cu so 25012011
TRANSCRIPT
-
8/11/2019 Cu So 25012011
1/97
privacy 2.0
vincent gautrais
professeur agrégé / associate professor
faculté de droit / faculty of law
université de Montréal / university of montreal
January 25th, 2011
chaire en droit de la sécurité et des affaires électroniques / udm chair in e-Security and e-Business law
www.gautrais.com
-
ppt is available at www.gautrais.com
-
je me souviens
remember
-
que né sous le lys
that born under the lily
-
... je crois sous la rose.
I grow under the rose.
(Eugène-Étienne Taché)
-
... nous croissons sous l'électronique.
we grow under electronic.
(Vincent Gautrais)
-
law is under influence
-
techno
business
culture
legal culture
Privacy is influenced
-
1 - privacy influenced by legal culture
-
2 - privacy influenced by culture
-
3 - privacy influenced by business
-
$$$$$$$$$$
-
4 - privacy influenced by techno
-
Michel Serres
Les nouvelles technologies : révolution culturelle et cognitive
(New Technologies: Cultural and Knowledge Revolution)
http://interstices.info/jcms/c_33030/les-nouvelles-technologies-revolution-culturelle-et-cognitive
-
Michel Serres
when the support / information combination is
changing, everything is changing!
-
[timeline figure, -5000 to 2000: writing, printing, internet]
-
Hyperlink: first generation
Web 2.0: second generation
-
when facing new problems
-
begin first with very basic questions.
-
plan
what is personal info ?
who is in charge to control it ?
how to control it ?
-
personal information ?
-
Personal information is any information
which relates to a natural person and
allows that person to be identified.
provincial act - R.S.Q. c. P-39.1
http://www.canlii.ca/en/qc/laws/stat/rsq-c-p-39.1/latest/rsq-c-p-39.1.html
-
same in Switzerland
all information relating to an identified or identifiable person.
-
ex 1: IP address ?
-
france
ex 2: note2be.com ?
(06/2008: appeal court - France)
= privacy infringement
-
canada
ex 2: note2be in Canada?
is it a PI?
legitimacy of the website?
-
germany
Spickmich in Germany (June 23, 2009)
=
no privacy infringement
-
europe
direct or indirect personal information ?
-
usa / uk
taxonomy of harms from Daniel Solove (understanding privacy)
RAND report
google
-
RAND report (May 2009)
review of the european data protection directive
(sponsored by UK information commissioner's office)
http://www.rand.org/pubs/technical_reports/TR710/
-
RAND report (page 41)
Overall, we found that as we move toward an increasingly global, networked environment, the Directive as it stands will not suffice in the long term. The widely applauded principles of the Directive will remain as a useful front-end, yet will need to be supported with a harms-based back-end in due course, in order to be able to cope with the challenges of globalisation and flows of personal data.
-
-2-
who?
-
individual
government
company
third person
-
all of them
-
usually
-
data controller
-
(d) "controller" shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law;
(1995) european directive
-
but web 2.0 changes the situation
-
with web 2.0, everybody may be
a data controller
-
data controller from your own
personal information
-
data controller of personal
information from other persons
-
R. v. Patrick, [2009] 1 S.C.R. 579
http://csc.lexum.umontreal.ca/fr/2009/2009csc17/2009csc17.html
-
[62] Nevertheless, until the garbage is placed at or within reach of the lot line, the householder retains an element of control over its disposition and cannot be said to have unequivocally abandoned it, particularly if it is placed on a porch or in a garage or within the immediate vicinity of the dwelling where the principles set out in the perimeter cases such as Kokesch, Grant and Wiley apply.
[63] (...) However, when the garbage is placed at the lot line for collection, I believe the householder has sufficiently abandoned his interest and control to eliminate any objectively reasonable privacy interest.
R. v. Patrick, 2009 SCC 17
-
british-columbia
She said she could no longer kayak, hike or bicycle, but the defendant produced some of the plaintiff's own photographs posted on her Facebook page that showed her doing these activities. (Bagasbas v. Atwal, 2009 BCSC 512)
http://www.canlii.org/en/bc/bcsc/doc/2009/2009bcsc512/2009bcsc512.html
-
Brisindi et STM (Réseau des autobus), 2010 QCCLP 4158
http://www.canlii.org/fr/qc/qcclp/doc/2010/2010qcclp4158/2010qcclp4158.html
-
no one alleging his own turpitude
is to be heard
-
individual
government
company
third person
-
that said
-
control may be abandoned by
user's consent too
-
consent = respect of privacy law!
-
consent = people's protection?
-
Words again, always words
The same words
Nothing but words
Easy words, fragile words
It was too beautiful
Much too beautiful
But the time for dreams is over
Memories fade too
When they are forgotten
-
Chris Kelly = FB chief privacy officer
We've always seen ourselves as a leader in reflecting in what users want online and learning what they're looking for. We saw that in news feed, we saw that in [Facebook] Beacon and we've returned to our principle of user control.
-
Chris Kelly = FB chief privacy officer
We're constantly looking at ways to make sure that people can get the information they want and they need about their friends in their real world social networks. Sure, we will be working on improving the privacy interface on simplifying it to give people the control that they need.
-
individual
government
company
third person
-
technical solutions
-
1 - robot
ex: canlii
ex: blogger
-
2 - Google being proactive
-
a legal solution
-
the equivalent, in Quebec, of art. 22 from the Act to Establish a Legal Framework
for Information Technology
-
-3-
how?
-
some solutions
documentation
accountability
pluri-disciplinary approach
-
1 - documentation
show your diligence
-
canada privacy commissioner
-
2 - accountability
need more external control (as audit)
on PI processing
-
Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, Information Accountability, (2007)
http://dspace.mit.edu/bitstream/handle/1721.1/37600/MIT-CSAIL-TR-2007-034.pdf;jsessionid=5C55BCE830931159A076383961472C6A?sequence=2
-
information. Privacy is protected not by limiting collection of data, but rather by placing strict rules on how the data may be used
-
PIPEDA
4.1 Principle 1 - Accountability
An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles. (...)
4.1.4 Organizations shall implement policies and practices to give effect to the principles, including
(a) implementing procedures to protect personal information;
(b) establishing procedures to receive and respond to complaints and inquiries;
(c) training staff and communicating to staff information about the organization's policies and practices; and
(d) developing information to explain the organization's policies and procedures.
-
In many cases it is only by making better use of the information that is collected, and by retaining what is necessary to hold data users responsible for policy compliance that we can actually achieve greater information accountability
-
some regulations on risk assessment already exist (federal + Quebec)
-
federal (2002)
ex: Privacy Impact Assessment Guidelines: A Framework to Manage Privacy Risks
-
quebec (2009)
Décret sur la diffusion de l'information et sur la protection des renseignements personnels
-
but no formal obligation for private sector
-
3 - pluri-disciplinary approach
-
conclusion
-
conclusion
much more fears with opacity
-
conclusion
as light!
-
conclusion
ex: google street view
-
conclusion
-
conclusion
but very few obligations on real
organization accountability