Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social...
Transcript of Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social...
![Page 1: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/1.jpg)
Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need to comply?
Colin J. Bennett Department of Political Science
University of Victoria BC, Canada
www.colinbennett.ca [email protected]
Presentation to Asia Privacy Scholars Network
Conference, Tokyo, November 19-20
![Page 2: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/2.jpg)
FEDERAL PUBLIC SECTOR
FEDERAL PRIVATE SECTOR
PROVINCIAL PUBLIC SECTOR
PROVINCIAL PRIVATE SECTOR
![Page 3: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/3.jpg)
Federal Public Sector
• The Privacy Act of 1982
– Overseen by the Office of the Privacy Commissioner of Canada
• The Access to Information Act of 1982
– Overseen by the Office of the Information Commissioner of Canada
![Page 4: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/4.jpg)
Provincial Public Sectors
PROVINCIAL INFORMATION AND PRIVACY LEGISLATION
• Overseen by Information and Privacy Commissioners (BC, Alberta, Saskatchewan, Ontario), Commission d’Accès à l’Information (Quebec) and Ombudsmen elsewhere.
SEPARATE HEALTH PRIVACY LEGISLATION: ALBERTA, ONTARIO, SASKATCHEWAN, MANITOBA, NEWFOUNDLAND
• Overseen by Provincial Information and Privacy Commissioners
![Page 5: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/5.jpg)
Federally Regulated Private Sector
• The Protection of Personal Information and Electronic Documents Act (PIPEDA) 2000 – Applies to federally regulated businesses
(communications, transportation, banking) and any enterprise that transmits personal data across provincial or international boundaries for a commercial purpose
– Overseen by the Office of the Privacy Commissioner of Canada
– Also applies to provinces where no “substantially similar legislation”
![Page 6: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/6.jpg)
Provincially Regulated Private Sector
• “Substantially similar ” private sector data protection legislation in Alberta, British Columbia and Quebec, overseen by Information and Privacy Commissioners of Alberta and BC, and Commission d’Accès in Quebec
• Older consumer credit legislation in most provinces
• Older and little used “privacy tort” statutes in several provinces
![Page 7: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/7.jpg)
Distinct Profile of Canadian Privacy Protection Regime
• A hybrid privacy regime
• Bi-lingualism
• Bi-jurism
• Multi-culturalism
• A Network of Independent Commissioners
![Page 8: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/8.jpg)
Extra-territorial impacts
• Section 4.1.3 of Schedule One of PIPEDA:
“An organization is responsible for personal information in its possession or custody, including information that has been transferred to a third party for processing. The organization shall use contractual or other means to provide a comparable level of protection while the information is being processed by a third party.”
![Page 9: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/9.jpg)
The “Real and Substantial Connection to Canada” Test
• Acusearch Decision – www.abika.com (2009)
• Facebook Investigations (2009-2012)
• Cloud-Computing Applications
![Page 10: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/10.jpg)
Analysis of Social Networking Services
• 23 top SNSs in terms of usage in Canada
• Content Analysis of Privacy Policies
• Tests of Subject Access to PII by researchers
• Building Website
Funded by SSHRC, and Office of Privacy Commissioner
![Page 11: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/11.jpg)
Assertions of Compliance
• No mention of any law (10)
• EU-US Safe Harbor (9)
• Child Online Protection Act (1)
• California Law (1)
• Only one explicitly recognized European jurisdiction
• Only one explicitly recognized Canadian law
![Page 12: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/12.jpg)
Responses to Subject Access Requests
• PII provided: Facebook, Twitter, Google+
But no Metadata
Complaint against Twitter
• Responses received but no PII (yet): LinkedIn, Instagram • PII refused: Tumblr • All others: No responses
![Page 13: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/13.jpg)
Lessons?
1. For Regulators – (Global Privacy Enforcement Network)
2. For Researchers
3. For Privacy Advocates
![Page 15: Social networking and Canadian jurisdiction: With …ethicj/Organisatonal Information...Social networking and Canadian jurisdiction: With which privacy laws do SNSs think they need](https://reader034.fdocuments.us/reader034/viewer/2022042215/5ebd31954c66bd4f8c2d9af6/html5/thumbnails/15.jpg)
Conclusion…..
“YOUR PRIVACY IS IMPORTANT TO US…..sometimes”