The DOBlog

Category: Information Quality

  • Reposted: Irish Water, the letter from the DPC, and what it all means

    [On the 24th September I posted this. I’ve updated it to insert relevant updates in other posts in context]

    This evening the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

    Dear Deputy Shortall,

    I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

    Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

    [This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

    One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

    “The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

    If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

    Update: Today I posted this which looked at the apparent lack of a “signed off” movers/leavers process for when people change address and the data protection and operational implications. That is basic utility billing stuff, and is also a basic requirement under the Data Protection Acts – at least to have the mechanism by which changes to data can be made in the course of a customer life cycle.]

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    [This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

    The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

    Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

    I suspect Irish Water may get a mention but not for the right reasons.

    Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

    Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

    Update: I wrote this this morning following an Irish Times report that Irish Water would use PPSN as part of debt collection. This is not a stated purpose, and is not the “sole purpose” that the DPC had recognised and approved of.  It appears Irish Water are unclear internally about things that the Regulator believes they are clear about]

    The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

    [Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

    The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out. 

    Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

    Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

    Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

    Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identifywhere possible what type of data and for what purpose a transfer would occur.

    [This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

    I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

    Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

    The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

    Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

    I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

    Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

    The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

    I suspect this particular well has not yet run dry.

  • Irish Water and PPSN data

    This morning the Irish Times has a story about Irish Water, landlords, tenants, and PPSNs

    The article tells us that:

    Bills are to be issued quarterly, but as Irish Water will have the tenant’s PPS number, the utility firm will be able to pursue the tenant for any arrears and even apply any arrears to new accounts, when the tenant moves to a new address.

    What this tells me as a data geek is:

    1. Irish Water has a purpose for PPSN data that goes beyond the purpose agreed with the DPC (the validation of allowances)
    2. They are using PPSN as a primary key to identify people linked to properties (which goes beyond the “validation of allowances” purpose agreed with the DPC)
    3. Irish Water have some mechanism to identify tenants versus landlords, otherwise they are retaining ALL PPSN details for a period of at least six years. (It may be the PRTB data they have access to under S26 of the Water Services Act 2013).
    4. The retention period for PPSN is likely to be 6 years from the date of the final bill issued, but only where there are arrears on the account. Therefore, retention will be a rolling period for PPSN as bills are issued. It will only crystallise at 6 years once a final bill issues.
    5. The tenant who fills out the Irish Water application will be responsible for any arrears, even if they only wash every second week while their flatmates operate a water park in the kitchen.
    6. Irish Water haven’t modeled scenarios correctly as not every tenant in a rented property will be registered on the Application form… only one. I refer back to point number 5.

    Let’s just remind ourselves of what Irish Water told the Data Protection Commissioner they were going to use PPSN data for. The quote below is from a letter sent by the Acting Data Protection Commissioner to Roisin Shorthall TD that I blogged about last week.

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    I’ve highlighted the relevant sentence. And the crucial word. So any use of or retention of PPSN for purposes other than validating allowances is potentially a breach of the Data Protection Acts. Full Stop. End of story. Move along.

    [It also means that they can’t validate the rest of the data – only the entitlement. So they can verify that the PPSN of Joe Blow is valid, and that the PPSN data provided for Joe’s 623 children is valid and that those 623 children exist and are resident in the jurisdiction. No more. So they cannot legally “enrich” their data from the DSP’s data sets (despite what some people are stating might be the case). Of course, this is a perfect reason why the Water Allowance for Children, which is payable only to children in receipt of Child Benefit, would have been better paid as an allowance from the DSP, as I’ve blogged about already.]

    Are Irish Water making this up as they go along ?  If so, this crisis of communication around a critical issue of Regulatory compliance could be a lot worse under the surface. For example, has Irish Water modeled their data and processes to allow for customer life events (births, deaths, marriages, divorces, people moving in, people moving out)? Not doing that will lead to data quality and data protection headaches down the line. If those scenarios are not catered for in their processes, bills will be wrong. Designing for Privacy means considering data and its processing, which means you being to look at how the organisation knows or can know important facts about things it needs to know. Lurching around like a drunken uncle at a country wedding does not suggest good design for processes, data, or privacy.

    At an upcoming conference on the 7th of November I’ll be talking about Data Protection, Data Governance, and Privacy by Design. The other delegates include some of the world’s leading experts on Data Governance, Information Strategy, and Data Quality. It’s a pretty darn good conference.

    Irish Water might want to send some people so they can learn from the other delegates and I about Data Protection, Data Modelling, and Data Governance.

    [Update: This status update has appeared via the @IrishWater twitter account which seems to suggest the Irish Times had it wrong:

    Because Irish Water can’t be wrong can they? Left hand needs to communicate with right hand and then talk to their customers!]

  • Irish Water and the DPC’s letter and what it means

    [This is a repost of a post I wrote o the 24th of September. Some people said they had difficulty accessing it so I am reposting it. I’ve updated it with links to other relevant posts that I’ve made since then. They are included in-line]

    This evening [24th Sept] the Data Protection Commissioner has contacted Irish Water in relation to their processing of personal data. Deputy Roisin Shorthall TD has published a response from the Commissioner’s office on her website to questions she has raised. The response reads as outlined below. I’ve annotated it with an explanation of the key issues raised. Key sentences are highlighted:

    Dear Deputy Shortall,

    I have been asked by the Commissioner Helen Dixon to respond to you on her behalf.

    Thank you for your query in relation to concerns you are hearing about Irish Water’s proposed collection and use of personal data. This Office is concerned to ensure there is clarity on these matters for the 2.2 million prospective customers of Irish Water. Clearly, the obligations under the Data Protection Acts in this regard fall directly on Irish Water as the Data Controller in terms of ensuring they are collecting data in a lawful way and using it for a legitimate stated purpose which they make clear to users of their service. Notwithstanding the obligation on Irish Water, this Office is in on-going contact with them in an effort to ensure they take on board our best-practice advice in this regard.

    [This paragraph confirms that Irish Water is the Data Controller and is subject to the Data Protection Acts.

    One of the fundamental principles of Data Protection under the Acts and the EU Directive is that data should be processed for a specified and lawful purpose. There is a requirement on Data Controllers to be clear with people about what uses their data will be put to. It is Irish Water’s job to make sure that that clarity is there.

    The DPC is in on-going contact in an effort to ensure they take on board our best-practice advice” basically means that Irish Water has not done things the DPC might have expected and they are engaging with them to try and fix the situation. Under the Data Protection Acts the DPC must always seek an amicable resolution in the first instance. That usually involves a lot of “on-going contact” with organisations that have not quite got what is required of them.

    If the DPC is in “on-going contact” with you to give “best practice advice” you are NOT compliant, you are engaged in an amicable resolution process with the DPC. The only distinction is that the DPC has not yet made a decision that you are not compliant. If an Enforcement Notice issues at all in this instance it will be interesting to see what happens.

    Update: As Irish Water is subject to the Data Protection Acts, the apparent absence of an operational “movers/leavers” policy for people changing address is a problem. I explain why here. The summary being that one of the obligations under the DPA is to keep data accurate and up-to-date, in the context of the purposes for which it is being processed.]

    The collection of the PPSN for use by Irish Water in verifying occupants of a household is provided for in legislation. We are satisfied from this Office’s interactions with Irish Water that it is intended to use the PPSN for the sole purpose of confirming the qualification for a free water allowance of occupants of the household (including children) and in line with conditions set down for its use by the Department of Social Protection. However, we are in agreement that the Data Protection Notice published does not currently give sufficient clarity and detail in this regard and we are corresponding with Irish Water and providing our views on this.

    [This paragraph confirms that there is a statutory basis for Irish Water to ask for PPSNs. It sets out that Irish Water has told the DPC that the SOLE purpose for processing PPSN is to confirm the qualification for free water allowances.

    The bit in bold is interesting. The DPC are “giving their views” on the clarity of the Data Protection notice (which is also referred to as a “fair processing notice” in Data Protection-speak) because they are of the view that the notice as published doesn’t give sufficient clarity. Not having sufficient clarity means that the Data Protection notice fails a basic test: that of being specific as to the purpose or purposes of processing. That is a breach of the Data Protection Acts, but is not, in and of itself an offence under the Acts for a host of technical reasons that hurt my head to explain.

    Again, if the DPC is contacting you to “provide views” on something, you are not compliant. The DPC does not tend to write letters telling you you’re brilliant and should have a gold star. Correspondence providing views is part of the investigation/amicable resolution process that the DPC is required under the Acts to follow. If an organisation is compliant the DPC wastes neither stamp, nor electron, nor oxygen molecule engaging in “correspondence” – the exception being where an organisation is audited or investigated and good practices are found to be in place. In that case you might get a mention in the Annual Report.

    I suspect Irish Water may get a mention but not for the right reasons.

    Also, the DPC does not specifically mention the question of the retention period or purposes for retention of PPSNs. I would assume that that topic would form part of the discussion as, if there is no purpose beyond the initial validation of allowances there is no lawful purpose for Irish Water to retain PPSNs.

    Again, the issue of clarity was the very topic I picked up on when I wrote my first blog post about the Data Protection Notice 18 days ago. It’s reassuring to see that the Data Protection Commissioner shares the concerns I raised.

    update: Today, on foot of an Irish Times article, I wrote this post which points out that Irish Water are citing a purpose for retaining PPSNs that give a retention period of at least 6 years. And it is not a purpose that is related to the validation of entitlements to allowances.]

    The issue of disclosure of personal data to third parties inevitably arises in the case of Irish Water where they are already using contractors to fit water metres and for other outsourced functions. This Office has asked Irish Water to be transparent in terms of making clear the categories of the data processors to whom they are providing the data and for what purpose and to provide contact details in the event that a customer wishes to raise a data protection concern. We are currently following up with Irish Water on this matter.

    [Again, the question of clarity and transparency raises its head here. The Office of the Data Protection Commissioner correctly recognises that there are times when the use of third parties to do things for a company. Contractors are the third party in question. Third parties, doing work for Irish Water, under contract. These are known as Data Processors.

    The DPC here is requiring Irish Water to be transparent about the CATEGORIES of data processor they will disclose data to, for what purpose, and to give contact details if there is a Data Protection concern. Normally, the Data Controller is the entity concerns are raised to and they use their contract (for the love of spuds let Irish Water have proper data processor agreements in place) to address the issue with the Data Processor via a right of audit or inspection (as is actually required under the Data Protection Acts). If the DPC is now requiring contact details to be provided for Data Processors as well, I can’t see how that fits with only identifying categories, but would be happy to help figure it out. 

    Interestingly, the DPC seems to be going beyond what I’d included in my mockup “alternative universe” version of the Data Protection Notice. I’ll be taking note of that and advising clients accordingly.

    Also, the requirement to specify “categories” of recipients of data differs slightly but significantly from their Direct Marketing guidance in relation to providing marketing lists to or conducting marketing on behalf of third parties, which currently requires the SPECIFIC organisations data will be shared with to be disclosed at the time of data capture. If that requirement was intended to be specific categories as well, it makes a lot more sense and the current wording needs to be revisited to correct what appears might be a transcription error.

    Again, the DPC is “following up with Irish Water on this matter”. An organisation that is compliant with the requirements of the Acts does not require the DPC to “follow up”, and yet again the DPC is following up on issues of transparency, clarity, communication, and (in essence) customer focus.All of which were issues that I raised nearly 3 weeks ago.]

    Equally, Irish Water as part of their business model may use outsourced service providers outside of the EEA. We are not aware that this is currently part of their actual business plan but it would appear to be the case that they wish to ensure this eventuality is covered in their Data Protection Notice. Again, we have asked them to be more explicitly clear in the notice in relation to how they would protect the data and to identify where possible what type of data and for what purpose a transfer would occur.

    [This paragraph means that the DPC agrees that the use of outsourced data processors outside the EEA is something Irish Water MAY do in the future. This is very common. High street supermarkets use software development teams in India, telephone companies use database administrators in other countries, many SMEs use tools and technologies that have their data sitting outside the EEA. It’s a common thing. Irish Water include it in their Data Protection notice as a future proofing element.

    I note with interest that the DPC is asking for Irish Water to more explicitly state what type of data and for what purpose the data would be transferred outside the EEA. This is essentially the same question I asked in my original blog post when I wrote;

    Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?”

    The DPC’s request for Irish Water to provide more information about how they would protect the data is essentially the same as my query about “under what controls”.

    Again, if the DPC is asking you to be more explicit in how you are communicating things, then that means you are not compliant and are in the “amicable resolution zone” where the DPC talks gently to you to encourage more compliant behaviours. That’s a good thing if it is happening during planning and design of a system or process, but is a horrendously bad thing to have happen when you are up and running with your processing. At any point the gentle communication could develop teeth and you might be instructed to do something by way of an enforcement notice. The DPC is empowered to block any data transfer outside the EEA using a Prohibition Order under Section 11 of the Data Protection Acts.]

    I hope this information is of use to you. We do understand the urgency of the matter in light of the obligation on customers to return application forms to Irish Water and we are communicating our views in relation to this urgency to Irish Water.

    Yours sincerely, John O’Dwyer Deputy Data Protection Commissioner

    The DPC does not address in this communication the question of whether Irish Water’s approach to marketing consents is valid (I believe it is not). I’d expect that correspondence is on-going in relation to that aspect at the moment as well. And while Irish Water may wish to insist they are compliant in that regard, I beg to differ.

    I suspect this particular well has not yet run dry.

  • Irish Water Data Protection Notice: A review…

    circle of trustIrish Water have published their Data Protection notice on their website. This document is a key element in any organisation’s data protection compliance. It is the way in which the organisation demonstrates “fair obtaining” of personal data and sets out the specific lawful purposes for which they are processing data.  It is essential that these documents are as clear as possible, particularly for audiences who may have literacy difficulties. This is why I strongly recommend to clients that they do not let their legal team write these. Ultimately, data protection compliance is about ensuring you don’t have a surprised customer. It’s also about ensuring you establish and maintain a “Circle of Trust” about why you are asking for data and how you will process it.
    In this post I’ll go through the Irish Water Data Protection notice and parse each paragraph and explain what it means and, where necessary, point you to the relevant legal justification for the processing that is taking place.

    Irish Water Data Protection Notice

    (sourced from https://www.water.ie/data-protection-notice/ 05/09/2014)

    In order for Irish Water to provide the Customer with Water Services, it is necessary for Irish Water to collect and use data, including personal public service numbers, relating to the Customer. This data is used mainly to manage and administer the Customer account and for operational reasons, including for example, visits to the Premises, works required at the Premises and construction and maintenance activities. In addition, data relating to the Customer may be used for health and safety, administration, risk assessment, marketing and credit checking purposes. Irish Water may use the data relating to the Customer to carry out credit checks and for fraud prevention with licensed agencies including the Department of Social Protection and fraud prevention agencies. This data may be recorded by these organisations to prevent fraud, help make credit decisions about the Customer and for debt collection purposes. Irish Water may keep the Customer’s data for a reasonable period after the Customer ceases to be supplied with Water Services but will not keep it for any longer than is necessary and/or as required by law.

    [comment: This paragraph basically says they are going to process data about you, including your PPSN.  The problem arises here with their description of the purposes for which data is to be processed. It appears that they will be using your PPS number for things such as site visits and construction and maintenance activities. That strikes me as being irrelevant data and excessive for the purpose for which it is being put to use.

    Data relating to “health and safety issues” might relate to a record of illnesses or medical conditions which might affect your need for uninterrupted water supply – the ESB has similar data processing for elderly customers or customers with medical equipment in the premises so they don’t cut people off from life as a consequence of cutting them off from the ‘leccy. This would probably be covered under the provision in the Data Protection Acts that allows processing where it is necessary to prevent injury or damage to the health of the data subject. A key word there is “necessary”. 

    Administration, risk assessment, marketing, and credit checking would be covered under the heading of processing that is in the legitimate interests of the Data Controller. Nothing too bad there. We need organisations to be able to move paper about people to run the show.  

    The credit checking purpose raises its head again later in this paragraph. Credit checking and fraud prevention are legitimate purposes, checking with the DSP is likely to be related to validation and verification of PPSNs and validation of any claim of receipt of a relevant Social Welfare payment. But this is unclear. The question of sharing with “fraud prevention agencies” is one that I would watch closely to be honest: does this mean sharing data with private investigators/tracing agents? If so, what controls will be applied to this? I would hope that Irish Water have learned the lessons of various Credit Unions regarding the oversight and control of such agencies?

    “This data may be recorded by these agencies” is a worrying sequence of words. This suggests a transfer of data that will be retained by these agencies. There is nothing stated here regarding the retention period that will apply to this data. One possible interpretation is that all data of all customers will be handed to unknown tracing agents to hold on to for a vague “fraud prevention” objective that may not be related to Irish Water itself but may be utilized by other entities. I hope that is not the case. Also, why would these agencies need to retain data for “debt collection purposes” if they had been given it for fraud and credit checking purposes at customer sign up? That smells decidedly disproportionate and, frankly, non-compliant. Unless a person has failed to pay their bill there is no reason for their data to be retained by anyone for “debt collection” purposes. If you’ve passed the credit check and you account is in good order, there is zero lawful purpose for any 3rd party to have access to data about you and your family.  I’m hoping against hope that I’m misreading this, but I doubt it (I do this for a living).

    The retention period that is referenced in the last sentence is “a reasonable period”. That’s a similar duration as the length of string I have in my pocket. Curtailing it with reference to “as necessary and/or as required by law” is lawyer weasel words. This sentence is largely meaningless. If you are a ceased customer who has no outstanding debt with the company then there is no legal time period applicable and Irish Water would need to set a policy – many of my clients have similar issues and we get them to PICK A NUMBER and JUSTIFY IT WITH A REASON. Regarding ceased customers, the relevant period is the statute of limitations on a debt. “What about if people sue us or we are suing people?” organisations ask me: Have a ‘legal hold’ provision I reply. “Data may be retained on a case by case basis where necessary to seek legal advice or exercise or defend legal rights” is one useful form of words.]

    Irish Water may share the Customer’s data with agents or third parties who act on behalf of Irish Water in connection with the activities referred to above. Such agents or third parties are only permitted to use the Customer’s data as instructed by Irish Water. They are also required to keep the Customer’s data safe and secure. The data that we collect from you may be transferred to, and stored at, a destination outside the European Economic Area (“EEA”). In the event that the data is stored outside of the EEA, Irish Water shall procure that all relevant laws are complied with to secure the data. It may also be processed by staff operating outside the EEA who works for us or for one of our suppliers. Such staff maybe engaged in, among other things, the processing of your request for information and the provision of support services. By submitting data to Irish Water, the Customer agrees to this transfer, storing or processing. Irish Water will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Clause 19.

    [comment:

    This clause should have a “data sharing” heading. It repeats a bit of what was in the previous section. “Such agents or third parties are only permitted to use the Customer’s data as instructed by Irish Water” is a reasonable sentence. Of course, it must be assumed that those agents and third parties have contracts with Irish Water that specify the purposes and controls for processing. 

    This section also tells us that data “may be transferred to, and stored at, a destination outside the European Economic Area”. This suggests use of outsourced data centres or data processors that are outside the EEA. There is nothing wrong with this in and of itself, but the problem comes with the next statement: “Irish Water shall procure that all relevant laws are complied with to secure the data”. This is problematic, apart from the awkward use of the word “procure”. Cross border data transfer outside the EEA requires either that the destination country is either a Safe Country , be covered by Safe Harbor (i.e. the US), or be undertaken using model contracts.

    Why is our data being transferred? Staff outside the EEA working for Irish Water or a supplier will be processing data if we request information or to provide support services. This sounds like either IT support services being provided outside of the EEA or direct customer support call-centre type services being provided outside of the EEA. Question: Is Irish Water planning to outsource call centre operations to India? Also: What countries are they intending to transfer data to, and under what controls?

    Apparently, by submitting data to Irish Water we will have agreed to the transfer. This is probably not valid consent under EU Data Protection law. While it is specific and informed, it is not freely given. Individuals have to provide data to Irish Water. While I am heartened to see that Irish Water will take all steps reasonably necessary to ensure data is treated securely, I’m bloody confused where “Clause 19” comes from (I suspect this Data Protection notice is an extract from a longer T&Cs document). Unfortunately, Irish Water are not required to take all “reasonably necessary steps”. They  are required to ensure appropriate organisational and technical controls.

    And as for processing “in accordance with this Clause 19”? Well, without knowing what that Clause 19 actually is (it might be this paragraph *shudder* or it could be something else) I can’t add anything about the impact or meaning of that sentence.]

    Irish Water may disclose the Customer’s data to third parties in the event that it sells or buys any business or assets, in which case it may disclose Customer data to the prospective seller or buyer or such business or assets; if Irish Water or substantially all of its assets are acquired by a third party, in which case Customer data held by it about its Customer will be one of the transferred assets. Irish Water may also disclose Customer data if it is under a duty to disclose or share Customer data in order to comply with any legal obligation, or in order to protect the rights, property, or safety of Irish Water, its customers or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction. Irish Water will also disclose Customer data if it believes in good faith that it is required to disclose it in order to comply with any applicable law, a summons, a search warrant, a court or regulatory order, or other valid legal process.

    [comment: 

    The inclusion of a disclosure purpose covering sale or transfer of assets is normal and common sense for any business. The biggest asset in most businesses now is its customer data. Disclosure of data when buying an asset is a question mark purpose, but one scenario might be due diligence when buying another water services business serving the Irish market to validate the size of the additional customer base being acquired. I’d question the legitimacy of disclosing data when buying a non-water sector business however. 

    This clause also says that Irish Water will disclose data if required to do so under any legal obligation or to protect rights, property, or safety of Irish Water, its customers, or others. This is allowable under the Data Protection Acts, but should not be read as a blanket provision allowing any kind of disclosure. Appropriate governance controls would need to be in place to ensure that the “legal obligation” is valid and to ensure that the decision about protecting rights, property, and safety is taken under appropriate guidelines and controls.  Of course, we can’t ignore the last sentence here which basically restates in a different way the kinds of legal obligation under which data might be disclosed. The “believes in good faith” clause suggests to me that IW will not contest any order requiring disclosure of data. My reading: If you are drinking tea while engaged in illegal downloading, IW will tell IRMO if asked.

    This paragraph reiterates the exchange of and disclosure of data to third parties for fraud prevention and credit control. I’ve already raised an eyebrow about that earlier.]

    From time to time the Customer may speak to employees of Irish Water (or agents acting on its behalf) by telephone. To ensure that Irish Water provides a quality service, the telephone conversations may be recorded. Irish Water will treat the recorded information as confidential and will only use it for staff training/quality control purposes, confirming details of the conversations with Irish Water or any other purposes mentioned in this Clause 19.

    [comment: 

    This actually a reasonably good provision, at least in part. It provides for the recording of calls with their employees or sub-contractors (i.e. customer service staff in call centres – see my question re: where those call centres might be in the future earlier).

    The problems with this clause are that it starts with specific statements of purpose (“staff training/quality control”) and then degenerates quickly into catch-all vagueness (“or any other purposes mentioned in this Clause 19”). Firstly: Clause 19 is not numbered or identified in this document. Secondly, I’m a Data Protection professional and I can’t say that, even after a number of readings, I could list what specific purposes are mentioned in this document. There are a lot of “reasonable”, “as necessary”, and “because we’re worth it” type phrases. I can’t scan quickly and directly to a single section that says: “These are the purposes for which we are processing information”.]

    The Customer has a right to ask for a copy of the Customer’s data (Irish Water is entitled to charge a nominal administration fee for this) which is held by Irish Water about the Customer. If the Customer wishes to avail of this right, a request must be submitted in writing to: Irish Water, Data Protection Officer, PO Box 860, South City Delivery Office, Cork City. In order to protect the Customer’s privacy, the Customer may also be asked to provide suitable proof of identification. If any of the Customer’s details are incorrect the Customer is entitled to notify Irish Water to amend such details. Where the Customer has any queries in respect of Customer data it should contact Irish Water using the details provided in Clause 20.2.

    [comment:

    This paragraph tells us we have a right to ask for a copy of our data and we have to submit the request in writing. Correct thus far, this is as required under Section 4 DPA). They say they are entitle to charge an administration fee. This is correct. It’s €6.35 maximum. They don’t tell us how to pay that (postal orders, 10 €0.65 stamps, 635 1-cent coins…). They provide a postal address to send our requests to. It’s worth bearing  in mind that the Data Protection Acts only require that the request is in writing and organisations are not actually allowed to prescribe a standard form or mechanism for sending in Subject Access Requests. Personally, I’d have used an email address for this in addition to the postal address to ensure capture of SARs early in the process. I also hope their processes for handling requests that come in are better defined and resourced than this classic example.

    That Irish Water are telling us they may ask for proof of identification for a Section 4 request is not a bad thing. It is good practice to verify the identity of a requester and is a basic organisational control practice to prevent unauthorised disclosure. Of course, once identification information is provided (e.g. passport copy) and the identification process has been met, the data should not be retained. The DPC looked at this in Case Study 16 of this year’s Annual Report.

    This paragraph also requires us to address any queries in respect of data to a different address. We’re told the contact details are in Clause 20.2. Out of context, that is utterly meaningless – they might as well have asked us to send our requests attached to an Owl care of Hogwarts. It is important to note that queries in respect of customer data are most likely Section 3 requests – requests to confirm if data is being processed, and why, or requests to have data rectified or erased under Section 6 of the DPA. The use of two different addresses for Data Protection related processes strikes me as potentially inefficient and an inevitable cause for confusion. I always recommend to clients that they have a single “Data Protection request” funnel and have well defined back-office processes to sort the requests and process them effectively and efficiently.

    If the Customer signs up for any of the Irish Water online services and Irish Water communicate with the Customer by email, the Customer is solely responsible for the security and integrity of the Customer’s own email account. The Customer accepts that electronic mail passing over the Internet may not be free from interference by third parties. Consequently, while Irish Water will take all reasonable security measures, Irish Water cannot guarantee the privacy or confidentiality of information relating to the Customer when passing over the Internet. Unfortunately, the transmission of information via the internet is not completely secure. Although Irish Water will do its best to protect Customer data, it cannot guarantee the security of Customer data transmitted via the internet; any transmission is entirely at the Customer’s own risk.

    [comment: Summary of this is that Irish Water accept no responsiblity for the security of email communications. This is true. They can’t be responsible for external malicious attacks on your email account. This is a limitation of liability clause. It is not unreasonable. Of course, IW could give the option of using encrypted email communication…

    Marketing [note: this is where some fun starts]

    Irish Water and/or authorised agents acting on behalf of Irish Water, may wish to contact the Customer by text message, email, post, landline or in person about water related with products or services which may be of interest to the Customer (“Marketing Purpose”).

    [Comment: 

    This paragraph does not meet the requirements of SI336.

    1. Marketing by SMS requires opt-in consent under Section 13(1) of SI336. Given there is no alternative water service provider, any implied consent that might be argued would likely be invalid on grounds of it not being freely given. This basically amounts to a pre-ticked box on a web-form, which the Article 29 Working Party has already said doesn’t meet the requirement for informed opt-in consent.
    2. The same goes for marketing by email.. (SI336 lumps email and SMS messages in under the same term – electronic message).
    3. Post is OK for an opt-out mechanism under SI336
    4. Landline calls are also OK for an opt-out mechanism under SI336 (Section 13(5))

    The “in person” provision is door to door selling. 

    The catch all “related with products or services which may be of interest to the Customer” clause here is very wide. The service being offered does not have to be related to your water service – This is sufficiently broad that Irish Water could call you to sell Andalusian Time Share units if they so desired.

    I note that their consent landgrab does not extend to mobile phones. If I was mischievious, I’d suggest that people enter their mobile phone number as a contact number as SI336 requires prior, explicit, opt-in consent for calls to mobile numbers (SI336, Section 6). 

    If the Customer does not wish to be contacted for Marketing Purposes as set out above, the Customer may exercise a right of opt-out by either writing to Irish Water at FREEPOST, Irish Water, Data Protection Opt-out, PO Box 860, South City Delivery Office, Cork City or by calling Irish Water on 1890 278 278.

    [comment: You can send your opt-out requests by a freepost letter or by ringing their call centre. Another address, another set of processes. It is clear that there is a strong presumption that opt-out is a sufficient mechanism for their marketing. This is incorrect.]

    Conclusion

    There are some good things about this Data Protection notice. However, they are outweighed by:

    1. Poor structure and layout that makes it very difficult to find relevant information and understand what is being done with data
    2. Some extremely vague and non-specific provisions, as well as some “kitchen sink” “just-in-casery” in terms of what is being addressed
    3. Some simply unsupportable approaches to obtaining consent
    4. An appearance of a fragmented and not properly thought through approach to governance of Data and management of Data Protection obligations.

    The upshot:

    • Tinfoil hat brigade will have wriggle room to misunderstand potentially valid and allowable processing purposes, which will lead to more nonsense and noise.
    • The rest of us will find our data being processed in a range of vague and unspecified ways to which we will be told “you consented”, which we actually didn’t as consent needs to be freely given and meaningful and it is difficult to see how one can consent to take -it-or -leave-it provisions in the terms and conditions of a monopoly organisation.
    • Irish Water will wind up dealing with Data Protection complaints, some groundless but many with a strong basis.
    • Irish Water will engage in activities that will actually breach Data Protection rules when they engage in marketing, and will attempt to argue that customers consented. This will result in investigations by the DPC, and avoidable legal costs in defending prosecutions.

    My rating: 5/10 – close, but no cigar.

  • Roll Up, Roll Up – see the amazing psychic dog! (minor update)

    Roll up Roll Up, meet the new DPC!
    Roll up Roll Up, meet the new DPC! (says Irish Times)

    Every so often I read things in the newspaper that make me go “Yay!”. More frequently I read things that make me go “Boo!”. Today, as with other days, I read something that made me go “WHAT THE F….?!?!”.

    Over the past few weeks the Irish Times has done a bang up job breaking some excellent stories about Data Protection issues in Ireland. Karlin Lillington, Elaine Edwards, and others have sought to “Tell the Story of Why” and push past the usual soundbites and bullshit gloss that usually passes for data-related journalism in Ireland.

    One great example of this was the work done on a story about how the Dept of Arts Heritage and the Gaeltacht had erred in exposing data on living people (whose data privacy rights are protected under the Data Protection Acts and the Treaty for the Formation of the European Union, as well as the Irish Constitution – and if you want a potted guide to all of that Gerard Hogan gives a great summary here) on the IrishGenealogy.ie website. This was despite having had consultation with the Office of the Data Protection Commissioner and having had guidance on what was and was not acceptable from a Data Protection perspective.

    The various pieces written by Elaine Edwards were detailed, explained the core of the issues well, and generally added to the quality of discourse.

    On the 23rd of July, in their Online edition, the Irish Times ran this piece of utter nonsense dressed up as journalism. It’s such a poorly researched and written piece that I can understand why the author felt it best to leave their name off the byline [update- unfair to author, it was a leader piece, but if so my comments below are even more relevant – /update].

    It is true that the DPC raised issue regarding a property price register. The issue was that the sharing of data between different entities that would be required to create such a register, while of interest to the public, lacked a legislative basis and therefore risked breaching the Data Protection Acts. Legislation was passed two years ago that provided the “air cover” for the sharing of data to build a property register and lo and behold there is a property price register in place now, linked to the LPT process.

    Comparisons between Irish law and UK law are often as valid as comparing an apple and orange, and complaining about the bitterness of the orange skin as you try to bite into it, on the basis that they are both fruit.

    But the doozy in this article for me is the challenge to the DPC as to why they didn’t spot that the Dept of Arts Heritage and the Gaeltacht were in breach of the Data Protection Acts for a year. The anonymous author of this article asserts that the DPC’s job is to ensure compliance with the Data Protection Acts.

    Actually no. That is not their job. To make the Regulator responsible for ensuring compliance breaches a number of concepts in Governance, such as segregation of duties.

    Their job is to enforce the Act, to provide advice on how to not be non-compliant (which they did in this case), and investigate and prosecute offences under the legislation (albeit with a role in relation to education and awareness building as well).

    The responsibility for ensuring compliance rests with the Data Controller doing the processing, in this case the Dept of Arts, Heritage and the Gaeltacht, who were non-compliant because they did the very thing they were told not to do by the DPC. Responsibility for ensuring compliance rests with the IT project team who developed interfaces that shared too much data, the testers who didn’t spot it, and the Data Controller in the Dept who didn’t double check that the business rules were followed.

    The DPC’s job is to hold the Data Controller ACCOUNTABLE.

    The bizarre logic of the writer of the article simply makes no sense. Are the Gardai responsible for ensuring compliance with the Road Traffic Acts? No. Their job is the detection of, investigation of, and prosecution of offences. Just like the DPC in this context – when the Office was made aware of a possible breach of the Acts, they investigated and took action immediately.  (Ensuring compliance with the Road Traffic Acts is the responsibility of the road user).

    For all the sense that is in the article, the anonymous scribe [update-anonymous as it is a leader piece-/update] might as well have advocated that the soon to depart Mr Hawkes be replaced with a Psychic Dog who would detect all the potential future crimes, just like Tom Cruise in Minority Report.

    Lazy, sloppy, and brain numbingly dumb hackery dressed up as journalism, an article of this low quality has no place in a paper of merit such as the Irish Times.

    Good, informed, and informative journalism on Data protection issues must be encouraged however.

  • Stand up for Digital Rights, Ireland.

    In the Western world our rights are under attack. In the UK for example the policy of the Tory party is to abolish the Human Rights Act (http://www.bbc.co.uk/news/uk-politics-21726612). In the fast changing world of data and information private companies and governments alike go to great lengths to peer inside our digital lives in a manner often disproportionate to or ineffective for the stated purposes of ‘national security’ or copyright enforcement. The revelations over the summer from Edward Snowden, and a variety of other stories relating to the use, misuse, and abuse of our private personal data by companies and governments alike have resulted in Dictionary.com making “Privacy” its Word of the Year for 2013 (http://blog.dictionary.com/privacy/)

    Last year saw the Irish Government, in its presidency of the European Union, preside over a significant watering down of rights and protections for individual data privacy in the proposed EU Data Protection Regulation. This regulation was subject to 4000 proposed amendments and one of the most intrusive lobbying campaigns by organisations seeking to reduce the protections over personal data privacy afforded to EU citizens. But last year also saw Digital Rights Ireland punch significantly above it’s weight on the European stage, with their appeal to the ECJ on the retention of telephone, sms, and internet usage data by telecoms companies on behalf of governments – precisely the same information that was at the centre of Snowden’s PRISM disclosures.

    Digital Rights Ireland plays a valuable role in the evolution of our personal digital rights, particularly as we struggle to define where we must draw the line between an Information Economy, where the users of services are the means of production, and an Information Society, where powerful tools for communication and interaction allow us to engage, but to wear a mask or withdraw to our personal fortresses of solitude where we can define and redevelop our sense of self as people. Not as products.

    However, DRI had one set back in 2013 which puts their ability to stand up for our rights, your rights, in an Information Society. They were on the losing side in litigation about copyright issues. Their role in the case – to be a counterpoint voice for the people and to bring additional information and perspective to the Court. The impact: the music industry looked for costs of the guts of €30,000 against DRI for one day in Court. This was reduced to €13,000 on appeal to the Taxing Master. No other party to the case is seeking costs against DRI.

    The risk now is that DRI might be liquidated by the music industry representatives. For standing up and suggesting alternative solutions might be needed, for pointing out how web filtering is easily circumvented, and basically being a devil’s advocate on the side of the individuals who make up our society.

    Money must be found. DRI runs on a shoestring, favours, and jellybabies. There is no salary for its directors,  no top ups, no big dinners or extravagant radio adverts. Just people who care and give up time from their day jobs to provide a voice for Digital Rights. That voice will fall silent if they cannot raise the €13,000 needed as soon as possible.

    It is time to stand up for Digital Rights, Ireland. Rather than buying a data slurping tablet in the sales, or downloading another privacy invading smartphone app\tracking device, go to www.digitalrights.ie and check out what they do for you. Then go here (http://www.digitalrights.ie/support-us-in-2014/) to learn more about their problem. Then go here http://www.digitalrights.ie/support/ to donate, either a once off payment or a recurring donation.

    And if you don’t, you risk waking up one day as a just another unit of production in an Orwellian dystopia.

  • DPC, Prism, Safe Harbor and stuff

    The Irish DPC has come under fire in the international media on foot of their failure to act on a complaint by Europe v Facebook about US multinationals with bases in Ireland allowing data to be accessed by the NSA.

    The gist of EVF’s complaint is that this access invalidates Safe Harbor and therefore makes the transfer of data by these companies to the US is therefore illegal.

    EVF may indeed be right. The key 2-legged test to be passed is whether the access by law enforcement/national security agencies to the data that is being transferred is necessary for the national security/law enforcement purpose, and whether the access/processing is in turn proportionate to the objective when balanced against the fundamental right to privacy.

    Prism and similar programmes quite probably fail either or both legs of that test. Certainly the ECJ seemed to be very concerned with whether European governments had done enough to demonstrate necessity and proportionality with regard to EU communications data retention (http://www.contentandcarrier.eu/?p=435).

    This is the ECJ case that the Irish DPC refers to in the written response to Europe-v-Facebook.

    Safe Harbor is a scheme entered into by the European Commission and the US Dept of Commerce to facilitate transfers of data to the US. It is decidedly imperfect and had been the subject of criticism since it was introduced in 2000.

    It is one of the mechanisms under which organisations can transfer personal data outside the EEA (28 EU member states plus Norway, Iceland & Liechtenstein) under S11 of the Data Protection Acts

    S11 does give the DPC the power to prohibit such transfers in certain circumstances. The DPC needs to be of the view that data protection rules are likely to be contravened and individuals are likely to be harmed as a result. This power is limited in that it does not apply where the transfer is required or authorised by law.

    And here’s the rub:

    • Safe Harbor is a scheme that authorises the transfer. So the DPC can’t unilaterally prohibit the transfer of data where Safe Harbor is being applied.
    • The Irish DPC does not have statutory authority to second guess the EU Commission on the legality of Safe Harbor
    • PRISM is, at this time, understood to have a statutory basis in the US and no-one court has yet ruled on the necessity and proportionality of its data gathering, so there is no breach of Data Protection rules per se. If the ECJ gives guidance re similar EU laws this could alter things.

    In short, the Irish DPC’s hands are probably tied by the law.

    Billy Hawkes lacks the legal authority to rule on the validity of Safe Harbor, so while transfers under Safe Harbor are valid in the EU Commissions eyes he probably can’t prohibit a transfer that is based on Safe Harbor. That is probably for the EU Commission to do.

    Nor is he empowered to make a finding of fact against the NSA regarding the necessity and proportionality of their processing (that’s for the US courts, or for the EU Commission to adopt as part of their review of Safe Harbor) – but will be bound by whatever principles of proportionality and necessity for communications meta-data processing emerge from the ECJ Data Retention Directive case, which is likely in my view to be more of a steer to the EU Commission regarding controls that would be required in “Son of Safe Harbor” than empowering the DPC to torpedo Safe Harbor himself.

    I suggest that it is this reasoning which the German DPAs have applied in their action which has had the effect of prohibiting transfers in scenarios where they had direct competence but served only to send up a warning flare that Safe Harbor and Model Contract Clauses might be broken – but DPAs lack the statutory competence to actually do anything about it and it must be addressed by the Commission.

    Rather than “regulator fails to enforce law”, this story is more correctly “Regulators hampered by broken law unsuited for modern age”

  • The DPC, Prism, and the Tech Giants (updated)

    Europe v Facebook has issued a press release today decrying the failure of the Irish DPC to find fault with the reliance on Safe Harbor by US technology companies in the transfer of personal data of EU citizens to the US where it fell into the net of PRISM.

    The soundbite friendly position evf is taking is that the Irish DPC is kowtowing to economic interests in not pulling the plug on Safe Harbour as German DPAs have done.

    However I would suggest that the position is slightly more nuanced than that. The key test that needs to be met for the national security/law enforcement exemptions to Safe Harbour is one of necessity and proportionality of the invasion of privacy set against the national security/law enforcement requirement.

    The EU currently has a Data Retention Directive. It is law in most EU member states, but is currently subject to an action in the Irish High Court which has referred questions to the ECJ, which ultimately rest on issues of necessity (I.e is it necessary to retain the metadata of every call, web access, email, sms sent over a comms provider in the EU, and if it is necessary is it proportional to do so for EVERYONE compared to the actual risk/objective).

    This ECJ action is referred to explicitly by the DPC in their response to evf.

    In the absence of a ruling in that case or a decision by the EU commission that PRISM constitutes an unnecessary and disproportionate intrusion under Safe Harbour the DPC is acting in line, in my view, with the law that is in front of him.

    But the Germans have pulled the plug I hear you cry! Yes. They have – to a point. But the German Constitutional Court has also struck down their national implementation of the EU Communications Retention Directive. So the law in Germany is slightly but significantly different.

    But this awkward disjointment of laws highlights the need for improved standardisation of Data Protection laws in Europe and an improved collegiate operating structure for DPAs. This is part of what the revised General Regulation on Data Protection was to deliver.

    It also highlights the questionable justification for double standards for law enforcement as illustrated by the existence of the parallel revisedDirective on Data Protection for EU law enforcement agencies which differs from the draft Regulation.

    As a childhood (and adult) fan of the classic TV show “Yes, Minister” I’m minded to give the DPC some benefit of the doubt in their position as it would be preferable for there to be an EU bloc position on Safe Harbor rather than piecemeal action. That requires either EU Commission termination of Safe Harbor due to its abuse on grounds of inappropriate and unnecessary intrusion, or a ruling from the ECJ that defines those rules in an EU context in regard of our own data sucking activities.


    After a little digging, it turns out that the position of the German DPAs doesn’t differ all that much from the Irish position. They actually haven’t suspended Safe Harbor, just called on the European Commission to clarify how Prism etc is compatible with EU privacy principles.
    http://www.huntonprivacyblog.com/2013/07/articles/german-dpas-halt-data-transfer-approvals-and-consider-suspending-transfers-based-on-safe-harbor-eu-model-clauses/
    What is suspended are transfers based on any other basis other than model contract terms or Safe Harbor.

    So, in effect, the German DPAs have kicked the ball back to the European Commission in a manner similar to the Irish DPC, but have forgotten to mention the significant ECJ hearing as well.

    That is not to say that I am thrilled with how it has been handled. The DPC should have issued a formal decision on this setting out their position so that evf could appeal against it in Court. That would be an interesting case to see and I suspect many of the arguments that would need to be put forward have already been drafted in respect of Digital Right Ireland’s High Court and ECJ actions.

    Of course, I don’t rule out the possibility of an overworked under resourced Data Protection authority making an error in their assessment of the legal position. And, unfortunately given the dischordant “tone at the top” from Alan Shatter on matters Data Protection the political landscape Billy Hawkes must navigate is challenging.

    This will get very interesting I suspect.

    (And I’ve left the question of whether the Irish DPC even has the powers under the domestic legislation to do what evf are requesting for another day)

  • Buying back the mortgaged off

    Today’s Irish Times has a ‘news’ story about a man who, during the boom, sold his home and land for €3million and has just bought it back for €215,000.

    Fair play to him. He sold a property and home he loved and made a profit. Now he can have his cake and eat it, returning wealthier to the same home and hearth.

    The same, unfortunately, is not true of protections for fundamental human rights. In the current economic turmoil it is tempting to mortgage them or sell them off in the interests of supporting business and reducing red tape. However, when the economy recovers it will probably be impossible to push the pendulum back towards respecting the rights we have forgone in the interests of economic expedience. We will have a recovered economy but a diminished society.

    This is what is happening with the EU Data Protection Regulation. Earlier this month the Irish Government, in one of the last acts of their EU Presidency, trumpeted their ‘victory’ in the first four chapters of the Regulation, getting a quasi kind of agreement to introduce a level of protections that has been watered down to near homeopathic levels. Whatever good is in some of the proposals the Irish Government is horribly undermined and hollowed out by the move to a purely “risk based” model of regulation (similar to that which has worked so well in Financial Services) amongst other things.

    I’ve written about that in detail here with Fergal Crehan.

    Principles diluted do not retain the memory of the principle. Homeopathic regulation doesn’t work. The parts of the Regulation that might have served to retain focus and concentration were the sections around enforcement and penalties.

    Today we learn via a leaked document that these sections have likewise been diluted to homeopathic levels by the Irish EU Presidency (again, annoyingly in tandem with some good and positive changes)

    • The specific levels of fines to be levied have been omitted from the document (Dr. Chris Pounder on the Hawktalk blog suggests this may be due to there being no agreement, my view is that if it has been taken out whatever is put back in will be a lot less attention focussing than the 2% of global turnover levels previously proposed)
    • A range of mitigating factors and considerations have been introduced which must be considered by a Data Protection Authority before levying a penalty of any amount. 13 different factors to be considered. One for every tooth a Regulator might have had. One more line of defence to be argued over before enforcement can commence.

    So, errant Data Controllers may now be in a position where they can self-assess their risks based on their own perception of the risk and impacts of their actions (just like people of a certain generation used to self-assess whether they were sober enough to drive), but just in case they get it horribly wrong the hoops a Regulator will have to jump through before being able to levy any form of meaningful penalty have grown in number and vagueness.

    This the text book definition of light touch regulation. History has shown repeatedly, and at great cost, that this simply does not work.

    The man in the newspaper today bought back his old family home and made a tidy profit because of a catastrophic failure of culture, governance, and regulation. Rules around due diligence and proper management of lending were set aside or worked around because it was “good for business”.

    We must learn the lessons of history or we will have mortgaged our rights to be “left alone” in the interests of economic expedience and only those who held on to their financial muscle in this crisis will be able to make the payment needed to buy back that right through the Courts.

    An appropriate balance must be struck between the economy and the society.

  • An Op-Ed about Data Protection

    Fergal Crehan and I drafted the original version of this op-ed piece on the evening of the 5th of June, completing it on the 6th and submitting it immediately to the Irish Times as a topical opinion piece. The article was originally drafted in response to the EU Council of Ministers publication of proposed amendments to the EU General Data Protection Regulation that would significantly undermine the protections awarded to individuals and their data under EU law.

    It wasn’t published (but them’s the breaks as they say).

    I’ve updated it to include reference to the Prism and Tremora stories that were just beginning to break the week the original piece was drafted. I’ve also included references to some anti-data protection stories that have appeared in the Irish Times since the beginning of June, and a nod to the legacy of light touch regulation and associated attitudes that has recently emerged in the Irish press.

    I took the decision in consultation with Fergal to publish this here as the points that are raised are important ones regarding the nature of the society we want to live in. The failure of the Irish Times to fact check recent stories raises a further question as to the role of a neutered as opposed to neutral press in the definition of and shaping of that society.

    Journalists more than anyone should be alert to and resisting of any efforts to dilute or invade privacy, because it is only where there is privacy that there is the freedom for sources and whistle blowers to express privately (to journalists) facts that should be made public by the media. The logging of data about what numbers you dial, when, where from, and the uses that data can be put to could conceivably jeopardise sources, result in stories that need to be told being silenced, and force public and private conformity with a “party line” regardless of consequences. “All the President’s Men” would have been a significantly different movie if Nixon had had access to a Minority report level of analytics about who called who and who was where when – which is possible today.

    A Free Press should be concerned in equal measure about attacks on the freedom of expression and the rights to Privacy. This is why Data Protection should be a hot topic of relevance, not a dry techie story of limited interest. Responsible journalists need to inform themselves of the rights that exist, the ways those rights are being undermined, and how the existence of those rights that are under threat.

    A skewed balance struck

    For some years now, the EU has been preparing a regulation to update and standardise data protection law in Europe. The expectation was that the rules would be strengthened, giving citizens more protection against misuse of their information. It was a shock then, when the Irish Presidency brought forward a draft regulation which not only dilutes many of the original proposals of the EU Commission, but represents a neutering of many data protection rights rights enjoyed up until now.

    Data protection is a human right, closely bound up with privacy, and is unsurprisingly taken especially seriously by European countries whose citizens suffered under the police states of Nazis or Soviets, or even both. It is the right not to have your personal information hoarded, sold, disclosed or otherwise misused. “Data Protection” may not stir passions like other rights do, but in an increasingly data driven world, its importance cannot be overstated. We are already at risk of a two-tier privacy system, where the rich and famous can go to court for super-injunctions, while Joe Citizen cannot sit peacefully at home without their phone ringing with unwanted direct marketing calls.

    Ireland has had the privilege of shepherding the revised Data Protection rules through the process of negotiation and agreement. The vision set out by the European Commission in its initial drafts was to provide a simplified regulatory structure for business and strengthened rights for individuals over how, where, and why information about them is processed, and by whom. This vision became the subject of one of the most intensive lobbying campaigns by US firms ever seen in the EU.

    In February it emerged that amendments tabled by a group of MEPs that diluted the protection of personal data were copied verbatim from the submissions of these lobbyists. Sean Kelly, the Irish MEP responsible for those amendments, recently received an award from an advertising industry group for his work. The Council of Ministers recently issued a set of proposed changes to the Regulation that are being touted by Alan Shatter, the outgoing President of the Justice and Home Affairs Council, as providing “better protection for citizens” while also “providing a better strategy and architecture for business”.

    However, privacy advocates have highlighted that while the proposed changes are good for business they are a serious weakening of protections EU citizens have historically enjoyed. Advocates in favour of the proposed changes cite the importance of data in the modern economy and the potential for jobs.

    But are we building an economy or a society? In a speech this week President Michael D. Higgins tells us that the EU is a “union of citizens” and the institutions of the EU must work to protect those citizens. The proposed Regulation weakens those very protections.

    The proposed changes introduce a “risk based”, self-regulation approach. This seems not unlike the “light touch” regulation which was adopted in order to attract financial services companies to Ireland, and which fuelled the financial services boom. With our government now keen to attract more data-based firms like Facebook and LinkedIn to Ireland, it seems lessons of recent history are not being learned. And in the week of the Anglo Tapes it is more important than ever that we learn these lessons.

    This approach has been hailed as “non-prescriptive”. But a regulation that doesn’t prescribe anything is a mere suggestion, which can and will be ignored unless there are adverse consequences. Ireland’s Data Protection Commissioner is chronically underfunded, but he can and does bring prosecutions for breach of the Data Protection Acts. It is difficult to see how a these kinds of criminal convictions could be achieved under the proposed regulation. 

    Under the proposed Regulation, if your personal data is lost or stolen, the decision about whether to tell you will be left in the hands of the people who lost the data. This effectively means that there will be no right to know when your personal information is lost.

    Last year Target, the US supermarket, broke the news to a father that his teenage daughter was pregnant by sending her unsolicited targeted adverts for baby products. Current laws make this potentially illegal in Europe. However, direct marketing rules are to be changed under the proposed Regulation. Companies would no longer need your permission to market to you once they have obtained your data. This is an extraordinary win for the marketing lobby, a turn from a right to privacy, to a right to invade privacy. The telemarketer, a scourge familiar to any American with a phone, is set to become an unwelcome part of our daily life too.

    The recent revelations of unfettered and covert surveillance on the private commmunications of every individual in every country by US and UK intelligence services has highlighted the risks of the Panopticon. Some argue that if you have nothing to hide you have nothing to fear. But that flies in the face of our fundamental values that everyone has a right to a place where they can have private thoughts and private communications. These rights are under attack and must be defended.

    But at a smaller scale, recent articles in the Irish Times have linked Data Protection rules with inefficiencies in the Ambulance service which have contributed to deaths. ‘Data Protection rules mean we can’t use GPS for ambulances’ was the claim. Bunkum is the answer. Such processing is permissible under Section 8 of the Data Protection Acts. ‘Data Protection rules will curtail genealogy’ was another claim. Again, bunkum. The draft Regulation will likely apply only to living persons, Public Registers will have certain exemptions, and the Right to be Forgotten is not a right to be airbrushed from history, as has been made clear by Commissioner Reding on many occasions, and has been made clear by the ECJ in the past week.

    Data is hailed as “the new oil”. “Big data” is mined to predict everything from musical taste to voting habits. It is disturbing when rights, once considered uncontroversial, are watered down or neutralised because it has become profitable to do so. What is proposed in this draft of the Regulation is something unprecedented in the history of the EU – the effective abolition of a human right enshrined in EU Treaties. As citizens, we can only wonder and worry which other human rights will become inconvenient to big business, and what their fate will be.