Privacy and data protection - PowerPoint PPT Presentation

1 / 18
About This Presentation
Title:

Privacy and data protection

Description:

... that the information Plaintiffs provided to Northwest was Plaintiffs' property. ... purchase travel services through Northwest Airlines nwa.com Reservations, we ... – PowerPoint PPT presentation

Number of Views:487
Avg rating:3.0/5.0
Slides: 19
Provided by: RayNi
Category:

less

Transcript and Presenter's Notes

Title: Privacy and data protection


1
Privacy and data protection
  • The Last Class
  • Exam open materials
  • Three hours
  • See posted model

2
  • You represent the NY Times in reference to their
    online site. The site gives away electronic
    copies of the NY Times for free, but requires
    that the user register, by answering a number
    of questions giving her name, address, email,
    occupation, general income range, and other
    information and agreeing to contractual terms of
    use. They use this information for targeted
    advertising through mailing lists, pop-up ads
    and the like. You are asked to draft a privacy
    policy for the Times and to advise them on what
    risks they have in reference to possible
    unauthorized access to the data. How should they
    respond?

3
Basic Issues privacy and security
  • What considerations of privacy shape modern law?
  • Capability of system to acquire, store and
    process individual items
  • Create full, rather than scattered files
  • Modern query re identity theft and profiling
  • Huge social and legal change occurring
  • Meaning conflicted and shifting
  • Privacy as confidentiality
  • Privacy as data protection

4
The Privacy side
  • Grounded in tort law and constitutional law
  • What is the policy basis?
  • Cooley/ Brandeis The right to be left alone
  • Reasonable expectation of privacy as one issue
  • Subjectively present and Objectively reasonable
  • The Court finds that this society is simply not
    prepared to recognize as reasonable a claim
    that a picture on the Internet is private in
    nature, such that the Government cannot access
    it. In fact, the Court believes that our society
    would recognize the opposite that a person who
    places a photograph on the Internet precisely
    intends to forsake and renounce all privacy
    rights to such imagery

5
Privacy torts
  • Intrusion on seclusion. One who intentionally
    intrudes, physically or otherwise, upon the
    solitude or seclusion of another or his private
    affairs or concerns, is subject to liability
    for invasion of privacy, if the intrusion would
    be highly offensive to a reasonable person.
  • Publication of private facts. A person who gives
    publicity to a matter concerning the private
    life of another is subject to liability for
    invasion of privacy, if the matter publicized is
    a kind that (a) would be highly offensive to a
    reasonable person, and (b) is not of legitimate
    concern to the public.
  • False light. Tort if one gives publicity to a
    matter that places the other before the public in
    a false light, the false light would be highly
    offensive to a reasonable person, and the actor
    had knowledge of or acted in reckless disregard
    as to the falsity of the publicized matter.

6
Dwyer case
  • Am Ex rents information regarding spending
    habits
  • Claims violation of privacy
  • Intrusion on seclusion four elements must be
    alleged - (1) an unauthorized intrusion or prying
    into the plaintiff's seclusion (2) an intrusion
    which is offensive or objectionable to a
    reasonable man (3) the matter upon which the
    intrusion occurs is private and (4) the
    intrusion causes anguish and suffering.
  • No violation

7
Dwyer cont.
  • Claims fraud you promised and said that you did
    not use them in the particular way, but then did
    so.
  • Result no liability
  • Defendants contend, and we agree, that the only
    damage plaintiffs could have suffered was a
    surfeit of unwanted mail. Plaintiffs have
    failed to allege how they were damaged by
    defendants' practice of selecting cardholders for
    mailings likely to be of interest to them.

8
Data protection Issues
  • Personally identifiable data is the issue
  • Limit the right of the holder of the data to use
    it
  • Defined (a) "personal data" shall mean any
    information relating to an identified or
    identifiable natural person ("data subject") an
    identifiable person is one who can identified,
    directly or indirectly, in particular by
    reference to an identification number or to one
    or more factors specific to his physical,
    physiological, mental, economic, cultural or
    social identity
  • The issue is how can the holder of such data use
    it?
  • Restraint is a result. What is the policy?
  • Consideration right/ interest of general
    economy, other person etc.

9
EU Directive personal data may be processed only
if
  • (a) data subject has given his consent
    unambiguously
  • (b) processing is necessary for the performance
    of a contract to which the data subject is party
    or in order to take steps at the request of the
    data subject prior to entering into a contract
  • (c) processing is necessary for compliance with
    a legal obligation to which the controller is
    subject
  • (f) processing is necessary for the purposes of
    the legitimate interests pursued by the
    controller or by the third party to whom the
    data are disclosed.

10
Cal Privacy Policy Posting Law
  • In general no requirement
  • California and a few others say
  • An operator of a commercial Web site or online
    service that collects personally identifiable
    information about individual consumers residing
    in California who visit its site or service
    shall conspicuously post its privacy policy on
    its Web site, or in the case of an operator of an
    online service, make that policy available in
    accordance with Section 22578
  • The privacy policy shall
  • (1) Identify the categories of personally
    identifiable information that the operator
    collects and the categories persons or
    entities with whom the operator may share that
    information.
  • (2) If the operator maintains a process for an
    individual consumer to review and request
    changes provide a description of that process.
  • (3) Describe the process by which the operator
    notifies consumers of material changes to the
    privacy policy for that Web site.

11
Northwest
  • Disclose personal information the Government
  • PNRs contain information such as a passenger's
    name, flight number, credit card data, hotel
    reservation, car rental, and any traveling
    companions
  • The ECPA prohibits a person or entity from
  • (1) intentionally accessing without
    authorization a facility through which an
    electronic communication service is provided....
  • Plaintiffs argue that Northwest's access to its
    own electronic communications service is limited
    by its privacy policy

12
Other claims
  • Trespass
  • As a matter of law, the PNRs were not Plaintiffs'
    property. Plaintiffs voluntarily provided some
    information included in the PNRs. It may be that
    the information Plaintiffs provided to Northwest
    was Plaintiffs' property. However, when that
    information was compiled and combined with other
    information to form a PNR, the PNR itself became
    Northwest's property. Northwest cannot wrongfully
    take its own property
  • Intrusion on seclusion

13
Contract Issue
  • Contract warranty
  • When you reserve or purchase travel services
    through Northwest Airlines nwa.com Reservations,
    we provide only the relevant information required
    by the car rental agency, hotel, or other
    involved third party to ensure the successful
    fulfillment of your travel arrangements.
  • General statement of policy
  • The privacy statement did not constitute a
    unilateral contract. The language used vests
    discretion in Northwest to determine when the
    information is "relevant" and which "third
    parties" might need that information.

14
Policies that come back to haunt
  • Non-contractual risk
  • An incongruity between the privacy policy
    language and actual practices a common FTC
    enforcement target.
  • FTC charges of unfair and deceptive trade
    practices under Section 5 of the FTC Act are
    increasing as to privacy and security
  • Deceptive to claim that data is not revealed or
    is secure, but then reveal it or not protect it
  • Unfair to not maintain security?

15
Security issues
  • Duty to protect security of personal data
  • FTC says its common sense
  • CA Civ. Code 1798.81.5 (CA residents, not just
    consumers) Businesses controlling information
    about Cal. Residents must "implement and maintain
    reasonable security procedures and practices
    appropriate to the nature of the information, to
    protect the personal information from
    unauthorized access, destruction, use,
    modification, or disclosure."

16
Guess policy and consequences
17
The 20 year result
  • Adopt a comprehensive security program reasonably
    designed to protect security of personal
    information collected from or about consumers
  • Must include safeguards including
  • designation of employees to coordinate and be
    accountable
  • identification of material internal and external
    risks re unauthorized disclosure, misuse, loss,
    alteration, destruction, or other compromise.
  • Must include (1) employee training and
    management (2) systems, including network and
    software design, processing, storage,
    transmission, and disposal and (3) prevention,
    detection, and response to intrusions, or other
    systems failures.
  • design and implement reasonable safeguards to
    control the risks regularly test or monitor
    effectiveness evaluate
  • outside audit
  • File with FTC of copies of each different
    print, etc. or other document containing any
    representation regarding policy or collection

18
Notice of security breaches
  • Over 20 states have security breach notice laws
  • CA Civ. Code 1798.82
  • Notice to CA residents
  • By any entity that conducts business in
    California
  • Disclose any breach of the security of the system
    to any California resident whose unencrypted
    personal information was or is reasonably
    believed to have been acquired by an unauthorized
    person
Write a Comment
User Comments (0)
About PowerShow.com