal data.
40
-2-
who?
41
individual
government
company
third person
all of them
42
usually
43
44
individual
government
company
third person
data controller
45
46
(d) "controller" shall mean the natural or legal
person, public authority, agency or any other body
which alone or jointly with others determines the
purposes and means of the processing of
personal data; where the purposes and means of
processing are determined by national or
Community laws or regulations, the controller or
the specific criteria for his nomination may be
designated by national or Community law;
(1995) european directive
but web 2.0 changes the situation
47
with web 2.0, everybody may be
a data controller
48
data controller from your own
personal information
49
data controller of personal
information from other persons
50
R. v Patrick, [2009] 1 S.C.R. 579
52
[62] Nevertheless, until the garbage is placed at or within
reach of the lot line, the householder retains an element of
control over its disposition and cannot be said to have
unequivocally abandoned it, particularly if it is placed on a
porch or in a garage or within the immediate vicinity of the
dwelling where the principles set out in the perimeter
cases such as Kokesch, Grant and Wiley apply.
[63] (...) However, when the garbage is placed at the lot
line for collection, I believe the householder has
sufficiently abandoned his interest and control to
eliminate any objectively reasonable privacy interest.
R. v. Patrick, 2009 SCC 17
british-columbia
She said she could no longer kayak, hike
or bicycle, but the defendant produced some
of the plaintiff's own photographs posted on
her Facebook page that showed her doing
these activities. (Bagasbas v. Atwal, 2009
BCSC 512)
Brisindi et STM (Réseau des
autobus), 2010 QCCLP 4158
no one alleging his own turpitude
is to be heard
56
individual
government
company
third person
that said
57
control may be abandoned by
user's consent too
58
59
Aleecia M. McDonald and Lorrie Faith
Cranor (Carnegie Mellon University)
The Cost of Reading Privacy Policies
(pdf)
20 hours each month
consent = respect of privacy law !
consent = people's protection?
More words, always words
The same words
Nothing but words
Easy words, fragile words
It was too beautiful
Far too beautiful
But the time for dreams is over
Memories fade too
When they are forgotten
63
64
65
Chris Kelly = FB chief privacy officer
We've always seen ourselves as a
leader in reflecting in what users want
online and learning what they're looking
for. We saw that in news feed, we saw that
in [Facebook] Beacon and we've returned
to our principle of user control.
66
Chris Kelly = FB chief privacy officer
We're constantly looking at ways to
make sure that people can get the
information they want and they need about
their friends in their real world social
networks. Sure, we will be working on
improving the privacy interface on
simplifying it to give people the control
that they need.
67
individual
government
company
third person
technical solutions
1 robot
ex: canlii
ex: blogger
2 Google being proactive
a legal solution
the equivalent, in Quebec, of art. 22 from
the Act to Establish a Legal Framework
for Information Technology
75
-3-
how?
some solutions
documentation
accountability
pluri-disciplinary approach
76
1 documentation
show your diligence
77
canada privacy commissioner
2 accountability
need more external control (as audit)
on PI processing
79
80
Daniel J. Weitzner, Harold Abelson, Tim
Berners-Lee, Joan Feigenbaum, James
Hendler, and Gerald Jay Sussman,
Information Accountability, (2007)
81
information. Privacy is protected not by
limiting collection of data, but rather by
placing strict rules on how the data may
be used
82
PIPEDA
4.1 Principle 1 Accountability
An organization is responsible for personal information under its
control and shall designate an individual or individuals who are
accountable for the organization's compliance with the following
principles.
(...)
4.1.4
Organizations shall implement policies and practices to give effect
to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints
and inquiries;
(c) training staff and communicating to staff information about the
organization's policies and practices; and
(d) developing information to explain the organization's policies and
procedures.
83
In many cases it is only by making
better use of the information that is
collected, and by retaining what is
necessary to hold data users responsible
for policy compliance that we can actually
achieve greater information accountability
84
some regulations on risk assessment
already exist (federal + Quebec)
85
federal (2002)
ex: Privacy Impact Assessment
Guidelines: A Framework to Manage
Privacy Risks
86
quebec (2009)
Décret sur la diffusion de l'information et
sur la protection des renseignements
personnels
but no formal obligation for private sector
87
3 pluri-disciplinary approach
conclusion
90
conclusion
much more fears with opacity
91
conclusion
as light!
92
conclusion
ex: google street view
93
94
95
96
conclusion
but very few obligations on real
organization accountability
privacy 2.0