
drt 6455 eCommerce Law lesson 5 – IT and Privacy



Presentation Transcript


  1. DRT 6455 eCommerce Law, lesson 5 – IT and Privacy
     Associate professor, Faculty of Law, University of Montreal
     University of Montreal Chair in e-Security and e-Business Law
     www.gautrais.com

  2. Plan
     • IT and Privacy in General
     • IT and Privacy at the Workplace

  3. Legal References
     • Personal Information Protection and Electronic Documents Act, 2000, c. 5 (Federal), Schedule 1: Principles Set Out in the National Code for the Protection of Personal Information, CAN/CSA-Q830-96
     • An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., chapter P-39.1
     • An Act to Establish a Legal Framework for Information Technology, R.S.Q., c. C-11
     • C.c.Q. (Civil Code of Québec)
     • Etc.

  4. Introduction
     • Privacy has existed for a long time, but…
     • The issue changes with electronic developments
       Easy to:
       • Copy
       • Sell, diffuse, exchange information
       • Communicate with others
       Difficult to:
       - Know that our personal information is in circulation

  5. Definitions
     • Canadian law definition, art. 2: « personal information means information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization ».
     • Québec law definition, art. 2: « personal information is any information which relates to a natural person and allows that person to be identified ».

  6. In practice, personal information includes…
     • Credit card numbers
     • Indicators of race, health, financial situation
     • But also…
       - Names, telephone numbers, addresses, e-mails, ages, etc.
       - Buying habits
       - Different types of information may be linked
       - Etc.

  7. International framework
     • Privacy in North America (outside Québec)
       - Business law
       - Self-regulation
       - Great pressure to impede the adoption of laws
       - But things are changing
     • Privacy in Europe
       - Fundamental law
       - Laws in every country
       - Privacy as public order
       - 1995 European Directive
     • Difficulties in reaching agreement

  8. 1 – Federal law
     • Bill C-6: first attempt at Canada-wide harmonisation
     • Not restricted to privacy
       - Electronic documents
       - Modifications to the Canada Evidence Act (C-5)
     • History
       - In the beginning, C-54
       - In 1999, C-6
     • Constitutional problems concerning this law
       - Problems between Québec and the rest of Canada (ROC)
     • Strangely, application of this law awaits endorsement by the European Parliament
       - European Commission opinion concerning Canadian law
       - Third-country opinions
     • Respecting the schedule

  9. 1 – Federal law
     • A controversial law
       - weak in terms of procedure
       - weak in terms of substance
     • Main articles are
       - 5 (3)
       - 7 (1), 7 (2), 7 (3)
     • Document legitimizing the CSA Model Code, reproduced in Schedule 1 (a law that adapts to uses)

  10. 2 – Provincial law
     • The Civil Code (art. 35, 36, 37)
     • An Act Respecting the Protection of Personal Information in the Private Sector, R.S.Q., chapter P-39.1
       - 1992: first province to pass a privacy law
       - In reality, two laws
       - Creation of a permanent institution (Access to Information Commission)
       - Very European approach (comparison with French law)
       - Very protectionist approach
       - Distinctiveness of Québec law with respect to other provinces and countries

  11. 2 – Provincial law
     • Gathering of PI (personal information)
     • From the concerned person
       - with consent (art. 6)
       - with legitimate interest (restricted sense)
         * Ex., a merchant sends flowers as a birthday gift
         * Sending of advertisements
     • Justifying the source of the information (art. 7)
     • Informing the concerned person (art. 9)
       - Why
       - Use
       - Place where the information is held

  12. 2 – Provincial law
     • Fundamental principle: files are confidential and cannot be exchanged (art. 13)
     • Exception: consent
     • Definition of consent (art. 14): « Consent to the collection, communication or use of personal information must be manifest, free, and enlightened, and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested. Consent given otherwise than in accordance with the first paragraph is without effect. »

  13. 2 – Provincial law
     • Accessing and correcting a file
       * Written procedure (art. 30)
       * Merchant acting with diligence
       * Free, or for a reasonable fee
       * Right to have data excluded

  14. 3 – American law
     • A protection obviously exists, but not through laws
       - Jurisprudence
       - Behavioural codes
       - TRUSTe and BBBOnLine experience
     • History
       - Clinton problems and threats in 1996
       - Creation of quality labels
       - Improvement? No, given the increase in traffic
       - Continuing threat to make laws
       - 2000 agreements with the European Union: end of the privacy war?
       - Many sectoral laws (children, finance, health, etc.)
       - Several big corporations demand a law

  15. Privacy war (USA / Europe)
     Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995
     1. The Member States shall provide that the transfer to a third country of personal data which are undergoing processing or are intended for processing after transfer may take place only if, without prejudice to compliance with the national provisions adopted pursuant to the other provisions of this Directive, the third country in question ensures an adequate level of protection.
     2. The adequacy of the level of protection afforded by a third country shall be assessed in the light of all the circumstances surrounding a data transfer operation or set of data transfer operations; particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question and the professional rules and security measures which are complied with in that country.
     3. The Member States and the Commission shall inform each other of cases where they consider that a third country does not ensure an adequate level of protection within the meaning of paragraph 2.
     4. Where the Commission finds, under the procedure provided for in Article 31 (2), that a third country does not ensure an adequate level of protection within the meaning of paragraph 2 of this Article, Member States shall take the measures necessary to prevent any transfer of data of the same type to the third country in question.

  16. Privacy war (USA / Europe)
     • Battle since 1997
     • 08/2000: the « Safe Harbour » agreement (or security spheres)
       - All companies submit their policies to the FTC
       - Each policy is analyzed
       - Powers of investigation and sanction
       - Infractions result in removal from the list
     • With article 26, departures (?) are possible

  17. 4 – European law
     • 1995 Directive
     • Directive on Privacy and Electronic Communications (2002)
     • See the European Commission site on privacy

  18. Principles
     • There are general principles (10)
     • And there are specific principles (10)
     • Cross-checking is possible

  19. General principles
     1. Accountability
     2. Identifying purposes
     3. Consent
     4. Limiting collection
     5. Limiting use, disclosure, and retention
     6. Accuracy
     7. Security
     8. Openness
     9. Access
     10. Challenging compliance

  20. General principles
     1. Accountability
     « An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization's compliance with the following principles ».
     « Organizations shall implement policies and practices to give effect to the principles, including (a) implementing procedures to protect personal information; (b) establishing procedures to receive and respond to complaints and inquiries; (c) training staff and communicating to staff information about the organization's policies and practices; and (d) developing information to explain the organization's policies and procedures ».

  21. General principles
     2. Identifying purposes
     « The purposes for which personal information is collected shall be identified by the organization at or before the time the information is collected ».

  22. General principles
     3. Consent
     « The knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate ».
     Example: a Privacy Commissioner of Canada decision forbids banks from carrying out credit checks on people wishing to open accounts (Conclusion # 40, 2002 IIJCan 42369 (C.V.P.C.)).

  23. General principles
     4. Limiting collection
     « The collection of personal information shall be limited to that which is necessary for the purposes identified by the organization. Information shall be collected by fair and lawful means ».

  24. General principles
     5. Limiting use, disclosure, and retention
     « Personal information shall not be used or disclosed for purposes other than those for which it was collected, except with the consent of the individual or as required by law. Personal information shall be retained only as long as necessary for the fulfilment of those purposes ».

  25. General principles
     6. Accuracy
     « Personal information shall be as accurate, complete, and up-to-date as is necessary for the purposes for which it is to be used ».

  26. General principles
     7. Security
     « Personal information shall be protected by security safeguards appropriate to the sensitivity of the information ».

  27. General principles
     8. Openness
     « An organization shall make readily available to individuals specific information about its policies and practices relating to the management of personal information ».

  28. General principles
     9. Access
     « Upon request, an individual shall be informed of the existence, use, and disclosure of his or her personal information and shall be given access to that information. An individual shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate ».

  29. General principles
     10. Challenging compliance
     « An individual shall be able to address a challenge concerning compliance with the above principles to the designated individual or individuals accountable for the organization's compliance ».

  30. Specific principles
     1. Obligation to publish a privacy policy
       - Return to the basic elements
       - Respect them
       - Draw up a legible policy
       - Place the policy strategically (see TRUSTe)
     2. In the policy, identify the purposes of the collection and of the use or communication of the PI

  31. Specific principles
     3. Manage the consent
       - OPT-IN: right of opposition regarding prior use
         * active
         * passive
       - OPT-OUT: right to withdraw
         * at any time
         * no longer using the PI for purposes already consented to
       - Renunciation form (idem contract)

  32. Specific principles
     4. Using cookies: are they edible?
       - What are they?
       - What are they used for?
         * Tracking
         * Security
         * Making the site user-friendly (ex., shopping basket)
       - Explain what they are and how to protect oneself against them

  33. Specific principles
     5. Right of access
     6. Respect of security management
     7. List of the personal information used by the company
     8. Management of special situations
       * Children
       * Health information
     9. Applicable law
     10. Create an e-mail link to the privacy department

  34. Stop and think!
     • And if all this were inappropriate?
     • Pierre TRUDEL, « De la « surveillance » à la qualité : les fondements actualisés du droit de la protection des données personnelles dans le gouvernement en ligne », 2005.
     • Vincent GAUTRAIS, « Le défi de la protection de la vie privée face aux besoins de circulation de l'information personnelle », (2004) 9-2 Lex Electronica

  35. Privacy in the workplace
     • 20% of work time is leisure!
     • Ex., 28 January 2000 grievance arbitration
       - Firing confirmed by the arbitrator
       - 329 hours on the Internet… including pornographic sites
       - Password used 223 times
     • OK, but how does an employer access such precise data, and at what price?
       - Very elaborate surveillance methods
       - Specialized software (Little Brother, Redhand, etc.)
       - A 1998 study by the American Management Association International found that
         * 63% of employers read employee e-mails
         * 23% say nothing
       - Ever better means of evasion
         * Crypto
         * Alternative address

  36. Juridical issues
     • Towards a recognition of privacy at the workplace
       - Canadian Charter of Rights and Liberties
         * art. 8 (searches)
       - Quebec Charter
         * art. 5 (privacy)
         * art. 4 (dignity)
         * art. 24 (searches)
         * art. 46 (just and reasonable conditions)
       - C.c.Q.
         * art. 5 (general)
         * art. 35 and ff. (privacy)
         * art. 2087 (dignity)
         * art. 2058 (no evidence in violation of fundamental rights)
       - Comparison with France
         * Penal code 226-1 (bugging of telephones), 226-15 (violation of private correspondence)
         * Labour code 122-45 (idem), 121-8 (personal information cannot be gathered without the employee's or candidate's consent)

  37. Legal issues
     • Canadian jurisprudence often refers to American law and limits privacy
       - Place
         * SAQ vs. Syndicat… (1983) TA 335
         * Supreme Court not so sure (Dyment, 1988)
         * Supreme Court adjustment (Hunter vs. Southam, 1984): depends on circumstances
       - Implicit consent appearing in a work contract
     • Bridgestone vs. Firestone (CA 1999): surveillance of a supposedly sick employee
       - Triple breach
         * valid even in the establishment
         * subordination does not necessarily entail an implicit waiver
         * reasonableness of surveillance

  38. In practice
     • Justifications for monitoring an employee
       - i. Efficiency of the employee (C.c.Q. art. 2088: diligence)
       - ii. Leaking of confidential information (exception: C.c.Q. 1472)
       - iii. Intellectual property
     • Right of the employer to control work
     • Employee's obligation to act faithfully (C.c.Q. 2088, 1375)
     • Protection of individual rights: general principles (neither systematic nor discriminatory)
     • Jurisprudence: specificity of employee protection

  39. In practice
     • Possible penalties given warnings (policy)
       - increasingly a criterion (clear federally, less so provincially)
       - not needed in the US
       - in Europe (France), it depends
       - so, be careful with comparative law!
     • Employer control is possible if
       - warnings were given
       - it is not arbitrary
       - it is reasonable
     • Proportionality of penalties
       - not necessarily heavy on a first offence
     • Other criteria likely to be taken into account
       - ownership of the computer
       - work place (home?)

  40. Warnings
     • Belisle c. Rawdon (Municipalité), 2005 QCCRT 453 (IIJCan) (there was no warning)
     • Commission des normes du travail c. Bourse de Montréal, D.T.E. 2002T-373 (Québec) (there was no warning)
     • Services d'administration P.C.R. Ltée. c. Québec (Commissaire du travail), 2003 IIJCan 602 (QC C.S.) (there was no warning)
     • Syndicat canadien des communications, de l'énergie et du papier, Section locale 522 c. CAE Électronique Ltée, D.T.E. 2000T-157 (T.A.) (there was no warning)

  41. Warnings
     • Even with a policy, it may not work
       - Bell Canada
       - Boisvert
     • Even in the absence of a policy, the employee can be convicted

  42. Control by the employer is possible if…
     • Reasonableness
     • But reasonable expectation of privacy on the part of the employee
       - Srivastava
       - Bell Canada
       - Blais c. Société des Loteries Vidéos du Québec Inc., 2003 QCCRT 14 (IIJCan)
     • Dismissal
       - Burden of proof on the employer
       - Alliance de la fonction publique du Canada c. Musée des beaux-arts du Canada (2003)

  43. Proportionality
     • Alliance de la fonction publique du Canada c. Musée des beaux-arts du Canada (2003)
     • Jacobs c. Mohawks Internet Technologies/Sports Interaction (2004)
     • No warnings (Syndicat des cols bleus)

  44. Aggravating circumstances
     High level of employee independence
     • Syndicat canadien des communications, de l'énergie et du papier, Section locale 522 c. CAE Électronique Ltée, D.T.E. 2000T-157 (T.A.)
     Refusal to collaborate – low seniority – bad faith
     • Syndicat des spécialistes et professionnels d'Hydro-Québec c. Hydro-Québec, unreported, 2 September 2003
     • DiVito
     • Centre de réadaptation Lethbridge
     Property
     • Srivastava c. Hindu Mission of Canada, [2001] J.Q. 1913 (CA): NO
     • Arpin c. Grenier, 2004 IIJCan 11259 (QC C.Q.): YES
     Severity
     • Syndicat canadien des communications, de l'énergie et du papier, Section locale 522 c. CAE Électronique Ltée, D.T.E. 2000T-157 (T.A.)
     • Perrault

  45. Exonerating circumstances
     • Seniority / ad hoc use
       - Bell Canada c. Association canadienne des employés de téléphone, D.T.E. 2000T-254 (T.A.)
       - The arbitrator recognizes that the employer's equipment can occasionally be put to personal use. There is a violation if the use is frequent and prevents work from being carried out. In spite of the violation of the code of conduct, the arbitrator believes the employee did not misuse his employer's time. Considering the employee's nine years' seniority and clean disciplinary record, the arbitrator imposes a three-month suspension.
     • No precedent
       - Bell Canada
     • No damages (on hacker sites)
       - Commission des normes du travail c. Bourse de Montréal inc., D.T.E. 2002T-373 (C.Q.)

  46. Illustration – Jurisprudence
     • Alliance de la fonction publique du Canada c. Musée des beaux-arts du Canada (2003)
     • Fiset c. Services d'administration P.C.R. (2003)
     • Perreault c. Syndicats des employés de soutien de l'Université de Sherbrooke (2004)
     • Syndicat des cols bleus regroupés de Montréal, section locale 301 c. La Ronde (Six Flags) (2004)
     • Jacobs c. Mohawks Internet Technologies/Sports Interaction (2004)
     • Arpin c. Grenier (2004)
     • Centre de réadaptation Lethbridge c. Syndicat des physiothérapeutes et des thérapeutes en réadaptation physique du Québec (2004)
     • Blais c. Société des loteries vidéo du Québec (2003)
     • Boisvert c. Industrie Machinex (2002)
     • DiVito c. MacDonald Dettwiler & Associates, [1996] B.C.J. 1436
     • Srivastava c. Hindu Mission of Canada, [2001] J.Q. 1913 (CA)
     • Bell Canada c. Association canadienne des employés de téléphone, (2000) DTE T-254 (TA)
     • Syndicat canadien des communications, de l'énergie et du papier, section locale 522 c. CAE Électronique, (2000) DTE T-157 (TA)
     • Commission des normes du travail c. Bourse de Montréal, (2002) DTE T-373 (CQ)
     • Syndicat des spécialistes d'Hydro-Québec c. Hydro-Québec, unreported (2003)

  47. Privacy policy form
     1. Return to basic principles
     2. Respect them
     3. Draw up a legible policy
     • Place the policy strategically
     • Communicate it to employees
     • Employee notices and means of communication
     • Reissuing of notices (programming Internet access)
     • Employee training
     • Document signing (electronically or on paper)
     • Control mechanisms

  48. Privacy policy content
     • Range of allowances
     • Range of restrictions
     • Ownership of production tools
     • Protection against inappropriate use
     • Protection of sensitive information
     • Domain of employer rights
     • Frequency of controls
     • Sanctions in the case of violations
     • Measures for employees leaving the company
     • Etc.
