Digital Rights Ireland

Implementing data retention – where’s the consultation?

This is a letter which the Department of Justice wrote in July 2006 indicating that they would consult us before drafting any measures implementing the Data Retention Directive. 18 months later we still haven’t heard anything concrete from them, despite reports that they plan to put laws in place within the next month. Equally in the dark are the ISPs and others in the internet industry who will face the technical challenges and cost of implementation:

Given the short timeframe for putting this legislation into action, the industry – ie ISPs – should know the score. They are charged with the responsibility of storing this vast bank of data on the Irish citizen, but frustratingly they are still not quite sure of their role in the process.

“We, as ISPs, do not have any difficulty with the objective of fighting serious crime but what we need are clear instructions on the expectations of governments across Europe as to what exactly it is we have to retain and when,” says Durrant.

Shane Deasy, managing director for wireless internet provider BitBuzz, while willing and able to comply with the new legislation, echoes Durrant’s sentiment: “There is a grey area – details we have yet to get answers to.

“The industry has met with the Department of Justice and has had several discussions on this forthcoming legislation but to my knowledge the industry has not yet been given information on exactly what data they are required to store and for how long.

“It may require a lot more storage on the part of the ISPs but at the moment we simply don’t know exactly what we are going to be asked to retain.”

Such is the confusion that Google has recently voiced its concerns on its Public Policy blog, stating that the approach taken by Justice may have the effect of damaging the Irish internet industry:

Ireland looks set to be amongst the first countries to transpose the directive. Concerns have been expressed that sufficient time may not be available for a full debate to discuss the very complex issues involved. There is also a real risk that a rushed transposition process could produce legislation which negatively impacts on consumer privacy and is harmful to the internet and telecomms sector. Our view is that it is vital that the reasonable concerns of privacy advocates and industry are taken into account. Google is going to take advantage of the current window of opportunity to get our views across, and we hope that other interested parties will do likewise.

So what will it take before the Department of Justice is prepared to engage in real consultation?

3 comments February 28th, 2008

Irish Privacy Expert – “Big Brother philosophy threatens public’s privacy”

Professor Robert Clark is a leading Irish expert on privacy and the law. Here’s what he had to say in the Independent about the Government’s handling of personal privacy:

Big Brother Philosophy Threatens Public’s Privacy

Do the Irish Government and state agencies — health, prison, law enforcement, semi-state bodies for example — have a legal obligation to keep your personal information private? The answer is a resounding “yes”.

But this does not mean that the law will necessarily be observed — bad things happen. Experience shows that human errors will greatly facilitate personal information misuse. Failure to keep computer passwords confidential, for instance, are estimated to be a major source of data security lapses.

Threats are often internal, rather than external. Examples that come to mind include a case in Belfast some years ago when an unmarried mother-to-be applied at her dole office for maternity benefit.

She was dreading telling her mother of the pregnancy but a nosey neighbour who worked in the office found out about the inquiry and told the entire neighbourhood. The welfare agency was held in breach of its duty to keep information in confidence.

A similar event occurred in Kerry last year when the gardai had to pay damages when information about a suspect found its way into the public domain by way of a garda leak.

The fact is that the State is likely to have access to personal information of the most sensitive kind — medical and health data, criminal records, religion, etc — and it is through data protection law that citizens draw the most protection.

While the Office of the Data Protection Commissioner is better resourced now, the complexity of finding meaningful solutions that face the commissioner in the internet age cannot be overestimated.

Privacy and data protection all too often lose out when confronted by pressure for more police powers or greater administrative convenience. The level of scrutiny by the Oireachtas was negligible. Successive Data Protection Commissioners have complained about this Big Brother philosophy but to little effect.

The practical point is this: the more public servants who can access the data, the more likely it is that something will go wrong.

The lesson to be taken from the UK child benefit disk debacle, in which two disks holding personal data about millions of people went missing, is that too many junior staff were able to access and copy too much information about too many citizens, in breach of internal rules.

The rules and legal position are clear — it is human error that accounts for most data breaches. Threats from hackers are often regarded as external threats but often the person who alters websites and files is a disgruntled employee or ex-employee who is out for revenge or wants to access information about others. Case law in relation to employee hackers shows that the employer is entitled to sack someone straying into personnel files of co-workers.

Where the threat is external, as in cases of identity theft, denial of service attacks, phishing, for example, our legislation appears to be less satisfactory.

Hacking was criminalised as a very minor offence back in 1991 but we have yet to see a review of the law relating to computer and technology misuse in the light of these more damaging developments.

To the extent that our lawmakers are not keeping information misuse laws up to date, it can be said that Sean and Maura Public are not being protected by the State.

A cynic might say that internet crimes and information theft are difficult to detect and investigate but this, while true, is not an excuse for legislative complacency.

Prof Robert Clark is a member of the Internet Advisory Board and is the author of ‘Data Protection Law in Ireland’

Add comment February 8th, 2008

80 Government laptops missing – how much of our personal information is in the wrong hands?

Today’s Irish Independent covers the revelation (via Ruari Quinn’s Dáil questions) that over 80 government laptops – together with other items such as USB keys and Blackberries – have been lost or stolen over the last five years. It appears from the responses to those questions that the laptops weren’t encrypted, but it’s not fully clear what was on each device. We’ve pointed out before that the State’s security standards for personal data appear to be extremely lax – suggesting that it’s essentially a matter of luck that we haven’t had private files compromised on as large a scale as the recent English loss of data on 25 million individuals. The Data Protection Commissioner is already investigating the lax culture within some Government Departments where snooping or sale of personal information is common – but past experience suggests that real change won’t happen unless there is public pressure for it.

So what can you do to protect the private information the State (Revenue, Social Welfare, HSE, Passport Office, local authority, etc.) hold about you? We’d suggest you start making some noise. Start by complaining to your local TDs – if they use email it will usually have the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TDs here. Let them know that personal privacy is an important issue for you. Ask them why the State has been so careless with our private information that the Data Protection Commissioner has said that he has warned of these risks for years, and has said that the State needs “a wake up call”. Ask them what they plan to do about it. And of course you can ask them why, in light of this carelessness, they should be trusted to bring in data retention.

Add comment February 8th, 2008