This is a topic I’ve looked at myself in the past in some detail when I was volunteering with a similar organisation doing similar things. About five years ago I mapped out the considerations and what needed to be done to ensure certainty (this was in the wake of Schrems I and long before Schrems II).
Working out what had to be done meant thinking some previously unthinkable things. It encountered huge resistance in the organisation. Ultimately, despite getting some early wins (data localised to EU, role based access on database that would allow access to personal data to be restricted by geographic region if required, EU-based processors engaged for development work and application support, and other stuff), we didn’t get fully to a point where I was happy that the compliance risk was fully mitigated. The internal resistance became to much to overcome as the objective that was being pursued became conflated with other internal politics in the organisation. For example, setting up an “Operations Entity” in the EU to manage all the back-end data processing activities was something that didn’t happen, because it required significant changes to the bylaws and governance structures of the organisation.
So, I can understand why organisation might struggle with these things if they are constrained in their resources. It does mean having to think long and hard about your information architecture and processes. And it can effectively amount to a a perceived shift in the organisation’s internal power dynamic if suddenly “head office” has become a figure-head function and the real work is being done elsewhere. It does mean having to consider the impact and implications for your brand if your compliance is called into question.
There is another strategy that I might pursue now if I had the time over again. But I don’t, and frankly I don’t think I’d put myself in that thankless (unpaid) position again.
But I do think this is something that global membership organisations need to start thinking about. I just seem to have been thinking about it a bit longer than others. The problems raised by the IAPP in their webinar and that I have raised in my complaint are not new. We just need to get around to solving them. And that means thinking outside the box and rising above any internal “toy-town” politics that might exist in an organisation.
As I write this I am listening to an IAPP webinar on LinkedIn Live discussing Article 49 derogations for data transfers outside the EU.
There is some consternation in the discussion about the narrow interpretations that are applied in relation the derogations under Article 49. It’s great to see the IAPP discussing the limitations of these derogations. A few key points jumped out at me…
Ruth Boardman was very clear that the “compelling legitimate interest” basis could not be relied upon for repetitive transfers and was really something you looked to if nothing else could be identified. “This is likely to be fairly limited”.
Consent as a basis for transfer was generally viewed as a challenge as it pushed the issue onto the data subject, and it also raised issues of the elements of consent having to be met. In addition, Recital 111 of GDPR was identified as a challenge given it requires transfers to be “occasional and necessary” for both consent based transfers and transfers on the basis of contractual necessity.
For “direct collection” of information by organisations based outside the EU/EEA (the example given on the webinar was a podcast subscription service), the point was made (by Omer) that this wouldn’t necessarily be a transfer as the Controller is targetting data subjects in the EU for products and services directly and is collecting the data directly and must comply with GDPR, but the situation is very unclear. However, Ruth Boardman pointed out that, even if the direct collection argument stacks up, this just defers the problem as the organisation then has to deal with any transfers of data to 3rd party hosting, payment processors, contract administrative staff etc. Personally… I still think this raises a challenge for organisational and technical controls to ensure compliance with GDPR under Article 5(2) and Article 24 where the 3rd country doesn’t offer essentially equivalent protections for personal data as per the line of jurisprudence in the Schrems cases.
Omer Tene discussed the how the question of ‘direct collection’ has rattled around the EDBP agenda for a while now, and notwithstanding the view of the EU Commission that this wouldn’t be a transfer outside the EU/EEA, the important decision rested with the Supervisory Authorities. Also, Recital 114 can’t be ignored: there remains a requirement for a controller to make use of solutions that provide data subjects with enforceable and effective rights regarding the processing of their data once it has been transferred.
A Key Takeaway
The key takeaway is that the question of derogations is both straightforward (they are limited scope exceptions to the norm) and complicated (those exceptions have to be interpreted narrowly, because they are exceptions). Much of the coverage on the IAPP website of derogations makes this very point, particularly in the wake of DPC v Facebook & Schrems. Even the reported remarks of AG von Danwitz, the rapporteur on the Schrems II case at the CJEU, that indicate Article 49 derogations might be an option worth considering are not entirely without caveat (particularly as he didn’t want to prejudge any cases that might arise on this topic).
An Action
As this is a key issue that requires clarification from the EDPB, and as it seems that something needs to be done to move the discussion from an abstract agenda item at the EDPB to a more tangible decision making process that has a consistency and co-operation mechanism where each Supervisory Authority can submit their reasoned opinions on interpretation.
Therefore, back in January I filed a complaint with the Irish Data Protection Commission about transfers of data to a 3rd country (the US) by an organisation that has its headquarters in the United States but operates an EMEA headquarters in Brussels and has market presence in many of the EU member states. I am a customer of this organisation. They rely on consent, contractual necessity, or compelling legitimate interests (all of which were discussed on the IAPP’s webinar and all of which have ‘issues’ that need to be addressed).
Interestingly, this organisation (at the time I submitted the complaint) was referencing Article 41 and Article 44 of GDPR as the basis for their transfers. This has now been amended to correctly identify Article 49 GDPR as the basis for transfer. But… AT THE TIME OF MY compliant they had it arse ways. So it’s a good job I saved the version of the data protection notice for posterity to the Internet Archive and included a screenshot in my complaint.
I thought this provided a good live case to test a number of the issues which might be relevant in this context, including questions of establishment, the appropriate lead supervisory authority when the organisation has a nominated establishment in an EU member state but has a point of presence in others, as well as providing a real scenario to test the specific guidance of the EDPB on the interpretation of and application of the Article 49 derogations.
My complaint specifically addresses many of the points that the IAPP raised on the webinar today, for which no easy answers were put forward. That means we need a DECISION!!
My complaint is attached below for anyone to read.
But well done to the organisation in question for taking the time in the last two and a half months to correct the reference to Article 44 in respect of derogations relied upon and correctly referencing Article 49. It’s a pity that they continue to reference Article 41 GDPR in the context of adequacy. Article 41 GDPR deals with Monitoring bodies for Codes of Conduct. I assume they meant Article 45.
Oh… and the organisation I complained about is the IAPP.
I’m sure they’ll agree that anything that moves this to a formal decision within a framework where each Supervisory Authority can make formal reasoned submissions to achieve a consensus on enforcement is important.
We are living in strange times. And I’m not just talking about Covid, forest fires, or the potential discovtaery of signs of alien life on Venus. No, I’m talking about the bizarro-world scenario of Max “Europe vs Facebook” Schrems joining common cause with (checks notes) Facebook against the Irish Data Protection Commission over (checks notes again) their decision to take an enforcement action against Facebook.
As I see it there are a few things going on that don’t seem to make sense.
(This blog post is my own personal opinion and does not necessarily reflect the postion of Castlebridge).
Hurry up, Go Slow!
Back in July Noby.eu announced that they had been granted leave to have a judicial review of the Data Protection Commission’s processes because Max believes the DPC is taking too long to reach decisions in cases he has filed complaints in. The only remedy he could be seeking here is for the DPC to speed things up.
A few days later, the CJEU issued its ruling in Data Protection Commissioner vs Facebook and Schrems. That case answered a range of procedural questions that the DPC had had referred to the CJEU from the Commercial Division of the Irish High Court (I’ve commented before elsewhere about how I think that that particular route to the CJEU was a bizarre choice, but I digress…). If you want to find out more about the questions raised, I wrote about them here last July.
A few weeks after that, the Data Protection Commission wrote to Facebook to advise them that an investigation had been opened on the DPC’s own volition under GDPR into Facebook’s use of Standard Contracual Clauses. Prior to this becoming public knowledge Max appeared at the LIBE Committee of the European Parliament. At this meeting he disclosed having received correspondence from the Data Protection Commission about their intention to carry out an own volition investigation and their preliminary decision. Schrems made a statement to the effect he expected it would take a number of years before the DPC would take any enforcement action.
However, the letter that Max received from the DPC set out their rationale clearly and set out the time period that Facebook were given to respond to the DPC’s preliminary position. That was 21 days. The DPC intention was then to make a draft decision for submission to the EDPB within 21 days for review as part of the consistency and co-operation mechanisms under GDPR.
Wanting to the DPC to slow things down. While at the same time wanting things to speed up.
Max’s argument…
I have some sympathy with Max’s position. His complaint was filed on the 1st December 2015. It has taken a long and winding road. However, the CJEU (as Max points out in his correspondence to the DPC) required that the finalisation of the matter referred to them be completed with all “due diligence”. The DPC has taken a narrow scope on this case, which is cause for criticism. The criticism is triggered by Facebook shifting the goal posts again in correspondence to rely on contractual necessity (one of the Article 49 derogations).
That doesn’t mean haste. And it also doesn’t mean “in the manner that any individual might desire”.
What it means is in the way that is most likely to deliver a robust result.
So, why an own volition investigation?
While Max argues that there is no rational reason for initiating an own volition investigation, I actually think there is if the DPC is trying to ensure that they are applying all due diligence to getting to the end result. The unfortunate fact (as Max keeps reminding us) is that his complaint was initiated pre 25th May 2018. Section 8 of the Data Protection Act 2018 requires the DPC to decide all cases initiated before 25th May 2018 under the old Data Protection Acts 1988 and 2003.
This is a problem. Or at least a potential pitfall.
Apart from the fact that the penalties under the old legislation were piss poor, there is the sorry fact that the DPC is currently facing an appeal and a judicial review by the Department of Employment and Social Protection in respect of an inquiry commenced under the old legislation with the decision issued post May 2018. So, it is probable that, in order to avoid falling into the same shithole on a second high profile case, the DPC took a prudent decision to move quickly on a new GDPR-based investigation focussing on the specific issues that were before the CJEU.
Another reason the DPC might want a ‘clean slate’ on things at this point is that the case, and the associated papers, will need to be brought under Article 60(3) to the EDPB. But the EDPB didn’t exist under the 1988 and 2003 legislation. And there was no consitency and co-operation mechanism. So moving forward with any disclosure of case details to other supervisory authorities under the ‘old rules’ could invite an automatic judicial review of the decision making processes of the DPC by Facebook, resulting in the whole thing being chucked.
But I’m speculating on that one. It’s just the way I’d have juggled this to ensure that the case was dealt with with all due diligence (which is legal speak for “avoiding fuck ups”).
But what would that mean for Max’s original complaint? Well, it’s still live. Which means that a result on this own volition investigation would clear the way for a simpler closure of his original complaint, because it could be dealt with locally but in a manner consistent with a parallel decision under GDPR.
Out of Sight Out of Mind?
The last few days have been good for Max. He is back at the centre of the media circle on this issue. The Data Protection Commission is constrained in commenting on active cases lest they make an arse of it like the ICO has a habit of doing. So it’s easy to make claims like it’ll take years to get a decision out of the DPC on their own case when they are not in a position to challenge it because they have to take the higher ground.
He has accused the DPC of leaking the news of their investigation to the Wall Street Journal. He has launched a Judcial Review of their process (another one), and he has found common cause with Facebook.
But he has made it all about him again. Rather than about the outcome. Which should be a long awaited decisive action against a large corporation with resources enough to keep the DPC in a pit of appeals and Judicial Reviews if the DPC were to act in haste without taking due diligence of the steps they are taking.
It’s a messy situation as the DPC has to navigate a number of mines in this minefield. But the far side would seem to be in sight. After all, the Article 49 contractual necessity argument put forward by Facebook is utter shite and fails at the first hurdle under both GDPR and the 1995 Directive/ DPA1988 & 2003, so it won’t take long to put that one to bed, leaving FB with no other angles (and Max with nothing else to complain about).
I know from personal experience that when you get into an adversarial posture with someone over a long time it can be difficult to step back and appreciate your common ground. You end up renting out space in your head to the ‘avatar’ of your counter-party. But if you don’t step back you might wind up with strange bedfellows.
It is odd that, in this case, the adage of “the enemy of my enemy is my friend” seems to have lead to Max ‘friending’ Facebook.
As the old saying goes in Irish, “déanann boscaí folmha an torann is mó“
So, 81 people attended a Golf Society event in a hotel in Clifden during a time when the country was losing control again on a pandemic, largely through community transmission.
At the time, the public health REGULATIONS (not guidance) were that events like this could permit a maximum of 50 people.
Weddings had been cancelled. Christenings postponed. Family reunions put on the long finger. But this Golf Society held its event regardless. In the time period that the event happened, three counties were put on ‘local lockdown’, embuggering local businesses who were just starting to get back on their feet.
That’s bad. It gets worse.
The Golf Society was the Golf Society of the Oireachtas, the parliament that had recently passed the very regulations that the legislation contravened. It was attended by a Government Minister (who sat at Cabinet and received the briefings from the National Public Health Emergency Team), an EU Commissioner, a former Attorney General (now a Supreme Court Judge) who had been involved in drafting the regulations that this event contravened. We also had a gaggle of Senators, and the CEO of the Irish Banking Federation.
Naturally, when the Irish Examiner broke the story, the people of Ireland were a bit annoyed (bear in mind, we call the Second World War an “Emergency”). Even the childhood favourite of middle-aged (good grief, I am middle aged now) people around Ireland, Bosco, found it necessary to comment on the ludicrousness of the situation.
If Grownups don’t do what they are supposed to do how can they expect everyone else to behave
Bosco, @boscoofficial on Twitter
Today, we awake to:
A Government Minister resigning as a Minister (the second Minister for Agriculture to resign in as many months)
A wave of form letter apologies on social media from other politicians who attended the event.
Mea culpa, mea culpa, mea minima culpa
Every TD and Senator who attended the Golf Society dinner apologizing on Twitter this morning
The apologies are meaningless as they:
Follow a suspiciously similar structure and phrasing
Cite the confusion about the new public health guidance that have come into effect this week, which glosses over the fact that the gathering was illegal under the regulations that existed at the time
Apologise for any offence or upset that was caused.
It is wonderful how humility can be found in the WhatsApp group of a PR handler but a backbone to actually consider the public health regulations and decide to forego attending an event that might breach public health restrictions.
The details of the event are apparently that there was a partition between groups in the venue. This gives us a supremely jesuitical position that there were actually two separate events of 46 and 35 people respectively, well under the 50 person limit. But they shared catering staff, the parties on the other side of the partition were able to take part in the “main event” and were referenced in speeches etc. it is reported. It is an arguable position legally, but a non-starter optically and morally.
It turns out that it was not Alexander Hamilton in the room where it happened, but rather A Large Partition. But Irish political leaders should know from history that introducing a partition into the equation as a workaround for an intractable difficulty just causes more problems.
Bosco called it clearly. If the grownups can’t follow the rules how can they expect the rest of us to. This whole situation is Brazen, Offensive, Stupid, Callous, and Objectionable. It’s gone the Full BOSCO, particularly when elected representatives apologies for the upset they have caused and not for the vainglorious double standard they have applied to respecting restrictions designed to curtail the spread of a serious public health threat.
Of course, the Minister and other grandees were probably in the big room at the big table. Spare a thought for the poor souls on the other side of the partition at the kids’s tables who are today facing the same anger and frustration from colleagues and constituents. If the erection of a partition to sub-divide the attendees at a single event turns out to be a valid defence legally it will mean that they were at the kids’ table, outside the room where it happened. And if this turns out to be a legally valid defence (and someone can surely ask the opinion of the former AG and current Supreme Court judge on that point), then it will be a further kick in the teeth to families who have cancelled weddings, birthdays, christenings, and other events because of restrictions on numbers.
And spare a thought for the front-line healthcare workers who have been battling this pandemic either on the wards or in the labs. This whole event is a kick in the face for them and their families.
We are all in this together. But some of us are more in it than others.
Back at Easter, Wexford County Council announced they were using drones to help police travel restrictions in respect of Covid-19. Cameras mounted on drones constitute a form of mass surveillance over a public area. As such, Article 35 of GDPR requires that a DPIA be undertaken.
Full stop. Failure to do so is a contravention of the legislation. End of story.
With that in mind, I sent an FOI request to Wexford County Council for a copy of their DPIA. I was interested to see how they had laid it out and what lessons local authorities would have learned from the Data Protection Commission’s audit of 31 local authorities in respect of Community CCTV (a not dissimilar technology to drone mounted cameras).
Imagine my surprise (no do… it’s a good exercise because I wasn’t surprised at all) when the response back from Wexford County Council was 10Mb of documentation and a cover note that confirmed that no Data Protection Impact Assessment could be found.
Wexford County Council’s Response
The image opposite is taken from Wexford County Council’s response to my request, which was quite simple. I had just asked for the DPIA and any associated documentation.
The response to the request for the DPIA was odd. My request was refused because the record didn’t exist or couldn’t be found.
Ergo, Wexford County Council had acted in contravention of Article 35 GDPR by failing to undertake a Data Protection Impact Assessment for processing which a DPIA was required.
Complaint to the Data Protection Commission
I submitted the complaint opposite to the DPC on the 4th of June 2020. The complaint was clear that the only subject matter of my complaint was the failure to complete a DPIA. (click on image to enlarge)
I referred to the extensive correspondence that Wexford CoCo had provided to me (130 pages of it), a lot of which was basically attempts to retrospectively determine a justification for the processing. But nowhere was there a DPIA conducted before the processing.
The DPC’s response
The DPC’s investigation engaged in correspondence with the County Council. I’m going to be blunt here. I don’t see why they bothered. The breach that I complained about was not about the processing or any impact on any individual, but rather that a governance requirement under the legislation had not been complied with.
However, the DPC’s letter to me concluding their investigation is a little odd.
1. The Clarifications
The DPC asked a number of clarifying questions. I paraphrase them here.
Were drones used?
If yes, why?
What was the legal basis for the use of the drones?
How was the use of drones compatible with obligations under Data Protection Act 2018
Question 1 makes sense. If the drones weren’t used there was no risk of processing personal data, ergo there was no need to conduct a DPIA. However, I’d argue that the contemplation of using drones would trigger a need for a DPIA to help ensure that the use respected Data Protection by Design / by Default.
The County Council’s response was that drones were used between 10th April and 29th April 2020. So, at some time prior to the 10th of April a DPIA should have been done.
Question 2 clarified the purpose for the use of the drones. Was there any intention to process personal data?
The Council used the recordings to inform them “whether any further increase in population movement was evident between the 10th and 29th of April 2020, by examining vehicle volumes”. So, the purpose was to count vehicles and monitor vehicle movements.
Question 3 examines the legal basis for the use of the drones.
This is where things get a little squirrely for me. The Council advised the DPC that given the public health situation, their function as a local authority, and “the functions permitted under COVID 19 regulations” that their actions were measured, proportionate, and essential”.
So, measured, proportionate, but potentially lacking a legal basis.
Bear in mind, I’ve read the 130 pages of internal correspondence and documentation that Wexford County Council provided me in response to my FOI. It wasn’t clear what legal basis or framework they were relying on at all, even to them.
Question 4 deals with whether the Data Protection Act actually applies. Based on the information that Wexford County Council provided, I’d agree with the DPC’s apparent view that this is outside the scope of the Act as individuals and vehicle identification numbers couldn’t be identified from the footage. The drones were flown at altitude and were not using a sufficiently high resolution camera.
2. The DPIA Question
The DPC’s letter to me tells me that they have slapped Wexford County Council’s wrist and that they have updated their Drone Policy to require a “Data Protection Impact Statement” to be completed before drones are bought or used. The DPC will take these commitments into account in future.
While there has been a remedial action taken, a few things wrinkle with me:
It’s not a “STATEMENT”, it’s an “ASSESSMENT” – if Wexford County Council are adopting a ‘tick box’ approach to this they are doing it very wrong.
There appears to be no sanction of any kind for a failure to do a basic thing from a Data Protection Governance perspective.
The core of my complaint actually hasn’t been addressed. No DPIA was undertaken in contravention of Article 35. This needed to be an explicit stated finding of the DPC in my view. After all, I handed them a signed confession to that bit. As it stands, the engagement by the DPC appears to have been one of retrospectively determining if a breach of other rights and freedoms arose rather than taking the easy win of a definite enforcement action for a clear cut infringement of the legislation.
Yes, Wexford County Council has promised not to be naughty in future and has made changes to their policies and procedures. But a “no harm, no foul” approach here is less than ideal. After all, Local Authorities have been the subject of a special investigation into Community CCTV. Therefore, knowledge and awareness of the requirements on Public Bodies to undertake DPIAs should have been there, particularly for surveillance over public areas.
What next?
I’ve written to the DPC to confirm if they used any of their enforcement powers under Article 58 of GDPR in relation to the specific contravention in respect of the Data Protection Impact Assessment. I’ve also FOI’d Wexford County Council for correspondence between them and the DPC between June and August, and a copy of any DPIA that may have been done for the use of drones for any purposes. I’m interested to understand more of the approach taken by the DPC to this case.
After all, the reticence of the DPC to actually levy a sanction here is a concern. It was an open goal. A simple case, with a complaint that included a signed confession. A formal decision that breach had occurred would have been useful, particularly as senior staff in other local authorities have expressed incredulity to me that a DPIA might be needed for launching a camera-enabled drone.
Hopefully the DPC will issue updated guidance specifically in respect of the application of Data Protection by Design to the use of Drones. After all, it was only an exam question in the Law Society of Ireland’s Certificate in Data Protection Practice four times since 2013 (I know… I set the exam).
It’s been just over a year since I wrote anything on this blog. That’s too long. So I’ll be writing some stuff today and tomorrow about my experiences using FOI to identify where mandatory procedural aspects of Data Protection law are not being followed by public bodies and the response of the Data Protection Commission to these.
Ultimately, good data protection practice starts with good governance and effective enforcement.
First up will be my write up of what happened when I asked Wexford County Council for a copy of their DPIA for the deployment of drones and the outcome of the DPC’s investigation.
These are things I’m doing as a private individual, not as part of my work in Castlebridge, so rather than clutter things up on the Castlebridge blog, I’ve nudged this blog back into life. (I’ll also be doing similar with iqtrainwrecks as the last few months have thrown up some fantastic case studies).
Over the past few days, the Irish Times has carried a larger volume than usual of the “Data Protection Commissioner is evil” letters, giving out about her “nonsensical powers” because the bad lady won’t let them do things they want to do with data about people who are/might be alive.
I don’t always agree with the ODPC (more often than not we have “differences of opinion” on things). But when (against all the odds) they appear to be DOING THEIR JOB, I will defend them. So, I wrote a letter to the Editor. It is probably too long and will get gutted or not published at all. Here it is (with links to the original letters)
Sir –
Over the past few days your letters page has carried unchallenged comments about the Data Protection Commissioner and her “nonsensical powers”.
Robert Frewen states that Electoral register information is available in hard copy through libraries. This is true, but it differs from an on-line and searchable resource in a number of key ways, namely that each search is manual and laborious and the library staff can act as a foil against trawling for data – multiple searches will easily be spotted and librarians are a fearsome breed in my experience. He also states that electoral register information is available on-line. This is incorrect. Electoral registers are available to search online, but only if you have the exact name and address of the individual – so you are searching for information you already have in your possession, not trawling for new facts.
Claire Bradley writes that the DPC’s decision is “small minded” and that “most of the people eligible to vote in the 1940s would be dead by now”. Unfortunately, that means that some of the people eligible to vote in the 1940s (such as my own Grandfather) are still very much alive and continue to enjoy a fundamental right to data privacy. This fundamental right is what the DPC has acted to uphold. Far from being a small minded sectoral interest, the DPC has acted in support of a broadly based fundamental principle.
The DPC has made similar decisions in relation to other genealogy resources, which have been widely reported by the Irish Times, and clear rules of thumb have been established for births, marriages, and deaths. Perhaps rather than bemoaning the application of fundamental human rights rules to personal data, Ms Bradley might contribute more constructively by suggesting a reasonable and proportionate rule of thumb for the publication of electoral registers in an open and searchable format. The DPC, in my experience, welcomes such constructive discussion. Perhaps a benchmark can be found in the release of the 1911 Census Records?
It is important to note that the DPC has not said that any records should be destroyed, just that they cannot be made available for an open and unrestricted search. Yet.
Finally, Cllr Lacey seems to bemoan the DPC’s recommendation to Local Authorities that they respect and comply with Data Protection principles such as ensuring access to data and processing of data is conducted with a specified and lawful purpose. I would suggest that rather than blaming the DPC for the loss of patronage and perceived power that Councillors may have experienced when their participation in housing allocation was curtailed, he instead address his complaint to the Department of the Environment and ensure that a clear and explicit statutory basis in primary legislation is created to clearly set out what data about Council tenants Councillors can have access to, why, and under what controls such access will operate.
The release of Electoral Register data from the 1960s, 1970s and 1980s constitutes the release of personal data of living individuals for a purpose unrelated to the purpose for which it was obtained, and brings with it a risk of identity theft. If Cllr Lacey believes that the release of this data is sufficiently important, he should seek to have every person communicated with to obtain their consent to the release of their data for this new and, at the time, unforeseen purpose.
It is rare in recent times that I find an opportunity to fall full square behind the DPC and the actions of her office. This is one. Their function is imperfect, and in a professional context as Data Protection consultant and trainer, I have more than ample grounds to be critical of their actions at times. But far from being nonsensical, the powers of the DPC are woefully inadequate in many ways for the challenge that they face as one of the leading Data Privacy regulators in the world upholding and protecting a fundamental right. As the Oireachtas prepares the updated Data Protection Act to beef up the DPC in line with the requirements of the General Data Protection Regulation, one hopes that the many weaknesses of the DPC will be addressed to make them more fit for purpose.
“Wha!!! Data Protection laws make things hard!” is a dumb argument. Better for people who have valid interests to assess what the “win-win” outcome would be and strike an appropriate balance.
Damn them all to hell! They finally went and did it! They blew it up!”
That was my immediate reaction to the Brexit news this morning.
A campaign that was polluted by lies and misinformation from the pro-Brexit side, including a bold claim that voting to leave the EU would save £350 Million a year, a claim that was debunked during the campaign but which the Pro-Leave side persisted with on the side of their “battle bus”. A claim that the Pied Piper of Brexit himself, Nigel Farage, has started back pedalling away from within single digit hours (barely minutes) of his side’s victory.
A campaign that cost a wife and mother her life simply because she had an opinion that differed from that of an armed man who had embraced the propaganda of the pro-Brexiters and, rather than risk his vote not being heard, stabbed and shot Jo Cox to death. Yes, we all now know the depth of Shooty McShootface’s political opinion. And two children are without their mother.
A campaign where politicians blatantly lied and spread misinformation, capitalising on decades of anti-EU sentiment from a media controlled by an immigrant who likes being able to push governments around but gets told to fuck off by EU officials.
A campaign where a Minister of the Crown actually said, in response to experts calling bullshit on his arguments, that “People have had enough of experts”.
A campaign where, having won and having chased their people pleasing PR obsessed Prime Minister out of office (bye bye Dave), the heirs apparent to the Government of the United Kingdom stopped and, in the manner of kids who have seen a kid who has eaten all the sweets in the sweet shop and now realise what the words “diabetic” and “coma” mean when an ambulance paramedic is shouting them into a radio, have faltered in their cocksuredness that this Brexit thing is something that’s needed. “No need to rush things” says Boris Johnson. “I’ll have to consult with learned minds” says Gove. Hopefully none of those learned minds are actually experts, because we all know Gove has had enough of them. But if they’re not experts, then is Gove just consulting with the winners of his local Trivial Pursuits club raffle?
Perhaps the arse falling out of the UK (and global) economy as if they had personally shovelled the economic equivalent of senokot and pure dysentery into the bowels of the world financial systems has softened their cough.
Perhaps they didn’t think they’d win so they didn’t have a plan? And now the plan they need will have to be a tad more cunning than one of Mister E. Blackadders. Because the plan they had been following thus far seems to have been concieved by Mr S. Baldrick. But no sensible politician or political leader places the economic futures of millions, the fate of the United Kingdom, and the stability of the global economy in jeopardy without having some semblence of a plan to deal with the fall out when things go their way.
Oh fuck.
But that’s not the bit that gets me angry. Campaigns like this are always fuelled by lies and misinformation from at least one of the sides involved. And a certain class of politician is always going to think of themselves as Machiavelli (instead of Ronald McDonald) and try to use a hiccup to foment a crisis that gets them to the leadership position they want. That’s just the bullshit cut an thrust of politics.
What gets me angry, and makes me very worried, is the Facebook-isation of democracy in two contexts:
The UK Electorate seems to think that voting in a referendum is of no more significance than liking a cat video on facebook.
Social media is full of videos and tweets of people saying that they have changed their mind and want a do over. That’s not how it works. Democracy is important. People die to get the right to vote. So… why not think about things before you put your scrawl in a box. Waking up with “Voters’ regret” doesn’t change the fact that you voted against your own best interests and those of your peers. You can’t fix your dumb vote with a smiley face emoticon and an “Unlike Brexit” vote.
This tells me that the education system (one of the things the Brexiters blamed the EU and immigration for messing up, when it is more likely to be chronic underfunding by successive governments) has failed to teach citizens of the soon-to-be-Disunited Kingdom what voting in elections and referenda is actually all about. It’s not about finding out who gets to stay in the Big Brother House. It’s about finding out if your kids get to have a future and at least the opportunities that you had. (One bright note in this is that the younger generation who grew up with social media bullshit and reality TV actually seem to be able to tell the difference between waffle and reality. It’s just a pity their older siblings, parents, and grandparents seem to have forgotten they were voting in a referendum, not on the outcome of Strictly.
Brexit was a world altering decision. To say you voted to leave “because you didn’t think your vote would count” means you don’t understand voting, or vote counting, or addition, or just generally the concept of accountability for your actions. Crying that you want a do-over so you can vote the right way the next time is not the answer. There may be no next time (except if you are Irish and voting on an EU Referendum in Ireland, in which case we tend to keep asking variations on the question until we get the answer that is needed, like Mrs Doyle in Father Ted only with Treaties instead of Tea).
The Filter Effect of algorithms in Social Media may have had an impact that may be impossible to quantify
Facebook has proven, through its own experiments, that showing people sad news on their timeline makes them sad. But the algorithms that filter and shape our experiences of social media filter our view of the world. It is not beyond the bounds of possibility that people who rely on social media for their news and for their impression of public opinion and trends simply fell into an echo chamber were the messages that bombarded them made them perceive and feel that their vote wouldn’t count.
With the bullshit misinformation and outright lies that circulated during the campaign, the bots and filters would have had a lot to play with in shaping a negative world view. That world view might have made marginal voters (the old reliable undecided voter) to vote Leave because they felt any other choice wouldn’t count.
I am speculating of course. But the algorithms that shape our world have biases inherited from the world views that created them, and they consume the data exhaust we leave for them to form a model of the world as we would like to see it and how the data says we perceive it. This has to have an impact.
Taking these two things together we find ourselves with an electorate who are algorithmically brainwashed but don’t consider their democratic function to be of such importance that they will take time to trust but verify the information they are given. And in that context we have shallow thinking, reflexive voting, and undesirable outcomes. And that is just the politicians.
It is also another day that the Irish Department of Health and Children will spend counting down the hours until they can destroy material evidence of bad things that have happened to women in the State. Material evidence that they obtained through the operation of a Redress Scheme the terms of reference of which require the return of these records to the women who submitted them.
The Dept of Health has made statements to the effect that there is no need to retain the records as the women will be able to get copies again from their hospitals if they need them. But this ignores the defined retention schedule for clinical records relating to maternity care which is 25 years after the date of last pregnancy. It also ignores that there have been mergers and closures of hospitals and there is every chance that the hospital copies of records will not be available.
The Data Protection Commissioner is standing on the side line, apparently unconcerned that the destruction of records proposed is in contravention of the Terms of Reference of the Redress Scheme. She (or more accurately her Office) appears to have adopted the position that compliance with the Data Protection requirement to “retain for no longer than is necessary” automatically requires the destruction of records when the period of their usefulness purpose for has expired. “Allumer les déchiqueteuses” as they say in French.
A cynic would suggest that that is what the Department are counting on, given the renewed attention the United Nations is giving this issue as a question of Human Rights. A cynic might suggest that Digital Rights Ireland might have a point in their case about the independence of the DPC given the Office’s apparent unwillingness to engage with the balancing of rights issues that exist here.
My daughter is at an age where she wants to know what Daddy does for a living. She has decided I’m a “superhero spy guy” because I travel, wear suits, and try to help people but can’t always talk about it. Her child’s mind has not yet discovered Death by PowerPoint or the “clay layer” of change management, but she has started to learn about History. And History is important.
This issue is one where I have put my shoulder to the wheel to try and find a solution. It’s important. The medical records that face destruction in 12 days time represent important history. They are a record of the personal history of women who have already suffered and endured pain and indignity. They are a record of the social history of how the Irish State has treated women and women’s rights.
They are a record of a history we should not forget, even if it is painful for us to remember.
There is a valid historical value in these records being retained where they cannot be returned to the individuals so that their stories can be told in the aggregate. There is a practical value in the records being placed in trust with an independent body who can provide them back to individuals on request, while still supporting historical research. There is a Public Interest in remembering.
Ireland is not the only EU country to have struggled with the challenge of how to handle files from the past that evidence the gap between how we want to remember and what we need to remember. Countries of the former Soviet satellite states in Eastern Europe, including Germany, have retained the files that the Secret Police held on citizens. Individuals can request their own files back. Copies are held for historical research. Access for other purposes is strictly controlled. All of this operates in some of the most conservative Data Protection regimes in Europe. Perhaps Ireland needs to adopt a similar approach to the darker periods of our collective past.
For today’s International Women’s Day I hope my superpower (pedantic analysis of data privacy legislation and fundamental principles) can contribute in some way to ensuring that my daughter grows up in an Ireland that has learned from is painful past and treats its wives, daughters, and mothers with more fundamental respect than her grandmothers’ generation enjoyed.
Treating the records of Survivors of Symphisiotomy with greater respect than the survivors themselves have received would be a start.
Over on the company site I’ve written a piece on Data Retention policies that references the Symphisiotomy redress scheme as a case study in data retention planning (not in a good way). For those who didn’t spot it yesterday and who are glued to the national media that isn’t referencing this huge story, let me summarise:
The State, in the form of the Redress Scheme, has told women who endured symphisotomies that they have until Monday to request their own medical records back or the State will take it on itself to destroy them. This is the same State that some of these women might want to sue, relying on these records as part of their case. The State has told the women and their legal representatives not by way of a letter, but by way of a notice on their website.
Here, on my personal blog, I get to have a small rant from time to time. This is one of those times. Because this sucks donkey balls. It is a further hideous abuse of women who have suffered, largely in silence, for years.
Donkey. Balls.
The terms of reference of the redress scheme (paragraph 46) clearly distinguish between two types of records: medical records provided by the applicants (the women who have endured the fall out of symphisiotomy) and records obtained from other sources by the Redress Scheme itself.
Paragraph 46 sets out that, for the first category of data “reasonable efforts” must be made to return the records. It does not set out a requirement for the destruction of the records. The second category of records it sets out will be destroyed when the Redress Scheme has run its course.
Regardless of source, this is personal and sensitive personal data relating to identifiable individuals. It is subject to the rights and duties outlined in the Data Protection Acts and in the EU Charter of Fundamental Rights. Those rights include the right to data privacy, which encompasses a right to get your data, and a right to dignity.
The Data Protection Acts and the Data Protection Directive require that data not be retained by a data controller any longer than necessary for the purpose for which it was obtained. It does not require that the data be destroyed. The women whose original medical records are in question here may have any number of purposes for them outside the scope of the Redress Scheme. On-going care and treatment of any complications arising from a symphisiotomy, seeking further legal advice, simply reminding their children and grand children of how poorly the State has treated them, historical record…. it doesn’t matter.
However, the State has skin in the game with regard to the destruction of these records. If they are gone, then it becomes impossible for any of these women to exercise their rights in further legal actions because the evidentiary documentation they need will have been destroyed. This may not be the conscious intent but it is the practical reality: the State is effectively destroying evidence when these records are destroyed. While the records may not ultimately carry the day as evidence in a court action, they are still evidence of what I had hoped were historic attitudes to women in this State.
But the haste with which the State is moving to dispose of these records and the clamorous droning of the shredders firing up heralds otherwise.
The Redress Scheme was required to make reasonable efforts to arrange for the return of documents. A message on a website when your target audience are lawyers and elderly women is not reasonable. It smacks of a box being ticked: “Did we put something out there about it? – TICK”. It is not an appropriate mechanism of communication to those audiences. A letter to a lawyer, a snippet on Marian Finucane or other radio or TV for the affected women, a feck off big advert in the news paper… all of these are infinitely more appropriate.
I would compare this to the full court press that was done in the media to raise awareness of the closing date for women to apply and provide their records to the Redress Scheme. A cynic might think that this was a cunning strategy to get the evidence in from the affected women and then arrange for its destruction before it could be used in litigation. But that would be awfully cynical.
But this is the pattern that the permanent Government (the Civil Service) seems to fall into in matters like this: Protect the State at all costs.
Compare the approach to the retention of data about primary school children to this Redress Scheme: The Dept of Education has argued trenchantly that a) data relating to medical or psychological assessments is not sensitive personal data (it is) and b) that they need to hold the data indefinitely (expressed as “until the child reaches their 30th birthday and then review”).
Why would the Dept of Education want to know all the sensitive data about kids for many years after they would have left the school system? They have not provided a coherent answer to this, despite the Grecian work of Simon McGarr (note: Trojans partied and were massacred, the greeks stayed up late and built a horse). The DPC has been left spinning as they apparently had approved of all of this and have been fought to the wire by Simon to ensure they enforce the actual law.
The answer to why is the O’Keefe case, which put the Department on the hook for child abuse in schools. So – get all the data on all the kiddies and hold it for ever in case any of them sue because of a thing so it can be used in defence of an action.
Keep it all for ever in case someone sues. In breach of Data Protection rules which require retention to be “necessary and proportionate”.
With this Redress Scheme the opposite seems to be happening: Shred focking everything in case we might be sued. Let’s ignore that shredding this data is not within the terms of reference of the Scheme. Let’s ignore that no reasonable effort has been made to arrange the return of records. Let’s create a situation where a room full of records can be whipped in to the shredder so that if any of them were thinking of suing the State they won’t be able to.
And in the middle of this we have the Data Protection Commissioner, whose office has told survivors that they are “looking into the matter”. Not that they will use their powers under the Data Protection Acts to order the proposed act of processing (i.e. the destruction) to be suspended pending a review given the tight timescale, but that they are looking at it.
This is the same Data Protection Commissioner that the Department of Education believed had pre-approved the POD database. The same Data Protection Commissioner that has approved the publication of the name and home address of every naturalised citizen in the State without a clear purpose other than ‘the Aliens Act 1956 requires it’. The same Data Protection Commissioner that the Department of Enterprise explicitly references as an agent of State policy in strategy documents.
If it walks like a duck and quacks like a duck it is probably a duck. If it pulls the plug on the destruction of medical records provided to the State by women seeking redress for suffering, it might actually be a Regulator.
They have until Monday to act to vindicate and uphold the rights of women whose rights have already been trampled enough.
