Social Networking and Privacy Protection: The Risks and TransAtlantic Responses

Lecture to Carleton University, Center for European Studies, December 1, 2010


Risks to Privacy

◦ Cyber-stalking
◦ Cyber-bullying
◦ Reputational Damage
◦ Identity Theft
◦ Commercial Exploitation

(from www.cippic.ca)


Defaults


US regulatory developments

Complaints to Federal Trade Commission, December 2009 and May 2010, by Electronic Privacy Information Center and broad coalition of public interest groups

Possible “Do Not Track” register as part of federal privacy protection legislation?


Canadian regulatory action

On May 30, 2008, the Canadian Internet Policy and Public Interest Clinic (CIPPIC) filed a complaint with the Privacy Commissioner of Canada concerning the “unnecessary and non-consensual collection and use of personal information by Facebook.”

On July 16, 2009, the Privacy Commissioner’s Office found Facebook “in contravention” of Canada’s Personal Information Protection and Electronic Documents Act.

In September 2010, the Privacy Commissioner announced that Facebook's changes were “reasonable and meet expectations of Canadian law”.

In October 2010, the Privacy Commissioner launched a fresh investigation into the privacy policies of Facebook Inc. after it was revealed that some of the most popular applications had been transmitting the personal information of users to dozens of Web tracking firms.


The EU’s “Adequacy Standards”

Articles 25 and 26 of the EU Data Protection Directive (1995) 95/46/EC

Personal data should not be transferred outside the EU unless there is an “adequate level of protection”, which requires:

◦ Basic content principles: purpose limitation; data quality and proportionality; transparency; security; rights of access, rectification and opposition; restrictions on onward transfers

◦ Procedural/enforcement principles: good level of compliance with the rules; support and help provided to individual data subjects; appropriate redress provided to the injured party

Administered by Article 29 Working Party of Supervisory authorities


EU Article 29 Working Party

SNS providers are data controllers under the Data Protection Directive. They provide the means for the processing of user data and provide all the “basic” services related to user management (e.g. registration and deletion of accounts). SNS providers also determine the use that may be made of user data for advertising and marketing purposes, including advertising provided by third parties.

Directive 2009/136/EC: A New Cookie Rule?

“Member states shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with [the Data Protection] Directive 95/46/EC, inter alia about the purposes of the processing.”

Recital: “Where it is technically possible and effective, in accordance with the relevant provisions of [the Data Protection Directive], the user's consent to processing may be expressed by using the appropriate settings of a browser or other application…. Exceptions to the obligation to provide information and offer the right to refuse should be limited to those situations where the technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user.”

“People have really gotten comfortable not only sharing more information and different kinds, but more openly and with more people…That social norm [privacy] is just something that has evolved over time.” Mark Zuckerberg, CEO Facebook, March 2010

“If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.” Eric Schmidt, CEO Google, December 2009

“You have zero privacy anyway….get over it.” Scott McNealy, CEO Sun Microsystems, January 1999

THREE OF THE MOST SELF-SERVING THINGS EVER SAID ABOUT PRIVACY!


In conclusion

Social network users care about their privacy

Even if they didn’t, it wouldn’t alter the obligations of data users to process personal data in conformity with privacy principles