26 November 2012

California: mobile applications and privacy policies

An interesting post on the Privacy and Information Security Law Blog reports on the letter sent last month by Judge Kamala D. Harris of California to about a hundred mobile application operators that do not comply with the principles set out in the California Online Privacy Protection Act, in particular the obligation to publish a privacy policy on a website that collects personal information.

To be continued ...

24 November 2012

Hong Kong: leaflets on mobile applications and smartphones

The issues surrounding mobile applications and smartphone use are highlighted in two documents that the Office of Privacy Commissioner for Personal Data (OPCPD) of Hong Kong has just published.

In the information leaflet Personal data privacy protection: what mobile apps developers and their clients should know, the OPCPD stresses that, in addition to following a Privacy by Design (PbD) approach and carrying out a Privacy Impact Assessment, mobile application developers must comply with the principles set out in the Personal Data (Privacy) Ordinance. It states, for example:
Personal Information Collection Statement (PICS)
"Apps Developers have to provide mobile device users with a PICS on or before collecting their personal data. They should communicate to the mobile device users under what circumstances will their personal data be collected, accessed or shared and for what purposes. This notice should be presented to mobile device users clearly before they confirm installing the mobile apps." (Source: p. 3)
Removal Commitment
"Account information (including uploaded or shared information) of a mobile device user should be completely removed upon the user’s request or upon account termination unless there is legal or regulatory reason not to do so. Apps Developers should make this account removal function easily accessible." (Source: p. 4)
Privacy Policy Statement (PPS) 
"Apps Developers should prepare a PPS to outline their policies and practices in relation to personal data. Technical terms and elusive language should be avoided in the PPS. It should be easily readable and easily understandable, and in appropriate length. Its location on the mobile apps should be prominent. Its availability also on the businesses’ normal websites is recommended." (Source: p. 5)
Contact Details for Making Data Access and Correction Requests 
"Apps Developers should make available their contact details (including name or post title, and address) in the mobile apps to facilitate mobile device users to make data access and correction requests. They should also have policies and procedures in place to ensure that a request is complied with or refused (as the case may be) within 40 days from receiving the request. Please refer to the Guidance on the Proper Handling of Data Access Request and Charging of Data Access Request Fee by Data Users published by the Commissioner." (Source: p. 6)
In the leaflet Protect Privacy by Smart Use of Smartphones, the OPCPD explains how to protect a smartphone and secure the data stored on it, how to use mobile applications safely, and how to limit geolocation.

21 November 2012

New Zealand: Google, WiFi, privacy (2)

Last October, Google informed the Privacy Commissioner's Office of New Zealand that it had discovered additional disks containing so-called "content" data (post) ... on 19 November, Marie Shroff, the Privacy Commissioner, received confirmation that all of this data had been destroyed by the company.

20 November 2012

Canada: exclusion order for personal health information custodians in Newfoundland and Labrador

Under the Personal Information Protection and Electronic Documents Act (PIPEDA), the Governor in Council may, by order, exclude an area of activity from the application of that Act if satisfied that the provincial legislation governing that area offers a level of protection substantially similar to PIPEDA with respect to the protection of personal information within that province (s. 26(2)(b) PIPEDA).

It was under this procedure that, on 20 October, the Personal Health Information Act of Newfoundland and Labrador was recognized as offering a level of protection substantially similar to PIPEDA. Thus,
"1. Any personal health information custodian that is subject to the Personal Health Information Act, SNL 2008, c. P-7.01, is excluded from the application of Part 1 of the Personal Information Protection and Electronic Documents Act in respect of the collection, use and disclosure of personal health information that occurs in Newfoundland and Labrador."
(Source: Exclusion order TR/2012-72 concerning personal health information custodians in Newfoundland and Labrador)

It should be noted that, in addition to this Act, other provincial laws have been declared as offering a substantially similar level of protection since PIPEDA came into force. These are:
  • the Act respecting the protection of personal information in the private sector of Quebec (order CP 2003-1842);
  • the Personal Information Protection Act of British Columbia (order CP 2004-1164);
  • the Personal Information Protection Act of Alberta (order CP 2004-1163);
  • the Personal Health Information Protection Act, 2004 of Ontario (order CP 2005-2224);
  • the Personal Health Information Privacy and Access Act of New Brunswick (order CP 2011-1319).

10 November 2012

Uruguay: resolutions and declaration of the 34th international conference

On 23 and 24 October, the 34th International Conference of Data Protection and Privacy Commissioners was held in Punta del Este (Uruguay) (post).

Two resolutions were adopted at this conference:
"- Cloud computing should not lead to a lowering of privacy and data protection standards as compared with other forms of data processing;  
- Data controllers carry out the necessary privacy impact and risk assessments (if necessary, by using trusted third parties) prior to embarking on CC projects;  
- Cloud service providers ensure that they provide appropriate transparency, security, accountability and trust in CC solutions in particular regarding information on data breaches and contractual clauses that promote, where appropriate, data portability and data control by cloud users; cloud service providers, when they are acting as data controllers, make available to users, where appropriate, relevant information about potential privacy impacts and risks related to the use of their services.
- Further efforts be put into research, third party certification, standardisation, privacy by design technologies and other related schemes in order to achieve a desired level of trust in CC; to build privacy thoroughly and effectively into cloud computing adequate measures should be embedded into the architecture of IT systems and business processes at an early stage (privacy by design);  
- Legislators assess the adequacy and interoperability of existing legal frameworks to facilitate cross-border transfer of data and consider additional necessary privacy safeguards in the era of CC, and  
- Privacy and Data Protection Authorities continue to provide information to data controllers, cloud service providers and legislators on questions relating to privacy and data protection issues."
1. intensify cooperation with each other in order to respond to cross-border data protection and privacy risks in a coordinated manner, by joining multilateral cooperation and enforcement networks; 
2. share information and expertise as much as possible to ensure that the authorities’ scarce resources can be used to the maximum possible; 
3. use this window of opportunity to achieve greater interoperability between the various legal systems and privacy regimes." 
At this conference, the commissioners also emphasized the issues related to profiling, as illustrated by the conference declaration, which calls for the following elements to be taken into consideration in this area:
"I. To create trust, public and private entities around the world need to ensure that they inform society to the maximum possible extent about their profiling operations. They should be more transparent about profiling, the way the profiles are assembled and the purposes for which the profiles are used. Providing better information should also ensure individuals have better control over their data. 
II. Profiling operations need to be distinguished in three phases. First of all, it should be determined what is the need for the use of profiling. Secondly, the public or private entity in question should decide which assumptions and which data should form the basis for the profile. Finally, it should be decided in what way the profile can be applied in practice. It would be advisable if the various phases are subject to separate decisions and to regulatory oversight.
III. Both profiles and the underlying algorithms require continuous validation. This means controls should take place to verify if the results from profiling make sense and can reasonably be linked to the data provided at input. It also allows to further improve the profiles and underlying algorithms, thus improving results. 
IV. Profiling operations should not take place without human intervention, especially now that the predictive power of profiling due to more effective algorithms increases. Injustice for individuals due to fully automated false positive or false negative results should be avoided. 
V. The creation and application of profiles should preferably not be in the same hand. A balance needs to be found between the information used to create the profile and its practical application. 
VI. Especially in the third phase, the practical application of the profile, provisions need to be established to allow the individual to challenge both the profile and the outcome. 
VII. Profiling requires strong and independent privacy enforcement authorities with supervisory powers over both the public and the private sector. The authorities should ensure they have all the relevant and up to date knowledge regarding technological developments like profiling. 
VIII. Governments have access to many large databases also containing data collected by private entities. Furthermore, they are able to create laws in order to define their own legal basis. Therefore, privacy enforcement authorities should be able to test and challenge government proposals, for example carrying out audits and be able to scrutinize in the pre-legislative phase."
For more details, see:
The next conference will take place in Poland from 23 to 27 September 2013.

5 November 2012

Australia: drones under surveillance

Following on from the post on the CNIL's action, it should be noted that in a letter sent to the Attorney-General, Australia's Privacy Commissioner, Timothy Pilgrim, questions the framework governing the use of drones and calls for reflection on the matter, in the following terms:
Dear Attorney-General
There is growing interest in the community and media about the use and implications of aerial drone technology, particularly drones with video recording and streaming capabilities.
While drone technology has clear benefits, such technology presents a number of risks through its potential to be privacy invasive. The risk is heightened because drone equipment is increasingly commercially available, and can be easily purchased and used by individuals in their private capacity.
Where an agency or private sector organisation covered by the Privacy Act 1998 (Cth) (Privacy Act) intends to use drone technology, it must do so in accordance with the Privacy Act. This would include giving notice to affected individuals about the collection of their personal information, only using and disclosing the personal information as permitted by the Privacy Act, and keeping it secure.
The Privacy Act does not however cover the actions of individuals in their private capacity, including any use of drones by individuals.
I understand that there are laws governing unlawful surveillance, stalking and harassment that may apply to the use of drones by individuals. It is unclear however whether those laws provide sufficient regulatory protection, including appropriate restrictions on unreasonable uses.
In particular, individuals who may be subject to surveillance via drone technology may not currently be able to seek appropriate or consistent redress across the Commonwealth. The statutory cause of action for privacy that is currently being considered by Government could be useful in this type of situation.
I suggest that it may be timely to review the current regulatory framework to ascertain whether it is sufficient to deal with any misuse of drone technology. It may also be appropriate to raise this issue with the Standing Council on Law and Justice.
Please contact me if I can be of any assistance.
Yours sincerely
Timothy Pilgrim
To be continued.

1 November 2012

CNIL: drones under surveillance

As part of its advisory role, the Commission nationale de l'informatique et des libertés has decided to examine the issues inherent in the increasingly frequent use of drones in the civilian sphere with regard to the protection of personal information.

Indeed, "as soon as it is equipped with a still camera, a mobile video camera, a sound sensor or a geolocation device, a drone can [...] potentially infringe on privacy, and capture and disseminate personal data". (Source: CNIL)

To be continued.