Class 6 Privacy 2016W academic edu

+

1

Privacy

©2016 Dr. Stan

Benda Law 723 Ryerson University

+

2

LEGACY n 

What sticks out in what you have learned so far?

n 

What are you expecting to learn today?

n 

What prior knowledge or experience do you bring to class today

+

3

AGENDA RECAP • 

Internet •  Physical •  Electronic •  Internet(s) •  Smart Phone

• 

Big Data •  Regulatory Control of Big Data •  What’s the point of data aggregation and mining

PRIVACY • 

Privacy •  Theory •  Statutes •  Future Legislation •  Data •  Surveillance

• 

Access to Information

+

4

BIG DATA AMAZON n 

Deal with the work qua work

n 

Experience the expression

n 

CR

GOOGLE n 

Deal with the work qua data

n 

Non expressive use / nonauthorial use

n 

Digital repository n  Data mining n  Text mining n  Media mining n  Feed algorithms n  Improve web services n  Cultural genome

+

5

Dark Net Meets Privacy???? n 

https://www.youtube.com/watch?v=pzN4WGPC4kc

n 

Jamie Bartlett

+

PRIVACY “There is no such a thing”

6

+ Privacy versus Data Protection Does the Distinction Matter?

7

+

8

SO WHAT ARE THEY SAYING? n 

Brandeis

n 

Posner

n 

Peppet

n 

Calo

+

9

PRIVACY - Overview CONTEXT n 

Philosophical n 

n 

n 

Brandeis, Posner, Peppet, Calo

Statutes n 

Privacy Act

n 

Personal Information Protection and Electronic Documents Act – Fed and Provincial in some cases

n 

MODERN OBJECTIVE Privacy is not about secrecy n  User control n  Freedom of choice n  Informational selfdetermination New goal is privacy by design or engineered privacy

+

10

BRANDES n 

What did he say and why?

+

11

Brandeis n 

Fact of Privacy

n 

Social Norms

+

12

SOCIAL NORMS 1

+

13

SOCIAL NORMS 2

+

14

POSNER n 

What did he say in 1978?

+

15

POSNER n 

Privacy of corporations not people

n 

Preclude intrusion

n 

Torts n  n  n  n 

Appropriation False Light Publicity Intrusion

+

16

PEPPET n 

What did he say?

n 

Where is the profundity?

+

17

PEPPET n 

Screening / Sorting versus Signaling

n 

Digital Dossier v Personal Prospectus

+ SORTING & DOSSIER: PROBLEMS n 

Over simplifies the Individual

n 

Inaccurate

n 

No recourse

n 

Discrimination

18

+ PROSPECTUS – UNRAVELING PROBLEM n  Digital

Monitoring of directly observable data

n  Digital

Access to directly verifiable data

+ Role

of Big Data

19

+

20

SIGNALLING PROBLEM

Solution? Don’t Ask

Don’t Tell

Don’t Use (personal genome)

+

21

CALO n 

Informed Consent in the world of the Prospectus

+

22

Calo Notice VISCERAL n 

Familiarity n  Skeumorphic n 

n 

formality

Psychological n 

avatar

n 

Showing Using

n 

DETAILED TECHNICAL n 

Regulators

n 

Journalists

n 

Non-profits

n 

B to B

+

SURVEILLANCE

23

+

24

AGENCIES – Not Really n NSA

US

n Communications n Government

UK

Establishment Canada

Communications Headquarters

25

+

26

ECHELON - 1948 Intelligence is shared with (NSA), the British Government Communications Headquarters (GCHQ), the Australian Defence Signals Directorate (DSD) and New Zealand's Government Communications Security Bureau (GCSB).

Its capabilities are suspected to include the ability to monitor a large proportion of the world's transmitted civilian telephone, fax and data traffic.

The intercepted data, or "dictionaries" are "reported linked together through a high-powered array of computers known as ‘Platform

+

SNOWDON n 

John Oliver Interview Passwords

n 

https://www.youtube.com/watch?v=yzGzB-yYKcc

n 

John Oliver, Surveillance

n 

https://www.youtube.com/watch?v=XEVlyP4_11M

27

+

PRIVACY PIPEDA

28

+

29

PRIVACY STATUTES Technological challenge n  Single number identifiers, smart cards, work place monitoring, search engines, websites, cell phone geographic tracing, surveillance

n 

Personal Information Protection and Electronic Documents Act (PIPEDA)– Federal

n 

Privacy Act – Federal

n 

Canadian Law General – Civil / Criminal, Charter s. 7

n 

n 

Public Sector – Privacy Act

Freedom of Information and Protection of Privacy (FIPPA– Ontario

n 

Personal Health Information Protection Act (PHIPA)

n 

n 

Private Sector (Federal) - PIPEDA

+

30

PRIVACY ACT n 

Protect the privacy of individuals with respect to personal information about themselves held by a government institution

n 

Provide those individuals with a right of access to that information

+

31

PIPEDA n 

Federal Works and Undertakings (banks)

n 

Disclose Personal Information outside of a province (insurance)

n 

Collect, use or disclose Personal Information within a province *

* Fed power on general trade and commerce GM v City National, (1989) 50 D.L.R. (4th) 225, (S.C.C.)

+

32

PIPEDA (1) n 

PIPEDA protects the privacy of individuals by imposing restrictions on the flow of personal information in the Canadian economy, regardless of whether that information is itself collected, used or disclosed as a commodity or whether it is being collected, used or disclosed in some other commercial context

n 

State Farm v Privacy Commissioner / AG Canada, FC, 2010 FC 736

+

33

PIPEDEA (2) n 

Facilitate the collection, use, and disclosure of personal information by the private sector

+

34

EXEMPTIONS n 

Entities covered by the Privacy Act

n 

(Implicit – Interpretation Act) HMQ agents

n 

Individuals who disclose for personal or domestic purposes

n 

Organizations that collect, use or disclose personal information for journalistic, artistic or literary purposes

+

35

STRUCTURE n Compliance

with the model code in schedule 1 n Shall comply with obligations in Code n May comply with recommendations in Code

+

PRINCIPLES n 

Accountability

n 

Accuracy

n 

Identifying Purpose

n 

Safeguards

n 

Consent

n 

Openness

n 

Limiting Collection

n 

Individual Access

n 

Limiting Use, Retention, Disclosure

n 

Challenging Compliance

36

+ SURVEILLANCE – EASTMOND CASE n 

Camera necessary to meet a need

n 

Is camera likely to be effective in meeting the need

n 

Is the loss of privacy proportionate to the benefit gained

n 

Is there a less privacy invasive way of achieving the same end

n 

see also para. 176

37

+

38

DATA, DATA, DATA n 

Cookies

n 

Flash cookies

n 

Beacons

n 

Prescriptions

n 

Where you surf, spend, travel (gps)

+

39

WHAT ABOUT n 

Mug Shots from the 30s

n 

Rogers arbitration provision – see NY Times, photos

n 

Right to be Forgotten

+

DATA PROTECTION

40

+

Objective n 

Protect a person’s data

n 

Peppet Linkage – don’t ask, don’t tell, don’t use

n 

EU has data protection

n 

USA / Canada don’t

41

+

42

Concerns n 

S. 215 Patriot Act

n 

Contra: Free flow of information blocked? WTO & GATS

n 

Data Localization n  n 

Australia med data can’t leave with consent BC / Nova Scotia – personal data held by crown stays in country

+

PRIVACY BY DESIGN

43

+

44

PRIVACY by DESIGN (PbD) PRINCIPLES n 

n  n  n  n  n  n 

Proactive, not reactive: preventative not remedial Privacy as a default setting Privacy Embedded into Design Full Functionality, no zero sum Full life cycle Protection Transparency User Centric

POSSIBLE TECHNIQUES n 

Data Masking

n 

Encryption

n 

De-Identification

n 

Anonymization

n 

Design Thinking

+

45

PREMISE n Privacy

is a business issue not a compliance issue

n Discuss

+

PRIVACY Access to Information

46

+ ACCESS TO INFORMATION ACT n 

Right to Access Government Records (s.4)

n 

Premise of transparency and a right to information (s. 2)

n 

Refusal n 

If the information / document does not exist

n 

Exemption applicable

47

+

48

THIRD PARTY INFORMATION 20. (1) Subject to this section, the head of a government

institution shall refuse to disclose any record requested under this Act that contains

(a)

trade secrets of a third party


(b)

financial, commercial, scientific or technical

information that is confidential information

supplied to a government institution by a

third party and is treated consistently in a

confidential manner by the third party

+

49

n 

(b.1) information that is supplied in confidence to a government institution by a third party for the preparation, maintenance, testing or implementation by the government institution of emergency management plans within the meaning of section 2 of the Emergency Management Act and that concerns the vulnerability of the third party’s buildings or other structures, its networks or systems, including its computer or communications networks or systems, or the methods used to protect any of those buildings, structures, networks or systems;

+

50

n 

(c) information the disclosure of which could reasonably be expected to result in material financial loss or gain to, or could reasonably be expected to prejudice the competitive position of, a third party; or

n 

(d) information the disclosure of which could reasonably be expected to interfere with contractual or other negotiations of a third party.

+ BEFORE THE EXEMPTIONS – S. 4 n 

Subject to this Act, but notwithstanding any other Act of Parliament, every person who is n  n 

A Canadian citizen A permanent resident… Has a right to and shall, on request, be given access to

“any record under the control of a government institution”

51

+

52

WHAT CAN AND CAN’T n 

Of what is and isn’t personal information p.i. (a) – (i) but not (j) to (m)

n 

What can be done and can’t be done (8)

n 

Access (12) v Exemptions (international affairs, defence, inmates ss. 20-28)

n 

Procedures to complaint / reverse 29 et seq.

n 

Segue Data Mining

+

EXEMPTIONS n 

n 

n 

Confidences from other governments (13) Prejudicial to Fed-prov relations (14) Injurious to international affairs / defence (15)

n 

Criminal Investigations (16)

n 

Audits (e.g. Auditor General 16.1/.2/.3)

n 

Threaten the safety of an individual (17)

n 

Economic Interests of Canada (18)

n 

Personal Information (19)

n 

Third Party Information (20)

n 

Internal ops (21)

n 

Audit Techniques (22)

n 

Restricted under legislation in schedule II (24)

53

+ INFORM. COMMISSIONER V MINISTER(S) n 

Ministerial offices are NOT part of a government institution

n 

Nonetheless are the documents in such offices under the CONTROL of the pertinent government institution a) Do the contents relate to a departmental matter b) The government institution could reasonably expect to obtain a copy upon request A + B= Control

54

+

55

MORE PARTICULARLY n 

If the record is in a ministerial office: n  n 

Does the record relate to a departmental matter If the record relates to a departmental matter: n  n 

Legal relationship between the government institution and the record holder Record must be released subject to any applicable exemption

n 

n 

Substantive content of the record Circumstances of its creation

+

56

Cont. n 

No presumption of inaccessibility of Ministerial records

n 

Test does not lead to a wholesale hiding of records in ministerial offices

n 

SCC Decision, Minister of National Defence

+

57

PROCEDURES n 

27 Procedure to stop the release of s. 20 data, involves 3rd party

n 

30 Complaints to Information Commissioner for non-release

n 

41 Court Review, notice to 3rd party

+

ELECTRONIC RECORDS

58

+

59

ONE OTHER POINT: ELECTRONIC DOCUMENTS PIPEDA (fed) n 

Act provides for paperless alternatives n 

Evidence Certification

n 

Electronic signatures

n 

Government practice

n 

ELECTRONIC COMMERCE ACT (Ont)

+

60

TAKE AWAYS n 

Privacy

n 

Big Data / Cloud

n 

Social Norms

n 

Surveillance

n 

Vault control or combination control?

+

61

MIDTERM n 

Focus n  n 

n 

Internet all aspects Pinch on CR / TM

Open Book n  n 

have a dictionary, have the applicable statutory references

n 

10 minutes to review, 90 minutes to execute

n 

During the 10 mins you may pencil ONLY on question sheet not the scantron