Wednesday, 23 November 2016

Businesses will have to pay for data protection services

Irish Independent 15th November 2016

Irish businesses will have to cough up for new data protection officers thanks to EU laws coming down the tracks, according to the Irish data protection commissioner.

Speaking to the Irish Independent, Helen Dixon said that the General Data Protection Regulation will be a "wake up call" for Irish organisations which do not currently have such facilities in place.
Ms Dixon said that dozens of foreign-based tech companies had recently been in touch with her office over data compliance responsibilities after a potential move to Ireland.
The GDPR is one of a number of data and security issues to be discussed at Dublin InfoSec 2016 today. The RDS conference, which includes talks by Wikileaks journalist Sarah Harrison and cyber psychologist Mary Aiken, will focus on topics ranging from how to survive being hacked to ransomware attacks and responding to data breaches.

The conference is being held as news of one of the world's biggest data breaches broke last night. Over 400 million email addresses and passwords from the adult-themed dating network 'Adult Friend Finder' were exposed, with tens of thousands of Irish email addresses said to be included in the breach.
Meanwhile, Ms Dixon said that it would be a matter of months before the Irish data regulator's office knows whether, or to what extent, Yahoo can be held accountable for its recent data breach that affected over 500 million email users.
"We're in daily contact and in constant activity," she said.
"That is the subject of significant activity for the office and is in fact a scenario that is changing day by day in terms of the information that we're gathering."

Last week, Yahoo filed a document with US authorities revealing that some staff knew of the data breach as far back as 2014. The company, which only admitted the massive breach in September of this year, has claimed that the meltdown was caused by state-sponsored hackers.

Monday, 7 November 2016

Fears of intensified censorship as China passes controversial cybersecurity bill

The Journal 7th November 2016
CHINA HAS PASSED a controversial cybersecurity bill, further tightening restrictions on online freedom of speech, raising concerns that it could intensify already wide-ranging internet censorship.
The ruling Communist Party oversees a vast censorship system – dubbed the Great Firewall – that aggressively blocks sites or snuffs out internet content and commentary on topics considered sensitive, such as Beijing’s human rights record and criticism of the government.
The law, which was approved by the National People’s Congress Standing Committee, bans internet users from publishing a wide variety of information, including anything that damages “national honour”, “disturbs economic or social order” or is aimed at “overthrowing the socialist system”.
National security
The law requires companies to verify a user’s identity, effectively making it illegal to go online anonymously.
It also includes provisions for protecting the country’s networks and private user information.
Early drafts of the legislation drew a wave of criticism from rights groups and businesses, which objected to its vague language.
Foreign companies, in particular, expressed concern about language that would require them to cooperate with Chinese authorities to “protect national security”, broadly-worded language that was included in the final version of the law.
“This dangerous law commandeers internet companies to be de facto agents of the state, by requiring them to censor and provide personal data to the authorities at a whim,” said Patrick Poon, China researcher at overseas-based rights group Amnesty International.
Internet rumours
Chinese authorities have long reserved the right to control and censor online content. But the country stepped up its controls in 2013, launching a wide-ranging internet crackdown that targeted activists and focused on the spread of so-called “internet rumours”.
Hundreds of Chinese bloggers and journalists were detained as part of the campaign to assert greater control over social media, which has seen influential critics of Beijing paraded on state television.
Under regulations announced at the time, Chinese internet users face three years in prison for writing defamatory messages that are re-posted 500 times or more. Web users can also be jailed if offending posts are viewed more than 5,000 times.
Comments posted on social media have been used in the prosecution of various activists, such as human rights lawyer Pu Zhiqiang.
“If online speech and privacy are a bellwether of Beijing’s attitude toward peaceful criticism, everyone – including netizens in China and major international corporations – is now at risk,” said Sophie Richardson, China Director of Human Rights Watch.

“This law’s passage means there are no protections for users against serious charges.

Tuesday, 11 October 2016

Private investigator guilty of data protection breach

RTE News, 10th October 2016

The director of a Galway-based private investigation company has pleaded guilty at Tuam District Court to breaches of the Data Protection Act.

Michael Ryan, of Glen Collection Investments Ltd, in Glenamaddy, obtained personal information from the Department of Social Protection when he was working on behalf of AIB and Bank of Ireland.

Today's court proceedings follow an investigation by Assistant Data Protection Commissioner Tony Delaney.

The case arises from a complaint by an individual, Daniel Lannon, that his personal data, including details of a previous address in Louth, had been handed over unlawfully to a private investigator.
Ryan had been carrying out work for Croskerrys Solicitors in Dublin, a firm specialising in debt recovery, that was acting for AIB.

The court heard he obtained personal information from his sister-in-law, Catriona Bracken, who was an employee of the Department of Social Protection in Athlone.

The personal data of 61 individuals had been accessed on behalf of the two main banks in this investigation.

Ms Bracken, AIB and Bank of Ireland were not represented in court as the prosecution related solely to Ryan and his company. The court heard the company was not registered with the Data Protection Commissioner and had no authorisation to process personal information on databases.

The court heard that while it is not against the law for solicitors and banks to hire private investigators, it remains a serious breach of the Data Protection Act to obtain personal information unlawfully.

It was the tactics and methodology used that were of serious concern in this case.

Judge Conal Gibbons said that by publicising prosecutions of this nature, citizens would have their rights protected and vindicated in the courts.

He also expressed concern that banks did not take greater care to ensure the people they were hiring to help recover debt were fully compliant with rules and regulations.

The judge took into account the guilty plea and the financial circumstances of Ryan when he imposed a fine of €7,500.

The court heard the 47-year-old father of five was in mortgage arrears.

He had no previous convictions and received modest fees of between €45 and €100 for each 'trace' he carried out illegally.

Today's successful prosecution was welcomed by the State's data protection watchdog.

Assistant Commissioner Delaney said private investigators acting unlawfully would continue to be vigorously pursued.

Friday, 23 September 2016

Data Protection Commissioner seeking answers after massive Yahoo privacy breach

The Journal, 23rd September 2016
YAHOO HAS SAID that a massive attack on its network in 2014 allowed hackers to steal data from half a billion users and may have been “state sponsored.”
The Data Protection Commissioner here has been notified of the data breach by the multinational, which has its European HQ based in Dublin.
“Yahoo have notified us of the breach,” a spokeswoman told
Our office has raised a number of issues for which we’re seeking clarification on, and are waiting for a response from Yahoo.
Helen Dixon was appointed as Data Protection Commissioner for Ireland in September 2014, heading up the office in Portarlington, Co Laois.
Yahoo, which confirmed details of the breach last night, months after reports of a major hack, said its investigation concluded that “certain user account information was stolen” and that the attack came from “what it believes is a state-sponsored actor.”
“Based on the ongoing investigation, Yahoo believes that information associated with at least 500 million user accounts was stolen,” said a statement by the US internet giant in what is likely the largest-ever breach for a single organization.
The comments come after a report earlier this year quoted a security researcher saying some 200 million accounts may have been accessed and that hacked data was being offered for sale online.
Yahoo said the stolen information may have included names, email addresses, birth dates, and scrambled passwords, along with encrypted or unencrypted security questions and answers that could help hackers break into victims’ other online accounts.
While there is no official record of the largest breaches, many analysts have called the Myspace hack revealed earlier this year as the largest to date, with 360 million users
Ammunition for hackers
Computer security analyst Graham Cluley said the stolen Yahoo data “could be useful ammunition for any hacker attempting to break into Yahoo accounts, or interested in exploring whether users might have used the same security questions/answers to protect themselves elsewhere on the web.”
He noted that while Yahoo said that it believes the hack was state-sponsored, the company provided no details regarding what makes them think that is the case.
“If I had to break the bad news that my company had been hacked… I would feel much happier saying that the attackers were ‘state-sponsored,’” rather than teen hackers, Cluley said in a blog post.
University of Notre Dame associate teaching professor and data security specialist Timothy Carone told AFP that the Yahoo hack fit the “big picture” when it comes to cyberattacks launched by spy agencies in Russia, China, North Korea or other countries.
“It just smacks of traditional trade craft,” Carone said.
It is a broad sweep of getting information on people and building up profiles on those who may be of use to them.
Carone described Russia, China and North Korea as the usual three suspects in state-sponsored hacks, but cautioned that allies are not above cyber snooping as well.
“People have to realize that anything they put out there is fair game,” he said, stressing a need for internet users to remain wary.
Unprotected passwords
It appeared that looted Yahoo data did not include unprotected passwords or information associated with payments or bank accounts, the Silicon Valley company said.
Yahoo is asking affected users to change passwords, and recommending anyone who has not done so since 2014 to take the same action as a precaution.
Users of Yahoo online services were urged to review accounts for suspicious activity and change passwords and security question information used to log in anywhere else if it matched that at Yahoo.
“Online intrusions and thefts by state-sponsored actors have become increasingly common across the technology industry,” Yahoo said in a statement.
Yahoo and other companies have launched programs to detect and notify users when a company strongly suspects that a state-sponsored actor has targeted an account.
$4.8 billion
Confirmation of the major cyber breach comes two months after Yahoo sealed a deal to sell its core internet business to telecom giant Verizon for $4.8 billion, ending a two-decade run as an independent company.
It was not immediately clear if the data breach could impact the closing of the deal or the price agreed by Verizon.
“Frankly, the timing couldn’t be worse for Yahoo,” Cluley said.
The telecom firm said it was reviewing the new information.
“Within the last two days, we were notified of Yahoo’s security incident,” Verizon said in a statement.
“We will evaluate as the investigation continues through the lens of overall Verizon interests, including consumers, customers, shareholders and related communities.”

Wednesday, 14 September 2016

Austrian court refers Max Schrems’s Facebook case to ECJ

Irish Times 14th September 2016
Austrian student Max Schrems’ high-profile class action case over Facebook’s privacy rules has been referred to the European Court of Justice by Austria’s highest court.
The court in Luxembourg will now have to decide whether Max Schrems can bring a class action suit on behalf of European or even worldwide users of the social network.
Mr Schrems launched a class action suit against Facebook on behalf of 25,000 other people in 2014, accusing it of having invalid privacy policies and processing customer data illegally.
Facebook argued that the Austrian court did not have jurisdiction over the case, which slowly worked its way up the Austrian legal system before being referred to the EU’s top court. The company argues that Mr Schrems is not a consumer but an activist and so cannot legally represent other consumers.
Mr Schrems said he hoped the European court would be “consumer friendly” when it decided the jurisdiction question, praising it for having been so in previous cases. “Filing thousands of individual lawsuits before thousands of courts would be an absurd exercise,” he said.

Procedural questions
A spokeswoman for Facebook said: “Mr Schrems’s claims have twice been rejected on the grounds that they cannot proceed as ‘class action’ on behalf of other consumers in Austrian courts. We look forward to addressing the procedural questions presented to the [European Court of Justice] to resolve these claims.”
The referral is the latest twist in a five-year dispute between Facebook and Mr Schrems, which began when he was a student and has already upturned data protection law in the EU. Mr Schrems founded the organisation Europe v Facebook, which he is funding from small donations from “many concerned citizens” across Europe.
In a landmark judgment last year, the European Court of Justice struck down a crucial data transfer deal that allowed the likes of Facebook and Amazon to transfer personal data easily from the EU to the US, following a complaint from Mr Schrems.

The court ruled that the deal was invalid because the data of EU citizens were not sufficiently protected from US spies. Edward Snowden, the US National Security Agency whistleblower, praised Mr Schrems at the time, saying he had changed the world for the better.

A separate legal method of transferring data across the Atlantic – known as model contract clauses – is also under question in a related case in Ireland, again involving Mr Schrems. These clauses are relied on by 80 per cent of companies that transfer data from the EU to the US, lawyers estimate.

Monday, 15 August 2016

Cyclists may breach data laws with on-board cameras

Irish Examiner 02-08-2016
If a cyclist or homeowner uses footage from these cameras, beyond a personal capacity, then they may be in breach of data-protection law.
“If an individual is using CCTV or a body-worn camera and processing personal data beyond what is a ‘personal or household activity’ then they may assume the role of a data controller and as such they would be required to comply with data protection legislation,” a spokesperson from the DPC’s office said.
The issue came up in the commissioner’s annual report for 2015, published in June, listing it as one of three major data protection matters that arose.
The spokesperson from the commissioner’s office stated, however, that where an individual processes data from such cameras for their own personal affairs or keeps it for recreational purposes, this is exempt from the data protection law.
However, even if the activity is exempt, a person such as a neighbour might object to it and take a civil action.
“Though outside the remit of this office, it may be the case that even where this exemption does apply, an individual who objects to the recording, for example a neighbour who objects to images of his or her property being recorded, may be able to take a civil action based on the constitutional and common law right to privacy,” said the spokesperson.
The commissioner’s report also made an audit finding on the excessive use of body-worn cameras.

“Our general guidance in this area is that we would consider that body-worn cameras should only be activated in extreme cases in response to specific pre-defined criteria, where it could be justified for security and safety purposes,” reads the report.

Friday, 5 August 2016

Tinder violates data protection rules: EU lawmaker

The Indian Times, 4th August 2016

An EU lawmaker says dating app Tinder breaches the bloc's data protection rules because it uses personal data without explicit consent and should be investigated by the European Commission.

The dating app, owned by website operator Match Group Inc, imposes unlawful conditions on users, pushing them to consent to unclear clauses that allow the company to use their data even after they close their accounts, socialist lawmaker Marc Tarabella said in a statement.

"Once you subscribe, the company can do whatever it wants with your data. It can show them, distribute them to whomever or even modify them. The lack of transparency cannot be the rule," Tarabella said.

The Belgian politician, who in 2014 was among the leading European parliament members calling for a break-up of Google's search engine from its commercial services, also accused dating app Happn and jogging app Runkeeper of violating EU data protection rules.

Tinder representatives were not immediately available for comment.

A Commission spokeswoman said it was up to national authorities to enforce EU rules on data and consumer protection. However, the Commission has conducted such investigations in the past.

"The problem is always the lack of transparency and the notion of consent," Tarabella said, adding that companies often sell users' data to third parties without consumers being aware or having explicitly consented to it.

EU rules protect consumers who no longer want their data to be used. Companies are also required to provide "easy-to-understand information" and to obtain an explicit consent from users to process personal data.

Thursday, 14 July 2016

Privacy Shield: The new EU rules on transatlantic data sharing will not protect you

Irish Times, 12 July 2016

The European Union’s data protection laws are intended to ensure that we can entrust personal data to our devices and online services without fear of privacy violations. To make sure that this European standard is not undermined, it is essential to clarify under which circumstances personal data can be transferred to other countries – ones that may not have the same privacy protection laws.
The European Commission will today adopt the so-called Privacy Shield, which will allow companies to transfer personal data from the EU to the United States. It follows the European Court of Justice ruling that the previous system for the transfer of data to the US, called Safe Harbour, violated fundamental rights to privacy.
Does Privacy Shield protect the privacy of European users when their data is sent to the United States? Various indicators suggest it does not.
With regard to the private sector, it is painfully obvious that the rules give nowhere near the level of protection and principles afforded by the EU. For example, if you share your personal information with your doctor, you reasonably expect that he will only use this information for the purpose of curing you – not to gossip behind your back. This expectation is enshrined in EU law as “purpose limitation”.
Privacy Shield allows the sharing of your data for very broad and generic purposes, such as “for all services we may provide to you and others”. This undermines a very crucial protection. Many other data protection rules, such as the deletion of data or the sharing of data, are interlinked with this principle.
Privacy Shield is meant to be based on “notice and choice”, which sounds promising. However, Privacy Shield does not give users much “choice”. It actually gives companies a general blanket approval to use the personal data of any person under the sun. Only in two specific cases can users object.
They would first have to know which US company was using their data, and then contact the company and actively “opt out”. This gives US companies a significant competitive advantage over European firms. Under the European “opt-in” system, companies typically have to ask customers for consent.
In addition, the rules for legal redress are rather complex. If European customers believe their rights have been violated, they have to first contact private US arbitration bodies and their national authorities, who in turn contact the US authorities, in order to be finally able to address concerns with a “privacy shield board”.

No guarantees

None of this guarantees that the person responsible for oversight will be empowered to actually review the practices of any company and, for example, review servers and software. None of the options available are directly enforceable by a customer. In sum, even if a company violates the fundamental rights of a customer, it is very unlikely there will be any real consequences.
The rules concerning personal data in the public sector are equally worrisome. In its Safe Harbour ruling, the European Court of Justice strongly criticised mass-surveillance laws in the US, which have not changed in the meantime. While US citizens enjoy certain protection against surveillance measures, “non-US persons” are specifically exempted.
Not only does the final Privacy Shield use the exact same wording on mass surveillance laws as Safe Harbor, but the US now even admits that it will continue to collect personal data stemming from Europe in bulk.
Blanket mass surveillance without any reasonable suspicion is contrary to the principles of European human rights. European courts have consequently ruled clearly against blanket access to personal data for not being in line with the fundamental rights to privacy and data protection.
Legal redress against measures in the public sector is little more than a farce. An EU citizen may address an ombudsperson in the US, which is not a court or independent body, but an undersecretary of the US government.

Confirm nor deny

While the new ombudsperson can raise issues within the US government, the reply to the individual concerned will always contain the same two sentences: first, the US will not confirm or deny any surveillance; and, second, all US laws were adhered to, or any non-compliance was remedied.
This ombudsperson is not what the European Court of Justice meant when it asked for individual redress.
Privacy Shield needs to fulfil the criteria laid down in European Union law and by its courts, which have clearly stated that blanket data collection is not compatible with the fundamental right to data protection.
This is also a problem for European businesses that are obliged to meet EU data protection standards but which will, under Privacy Shield, face competition from US companies who face no such obligation. Nor does this new deal provide legal certainty for the industry that is so desperately needed.
The European Commission should hold off on activating Privacy Shield until more work is done on the US side. Given the countless insufficiencies, it is otherwise highly likely that the new Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice.

Thursday, 7 July 2016

Proposed legislation allowing snooping may not be in line with EU rulings

The Minister for Justice Frances Fitzgerald has obtained cabinet approval in relation to legislation that will allow Gardai to intercept emails and social media messages, which will include Facebook, Twitter, WhatsApp and other social networks. The move comes after Gardai investigating organised crime raised concerns that criminals were communicating online, outside the remit of surveillance laws.

There is concern that the proposed legislation will not be in line with a ruling of the European Court of Justice which effectively threw out a proposal for similar legislation. We cannot foresee the implications such legislation will have on privacy rights or data protection issues. Furthermore, such legislation may not be in line with EU rulings.

Monday, 4 July 2016

Private Investigator prosecuted by Data Protection Commissioner

Private Investigator James Cowley pleaded guilty to 13 charges under Section 22 of the Data Protection Act for unlawfully obtaining access to personal data and disclosing it to third parties without authorisation of the Department of Social Protection. He had been hired by Permanent TSB, Zurich, Alliance and the State Claims Agency to carry out surveillance on claimants. The prosecution has been welcomed by the Office of the Data Protection Commissioner. It was the third successful prosecution by the ODPC in the last two years in relation to offences committed by private investigators.
The Data Protection Commissioner, Helen Dixon, said the following in relation to the prosecution: “This outcome is a strong signal to private investigators that they must fully comply with data protection legislation. As this case highlights, where private investigators fail to comply with the law they will be rigorously pursued and prosecuted for offending behaviour. It is also a timely reminder to all companies and businesses which hire private investigators of their responsibilities under the Data Protection Acts to ensure that all work carried out on their behalf by private investigators is done lawfully. I would urge public bodies and private sector organisations who appoint private investigators to review their terms of engagement, in order to satisfy themselves that any means of collection of personal data used by the investigators they hire are in line with the law.”

Fintan Lawlor, Lawlor Partners Solicitors, was the first solicitor in Ireland to secure compensation for a data subject whose rights had been breached under the Data Protection Acts 1988 and 2003. The plaintiff in the case of Collins v FBD has been pursued by a private investigator. 

Thursday, 12 May 2016

A New Parliamentary Investigation Unit Established

Lawlor Partners Solicitors welcome the commitment given by the government today in ‘a programme for partnership government’ that a new parliamentary investigation unit will be established to assist and improve the ability of the Oireachtas committees to conduct investigative work and inquiries.

Lawlor Partners has extensive experience in advising and representing clients at all stages of the inquiry process.

Please contact Fintan Lawlor for any further inquiries, telephone (01) 8725 255 or email: For more information see our website :

Wednesday, 20 April 2016

CCTV images of illegal dumpers raise privacy concerns

Tue, Apr 12, 2016, 01:00 Updated: Tue, Apr 12, 2016, 08:41

The Data Protection Commissioner has contacted Dublin City Council over its use of images of people captured on CCTV illegally dumping household waste.
The council last week erected a poster in a litter blackspot in the north inner city, showing 12 people caught on CCTV dumping rubbish on the street.
The faces are slightly blurred, due to the quality of the CCTV footage, but they would be able to identify themselves, as most likely would their neighbours, the council said.
The poster has been bolted to a wall behind a Perspex shield at Frankfort Cottages, near the Five Lamps, one of the city’s worst areas for illegal dumping. CCTV cameras were installed a number of weeks ago and they had some effect in reducing dumping.
However, within a day of the poster going up last week, the street was clear.
“It was remarkable. For the last 10 years we’ve had signage there warning people not to illegally dump, but every day we would have to clear up bags, and sofas and other furniture, and even builders’ rubble, but this poster has made such a difference,” said John McPartlan, public domain officer with the council.

Rights to privacy

However, yesterday morning the commissioner’s office contacted the council.
“Officials from this office have contacted the DCC in relation to the publication of CCTV stills.
“It should be pointed out that the processing of personal data must be done fairly, demonstrate proportionality and not be overly prejudicial to the fundamental right of the individual to data privacy.”
Mr McPartlan said he would be responding to the commissioner this week.
“We have to make a case that our use of the images is a proportionate response to the issue, and our view is that it is, because illegal dumping leaves the city in a terrible mess.”
He added the council had published no names and no personal information.
The poster shows people dumping refuse sacks and smaller supermarket bags, as well as a woman dumping a suitcase and two young men dumping a sofa.

Litter blackspot

The council has been making concerted efforts to clean up the north inner city, but the area has languished near the bottom of the Irish Business Against Litter (Ibal) national survey, although it recently moved up from 39th to 37th most littered urban area.
The council in December 2013 announced a “blitz” on dumping black spots in the city where residents leave their rubbish in the streets instead of paying for waste collection.
It established a north inner city litter action group which has gone door to door asking people to provide proof they are disposing of their waste legally, and has had some success in persuading households to sign up to pay to have their bins collected.
However, no measure has had the instant effect of the poster. Local Independent councillor Nial Ring said he and other local councillors “fully endorsed” the measure.
“This is the nearest we can get to a name and shame policy. I would recommend that we get more CCTV cameras and put up more posters because it has got results.

“We don’t want to be in the Ibal relegation zone, we want to be the Leicester City of the litter league.”