The DOBlog

Category: Data Protection

data protection

  • Irish Water and the DPC’s letter and what it means

    [This is a repost of a post I wrote o the 24th of September. Some people said they had difficulty accessing it so I am reposting it. I’ve updated it with links to other relevant posts that I’ve made since then. They are included in-line]

    This evening [24th Sept] the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

    Dear Deputy Shortall,

    I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

    Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

    [This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

    One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

    The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

    If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

    Update: As Irish Water is subject to the Data Protection Acts, the apparent absence of an operational “movers/leavers” policy for people changing address is a problem. I explain why here. The summary being that one of the obligations under the DPA is to keep data accurate and up-to-date, in the context of the purposes for which it is being processed.]

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    [This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

    The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

    Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

    I suspect Irish Water may get a mention but not for the right reasons.

    Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

    Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

    update: Today, on foot of an Irish Times article, I wrote this post which points out that Irish Water are citing a purpose for retaining PPSNs that give a retention period of at least 6 years. And it is not a purpose that is related to the validation of entitlements to allowances.]

    The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

    [Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

    The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out. 

    Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

    Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

    Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

    Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identify where possible what type of data and for what purpose a transfer would occur.

    [This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

    I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

    Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

    The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

    Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

    I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

    Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

    The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

    I suspect this particular well has not yet run dry.

  • Roll Up, Roll Up – see the amazing psychic dog! (minor update)

    Roll up Roll Up, meet the new DPC!
    Roll up Roll Up, meet the new DPC! (says Irish Times)

    Every so often I read things in the newspaper that make me go “Yay!”. More frequently I read things that make me go “Boo!”. Today, as with other days, I read something that made me go “WHAT THE F….?!?!”.

    Over the past few weeks the Irish Times has done a bang up job breaking some excellent stories about Data Protection issues in Ireland. Karlin Lillington, Elaine Edwards, and others have sought to “Tell the Story of Why” and push past the usual soundbites and bullshit gloss that usually passes for data-related journalism in Ireland.

    One great example of this was the work done on a story about how the Dept of Arts Heritage and the Gaeltacht had erred in exposing data on living people (whose data privacy rights are protected under the Data Protection Acts and the Treaty for the Formation of the European Union, as well as the Irish Constitution – and if you want a potted guide to all of that Gerard Hogan gives a great summary here) on the IrishGenealogy.ie website. This was despite having had consultation with the Office of the Data Protection Commissioner and having had guidance on what was and was not acceptable from a Data Protection perspective.

    The various pieces written by Elaine Edwards were detailed, explained the core of the issues well, and generally added to the quality of discourse.

    On the 23rd of July, in their Online edition, the Irish Times ran this piece of utter nonsense dressed up as journalism. It’s such a poorly researched and written piece that I can understand why the author felt it best to leave their name off the byline [update- unfair to author, it was a leader piece, but if so my comments below are even more relevant – /update].

    It is true that the DPC raised issue regarding a property price register. The issue was that the sharing of data between different entities that would be required to create such a register, while of interest to the public, lacked a legislative basis and therefore risked breaching the Data Protection Acts. Legislation was passed two years ago that provided the “air cover” for the sharing of data to build a property register and lo and behold there is a property price register in place now, linked to the LPT process.

    Comparisons between Irish law and UK law are often as valid as comparing an apple and orange, and complaining about the bitterness of the orange skin as you try to bite into it, on the basis that they are both fruit.

    But the doozy in this article for me is the challenge to the DPC as to why they didn’t spot that the Dept of Arts Heritage and the Gaeltacht were in breach of the Data Protection Acts for a year. The anonymous author of this article asserts that the DPC’s job is to ensure compliance with the Data Protection Acts.

    Actually no. That is not their job. To make the Regulator responsible for ensuring compliance breaches a number of concepts in Governance, such as segregation of duties.

    Their job is to enforce the Act, to provide advice on how to not be non-compliant (which they did in this case), and investigate and prosecute offences under the legislation (albeit with a role in relation to education and awareness building as well).

    The responsibility for ensuring compliance rests with the Data Controller doing the processing, in this case the Dept of Arts, Heritage and the Gaeltacht, who were non-compliant because they did the very thing they were told not to do by the DPC. Responsibility for ensuring compliance rests with the IT project team who developed interfaces that shared too much data, the testers who didn’t spot it, and the Data Controller in the Dept who didn’t double check that the business rules were followed.

    The DPC’s job is to hold the Data Controller ACCOUNTABLE.

    The bizarre logic of the writer of the article simply makes no sense. Are the Gardai responsible for ensuring compliance with the Road Traffic Acts? No. Their job is the detection of, investigation of, and prosecution of offences. Just like the DPC in this context – when the Office was made aware of a possible breach of the Acts, they investigated and took action immediately.  (Ensuring compliance with the Road Traffic Acts is the responsibility of the road user).

    For all the sense that is in the article, the anonymous scribe [update-anonymous as it is a leader piece-/update] might as well have advocated that the soon to depart Mr Hawkes be replaced with a Psychic Dog who would detect all the potential future crimes, just like Tom Cruise in Minority Report.

    Lazy, sloppy, and brain numbingly dumb hackery dressed up as journalism, an article of this low quality has no place in a paper of merit such as the Irish Times.

    Good, informed, and informative journalism on Data protection issues must be encouraged however.

  • An anniversary post (of sorts)

    A little under a year ago I wrote two posts on this blog regarding the Irish DPC, Facebook, and Safe Harbor.

    The blog posts in question are here and here

    Those posts were written under less than ideal conditions; sitting at train stations or in cramped train carriages, eyes streaming with hayfever (or perhaps I was weeping for the death of privacy.. sometimes it’s hard to tell),  typing furiously on an iphone, with limited access to internet, so were rattled off essentially off the top of my head at the time based solely on the information that was in the public domain.

    The gist of what I wrote in those posts was as follows:

    1. The Data Protection Commissioner’s Office has to enforce the law that is in front of them.
    2. The law that is in front of them says that transfers to Facebook are OK under Safe Harbor
    3. To conduct an investigation would mean the DPC would have to challenge a decision of the European Commission (specifically the Safe Harbor decision).
    4. That was probably the reason why other Data Protection Authorities, while complaining about Facebook, PRISM, and Safe Harbor hadn’t actually done anything to suspend transfers, because they too were not able to directly challenge a decision of the European Commission.

    In June we received the judgement of Hogan J. in Schrems vs DPC. This case was initiated as a judicial review of the decision of the DPC not to launch a full blown investigation in to Safe Harbor and Facebook.

    In that judgement, Hogan J. held that:

    1. The DPC had correctly interpreted and enforced the law that was in front of them. Transfers from Facebook Ireland to Facebook US were permitted as a result of Safe Harbor.
    2. A question needed to go to the ECJ as to whether the DPC could actually ignore or look beyond the Commission Decision on Safe Harbor when looking at whether processing was lawful. (In essence this is a question that is asking the ECJ to rule on Safe Harbor in light of the changes in EU Data Protection law since it was implemented a decade and a half ago. Since then Data Privacy has become clearly recognised as a fundamental right and the Digital Rights Ireland case has clarified the need for proportionality in data processing, particularly on-line surveillance).

    And with that he sent a question to the European Court of Justice that potentially will have echoes as profound as Gavrilo Princip’s revolver shot on a side street in Sarajevo a century ago.

    It was particularly heartening to me to read paragraphs 80 and 81 of Hogan J.’s judgement when it came out. In those paragraphs he basically says exactly what I said a year ago: the EU Commission had decided that Safe Harbor was an appropriate mechanism for cross border data transfer and the DPC was tied t the findings of the Commission under the Irish Data Protection Acts and the underlying Directive. That’s pretty much what I said in this blog post.

    I am loathe to engage in precognition on the ECJ case that we are presented with now. However, I will venture the following for now:

    1. This is no longer a case about an Austrian law postgrad taking on an administrative functionary in on the western spiral arm of the EU.
    2. This has become a case about information flows and fundamental rights (thanks in no small part by some deft adjudication by Hogan J).
    3. This has become a question of information society (the ethics, rights, rules, and benefits of information processing) versus information economy (individuals as units of production, and surveillance of the drones by Big Brother). It will have a profound impact no matter what the outcome.
    4. While Max Schrems has taken his case against the Irish Data Protection Commissioner, ultimately it is the Safe Harbor mechanism that is on trial now at the ECJ.
    5. If Safe Harbor is found to be not fit for purpose as a result of the disproportionate threats to data privacy rights of EU citizens, we will move into a very interesting era. If it turns out that national Data Protection Authorities can second guess decisions of the EU Commission when the surrounding laws or social environment changes, that will have ripples out far beyond the world of Data Protection law and practice.

    The role of Digital Rights Ireland as amicus curae in this case is to be welcomed. They add no baggage to the wagon train, but having been to the ECJ already on a data protection issue they are familiar with the winding trail ahead.

    It is to be hoped that politicians and functionaries in the civil services of Member States and the Commission, as well as the media and the general public, wake up to the issues here and start paying attention. In the absence of a global drive to establish functioning and balanced frameworks for effective cross border data transfer we may find ourselves with exactly the same problems that gave rise over three decades ago to the need for the OECD Guidelines , and in turn Council of Europe Convention 108 and the entire framework of EU Data Protection laws in the first place.

    Interesting times indeed.

  • TV Licences, Data Protection, and the comments of the DPC

    It was great to hear the Data Protection Commissioner on Newstalk this afternoon explaining the situation regarding the proposed TV License data slurp. I’ll post a link to the podcast when it is available.

    A quick summary of key points that he made is as follows:

    1. The Government must pass legislation to allow for any access to data.
    2. The accessing of subscriber data is an interference with fundamental rights so, while Public Interest (e.g. maximising revenue from TV licence to keep Fair City on the air), the Government must convince the Oireachtas that the levels of access proposed are justified. The DPC specifically said that “the Oireachtas need to think about this”.
    3. He went on later to restate the importance of the Public Interest needing to out weigh and justify the interference in fundamental rights.
    4. He specifically flagged that whatever mechanism and process is proposed in legislation, it needs to be a “reasonable and proportionate measure”
    5. An Post should only have access to the minimum amount of information necessary to confirm if there is use of a TV service.

    Hmmm.. I’ve heard comments like that somewhere else recently

    A slight difference of opinion…

    The DPC compared the access of data from TV service providers as being similar to the legislation that was brought in to establish the Property Register for the LPT tax.

    I respectfully have to disagree a little on this. The LPT register required a completely new database to be created from scratch for the purposes of effectively, efficiently, and fairly levying a new tax. Data was drawn from multiple State and private sector data sets to create the best possible register for that purpose [disclosure: my company was involved in some preliminary work around the establishment of the LPT Register].

    What is proposed in the case of the TV licence is to supplement an existing private sector database (An Post’s) with data from potential competitors for the purpose of detecting non-compliance with an existing tax/levy. It is a subtle difference and should affect the determination of what is proportionate. There is already an investigation and detection function for TV licence enforcement. Any level of access other than on a case by case basis for the investigation of and prosecution of non-payment would require a clear justification in my view to pass a proportionality test. Rather than comparing to the LPT establishing something new, a more appropriate comparison would be to existing Revenue powers to request data from banks in the course of an investigation, not as a general blanket bulk extraction.

    The Thin End of the Wedge

    The DPC is “concious of making sure that this won’t be the thin end of the wedge”. In that case attention needs to be paid to how the legislation evolves. As I pointed out yesterday, Sky and UPC are both also providers of telecommunications services. In defining what data is being accessed for what purpose, it needs to be clarified if this legislative data grab will be constrained just to television service packages or to a wider range of product offerings. And within that there then needs to be consideration as to how An Post would verify that a broadband subscriber was or was not using their service to stream TV to a laptop or handheld device, a scenario that is currently not covered by the TV licence, but is proposed to form part of a Household Broadcasting Charge in the not too distant future.

    This is where there is another key difference between this proposed legislation and the LPT. The LPT legislation, from the very beginning, made clear that data would be obtained from private sector organisations to enrich and validate data on the Register obtained from existing State sources. While some thought that it was the tightening of Big Brother’s grubby mitts around our data, it was at least an open and transparent initiative.

    If the intent here is to build a Household Broadcasting Charge Register by enriching the existing An Post data sets with 3rd party data, then the Minister and Department should come out and state that and place the Public Interest question around this proposed legislation on a more transparent footing, which in turn may affect the consideration of what form of mechanisms and measures would be reasonable and proportionate to achieve that end. That will ensure that the legislation that the Oireachtas may eventually pass will be fit-for-purpose, that the correct balance of rights between the individual, the organisation, and the State will be considered, and there can be a proper debate and provision of information about what constitutes a “reasonable and proportionate measure” in that context.

    If the data is required to support existing investigation and detection processes for the current TV licence, I would suggest that what is reasonable and proportionate is more in line with Revenue’s powers of access to bank records on a case by case basis then the mass integration of data required to create the infrastructure for an entirely new tax head, and it is on that basis that the assessment of “reasonable and proportionate” should be made.

    The de minimis principle

    The DPC was clear that only the minimum necessary amount of information for the specific purpose could or should be shared. Hear hear!

    Of course, his comment presumes a bulk sharing obligation is required or is proportionate. As I wrote yesterday, and as I mention above, if the proportionate response is to improve evidence gathering in investigation of suspected non-payment of a licence fee then An Post (or any other collecting agency) could simply ask, on a case by case basis, “Does X address have a television service” and receive a simple yes or no response.

    The Commissioner’s comments don’t rule that approach out however.

    Of course, de minimis is a principle that applies to the purpose and intent of the processing. If the intent or purpose is to ensure that everyone who has a Sky or UPC subscription has paid their TV licence, it would be quicker, easier, and cheaper, to make them collecting authorities for their customers and leave An Post with the rump, with the Department managing a reconciliation process on an annual basis. It would add €13 or so to a Sky TV subscription, and it would ensure that every location where a single customer had a Sky TV box installed was paying the fee.

    The Prickly Problem of Proportionality

    It is good to see the DPC making positive comments about how the Oireachtas needs to reflect on how any legislation that might emerge would impact on fundamental rights. The Government must convince the Oireachtas (but with a majority, that is a fudge), but the Oireachtas has to act in accordance with the Constitution and with our obligations under EU Treaties. The ECJ has ruled on the Data Retention Directive and has made it clear that for serious offences that the interference in data privacy rights through retention of or bulk access to communications data must be proportionate. Digital Rights Ireland have yet to return to the High Court for the next round of their challenge to the Communications Retention of Data Act 2011, but it defines a “serious offence” as being one carrying a prison sentence of at least 5 years.

    For a €160 licence fee and a summary offence with a €1000 fine on first offence or €2000 on subsequent offences (people go to jail for non-payment of fine, not non-payment of TV licence) it will be interesting to see how proportionality will be established.

    It may be that the Government will need to consider alternative mechanisms for enforcement of the TV Licence (or future Broadcasting Charge) that does not require the sharing of data. The key objective, after all, is to maximise the cash inflow for the State to support development of indigenous broadcasting while at the same time minimising enforcement costs and minimising the extent to which data is being shared and processed between private sector organisations, albeit on behalf of the State.

    Of course, any reliance on full and frank debate in the Oireachtas has to recognise that the Government has a majority and we operate a whip system in our parliament. Government TDs will vote with the Government line. Which means that legislation might get passed that is actually a disproportionate response to the problem. Gerard Cunningham (@faduda) kindly reminded me of this on twitter.

    Ultimately, the Minister needs to be clear in his Problem Statement before rushing to a solution, and the Oireachtas needs to think outside the box when assessing the reasonableness and proportionality of the legislative response to the realities of the telecommunications and broadcasting markets.

  • TV Licence checks and “Data Protection Principles” [updated]

    This morning’s Irish Times reports this morning that the (current) Irish Communications Minister  is seeking cabinet approval for powers to enable the agency that collects TV Licences (currently An Post, the Irish post office) to access subscriber koi data from subscription TV providers such as Sky or UPC to crack down on TV licence evasion. We are assured by the Minister that the whole thing will be done “ in accordance with strict data protection guidelines”. Ignoring for a moment that “Data Protection” is not a guideline but is a fundamental right of EU citizens enshrined in law and derived from both the TFEU and the European Charter on Fundamental Rights and implemented in Irish law as a result of an EU Directive (ergo… not a guideline but kind of a big thing to keep an eye on), what might those guidelines be?

    [Update] TheJournal.ie are reporting that this proposal has passed the Cabinet. The mechanism that is to be applied is reported as being:

    “An Post will be allowed access the subscription data held by the likes of UPC and Sky to cross-reference their subscriber databases with its own data on TV licence fee payers”

    I address the implications of this below in an update paragraph inserted in the original text. [/update]

    Guidelines

    In general Data Protection terms, once there is a statutory basis for processing (and access to data is processing) then the processing is lawful. What appears to be being proposed here is legislation that will allow subscriber data of one group of companies to be accessed by another company for the purposes of checking if someone is getting moving pictures on a telly box or similar device. So that’s the box ticked and we can move on, right? Oh, so long as we have protocols around the how, when, and why of access to the data right (because they are always followed)? And of course, the legislation will prevent scope creep in terms of  the use of the data and the potential sources of data that might be accessed using the legislation (e.g. telecommunications service providers who might have broadband going into a home or onto a device). Well, since April (and thanks to the great work of Digital Rights Ireland) we actually have some guidance from the Court of Justice of the European Union.

    This is guidance that Minister Rabbitte’s department should be distinctly aware of as it affected legislation that they are responsible for, the Communications Data Retention Directive (from which the Irish Communications Data Retention Act got its authority). In that case, the ECJ was very clear: any processing of personal data needs to be a proportionate for the outcome required. In the Digital Rights Ireland case, the ECJ felt that requiring the retention of call traffic and internet usage data on the off chance it might be useful to authorities to counter terrorism was a disproportionate response. Access to specific data would not be disproportionate, but wholesale data slurping was a breach of fundamental rights to data privacy as enshrined in the EU Charter of Fundamental Rights. This reasoning was followed by Hogan J in the recent case of Schrems vs The Data Protection Commissioner in the High Court where Hogan deftly summarises the constitutional, statutory, and EU Treaty bases for Data Privacy rights in Ireland and the EU.

    The upshot is that, regardless of the existence of a statutory authority to do a particular piece of processing, the processing itself must be a proportionate invasion of an individual’s right to Personal Data Privacy and their right to Privacy – two distinctly separate rights now under EU law. So, what would be a proportionate response in this context? How big is the problem?

    The Proportionality Conundrum

    According to the Minister, 16% of households don’t pay for a TV licence. According to ComReg 73% of households receive TV services via a subscription service. So 27% of people don’t pay for a TV service subscription and 16% don’t have a TV license, so there are more people who don’t have a paid TV subscription then don’t have a TV license? It is not outside the bounds of possibility that the ENTIRETY of the 16% that the Minister seeks to pursue are contained in the 27% that Sky and UPC would also love to separate from their subscriptions. Perhaps these people don’t have a television at all?

    Even assuming that the two groups are unrelated, the question of whether allowing An Post access to the subscriber lists of UPC and Sky is a proportionate response. It’s not. If it is not a proportionate response for serious offences under the now defunct Data Retention Directive to allow law enforcement blanket access to telecommunications call history and internet usage data, it is probably not proportionate for a private company to have access to the subscriber lists of potential competitors (who knows what An Post might want to pivot into, given they are in the telecommunications business ) for the purposes of detecting where people don’t have a TV license.

    [Update] Based on a report on TheJournal.ie, it appears that what is proposed is an en masse cross checking of data between An Post’s TV License database and the databases of Sky and UPC.  This is borders, in effect, on a form of mass surveillance. It is, in my opinion, that this would be unlikely to be seen as a proportionate response to the problem. This is particularly the case where alternatives to the bulk access to data can achieve the same overall objective without the need for the data to be processed in this way. [/update]

    What would be proportionate would be for An Post to be able to make a request, on a case by case basis, for confirmation if a property which does not have a TV license is in receipt of a subscription TV service, once there was a detection that there was someone resident at the address or a business operating at the address which had a receiving device (i.e. a TV). Sky or UPC would simply need to respond with a “Yes they have service” or “No they do not” with no other data being accessed.

    A wrinkle though…

    One wrinkle is that Sky and UPC are not just TV service companies. They are telecommunications service providers as well. They provide home phone and broadband services. So the scope of the potential legislation is to allow a telecommunications company (An Post) access to the subscriber data of other telecommunications companies. This raises significant issues from a Data Protection perspective under SI336 ,where telecommunications providers have very serious security obligations to their subscribers around notifying of potential security issues on their network and also notifying subscribers and the Data Protection Commissioner where there has been a breach of data security.

    It also raises the spectre of other telecommunications companies being required to provide the same data, depending on how the legislation is drafted.

    Almost inevitably, the telecommunications providers would be asked to provide data to An Post about users who were accessing particular types of services or IP addresses (e.g. RTE online services or TV3 Player, or Netflix, or similar). This is EXACTLY the type of data that the ECJ has ruled on in the Digital Rights Ireland case. Proportionality raises its head again, along with the need to avoid information security breaches on the part of the telecommunications companies being asked to provide access to their data.

    The Upshot

    At this remove I can identify a few mechanisms that would be a proportionate interference in personal data privacy rights, and would minimise the risks of unauthorised access to or disclosure of subscriber data by a telecommunications service provider.

    1. An Post would need to make their requests as part of an investigation of a specific instance of an offence with a view to prosecution. Each request would need to relate to the investigation of a specific offence (“Mr X, at address Y, has no TV license but has a receiving apparatus he claims is not connected to any service, please verify he is not a subscriber”). The subscription TV service providers or Telecommunications service providers would simply respond back with a “Yes” or “No” to the specific question. But that answer may not confirm if they use their broadband to access streamed broadcast services. It is very easy to mask internet usage by using VPN tunnelling services, so the net may not catch all the fishes the Minister is trawling for.
    2. Another option would be to simply add the cost of the TV license to the subscription fee for Sky or UPC television services and, potentially, to the cost of broadband services in the State.  This would require zero sharing of data and a single annual transaction between the service providers and the State. It would also avoid entirely the risk of unauthorised access to or disclosure of subscriber data as a result of An Post (or any other entity) having access to subscriber data.

    (Of course, just because you have a broadband connection doesn’t mean you are watching TV programmes on your device. I have a good friend who has a very large computer monitor and watches DVDs streamed from a laptop. They have broadband. For email, internet access, and work stuff. Their TV and movie viewing is entirely DVD boxed set driven.  A mechanism would be required for people in that category to opt-out, unless this is a flat-rate tax on telecommunications services flying under a false flag. That is a matter for a different blog post.)

    What ever approach is ultimately taken it will need to constitute an invasion of data privacy that is proportionate to the problem that presents itself. THAT is the Data Protection requirement that must be met. It is not a guideline. It is the law, and it is a matter of fundamental rights.

    For the Minister to view Data Protection as a “guideline” further evidences the horridly discordant tone at the top in the Irish State about Data Protection (which I’ve written about here and here and here and here).

  • Facebook, Manipulation, and Data Protection – part 2

    Right. Having gotten some day job work out of the way I return to this topic to tease out the issues further.

    One aspect that I didn’t touch on in the last post was whether or not Data Protection exemptions exist for research and if those exemptions apply in this case. This discussion starts from the premise that EU Data Protection law applies to this Facebook research and that Irish Data Protection law is the relevant legislation.

    The Exemption

    Section 2(5) of the Data Protection Acts 1988 and 2003 provides an exemption for processing for research purposes:

    (a) “do not apply to personal data kept for statistical or research or other scientific purposes, and the keeping of which complies with such requirements (if any) as may be prescribed for the purpose of safeguarding the fundamental rights and freedoms of data subjects.

    And

    (b) “the data or, as the case may be, the information constituting such data shall not be regarded for the purposes of paragraph (a) of the said subsection as having been obtained unfairly by reason only that its use for any such purpose was not disclosed when it was obtained, if the data are not used in such a way that damage or distress is, or is likely to be, caused to any data subject

    The key elements of the test therefore are:

    1. The data is being processed for statistical or scientific purposes
    2. And the processing of the data complies with requirements that might be prescribed for safeguarding fundamental rights and freedoms

    This means that for research which is being undertaken for scientific purposes with an appropriate ethics review that has identified appropriate controls to safeguard fundamental rights of Data Subjects, which since the enactment of the Charter of Fundamental Rights in the EU includes a distinct right to personal data privacy. This was reaffirmed by the Digital Rights Ireland case earlier this year.

    The question arises: was the Facebook study as scientific purpose? It would appear to be so, and in that context we need to examine if there was any processing requirements set out to safeguard fundamental rights and freedoms of Data Subjects. That is a function of the IRB or Ethics committee overseeing the research. Cornell University are clear that the issues of personal data processing were not considered in this case as their scientists were engaged in a review and analysis of processed data and they did not believe that there was human research being undertaken.

    Whether or not you consider that line of argument to be Jesuitical bullshit or not is secondary to the simple fact that no specific requirements were set out from any entity regarding the controls that needed to be put in place to protect the fundamental rights and freedoms (such as freedom of expression) that the Data Subject should enjoy.

    Legally this means that the two stage test is passed.  Data is being processed for a scientific purpose and there has been no breach of any provision set down for the processing of the data to safeguard fundamental rights, so consent etc. is not required to justify the processing and the standard around fair obtaining is looser.

    Apparently if your review doesn’t consider your research to be human research then you are in the clear.

    Ethically that should be problematic as it suggests that careful parsing of the roles of different participants in research activity can bypass the need to check if you have safeguarded the fundamental rights of your research subjects. That is why ethics reviews are important, and especially so when it comes to the ethics of “Big Data” research. Rather than assessing if a particular research project is human research we should be asking how it isn’t, particularly when the source of the data is identifiable social media profiles.

    A Key Third test…

    The third part of the test is whether or not the data is being used in a way that would cause damage or distress to the data subject. This is a key test in the context of the Facebook project and the design of the study. Consent and fair obtaining requirements can be waived where there is no likelihood of damage or distress being caused to the research subject.

    However, this study specifically set out to create test conditions that would cause distress to data subjects.

    It may be argued that the test is actually whether or not the distress would be measured as an additional level of distress that would be caused over and above the normal level of distress that the subject might suffer. But given that the Facebook study was creating specific instances of distress to measure a causation/correlation relationship between status updates and emotional responses, it’s hard to see how this element of the exemption would actually apply.

    Had Facebook adopted a passive approach to monitoring and classifying the data rather than a directed approach then their processing would not have caused distress (it would have just monitored and reported on it).

    The Upshot?

    It looks like Facebook/Cornell might get off on a technicality under the first two stages of the test. They were conducting scientific research and there was no prerequisite from any Ethics committee to have any controls to protect fundamental rights. However that is simply a technicality and it could be argued that, in the absence of a positive decision that no controls were needed, it may not be sufficient to rely on that to avail of the Section 2(5) exemption.

    However, it may be that the direct nature of the manipulation and the fact that it was intended to cause distress to members of the sample population might negate the ability to rely on this exemption in the first place, which means that consent and all the other requirements of the Data Protection Acts should apply and be considered in the conduct of the research.

    The only saving grace might be that the level of distress detected was not found to be statistically large. But to find that they had to conduct the questionable research in the first place.

    And that brings us back to the “wibbly-wobbly, timey-wimey” issues with the consent relied upon in the published paper.

    Ultimately it highlights the needs for a proactive approach to ethics and data privacy rights in Big Data research activities. Rather than assuming that the data is not human data or identifiable data, Ethics committees should be invoked and required to assess whether the data is and ensure that appropriate controls are defined to protect fundamental rights. Finally, the question of whether distress will be caused to data subjects in the course of data gathering needs to be a key ethical question as it can trigger Data Protection liability in otherwise valuable research activities.

  • Facebook Research, Timeline Manipulation, & EU Data Protection Law

    This is an initial post based on the information I have to hand today (1st July 2014). I’ve written it because I’ve had a number of queries this morning about the Data Protection implications of Facebook’s research activity. I’m writing it here and not on my company’s website because it is a work in progress and is my personal view. I may be wrong on some or all of these questions.

    Question 1: Can (or should) the Data Protection Commissioner in Ireland get involved?

    Facebook operates worldwide. However, for Facebook users outside the US and Canada, the Data Controller is Facebook Ireland, based in Dublin. Therefore EU Data Protection laws, in the form of the Irish Data Protection Acts 1988 and 2003 applies to the processing of personal data by Facebook. As a result, the Irish Data Protection Commissioner is the relevant regulator for all Facebook users outside the US and Canada. The key question then is whether or not Facebook constrained their research population to data subjects (users) within the US and Canada.

    • If yes, then this is not a matter for investigation by EU data protection authorities (i.e. the Data Protection Commissioner).
    • If no, then the Irish Data Protection Commissioner and EU Data Protection laws come into play.

    If Facebook didn’t constrain their population set, it is therefore possible for Facebook users outside of the US and Canada to make a complaint to the DPC about the processing and to have it investigated. However, the DPC does not have to wait for a complaint. Section 10 of the Data Protection Acts empowers the Commissioner to undertake “such investigations as he or she considers appropriate” to ensure compliance with legislation and to “identify any contravention” of the Data Protection Acts 1988 and 2003.

    [update] So, it is clear that the data was obtained from a random sample of facebook users. Which raises the question of the sampling method used – was it stratified random sampling (randomised within a sub-set of the total user base) or random sampling across the entire user base? If the former then the data might have been constrained. If the latter, the data inevitably will contain data subjects from outside the US/Canada region. [/update]

    Answer: If Facebook hasn’t constrained their population to just North America (US/Canada) then… Yes.

    Question 2: If Irish/EU Data Protection Law applies, has Facebook done anything wrong?

    Tricky question, and I wouldn’t want to prejudge any possible investigation by the Data Protection Commissioner (assuming the answer to Question 1 would get them involved).  However, based on the information that is available a number of potential issues arise, most of them centred on the question of consent. Consent is a tricky issue in academic research, market research, or clinical research. The study which was conducted related to the psychological state of data subjects. That is categorised as “Sensitive Personal Data” under the Data Protection Acts. As such, the processing of that data requires explicit consent under Section 2B of the Acts. Beyond the scope of the Data Protection Acts, clinical research is governed by ethical standards such as the Nuremburg Code which also requires a focus on voluntary and informed consent:

    The voluntary consent of the human subject is absolutely essential… and should have sufficient knowledge and comprehension of the elements of the subject matter involved as to enable him to make an understanding and enlightened decision. This latter element requires that before the acceptance of an affirmative decision by the experimental subject there should be made known to him the nature, duration, and purpose of the experiment

    Question 2A: Was Consent Required? Consent is required for processing of sensitive personal data. For that data to be sensitive personal data it needs to be data that is identifiable to an individual and is sensitive in nature. However, if the data being processed was anonymised or pseudonymised then it falls outside the scope of personal data, assuming appropriate controls are in place to prevent re-identification. The Irish Data Protection Commissioner has published guidance in 2007 on Clinical Research in the Healthcare sector which provides some guidance on the question of consent, albeit from the perspective of a pure clinical healthcare perspective. A key point in the guidance is that while anonymising data may remove the Data Protection question around consent, it doesn’t preclude the ethical questions around conducting research using patient data. These kind of questions are the domain of Ethics Committees in Universities or commercial research organisations. Research of this kind are governed by Institutional Review Boards (IRB) (aka Ethics Committees).

    Apparently Cornell University took the view that, as their researchers were not actually looking at the original raw data and were basing their analysis of results produced by the Facebook Data Science team they were not conducting human research and as such the question of whether consent was required for the research wasn’t considered. The specifics of the US rules and regulations on research ethics are too detailed for me to go into here. There is a great post on the topic here which concludes that, in a given set of circumstances, it is possible that an IRB might have been able to approve the research as it was conducted given that Facebook manipulates timelines and algorithms all the time. However, the article concludes that some level of information about the research, over and above the blanket “research” term contained in Facebook’s Data Use policy would likely have been required (but not to the level of biasing the study by putting all cards on the table), and it would have been preferable if the subjects had received a debrief from Facebook rather than the entire user population wondering if it was them who had been manipulated. Interestingly, the authors of the paper point to Facebook’s Data Use Policy as the basis of their “informed consent” for this study:

    As such, it was consistent with Facebook’s Data Use Policy, to which all users agree prior to creating an account on Facebook, constituting informed consent for this research.

    Answer: This is a tricky one. For the analysis of aggregate data no consent is required under DP laws and, it appears, it raises no ethical issues. However, the fact that the researchers felt they needed to clarify that they had consent under Facebook’s Data Use policy to conduct the data gathering experiments suggests that they felt they needed to have consent for the specific experimentation they were undertaking, notwithstanding that they might have been able to clear ethical hurdles over the use of the data once it had been obtained legally.

    Question 2b: If consent exists, is it valid? The only problem with the assertion by the researchers that the research was governed by Facebook’s Data Use policy is that, at the time of the study (January 2012) there was no such specified purpose in Facebook’s Data use policy. This has been highlighted by Forbes writer Kashmir Hill.

    The text covering research purposes was added in May 2012. It may well have been a proposed change that was working its way through internal reviews within Facebook, but it is impossible for someone to give informed consent for a purpose about which they have not been informed. Therefore, if Facebook are relying on a term in their Data Use Policy which hadn’t been introduced at the time of the study, then there is no valid consent in place, even if we can assume that implied consent would be sufficient for the purposes of conducting psychological research. If we enter into a degree of speculation and assume that, through some wibbly-wobbly timey-wimey construct (or Kashmir Hill having made an unlikely error in her analysis), there was a single word in the Data Use Policy for Facebook that permitted “research”, is that sufficient?

    For consent to be valid it must be specific, informed, unambiguous, and freely given. I would argue that “research” is too broad a term and could be interpreted as meaning just internal research about service functionality and operations, particularly in the context in which it appears in the Facebook Data Use Policy where it is lumped in as part of “internal operations”. Is publishing psychological and sociological research part of Facebook’s “internal operations”? Is it part of Facebook’s “internal operations” to try to make their users sad? Interestingly, a review of the Irish Data Protection Commissioner’s Audit of Facebook in 2012 reveals no mention of “Research” as a stated purpose for Facebook to be processing personal data. There is a lot of information about how the Facebook Ireland User Operations team process data such as help-desk queries etc. But there is nothing about conducting psychometric analysis of users through manipulation of their timelines. Perhaps the question was not asked by the DPC?

    So, it could be argued by a Data Protection regulator (or an aggrieved research subject) that the consent was insufficiently specific or unambiguous to be valid. And, lest we forget it, processing of data relating to Sensitive personal data such as psychological health, philosophical opinions etc. requires explicit consent under EU law. The direct manipulation of a data subject’s news feed to test if it made them happier or sadder or had no effect might therefore require a higher level of disclosure and a more positive and direct confirmation/affirmation of consent other than “they read the document and used the service”. There are other reasons people would use Facebook other than to be residents of a petri dish.

    Does this type of research differ from A/B testing in user interface design or copywriting? Arguably no, as it is a tweak to a thing to see if people respond differently. However A/B testing isn’t looking for a profound correlation over a long term between changes to content and how a person feels. A/B testing is simply asking, at a point in time, whether someone liked presentation A of content versus presentation B. It is more functionally driven market research than psychological or sociological analysis.

    Answer: I’d have to come down on the negative here. If consent to the processing of personal data in the manner described was required, it is difficult for me to see how it could be validly given, particularly as the requirement is for EXPLICIT consent. On one hand it appears that the magic words being relied up on by the researchers didn’t exist at the time of the research being conducted. Therefore there can be no consent. Assuming some form of fudged retroactivity of consents given to cover processing in the past, it is still difficult to see how “research” for “internal operations” purposes meets the requirement  of explicit consent necessary for psychological research of this kind. It differs to user experience testing which is more “market research” than psychological and therefore is arguably subject to a higher standard.

    Question 3: Could it have been done differently to avoid Data Protection Risks

    Short answer: yes. A number of things could have been done differently.

    1. Notification of inclusion in a research study to assess user behaviours, with an option to opt-out, would have provided clarity on consent.
    2. Analysis of anonymised data sets without directed manipulation of specific users timelines would not have raised any DP issues.
    3. Ensure validity of consent. Make sure the text includes references to academic research activities and the potential psychological analysis of user responses to changes in Facebook environment. Such text should be clearly highlighted and, ideally, the consent to that element should be by a positive act to either opt-in (preferred) or to opt-out
    4. Anonymise data sets during study.
    5. Restrict population for study to US/Canada only – removes EU Data Protection issues entirely (but is potentially a cynical move).

    Long Answer: It will depend on whether there is any specific finding by a Data Protection Authority against Facebook on this. It does, however, highlight the importance of considering Data Protection compliance concerns as well as ethical issues when designing studies, particularly in the context of Big Data. There have been comparisons between this kind of study and other sociological research such as researchers walking up to random test subjects and asking them to make a decision subject to a particular test condition. Such comparisons have merit, but only if we break them down to assess what is happening. With those studies there is a test subject who is anonymous, about whom data is recorded for research purposes, often in response to a manipulated stimulus to create a test condition. The volume of test subjects will be low. The potential impact will be low. And the opportunity to decline to participate exists (the test subject can walk on by… as I often did when faced with undergrad psychology students in University) With “Big Data” research, the subject is not anonymous, even if they can be anonymised. The volume of test subjects is high. Significantly (particularly in this case) there is no opportunity to decline to participate. By being a participant in the petri-dish system you are part of the experiment without your knowledge. I could choose to go to the University coffee shop without choosing to be surveyed and prodded by trainee brain monkeys. I appear to have no such choice with Data Scientists. The longer answer is that a proper consideration of the ethics and legal positioning of this kind of research is important.

  • Stand up for Digital Rights, Ireland.

    In the Western world our rights are under attack. In the UK for example the policy of the Tory party is to abolish the Human Rights Act (http://www.bbc.co.uk/news/uk-politics-21726612). In the fast changing world of data and information private companies and governments alike go to great lengths to peer inside our digital lives in a manner often disproportionate to or ineffective for the stated purposes of ‘national security’ or copyright enforcement. The revelations over the summer from Edward Snowden, and a variety of other stories relating to the use, misuse, and abuse of our private personal data by companies and governments alike have resulted in Dictionary.com making “Privacy” its Word of the Year for 2013 (http://blog.dictionary.com/privacy/)

    Last year saw the Irish Government, in its presidency of the European Union, preside over a significant watering down of rights and protections for individual data privacy in the proposed EU Data Protection Regulation. This regulation was subject to 4000 proposed amendments and one of the most intrusive lobbying campaigns by organisations seeking to reduce the protections over personal data privacy afforded to EU citizens. But last year also saw Digital Rights Ireland punch significantly above it’s weight on the European stage, with their appeal to the ECJ on the retention of telephone, sms, and internet usage data by telecoms companies on behalf of governments – precisely the same information that was at the centre of Snowden’s PRISM disclosures.

    Digital Rights Ireland plays a valuable role in the evolution of our personal digital rights, particularly as we struggle to define where we must draw the line between an Information Economy, where the users of services are the means of production, and an Information Society, where powerful tools for communication and interaction allow us to engage, but to wear a mask or withdraw to our personal fortresses of solitude where we can define and redevelop our sense of self as people. Not as products.

    However, DRI had one set back in 2013 which puts their ability to stand up for our rights, your rights, in an Information Society. They were on the losing side in litigation about copyright issues. Their role in the case – to be a counterpoint voice for the people and to bring additional information and perspective to the Court. The impact: the music industry looked for costs of the guts of €30,000 against DRI for one day in Court. This was reduced to €13,000 on appeal to the Taxing Master. No other party to the case is seeking costs against DRI.

    The risk now is that DRI might be liquidated by the music industry representatives. For standing up and suggesting alternative solutions might be needed, for pointing out how web filtering is easily circumvented, and basically being a devil’s advocate on the side of the individuals who make up our society.

    Money must be found. DRI runs on a shoestring, favours, and jellybabies. There is no salary for its directors,  no top ups, no big dinners or extravagant radio adverts. Just people who care and give up time from their day jobs to provide a voice for Digital Rights. That voice will fall silent if they cannot raise the €13,000 needed as soon as possible.

    It is time to stand up for Digital Rights, Ireland. Rather than buying a data slurping tablet in the sales, or downloading another privacy invading smartphone app\tracking device, go to www.digitalrights.ie and check out what they do for you. Then go here (http://www.digitalrights.ie/support-us-in-2014/) to learn more about their problem. Then go here http://www.digitalrights.ie/support/ to donate, either a once off payment or a recurring donation.

    And if you don’t, you risk waking up one day as a just another unit of production in an Orwellian dystopia.

  • DPC, Prism, Safe Harbor and stuff

    The Irish DPC has come under fire in the international media on foot of their failure to act on a complaint by Europe v Facebook about US multinationals with bases in Ireland allowing data to be accessed by the NSA.

    The gist of EVF’s complaint is that this access invalidates Safe Harbor and therefore makes the transfer of data by these companies to the US is therefore illegal.

    EVF may indeed be right. The key 2-legged test to be passed is whether the access by law enforcement/national security agencies to the data that is being transferred is necessary for the national security/law enforcement purpose, and whether the access/processing is in turn proportionate to the objective when balanced against the fundamental right to privacy.

    Prism and similar programmes quite probably fail either or both legs of that test. Certainly the ECJ seemed to be very concerned with whether European governments had done enough to demonstrate necessity and proportionality with regard to EU communications data retention (http://www.contentandcarrier.eu/?p=435).

    This is the ECJ case that the Irish DPC refers to in the written response to Europe-v-Facebook.

    Safe Harbor is a scheme entered into by the European Commission and the US Dept of Commerce to facilitate transfers of data to the US. It is decidedly imperfect and had been the subject of criticism since it was introduced in 2000.

    It is one of the mechanisms under which organisations can transfer personal data outside the EEA (28 EU member states plus Norway, Iceland & Liechtenstein) under S11 of the Data Protection Acts

    S11 does give the DPC the power to prohibit such transfers in certain circumstances. The DPC needs to be of the view that data protection rules are likely to be contravened and individuals are likely to be harmed as a result. This power is limited in that it does not apply where the transfer is required or authorised by law.

    And here’s the rub:

    • Safe Harbor is a scheme that authorises the transfer. So the DPC can’t unilaterally prohibit the transfer of data where Safe Harbor is being applied.
    • The Irish DPC does not have statutory authority to second guess the EU Commission on the legality of Safe Harbor
    • PRISM is, at this time, understood to have a statutory basis in the US and no-one court has yet ruled on the necessity and proportionality of its data gathering, so there is no breach of Data Protection rules per se. If the ECJ gives guidance re similar EU laws this could alter things.

    In short, the Irish DPC’s hands are probably tied by the law.

    Billy Hawkes lacks the legal authority to rule on the validity of Safe Harbor, so while transfers under Safe Harbor are valid in the EU Commissions eyes he probably can’t prohibit a transfer that is based on Safe Harbor. That is probably for the EU Commission to do.

    Nor is he empowered to make a finding of fact against the NSA regarding the necessity and proportionality of their processing (that’s for the US courts, or for the EU Commission to adopt as part of their review of Safe Harbor) – but will be bound by whatever principles of proportionality and necessity for communications meta-data processing emerge from the ECJ Data Retention Directive case, which is likely in my view to be more of a steer to the EU Commission regarding controls that would be required in “Son of Safe Harbor” than empowering the DPC to torpedo Safe Harbor himself.

    I suggest that it is this reasoning which the German DPAs have applied in their action which has had the effect of prohibiting transfers in scenarios where they had direct competence but served only to send up a warning flare that Safe Harbor and Model Contract Clauses might be broken – but DPAs lack the statutory competence to actually do anything about it and it must be addressed by the Commission.

    Rather than “regulator fails to enforce law”, this story is more correctly “Regulators hampered by broken law unsuited for modern age”

  • The DPC, Prism, and the Tech Giants (updated)

    Europe v Facebook has issued a press release today decrying the failure of the Irish DPC to find fault with the reliance on Safe Harbor by US technology companies in the transfer of personal data of EU citizens to the US where it fell into the net of PRISM.

    The soundbite friendly position evf is taking is that the Irish DPC is kowtowing to economic interests in not pulling the plug on Safe Harbour as German DPAs have done.

    However I would suggest that the position is slightly more nuanced than that. The key test that needs to be met for the national security/law enforcement exemptions to Safe Harbour is one of necessity and proportionality of the invasion of privacy set against the national security/law enforcement requirement.

    The EU currently has a Data Retention Directive. It is law in most EU member states, but is currently subject to an action in the Irish High Court which has referred questions to the ECJ, which ultimately rest on issues of necessity (I.e is it necessary to retain the metadata of every call, web access, email, sms sent over a comms provider in the EU, and if it is necessary is it proportional to do so for EVERYONE compared to the actual risk/objective).

    This ECJ action is referred to explicitly by the DPC in their response to evf.

    In the absence of a ruling in that case or a decision by the EU commission that PRISM constitutes an unnecessary and disproportionate intrusion under Safe Harbour the DPC is acting in line, in my view, with the law that is in front of him.

    But the Germans have pulled the plug I hear you cry! Yes. They have – to a point. But the German Constitutional Court has also struck down their national implementation of the EU Communications Retention Directive. So the law in Germany is slightly but significantly different.

    But this awkward disjointment of laws highlights the need for improved standardisation of Data Protection laws in Europe and an improved collegiate operating structure for DPAs. This is part of what the revised General Regulation on Data Protection was to deliver.

    It also highlights the questionable justification for double standards for law enforcement as illustrated by the existence of the parallel revisedDirective on Data Protection for EU law enforcement agencies which differs from the draft Regulation.

    As a childhood (and adult) fan of the classic TV show “Yes, Minister” I’m minded to give the DPC some benefit of the doubt in their position as it would be preferable for there to be an EU bloc position on Safe Harbor rather than piecemeal action. That requires either EU Commission termination of Safe Harbor due to its abuse on grounds of inappropriate and unnecessary intrusion, or a ruling from the ECJ that defines those rules in an EU context in regard of our own data sucking activities.


    After a little digging, it turns out that the position of the German DPAs doesn’t differ all that much from the Irish position. They actually haven’t suspended Safe Harbor, just called on the European Commission to clarify how Prism etc is compatible with EU privacy principles.
    http://www.huntonprivacyblog.com/2013/07/articles/german-dpas-halt-data-transfer-approvals-and-consider-suspending-transfers-based-on-safe-harbor-eu-model-clauses/
    What is suspended are transfers based on any other basis other than model contract terms or Safe Harbor.

    So, in effect, the German DPAs have kicked the ball back to the European Commission in a manner similar to the Irish DPC, but have forgotten to mention the significant ECJ hearing as well.

    That is not to say that I am thrilled with how it has been handled. The DPC should have issued a formal decision on this setting out their position so that evf could appeal against it in Court. That would be an interesting case to see and I suspect many of the arguments that would need to be put forward have already been drafted in respect of Digital Right Ireland’s High Court and ECJ actions.

    Of course, I don’t rule out the possibility of an overworked under resourced Data Protection authority making an error in their assessment of the legal position. And, unfortunately given the dischordant “tone at the top” from Alan Shatter on matters Data Protection the political landscape Billy Hawkes must navigate is challenging.

    This will get very interesting I suspect.

    (And I’ve left the question of whether the Irish DPC even has the powers under the domestic legislation to do what evf are requesting for another day)