Below is an edited version of the letter I faxed to Brendan Howlin today regarding Freedom of Information Act fees proposed last Friday at the end of legislative drafting before the Committee Stage in the Irish Parliament.
While I agree that public service resources need to be utilised efficiently, particularly in the current (apparently getting better) economic context, I disagree that putting a paywall up (which is the practical effect of the fees proposed) is the solution. Better results could be achieved by actually managing information as an asset and ensuring appropriate governance and joined up thinking.
Dear Minister Howlin,
It was with dismay that I learned of the proposals in the current draft Freedom of Information Bill regarding the charging of fees. Simply put: the proposal regarding fees is dangerously retrograde, belies a failure of customer/citizen-centricity in Public Sector thinking and a missed opportunity to mandate improvements in Data Governance, runs counter to your own initiatives in relation to “Open Data”, and may indeed serve to weaken any strategy to break down ‘silo thinking’ in Public Service organisations to achieve operational efficiencies through better use of data internally.
· Dangerously Retrograde:
Creating an uncapped initial application fees structure for simple exercise of Freedom of Information rates is a dangerously retrograde step. Much of the waste in Public Service organisations over the past few years has been uncovered through journalists and others using FOI rights carefully.
An uncapped application fees structure, particularly the provisions which give rise to additional charges where data requests span multiple “administrative units”, creates a financial disincentive for budget-conscious editors or freelance investigative journalists to seek information which might be in the Public Interest.
By effectively curtailing the avenues of information access for citizens to only those who have resources to take an unknown punt on the final costs or to the official press releases our FOI regime that was weakened in 2003 will have been replaced with a model for ‘mushroom management’ in which citizens will be kept in the dark and fed what’s good for mushrooms.
· Failure of Customer/Citizen-centricity and Data Governance:
The erection of a “paywall” that will inevitably act as a disincentive to exercise of FOI rights belies a failure of Customer/Citizen-centricity in the Irish Public Sector. In tandem it highlights a failure to seize a valuable opportunity to drive strategic change in Data Governance processes, practices, and methodologies in the Public Service.
Rather than seeing the challenges raised by requests as an issue which must be curtailed through charges, the Irish Government can choose to invest some effort to understand the root causes of the issues that are reported. For example
o Could it be that multi-part requests being submitted under the current system are likely a function of journalists needing to maximize the ‘bang for their buck’ on each individual request. Removing this may remove the multi-part queries?
o How many queries relate to ‘standard’ information or reports which might be ‘pre-packaged’, perhaps in formats that require additional analysis by the requestor, but which meet the requirement for access to information?
o Are FOI access and accessibility a primary consideration in the design of new systems and processes? If not, should the Data Governance structures of departments be addressed to ensure “FOI-by-design” (producing standardized core reports etc), in the same way as “Privacy by Design” will be a requirement under the forthcoming EU Data Protection Regulation?
I am currently engaged in a project [details of project redacted for publication] where FOI requirements under regulations such as the Aarhus Convention as well as their voluntary compliance with various regulatory standards have been identified as key strategic drivers for precisely this kind of Data Governance change and re-alignment. The project team has identified further substantial benefits arising from the improvements in Data Governance and Information Quality in this organization that go beyond simple Freedom of Information capabilities.
By opting for a “paywall” that will keep enquiries out the Government is ignoring an internal dissatisfaction with status quo that can be leveraged to trigger and hopefully sustain Data Governance change in the Irish Public Sector. By knowing the cost of everything and the value of nothing, an opportunity to improve is being foregone.
· Free Information, Open Data: Fees are inconsistent with Open Data Strategy
Frankly my head is spinning trying to figure out what the strategic position regarding information is from the Government.
On one hand you are promoting “Open Data”, while on the other you are proposing changes that will make it harder for citizens (not just journalists) to get access to information in accordance with their rights.
Ultimately, it is my professional view that the very Data Governance and Information Quality benefits that the proposed “paywall” is forgoing in the context of FOI will inevitably emerge as challenges and barriers to producing Open Data that can be relied upon for service planning, development of applications, guiding investment strategies etc.
The “pre-packed” reporting solutions outlined above (which I believe were raised by Gavin Sheridan during the legislative consultation period) are Open Data. By implementing these and addressing root causes for current issues and inefficiencies in the FOI model in Ireland the Government has an opportunity for a double-win. Instead we are presented with cognitive dissonance where the Government trumpets Open Data with one hand but claws back Information Freedom with the other, while forgoing any operational efficiency benefits which would arise from tackling root causes in Data Governance practices.
· Breaking Down Silo Thinking in the Public Service
The Haddington Road Agreement aims to improve efficiency and effectiveness in the Public Sector and to reduce costs. Ultimately it will need to break down the traditional “silo” thinking that exists in all large organisations, and the provisions regarding staff mobility hint to that.
However the proposed charging structures under the FOI proposals run counter to this strategic vision. If one was cynical it could be described as a “Silos Charter” given that additional charging will be tied to the number of administrative units in which data is being processed.
What controls are being implemented to ensure that there is no fragmentation of administrative units to split data processing within FOI-able entities? In the absence of controls it is inevitable that fragmentation will exist, particularly in the context of processes, projects, or functions that might be of notable interest to people seeking to exercise their FOI rights.
On the other hand, improving Data Governance (data standards, meta-data, master data, clarification of data ownership rights, rules and accountabilities) and seeking to identify common methods for developing and delivering standardized reports would inevitably result in a breaking down of silos and the promotion of cross-functional ways of working within the Public Service.
However, hiding the silos behind a paywall appears to be the easy path which the preferred choice of the Government.
There is a significant potential opportunity to drive change in the governance and management of information in the Irish Public Sector. This change aligns with the objectives of Open Data and has potentially far reaching benefits beyond just FOI effectiveness.
A PayWall, which is what an uncapped open-ended application fee is in practice, removes this driver and allows both current inefficiencies to fester and current efficiencies to remain siloed, and deprives the citizen of their opportunity to find out answers to their questions of Government. Raising the paywall potentially beyond the reach of individuals, freelance journalists, and mainstream media is a dangerous retrograde step for transparent democracy.
FOI is the Parliamentary Question for the individual – it should not be locked away behind a paywall
The Irish DPC has come under fire in the international media on foot of their failure to act on a complaint by Europe v Facebook about US multinationals with bases in Ireland allowing data to be accessed by the NSA.
The gist of EVF’s complaint is that this access invalidates Safe Harbor and therefore makes the transfer of data by these companies to the US is therefore illegal.
EVF may indeed be right. The key 2-legged test to be passed is whether the access by law enforcement/national security agencies to the data that is being transferred is necessary for the national security/law enforcement purpose, and whether the access/processing is in turn proportionate to the objective when balanced against the fundamental right to privacy.
Prism and similar programmes quite probably fail either or both legs of that test. Certainly the ECJ seemed to be very concerned with whether European governments had done enough to demonstrate necessity and proportionality with regard to EU communications data retention (http://www.contentandcarrier.eu/?p=435).
This is the ECJ case that the Irish DPC refers to in the written response to Europe-v-Facebook.
Safe Harbor is a scheme entered into by the European Commission and the US Dept of Commerce to facilitate transfers of data to the US. It is decidedly imperfect and had been the subject of criticism since it was introduced in 2000.
It is one of the mechanisms under which organisations can transfer personal data outside the EEA (28 EU member states plus Norway, Iceland & Liechtenstein) under S11 of the Data Protection Acts
S11 does give the DPC the power to prohibit such transfers in certain circumstances. The DPC needs to be of the view that data protection rules are likely to be contravened and individuals are likely to be harmed as a result. This power is limited in that it does not apply where the transfer is required or authorised by law.
And here’s the rub:
- Safe Harbor is a scheme that authorises the transfer. So the DPC can’t unilaterally prohibit the transfer of data where Safe Harbor is being applied.
- The Irish DPC does not have statutory authority to second guess the EU Commission on the legality of Safe Harbor
- PRISM is, at this time, understood to have a statutory basis in the US and no-one court has yet ruled on the necessity and proportionality of its data gathering, so there is no breach of Data Protection rules per se. If the ECJ gives guidance re similar EU laws this could alter things.
In short, the Irish DPC’s hands are probably tied by the law.
Billy Hawkes lacks the legal authority to rule on the validity of Safe Harbor, so while transfers under Safe Harbor are valid in the EU Commissions eyes he probably can’t prohibit a transfer that is based on Safe Harbor. That is probably for the EU Commission to do.
Nor is he empowered to make a finding of fact against the NSA regarding the necessity and proportionality of their processing (that’s for the US courts, or for the EU Commission to adopt as part of their review of Safe Harbor) – but will be bound by whatever principles of proportionality and necessity for communications meta-data processing emerge from the ECJ Data Retention Directive case, which is likely in my view to be more of a steer to the EU Commission regarding controls that would be required in “Son of Safe Harbor” than empowering the DPC to torpedo Safe Harbor himself.
I suggest that it is this reasoning which the German DPAs have applied in their action which has had the effect of prohibiting transfers in scenarios where they had direct competence but served only to send up a warning flare that Safe Harbor and Model Contract Clauses might be broken – but DPAs lack the statutory competence to actually do anything about it and it must be addressed by the Commission.
Rather than “regulator fails to enforce law”, this story is more correctly “Regulators hampered by broken law unsuited for modern age”
Europe v Facebook has issued a press release today decrying the failure of the Irish DPC to find fault with the reliance on Safe Harbor by US technology companies in the transfer of personal data of EU citizens to the US where it fell into the net of PRISM.
The soundbite friendly position evf is taking is that the Irish DPC is kowtowing to economic interests in not pulling the plug on Safe Harbour as German DPAs have done.
However I would suggest that the position is slightly more nuanced than that. The key test that needs to be met for the national security/law enforcement exemptions to Safe Harbour is one of necessity and proportionality of the invasion of privacy set against the national security/law enforcement requirement.
The EU currently has a Data Retention Directive. It is law in most EU member states, but is currently subject to an action in the Irish High Court which has referred questions to the ECJ, which ultimately rest on issues of necessity (I.e is it necessary to retain the metadata of every call, web access, email, sms sent over a comms provider in the EU, and if it is necessary is it proportional to do so for EVERYONE compared to the actual risk/objective).
This ECJ action is referred to explicitly by the DPC in their response to evf.
In the absence of a ruling in that case or a decision by the EU commission that PRISM constitutes an unnecessary and disproportionate intrusion under Safe Harbour the DPC is acting in line, in my view, with the law that is in front of him.
But the Germans have pulled the plug I hear you cry! Yes. They have – to a point. But the German Constitutional Court has also struck down their national implementation of the EU Communications Retention Directive. So the law in Germany is slightly but significantly different.
But this awkward disjointment of laws highlights the need for improved standardisation of Data Protection laws in Europe and an improved collegiate operating structure for DPAs. This is part of what the revised General Regulation on Data Protection was to deliver.
It also highlights the questionable justification for double standards for law enforcement as illustrated by the existence of the parallel revisedDirective on Data Protection for EU law enforcement agencies which differs from the draft Regulation.
As a childhood (and adult) fan of the classic TV show “Yes, Minister” I’m minded to give the DPC some benefit of the doubt in their position as it would be preferable for there to be an EU bloc position on Safe Harbor rather than piecemeal action. That requires either EU Commission termination of Safe Harbor due to its abuse on grounds of inappropriate and unnecessary intrusion, or a ruling from the ECJ that defines those rules in an EU context in regard of our own data sucking activities.
After a little digging, it turns out that the position of the German DPAs doesn’t differ all that much from the Irish position. They actually haven’t suspended Safe Harbor, just called on the European Commission to clarify how Prism etc is compatible with EU privacy principles.
What is suspended are transfers based on any other basis other than model contract terms or Safe Harbor.
So, in effect, the German DPAs have kicked the ball back to the European Commission in a manner similar to the Irish DPC, but have forgotten to mention the significant ECJ hearing as well.
That is not to say that I am thrilled with how it has been handled. The DPC should have issued a formal decision on this setting out their position so that evf could appeal against it in Court. That would be an interesting case to see and I suspect many of the arguments that would need to be put forward have already been drafted in respect of Digital Right Ireland’s High Court and ECJ actions.
Of course, I don’t rule out the possibility of an overworked under resourced Data Protection authority making an error in their assessment of the legal position. And, unfortunately given the dischordant “tone at the top” from Alan Shatter on matters Data Protection the political landscape Billy Hawkes must navigate is challenging.
This will get very interesting I suspect.
(And I’ve left the question of whether the Irish DPC even has the powers under the domestic legislation to do what evf are requesting for another day)
Fair play to him. He sold a property and home he loved and made a profit. Now he can have his cake and eat it, returning wealthier to the same home and hearth.
The same, unfortunately, is not true of protections for fundamental human rights. In the current economic turmoil it is tempting to mortgage them or sell them off in the interests of supporting business and reducing red tape. However, when the economy recovers it will probably be impossible to push the pendulum back towards respecting the rights we have forgone in the interests of economic expedience. We will have a recovered economy but a diminished society.
This is what is happening with the EU Data Protection Regulation. Earlier this month the Irish Government, in one of the last acts of their EU Presidency, trumpeted their ‘victory’ in the first four chapters of the Regulation, getting a quasi kind of agreement to introduce a level of protections that has been watered down to near homeopathic levels. Whatever good is in some of the proposals the Irish Government is horribly undermined and hollowed out by the move to a purely “risk based” model of regulation (similar to that which has worked so well in Financial Services) amongst other things.
Principles diluted do not retain the memory of the principle. Homeopathic regulation doesn’t work. The parts of the Regulation that might have served to retain focus and concentration were the sections around enforcement and penalties.
Today we learn via a leaked document that these sections have likewise been diluted to homeopathic levels by the Irish EU Presidency (again, annoyingly in tandem with some good and positive changes)
- The specific levels of fines to be levied have been omitted from the document (Dr. Chris Pounder on the Hawktalk blog suggests this may be due to there being no agreement, my view is that if it has been taken out whatever is put back in will be a lot less attention focussing than the 2% of global turnover levels previously proposed)
- A range of mitigating factors and considerations have been introduced which must be considered by a Data Protection Authority before levying a penalty of any amount. 13 different factors to be considered. One for every tooth a Regulator might have had. One more line of defence to be argued over before enforcement can commence.
So, errant Data Controllers may now be in a position where they can self-assess their risks based on their own perception of the risk and impacts of their actions (just like people of a certain generation used to self-assess whether they were sober enough to drive), but just in case they get it horribly wrong the hoops a Regulator will have to jump through before being able to levy any form of meaningful penalty have grown in number and vagueness.
This the text book definition of light touch regulation. History has shown repeatedly, and at great cost, that this simply does not work.
The man in the newspaper today bought back his old family home and made a tidy profit because of a catastrophic failure of culture, governance, and regulation. Rules around due diligence and proper management of lending were set aside or worked around because it was “good for business”.
We must learn the lessons of history or we will have mortgaged our rights to be “left alone” in the interests of economic expedience and only those who held on to their financial muscle in this crisis will be able to make the payment needed to buy back that right through the Courts.
An appropriate balance must be struck between the economy and the society.
Fergal Crehan and I drafted the original version of this op-ed piece on the evening of the 5th of June, completing it on the 6th and submitting it immediately to the Irish Times as a topical opinion piece. The article was originally drafted in response to the EU Council of Ministers publication of proposed amendments to the EU General Data Protection Regulation that would significantly undermine the protections awarded to individuals and their data under EU law.
It wasn’t published (but them’s the breaks as they say).
I’ve updated it to include reference to the Prism and Tremora stories that were just beginning to break the week the original piece was drafted. I’ve also included references to some anti-data protection stories that have appeared in the Irish Times since the beginning of June, and a nod to the legacy of light touch regulation and associated attitudes that has recently emerged in the Irish press.
I took the decision in consultation with Fergal to publish this here as the points that are raised are important ones regarding the nature of the society we want to live in. The failure of the Irish Times to fact check recent stories raises a further question as to the role of a neutered as opposed to neutral press in the definition of and shaping of that society.
Journalists more than anyone should be alert to and resisting of any efforts to dilute or invade privacy, because it is only where there is privacy that there is the freedom for sources and whistle blowers to express privately (to journalists) facts that should be made public by the media. The logging of data about what numbers you dial, when, where from, and the uses that data can be put to could conceivably jeopardise sources, result in stories that need to be told being silenced, and force public and private conformity with a “party line” regardless of consequences. “All the President’s Men” would have been a significantly different movie if Nixon had had access to a Minority report level of analytics about who called who and who was where when – which is possible today.
A Free Press should be concerned in equal measure about attacks on the freedom of expression and the rights to Privacy. This is why Data Protection should be a hot topic of relevance, not a dry techie story of limited interest. Responsible journalists need to inform themselves of the rights that exist, the ways those rights are being undermined, and how the existence of those rights that are under threat.
A skewed balance struck
For some years now, the EU has been preparing a regulation to update and standardise data protection law in Europe. The expectation was that the rules would be strengthened, giving citizens more protection against misuse of their information. It was a shock then, when the Irish Presidency brought forward a draft regulation which not only dilutes many of the original proposals of the EU Commission, but represents a neutering of many data protection rights rights enjoyed up until now.
Data protection is a human right, closely bound up with privacy, and is unsurprisingly taken especially seriously by European countries whose citizens suffered under the police states of Nazis or Soviets, or even both. It is the right not to have your personal information hoarded, sold, disclosed or otherwise misused. “Data Protection” may not stir passions like other rights do, but in an increasingly data driven world, its importance cannot be overstated. We are already at risk of a two-tier privacy system, where the rich and famous can go to court for super-injunctions, while Joe Citizen cannot sit peacefully at home without their phone ringing with unwanted direct marketing calls.
Ireland has had the privilege of shepherding the revised Data Protection rules through the process of negotiation and agreement. The vision set out by the European Commission in its initial drafts was to provide a simplified regulatory structure for business and strengthened rights for individuals over how, where, and why information about them is processed, and by whom. This vision became the subject of one of the most intensive lobbying campaigns by US firms ever seen in the EU.
In February it emerged that amendments tabled by a group of MEPs that diluted the protection of personal data were copied verbatim from the submissions of these lobbyists. Sean Kelly, the Irish MEP responsible for those amendments, recently received an award from an advertising industry group for his work. The Council of Ministers recently issued a set of proposed changes to the Regulation that are being touted by Alan Shatter, the outgoing President of the Justice and Home Affairs Council, as providing “better protection for citizens” while also “providing a better strategy and architecture for business”.
However, privacy advocates have highlighted that while the proposed changes are good for business they are a serious weakening of protections EU citizens have historically enjoyed. Advocates in favour of the proposed changes cite the importance of data in the modern economy and the potential for jobs.
But are we building an economy or a society? In a speech this week President Michael D. Higgins tells us that the EU is a “union of citizens” and the institutions of the EU must work to protect those citizens. The proposed Regulation weakens those very protections.
The proposed changes introduce a “risk based”, self-regulation approach. This seems not unlike the “light touch” regulation which was adopted in order to attract financial services companies to Ireland, and which fuelled the financial services boom. With our government now keen to attract more data-based firms like Facebook and LinkedIn to Ireland, it seems lessons of recent history are not being learned. And in the week of the Anglo Tapes it is more important than ever that we learn these lessons.
This approach has been hailed as “non-prescriptive”. But a regulation that doesn’t prescribe anything is a mere suggestion, which can and will be ignored unless there are adverse consequences. Ireland’s Data Protection Commissioner is chronically underfunded, but he can and does bring prosecutions for breach of the Data Protection Acts. It is difficult to see how a these kinds of criminal convictions could be achieved under the proposed regulation.
Under the proposed Regulation, if your personal data is lost or stolen, the decision about whether to tell you will be left in the hands of the people who lost the data. This effectively means that there will be no right to know when your personal information is lost.
Last year Target, the US supermarket, broke the news to a father that his teenage daughter was pregnant by sending her unsolicited targeted adverts for baby products. Current laws make this potentially illegal in Europe. However, direct marketing rules are to be changed under the proposed Regulation. Companies would no longer need your permission to market to you once they have obtained your data. This is an extraordinary win for the marketing lobby, a turn from a right to privacy, to a right to invade privacy. The telemarketer, a scourge familiar to any American with a phone, is set to become an unwelcome part of our daily life too.
The recent revelations of unfettered and covert surveillance on the private commmunications of every individual in every country by US and UK intelligence services has highlighted the risks of the Panopticon. Some argue that if you have nothing to hide you have nothing to fear. But that flies in the face of our fundamental values that everyone has a right to a place where they can have private thoughts and private communications. These rights are under attack and must be defended.
But at a smaller scale, recent articles in the Irish Times have linked Data Protection rules with inefficiencies in the Ambulance service which have contributed to deaths. ‘Data Protection rules mean we can’t use GPS for ambulances’ was the claim. Bunkum is the answer. Such processing is permissible under Section 8 of the Data Protection Acts. ‘Data Protection rules will curtail genealogy’ was another claim. Again, bunkum. The draft Regulation will likely apply only to living persons, Public Registers will have certain exemptions, and the Right to be Forgotten is not a right to be airbrushed from history, as has been made clear by Commissioner Reding on many occasions, and has been made clear by the ECJ in the past week.
Data is hailed as “the new oil”. “Big data” is mined to predict everything from musical taste to voting habits. It is disturbing when rights, once considered uncontroversial, are watered down or neutralised because it has become profitable to do so. What is proposed in this draft of the Regulation is something unprecedented in the history of the EU – the effective abolition of a human right enshrined in EU Treaties. As citizens, we can only wonder and worry which other human rights will become inconvenient to big business, and what their fate will be.
Below is the text of an email I sent to the Irish Times editor on the 25th of June. The email was received by the Irish Times systems but I have had no response. Hugh Linehan on Twitter engaged but just to refer me to the Editor. I’ve published the letter here for wider reference. Readers might want to check out posts by Fergal Crehan and myself here and on fergalcrehan.com
[update] I feel that this email raises important questions, particularly in light of the article on lobbyists and astroturfing and the EU Data Protection Regulation in today’s Financial Times.[/update]
Dear Mr O’Sullivan
Over the past few days a number of stories have appeared in the Irish Times purporting to highlight important Data Protection issues. In all cases the reporting has been at best incomplete, with no validation of claims made or any attempt to present counterpoints or other relevant facts, and at worst a simple retreading of a press release without any apparent fact checking or questioning of the information being spoonfed to the correspondent.
On the 22nd June the Irish Times ran a story headlined “Ambulances unable to use GPS tracking” which drew a connection between alleged Data Protection restrictions and the death of a child. http://www.irishtimes.com/news/ambulances-unable-to-use-gps-tracking-1.1438980. The statement of data protection law contained in this article was incorrect. A number of sections of the Data Protection Acts specifically allow for processing of and disclosure of personal data, particularly where there is a risk to the safety, life, or health of an individual.
A cursory Google search or request for comment to either the Office of the Data Protection Commissioner or a specialist in Data Protection law and practice such as myself could have clarified this. Specifically disclosure of/processing of GPS data would be permitted under Section 8(d) and Section 8(f) of the Data Protection Acts in the case of an emergency services requirement.
As someone with experience in the telecommunications sector and Data Protection issues, there are other more fundamental problems with real-time GPS tracking and, unfortunately, life is not like an episode of CSI where there is perfect information available in perfect real-time with perfect accuracy. This could and should have been reflected in the article. The real barrier to accurate dispatch of ambulances is the failure of successive governments to roll out a post-code system or equivalent address identification system that would allow for more granular and accurate location of addresses. An Post’s Geodirectory (which is the defacto standard for address validation) is designed for postal delivery not ambulance dispatch. Post codes were to be implemented in 2008.
On the 24th June the Irish Times ran a story headlined “EU Regulation could restrict genealogical research” http://www.irishtimes.com/news/eu-regulation-could-restrict-genealogical-research-1.1440075, which reported that the revised EU General Regulation on Data Protection could restrict access to parish records and other genealogical data such as registers of births, marriages, and deaths.
Again – this is utter bunkum. The EU Data Protection Regulation is unlikely to apply to deceased persons (as is the case with the current Irish Data Protection legislation which excludes the deceased, but is not the case in some other EU countries). Furthermore the Right to Be Forgotten has been defined and discussed thus far in a circumspect manner as to exclude Public Registers such as parish records or Registries of Births, Marriages, or Deaths. Yes, Data Protection rules will and do apply to genealogists working with data relating to living people, but only insofar as the data cannot be used for other purposes and other obligations to keep data safe and secure.
While I acknowledge that the EU Data Protection Regulation is as yet not finalised I would submit that that makes it even more important that responsible reporting on the actual or potential future trends in EU Data Protection law and the rights of citizens should be balanced and facts and assertions checked and validated.
Today (25th June) the Irish Times business section ran a story heralding that the ASAI would be introducing rules requiring organisations using online advertising behaviour tracking to provide notice of this from September. http://www.irishtimes.com/business/sectors/media-and-marketing/firms-to-give-notice-if-collecting-online-data-for-ads-1.1440129 This appears at first glance to be a good news story about self-regulation in the Internet Advertising industry, with the Interactive Advertising Bureau holding a consumer awareness campaign from today.
Again – a simple fact check on this story would have highlighted the existence of this legislation and raised questions about why the ASAI is suddenly taking an interest in cookies. It would, of course, have highlighted that the Irish Times was one of a number of organisations contacted by the Data Protection Commissioner last year with regard to compliance with SI336 http://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/press/listwwebsites.htm
So is the real story here not why the ASAI, with limited enforcement powers, feels it is important to step in to the policy and enforcement role of the Office of the Data Protection Commissioner, rather than simply ensuring its members comply with what is required under a law that is 2 years old? Is the DPC grinding to a halt? Is the Advertising Industry attempting to put lipstick on the pig that is self-regulation? Why is the ASAI seeking to confuse people about who to complain to about breaches of Cookies Regulations (them or the DPC or both)? Why?
There is a worrying pattern in these stories. The first two decry the Data Protection legislation (current and future) as being dangerous to children and damaging to the genealogy trade (a Fr Ted-like “Down with this sort of thing” positioning). The third sets up an industry “self-regulation” straw man and heralds it as progress (when it is decidedly not, serving only to further confuse consumers about their rights).
If I was a cynical person I would find it hard not to draw the conclusion that the Irish Times, the “paper of record” has been stooged by organisations who are resistant to the defence of and validation of fundamental rights to privacy as enshrined in the Data Protection Acts and EU Treaties, and in the embryonic Data Protection Regulation. That these stories emerge hot on the heels of the pendulum swing towards privacy concerns that the NSA/Prism revelations have triggered is, I must assume, a co-incidence. It cannot be the case that the Irish Times blindly publishes press releases without conducting cursory fact checking on the stories contained therein?
Three stories over three days is insufficient data to plot a definitive trend, but the emphasis is disconcerting. Is it the Irish Times’ editorial position that Data Protection legislation and the protection of fundamental rights is a bad thing and that industry self-regulation that operates in ignorance of legislation is the appropriate model for the future? It surely cannot be that press releases are regurgitated as balanced fact and news by the Irish Times without fact checking and verification? If I was to predict a “Data Protection killed my Puppy” type headline for tomorrow’s edition or another later this week would I be proved correct?
Attached is an updated copy of an op-ed piece on Data Protection reform I submitted in collaboration with Fergal Crehan BL earlier this month (06/06/2013). It remains unpublished. If it helps, I’ll dress it up as a Press release and send it to the news desk instead.
Daragh O Brien
Great news but for a few minor facts that seem to have eluded the fact checking doubtless done by the journalist taking the by-line.
- The ASAI is a voluntary self regulatory body. It is not a statutory agency
- The DPC has already begun enforcement proceedings to encourage compliance. Among the organisations written to late last year was the Irish Times
So, the ASAI is essentially claiming credit for encouraging its members to comply with the law of the land 27 months late. This is presented unquestioningly in the article as a "good thing" being done by a responsible self-regulating body. But the ASAI is just moving to bring their members into line with the law. Late.
In doing so they muddy the waters for consumers by making it seem that they are the entity to complain to (they’re not – it’s the DPC, who can levy actual criminal penalties and fines). While the ASAI’s move to regulate the on-line data gathering practices of its members is laudable, responsible journalism would have pointed out that that is what the law actually is and this is not a proactive industry response.
"Look at us! Self regulation can work!" is the implied message. (That’s exactly the message by the way that has emerged from lobbyists who campaigned to dilute the protections for individual rights in the Draft EU Data Protection Regulation, and also the message that was trotted out in other industries in recent years with less than stellar results).
Taken in combination with a number of "data protection kills puppies" stories that the Irish Times has been running recently one can’t help but form the view that, in the absence of proper fact checking by journalists someone is st00ging the Irish Times and distorting the paper of record.
After all, this publication of unchecked errors as fact couldn’t possibly be editorial policy (could it?)
Last week the Irish Times published an article that I can only describe as poorly researched.
The gist of the article was that ambulance services were finding it difficult to get to the right addresses in time to save people because Data Protection rules don’t allow them to use GPS location of people’s phones.
Bullshit Improperly researched. Section 8 of the Data Protection Acts permits processing of and disclosure of data in exactly these circumstances, either under Section 8(d) (where there is a risk to the life or well being of a data subject) or Section 8(f) of the Data Protection Acts 1988 and 2003. This is a fact that so obscured by “The Man” that it can only be uncovered in one of five ways:
- Looking up the text of the Data Protection Acts on the DPC website (www.dataprotection.ie)
- Putting in a query to the Data Protection Commissioner’s Press Office.
- Contacting one of the various Data Protection consultants and trainers who frequent social media (*koff*)
- Asking a lawyer with Data Protection expertise
- Contact Digital Rights Ireland
At no time would the journalist have to venture into a multistorey carpark to meet a shadowy figure to uncover the truth.
SI336 introduced some elements about the use of location data requiring consent, but that was in the context of processing for commercial purposes and would be superseded by the Section 8 exemption in practice.
The Science Bit
That’s the law bit. Now the science bit. Get ready…
Life is not like CSI.
Everyone’s experience of GPS is that you have a device in your hand and the device knows where you are. that’s because the device is communicating with a satellite (and in the case of a mobile phone what ever cell towers are in range and potentially wifi networks you are connected to) to triangulate your location.
But that takes place ON YOUR DEVICE. The telcos don’t actually have that data (but Apple would if you have an iPhone and Google do if you run Android). Telcos would need to have an app installed to access that functionality of the phone and relay it to their data centres.
They can, however, extrapolate your data based on your nearest cell towers when you make or receive calls or texts. But that data is NOT PROCESSED REAL TIME, other than at a very low level in the network. Accessing it for law enforcement purposes can be a laborious task taking a number of days. Accessing it for the telco’s own uses happens in batch mode as well. Also it is NOT ACCURATE – it can be as imprecise as up to a 5km radius in rural areas (do your sums on that to find the total area) and sometimes it is way off (I’ve been billed for data usage on a device that was in the UK but was not registered as having been roaming). So you stand a reasonable chance of getting the right county, but not always.
Yes, location based targetting of messages can occur but that happens by the telco setting up a geo-fence based on an area around one or more cell towers and then pinging your details when your phone becomes active within the cell (a basic network level activity). They are waiting for you based on defined criteria. And it is not a real-time monitoring. They can’t easily identify where you are at a point in time. They can identify that you have come into a defined area they are monitoring.
Real-time pinging of mobile devices based on cell tower locations is technically possible but it isn’t easily done and can require a lot of resources.
If the Ambulance services wanted GPS data there is an easy way to get it. Develop a smartphone app for calling the emergency services that will relay device information and GPS co-ordinates and perhaps other data (like photos of the injured party or accident scene). Just like calling a Hailo cab. Of course that will only work for the people with a smartphone who have the app, who remember they have it, and who know how to use it.
But please don’t make up stuff about it being the Data Protection Act’s fault.
And do bear in mind that not every phone in the country is a smartphone with GPS capability. Landlines still exist and are used, and basic mobile phones lack GPS functionality.
Apart from “Hailo for Ambulances” (which I think I’ll have to go and patent really quickly), postcodes would be a better solution to avoid ambulances being sent to the wrong places (promised since 2008). Or using MPRN numbers from ESB meters in buildings where available, which allow addresses to be resolved reasonably accurately from the ESB Network.
Each of these have data protection issues, but not in the context of emergency services. Section 8 of the Data Protection Acts takes care of that.
So, can we please stop reprinting press releases without fact checking please Irish Times. 30 seconds. That’s all it would take. A call, an email, a DM on Twitter…
But it would avoid you being st00ged into printing utter nonsense about Data Protection stuff which you WILL be called on publically by the very people who could have told you to tread carefully if you’d asked.
The Data Protection Commissioner has just published his annual report. It makes (as always) interesting reading. It has only been released in the last 30 minutes but there are elements of it that I will return to in detail in a post on my company website later this week (once digested).
Over here on my personal blog I thought I’d pick up on a broader question that bubbles up frequently in Data Governance and Compliance, not least in Data Protection. That is the importance of “tone at the top”.
The DPC’s Annual report instances a number of breaches by way of case study and a report on an audit follow up. The audit of An Garda Siochana’s Pulse system is mentioned in dispatches. Which brings me to the troubling topic of this post.
The Minister for Justice and Defence has disclosed into the public domain information about another person (a Data Subject) relating to an alleged (and disputed) “stop and caution” which came into his possession one must assume in the course of his ministerial function from some, as yet unconfirmed, source. The Minister sees nothing wrong with disclosing personal data, and in this case potentially sensitive personal data, for his own purposes. He has stated in his defence that he felt the disclosure was in the “Public Interest”. His Taoiseach has backed him in his actions.
It brings to mind the argument put forward by Nixon when challenged by David Frost about the legality of certain actions. Just because you can do something doesn’t mean you should – this is the long repeated mantra of Data Protection practitioners world wide.
To extrapolate a little: a senior member of the executive management of an organisation has disclosed publicly information about another person that has come into their possession through the course of their professional activities. The disclosure is without a clear lawful purpose but the manager feels it is in the Public Interest to know the kind of person they are dealing with (“Public Interest” and “Of Interest to the Public” are two different concepts). The manager sees nothing wrong with this. His CEO sees nothing wrong with this and backs the manager.
If this was a private organisation the DPC would be investigating and the executive and CEO would potentially be facing personal liability under section 29 for their consent and connivance in the commission of an offence under the Data Protection Acts.
When the Minister for Justice and Defence, under whose Department the Data Protection Acts reside, cannot recognise where the political win that comes from dropping the other guy in it because you have a information about them others don’t have runs into conflict with fundamental rights to Personal Data Privacy and the Data Protection Acts themselves, the tone at the top is resonating bum notes.
When the Taoiseach sees no problem with this, the bum notes become cacophonic.
If the Minister is to argue that business owners and public servants should respect the law then his recent actions inject a diminished minor note to the fanfare he should have around Data Protection, what with him being the Minister in Europe charged currently with shepherding the revised Data Protection Regulation to a final text.
Why should an SME owner or CEO of a large corporate challenged with respecting the Data Protection Acts seek now to act in compliance with that legislation? The Minister can flaunt it, why not them? Why should a young garda officer on the beat, struggling to make the mortgage payment that month, respect the Data Protection Acts and their code of conduct under the Garda Siochana Act when offered money by external entities for information when the Minister can unthinkingly ignore the ethics and letter of the legislation in pursuit of political point scoring?
Over two years ago I wrote about the same issues arising in a political context. One key quote sticks out in the context of the current situation with regard to political leaders:
If they are promoting a “tough on regulation” policy platform, then they must lead with a clear “tone from the top” of Compliance and good Governance.
The Office of the Data Protection Commissioner is intended to be independent and is required under the TFEU to be so. However they operate under the auspices of the Department of Justice and Defence. In such a structure there is a significant risk that the clarinet solo of the Commissioner (still grossly under resourced) will be drowned out by the cacophonic discord of the Tone at the Top.
The DPC has commented today that:
in general the public sector, including ministers, has a solemn duty to protect any personal data coming into its possession and may only disclose it when it has the consent of the individual concerned or under another basis laid down in law.
Should Deputy Mick Wallace make, or have made, a complaint it would be interesting to see how the Government and the Commissioner’s office would act to avoid the kind of enforcement actions related to a lack of independence of the Regulatory Authority (the DPC) that have arisen in Hungary. Certainly it would be a matter worthy of mention in the 2013 Annual Report of the DPC. Bluntly it would represent a clear test of the independence of the Office of the Commissioner (and for that matter their resourcing) if they were to have to investigate a Minister rather than just a Minister’s department or agency.
The Data Protection Acts owe their genesis and evolution to the actions of political forces in Europe in the early years of the 20th century. We should be very worried when the Minister responsible for internal and external State Security feels that encroaching on a right to privacy without a clear lawful purpose is an acceptable political tool.
The Tone at the Top is braying some bum notes this week and some conductor needs to bring the orchestra back in tune. Otherwise, like all great bands, musical differences may trigger the beginning of the end.
I had looked forward to the Minister’s statement today but am underwhelmed by his position that Deputy Wallace’s status as a public personality is a justification for the disclosure. Where this the case, the DPC audit of the Gardaí and Dept of Social Protection would not have been so concerned about access of data relating to celebrities. The disconnect and discord in the “tone at the top” is palpable!
(If the use of the phrase “tone at the top” in connection with Fine Gael and Data Protection is familiar to some, this post might refresh your memory)
So, David Hall is challenging the provisions of the Personal Insolvency Act regarding the publication of details on public registers. I’m quoted in this Irish Times article about it. My comments, which I expand on here as an update to my earlier post, where to the effect that:
- The publication of detailed personal data on a publicly accessible register would invite the risk of identity theft in the absence of any appropriate controls over the access to that data.
Examples of public registers where controls are in place are the Electoral Register (search one name and address at a time), and the Companies Registration Office (find out the home addresses of Directors if you pay a small admin fee), or the list of Revenue Tax defaulters (publication only over a threshold, summary personal data published).
Public does not mean Open. Public means that it should be able to be accessed, subject to appropriate controls. The requirement to name people who are in an insolvency arrangement needs to be balanced against their right to personal data privacy and the risk of identity theft or fraud through the use of published personal data.
The mockup Register entries presented on the ISI website may do the organisation a disservice with the level of data they suggest would be included and I await the publication of further revisions and the implementation of a control mechanism to introduce balance between the requirement to publish a Register and the need to protect personal data privacy. But of course, Section 133 of the Personal Insolvency Act is silent as to what the actual content of the published Registers should be (at least as far as I can see). So there is scope for some haggling over the content of what the final Registers will be.
A key question to be considered here is what is the purpose of the Registers and what is the minimum data that would be adequate and relevant to be provided on a Register to meet that purpose.
Section 133(4) allows for the public to “inspect a Register at all reasonable times" and to take extracts or copies of entries, and even allows for a small fee to be charged (the “reasonable cost of making a copy”). So there is scope for some form of access control to be put in place either with a search mechanism like the electoral register and/or the operation of a paywall for the making of copies (e.g. generating a pdf report on headed paper, at €1 a go).
- Section 186 of the Personal Insolvency Act needs to be interpreted and applied with care.
Section 186 of the Personal Insolvency Act purports to suspend the operation of Section 4 of the Data Protection Acts in certain circumstances. This is the section which allows a Data Subject to request a copy of their personal data. This is a basic right under the Acts.
However the Data Protection Acts already contain provisions which allow for the suspension of Section 4 in Section 5 of the Data Protection Acts. Specifically Section 5(1)(d) allows for an exclusion for data which is being processed in the performance of a statutory function intended
…to protect members of the public against financial loss occasioned by
i) dishonesty, incompetence, or malpractice on the part of persons concerned in the provision of banking, insurance, investment or other financial services or in the management of companies or similar organisations
ii) the conduct of persons who have at any time been adjudicated bankrupt
in any case where the application of that section would be likely to prejudice the proper performance of any of those functions.
The operation of the Insolvency Service of Ireland would appear to fall under this section. But rather than a blanket exclusion, Section 5 has a more nuanced approach – you can’t have your data if it will prejudice the proper performance of the ISI’s role. Of course, 5(1)(d) only kicks in if there has been dishonesty, incompetence, or malpractice on the part of a bank that has resulted in a financial loss or risk of financial loss to the Data Subject.
Section 5 gives a number of other grounds for exclusion from the operation of Section 4. Among them are:
- If disclosing the data is contrary to the interests of protection the international relations of the State (which would raise an eyebrow I’m sure if cited in an insolvency situation).
- If legal privilege attaches to the records in the case of communications between clients and legal advisers.
If the restriction is on disclosure of personal data during the course of an investigation then this would likely be covered under Section 5(1)(a ) and there is legislative precedent in the Property Services (Regulation) Act 2011 to extend that to an investigation undertaken by the PRA under that Act.
An explanation and clarification?
The ISI has similar powers of investigation and prosecution of offences (section 180 and Chapter 5 of the Personal Insolvency Act 2012). Therefore the exemption from disclosure under Section 5(1)(a ) would apply. A “belt and braces” inclusion of an exemption from section 4 of the DPA for the investigation of offences would be consistent with the Acts.
However this would only be the case for the investigation of an offence. The processing of a general complaint would not fall within the scope of an offence under the Insolvency Act or other legislation.
Therefore a blanket opt out would not exist. If an offence is suspected Section 186 reinforces the existing provisions of the Data Protection Acts. But general complaints to the Complaints committee would (based on my reading) not, unless the complaint wound up in an offence being detected. Of course a Data Subject would only be entitled to their own data.
- Excessive Retention of Data on Public Registers is a concern.
This, of course, is another biggie from a Data Protection point of view.How long does this data need to be held for? In the UK similar schemes have the personal data removed from the public register 3 months after the debtor exits the scheme. Here…
Section 170 of the Personal Insolvency Act indicates that Personal Insolvency Practitioners will need to retain data for 6 years after the “completion of the activity to which the record relates”. This is consistent with the statute of limitations on a debt and makes sense – it would allow people who avail of an Arrangement to get access to information about their arrangement if required. However it is not the same as the Public Registers.
Section 133 sets out the provisions relating to the Registers of Insolvency Arrangements. It says nothing about the length of time a person’s data will be listed on a Register. Given the purpose is to maintain a searchable register of people who are in Insolvency Arrangements, the principle of not retaining data for longer than it is required for a stated purpose kicks in.
And, as is all to often the case in Irish legislation, we seem to be left looking to the UK for a benchmark period for retention: Duration of Arrangement plus 3 months… but that may be 3 months longer than required.
- Personal Solvency Practitioners acting as Data Processors, and the implications for security and awareness of obligations under the Data Protection Acts
This is a squeaky wheel issue in many respects. All too often organsiations will outsource functions or engage people to perform functions on their behalf on contract, which would set out the purposes of the processing and the role of the Processor and sanctions for breaching their obligations. The Personal Insolvency Act sets out how Personal Insolvency Practitioners will be appointed, empowers the ISI to set standards re: their level of education and skill, and imposes sanctions for breaches of the standards of conduct of the role.
The function of a PIP is one which could have been undertaken internally within the ISI but it has been decided to outsource it to these PIPs.
Therefore a PIP is likely to be viewed as a Data Processor acting on behalf of the Data Controller (ISI) [for more on this read here]. Therefore they need to be taking (at a minimum) appropriate security measures to prevent unauthorised access to data. The concern I expressed in the article was that it is an unknown quantity what level of understanding of their obligations under the Data Protection Acts a PIP will have and what training (if any) will be provided.
Section 161(c) of the Personal Insolvency Act 2012 provides a mechanism for this to be addressed through the prescribing of the completion of appropriate training from a qualified trainer with a proficiency in Data Protection as one of the training requirements for authorisation as a PIP.
[Disclosure: my company provides an extensive range of Data Protection compliance review and training services]