Data Security Breaches - Report of the DP Review Group

The Data Protection Review Group published its Report (pdf) on Data Protection in May 2010. The Group, which was appointed by the Minister for Justice, Equality and Law Reform, was formed to look at whether legislative changes were necessary to address the lack of any specific legal obligation to report security breaches of data.

The key recommendations contained in the Report are:

1. Legislation should provide for a general offence by a data controller of deliberate or reckless acts or omissions in relation to the data protection principles, including contraventions of the security principle in relation to data breach incidents.

2. The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice. The Group recommended that there should be a legal requirement to report breaches of data to the Data Protection Commissioner (DPC) but not necessarily to data subjects.

The European Commission is expected to make a proposal for a new or amending Data Protection Directive either later this year or during 2011 and the Report states that the introduction of any Irish legislation is likely to be influenced by the pace of such EU developments. The Minister has requested the DPC to begin preparing a statutory Code of Practice.

In the meantime, although there is no legal requirement to notify the Office of the Data Protection Commissioner of a security breach, depending on the nature and severity of the breach, it is usually recommended to consult with the Office in the event of one arising.

 

Ireland to Send Data Retention Questions to Europe

On 5 May 2010 the High Court delivered its decision in a case brought by Digital Rights Ireland (DRI) with respect to three procedural issues that need to be cleared before litigating the main issue of whether large-scale surveillance is in accordance with constitutional guarantees of fundamental rights.

The most significant of the issues was the Plaintiff's application for a reference to be made to the European Court of Justice (ECJ) on the validity of Directive 2006/24/EC.

The court stated that the case raised important constitutional questions and held that a reference to the ECJ was necessary and that it was appropriate to make the reference at the current stage of the proceedings.

The other two issues dealt with security for costs and whether or not the DRI has standing (as a company) to assert privacy rights on behalf of others. The court held in DRI's favour on both counts, recognising that DRI was a "sincere and serious litigant" with a legitimate interest in the case.

The parties have been invited to submit questions to be framed to the ECJ and the case will be listed next on 11 June.


Ireland and the Smart Economy

The Smart Economy is at the centre of the Irish Government’s programme to reposition Ireland in the coming years as an economic centre for IP-rich industry. The work of groups such as the International Content Service Centre Task force and the Innovation Task Force is focussed on positioning Ireland as the country of choice for knowledge-based foreign direct investment, as well as on driving indigenous growth in the exporting high technology sector.

It is hoped that the momentum that the Government started with these initiatives is now maintained by seeing through their implementation.


Ireland has the three ingredients needed to be an international innovation hub:

  1. a skilled workforce for the creation of IP;
  2. a robust legal system for the protection of IP; and
  3. a favourable tax regime for the exploitation of IP.


The Commercial Court which handles almost all IP enforcement cases is one of the most significant recent innovations in the Irish IP legal landscape.  The efficiency of disposal of cases and the quality of judgments have been recognised internationally.  We need the Irish government to complement this and look at legislative changes that give us a competitive advantage over other jurisdictions – other countries are competing, and so must we if our Smart Economy is to become a reality.

The favourable tax regime, while essential, may not be enough on its own – we have a strategic opportunity, if not a necessity, to differentiate ourselves now through our broader legal offering. 

For more on this topic, you may be interested in this more complete article by John Whelan that featured in the Sunday Business Post.

"Your Country, Your Call" - Your IP?

It has been widely publicised that the Your Country Your Call competition, which closed on 30 April 2010, yielded in or around 9,000 entries.  The competition is designed, in the words of its promoter An Smaoineamh Mor Limited, to find two major proposals that when implemented will transform the Irish economy by creating jobs and opportunity.

Proposals were accepted in relation to nine categories: communications & technology; design, engineering & manufacturing; education & the arts; energy & the environment; food & agriculture; health, sport & nutrition; professional services; tourism & hospitality; and other.

Recently the intellectual property provisions contained in the competition terms and conditions have also attracted attention.  Section 7.2 provides that, at the option of An Smaoineamh Mor, the winning participants, in consideration of entry into the competition, shall irrevocably transfer to An Smaoineamh Mor all right, title and interest in and to the winning proposals and all IP rights therein.  The winning participants further agree to waive all moral rights to which they might be entitled, which would include the right at all times to be identified as the author of the work.

All participants should therefore be aware that in the event that they win the competition they may be precluded from exploiting their proposal at a later date. However, as the relevant section only applies to the winning entries, those that are not successful should still retain any basic IP rights they have in their work. Two winners are due to be announced on 17 September 2010, and will each receive €100,000. A further €500,000 is being put aside for the implementation of each of the winning proposals.

High Court Approves File Sharing Settlement - IP Addresses not Personal Data

The High Court, in a reserved judgement delivered by Mr Justice Charleton on 16th April, has sanctioned the “three strikes” regime previously agreed between Eircom and the record industry, by holding that terminating internet accounts of persons suspected of illegally sharing music does not entail a breach of data protection laws or human rights.   This is a landmark ruling by the Irish courts as it represents one of the first successful attempts by the record industry in Europe to implement a three strikes regime by way of legal proceedings, rather than through the legislative process.

As previously reported, Eircom and the record companies signed a settlement agreement in January 2009 designed to prevent Eircom subscribers from using the Internet for the purpose of illegal filesharing.  Under the agreement, the record companies notify Eircom of IP addresses which they believe are being used for illegal downloading, Eircom sends warnings to the relevant subscriber, and ultimately terminates the subscriber’s account if the warnings are not heeded.  The agreement did not entail any requirement on the part of Eircom to disclose the identity of its subscribers to the record companies.

The Data Protection Commissioner (DPC) raised a number of concerns about the three strike regime, which resulted in the parties seeking a ruling from the High Court.

  • The first question addressed was whether IP addresses constitute ‘personal data’ within the meaning of the Data Protection Acts 1988-2003.  Mr Justice Charleton held that an IP address was not personal data as it did not identify a living individual and he saw no likelihood arising that Eircom would disclose the identity of its subscribers to the record companies.
  • The second question addressed was whether terminating access to an internet account was a breach of the fundamental rights and freedoms of the subscriber.  Mr Justice Charleton found that it did not: “I find it impossible to imagine that such interference is unwarranted because there is some fundamental right or freedom or legitimate interest in the data subject whereby, in contrast to those who engage in other forms of unlawful copyright theft which may leave them more readily subject to the law, the internet is used for the violation. There cannot be a right to infringe the constitutional rights of others, absent some argument as to a genuine and compelling competing right”. 
  • The final question addressed was whether the “three strike” regime involved  the processing of “sensitive” personal data.  The judge found that it did not, as the termination of an account did not implicate the commission of a criminal offence.

Interestingly, today's Irish Times (24 May) reports that Eircom will begin the process of cutting off the broadband service of customers deemed to be continually sharing music online illegally from today.   Eircom will initially telephone infringing customers to ask if they know that the illegal activity is occurring on their broadband network.  Repeat offenders will have their service withdrawn for seven days if they are identified a third time, or for a year if they are identified for a fourth time.

 

Thinking about "Tell a Friend Marketing"? Think again

Referral marketing is attractive to marketers but just because others are doing it does not mean that you should.  You could be committing a criminal offence under Irish data protection legislation if you send marketing messages by email or SMS to people referred to you by your customers.  The reason for this is that under data protection legislation you may not send marketing messages by electronic means to a person unless they have agreed to receive those messages.   Unfortunately for those of you in the marketing business, it is not possible for one customer to opt-in to marketing communications on behalf of another.  The Irish Data Protection Commissioner views this type of marketing as an unsolicited communication which could be deemed to be an offence under Irish Law.


So the next time you ask your customers to refer a friend - be careful - because you might yourself end up being referred to the Data Protection Commissioner through a complaint that you have breached the code.

Landmark Decision for IT Suppliers - Pre-Contract Representations

The High Court in London has issued a landmark judgment in the long-running dispute between BSkyB and EDS.  BSkyB claimed in excess of £700m in damages from EDS alleging that EDS’s bid team made fraudulent misrepresentations and breached their contract in the manner in which they won and subsequently performed the contract to supply and install a customer relationship management system for BSkyB.  BSkyB ultimately claimed that EDS failed to deliver the system and as a result BSkyB had to develop the system in-house. The case is the first fraudulent misrepresentation case involving an IT project to proceed to the English Courts.

EDS argued that its maximum liability under the contract was capped at £30m. The High Court rejected this argument and held that EDS’s contractual cap on liability did not apply to damages arising as a result of deceit/fraudulent misrepresentation. BSkyB have said that they anticipate damages will be an amount of at least £200m as a result of the ruling.

Since the events in question EDS has been acquired by Hewlett Packard. Hewlett Packard issued a statement saying that “this is a legacy issue, dating back to the EDS business in 2000, which HP inherited when it acquired EDS in 2008.”

The case is likely to have significant implications for the IT services sector.  It will see suppliers exercising greater vigilance in the statements made by their contract bid teams and will make the assessment of potential risk under a contract more difficult.