

Privacy class



  1. 1. Global Information Law and Practice Privacy January 11, 2020 Professor Michael Geist, University of Ottawa, Faculty of Law
  2. 2. Privacy Case Study BigTel is Canada’s largest telecom provider with nearly 40% of the wireless market. The company enjoys the number one position in all of its key services: wireless, broadband Internet, local phone, and television (broadcast distribution). The company offers significant discounts for subscribers that purchase all four services and the majority of them do. BigTel has announced new plans to enhance its subscribers’ experience by providing more relevant advertising to them on all of its services. The company already collects vast amounts of data including viewing habits, Internet activities, location information, device details, and social communications. It plans to use that information to develop detailed profiles of its subscribers. Subscribers will be categorized in aggregate according to their interests and the advertisers will be able to target their ads to the relevant category. Since BigTel does not currently have the data analytics capabilities for the service, it will transfer the subscriber data to U.S.-based DataTarget. BigTel says that it takes privacy very seriously. It has offered to remove any customer from the relevant advertising program upon request.
  3. 3. Privacy Case Study Please consider the following questions: 1. Do BigTel’s plans fall within commonly-used privacy laws? 2. If so, do you think the plan is compliant with the law? 3. If it is not compliant, what changes would you recommend?
  4. 4. Privacy Law Principles
  5. 5. OECD Privacy Principles - Established in 1980 - Non-binding but ultimately serve as the basis for many national rules - Updated in 2011 - Served as framework for APEC Privacy Framework
  6. 6. EU Data Protection Directive • 1995 – the EU adopts the Data Protection Directive – A Directive sets a minimal standard. • Broad spectrum of levels of adoption throughout the continent. – Directive premised on FIPPs • The Fair Information Practices – Notice, Access, Choice, Security and Enforcement • In the EU – also purpose specification, minimization, proportionality – Sets jurisdictional boundaries and relies upon the work of DPAs
  7. 7. EU Data Protection Directive • European member states adopt data protection laws. • EU Charter of Rights now includes privacy and data protection. – Therefore court can strike down Directives. • Digital Rights Ireland.
  8. 8. EU Data Protection Directive • Data may not be sent beyond the EU – unless specific exceptions apply: – Specific agreement (safe harbor) – Adequate country (Israel, Canada) – Consent – Internal compliance programs. • Faces substantial challenges in the age of cloud computing.
  9. 9. GDPR • Right to be forgotten • Significant penalties: 4% of global turnover • Stronger consent models • Algorithmic transparency • Access rights
  10. 10. Canadian Privacy Law - The Start - CSA Model Code negotiated in early 1990s as a model code for privacy - Quebec only province with private sector privacy law - EU Data Protection Directive creates pressure - Canada hosts OECD Ministerial Conference on Electronic Commerce in 1998
  11. 11. Privacy Law - The Basics - Bill introduced in 1998 to coincide with OECD meeting - Took effect in 2001 (federally regulated orgs), 2004 (everyone else) - Limited to commercial activity for constitutional reasons - Shared responsibility with provinces - substantially similar - Enforced by Privacy Commissioner of Canada in an ombuds+ role - Complaints driven + audit power
  12. 12. Privacy Law - The Basics Application - Subject matter • Personally identifiable information only - includes information about employees • Public domain exception – Telephone Directory – Professional or Business Directory – Registry Collected under Statutory Authority – Court Record – Information Appearing in the Media Where the Individual has Provided the Information • Federal Privacy Act exempt • Name, Title, Business address or Telephone number of an employee exempt
  13. 13. Privacy Law - The Basics 10 PRINCIPLES -- 1. Accountability • organization is accountable for personal information • Includes privacy point person, training staff 2. Identifying Purposes • purpose of collection must be clear • Identify any new purposes • Grandfathering issue 3. Consent • individual has to give consent to collection, use, disclosure • “meaningful” consent -- will depend upon circumstances
  14. 14. Privacy Law - The Basics 10 PRINCIPLES (cont.) -- 4. Limiting Collection • collect only information required for identified purpose 5. Limiting Use, Disclosure and Retention • consent required for other purposes • Destroy or anonymize information once no longer needed 6. Accuracy • keep as accurate as necessary for identified purpose
  15. 15. Privacy Law - The Basics 10 PRINCIPLES (cont.) -- 7. Safeguards • protection and security required 8. Openness • policies should be available • Clear language 9. Individual Access – info available upon request, inaccuracies corrected 10. Challenging Compliance – ability to challenge all practices
  16. 16. Privacy Law - The Basics Compromise statute -- Purpose clause (s.3) The purpose of this Part is to establish... rules to govern the collection, use and disclosure of personal information in a manner that recognizes the right of privacy of individuals with respect to their personal information and the need of organizations to collect, use or disclose personal information for purposes that a reasonable person would consider appropriate in the circumstances.
  17. 17. Privacy Law - The Basics - Shared responsibility with provinces - “Substantial similarity” - Quebec, Alberta, British Columbia, provincial health privacy - Hundreds of OPC findings - Statutory review every 5 years - Last review in 2006 leads to Digital Privacy Act - Privacy Act - governs public sector privacy law - No updates since first enacted
  18. 18. HK Privacy Law Ordinance - Established in 1995, several amendments since (including direct marketing) - Scope - (1) The information which relates to a living person and can be used to identify that person - (2) It exists in a form in which access or processing is practicable. - Many codes of practice - Enforcement with possible fines
  19. 19. HK Privacy Law Ordinance DPP1 - Data Collection Principle • Personal data must be collected in a lawful and fair way, for a purpose directly related to a function/activity of the data user. • Data subjects must be notified of the purpose and the classes of persons to whom the data may be transferred. • Data collected should be necessary but not excessive. DPP2 - Accuracy & Retention Principle • Personal data must be accurate and should not be kept for a period longer than is necessary to fulfil the purpose for which it is used. DPP3 - Data Use Principle • Personal data must be used for the purpose for which the data is collected or for a directly related purpose, unless voluntary and explicit consent with a new purpose is obtained from the data subject.
  20. 20. HK Privacy Law Ordinance DPP4 - Data Security Principle • A data user needs to take practical steps to safeguard personal data from unauthorised or accidental access, processing, erasure, loss or use. DPP5 - Openness Principle • A data user must make personal data policies and practices known to the public regarding the types of personal data it holds and how the data is used. DPP6 - Data Access & Correction Principle • A data subject must be given access to his/her personal data and allowed to make corrections if it is inaccurate.
  21. 21. Emerging Issues
  22. 22. Changing EU Law – Safe Harbour • U.S. received special “treatment”: – U.S. firms registered and were supervised by the FTC. • In Schrems, the agreement was struck down. – Argument: insufficient redress w/r/t the risk of government surveillance. • Important lesson regarding the power of the individual.
  23. 23. Changing EU Law – Privacy Shield • Supplemented by laws providing redress by EU citizens towards the USG – Main complaint against Safe Harbour – too lax enforcement by the FTC: • Lack of incentives • Lack of manpower
  24. 24. Data Breach Disclosure
  25. 25. Digital Privacy Act security breach disclosure • Rash of security breach disclosures - CIBC, Choicepoint, TJX (Homesense & Winners), Target, Ashley Madison • Two possible reporting requirements in event of breach: – Requirement to report “material breach of security safeguards involving personal information under control” to Privacy Commissioner – Criteria to determine whether to report: • Sensitivity of information • Number of affected individuals • Cause of breach/systemic problem
  26. 26. Digital Privacy Act security breach disclosure – Requirement to report breach to individuals if “it is reasonable in the circumstances to believe that the breach creates a real risk of significant harm to the individual” – What is significant harm? • bodily harm • humiliation • damage to reputation or relationships • loss of employment, business or professional opportunities • financial loss • identity theft • negative effects on the credit record and damage to or loss of property – Risk factors - (1) sensitivity of info; (2) risk of misuse
  27. 27. Digital Privacy Act security breach disclosure – Notifications • “as soon as feasible” • Understandable to affected individuals • To other organizations who may be able to mitigate harm
  28. 28. Data Localization
  29. 29. Data Localization – Growing trend in response to Snowden – Requirements to retain data locally – Changing architecture of cloud services – British Columbia case • Health processing data • Retention requirements in province – TPP requirements (data localization and data transfer) – Future challenge: EU/Data localization demands vs. TPP/corporate pressure
  30. 30. Data Localization - TPP
  31. 31. Data Transfer - TPP
  32. 32. Right to be Forgotten
  33. 33. Right to be Forgotten
  34. 34. Right to be Forgotten – Gonzalez case • Legal content • Original remains online • Difficult to find – Google response – Jurisdictional scope of the order