cu so 25012011

Upload: gautrais

Post on 03-Jun-2018

  • 8/11/2019 Cu So 25012011

    1/97

    privacy 2.0

    vincent gautrais

    professeur agrégé / associate professor

    faculté de droit / faculty of law

    université de Montréal / university of montreal

    January 25th, 2011

    chaire en droit de la sécurité et des affaires électroniques / udm chair in e-Security and e-Business law

    www.gautrais.com

  • 2/97

    ppt is available at www.gautrais.com

  • 3/97

    je me souviens

    remember

  • 4/97

    que né sous le lys

    that born under the lily

  • 5/97

    ... je crois sous la rose.

    I grow under the rose.

    (Eugène-Étienne Taché)

  • 8/97

    ... nous croissons sous l'électronique.

    we grow under electronic.

    (Vincent Gautrais)

  • 9/97

    law is under influence

  • 10/97

    techno

    business

    culture

    legal culture

    Privacy is influenced

  • 11/97

    1 - privacy influenced by legal culture

  • 13/97

    2 - privacy influenced by culture

  • 15/97

    3 - privacy influenced by business

  • 16/97

    $$$$$$$$$$

  • 17/97

    4 - privacy influenced by techno

  • 18/97

    Michel Serres

    Les nouvelles technologies : révolution culturelle et cognitive

    (New Technologies: Cultural and Knowledge Revolution)

    http://interstices.info/jcms/c_33030/les-nouvelles-technologies-revolution-culturelle-et-cognitive

  • 19/97

    Michel Serres

    when the support / information combination is changing, everything is changing!

  • 20/97

    [Timeline from -5000 to 2000 marking three milestones: writing, printing, internet]

  • 22/97

    Hyperlink first generation

    Web 2.0 second generation

  • 23/97

    when facing new problems

  • 24/97

    begin first with very basic questions.

  • 25/97

    plan

    what is personal info?

    who is in charge of controlling it?

    how to control it?

  • 27/97

    personal information?

  • 29/97

    Personal information is any information which relates to a natural person and allows that person to be identified.

    provincial act - R.S.Q. c. P-39.1

    http://www.canlii.ca/en/qc/laws/stat/rsq-c-p-39.1/latest/rsq-c-p-39.1.html

  • 31/97

    same in Switzerland

    all information relating to an identified or identifiable person.

  • 32/97

    ex 1: IP address?

  • 33/97

    france

    ex 2: note2be.com?

    (06/2008: appeal court - France)

    = privacy infringement

  • 34/97

    canada

    ex 2: note2be in Canada?

    is it a PI?

    legitimacy of the website?

  • 35/97

    germany

    Spickmich in Germany (June 23, 2009)

    = no privacy infringement

  • 36/97

    europe

    direct or indirect personal information?

  • 37/97

    usa / uk

    taxonomy of harms from Daniel Solove (understanding privacy)

    RAND report

    google

  • 38/97

    RAND report (May 2009)

    review of the european data protection directive

    (sponsored by UK information commissioner's office)

    http://www.rand.org/pubs/technical_reports/TR710/

  • 39/97

    RAND report (page 41)

    Overall, we found that as we move toward an increasingly global, networked environment, the Directive as it stands will not suffice in the long term. The widely applauded principles of the Directive will remain as a useful front-end, yet will need to be supported with a harms-based back-end in due course, in order to be able to cope with the challenges of globalisation and flows of personal data.

  • 40/97

    -2-

    who?

  • 41/97

    individual

    government

    company

    third person

  • 42/97

    all of them

  • 43/97

    usually

  • 45/97

    data controller

  • 46/97

    (d) "controller" shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;

    (1995) european directive

  • 47/97

    but web 2.0 changes the situation

  • 48/97

    with web 2.0, everybody may be a data controller

  • 49/97

    data controller of your own personal information

  • 50/97

    data controller of personal information from other persons

  • 51/97

    R. v. Patrick, [2009] 1 S.C.R. 579

    http://csc.lexum.umontreal.ca/fr/2009/2009csc17/2009csc17.html

  • 52/97

    [62] Nevertheless, until the garbage is placed at or within reach of the lot line, the householder retains an element of control over its disposition and cannot be said to have unequivocally abandoned it, particularly if it is placed on a porch or in a garage or within the immediate vicinity of the dwelling where the principles set out in the perimeter cases such as Kokesch, Grant and Wiley apply.

    [63] (...) However, when the garbage is placed at the lot line for collection, I believe the householder has sufficiently abandoned his interest and control to eliminate any objectively reasonable privacy interest.

    R. v. Patrick, 2009 SCC 17

  • 53/97

    british-columbia

    She said she could no longer kayak, hike or bicycle, but the defendant produced some of the plaintiff's own photographs posted on her Facebook page that showed her doing these activities. (Bagasbas v. Atwal, 2009 BCSC 512)

    http://www.canlii.org/en/bc/bcsc/doc/2009/2009bcsc512/2009bcsc512.html

  • 54/97

    Brisindi et STM (Réseau des autobus), 2010 QCCLP 4158

    http://www.canlii.org/fr/qc/qcclp/doc/2010/2010qcclp4158/2010qcclp4158.html

  • 55/97

    no one alleging his own turpitude is to be heard

  • 56/97

    individual

    government

    company

    third person

  • 57/97

    that said

  • 58/97

    control may be abandoned by user's consent too

  • 60/97

    consent = respect of privacy law!

  • 61/97

    consent = people's protection?

  • 62/97

    More words, always words

    The same words

    Nothing but words

    Easy words, fragile words

    It was too beautiful

    Far too beautiful

    But the time for dreams is over

    Memories fade too

    When we forget them

  • 65/97

    Chris Kelly = FB chief privacy officer

    We've always seen ourselves as a leader in reflecting in what users want online and learning what they're looking for. We saw that in news feed, we saw that in [Facebook] Beacon and we've returned to our principle of user control.

  • 66/97

    Chris Kelly = FB chief privacy officer

    We're constantly looking at ways to make sure that people can get the information they want and they need about their friends in their real world social networks. Sure, we will be working on improving the privacy interface on simplifying it to give people the control that they need.

  • 67/97

    individual

    government

    company

    third person

  • 69/97

    technical solutions

  • 71/97

    1 - robot

    ex: canlii

    ex: blogger

  • 72/97

    2 - Google being proactive

  • 73/97

    a legal solution

  • 74/97

    the equivalent, in Quebec, of art. 22 from the Act to Establish a Legal Framework for Information Technology

  • 75/97

    -3-

    how?

  • 76/97

    some solutions

    documentation

    accountability

    pluri-disciplinary approach

  • 77/97

    1 - documentation

    show your diligence

  • 78/97

    canada privacy commissioner

  • 79/97

    2 - accountability

    need more external control (as audit) on PI processing

  • 80/97

    Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, Information Accountability, (2007)

    http://dspace.mit.edu/bitstream/handle/1721.1/37600/MIT-CSAIL-TR-2007-034.pdf;jsessionid=5C55BCE830931159A076383961472C6A?sequence=2

  • 81/97

    information. Privacy is protected not by limiting collection of data, but rather by placing strict rules on how the data may be used

  • 82/97

    PIPEDA

    4.1 Principle 1 - Accountability

    An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. (...)

    4.1.4 Organizations shall implement policies and practices to give effect to the principles, including

    (a) implementing procedures to protect personal information;

    (b) establishing procedures to receive and respond to complaints and inquiries;

    (c) training staff and communicating to staff information about the organization's policies and practices; and

    (d) developing information to explain the organization's policies and procedures.

  • 83/97

    In many cases it is only by making better use of the information that is collected, and by retaining what is necessary to hold data users responsible for policy compliance that we can actually achieve greater information accountability

  • 84/97

    some regulations on risk assessment already exist (federal + Quebec)

  • 85/97

    federal (2002)

    ex: Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks

  • 86/97

    quebec (2009)

    Décret sur la diffusion de l'information et sur la protection des renseignements personnels

  • 87/97

    but no formal obligation for private sector

  • 88/97

    3 - pluri-disciplinary approach

  • 89/97

    conclusion

  • 90/97

    conclusion

    many more fears with opacity

  • 91/97

    conclusion

    as light!

  • 92/97

    conclusion

    ex: google street view

  • 95/97

    conclusion

  • 96/97

    conclusion

    but very few obligations on real organization accountability
