Posts filed under 'Privacy - General'

Complaint to European Commission over Irish Interception Laws

You might have noticed that we think that Irish data retention laws are an invasion of our privacy. Unfortunately Irish law on interception of communications also fails to protect our privacy – and for that reason we’ve lodged a formal complaint with the European Commission, pointing out that Irish law doesn’t meet European standards and asking that they require the Irish government to introduce adequate protections. Read on for more details and to see what you can do to help.

What’s the difference between data retention and interception? While data retention focuses on traffic data – who called whom, when, where the mobile phone was, etc. – interception deals with attempts by the state or private parties to monitor the contents of communications – to listen in on telephone calls, read emails, and so on.

Interception is controlled to a limited extent by Irish law – under legislation from 1983 and a 1993 Act introduced after a scandal involving the Taoiseach and Minister for Justice illegally tapping journalists’ phones – but that law is now well out of date, and doesn’t meet the standards set out by European law in the 2002 e-Privacy Directive.

What’s wrong with the existing Irish law? There are two major limitations. First, it was introduced at a time when there was a limited number of players in the telecommunications market. As such, it applied initially to Telecom Éireann, and was extended to certain telecoms businesses operating under a licence or a general authorisation. It does not, however, apply to other businesses which don’t need an authorisation – which includes most online-only businesses. Webmail, instant messaging or voice over IP, for example, would not be protected by the 1993 Act. Secondly, it applies only to messages which are “being transmitted” – something which appears to mean that e.g. the contents of a webmail inbox would not be protected.

As a result of these limitations, the protections of the 1983 and 1993 Acts – which make interception a criminal offence, require a warrant from the Minister for Justice before interception can be carried out by the police, and provide for judicial oversight – simply do not apply to a wide range of online communications. This lack of legislative control appears to be a relatively clear breach of the e-Privacy Directive, which requires states to “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so … [by] legislative measures [which are] necessary, appropriate and proportionate within a democratic society”.

In short, we think that Irish law doesn’t adequately protect the privacy of your online communications – and hopefully the European Commission will require the Government to introduce adequate protections. If you agree, you can support the complaint by contacting the Minister for Justice (Email: minister@justice.ie, Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2) and asking him to extend Irish interception law to adequately protect online communications and meet our European obligations. You can also email the Commission at InfsoB2@ec.europa.eu, referring to our complaint and indicating that you are also making a formal complaint that Irish law on the interception of communications is not in compliance with Art. 5 of the ePrivacy Directive.

(Update: 16.06.09 – The European Commission has now replied, indicating that it is now investigating this matter under reference 2009/4368, SG(2009) A/4871. You might include this reference if writing to support us.)

For those of you who can’t get enough legalese, the full text of our complaint is below:

Dear Mr. …

The purpose of this letter is to outline how Ireland has failed to implement Article 5 of Directive 2002/58/EC.

As you know, Article 5.1 provides that:

“Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.”

When implementing the Directive, it was the view of national authorities that Article 5.1 was already adequately provided for in Irish law by section 98 of the Postal and Telecommunications Services Act 1983 in combination with the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993. See the comments of the Department of Communications, Marine & Natural Resources in their Guidance Notes on the Transposition into Irish Law of EU Directive 2002/58/EC (29 July 2003). Since transposition, Part 7 of the recent Criminal Justice (Terrorist Offences) Act 2005 has also become relevant.

Between them, these pieces of domestic legislation do partially cover the requirements of Article 5. However, the scope of this legislation is limited and there are several situations which appear to fall within Article 5 but which would not be covered by Irish law. Three points in particular stand out:

* Section 98 applies only to messages being transmitted by persons who hold a general authorisation. Messages transmitted by other persons are not protected. Thus, it would appear that email sent via a webmail service such as Gmail would not be covered; nor would calls on VOIP services such as Skype.

* Section 98 applies only to messages “in the course of transmission”. Again using the example of a webmail service, it would appear that the stored contents of a person’s inbox would not be in transmission and thus would not be covered (perhaps depending on whether they had been read by the recipient).

* The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 regulates police interceptions of telecommunications messages, but again only where those messages are being transmitted by persons who hold a general authorisation. Consequently, the safeguards created by that Act (including judicial oversight) do not apply to other police interceptions.

I propose to outline briefly the Irish legal framework and to consider in more detail the places where Irish law falls short of the requirements of Article 5.

Persons to whom Irish interception law applies

Irish law on interception of telecommunications messages is contained in section 98 of the Postal and Telecommunications Services Act 1983 which prohibits interception and disclosure of telecommunications messages. That section, as originally enacted, applied only to the interception of messages being transmitted by the then state monopoly, Telecom Éireann.

With the advent of deregulation, section 98 was extended to cover other licensed operators (the Postal and Telecommunications Services (Amendment) Act, 1999, section 7). Subsequently, with the introduction of a general authorisation framework, the provisions of section 98 were extended to any person operating under a general authorisation (Regulation 4(8) of the European Communities (Electronic Communications Networks and Services)(Authorisation) Regulations 2003).

However, this limitation of section 98 to messages being transmitted by persons operating under a general authorisation would appear to present a problem. There may be situations where telecommunications messages are being transmitted by means of a public communications network or through a publicly available telecommunications service, where that network or service is not being operated under a general authorisation. Webmail and VOIP services would appear to fall into this category. Accordingly, messages transmitted by such services do not appear to be protected against interception under Irish law.

In particular, there is no offence to address the situation where a private individual intercepts messages being transmitted by such a service, or where the proprietor of such a service improperly discloses such messages.

Restriction to messages in the course of transmission

Section 98(1) (as extended) provides:

“A person who-
(a) intercepts or attempts to intercept, or
(b) authorises, suffers or permits another person to intercept, or
(c) does anything that will enable him or another person to intercept,
telecommunications messages being transmitted by [a person deemed to be authorised under the Authorisation Regulations] or who discloses the existence, substance or purport of any such message which has been intercepted or uses for any purpose any information obtained from any such message shall be guilty of an offence.” (emphasis added and text changed to reflect extension of s.98 to other operators)

The reference to telecommunications messages being transmitted suggests that stored messages, such as voicemail messages, or a webmail inbox, would not be protected by section 98. (It might be said that such messages are “being transmitted” until the point at which they are initially accessed – however, once accessed it would seem more difficult to argue that they are still being transmitted.) This limitation appears to be incompatible with Art. 5 of Directive 2002/58/EC which applies to “communications” (as defined in Art. 2) generally. Indeed, Art. 5 would be significantly undermined if messages in storage were excluded.

Regulation of police interception of telecommunications messages

The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 sets out the Irish law on police interception of telecommunications. Under section 2, an authorisation to intercept the contents of communications can only be given by the Minister for Justice. Sections 4 and 5 set out conditions which must be satisfied before an authorisation can be granted. For example, section 4 provides (in respect of the investigation of crime) that:

“The conditions referred to in section 2 of this Act in relation to an interception for the purpose of criminal investigation are-

(a) (i) that-

(I) investigations are being carried out by the Garda Síochána, or another public authority charged with the investigation of offences of the kind in question, concerning a serious offence or a suspected serious offence,

(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, either or, as the case may be, both of the following, that is to say:

(A) information such as to show whether the offence has been committed or as to the facts relating to it,

(B) evidence for the purpose of criminal proceedings in relation to the offence,

and

(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information or evidence) in providing information, or evidence, such as aforesaid,

or

(ii) that-

(I) in the case of a serious offence that is apprehended but has not been committed, investigations are being carried out, for the purpose of preventing the commission of the offence or of enabling it to be detected, if it is committed, by the Garda Síochána or another public authority charged with the prevention or investigation of offences of the kind in question,

(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, information as to the perpetrators, the time, the place, and the other circumstances, of the offence that would enable the offence to be prevented or detected, as the case may be, and

(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information) in preventing or detecting the offence, as the case may be,

and

(b) that the importance of obtaining the information or evidence concerned is, having regard to all the circumstances and notwithstanding the importance of preserving the privacy of postal packets and telecommunications messages, sufficient to justify the interception.”

This section provides important safeguards: interception is restricted to serious offences, investigation other than interception must be inadequate, interception is restricted to messages sent to or from a particular address, thus ruling out indiscriminate monitoring of traffic and “fishing expeditions”, and interception must, in the circumstances, be proportionate.

Section 8 of the Act then creates a judicial power of oversight over the interception system, while section 9 creates a complaints procedure for persons who allege that interceptions have been improperly carried out.

The 1993 Act is, however, limited to “interceptions” which would (if not authorised) amount to an offence under section 98. (See the definition of “interception” in section 1.) Consequently, the 1993 Act has no application to interceptions falling outside section 98. It follows that any interception by the police of, for example, emails transmitted by a webmail service will not be regulated by the provisions of section 98 and will escape regulation by Irish law – the section 98 safeguards, including proportionality, judicial oversight and the complaints procedure, will not be available.

This would appear to breach Article 15.1 of Directive 2002/58/EC. Article 15.1 specifies that any restriction by Member States of the rights and obligations provided for in Article 5 must be by way of “legislative measures” which are “necessary, appropriate and proportionate within a democratic society”. However, interception of emails in the circumstances I have outlined would appear not to be governed by any legislative measure, much less one which can be assessed as necessary, appropriate or proportionate. The unfettered discretion which this would appear to confer on the police would therefore appear to be incompatible with the Directive.

In summary, it appears that Irish law has not been properly updated to take account of the requirements of Article 5 of Directive 2002/58/EC, and I would respectfully ask that the Commission investigate whether Ireland has failed properly to implement this Directive.

May 28th, 2009

European Court upholds data retention… for the time being

The European Court of Justice has given its decision today in the Irish Government challenge to the Data Retention Directive - Ireland v. Parliament and Council (Press Release | Judgment). Unsurprisingly (in light of the Advocate General’s Opinion) it has held that the directive was properly adopted as an internal market measure (by qualified majority voting) rather than as a criminal matter (requiring unanimity). Where does this leave us and our case?

While it’s a pity to see the Directive upheld, the Government’s challenge was a very narrow one, dealing only with the essentially technical matter of the legal basis for the Directive. The Government didn’t raise and the ECJ wasn’t asked to decide on the fundamental rights issues. Indeed it expressly stated:

The Court notes at the outset that the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement by the directive of fundamental rights resulting from interference with the exercise of the right to privacy.

Consequently, the decision doesn’t affect the core of our challenge to the Directive, which will still go ahead on the basis that it infringes the rights to privacy and freedom of expression. At the moment we’re waiting on a decision from the High Court on our application to refer these issues to the ECJ – we’re confident that when these issues reach the ECJ they will decide in our favour.

February 10th, 2009

Keeping an eye on UK developments

Karlin Lillington has an interesting story in today’s Irish Times on recent UK developments in surveillance and what they might mean for Ireland. Here’s an excerpt:

NET RESULTS: When it comes to abuse of privacy, where Britain goes, Ireland tends to follow. That’s why we should be worried – very worried – about developments across the Irish Sea that emerged as the year rolled over into 2009, writes Karlin Lillington.

First came a New Year’s Eve story in the Guardian that home secretary Jacqui Smith will propose the creation of a single giant communications database and the option of outsourcing the storage of all the personal details held under the UK’s data retention regime to a private firm.

That means potentially that a single repository – a massive, national communications database – would hold all the details about, though not the content of, everyone’s e-mails, phone calls, faxes, text messages and internet use.

The same array of data is retained in Ireland as well, though at the moment, as is the case in Britain, data is retained by the communications providers, not in a central database.

Gathering such a spread of private information into a single database would create a “hellhouse” of personal private data that would not only be vulnerable to security breaches on a massive scale but would prove too great a temptation for law enforcement, according to Britain’s former director of public prosecutions, Sir Ken Macdonald.

Macdonald was scathing in his criticism of the idea. “Authorisations for access might be written into statute,” he told the Guardian. “But none of this means anything. All history tells us that assurances like these are worthless in the long run. In the first security crisis, the locks would loosen.”

While “security” would be cited as the main impetus for such a database, “the notion of total security is a paranoid fantasy that would destroy everything that makes living worthwhile” and bring an “ugly future”, he said.

One of the areas she points out – remote searches or the ability of the police to remotely hack into your computer to find evidence or monitor your activity – will certainly be one of the big issues of 2009. While Irish law doesn’t currently deal with this issue, there are moves at EU level to encourage (and possibly eventually require) all member states to allow remote searches. This becomes more worrying when combined with a growing law enforcement desire to be able to conduct “remote cross border searches” – that is, for the police in country A to be able to hack into a computer in country B. This strategy – also known as “chasing bits across borders” – presents its own problems for privacy and especially accountability.

January 9th, 2009

Time to take a close look at surveillance

Last week the Cabinet approved the heads of a Surveillance Bill which, if enacted, will allow Gardaí to break into private property to place covert video cameras and audio bugs, and to use evidence gathered in that way in criminal prosecutions. The Bill – which was already on the legislative programme but was rushed forward after the murder in Limerick of Shane Geoghegan – is intended to place existing Garda practices on a statutory basis in line with Ireland’s obligations under the European Convention on Human Rights.

At the moment, due to the lack of statutory controls, material gathered in this way (such as transcripts of conversations) can be used for intelligence purposes but would not be admissible in criminal trials. The Bill aims to remedy this by providing that Gardaí will have to obtain authorisation from a District Court judge before this type of surveillance can be carried out (except in cases of exceptional urgency) and that a designated judge of the High Court will keep the overall operation of the system under review. In addition, these methods can only be used in respect of crimes carrying a possible sentence of at least five years imprisonment and where the surveillance is, in all the circumstances, proportionate.

The Bill promises to regularise the law in this area and to that extent must be welcomed. It is unfortunate, however, that it took a high profile and tragic murder before this was given priority. As far back as 1996 the Law Reform Commission in a Consultation Paper identified a need for reform and in a 1998 Report it recommended that there should be a legal basis for Garda surveillance of this type. Successive Ministers for Justice have, however, largely ignored this recommendation. (The most remarkable example being in 2006 when the Privacy Bill introduced by then Minister for Justice Michael McDowell targeted surveillance by the media – but entirely excluded Garda surveillance from its scope.) In light of over a decade of government inactivity, the Bill is long overdue.

The timing of the Bill aside, its provisions generally represent a substantial step forward. It has clearly been influenced by the constitutional guarantee of the inviolability of the dwelling and the safeguards which it provides are more robust than those recommended by the Law Reform Commission. It introduces for the first time in Irish law the principle that judicial approval should be required before surveillance is carried out. Unlike other forms of surveillance such as data retention – which currently can be used in respect of even the most minor crimes – the Bill is limited to genuinely serious offences and also introduces a requirement that the surveillance must be proportionate having regard to the impact on the rights of innocent third parties.

There are of course some aspects of the Bill which could be improved. For example, the procedure to deal with cases of exceptional urgency is too lax. Under the Bill as it stands those cases would bypass the judicial process entirely, so that surveillance could take place for up to 14 days without any authorisation. There must be a question mark as to whether this provision would be constitutional if it was used to break into and bug a dwelling. Instead, it would be preferable to deal with cases of urgency by permitting Gardaí to commence surveillance without a judicial authorisation but then requiring that an application be made to the District Court for permission to continue the surveillance.

However, while the Bill is generally good as far as it goes, there is a strong argument to be made that it doesn’t go nearly far enough.

Despite its broad title, it addresses only one very narrow area – the covert surveillance of locations by devices which are physically planted in those locations. Many other forms of surveillance – such as the use of GPS devices to track the position of cars, the use of long range cameras and microphones to monitor locations from a distance and live monitoring of internet activity – will still be entirely unregulated. As a result there will continue to be doubt as to whether Gardaí have the power to use these types of surveillance and as to whether the resulting evidence can be used in criminal prosecutions.

Meanwhile, although there is some legislation regulating other forms of surveillance such as the interception of communications, data retention and Garda use of CCTV, that legislation has developed on an ad hoc and reactive basis with few consistent principles applying to its use or oversight. Much of it is also out of date, most notably the 1993 interception of communications legislation which due to technological changes no longer adequately protects email and other internet communications.

Considered as a whole, therefore, the wider Irish law is inadequate. Given that many of these issues were flagged by the Law Reform Commission in 1998, it is hard to see any justification for the failure to address them to date. Although this Bill does provide for some improvements, it is at best a piecemeal response which will not address similar problems with other forms of surveillance. It is clear that the time has come for comprehensive reform of the overall law relating to surveillance. This Bill is a good first step towards that reform. But it is only a first step, and it would be regrettable if the government were to continue to ignore this area until forced to act by another highly visible crime.

November 28th, 2008

English DPP warns against “relentless pressure of a security State”

The outgoing head of the Crown Prosecution Service and DPP for England and Wales, Sir Ken Macdonald QC, has used his retirement speech to warn against UK government proposals to expand data retention:

As I near my conclusion, let me, in my final public speech as DPP, repeat my call for level headedness and for legislative restraint in an age of dangerous movements.

We need to take very great care not to fall into a way of life in which freedom’s back is broken by the relentless pressure of a security State.

Over the last thirty years technology has given each of us, as individual citizens, enormous gifts of access to information and knowledge. Sometimes it seems as if everything is at our fingertips and this has made our lives immeasurably richer.

But technology also gives the State enormous powers of access to knowledge and information about each one of us. And the ability to collect and store it at will. Every second of every day, in everything we do.

Of course modern technology is of critical importance to the struggle against serious crime.

Used wisely, it can protect us.

But we need to understand that it is in the nature of State power that decisions taken in the next few months and years about how the State may use these powers, and to what extent, are likely to be irreversible. They will be with us forever. And they in turn will be built upon.

So we should take very great care to imagine the world we are creating before we build it. We might end up living with something we can’t bear.

October 21st, 2008

Data Retention – Advocate General recommends Irish Government challenge should be rejected

The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.

It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice.

Full text of the Advocate General’s opinion available here.

The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) is also bringing a legal challenge to data retention and has put out a press release on the Opinion.

October 14th, 2008

Data Retention – Advocate General will give opinion on Irish Challenge in two weeks

The agenda of the European Court of Justice has just listed Tuesday, October 14 for the Advocate General’s opinion on the State’s challenge to the Data Retention Directive. This won’t be a final decision – the Advocate General gives an opinion which is merely advisory and the court is not bound by it. In most cases, however, the court will follow the broad approach of the Advocate General.

What’s the significance of the State’s challenge? Here’s what we said about it before:

On the plus side, the challenge will certainly delay implementation of the Directive, and stands a very good chance of striking it down in its entirety. There is a very strong case that the passing of the Directive was flawed.

On the minus side, the challenge is purely procedural. The Government agrees with the principle of spying on every citizen – it merely alleges that the wrong legal mechanism was chosen. According to the Government, the measure should have been passed by unanimous agreement of all the member states – not by a majority voting procedure. We agree – the directive is clearly an attempt to deal with matters of criminal law that are reserved to the member states, and the fundamental rights of Irish citizens should not be set aside by the majority vote of other EU states. But we’re disappointed that the Government shows no interest in asserting the right to privacy of Irish citizens. The result is that the European Court of Justice, when it eventually deals with the case, will only be hearing about procedure – not privacy.

Obviously we hope that the Government’s challenge will succeed in invalidating the Directive. Whatever the outcome of their case, however, our own challenge to data retention – where we raise these privacy issues about Irish law as well as the Directive – will continue.

(Thanks to Joris van Hoboken for pointing out that the Opinion had been timetabled.)

October 3rd, 2008

Mixed messages on data loss

There’s some good news and some not-so-good news in the Irish Times today on how the government is responding to its ongoing problems with losing personal data.

First, the not-so-good news. In response to a parliamentary question from Labour leader Ruairí Quinn, it emerged that the rate of loss of electronic devices is increasing to approximately one per week (a figure which includes e.g. laptops, desktops, USB keys and Blackberries). Worse, only three government departments have fully encrypted their portable devices and, although the majority are in the process of doing this, two departments (Communication and Education and Science) have not done so at all.

So what’s the good news? After these figures emerged, the Minister for Justice indicated that he was considering introducing mandatory reporting where personal data is lost, which, according to the Irish Times, would extend to “all state agencies, banks and other entities”. We’ve been calling for mandatory reporting of data loss for some time now, something which has been endorsed by, amongst others, the European Data Protection Supervisor and the Irish Times, and it’s good to see the Minister (albeit belatedly) acknowledge the need for change.

The devil is, however, in the details and (while it’s dangerous to read too much into a relatively short piece) there are indications in the story that what the Minister is considering is too narrow.

First, the story talks about reporting “when an electronic device containing information on members of the public is lost or stolen”. This reflects a rather old fashioned view of data being embodied in a particular tangible form – a view which is no longer valid. It makes little sense to say that there should be notification when a USB key is lost but not when an online database is compromised.

Secondly, the focus seems to be on data which goes “missing”. This might fit the traditional example of the laptop left on the bus – but excludes situations where a corrupt insider deliberately misuses data. A good example is the recent scandal where mortgage brokers illegally passed on details of buyers’ finances to estate agents and auctioneers. Such abuses are often more serious than inadvertent loss of data, and any duty to report should also include deliberate and illegal disclosures of data.

Thirdly, the duty to report would be to the Data Protection Commissioner, with the public being informed “in major cases”. This must not mean, however, that the individuals whose data is lost would only be informed “in major cases”. The risk to your finances if your details are lost is just as great whether or not you are the only victim. It would be little consolation to learn that you were not informed and given a chance e.g. to cancel your credit cards because you were the victim of a “minor breach” only.

These concerns aside, we welcome the Minister’s decision and look forward to seeing detailed proposals soon.

3 comments October 2nd, 2008

Implementing data retention – where’s the consultation?

Letter from Justice re data retention consultation

This is a letter which the Department of Justice wrote in July 2006 indicating that they would consult us before drafting any measures implementing the Data Retention Directive. 18 months later we still haven’t heard anything concrete from them, despite reports that they plan to put laws in place within the next month. Equally in the dark are the ISPs and others in the internet industry who will face the technical challenges and cost of implementation:

Given the short timeframe for putting this legislation into action, the industry – ie ISPs – should know the score. They are charged with the responsibility of storing this vast bank of data on the Irish citizen, but frustratingly they are still not quite sure of their role in the process.

“We, as ISPs, do not have any difficulty with the objective of fighting serious crime but what we need are clear instructions on the expectations of governments across Europe as to what exactly it is we have to retain and when,” says Durrant.

Shane Deasy, managing director for wireless internet provider BitBuzz, while willing and able to comply with the new legislation, echoes Durrant’s sentiment: “There is a grey area – details we have yet to get answers to.

“The industry has met with the Department of Justice and has had several discussions on this forthcoming legislation but to my knowledge the industry has not yet been given information on exactly what data they are required to store and for how long.

“It may require a lot more storage on the part of the ISPs but at the moment we simply don’t know exactly what we are going to be asked to retain.”

Such is the confusion that Google has recently voiced its concerns on its Public Policy blog, stating that the approach taken by Justice may have the effect of damaging the Irish internet industry:

Ireland looks set to be amongst the first countries to transpose the directive. Concerns have been expressed that sufficient time may not be available for a full debate to discuss the very complex issues involved. There is also a real risk that a rushed transposition process could produce legislation which negatively impacts on consumer privacy and is harmful to the internet and telecomms sector. Our view is that it is vital that the reasonable concerns of privacy advocates and industry are taken into account. Google is going to take advantage of the current window of opportunity to get our views across, and we hope that other interested parties will do likewise.

So what will it take before the Department of Justice is prepared to engage in real consultation?

3 comments February 28th, 2008

Irish Privacy Expert – “Big Brother philosophy threatens public’s privacy”

Professor Robert Clark is a leading Irish expert on privacy and the law. Here’s what he had to say in the Independent about the Government’s handling of personal privacy:

Big Brother Philosophy Threatens Public’s Privacy

Do the Irish Government and state agencies — health, prison, law enforcement, semi-state bodies for example — have a legal obligation to keep your personal information private? The answer is a resounding “yes”.

But this does not mean that the law will necessarily be observed — bad things happen. Experience shows that human errors will greatly facilitate personal information misuse. Failure to keep computer passwords confidential, for instance, is estimated to be a major source of data security lapses.

Threats are often internal, rather than external. Examples that come to mind include a case in Belfast some years ago when an unmarried mother-to-be applied at her dole office for maternity benefit.

She was dreading telling her mother of the pregnancy but a nosey neighbour who worked in the office found out about the inquiry and told the entire neighbourhood. The welfare agency was held in breach of its duty to keep information in confidence.

A similar event occurred in Kerry last year when the gardai had to pay damages when information about a suspect found its way into the public domain by way of a garda leak.

The fact is that the State is likely to have access to personal information of the most sensitive kind — medical and health data, criminal records, religion, etc — and it is through data protection law that citizens draw the most protection.

While the Office of the Data Protection Commissioner is better resourced now, the complexity of finding meaningful solutions that face the commissioner in the internet age cannot be overestimated.

Privacy and data protection all too often lose out when confronted by pressure for more police powers or greater administrative convenience. The level of scrutiny by the Oireachtas was negligible. Successive Data Protection Commissioners have complained about this Big Brother philosophy but to little effect.

The practical point is this: the more public servants who can access the data, the more likely it is that something will go wrong.

The lesson to be taken from the UK child benefit disk debacle, in which two disks holding personal data about millions of people went missing, is that too many junior staff were able to access and copy too much information about too many citizens, in breach of internal rules.

The rules and legal position are clear — it is human error that accounts for most data breaches. Threats from hackers are often regarded as external threats but often the person who alters websites and files is a disgruntled employee or ex-employee who is out for revenge or wants to access information about others. Case law in relation to employee hackers shows that the employer is entitled to sack someone straying into personnel files of co-workers.

Where the threat is external, as in cases of identity theft, denial of service attacks, phishing, for example, our legislation appears to be less satisfactory.

Hacking was criminalised as a very minor offence back in 1991 but we have yet to see a review of the law relating to computer and technology misuse in the light of these more damaging developments.

To the extent that our lawmakers are not keeping information misuse laws up to date, it can be said that Sean and Maura Public are not being protected by the State.

A cynic might say that internet crimes and information theft are difficult to detect and investigate but this, while true, is not an excuse for legislative complacency.

Prof Robert Clark is a member of the Internet Advisory Board and is the author of ‘Data Protection Law in Ireland’

Add comment February 8th, 2008
