Below is the text of an email I sent to the Irish Times editor on the 25th of June. The email was received by the Irish Times systems but I have had no response. Hugh Linehan on Twitter engaged but just to refer me to the Editor. Iâ€™ve published the letter here for wider reference. Readers might want to check out posts by Fergal Crehan and myself here and on fergalcrehan.com
[update] I feel that this email raises important questions, particularly in light of the article on lobbyists and astroturfing and the EU Data Protection Regulation in todayâ€™s Financial Times.[/update]
Dear Mr Oâ€™Sullivan
Over the past few days a number of stories have appeared in the Irish Times purporting to highlight important Data Protection issues. In all cases the reporting has been at best incomplete, with no validation of claims made or any attempt to present counterpoints or other relevant facts, and at worst a simple retreading of a press release without any apparent fact checking or questioning of the information being spoonfed to the correspondent.
On the 22nd June the Irish Times ran a story headlined â€œAmbulances unable to use GPS trackingâ€ which drew a connection between alleged Data Protection restrictions and the death of a child. http://www.irishtimes.com/news/ambulances-unable-to-use-gps-tracking-1.1438980. The statement of data protection law contained in this article was incorrect. A number of sections of the Data Protection Acts specifically allow for processing of and disclosure of personal data, particularly where there is a risk to the safety, life, or health of an individual.
A cursory Google search or request for comment to either the Office of the Data Protection Commissioner or a specialist in Data Protection law and practice such as myself could have clarified this. Specifically disclosure of/processing of GPS data would be permitted under Section 8(d) and Section 8(f) of the Data Protection Acts in the case of an emergency services requirement.
As someone with experience in the telecommunications sector and Data Protection issues, there are other more fundamental problems with real-time GPS tracking and, unfortunately, life is not like an episode of CSI where there is perfect information available in perfect real-time with perfect accuracy. This could and should have been reflected in the article. The real barrier to accurate dispatch of ambulances is the failure of successive governments to roll out a post-code system or equivalent address identification system that would allow for more granular and accurate location of addresses. An Postâ€™s Geodirectory (which is the defacto standard for address validation) is designed for postal delivery not ambulance dispatch. Post codes were to be implemented in 2008.
On the 24th June the Irish Times ran a story headlined â€œEU Regulation could restrict genealogical researchâ€ http://www.irishtimes.com/news/eu-regulation-could-restrict-genealogical-research-1.1440075, which reported that the revised EU General Regulation on Data Protection could restrict access to parish records and other genealogical data such as registers of births, marriages, and deaths.
Again â€“ this is utter bunkum. The EU Data Protection Regulation is unlikely to apply to deceased persons (as is the case with the current Irish Data Protection legislation which excludes the deceased, but is not the case in some other EU countries). Furthermore the Right to Be Forgotten has been defined and discussed thus far in a circumspect manner as to exclude Public Registers such as parish records or Registries of Births, Marriages, or Deaths. Yes, Data Protection rules will and do apply to genealogists working with data relating to living people, but only insofar as the data cannot be used for other purposes and other obligations to keep data safe and secure.
While I acknowledge that the EU Data Protection Regulation is as yet not finalised I would submit that that makes it even more important that responsible reporting on the actual or potential future trends in EU Data Protection law and the rights of citizens should be balanced and facts and assertions checked and validated.
Today (25th June) the Irish Times business section ran a story heralding that the ASAI would be introducing rules requiring organisations using online advertising behaviour tracking to provide notice of this from September. http://www.irishtimes.com/business/sectors/media-and-marketing/firms-to-give-notice-if-collecting-online-data-for-ads-1.1440129 This appears at first glance to be a good news story about self-regulation in the Internet Advertising industry, with the Interactive Advertising Bureau holding a consumer awareness campaign from today.
Again â€“ a simple fact check on this story would have highlighted the existence of this legislation and raised questions about why the ASAI is suddenly taking an interest in cookies. It would, of course, have highlighted that the Irish Times was one of a number of organisations contacted by the Data Protection Commissioner last year with regard to compliance with SI336 http://www.dataprotection.ie/viewdoc.asp?m=&fn=/documents/press/listwwebsites.htm
So is the real story here not why the ASAI, with limited enforcement powers, feels it is important to step in to the policy and enforcement role of the Office of the Data Protection Commissioner, rather than simply ensuring its members comply with what is required under a law that is 2 years old? Is the DPC grinding to a halt? Is the Advertising Industry attempting to put lipstick on the pig that is self-regulation? Why is the ASAI seeking to confuse people about who to complain to about breaches of Cookies Regulations (them or the DPC or both)? Why?
There is a worrying pattern in these stories. The first two decry the Data Protection legislation (current and future) as being dangerous to children and damaging to the genealogy trade (a Fr Ted-like â€œDown with this sort of thingâ€ positioning). The third sets up an industry â€œself-regulationâ€ straw man and heralds it as progress (when it is decidedly not, serving only to further confuse consumers about their rights).
If I was a cynical person I would find it hard not to draw the conclusion that the Irish Times, the â€œpaper of recordâ€ has been stooged by organisations who are resistant to the defence of and validation of fundamental rights to privacy as enshrined in the Data Protection Acts and EU Treaties, and in the embryonic Data Protection Regulation. That these stories emerge hot on the heels of the pendulum swing towards privacy concerns that the NSA/Prism revelations have triggered is, I must assume, a co-incidence. It cannot be the case that the Irish Times blindly publishes press releases without conducting cursory fact checking on the stories contained therein?
Three stories over three days is insufficient data to plot a definitive trend, but the emphasis is disconcerting. Is it the Irish Timesâ€™ editorial position that Data Protection legislation and the protection of fundamental rights is a bad thing and that industry self-regulation that operates in ignorance of legislation is the appropriate model for the future? It surely cannot be that press releases are regurgitated as balanced fact and news by the Irish Times without fact checking and verification? If I was to predict a â€œData Protection killed my Puppyâ€ type headline for tomorrowâ€™s edition or another later this week would I be proved correct?
Attached is an updated copy of an op-ed piece on Data Protection reform I submitted in collaboration with Fergal Crehan BL earlier this month (06/06/2013). It remains unpublished. If it helps, Iâ€™ll dress it up as a Press release and send it to the news desk instead.
Daragh O Brien