Thursday, 15 May 2014

European Court Ruling Bolsters Right To Be Forgotten

ECJ ruling calls search engines data ‘controllers’ and provides data subjects with a means to prompt search engines to delete links even if the provider has published them lawfully

May 13, 2014

By Jedidiah Bracy, CIPP/US, CIPP/E
In what many are calling an historic decision, the European Union’s highest court has ruled that Google must provide users, in certain instances, with a right to delete links about themselves, including in some cases, public records.

The European Court of Justice (ECJ) said the automatic indexing of information that contains personal data “must be classified as ‘processing of personal data’” and that “the operator of the search engine must be regarded as the ‘controller’ in respect to that processing…” Additionally, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person,” even “when its publication in itself on those pages is lawful.”

An individual’s fundamental rights, the court also ruled, override “the economic interest of the operator of the search engine but also the interest of the general public” in having that information. The exception would be the role played by the subject in public life and if the general public’s right to access the information is justified.

On leave from her role as European justice commissioner, Viviane Reding said, “Companies can no longer hide behind their servers being based in California or anywhere else in the world” and that “the data belongs to the individual, not the company.”

In comments provided to The Privacy Advisor, German Green Member of Parliament and architect of the proposed data protection regulation Jan Philipp Albrecht said the ruling “is the right decision” and that it “clarifies that European data protection law is applicable as soon as a data controller is operating on the European market.” He also stressed the importance of adopting “a uniform and consistent data protection regulation in order to strengthen the enforcement of such rights in all areas of the law and throughout the EU” and that governments “must finally deliver on this issue at the next Justice and Home Affairs Council in June.”

Companies can no longer hide behind their servers being based in California or anywhere else in the world.

Viviane Reding, European Justice Commissioner

For some, however, the fact that existing legislation provides for the right to be forgotten puts in question the need for a new regulation at all. Richard Cumbley of Linklaters told The New York Times, “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.”

But Wilson Sonsini’s Christopher Kuner said this ruling could actually provide further impetus to pass the proposed General Data Protection Regulation, as it more clearly spells out the Right-to-be-Forgotten concept and is more uniform in its application. Right now there are 28 different countries with 28 different privacy regimes. “If I were a company,” he said, “I’d say bring on the regulation because at least there’s a specific article on this, but today’s ruling is based on multiple articles” from the Directive.

Calling the decision “a real game-changer,” privacy expert Eduardo Ustaran, CIPP/E, told The Privacy Advisor, “As a result, search engines operating in Europe will now have to deploy measures to deal with the obligations and rights attached to the personal information revealed in searches.”

Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.” In a 2012 article for The Privacy Advisor, a number of experts detailed some of the technical problems companies may face in implementing such controls.

The case goes back to a 2009 incident involving a Spanish citizen who objected to having a Google search of his name include a 1998 Spanish newspaper article that reported on his financial debts and the forced sale of his property. The plaintiff said he had resolved the financial issue and demanded that the local newspaper delete the links to the story. When it refused, the plaintiff asked Google to do the same. The case made its way to the Spanish data protection authority, which ordered Google to remove the links. Google challenged the DPA’s ruling and the case was finally referred to the ECJ.

The most recent ruling contrasts with a preliminary ruling in June 2013 by the ECJ’s Advocate General Niilo Jääskinen, who decided Google did not need to delete the links because it was not the “controller” of data and that information should only be deleted when the personal information is either incomplete or inaccurate.

In the past, Google has argued that the right to be forgotten amounts to censorship. A Google spokesman told Wired, “This is a disappointing ruling for search engines and online publishers in general. We are very surprised that it differs so dramatically from the advocate general’s opinion and the warning and consequences that he spelled out. We now need to take time to analyse the implications.”

The ECJ ruling has some up in arms about potential freedom of expression and censorship concerns. Ustaran said, “Whilst the court does not go so far as letting people share their online persona without taking freedom of expression into account, it allows some form of tailor-made censorship.”

George Mason University’s Adam Thierer went further, arguing, “Right-to-be-forgotten efforts are well-intentioned and seductive, but ultimately, they will require onerous censorial controls that place serious pressure on free speech, journalistic pursuits and net freedom more generally.”

As legal experts begin parsing out the legal ramifications of the ruling—Patrick van Eecke takes an initial swing in this post for The Privacy Tracker—ultimately, commenters agree, the ripples will be felt for some time.

Technologically speaking, Prof. Joel Reidenberg points out that algorithms are at play here as well.

Kuner said there remain a lot of unanswered questions and that this ruling “opens the door to many unintended consequences.”

Beyond Google, what other companies will this apply to? If your website has a Google search bar in it, does that make you a co-controller? He also said the ripple effect will not only place an administrative burden on search engine companies, but on the courts and data protection authorities as well. Will they have the resources to deal with a flood of complaints?

“In summary,” Ustaran concluded, “this decision could have very serious implications for the way in which we all access information on the Internet.”

Tuesday, 13 May 2014

Woman’s medical records disclosed to an insurance company

Irish Times, 12th May 2014

 The Data Protection Commissioner’s office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild (above), which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

The disclosure by a GP of a woman’s medical records to an insurance company and the sending of an email containing a patient file by another GP to an incorrect address were among the case studies highlighted in the 2013 annual report.

Notification was also received by the Data Protection Commissioner’s office from a medical practitioner that their computer system had been compromised by ‘ransomware’ and that they were unable to access their patient files.

They had received a demand for € 5,000 in return for the reinstatement of the data but they had informed gardaí and had not paid the ransom. Five months worth of patient files were lost as the practitioner also discovered the back-up files had been infected with the rogue software.

Case studies highlighted also included a complaint against Carphone Warehouse, after a trainee employee gave out a customer’s home address in an “isolated” area to two individuals who claimed to have found her mobile phone and wanted to return it to her after it was stolen and seeking a reward for finding it.

The report said the disclosure of the woman’s address to strangers resulted in “considerable distress”. Regardless of the fact that the employee concerned was a trainee, this disclosure should not have happened.

Electric Ireland was the subject of a complaint over its ‘Feet on the Street’ marketing campaign after a sales agent called to a former customer’s home and was in possession of their personal details.

The Data Protection Commissioner told Electric Ireland its processing of the information was unlawful.

Mr Hawkes said companies needed to “tread carefully” in the space of win-back marketing campaigns as “without the prior marketing consent of the former customers concerned, there is no legal basis to process marketing lists using such retained personal data”.

It was also “disappointing” that the telecommunications sector remained a cause of complaint given the number of prosecutions taken against that sector in recent years for marketing offences.

Prosecutions were taken during the year against Eircom, Meteor, Telefonica (O2) and Vodafone for such offences.

The office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild, which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

Some 61 per cent of data breaches were the result of postal mailing breaches. The annual report said that while a number of these were the result of mail merge issues at the printing stage, “an unacceptably high” percentage were the result of human error.

Complaints about unsolicited direct marketing text messages, emails, phone calls and fax messages were 22.4 per cent of the total.

Bad customer service was increasingly the driving force behind people making requests under the Data Protection Acts to get access to their personal data, the commissioner’s office said.

The 517 complaints concerning access requests accounted for some 56.8 per cent of the total of 910 complaints opened by the Data Protection Commissioner’s office in 2013. This was the highest number ever received by the office in this category.

Mr Hawkes said this pointed to the extent of the difficulties being experienced by individuals in their efforts to exercise their rights and the barriers that some data controllers place in their way.

“Data protection has to be a corporate concern, a boardroom concern, with the clear direction coming from the top of every organisation whether that’s in the public or private sector.”

Audits were carried out on 40 organisations last year, including LinkedIn Ireland, Siptu, AA Ireland, the Health and Safety Authority, Irish Life, An Post, IBRC, Carlow Institute of Technology, Advanced Laser Light and several credit unions.

Public service told to better protect personal data

Commissioner Billy Hawkes cites example of man whose data was accessed by ex-wife working in Department of Social Protection

 Irish Times , Monday 12th May 2014

 Action is needed to tackle deficiencies in how the public service protects the personal data of citizens before such action is triggered by a “crisis”, the Data Protection Commissioner has said.

Billy Hawkes was speaking today on the publication of his annual report for 2013, which is his final annual report in the office. He retires in August.

 Mr Hawkes highlighted a number of issues of concern and said his audits of State organisations had “in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State”.

Laudable objectives such as fraud prevention and greater efficiency must meet a test of proportionality in the manner in which data is used.”

 In one case study published in the report, his office received a complaint from a man concerned about inappropriate access to his details by an employee of the Department of Social Protection– namely his ex wife.

 There were 12 instances of unauthorised access to his records between February 2004 and July 2009. An investigation was carried out by the department and the matter was referred to the HR division for possible action under the Civil Service Disciplinary Code.

Mr Hawkes said once again this case highlighted “the unacceptable practice by some individuals of snooping through official records for personal reasons unconnected with their official duties”. Taking no action against individuals caught in engaging in such activity was “not acceptable” and it should be clear to all users there there were “serious negative consequences” for unauthorised access to personal information for unofficial purposes.

“Varying degrees of personal information relating to every citizen in the State is held on databases within Government Departments and officials who have access to this information to conduct their official duties are entrusted to access and use that information in accordance with the requirements of their functions,” he said.

“Straying beyond the boundaries of their official duties in terms of accessing personal records amounts to unlawful activity by the individuals concerned. For that reason, it is critical that data controllers, such as a Government Department in this case, have robust disciplinary policies in place to deal with any breaches.”

Mr Hawkes told The Irish Times he believed “the State system in general is not paying sufficient attention to its responsibilities for the quantum of data it holds on all of us”.

“I suppose if I had a parting wish as Data Protection Commissioner it is that there would be system-wide action taken on data protection – that would be the responsibility of the Department of Public Expenditure and Reform - rather than have it triggered by a crisis, which I think is inevitable unless action is taken.”

In relation to the audit of the An Garda Síochana Pulse system, which was published earlier in the year, Mr Hawkes recommended in his report that the force should have a dedicated data protection unit.

He said he expected the force to now “actively enforce” the terms of a directive from headquarters and to take “strong and appropriate disciplinary action against any persons abusing their access to Pulse and prosecutions against any person found to be using such access for gain”.

He also expressed concern about the use for criminal purposes of the fingerprints of individuals who were required to provide such prints in connection with applications for asylum, visas and residence.

In his report, Mr Hawkes said the debate resulting from the revelations last year by the former NSA contractor Edward Snowden of the extent of access by US and European intelligence agencies to personal data had “thrown a welcome spotlight on the general issue of state access to personal data”.

A recent decision by the Court of Justice of the European Union to invalidate the EU Data Retention Directive relating to phone and internet data had “clearly set out the need for proportionality in this area”.

“The CJEU judgment also shows the importance of challenging such privacy-destroying measures, as was done in this case by Digital Rights Ireland, supported by the Irish Human Rights Commission. ”