1 / 53

Justifications for Privacy Protection

Social Networking and Privacy Protection: What if Anything has Changed? ソーシャルネットワーキングとプライバシー保護 もし突然変化が起きたら ?. Lecture to Meiji University, Graduate School of Commerce and Japanese Society of Information and Management, August 9, 2011. Justifications for Privacy Protection.

nasya
Download Presentation

Justifications for Privacy Protection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Social Networking and Privacy Protection: What if Anything has Changed?ソーシャルネットワーキングとプライバシー保護もし突然変化が起きたら? Lecture to Meiji University, Graduate School of Commerce and Japanese Society of Information and Management, August 9, 2011

  2. Justifications for Privacy Protection • As a Right of the Person • The “Right to be Let Alone” (United States) • La Vie Privée (France) • Privatsphäre (Germany) • Puraibashii (Japan?) • As a Political Value • A Check against Powerful State and Private Organizations • As an Instrumental Value • To ensure that the right data are used by the right people for the right purposes • To build “trust” in e-commerce and e-government REGULATING PRIVACY: DATA PROTECTION AND PUBLIC POLICY IN EUROPE AND THE UNITED STATES 1992

  3. JAPANESE TRANSLATION, BUNSHINDO (1994)

  4. Accountability Purpose identification at time of collection Informed consent for collection To limit use and disclosure (finality) Retention limitation Data quality Data security Openness about policies and practices Individual access and correction The Information Privacy (Data Protection) Principles

  5. These principles appear in: • Comprehensive data protection laws in around 40 countries • SectoralLegislation in information intensive industries • International agreements from Council of Europe, OECD, European Union, Asia-Pacific Economic Cooperation • Self-regulatory codes and standards

  6. The Governance of Privacy: The Privacy ‘Toolbox’ • International Instruments • Council of Europe Convention (1981) • OECD Guidelines (1981) • EU Data Protection Directive (1995) • APEC Privacy Principles (2004) • Mercosur • Organization of American States (OAS) • International Management and Technical Standards • Regulatory Instruments • Data protection law in over 40 countries • Self-Regulatory Instruments • Codes • Standards • Seals and Marks • Privacy Impact Assessments (PIAs) • Technological Instruments • Privacy by Design • Privacy-enhancing technologies

  7. Lessons learned in 40 Years of Data Protection Policy • There is a convergence of policy goals and common consensus on what it means for the responsible organization to protect personal data – the fair information principles. • An increasing recognition that a diversity of instruments is necessary • Information privacy (data protection) is more than information security • Rules must be “technology neutral” • Comprehensive information privacy/data protection law is essential – public and private sectors, manual and automated data • BUT it is not sufficient – law must be combined with self regulatory and technological solutions, and it must be supported by sympathetic public opinion, supportive organizational cultures and civil society advocacy

  8. WWW.PRIVACYADVOCATES.CA

  9. Challenges from Social Networking….. "People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people…That social norm [privacy] is just something that has evolved over time.” Marc Zuckerberg, CEO Facebook, March 2010 “If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Eric Schmidt, CEO Google, December 2009

  10. http://www.vincos.it/world-map-of-social-networks/

  11. Top three Social Networking Services (SNS) by Region Adapted from www.vincos.it (June 2011)

  12. www.internetworldstats.com

  13. SNS vary along a number of dimensions

  14. NEW PRACTICES AND OLD STORIES新しい理論と古い話 • FUNCTION CREEP ファンクション・クリープ • CORPORATE OPACITY 法人組織の不透明さ • CORPORATE MISMANAGEMENT AND  SLOPPINESS 組織運営といい加減さ • INTRUSION AND SURVEILLANCE 偵察と監視

  15. Function Creepファンクション・クリープ “Function Creep is what occurs when a technology designed for a specific purpose ends up serving another purpose which it was never planned to perform”  ファンクション・クリープとは、特別な目的の為にデザインされたテクノロジーが、当初の計画から“脱線”した全く別の目的を果たす事である。

  16. Citizen vigilantism

  17. Insurance claim enforcement

  18. Employee screening

  19. Political accountability

  20. CORPORATE OPACITY 組織の不透明さ

  21. Defaults

  22. Facebook Recommended Privacy Settings, July 2011

  23. Facebook privacy settings, July 20, 2011

  24. CORPORATE MISMANAGEMENT AND SLOPPINESS 組織運営といい加減さ

  25. INTRUSION AND SURVEILLANCE 偵察と監視

  26. Risks to Privacyプライバシーに対するリスク • Cyber-stalking ネット上のストーカー • Cyber-bullying ネット上のいじめ • Reputational Damage 名誉毀損 • Identity Theft 個人情報窃盗 • Commercial Exploitation 詐欺的商法 (from www.cippic.ca)

  27. SO WHAT IS BEING DONE?

  28. THE UNITED STATES • Complaints to Federal Trade Commission, December 2009 and May 2010 by Electronic Privacy Information Center and broad coalition of public interest groups • Complaint to FTC (June 2011) about online tagging using facial recognition • 2011 California Social Networking Bill

  29. CANADA • On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.” • On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act. • September 2010, Privacy Commissioner announced that Facebook changes “reasonable and meet expectations of Canadian law” • October 2010 Privacy Commissioner launched a fresh investigation into the privacy policies of Facebook Inc. after it wasrevealed that some of the most popular applications had been transmitting the personal information of users to dozens of Web tracking firms.

  30. EUROPE • Articles 25 and 26 of the EU Data Protection Directive (1995) 95/46/EC • Personal data should not be transferred outside EU unless an “adequate level of protection” which requires: • Basic content principles: Purpose limitation; data quality and proportionality; transparency; security; rights of access, rectification and opposition; restrictions on onward transfers • Procedural/enforcement principles: good level of compliance with the rules; support and help provided to individual data subjects; appropriate redress provided to the injured party • Administered by Article 29 Working Party of Supervisory authorities

  31. European Union Article 29 Working Party • SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes - including advertising provided by third parties. (Opinion June 2009)

  32. Safer Social Networking Principles for the EU (2009) • “Principle 6: Enable and encourage users to employ a safe approach to personal information and privacy. Providers should provide a range of privacy setting options with supporting information that encourages users to make informed decisions about the information they post online. These options should be prominent in the user experience and accessible at all times. Providers should consider the implications of automatically mapping information provided during registration onto profiles, make users aware when this happens, and should consider allowing them to edit and make public/private that information where appropriate. Users should be able to view their privacy status or settings at any given time. Where possible, the user’s privacy settings should be visible at all times.” Developed by SNS providers in consultation with the EU Commission http://ec.europa.eu/information_society/activities/social_networking/docs/sn_principles.pdf

  33. Art. 29 Opinion on Consent (2011) • “According to the European data protection authorities, consent requires the use of mechanisms that leave no doubt of the data subject’s intention to consent. Therefore only statements or actions, not mere silence or inaction, can constitute valid consent. For example, when a data subject registers with a social network and the default settings of his or her profile make all personal information viewable to all ‘friends of friends’, it cannot be inferred that this user has given his or her consent.” http://ec.europa.eu/justice/policies/privacy/workinggroup/wpdocs/2011_en.htm

  34. Directive 2009/136/EC: A New Cookie Rule? "Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the Data Protection] Directive 95/46/EC, inter alia about the purposes of the processing.” Recital: “"Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application…. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.”

  35. What has changed in 20 years? • Technological change • Miniturization • Distribution • Convergence with the material • Biometric identification • The routine capture of personal data • Globalization • The pressures for securitization • The difficulty of distinguishing between personally and non-personally identifiable data

More Related