This lecture addresses risks to privacy in social networking, including cyber-stalking, reputational damage, and identity theft. It discusses US and Canadian regulatory actions, the EU's data protection standards, and user consent on cookies. Quotes on privacy from industry CEOs are examined, emphasizing user concerns and data processing obligations.
Social Networking and Privacy Protection: The Risks and TransAtlantic Responses Lecture to Carleton University, Center for European Studies, December 1, 2010
Risks to Privacy • Cyber-stalking • Cyber-bullying • Reputational Damage • Identity Theft • Commercial Exploitation (from www.cippic.ca)
US regulatory developments • Complaints to Federal Trade Commission, December 2009 and May 2010 by Electronic Privacy Information Center and broad coalition of public interest groups • Possible “Do Not Track” register as part of federal privacy protection legislation?
Canadian regulatory action • On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.” • On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act. • September 2010, Privacy Commissioner announced that Facebook changes “reasonable and meet expectations of Canadian law” • October 2010 Privacy Commissioner launched a fresh investigation into the privacy policies of Facebook Inc. after it was revealed that some of the most popular applications had been transmitting the personal information of users to dozens of Web tracking firms.
The EU’s “Adequacy Standards” • Articles 25 and 26 of the EU Data Protection Directive (1995) 95/46/EC • Personal data should not be transferred outside the EU unless there is an “adequate level of protection”, which requires: • Basic content principles: Purpose limitation; data quality and proportionality; transparency; security; rights of access, rectification and opposition; restrictions on onward transfers • Procedural/enforcement principles: good level of compliance with the rules; support and help provided to individual data subjects; appropriate redress provided to the injured party • Administered by Article 29 Working Party of Supervisory authorities
EU Article 29 Working Party • SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes - including advertising provided by third parties.
Directive 2009/136/EC: A New Cookie Rule? “Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the Data Protection] Directive 95/46/EC, inter alia about the purposes of the processing.” Recital: “Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application…. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.”
THREE OF THE MOST SELF-SERVING THINGS EVER SAID ABOUT PRIVACY! “People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people…That social norm [privacy] is just something that has evolved over time.” Mark Zuckerberg, CEO Facebook, March 2010 “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Eric Schmidt, CEO Google, December 2009 “You have zero privacy anyway….get over it.” Scott McNealy, CEO Sun Microsystems, January 1999
In conclusion • Social network users care about their privacy • Even if they didn’t, it wouldn’t alter the obligations of data users to process personal data in conformity with privacy principles