
privacy 2.0
vincent gautrais
professeur agrégé / associate professor
faculté de droit / faculty of law
université de Montréal / university of montreal

January 25th, 2011

chaire en droit de la sécurité et des affaires électroniques /
udm chair in e-Security and e-Business law
www.gautrais.com






ppt is available at www.gautrais.com



je me souviens
remember

que né sous le lys
that born under the lily

... je crois sous la rose.
I grow under the rose.

(Eugène-Étienne Taché)





souvenons-nous que nés sous le papier

remember that born under paper

... nous croissons sous l'électronique.
we grow under electronic.

(Vincent Gautrais)




law is under influence

[Diagram: privacy is influenced by techno, business, culture and legal culture]




1 - privacy influenced by legal culture







2 - privacy influenced by culture


immigrants v. natives
(Marc Prensky, Digital natives, Digital immigrants, 2001)




3 - privacy influenced by business







$$$$$$$$$$






4 - privacy influenced by techno



Michel Serres
Les nouvelles technologies :
révolution culturelle et cognitive
(New Technologies: Cultural and
Knowledge Revolution)


Michel Serres
when the support / information combination is
changing, everything is changing !
[Timeline figure: axis from -5000 to 2000, with writing, printing and internet marked]


Michel Serres
today a pure science professor teaches 60 to
70% of content that he or she doesn't learn
him(her)self in the university.
Hyperlink first generation
Web 2.0 second generation



when facing new problems



begin first with very basic questions.
plan


what is personal info ?

who is in charge to control it ?

how to control it ?

-1-




what ?



personal information ?



personal information means information
about an identifiable individual, but does
not include the name, title or business
address or telephone number of an
employee of an organization
PIPEDA (federal act - S.C. 2000, c. 5)



Personal information is any information
which relates to a natural person and
allows that person to be identified.
provincial act - R.S.Q. c. P-39.1
personal information definition

2(a) 'personal data' shall mean any
information relating to an identified or
identifiable natural person ('data subject');
an identifiable person is one who can be
identified, directly or indirectly, in particular
by reference to an identification number or to
one or more factors specific to his physical,
physiological, mental, economic, cultural or
social identity


European directive (1995)
same in Switzerland



all information relating to an identified or
identifiable person.



ex 1: IP address ?
france



ex 2: note2be.com ?
(06/2008: appeal court - France)
=
privacy infringement
canada



ex 2: note2be in Canada ?
is it a PI ?
legitimacy
of the website ?
germany



Spickmich in Germany (June 23, 2009)
=
no privacy infringement
europe



direct or indirect personal information ?
usa / uk

taxonomy of harms from Daniel Solove
(understanding privacy)

RAND report

google


RAND report (May 2009)
review of the european data protection
directive
(sponsored by UK information
commissioner's office)
http://www.rand.org/pubs/technical_reports/TR710/
RAND report (page 41)


Overall, we found that as we move toward an
increasingly global, networked environment, the
Directive as it stands will not suffice in the long
term. The widely applauded principles of the
Directive will remain as a useful front-end, yet
will need to be supported with a harms-based
back-end in due course, in order to be
able to cope with the challenges of globalisation
and flows of personal data.
-2-




who?
individual
government
company
third person




all of them




usually
individual
government
company
third person




data controller
(d) "controller" shall mean the natural or legal
person, public authority, agency or any other body
which alone or jointly with others determines the
purposes and means of the processing of
personal data; where the purposes and means of
processing are determined by national or
Community laws or regulations, the controller or
the specific criteria for his nomination may be
designated by national or Community law;


(1995) european directive




but web 2.0 changes the situation




with web 2.0, everybody may be
a data controller




data controller from your own
personal information




data controller of personal
information from other persons





R. v Patrick, [2009] 1 S.C.R. 579


[62] Nevertheless, until the garbage is placed at or within
reach of the lot line, the householder retains an element of
control over its disposition and cannot be said to have
unequivocally abandoned it, particularly if it is placed on a
porch or in a garage or within the immediate vicinity of the
dwelling where the principles set out in the perimeter
cases such as Kokesch, Grant and Wiley apply.

[63] (...) However, when the garbage is placed at the lot
line for collection, I believe the householder has
sufficiently abandoned his interest and control to
eliminate any objectively reasonable privacy interest.


R. v. Patrick, 2009 SCC 17
british-columbia


She said she could no longer kayak, hike
or bicycle, but the defendant produced some
of the plaintiff's own photographs posted on
her Facebook page that showed her doing
these activities. (Bagasbas v. Atwal, 2009
BCSC 512)

Brisindi et STM (Réseau des
autobus), 2010 QCCLP 4158





no one alleging his own turpitude
is to be heard
individual
government
company
third person




that said




control may be abandoned by
user's consent too



Aleecia M. McDonald and Lorrie Faith
Cranor (Carnegie Mellon University)
The Cost of Reading Privacy Policies
(pdf)

20 hours each month




consent = respect of privacy law !




consent = people's protection?




More words, always
words
The same words
Nothing but words
Easy words,
fragile words
It was too beautiful
Far too beautiful
But the time of dreams
is over
Memories fade too
When we forget them
Chris Kelly = FB chief privacy officer

We've always seen ourselves as a
leader in reflecting in what users want
online and learning what they're looking
for. We saw that in news feed, we saw that
in [Facebook] Beacon and we've returned
to our principle of user control.
Chris Kelly = FB chief privacy officer
We're constantly looking at ways to
make sure that people can get the
information they want and they need about
their friends in their real world social
networks. Sure, we will be working on
improving the privacy interface on
simplifying it to give people the control
that they need.
individual
government
company
third person






technical solutions








1 robot

ex: canlii
ex: blogger






2 Google being proactive





a legal solution





the equivalent, in Quebec, of art. 22 from
the Act to Establish a Legal Framework
for Information Technology
-3-




how?
some solutions

documentation

accountability

pluri-disciplinary approach
1 documentation



show your diligence
canada privacy commissioner
2 accountability



need more external control (as audit)
on PI processing


Daniel J. Weitzner, Harold Abelson, Tim
Berners-Lee, Joan Feigenbaum, James
Hendler, and Gerald Jay Sussman,
Information Accountability, (2007)


information. Privacy is protected not by
limiting collection of data, but rather by
placing strict rules on how the data may
be used

PIPEDA
4.1 Principle 1 - Accountability
An organization is responsible for personal information under its
control and shall designate an individual or individuals who are
accountable for the organization's compliance with the following
principles.
(...)
4.1.4
Organizations shall implement policies and practices to give effect
to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints
and inquiries;
(c) training staff and communicating to staff information about the
organization's policies and practices; and
(d) developing information to explain the organization's policies and
procedures.

In many cases it is only by making
better use of the information that is
collected, and by retaining what is
necessary to hold data users responsible
for policy compliance that we can actually
achieve greater information accountability



some regulations on risk assessment
already exist (federal + Quebec)

federal (2002)



ex: Privacy Impact Assessment
Guidelines: A Framework to Manage
Privacy Risks

quebec (2009)



Décret sur la diffusion de l'information et
sur la protection des renseignements
personnels



but no formal obligation for private sector
3 pluri-disciplinary approach

conclusion




much more fears with opacity





as light!





ex: google street view






but very few obligations on real
organization accountability

