web 2.0 + privacyvincent gautrais

professeur agrégé /associate professor faculté de droit / faculty of law

université de Montréal /university of montreal

July 10th, 2009

chaire en droit de la sécurité et des affaires électroniques / udm chair in e-Security and e-Business law

www.gautrais.com

2

plan

• intro

• what is personal info ?

• who is in charge to control it ?

• how to control it ?

3

je me souviens …

remember …

4

que né sous le lys …

that born under the lily …

5

... je crois sous la rose.

… I grow under the rose.

(Eugène-Étienne Taché)

61

7

souvenons-nous que nés sous le papier …

remember that born under paper …

2

8

... nous croissons sous l’électronique.

… we grow under electronic.

(Vincent Gautrais)

9

law is under influence

10

techno

business

culture

legal culture

Privacy is influenced

11

1 - privacy influenced by legal culture

12

2 - privacy influenced by culture

13

immigrants v. natives(Mark Prensky, Digital natives, Digital immigrants, 2001)

14

3 - privacy influenced by business

15

4 - privacy influenced by techno

16

Michel Serres

Les nouvelles technologies :

révolution culturelle et cognitive(New Technologies: Cultural and

Knowledge Revolution)

17

Michel Serres

« when the support / information conbinaison is changing, everything is changing !»

18

- 5000

- 4000

- 3000

- 2000

0

- 1000

2000

1000

writin

g

prin

ting

intern

et

19

Michel Serres« today a pure science professor teaches 60 to 70% of content that he or she doesn’t learn him(her)self in the university».

20

Hyperlink first generation

Web 2.0 second generation

21

22

what is the consequence on law?

did we need

some new laws ?

Are we OK

with old laws ?

23

technological neutrality

on one side, some people said …

24

technological neutrality definition ?

25

law doesn’t favour one technology

Definition 1

26

technologies are similarly manageable

Definition 2

27

RAND report (May 2009)

review of the european data protection directive

(sponsored by UK information commissioner’s office)

http://www.rand.org/pubs/technical_reports/TR710/

28

RAND report (page 24)

29

person in charge of personal information is responsible of its protection

30

are you sure that the directive is technological neutral ?

31

privacy laws were create (during seventies and +) under a different

technology

32

old electronic technology

company (or gov.) needs to control personal information

33

old electronic technology

ex: medical file must be stored

in the doctor’s office

34

differences of new electronic technologies

• protection = circulation

• place of detention

• initiative of circulation

• enhancement of circulation

• etc.

35

are you sure that the technological neutral approach is the better one?

36

Chris Reed ? (UK) no

Bert-Jaap Koops ? (Netherland) no

Lyria Bennett Moses ? (Australia) no

Vincent Gautrais ? (Canada) no

37

1) poor definition

2) not sure that laws are techno neutral

3) not sure that it is the best approach

38

we need to consider this (r)evolution of

facts

on the other side, some others said …

39

we need to consider this (r)evolution of

law

on the other side, some others said …

40

we need to propose a broadest approach considering

1 – purpose of privacy law

2 – more or less danger

3 – new balance between more circulation and more danger

on the other side, some others said …

41

there are some proposed solutions to very basic questions

1 – what

2 - who

3 - how

42

-1-

what ?

43

personal information ?

44

2 – “personal information” means information about an identifiable

individual, but does not include the name, title or business address or telephone

number of an employee of an organization

PIPEDA (federal act - S.C. 2000, c. 5)

45

2 – Personal information is any information which relates to a natural person and allows that person to be identified.

provincial act - R.S.Q. c. P-39.1

46

ex 1: IP address ?

47

france

ex 2: note2be.com ?

(06/2008: appeal court - France)

=

Privacy infrigement

48

canada

ex 2: note2be in Canada ?

intermediaries liability ?

is it a PI ?

constitutionalrights balance ? is it a

collection ?

legitimacyof the website ?

49

germany

Spickmich in Germany (June 23, 2009)

=

no privacy infringement

50

europe

direct or indirect personal information ?

51

usa / uk

• taxonomy of harms from Daniel Solove (understanding privacy)

• RAND report

• google

52

RAND report (May 2009)

review of the european data protection directive

(sponsored by UK information commissioner’s office)

http://www.rand.org/pubs/technical_reports/TR710/

53

RAND report (page 41)

“Overall, we found that as we move toward an increasingly global, networked environment, the Directive as it stands will not suffice in the long term. The widely applauded principles of the Directive will remain as a useful front-end, yet will need to be supported with a harms-based back-end in due course, in order to be able to cope with the challenges of globalisation and flows of personal data.”

54

-2-

who?

55

aristotle versus plato

56

substance versus process

57

PIPEDA4.1 Principle 1 — AccountabilityAn organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following principles.(…)4.1.4Organizations shall implement policies and practices to give effect to the principles, including

• (a) implementing procedures to protect personal information;• (b) establishing procedures to receive and respond to complaints

and inquiries;• (c) training staff and communicating to staff information about the

organization’s policies and practices; and• (d) developing information to explain the organization’s policies and

procedures.

58

Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, Information Accountability, (2007)

59

“information. Privacy is protected not by limiting collection of data, but rather by placing strict rules on how the data may be used”

60

  “In many cases it is only by making better use of the information that is collected, and by retaining what is necessary to hold data users responsible for policy compliance that we can actually achieve greater information accountability”

61

more and more regulations on risk assessment (federal + Quebec)

62

federal (2002)

Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks

63

quebec (2009)

Décret sur la diffusion de l’information et sur la protection des renseignements

personnels

64

ex: Chris Kelly = FB chief privacy officer

« We’ve always seen ourselves as a leader in reflecting in what users want online and learning what they’re looking for. We saw that in news feed, we saw that in [Facebook] Beacon and we’ve returned to our principle of user control. »

65

ex: Chris Kelly = FB chief privacy officer

« We’re constantly looking at ways to make sure that people can get the information they want and they need about their friends in their real world social networks. Sure, we will be working on improving the privacy interface on simplifying it to give people the control that they need. »

66

but be careful …

SOX (Sarbanes Oxley Act - 2002) mess

67

sox

section 404: Management Assessment of Internal Controls

« Rules Required. The Commission shall prescribe rules requiring each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 to contain an internal control report, which shall:

• state the responsibility of management for establishing and maintaining an adequate internal control structure and procedures for financial reporting; and

• contain an assessment, as of the end of the most recent fiscal year of the issuer, of the effectiveness of the internal control structure and procedures of the issuer for financial reporting ».

68

individual

government

company

69

-3-

how?

70

new or old laws ?

as already mentioned …

71

neutral or “un-neutral” laws?

72

changing or interpretating laws?

73

interpretation

communication ? retention ?

collection ?

use ?

74

ex 1: clicsequr

75

3 – identification

service

1 – citizen

4 – minister 2

2 – minister

Service to the public

76

communication ?

77

no because no control on information it self (content)

78

ex 2: tourism website

79

80

81

collection ?

82

no because 1) no control on info, 2) no knowledge of PI and 3) ability to erase on demand problematic information

83

consent ?

84

example

Additionally, users should be aware that when they voluntarily disclose personally identifiable information (e.g., user name, e-mail address) on the forums or in the chat areas of the Spain-Info.com sites, that information, along with any substantive information disclosed in the user's communication, can be collected and correlated and used by third parties and may result in unsolicited messages from other posters or third parties. Such activities are beyond the control of Spain-Info.com

85

 Aleecia M. McDonald and Lorrie Faith Cranor (Carnegie Mellon University)

« The Cost of Reading Privacy Policies » (pdf)

20 hours each month

86

ex 3: google street view

87

88

retention ?

89

no because no control on information it self (content)

90

where come from this control criteria ?

91

inherent to privacy protection

92

ex: R. v. Patrick, 2009 SCC 17

93

[62] Nevertheless, until the garbage is placed at or within reach of the lot line, the householder retains an element of control over its disposition and cannot be said to have unequivocally abandoned it, particularly if it is placed on a porch or in a garage or within the immediate vicinity of the dwelling where the principles set out in the “perimeter” cases such as Kokesch, Grant and Wiley apply.

[63] In municipalities (if there are any left) where garbage collectors come to the garage or porch and carry the garbage to the street, they are operating under (at least) an implied licence from the householder to come onto the property.  The licence does not extend to the police.  However, when the garbage is placed at the lot line for collection, I believe the householder has sufficiently abandoned his interest and control to eliminate any objectively reasonable privacy interest.

R. v. Patrick, 2009 SCC 17

94

conclusion

in some cases, need for new legislations in concordance with electronic huge

changes but …

95

conclusion

i love interpretation too !

web 2.0 + privacyvincent gautrais

professeur agrégé /associate professor faculté de droit / faculty of law

université de Montréal /university of montreal

July 10th, 2009

chaire en droit de la sécurité et des affaires électroniques / udm chair in e-Security and e-Business law

www.gautrais.com