DRT 6903A – Section A, Electronic Commerce Law. Classes 5 and 6 – Privacy Workshops. September 28 and October 5, 2010. Eloïse Gratton, eloise.gratton@mcmillan.ca

Class 5 workshops

Under Quebec and Canadian laws on the protection of personal information, can employers consult Facebook profiles to monitor their employees or as part of their recruitment activities?

Facebook and the Battle over User Control of Information: Part 5

Should employers be using Facebook to recruit or monitor?

(March 17, 2009)

David Young, Lang Michener, Toronto

This issue can be analyzed on two levels: legislative and policy. On the legislative level, only three provinces (Quebec, Alberta and British Columbia) have rules that apply to non-federally regulated employers. PIPEDA does have such rules but applies only to “federal works” such as banks and telecommunications providers. Therefore, most employers outside of the three provinces are not restricted by law from collecting personal information about prospective or current employees on social networking sites. If governed by PIPEDA, an employer must have the individual’s consent to collect such information. The reasonability requirement under PIPEDA must also be met, which leads me into the policy analysis.

David Young, Lang Michener, Toronto (continued)

An employer who collects personal information about current or prospective employees through social network sites is doing so – in almost all instances – surreptitiously. The employer, per se, does not have status either as a social network member or as a “friend”. Only individuals within the employer’s organization do or potentially could have such status. By seeking information about employees within such sites, the employer is in effect subverting their intended purpose. Even if consent has been obtained, the employer is misusing the facility. Conversely, there is the argument that information available on social network sites is public or quasi-public, with limited privacy protection. Under the privacy laws, it is still necessary to have consent to collect such information. If there is no consent, an exception must be found, which arguably would put such collection into the category of surveillance. Surveillance is not illegal for non-public bodies if no privacy law governs. The policy question to be asked, therefore, is: should such data collection with or without consent, in contexts that an individual considers private, be condoned?

Éloïse Gratton, McMillan, Montreal

Quebec employers may only search OSNs with their employees’ prior consent. Such consent would need to be fully informed and freely given, which is often not the case in the context of recruiting activities or employee surveillance. Employers tempted to search OSNs without such consent should keep in mind that employees using privacy settings would most likely have some type of expectation of privacy in their profile information. For employees who do not have those settings in place, it is debatable whether employers would be found to have collected information “necessary” for the employee’s file or, as the case may be, to be using the information for purposes that are relevant to such file in compliance with the Quebec legal framework.

Éloïse Gratton, McMillan, Montreal (continued)

In the event that the profile of the employee reveals information which employers may not like, they may actually have a hard time “using” the profile information to justify, for example, not hiring a potential employee. Quebec courts are usually reluctant to allow an employer to discriminate against an employee using information which is not related to the job for which an individual is applying (such as a criminal record). It may therefore be a challenge for an employer to demonstrate that an employee who enjoys a good night out on a day off would necessarily be a “bad employee.” Ever heard the expression “Work hard, play hard”?

David Fraser, McInnes Cooper, Halifax

Every time I speak to large groups about privacy, I inevitably get the question of whether employers can use social networking sites to carry out background checks on prospective employees. The questioner usually reveals that he or she does do these searches – without consent – but is a bit conflicted about it. Since most employees in Canada are excluded from the protection of privacy laws, the answer is usually that the employer can. Unless the prospective employee can muster the circumstances or the resources to bring suit for unreasonable invasion of privacy, there’s nothing the applicant can really do about it. This, of course, presupposes that the applicant is aware about the query on Facebook. The more interesting question, in my view, is whether employers should use social networking sites to carry out background checks. And my answer is: it depends. And if you do, you should really get consent.

David Fraser, McInnes Cooper, Halifax (continued)

In my own travels on Facebook, I have seen photos and postings from “friends” whom I know are in the job market. The vast majority of these photos are innocuous. But some are highly questionable. They may not show illegal activities, but in some cases they demonstrate a significant lack of judgement. Facebook and the blogosphere have become the new town square and if an individual chooses to demonstrate their bad judgment or bad behaviour in public, it is only reasonable that their judgment generally be called into question. And if they are looking for a job that requires good character or judgment, they have chosen to publicly display this deficit. Notice how I refer to choice. Individuals can choose how much information they put “out there” and how much to keep to themselves or within their circle of friends. Under no circumstances should an employer try to circumvent an individual’s privacy choices, but if the information is out there for all to see, it is hard to say that it should be out of bounds for those who may have a real and reasonable interest to inquire into the person’s judgment and character. At the same time, users of social networking sites need to take some responsibility for asserting their privacy interests in the information they put out there for all to see.

Ivan Bernardo, Miller Thomson, Calgary

Alberta and BC have passed private sector privacy legislation, the Personal Information Protection Act (“PIPA”), which govern how employers collect, use and disclose personal information about current or potential employees. When employers are viewing social network sites they are collecting the personal information. PIPA specifically defines “employee personal information” as personal information about an individual who is an employee or prospective employee. Employers require consent before collecting information, unless the collection is reasonable, the information is related to the employment relationship AND (where it’s an employee) notice must be given to the employee that the information will be collected.

Ivan Bernardo, Miller Thomson, Calgary (continued)

So what is reasonable and what is related to the employment relationship? Employers could argue that knowing about employees’ social habits is important information that is needed to assess character and fit for a job. Employees will argue that what happens in their personal time is not the employers’ business. Who will win? The answer will require balance between the employers’ legitimate business interests to manage the workplace and the employees’ privacy interests. My advice to employers? Tread carefully with respect to potential employees, and with current employees don’t go there at all without consent or prior notification.

Heather Black, Former Assistant Privacy Commissioner of Canada

My comments are made in the context of organizations subject to PIPEDA but also as suggestions for a best practice they could apply as well to organizations that aren’t subject to PIPEDA or who believe that PIPEDA doesn’t apply to them. There are two circumstances where employers may contemplate collecting and using personal information from Facebook: the first is in the pre-employment stage and the second is in the management of the employer/employee relationship. The rules apply in different ways to these two situations. In the case of pre-employment, in the absence of consent, the prospective employer has no right to collect or use personal information from Facebook. Any organization that thinks it would be a good idea to coerce consent by making it a condition of applying for a job should think again. Would the reasonable person consider that collecting and using Facebook information for screening purposes is appropriate under 5(3) of PIPEDA? The answer is probably not.

Heather Black, Former Assistant Privacy Commissioner of Canada (continued)

PIPEDA “balances” the rights of individuals against the needs of organizations. What then do prospective employers need? They need information about a candidate’s education, qualifications, experience, knowledge and personal suitability for the job. They have always needed this information and have developed ways of getting that information based on checks with former employers, references, interviews etc. Prospective employers have never had the right or the opportunity to invade a candidate’s personal life through the use of a tool that would allow the organization to see how a person interacts with his/her friends, relatives and other communities to which he/she may belong. Just because that sort of intrusion is now possible doesn’t make it right. As a prospective employer an organization should start as it means to go on and that is by respecting its employees. In the course of managing the employer/employee relationship there may be circumstances where the employer might consider that collection and use of personal information from Facebook without consent may be justified under section 7 of PIPEDA to investigate an alleged breach of the employment contract. I don’t have the space here to flesh out that argument but given the invasive nature of the collection and its potential uses I imagine the OPC would take some persuading that it is justified. This is not something that an employer should undertake lightly. Certainly under no circumstances should an employer use Facebook to routinely survey or monitor its employees. They are entitled to a private life even in the public/private space that is Facebook.

Class 6 workshop

Problem: You operate an e-commerce site, and a potential business partner pitches you the following business model / partnership: since many of your customers buy products from their wireless devices, the partner mentions that he has developed a technology that collects your customers' location data with the assistance of network operators and analyzes it, allowing you to better understand your customers' interests so that you can offer them personalized products based on their profiles (historical location data) or on their geographic position (real-time location data).

Question: You find the model interesting, but you wonder whether certain legal restrictions on the protection of personal information must be considered and, if so, which ones and how to work around them.

Legal questions?

1) Do the laws on the protection of personal information apply?

– Is location data personal information?

– If so, what are the implications?

2) Could this potentially be spam if advertising messages are sent to wireless devices without consent?

1) Is location data personal information?

Answer: probably yes in many cases…

Europe: yes

Is location data personal information?

Personal information is information that (Quebec, PIPEDA, European Directive):

– 1) relates to an individual

– 2) allows that individual to be identified

Two types of location data:

– Real-time location data

– Historical location data

Is location data personal information?

Real-time location data

– 1) does it relate to an individual?

– 2) does it allow that individual to be identified?

If it is personal information, is it sensitive information?

Is location data personal information?

Historical location data

– if linked to a telephone number = same answer as for real-time data

– if anonymous:

• 1) does it relate to an individual?

• 2) does it allow that individual to be identified?

- Analogy with clickstream-type data?

- If it is personal information, is it sensitive information?

If it is personal information:

Legal implications:

– Consent is required before collection…

– Opt-in vs. opt-out consent

– Other implications: right of access, security obligation, etc.

2) Wireless spam?

Could this potentially be spam if advertising messages are sent to wireless devices without consent?

Spam laws

The notion of consent differs from one jurisdiction to another… This topic will be covered in more detail two classes from now… (advertising)