Forgetting, Non-Forgetting and Quasi-Forgetting: Canadian Policy and Corporate Practice

Colin J. Bennett, Adam Molnar and Christopher Parsons, Department of Political Science, University of Victoria, BC, Canada. www.colinbennett.ca [email protected]

Post on 10-Feb-2016

Page 1: Forgetting, Non-Forgetting and Quasi-Forgetting:  Canadian Policy and Corporate Practice

Forgetting, Non-Forgetting and Quasi-Forgetting: Canadian Policy and Corporate Practice

Colin J. Bennett, Adam Molnar and Christopher Parsons

Department of Political Science
University of Victoria
BC, Canada
www.colinbennett.ca
[email protected]

Page 2

Analysis of Social Networking Services

• 23 top SNSs in terms of usage in Canada
• Content Analysis of Privacy Policies
• Tests of Subject Access to PII by researchers
• Law Enforcement Compliance Guides
• Bill C-30 “Lawful Access” Legislation
• Building Website – Canadian Access to Social Media Information (CATSMI)

Funded by Social Sciences and Humanities Research Council of Canada (SSHRC) and Office of the Privacy Commissioner

Page 3
Page 4

FEDERAL PUBLIC SECTOR (PRIVACY ACT)

FEDERAL PRIVATE SECTOR (PIPEDA)

PROVINCIAL PUBLIC SECTORS (Information and Privacy Statutes)

PROVINCIAL PRIVATE SECTORS (Alberta, BC, Quebec)

Page 5

Federally Regulated Private Sector

• The Protection of Personal Information and Electronic Documents Act (PIPEDA) 2000
– Applies to federally regulated businesses (communications, transportation, banking) and any enterprise that transmits personal data across provincial or international boundaries for a commercial purpose
– Overseen by the Office of the Privacy Commissioner of Canada
– Also applies to provincial regulated businesses where no “substantially similar legislation”

Page 6

The “Real and Substantial Connection to Canada” Test

• Acusearch Decision – www.abika.com (2009)
• Facebook Investigations (2009-2012)
• WhatsApp Investigation with Dutch DPA (2012-13)
• Cloud-Computing Applications

Page 7

Responses to Subject Access Requests

Under PIPEDA, personal information means “information about an identifiable individual, but does not include the name, title or business address or telephone number of an employee of an organization.”

PII provided: Facebook, Twitter, Google+
Responses received but no PII (yet): LinkedIn
PII refused: Tumblr
All others: No responses

AND NO METADATA

Complaint against Twitter?

Page 8

The Anatomy of a Tweet

Page 9

Article 17 of New EU Draft Regulation

• The data subject shall have the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data, especially in relation to personal data which are made available by the data subject while he or she was a child, where one of the following grounds applies:

Page 10

Article 17 of New EU Draft Regulation

– the data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

– the data subject withdraws consent on which the processing is based according to point (a) of Article 6(1), or when the storage period consented to has expired, and where there is no other legal ground for the processing of the data;

– the data subject objects to the processing of personal data pursuant to Article 19;

– the processing of the data does not comply with this Regulation for other reasons.

(EXEMPTIONS FOR JOURNALISTIC AND ARTISTIC PURPOSES)

Page 11

Google’s Interpretation

• THREE PROGRESSIVELY DIFFICULT PROVISIONS
– Right to erase something generated by the user
– Right to erase reposting of original posting
– Right to erase posting by a third party

Page 12

Is there a right to be forgotten in non-European (Canadian) law?

• Obligation of the data controller rather than right of data subject

• Retention schedules -- PIAs
• Withdrawal of consent for processing

Page 13

Forgetting, Non-Forgetting and Quasi-Forgetting

• Forgetting, but not yet
• Forgetting, but only for what we deem to be PII
• Forgetting, but not information that friends have said and shared about you
• Forgetting, but only for us, not for others
• Forgetting, but not when requests come from law enforcement
• Forgetting, but we cannot ensure complete erasure
• Forgetting, except for third-party analytics

Page 14

The “Net Never Forgets”

• “You may not realize it, but whenever you go online, you’re building an identity through the words and images you post and the activities you do. This can become part of your reputation, and it can be a lasting one. Once personal information goes online, it may be difficult to delete. While you may be able to delete it in one place, there may be cached versions or copies stored elsewhere that you cannot control. Digital storage is cheap and computer memory is plentiful--and unlike people, the Net never forgets” (Jennifer Stoddart, Canadian Privacy Commissioner, January 28th, 2011).