TV Licence checks and “Data Protection Principles” [updated]

This morning’s Irish Times reports this morning that the (current) Irish Communications Minister  is seeking cabinet approval for powers to enable the agency that collects TV Licences (currently An Post, the Irish post office) to access subscriber koi data from subscription TV providers such as Sky or UPC to crack down on TV licence evasion. We are assured by the Minister that the whole thing will be done “ in accordance with strict data protection guidelines”. Ignoring for a moment that “Data Protection” is not a guideline but is a fundamental right of EU citizens enshrined in law and derived from both the TFEU and the European Charter on Fundamental Rights and implemented in Irish law as a result of an EU Directive (ergo… not a guideline but kind of a big thing to keep an eye on), what might those guidelines be?

[Update] TheJournal.ie are reporting that this proposal has passed the Cabinet. The mechanism that is to be applied is reported as being:

“An Post will be allowed access the subscription data held by the likes of UPC and Sky to cross-reference their subscriber databases with its own data on TV licence fee payers”

I address the implications of this below in an update paragraph inserted in the original text. [/update]

Guidelines

In general Data Protection terms, once there is a statutory basis for processing (and access to data is processing) then the processing is lawful. What appears to be being proposed here is legislation that will allow subscriber data of one group of companies to be accessed by another company for the purposes of checking if someone is getting moving pictures on a telly box or similar device. So that’s the box ticked and we can move on, right? Oh, so long as we have protocols around the how, when, and why of access to the data right (because they are always followed)? And of course, the legislation will prevent scope creep in terms of  the use of the data and the potential sources of data that might be accessed using the legislation (e.g. telecommunications service providers who might have broadband going into a home or onto a device). Well, since April (and thanks to the great work of Digital Rights Ireland) we actually have some guidance from the Court of Justice of the European Union.

This is guidance that Minister Rabbitte’s department should be distinctly aware of as it affected legislation that they are responsible for, the Communications Data Retention Directive (from which the Irish Communications Data Retention Act got its authority). In that case, the ECJ was very clear: any processing of personal data needs to be a proportionate for the outcome required. In the Digital Rights Ireland case, the ECJ felt that requiring the retention of call traffic and internet usage data on the off chance it might be useful to authorities to counter terrorism was a disproportionate response. Access to specific data would not be disproportionate, but wholesale data slurping was a breach of fundamental rights to data privacy as enshrined in the EU Charter of Fundamental Rights. This reasoning was followed by Hogan J in the recent case of Schrems vs The Data Protection Commissioner in the High Court where Hogan deftly summarises the constitutional, statutory, and EU Treaty bases for Data Privacy rights in Ireland and the EU.

The upshot is that, regardless of the existence of a statutory authority to do a particular piece of processing, the processing itself must be a proportionate invasion of an individual’s right to Personal Data Privacy and their right to Privacy – two distinctly separate rights now under EU law. So, what would be a proportionate response in this context? How big is the problem?

The Proportionality Conundrum

According to the Minister, 16% of households don’t pay for a TV licence. According to ComReg 73% of households receive TV services via a subscription service. So 27% of people don’t pay for a TV service subscription and 16% don’t have a TV license, so there are more people who don’t have a paid TV subscription then don’t have a TV license? It is not outside the bounds of possibility that the ENTIRETY of the 16% that the Minister seeks to pursue are contained in the 27% that Sky and UPC would also love to separate from their subscriptions. Perhaps these people don’t have a television at all?

Even assuming that the two groups are unrelated, the question of whether allowing An Post access to the subscriber lists of UPC and Sky is a proportionate response. It’s not. If it is not a proportionate response for serious offences under the now defunct Data Retention Directive to allow law enforcement blanket access to telecommunications call history and internet usage data, it is probably not proportionate for a private company to have access to the subscriber lists of potential competitors (who knows what An Post might want to pivot into, given they are in the telecommunications business ) for the purposes of detecting where people don’t have a TV license.

[Update] Based on a report on TheJournal.ie, it appears that what is proposed is an en masse cross checking of data between An Post’s TV License database and the databases of Sky and UPC.  This is borders, in effect, on a form of mass surveillance. It is, in my opinion, that this would be unlikely to be seen as a proportionate response to the problem. This is particularly the case where alternatives to the bulk access to data can achieve the same overall objective without the need for the data to be processed in this way. [/update]

What would be proportionate would be for An Post to be able to make a request, on a case by case basis, for confirmation if a property which does not have a TV license is in receipt of a subscription TV service, once there was a detection that there was someone resident at the address or a business operating at the address which had a receiving device (i.e. a TV). Sky or UPC would simply need to respond with a “Yes they have service” or “No they do not” with no other data being accessed.

A wrinkle though…

One wrinkle is that Sky and UPC are not just TV service companies. They are telecommunications service providers as well. They provide home phone and broadband services. So the scope of the potential legislation is to allow a telecommunications company (An Post) access to the subscriber data of other telecommunications companies. This raises significant issues from a Data Protection perspective under SI336 ,where telecommunications providers have very serious security obligations to their subscribers around notifying of potential security issues on their network and also notifying subscribers and the Data Protection Commissioner where there has been a breach of data security.

It also raises the spectre of other telecommunications companies being required to provide the same data, depending on how the legislation is drafted.

Almost inevitably, the telecommunications providers would be asked to provide data to An Post about users who were accessing particular types of services or IP addresses (e.g. RTE online services or TV3 Player, or Netflix, or similar). This is EXACTLY the type of data that the ECJ has ruled on in the Digital Rights Ireland case. Proportionality raises its head again, along with the need to avoid information security breaches on the part of the telecommunications companies being asked to provide access to their data.

The Upshot

At this remove I can identify a few mechanisms that would be a proportionate interference in personal data privacy rights, and would minimise the risks of unauthorised access to or disclosure of subscriber data by a telecommunications service provider.

  1. An Post would need to make their requests as part of an investigation of a specific instance of an offence with a view to prosecution. Each request would need to relate to the investigation of a specific offence (“Mr X, at address Y, has no TV license but has a receiving apparatus he claims is not connected to any service, please verify he is not a subscriber”). The subscription TV service providers or Telecommunications service providers would simply respond back with a “Yes” or “No” to the specific question. But that answer may not confirm if they use their broadband to access streamed broadcast services. It is very easy to mask internet usage by using VPN tunnelling services, so the net may not catch all the fishes the Minister is trawling for.
  2. Another option would be to simply add the cost of the TV license to the subscription fee for Sky or UPC television services and, potentially, to the cost of broadband services in the State.  This would require zero sharing of data and a single annual transaction between the service providers and the State. It would also avoid entirely the risk of unauthorised access to or disclosure of subscriber data as a result of An Post (or any other entity) having access to subscriber data.

(Of course, just because you have a broadband connection doesn’t mean you are watching TV programmes on your device. I have a good friend who has a very large computer monitor and watches DVDs streamed from a laptop. They have broadband. For email, internet access, and work stuff. Their TV and movie viewing is entirely DVD boxed set driven.  A mechanism would be required for people in that category to opt-out, unless this is a flat-rate tax on telecommunications services flying under a false flag. That is a matter for a different blog post.)

What ever approach is ultimately taken it will need to constitute an invasion of data privacy that is proportionate to the problem that presents itself. THAT is the Data Protection requirement that must be met. It is not a guideline. It is the law, and it is a matter of fundamental rights.

For the Minister to view Data Protection as a “guideline” further evidences the horridly discordant tone at the top in the Irish State about Data Protection (which I’ve written about here and here and here and here).

Posted in Data Protection.