Data Retention Act the Subject of a Reference to the Court of Justice of the European Union

The High Court is to make a preliminary reference to the Court of Justice of the European Union on the extent to which national legislation intended to implement an EU Directive must itself also comply with the European Charter of Fundamental Rights in order to be fully compatible with EU law, a matter with the potential to have a significant impact throughout the EU.

The High Court has asked the CJEU whether EU Directive 2006/24/EC, which requires member states to retain details in relation to mobile, internet and email data, respects the right to privacy of the user.

The questions arise in the context of a case taken by Digital Rights Ireland against the Minister for Communications, Marine and Natural Resources and others, regarding the extent to which the State can require telecommunications providers to retain, and to provide to the State, data on how customers use their services.

The Directive was transposed in Ireland last year by the Communications (Retention of Data) Act 2011. The Act does not require data concerning the content of calls or emails to be retained; however, the identity of the person sending and receiving the communication must be retained, in addition to information as to the time the communication was sent and, in the case of mobile phones, the location of the phones. The Act requires telecommunication providers to retain telephone data for 2 years and internet data for 12 months, in order to ensure that the data is available for the purpose of the investigation, detection and prosecution of serious crime.

See here for a previous discussion of the Act.

Data Protection - The Article 29 Working Party issues Opinion on the definition of "consent"

The EU's Article 29 Working Party has issued an Opinion on the definition of "consent" in which it examines the individual elements and requirements for consent to be valid under the Data Protection Directive (95/46/EC) and the e-Privacy Directive (2002/58/EC). The Opinion also includes recommendations for improving the concept of consent in the context of the ongoing review of the Data Protection Directive.

The Opinion provides practical examples of valid and invalid consent, and analyses the meaning of key concepts such as "freely given", "specific", "informed", "explicit", and "unambiguous". The Opinion further clarifies some aspects relating to the notion of consent, such as the timing as to when consent must be obtained and how the right to object differs from consent.

Some of the key conclusions of the Article 29 Working Party are:

· For consent to be valid, it must be freely given. This means that there must be no risk of deception, intimidation or significant negative consequences for the data subject if he/she does not consent. Due to the element of subordination in the employment context, careful assessment must be given as to whether employees are free to consent.

· Consent must be specific. Blanket consent without determination of the exact purposes does not meet the threshold. This requires the use of specific consent clauses, separated from the general terms and conditions of the contract.

· Consent must be informed. This requires, firstly, the use of clear language so that data subjects understand what they are consenting to and for what purposes. Secondly, the information must be provided directly to individuals, so that it cannot be overlooked. It is not sufficient for it to be merely available somewhere.

· Explicit consent to process sensitive data requires the data subject to take some positive action, either oral or in writing. Therefore explicit or express consent cannot be obtained by the presence of a pre-ticked box.

· For non-sensitive data, consent must be unambiguous. This requires the use of mechanisms to obtain consent that leave no doubt as to the individual's intention to provide consent.

· Consent based on an individual's inaction or silence does not normally constitute valid consent. The use of default settings which the data subject is required to modify in order to reject the processing, such as the use of pre-ticked boxes, does not meet the requirements for unambiguous consent. The data subject should be given the opportunity to make a decision and express it, for instance by ticking the box himself.

· Reliance on consent does not relieve the data controller of his obligation to comply with other requirements of the data protection legal framework, such as the principle of proportionality.

· Consent should be given before the processing of personal data starts, or before any further use of the data for purposes not covered by an initial consent, where there is no other legal ground for the processing.

To view the Opinion please click here.

Google Street View Service Available in Ireland

Google Street View launched in Ireland this week.

Street View’s online panoramic mapping service gives internet users a “car’s eye view” of streets while allowing them to virtually explore a location.

Over 80,000 km of roads, as well as Ireland’s top tourist destinations and historic monuments, including the new Aviva Stadium, Dublin Zoo, the Botanical Gardens and Fota Wildlife Park, have been mapped and snapped. Images for the Irish version of the service have been collated since 2009.

Speaking at the official launch, Mary Hanafin commented on the benefits the service will have for Irish tourism. The Minister acknowledged people's concerns about their privacy being breached; however, Deputy Data Protection Commissioner Gary Davis said his office worked closely with Google to ensure that any privacy concerns were dealt with before the launch date.

The launch is good news for Google; it had a minor brush with the Office of the Irish Data Protection Commission earlier this year but the company has now satisfied all data protection requirements.

Germany to Pass Privacy Law to Limit the use of Facebook when Hiring - Will Ireland Follow?

The German Government has presented a draft law governing workplace privacy. The bill includes a proposal which restricts prospective employers from viewing Facebook profiles of potential candidates and would make it illegal for them to become a Facebook friend with an applicant in order to view their private postings.

Facebook has about 10 million users in Germany and there are currently no rules in place that regulate the use by companies of Facebook data.

Under the bill, employers would still be permitted to conduct a search for publicly accessible information about prospective employees on the internet. They would also be entitled to access information on job networking sites (as opposed to purely social networking sites) such as LinkedIn.

The German Interior Minister acknowledged that some of the new regulations might be complicated to enact and stated that if an employer turns down an application from a potential employee it might be difficult to prove that the reason for doing so was on foot of the content of Facebook postings.

The penalties proposed under the bill are substantial: a rejected job applicant who proves they have been rejected for a position based on violation of the new law could take a company to court claiming damages, and fines of up to €300,000 could be imposed on employers that become friends with prospective employees in order to glean personal information from their postings.

Peter Schaar, the German Commissioner for Data Protection and Freedom of Information, endorsed the proposal, stating it was "a substantial improvement on the status quo in dealing with employees' data". That may be the case; however, it is difficult to see how this new law will be enforced.

The bill will go to the German Parliament to be debated, and we will then see how it develops. There are no similar proposals in Ireland, but it is interesting to see how other EU countries are tackling this issue. If it succeeds, there will no doubt be a political will for similar protections in Ireland.

Ireland to Send Data Retention Questions to Europe

On 5 May 2010 the High Court delivered its decision in a case brought by Digital Rights Ireland (DRI) with respect to three procedural issues that need to be cleared before litigating the main issue of whether large-scale surveillance is in accordance with constitutional guarantees of fundamental rights.

The most significant of the issues was the Plaintiff's application for a reference to be made to the European Court of Justice (ECJ) on the validity of Directive 2006/24/EC.

The court stated that the case raised important constitutional questions and held that a reference to the ECJ was necessary and that it was appropriate to make the reference at the current stage of the proceedings.

The other two issues dealt with security for costs and whether or not the DRI has standing (as a company) to assert privacy rights on behalf of others. The court held in DRI's favour on both counts, recognising that DRI was a "sincere and serious litigant" with a legitimate interest in the case.

The parties have been invited to submit questions to be framed to the ECJ and the case will be listed next on 11 June.

Click here (pdf) for a summary of the case.