My email to Irish Times Editor, sent 25th June

Below is the text of an email I sent to the Irish Times editor on the 25th of June. The email was received by the Irish Times systems but I have had no response. Hugh Linehan on Twitter engaged but just to refer me to the Editor. I’ve published the letter here for wider reference. Readers might want to check out posts by Fergal Crehan and myself here and on fergalcrehan.com

[update] I feel that this email raises important questions, particularly in light of the article on lobbyists and astroturfing and the EU Data Protection Regulation in today’s Financial Times.[/update]

Dear Mr O’Sullivan

Over the past few days a number of stories have appeared in the Irish Times purporting to highlight important Data Protection issues. In all cases the reporting has been at best incomplete, with no validation of claims made or any attempt to present counterpoints or other relevant facts, and at worst a simple retreading of a press release without any apparent fact checking or questioning of the information being spoonfed to the correspondent.

On the 22nd June the Irish Times ran a story headlined “Ambulances unable to use GPS tracking” which drew a connection between alleged Data Protection restrictions and the death of a child. http://www.irishtimes.com/news/ambulances-unable-to-use-gps-tracking-1.1438980. The statement of data protection law contained in this article was incorrect. A number of sections of the Data Protection Acts specifically allow for processing of and disclosure of personal data, particularly where there is a risk to the safety, life, or health of an individual.

A cursory Google search or request for comment to either the Office of the Data Protection Commissioner or a specialist in Data Protection law and practice such as myself could have clarified this. Specifically disclosure of/processing of GPS data would be permitted under Section 8(d) and Section 8(f) of the Data Protection Acts in the case of an emergency services requirement.

As someone with experience in the telecommunications sector and Data Protection issues, there are other more fundamental problems with real-time GPS tracking and, unfortunately, life is not like an episode of CSI where there is perfect information available in perfect real-time with perfect accuracy. This could and should have been reflected in the article. The real barrier to accurate dispatch of ambulances is the failure of successive governments to roll out a post-code system or equivalent address identification system that would allow for more granular and accurate location of addresses. An Post’s Geodirectory (which is the defacto standard for address validation) is designed for postal delivery not ambulance dispatch. Post codes were to be implemented in 2008.

On the 24th June the Irish Times ran a story headlined “EU Regulation could restrict genealogical research” http://www.irishtimes.com/news/eu-regulation-could-restrict-genealogical-research-1.1440075, which reported that the revised EU General Regulation on Data Protection could restrict access to parish records and other genealogical data such as registers of births, marriages, and deaths.

Again – this is utter bunkum. The EU Data Protection Regulation is unlikely to apply to deceased persons (as is the case with the current Irish Data Protection legislation which excludes the deceased, but is not the case in some other EU countries). Furthermore the Right to Be Forgotten has been defined and discussed thus far in a circumspect manner as to exclude Public Registers such as parish records or Registries of Births, Marriages, or Deaths. Yes, Data Protection rules will and do apply to genealogists working with data relating to living people, but only insofar as the data cannot be used for other purposes and other obligations to keep data safe and secure.

While I acknowledge that the EU Data Protection Regulation is as yet not finalised I would submit that that makes it even more important that responsible reporting on the actual or potential future trends in EU Data Protection law and the rights of citizens should be balanced and facts and assertions checked and validated.

Today (25th June) the Irish Times business section ran a story heralding that the ASAI would be introducing rules requiring organisations using online advertising behaviour tracking to provide notice of this from September. http://www.irishtimes.com/business/sectors/media-and-marketing/firms-to-give-notice-if-collecting-online-data-for-ads-1.1440129 This appears at first glance to be a good news story about self-regulation in the Internet Advertising industry, with the Interactive Advertising Bureau holding a consumer awareness campaign from today.

However the ASAI’s rules merely reflect what the law of the land ACTUALLY IS AS OF JULY 2011. Under SI336 organisations making use of cookies or similar on-line tracking are required to disclose this fact and secure explicit consent, particularly where that tracking will take place across multiple websites. Unlike the ASAI’s non-statutory enforcement powers, SI336 is enforced by the Data Protection Commissioner’s Office with breaches warranting penalties of up to €5000 on summary conviction or €250,000 on indictment.

Again – a simple fact check on this story would have highlighted the existence of this legislation and raised questions about why the ASAI is suddenly taking an interest in cookies. It would, of course, have highlighted that the Irish Times was one of a number of organisations contacted by the Data Protection Commissioner last year with regard to compliance with SI336 http://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/press/listwwebsites.htm

So is the real story here not why the ASAI, with limited enforcement powers, feels it is important to step in to the policy and enforcement role of the Office of the Data Protection Commissioner, rather than simply ensuring its members comply with what is required under a law that is 2 years old? Is the DPC grinding to a halt? Is the Advertising Industry attempting to put lipstick on the pig that is self-regulation? Why is the ASAI seeking to confuse people about who to complain to about breaches of Cookies Regulations (them or the DPC or both)? Why?

There is a worrying pattern in these stories. The first two decry the Data Protection legislation (current and future) as being dangerous to children and damaging to the genealogy trade (a Fr Ted-like “Down with this sort of thing” positioning). The third sets up an industry “self-regulation” straw man and heralds it as progress (when it is decidedly not, serving only to further confuse consumers about their rights).

If I was a cynical person I would find it hard not to draw the conclusion that the Irish Times, the “paper of record” has been stooged by organisations who are resistant to the defence of and validation of fundamental rights to privacy as enshrined in the Data Protection Acts and EU Treaties, and in the embryonic Data Protection Regulation. That these stories emerge hot on the heels of the pendulum swing towards privacy concerns that the NSA/Prism revelations have triggered is, I must assume, a co-incidence. It cannot be the case that the Irish Times blindly publishes press releases without conducting cursory fact checking on the stories contained therein?

Three stories over three days is insufficient data to plot a definitive trend, but the emphasis is disconcerting. Is it the Irish Times’ editorial position that Data Protection legislation and the protection of fundamental rights is a bad thing and that industry self-regulation that operates in ignorance of legislation is the appropriate model for the future? It surely cannot be that press releases are regurgitated as balanced fact and news by the Irish Times without fact checking and verification? If I was to predict a “Data Protection killed my Puppy” type headline for tomorrow’s edition or another later this week would I be proved correct?

Attached is an updated copy of an op-ed piece on Data Protection reform I submitted in collaboration with Fergal Crehan BL earlier this month (06/06/2013). It remains unpublished. If it helps, I’ll dress it up as a Press release and send it to the news desk instead.

Yours

Daragh O Brien

Posted in Data Protection, Ethics & Law of Information and tagged , .