Privacy and Personal Data Protection: Legal Context and Social Perception

Transcription

1 Privacy and Personal Data Protection: Legal Context and Social Perception Estelle De Marco Inthemis FIA 2011 Budapest Economics of Privacy Wednesday 18 May 2011

2 Privacy (12 UDHR, 17 ICCPR, 8 ECHR, 7 EU Charter, Constitutions, civ. and crim. Laws) Protected spheres and aspects: Privacy, home, family, correspondances / honour and reputation Secret / freedom Content Concept that suffers from «an embarrassment of meanings» [1] «Right to be left alone» [2], «to make decisions into his zone of privacy» [3] Concept that «cannot be understood independently from society» [1] More precise definitions: e.g. F. Terré (identity, origins, health, moral/(extra)conjugal, fam. life, friendship, participation in private assembly) [4] More extensive ECHR: ex. relations with the outside world, even professional; selfdetermination; personal autonomy; own personality development [5] Proposed definition: whole set of pieces of pers. information that have their subject as common denominator, their private nature being determined according to the legitimacy or illegitimacy of third parties controlling it (knowledge/transcription/divulgation) [6] Personal Data protection (8 ECHR, 8 EU Charter, Conv. 108, Dir 1995/46, Dir. 2002/58 mod. 2009/136) : personal data are elements of private life, even disclosed/processed [1] D. J. Solove; [2] S. Warren and L. Brandeis; [3] USA Supreme Court; [4] F. Terré; [5] E Court HR; [6] E. De Marco.

3 Personal Data Protection: Dir. 95/46/EC 2002/58/EC modif. 2009/136/EC Criteria of application of EU and National laws : Establishment Use of processing means (including user s terminals + software mobile phone, calculating facilities, java scripts, cookies to store and retrieve pers. data.. WP 179) [7] Conditions for collecting/processing personal data: The data subject has unambiguously given his prior consent, o Unless legitimate interest pursued by the controller or 3 rd party interest which cannot override user s rights o Imperative for: Processing traffic data for marketing purposes or added value services Using location data (general terms & conditions: not enough, WP 115 [8]) Sending direct marketing communications using (or not) automatic calling machines (unless similar products/services) Sending any cookie (browsers predetermined to accept: not enough, WP 171, [9]) Collecting sensitive data, unless P.D. manifestly made public by the subject; separate opt in consent if through cookies [9]) Transfering PD to 3 rd countries that do not ensure an adequate level of protection

4 Personal Data Protection: Dir. 95/46/EC 2002/58/EC modif. 2009/136/EC Consent must be informed (at least controller s identity, purposes) Cookies and use of location data extended imperative information; for instance: identity of the serving and collecting entity / creation of a profile to serve targ. ads [8] Collection for specified, explicit, legitimate purposes prohibition of further processing in an incompatible way Ex. behavioural advertising > impossible to enrich with other information Data quality: processed fairly and lawfully; adequate, relevant and not excessive; accurate and keep up to date Data kept for no longer than is necessary Location data: should not be stored once the service has been provided (WP 115) [8] Right of access, of erasure, to object: Compelling legitimate grounds or for direct marketing purposes Use of location data / processing of traffic data for marketing purposes / cookies Direct marketing communication: opportunity to object each time Obligation to notify the supervisory authority Obligations of security and confidentiality

5 Internet users perception of privacy / privacy commercial exploitation Perceptions vs legal definitions [10] Personal data: affective link, different data depending on the individual Privacy: value of freedom (secret/autonomy), intimacy, dignity, subjectivity Tendencies Different classes: e.g. reluctants, disinterested, negociators, friendly [11, 12] Fears: hack. > whoever > commerc. (61% 75%) > State > colleagues > fam. [13, 14] More positive attitude when informed about collection/follow up, prior consent and right to object, confidence in the enterprise, secured environment [10] [15] Sensitive info. more easily disclosed where a benefit is expected [7, 10]; variables influencing seek advantages: cultural, behavioural, socio demographics, experience... [12] 23% of users are ready to monetize their data [14] less than 20% are ready to choose a feepaying model without advertising [15, SN] compar.: more knowledgeable people seem to be the ones who release the more added value information (ex. [13] y. o., young male managers) but they seem to see those information as «lessprivate»thanother data ( and postal address, phone, private photos ) [10, 11, 12] C. Lancelot Miltgen; [13] Survey TNS/Sofres for Microsoft; [14] Survey Ninjam/Iligo; [15] ETO/Market Audit

6 References [1] D. J. Solove, A taxonomy of privacy, University of Pennsylvania Law Review, vol. 154, n 3, Jan [2] S. Warren and L. Brandeis, "The right to privacy ", Harvard Law Review, vol. IV, 15 Dec. 1890, n 5. [3] USA Supreme Court, 1965; see P. Tabatoni, "avant propos", in La protection de la vie privée dans la société de l information, dir. P. Tabatoni, tome 1, cahier des sciences morales et politiques, PUF, 1 st ed., Jan. 2002, p. 4. [4] F. Terré, "la vie privée" in La protection de la vie privée dans la société de l information, dir. of P. Tabatoni, tome 3, PUF, janv. 2002, pp [5] Niemietz v. Germany, judgment of 16 December 1992, Series A no. 251 B; Copland v. the United Kingdom, n 62617/00, 3 April 2007; Pierre Kayser, La protection de la vie privée par le droit, PU d'aix Marseille/Economica, 3 rd ed., 1995, page 45, referring to the decision X. v. Island, decision of the Commission, 18 May 1976, year 1976, req. n 6825/74, page 343; P.G. and J.H. v. the United Kingdom, no /98, ECHR 2001, IX, 56, Series A, n 280 B, p. 28, 24; Key case law issues, the concepts of "private and family life", European Court of Human Rights, 24/01/2007, referring to Pretty v. The United Kingdom, n 2346/02, ECHR 2002, III, 61, 67. [6] E. De Marco, L anonymat sur Internet et le droit, thesis, UM1, 2005, ANRT (ISBN: ; Ref.: 05MON10067). [7] Article 29 Data Protection Working Party, Opinion 8/2010 on applicable law, 16 December 2010, WP179.

7 References [8] Article 29 Data Protection Working Party, Opinion on the use of location data with a view to providing value added services, November 2005, WP 115. [9] Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, 22 June 2010, WP 171. [10] C. Lancelot Miltgen, "Vie privée et Internet: influence des caractéristiques individuelles et situationnelles sur les attitudes et les comportements des internautes face àla collecte des données personnelles", cahier de recherche DMSP n 317 et actes du congrès AFM Tunis 2003, [11] C. Lancelot Miltgen et C. Gauzente, "Vie privée et partage de données personnelles en ligne : une approche typologique", cahier de recherche DMSP n 356, april 2006, [12] C. Lancelot Miltgen, "Dévoilement de données personnelles et contreparties attendues en e commerce : une approche typologique et interculturelle", Système d information et management (SIM), vol. 15, n 4, dec. 2010, pp [13] Survey TNS/Sofres for Microsoft, May 2010, sofres.com/points devue/612b63531dcf46f9b9fc7c2b49480f04.aspx. [14] Ninjam/Iligo, Etude sur le rapport des internautes français àla confidentialité des données numériques, 23/11/2010. [15] ETO and Market audit, Baromètre de l intrusion, 2010.