Data Retention Act the Subject of a Reference to the Court of Justice of the European Union

The High Court is to make a preliminary reference to the Court of Justice of the European Union on the extent to which national legislation intended to implement an EU Directive must itself also comply with the European Charter of Fundamental Rights in order to be fully compatible with EU law, a matter with the potential to be of significant impact throughout the EU.

The High Court has asked the CJEU whether EU Directive 2006/24/EC, which requires member states to retain details in relation to mobile, internet and email data, respects the right to privacy of the user.

The questions arise in the context of a case taken by Digital Rights Ireland against the Minister for Communications, Marine and Natural Resources and others, regarding the extent to which the State can require telecommunications providers to retain and to provide to the State, data on how customers use its services.

The Directive was transposed in Ireland last year by the Communications (Retention of Data) Act 2011. The Act does not require data concerning the content of calls or emails to be retained; however, the identity of the person sending and receiving the communication must be retained, in addition to information as to the time the communication was sent and, in the case of mobile phones, the location of the phones. The Act requires telecommunication providers to retain telephone data for 2 years and internet data for 12 months, in order to ensure that the data is available for the purpose of the investigation, detection and prosecution of serious crime.

See here for a previous discussion of the Act.

Minister publishes draft Copyright legislation

Minister Sherlock has, today, published the draft European Union (Copyright and Related Rights) Regulations 2012, which are expected to be signed imminently. Minister Sherlock has strenuously denied claims that the proposed legislation mirrors the Stop Online Piracy Act (SOPA) in the United States, stating that such claims “are not based on fact”.

The draft Regulations are, in fact, brief and to the point. They amend the Copyright and Related Rights Act 2000 (the 2000 Act) by explicitly providing for the right of a copyright owner to apply to the High Court for an injunction against an intermediary whose services are used by a third party to infringe their copyright or related right.

This right is already available in all other Member States of the EU, as two EU directives (the Copyright Directive 2001/29/EC and the Enforcement Directive 2000/31/EC) specifically require that copyright holders are in a position to apply for such injunctions.


European Commission publishes its legislative proposals for reform of the Data Protection Directive

The European Commission has published its proposals to reform the EU's Data Protection Directive (95/46/EC).

The proposed Regulation, unlike the 1995 Data Protection Directive, which gives Member States a wide discretion in respect of its implementation, will be directly applicable once adopted. The Vice President of the European Commission, Viviane Reding, has said that a single set of rules on data protection, valid across the EU, will do away with the current fragmentation and costly administrative burdens.

Under the new proposals, multinational companies will be regulated in a ‘one-stop shop’. Companies will only have to deal with a single national data protection authority in the EU country where they have their main establishment. At the moment, businesses are supervised by a different authority in each Member State in which they carry out data processing activities.


CJEU confirms IP addresses are "Personal Data"

As we reported recently, the CJEU held in Scarlet Extended SA (“Scarlet”) v Societe belge des auteurs, compositeurs et editeurs (“SABAM”), Case C-70/10 that an order requiring a Belgian internet service provider to filter certain peer to peer files is not permissible under EU law. The CJEU found that any national measures to protect copyright must “strike a fair balance between the protection of copyright and the protection of the fundamental rights of individuals who are affected by such measures”.

This case is also noteworthy for its landmark decision that internet protocol addresses constitute “protected personal data”.  The CJEU held that the injunction sought, requiring installation of the contested filtering system, “would involve a systematic analysis of all content and the collection and identification of users’ IP addresses from which unlawful content on the network is sent. Those addresses are protected personal data because they allow those users to be precisely identified.”

Reform of the EU's Data Protection Directive expected in early 2012

The Vice President of the European Commission and EU Justice Commissioner, Viviane Reding, recently issued a statement regarding the proposed reform of the Data Protection Directive (95/46/EC), indicating the proposal will be published in early 2012. The proposals contained in the new legislative package, which is intended to fix weaknesses in the current data protection framework, include:

• A 'one-stop-shop' for businesses and consumers when it comes to data protection matters: one law and one single data protection authority for each business, that of the Member State in which they have their main establishment. Under the current data protection regime, companies that operate in several Member States must comply with different laws and different decisions taken by data protection authorities in 27 Member States. A non-European company operating in the European Union has to abide by 27 different interpretations of the EU law on data protection.

• Making the binding corporate rules simpler to use, with a single point of contact for companies amongst the European data protection authorities. Once the binding corporate rules are approved by one data protection authority, they should be recognised by all European data protection authorities, without the need for additional national authorisation in case of further transfers.

• Cutting red tape by eliminating unnecessary costs and administrative burdens to create a more business-friendly regulatory environment. This means doing away with the general requirement to notify data processing to data protection authorities.


Ireland Implements New E-Privacy Laws On The Use of Web Cookies

Ireland has transposed the new E-Privacy Directive 2009/136/EC. The Directive amends the E-Privacy Directive 2002/58/EC and has attracted much attention due to the new rules it imposes in relation to the use of internet cookies.

The new rules are contained in the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011 and took effect from 1 July 2011 (the "New Regulations"). While it is expected that a pragmatic approach will be taken by the Office of the Data Protection Commissioner to enforcement in relation to the new rules on cookies, unlike other jurisdictions, there is no formal compliance grace period in Ireland.

What are 'Cookies'?

The current law
Up to now, the law concerning the use of cookies required internet users to be informed of the use of cookies and to be offered the right to refuse such use. In practice, many websites have complied with this requirement by using their privacy policy to notify people on how they use cookies and giving users the opportunity to 'opt out', by changing their browser preferences. An exception to this opt-out approach exists where the cookie is strictly necessary in order to provide a service explicitly requested by the user.

The new rules
There is no specific reference to "cookies" in the New Regulations. However, Regulation 5 deals with Confidentiality of Communications and in particular prohibits use of "an electronic communications network to store information or to gain access to information already stored in the terminal equipment of a subscriber or user...".

Exceptions
The exceptions to this prohibition, each condition of which must be met, are:

Where the subscriber or user has given consent; and where clear and comprehensive information is given in accordance with the Data Protection Acts 1988 and 2003 which is prominently displayed, easily accessible and includes, without limitation, information on the purposes for which the information will be processed. Importantly, where information is stored merely to enable transmission of communications across networks, or where it is strictly necessary in order to provide a service explicitly requested by the subscriber, the new rules do not apply.

The New Regulations require that technical and user-friendly means to obtain consent are used. However, the Regulations do not specify the technical or operational steps to be taken, the type of consent that is required or when this consent should be obtained.

Guidance
The Office of the Data Protection Commissioner has issued guidance on the Regulations, which confirms that the method of obtaining consent that was acceptable under the previous legislation, relying on existing browser settings, will no longer be sufficient. Browser settings are regarded as having some deficiencies as a method of obtaining consent. For example, some cookies can circumvent browser settings.

Key considerations for companies with websites

In the light of the Data Protection Commissioner's guidance, it will be incumbent on individual companies to carry out their own assessment of their activities from a technical and compliance perspective, to ascertain:

• If their activities fall within the scope of Regulation 5(3). This is likely to require analysis of the technical operation of their websites and the extent to which they may be facilitating 'cookies' that actually capture personal data through links or other associations with third parties;

• If any of the exceptions apply. For instance, where cookies are essential in order to complete an online purchase transaction, the compliance burden for such website operators may be less than where cookies are intentionally used as part of targeted profiling and marketing of customers/website visitors;

• How to categorise cookies that are to be used, the nature of the consent that will be required and the effective means to obtain that consent. This will present the challenge of balancing the need for website users to have a positive experience on a particular website with the need to comply with the New Regulations. For example, listing specific cookie filenames on websites and providing information on their purpose may become increasingly common;

• Due diligence on existing website terms and conditions and other notices to assess what changes must be made to ensure the obligations contained in Regulation 5(3) are met. It is likely that we will see cookie specific notices and banners on websites that allow users to see the relevant cookies and site data and make informed choices about settings. A good live example can be found at the UK Information Commissioner's website.

Consent
There remains uncertainty in relation to the core issue of consent. For instance, the New Regulations do not specify exactly when the consent should be obtained, whether a single consent will suffice for repeat browsing activity and changing cookies, or how explicit the consent needs to be. However, it is clear that the law in Ireland has now shifted in a manner that rules out reliance on a passive approach to consent, and more interaction with web users will be required.

Implications
The end result is that companies relying on online interaction with customers will need to be ever more alert to the need for pro-active steps to ensure their legal compliance with these New Regulations. Given the lack of a formal grace period in Ireland (unlike the UK) and the increased financial penalties for non-compliance that have been introduced under the New Regulations, taking steps to post interim notices and other information in relation to steps being taken to comply with the new rules would be prudent, pending implementation of the necessary technical and functional changes to websites.

Facebook's New "Facial Tagging" System (and nobody told the users!)

Another week another Facebook privacy controversy. This time it involves their new “Tag Suggestions” feature which utilises facial recognition software which automatically identifies people as photos are uploaded and then encourages their friends to tag them. It was designed to speed up the process of tagging pictures by recognising the faces of people within the photos uploaded to the site.

This latest creation of Facebook founder Mark Zuckerberg has not, however, been welcomed by privacy groups and data protection officials. The European Union has promised that a thorough investigation will be carried out by its data protection regulators to establish whether any privacy laws have been violated. A representative of the Article 29 Data Protection Working Party stated that “tags of people should only happen based on people’s prior consent and it cannot be activated by default”. He addressed the main area of controversy surrounding the new feature, which was not the involvement of facial recognition software but rather the way in which Facebook introduced it. Facebook has set the feature as default on existing users’ accounts, thus placing the onus on the Facebook user to opt out of the feature if they do not want to be automatically tagged in photos. This will involve changing their privacy settings which, as any Facebook user will acknowledge, can be particularly confusing.

As your friend uploads photos, Facebook will scan them to determine whether they look like you and will then proceed to urge your friend to tag you in them, without your permission. This is nothing new for Facebook, since its current system enables anyone to tag pictures of you without your pre-approval, placing the onus on you to un-tag yourself.

While Facebook’s continuous endeavour to create new features is admirable, the new function may be a step too far. UK and Irish authorities have vowed to look into Facebook’s new photo-tagging function and the risks it may pose for users. Whether their opinion will have any real impact on the world’s most popular social-networking site remains to be seen.

Article 29 Data Protection Working Party Adopts Strict Position on Geolocation Services

The Article 29 Data Protection Working Party (Working Party) issued an opinion on geolocation services on smart mobile devices on 16 May 2011. The opinion seeks to specifically clarify the legal requirements for GPS, GSM base stations and WiFi data under the Data Protection Directive. The Working Party’s opinions are not strictly binding but are in practice followed.

The Working Party has adopted the position that as geolocation data from smart mobile devices reveal intimate details about the private life of their owner, it must be considered personal data for the purposes of the Data Protection Directive. The Working Party believes that the Data Protection Directive should apply in all cases where personal data are being processed as a result of the processing of location data. In the view of the Working Party, the Directive on Privacy and Electronic Communications should only apply to the processing of base station data by public electronic communication services and networks.

The Working Party identified three different functionalities in the context of the provision of geolocation services, (i) the controller of a geolocation infrastructure; (ii) the provider of a specific geolocation service; and (iii) the developer of the operating system of a smart mobile device, all of which have different responsibilities for the processing of personal data.

The Working Party has concluded that in most cases geolocation data may only be processed with users’ prior consent, and that the controller must also ensure the customer is informed about the terms of such processing. The Working Party notes that geolocation services switched on by default should not be mistaken for freely given consent. In addition, the Working Party has adopted the position that such consent cannot be obtained by opt-out mechanisms or by mandatory acceptance of general terms and conditions. The Working Party is of the view that users should be required to renew their consent at least once a year.

The opinion confirms the views expressed by the European Data Protection Supervisor in relation to geolocation data.

You can view the opinion here http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2011/wp185_en.pdf

Report on Data Breach Notifications in the EU

The E-Privacy Directive (2009/136/EC), which formed part of the EU telecommunications regulation reform package passed in November 2009, makes it mandatory for public communications providers (i.e. ISPs and telcos) to inform national authorities of any data security breaches. Member States have until 25 May 2011 to transpose this Directive. (See our Weekly Knowledge Update - 2 February 2010). 

The European Network and Information Security Agency (ENISA) recently published a Report on ‘Data Breach Notifications in the EU’ which provides a review of the new mandatory notification requirement and also looks at what steps Member States have already taken independently of this requirement.

The Report highlights that data breach notifications are not yet mandatory in most EU countries, and consequently stakeholders are looking for information and best practices from countries that already have notification procedures, either as a mandatory law or as a code of practice. In Germany, for example, there is a legal obligation to issue notifications to both the local Data Protection Authority (DPA) and data subjects in cases of data breaches. Also, in Spain, there is a legal obligation for data controllers, as part of their security policy, to draw up provisions providing for a procedure of notification, management and response to data security breach incidents.

Meanwhile, in the UK and in Ireland, there is no legal obligation to notify the local DPA. However, in Ireland, last year, the Office of the Data Protection Commissioner issued a Data Security Breach Code of Practice and a Guidance note, which recommends notification of all security breach incidents to the DPC within two working days of becoming aware of the incident. Organisations should also give immediate consideration to notifying data subjects. Similarly, in the UK, the DPA has issued a guidance note, which recommends that it should be notified of serious breaches.

The majority of regulatory authorities surveyed by ENISA indicated their support of mandatory data breach notifications for the telecoms sector, but raised concerns about their ability to handle the workload, fearing that the number of breaches would result in a large number of investigations. They agreed that a system to prioritise notifications would be the best approach. The DPAs also raised concerns about the fact that mandatory notifications are not yet extended to other sectors of the economy, which might cause members of the public to single out telecoms operators as being less safe than other companies, since notifications will be coming primarily from service providers.

The Report identifies a number of areas that require further support at EU or national level, in order to ensure a smooth transition to mandatory notifications, including:

  • Risk Assessment Guidance – so as to avoid issuing notifications for breaches that pose no risk and undermine customers’ confidence in an organisation;
  • Notification Threshold Criteria – to enable consistent methodology across Europe;
  • Procedures for responding to a breach;
  • Evaluation Period – to review how the notification process is working;
  • Automation – development of an automated system of data breach notifications through a web-based form; and
  • Extension of mandatory notifications to other sectors.

ENISA Report - Data Breach Notifications in the EU.

Israel's data protection laws given EU approval

The European Commission has approved Israel's status as a country ensuring an "adequate level of protection" under the Data Protection Directive (95/46/EC).

The Data Protection Directive prohibits personal data from being transferred to third countries, outside the EEA, unless the country ensures an adequate level of data protection or certain limited exceptions apply (such as where the data subject has explicitly consented to the transfer or a data transfer agreement incorporating the EC-approved standard contractual clauses is used). 

The countries approved to date by the European Commission as having an adequate level of data protection include: Switzerland, Guernsey, Argentina, Isle of Man, Faroe Islands, Jersey and Andorra. Canada has been approved for certain types of personal data. The ‘Safe Harbour’ arrangement has also been approved, to facilitate transfers of personal data to US organisations which have signed up to the arrangement. Recently, the Commission has also approved the transfer of advance airline passenger data to the US, Canada, and Australia.

European Commission website – list of approved third countries.

President signs Communications (Retention of Data) Act 2011 into law

The Communications (Retention of Data) Act 2011 (the Act) was signed into law by the President on 26 January 2011. The Act has not yet been published, but there appear to have been no amendments to the Bill after the Committee Stage in the Dáil. 

The Act transposes the Data Retention Directive (2006/24/EC) (the Directive). The Directive requires telephone and internet service providers to retain details of internet and call data for not less than 6 months and not more than 2 years, in order to ensure that the data is available for the purpose of the investigation, detection and prosecution of serious crime. 

The Act requires telephone service providers to retain telephone data for two years, and internet data to be retained by internet service providers for 12 months. Telephone data was previously retained for three years pursuant to Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 (which the Act repeals). Internet data was not previously required by law to be monitored or retained. 

The Act does not require data concerning the content of calls or emails to be retained; however, the identity of the senders and receivers of the communication must be retained, as well as the date and time the communication was sent and, in the case of mobile phones, the location of the phones.

The Act requires service providers retaining such data to take certain security measures in relation to the retained data. For example, data (with the exception of data accessed and preserved as a result of a disclosure request) must be destroyed by the service providers at the end of the specified retention periods, however a grace period of one month after the retention period has expired is provided for, in order to facilitate any last minute requests. 


Data Protection Commissioner issues Election Warning

The Data Protection Commissioner has written to political parties this week cautioning them about communicating with individuals by text, email or phone in the forthcoming General Election.

The Commissioner, Mr Billy Hawkes, advised candidates that they should avoid sending electoral messages to persons other than those who could “reasonably be assumed to consent to receipt of such messages”, such as party members for example.

The warning from the Commissioner comes in the wake of a large number of complaints following the June 2009 local election campaign, in many of which the individual had no prior contact with the political party and had voiced concern at the manner in which their details were sourced. Investigation into the complaints revealed that contact details had been obtained from third-party sources such as friends, colleagues, sports clubs and schools. The Commissioner has advised the political parties not to attempt to obtain or use contact information from third parties in this way.

The restrictions placed on direct marketing by the Data Protection Acts do not, however, apply to direct mailing carried out in the course of political activities by a political party or its members. Candidates are permitted to send letters and leaflets to anyone on the Register of Electors.

UK's Information Commissioner issues first monetary penalties for serious data protection breaches

On 24 November 2010, the UK’s Information Commissioner issued two organisations with substantial fines for serious breaches of the UK Data Protection Act 1998.

Hertfordshire County Council was fined £100,000 for two successive data protection breaches where council employees sent two faxes containing highly sensitive personal information to the wrong recipients on two separate occasions. The council reported both breaches to the Information Commissioner’s Office (ICO). The Commissioner ruled that, after the first breach occurred, the council did not take sufficient steps to reduce the likelihood of another breach occurring.

An employment services company, A4e, was also fined £60,000 following the loss of an unencrypted laptop containing sensitive personal information relating to 24,000 people who had used community legal advice centres in Hull and Leicester. The company reported the incident to the ICO, and also notified the people whose data could have been accessed. The Commissioner found that the company had not taken reasonable steps to avoid the loss of the data when it issued the employee with the unencrypted laptop, despite knowing the amount and type of data that would be processed on it.

The Irish Data Protection Commissioner does not have equivalent legal powers to issue large penalties for serious contraventions of the Data Protection Acts. At present only offences under the Data Protection Acts attract financial penalties, the maximum of which is €250,000 (or 10% of turnover if the offender is a body corporate) for offences relating to unsolicited marketing messages. 

However, the Report of the Irish Data Protection Review Group, published earlier this year, recommended the introduction of legislation providing for penalties for serious contraventions of the Data Protection Acts. 

It will be interesting to see if any new equivalent legislation is introduced here. 

Strategy to Strengthen EU Data Protection Rules

On 4 November 2010, the European Commission issued a Communication entitled “A comprehensive approach on personal data protection in the European Union”. Following a review of the current EU data protection legislation and a public consultation, several issues were identified as being problematic and posing challenges to the current EU legislative framework. These issues include the need to address the impact of new technologies and the need to streamline international data transfers.

The Communication sets out the Commission’s strategy for modernising the EU legislative framework to take account of these challenges. The key objectives of the strategy are to:

- strengthen individuals’ rights;
- enhance the internal market dimension;
- revise data protection rules in the area of police and judicial cooperation in criminal matters;
- ensure high levels of protection for data transferred outside the EU; and
- improve the enforcement of data protection rules.

The Commission will accept feedback, by 15 January 2011, on the issues raised in this Communication and will propose legislation in 2011. The Commission also intends to pursue non-legislative measures, such as encouraging self-regulation and self-awareness campaigns, in parallel.

EU Commission Refers UK to CJEU over Alleged Privacy Law Failings

The European Commission has referred the UK to the Court of Justice for the European Union (“CJEU”) for not fully implementing EU rules on the confidentiality of electronic communications such as e-mail or internet browsing.

The Commission considers that existing UK law governing the confidentiality of electronic communications is in breach of the UK’s obligations both under the ePrivacy Directive 2002/58/EC and the Data Protection Directive 95/46/EC in three specific areas:

• there is no independent national authority to supervise the interception of some communications, although the establishment of such an authority is required by the ePrivacy and Data Protection Directives, in particular to hear complaints about the interception of communications;

• current UK law authorises interception of communications not only where people have consented to the interception, but also when the person intercepting the communication “has reasonable grounds for believing that consent to do so has been given”. These UK provisions do not comply with EU rules defining consent as “freely given, specific and informed indication of a person’s wishes”; and

• the provisions of current UK law prohibiting and providing sanctions in cases of unlawful interception are limited to intentional interception only, whereas EU law requires member states to prohibit and to ensure that there are sanctions against any unlawful interception, regardless of whether or not it was committed intentionally.

The case centres on the UK Government’s failure to act against BT over its use of Phorm, scanning software that tracks users’ web use in order to serve them ads related to the recorded internet activity. BT used this technology without telling users, which led to complaints to UK regulators and the Commission that this breached privacy laws.

No doubt the outcome will be of interest to Irish Data Controllers and the Irish Data Protection Commissioner – if the CJEU finds against the UK, this could provide the Commission with the impetus it needs to impose stricter rules on all member states, in particular its stated objective of strengthening and harmonising consent rules.

We will keep the Blog updated on developments.

Google Street View Service Available in Ireland

Google Street View launched in Ireland this week.

Street View’s online panoramic mapping service gives internet users a “car’s eye view” of streets while allowing them to virtually explore a location.

Over 80,000 km of roads, as well as Ireland’s top tourist destinations and historic monuments, including the new Aviva Stadium, Dublin Zoo, the Botanical Gardens and Fota Wildlife Park, have been mapped and snapped. Images for the Irish version of the service have been collated since 2009.

Speaking at the official launch, Mary Hanafin commented on the benefits the service will have for Irish tourism. The Minister acknowledged people’s concerns about their privacy being breached, however deputy data protection commissioner Gary Davis said his office worked closely with Google to ensure that any privacy concerns were dealt with before the launch date.

The launch is good news for Google; it had a minor brush with the Office of the Irish Data Protection Commission earlier this year but the company has now satisfied all data protection requirements.

Facebook "Places" Launches

Following the launch today of a new “Places” feature, Facebook users in the UK have the ability to track friends’ whereabouts. “Places” is a tool that has been developed to help Facebook users share where they are, find out who is in the same vicinity and discover services and events in the area.

“Places” will be accessible either from Facebook’s mobile version or via an iPhone app that Facebook has designed. Users will be able to log in and broadcast their whereabouts and their location will then appear in their status update.

People can also tag their friends when checking into a location. Every time anyone is tagged, they will be notified and will have to choose whether to accept or not.

“Places” has launched in the US and Japan and the service will soon be rolled out to the rest of Europe.

This will inevitably give rise to data protection issues in Europe, as data protection offices across Europe take stock – we will keep the Blog updated on developments!

Germany to Pass Privacy Law to Limit the use of Facebook when Hiring - Will Ireland Follow?

The German Government has presented a draft law governing workplace privacy.  The bill includes a proposal which prevents prospective employers from viewing the Facebook profiles of potential candidates and would make it illegal for them to become a Facebook friend of an applicant in order to view their private postings.

Facebook has about 10 million users in Germany and there are currently no rules in place that regulate the use by companies of Facebook data.

Under the bill, employers would still be permitted to conduct a search for publicly accessible information about prospective employees on the internet. They would also be entitled to access information on job networking sites (as opposed to purely social networking sites) such as LinkedIn.

The German Interior Minister acknowledged that some of the new regulations might be complicated to enact and stated that if an employer turns down an application from a potential employee it might be difficult to prove that the reason for doing so was on foot of the content of Facebook postings.

The penalties proposed under the bill are substantial: a rejected job applicant who proves that the rejection was based on a violation of the new law could take the company to court claiming damages, and fines of up to €300,000 could be imposed on employers that become friends with prospective employees in order to glean personal information from their postings.

Peter Schaar, the German Commissioner for Data Protection and Freedom of Information, endorsed the proposal, stating it was “a substantial improvement on the status quo in dealing with employees’ data”. That may be the case; however, it is difficult to see how this new law will be enforced.

The bill will go to the German Parliament to be debated when we will see how it develops. There are no similar proposals in Ireland but it is interesting to see how other EU countries are tackling this issue - if it succeeds there will no doubt be a political will for similar protections in Ireland.

New EC "Data Controller to Data Processor" Model Clauses for Transfers of Personal Data Outside the EEA

The European Commission has recently approved in Decision 2010/87/EU new model clauses for the transfer of personal data from a data controller established in the EU to a data processor established in a third country outside the EEA.  The new "data controller to data processor" model clauses, which replace the clauses approved by Decision 2002/16/EC, came into effect on 15 May 2010.  The "data controller to data controller" model clauses (approved by Decisions 2001/497/EC & 2004/915/EC) remain unchanged. Pursuant to the EU Data Protection Directive 95/46/EC personal data may only be transferred to countries outside the European Economic Area if that recipient country ensures an adequate level of data protection, or one of a limited number of specified exemptions applies (such as the data subject giving his/her consent to the transfer). 

This means that from 15 May 2010, any data controller wishing to demonstrate “adequacy” by using the EU “data controller to data processor” model clauses will need to use these new 2010 model clauses.

Existing "data controller to data processor" contracts concluded under clauses approved by Decision 2002/16/EC will remain valid, unless the parties to the contract wish to make changes to the existing contract.  In that event the parties will need to enter into a new contract, which includes the new model clauses.

The main change implemented by the new "data controller to data processor" model clauses is that they contain express provisions allowing the outsourcing by the data processor of its processing activities to another sub-processor(s).  The previous "data controller to data processor" model clauses had been criticised for not taking into account the practice of more globalised data processing activities and the onwards transfers of data from a data processor established in a third country to another non-EEA sub-processor. The new model clauses contain a number of restrictions in respect of any sub-processing activities.  The data importer is required to inform the data exporter and obtain its prior written consent before disclosing the personal data to a third party processor.  In addition, the sub-processing must consist only of the same operations agreed in the contract between the data exporter and the data importer.  The data importer must also enter into a written contract with the sub-processor, incorporating the same model clauses as the contract between the data exporter and the data importer, and must provide the data exporter with a full copy of the sub-contract. 

The new 2010 model clauses are available to download from the EU’s Eur-Lex website: eur-lex.europa.eu/LexUriServ/LexUriServ.do (pdf).

Data Security Breaches - Report of the DP Review Group

The Data Protection Review Group published its Report (pdf) on Data Protection in May 2010. The Group, which was appointed by the Minister for Justice, Equality and Law Reform, was formed to look at whether legislative changes were necessary to address the lack of any specific legal obligation to report security breaches of data.

The key recommendations contained in the Report are:

1. Legislation should provide for a general offence by a data controller of deliberate or reckless acts or omissions in relation to the data protection principles, including contraventions of the security principle in relation to data breach incidents.

2. The reporting obligations of data controllers in relation to data breaches should be set out in a statutory Code of Practice. The Group recommended that there should be a legal requirement to report breaches of data to the Data Protection Commissioner (DPC) but not necessarily to data subjects.

The European Commission is expected to make a proposal for a new or amending Data Protection Directive either later this year or during 2011 and the Report states that the introduction of any Irish legislation is likely to be influenced by the pace of such EU developments. The Minister has requested the DPC to begin preparing a statutory Code of Practice.

In the meantime, although there is no legal requirement to notify the Office of the Data Protection Commissioner of a security breach, depending on the nature and severity of the breach, it is usually recommended to consult with the Office in the event of one arising.


Ireland to Send Data Retention Questions to Europe

On 5 May 2010 the High Court delivered its decision in a case brought by Digital Rights Ireland (DRI) with respect to three procedural issues that need to be cleared before litigating the main issue of whether large-scale surveillance is in accordance with constitutional guarantees of fundamental rights.

The most significant of the issues was the Plaintiff's application for a reference to be made to the European Court of Justice (ECJ) on the validity of Directive 2006/24/EC.

The court stated that the case raised important constitutional questions and held that a reference to the ECJ was necessary and that it was appropriate to make the reference at the current stage of the proceedings.

The other two issues dealt with security for costs and whether or not the DRI has standing (as a company) to assert privacy rights on behalf of others. The court held in DRI's favour on both counts, recognising that DRI was a "sincere and serious litigant" with a legitimate interest in the case.

The parties have been invited to submit questions to be framed to the ECJ and the case will be listed next on 11 June.

Click here (pdf) for a summary of the case.

High Court Approves File Sharing Settlement - ISP Addresses not Personal Data

The High Court, in a reserved judgement delivered by Mr Justice Charleton on 16th April, has sanctioned the “three strikes” regime previously agreed between Eircom and the record industry, by holding that terminating internet accounts of persons suspected of illegally sharing music does not entail a breach of data protection laws or human rights.   This is a landmark ruling by the Irish courts as it represents one of the first successful attempts by the record industry in Europe to implement a three strikes regime by way of legal proceedings, rather than through the legislative process.

As previously reported, Eircom and the record companies signed a settlement agreement in January 2009 designed to prevent Eircom subscribers from using the Internet for the purpose of illegal filesharing.  Under the agreement, the record companies notify Eircom of IP addresses which they believe are being used for illegal downloading, Eircom sends warnings to the relevant subscriber, and ultimately terminates the subscriber’s account if the warnings are not heeded.  The agreement did not entail any requirement on the part of Eircom to disclose the identity of its subscribers to the record companies.

The Data Protection Commissioner (DPC) raised a number of concerns about the three strike regime, which resulted in the parties seeking a ruling from the High Court.

  • The first question addressed was whether IP addresses constitute ‘personal data’ within the meaning of the Data Protection Acts 1988-2003.  Mr Justice Charleton held that an IP address was not personal data as it did not identify a living individual and he saw no likelihood arising that Eircom would disclose the identity of its subscribers to the record companies.
  • The second question addressed was whether terminating access to an internet account was a breach of the fundamental rights and freedoms of the subscriber.  Mr Justice Charleton found that it did not: “I find it impossible to imagine that such interference is unwarranted because there is some fundamental right or freedom or legitimate interest in the data subject whereby, in contrast to those who engage in other forms of unlawful copyright theft which may leave them more readily subject to the law, the internet is used for the violation. There cannot be a right to infringe the constitutional rights of others, absent some argument as to a genuine and compelling competing right”. 
  • The final question addressed was whether the “three strike” regime involved the processing of “sensitive” personal data.  The judge found that it did not, as the termination of an account did not implicate the commission of a criminal offence.

Interestingly, today's Irish Times (24 May) reports that Eircom will begin the process of cutting off the broadband service of customers deemed to be continually sharing music online illegally from today.  Eircom will initially telephone infringing customers to ask if they know that the illegal activity is occurring on their broadband network.  Repeat offenders will have their service withdrawn for seven days if they are identified a third time, or for a year if they are identified for a fourth time.


Thinking about "Tell a Friend Marketing"? Think again

Referral marketing is attractive to marketers but just because others are doing it does not mean that you should.  You could be committing a criminal offence under Irish data protection legislation if you send marketing messages by email or SMS to people referred to you by your customers.  The reason for this is that under data protection legislation you may not send marketing messages by electronic means to a person unless they have agreed to receive those messages.   Unfortunately for those of you in the marketing business, it is not possible for one customer to opt-in to marketing communications on behalf of another.  The Irish Data Protection Commissioner views this type of marketing as an unsolicited communication which could be deemed to be an offence under Irish Law.

So the next time you ask your customers to refer a friend - be careful - because you might yourself end up being referred to the Data Protection Commissioner through a complaint that you have breached the code.

Biometric Information: Striking a balance between security and privacy

In a recent report, the Irish Council for Bioethics has examined the ethical, social and legal issues associated with the collection and storage of biometric information (PDF).  The increase of identity theft has heightened the need for stronger identity verification systems many of which are based on the collection of biometric information that is unique to an individual (for example fingerprint, iris scans, etc.)  At the same time, the collection of this type of information has increased the risk of invasion of privacy and improper use of personal information.

The Council stated that while biometric technologies can enhance security and protect privacy, they can also have adverse implications for privacy.  The Council noted that it may be appropriate to override certain individual rights to benefit the common good, and it expressed concerns that this principle may be overused without justification. 

According to the Council, biometrics should be used as a proportionate response to the challenge at hand, and there must be a clear rationale to justify the necessity of using such biometric information.