The outgoing head of the Crown Prosecution Service and DPP for England and Wales, Sir Ken MacDonald QC, has used his retirement speech to warn against UK government proposals to expand data retention:
As I near my conclusion, let me, in my final public speech as DPP, repeat my call for level headedness and for legislative restraint in an age of dangerous movements.
We need to take very great care not to fall into a way of life in which freedom’s back is broken by the relentless pressure of a security State.
Over the last thirty years technology has given each of us, as individual citizens, enormous gifts of access to information and knowledge. Sometimes it seems as if everything is at our fingertips and this has made our lives immeasurably richer.
But technology also gives the State enormous powers of access to knowledge and information about each one of us. And the ability to collect and store it at will. Every second of every day, in everything we do.
Of course modern technology is of critical importance to the struggle against serious crime.
Used wisely, it can protect us.
But we need to understand that it is in the nature of State power that decisions taken in the next few months and years about how the State may use these powers, and to what extent, are likely to be irreversible. They will be with us forever. And they in turn will be built upon.
So we should take very great care to imagine the world we are creating before we build it. We might end up living with something we can’t bear.
October 21st, 2008
The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.
It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice.
Full text of the Advocate General’s opinion available here.
The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) is also bringing a legal challenge to data retention and has put out a press release on the Opinion.
October 14th, 2008
The agenda of the European Court of Justice has just listed Tuesday, October 14 for the Advocate General’s opinion on the State’s challenge to the Data Retention Directive. This won’t be a final decision – the Advocate General gives an opinion which is merely advisory and the court is not bound by it. In most cases, however, the court will follow the broad approach of the Advocate General.
What’s the significance of the State’s challenge? Here’s what we said about it before:
On the plus side, the challenge will certainly delay implementation of the Directive, and stands a very good chance of striking it down in its entirety. There is a very strong case that the passing of the Directive was flawed.
On the minus side, the challenge is purely procedural. The Government agrees with the principle of spying on every citizen – it merely alleges that the wrong legal mechanism was chosen. According to the Government, the measure should have been passed by unanimous agreement of all the member states – not by a majority voting procedure. We agree – the directive is clearly an attempt to deal with matters of criminal law that are reserved to the member states, and the fundamental rights of Irish citizens should not be set aside by the majority vote of other EU states. But we’re disappointed that the Government shows no interest in asserting the right to privacy of Irish citizens. The result is that the European Court of Justice, when it eventually deals with the case, will only be hearing about procedure – not privacy.
Obviously we hope that the Government’s challenge will succeed in invalidating the Directive. Whatever the outcome of their case, however, our own challenge to data retention – where we raise these privacy issues about Irish law as well as the Directive – will continue.
(Thanks to Joris van Hoboken for pointing out that the Opinion had been timetabled.)
October 3rd, 2008
There’s some good news and some not-so-good news in the Irish Times today on how the government is responding to its ongoing problems with losing personal data.
First, the not-so-good news. In response to a parliamentary question from Labour leader Ruairí Quinn, it emerged that the rate of loss of electronic devices is increasing to approximately one per week. (A figure which includes e.g. laptops, desktops, usb keys, Blackberries, etc.) Worse, only three government departments have fully encrypted their portable devices and although the majority are in the process of doing this, two departments (Communication and Education and Science) have not done so at all.
So what’s the good news? After these figures emerged, the Minister for Justice indicated that he was considering introducing mandatory reporting where personal data is lost, which, according to the Irish Times, would extend to “all state agencies, banks and other entities”. We’ve been calling for mandatory reporting of data loss for some time now, something which has been endorsed by amongst others the European Data Protection Supervisor and the Irish Times and it’s good to see the Minister (albeit belatedly) acknowledge the need for change.
The devil is, however, in the details and (while it’s dangerous to read too much into a relatively short piece) there are indications in the story that what the Minister is considering is too narrow.
First, the story talks about reporting “when an electronic device containing information on members of the public is lost or stolen”. This reflects a rather old fashioned view of data being embodied in a particular tangible form – a view which is no longer valid. It makes little sense to say that there should be notification when a USB key is lost but not when an online database is compromised.
Secondly, the focus seems to be on data which goes “missing”. This might fit the traditional example of the laptop left on the bus – but excludes situation where a corrupt insider deliberately misuses data. A good example is the recent scandal where mortgage brokers illegally passed on details of buyer’s finances to estate agents and auctioneers. Such abuses are often more serious than inadvertent loss of data, and any duty to report should also include deliberate and illegal disclosures of data.
Thirdly, the duty to report would be to the Data Protection Commissioner, with the public being informed “in major cases”. This must not mean, however, that the individuals whose data is lost would only be informed “in major cases”. The risk to your finances if your details are lost is just as great whether or not you are the only victim. It would be little consolation to learn that you were not informed and given a chance e.g. to cancel your credit cards because you were the victim of a “minor breach” only.
These concerns aside, we welcome the Minister’s decision and look forward to seeing detailed proposals soon.
October 2nd, 2008