Europe to force Google, Facebook to abide by EU privacy rules

Irish Times 6^th June 2014

A deal to force Internet companies such as Google and Facebook to abide by EU rules is a first step in a wider reform package to tighten privacy laws

Companies based outside the European Union must meet Europe’s data protection rules, ministers agreed on Friday, although governments remain divided over how to enforce them on companies.

The agreement to force Internet companies such as Google and Facebook to abide by EU rules is a first step in a wider reform package to tighten privacy laws - an issue that gained prominence following revelations of US spying in Europe.

Vodafone’s disclosure on Friday of the extent of telephone call surveillance in European countries showed the practice was not limited to the United States. The world’s second-largest mobile phone company, Vodafone is headquartered in the United Kingdom.

“All companies operating on European soil have to apply the rules,” EU Justice Commissioner Viviane Reding told reporters at a meeting in Luxembourg where ministers agreed on a position that has also been backed by the Court of Justice of the European Union (ECJ).

Germany and the European Commission, the EU executive, have been highly critical of the way the United States accesses data since former US National Security Agency contractor Edward Snowden last year revealed US surveillance programmes.

Disclosures that the United States carried out large-scale electronic espionage in Germany, including bugging chancellor Angela Merkel’s mobile phone, provoked indignation in Europe.

“Now is the day for European ministers to give a positive answer to Edward Snowden’s wake-up call,” Ms Reding said.

Commenting on Vodafone’s disclosure, she said: “All these kind of things show how important it is to have data protection clearly established.”

The reform package, which was approved by the European Parliament in March, has divided EU governments and still needs work to become law despite Friday’s progress.

While ministers also agreed on provisions allowing companies to transfer data to countries outside the European Union, there was no decision on how to help companies avoid having to deal separately with the EU’s 28 different data protection authorities.

That issue was thrown into stark relief by a ruling from Europe’s top court requiring Google to remove links to a 16-year-old newspaper article about a Spanish man’s bankruptcy.

The search engine has since received tens of thousands of requests across Europe, and under current rules has to deal with each national authority.

A ‘one-stop-shop’ arrangement would allow companies to deal exclusively with the data protection authority in the country where it has its main establishment. But governments are concerned about a foreign data protection authority making binding decisions that they would then have to enforce.

For example, if a complaint originated in Denmark against a company based in Ireland, the Danish authorities would have to implement a decision by the Irish data protection body, something that is both legally and politically difficult

Europe struck wrong balance on ‘right to be forgotten’ ruling, says Google boss

The Journal, 15^th May 2014

AFTER THE EU Court of Justice’s (ECJ) ruling earlier this week, Google’s Executive Chairman Eric Schmidt has said the European court struck the wrong balance when it made its decision on personal privacy.

Responding to a question asked at the company’s annual shareholder meeting, Schmidt said the case reflects a “collision between a right to be forgotten and a right to know,” and that the company believed “the balance that was struck [by the ECJ] was wrong.”

He said that since Google isn’t a media company, it is not protected under European data protection law and could have serious implications for the company.

Google’s Chief Legal Officer, David Drummond, told investors that it was still analysing the decision and the impact it could have for the search engine, but described it as “disappointing,” and said it “went too far.”

The ruling by the ECJ will force Google to remove links to content about a person, under certain conditions, if they submit an application to have it removed. The company would then have to weigh up whether that information is in the public interest and whether it should stay.

Google currently dominates the search engine space in Europe, claiming more than 90 per cent of search and vastly outperforming rivals like Bing and Yahoo.

European Court Ruling Bolsters Right To Be Forgotten

ECJ ruling calls search engines data ‘controllers’ and provides data subjects with a means to prompt search engines to delete links even if the provider has published them lawfully

May 13, 2014

By Jedidiah Bracy, CIPP/US, CIPP/E

In what many are calling an historic decision, the European Union’s highest court has ruled that Google must provide users, in certain instances, with a right to delete links about themselves, including in some cases, public records.

The European Court of Justice (ECJ) said the automatic indexing of information that contains personal data “must be classified as ‘processing of personal data’” and that “the operator of the search engine must be regarded as the ‘controller’ in respect to that processing…” Additionally, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person,” even “when its publication in itself on those pages is lawful.”

An individual’s fundamental rights, the court also ruled, override “the economic interest of the operator of the search engine but also the interest of the general public” in having that information. The exception would be the role played by the subject in public life and if the general public’s right to access the information is justified.

On leave from her role as European justice commissioner, Viviane Reding said, “Companies can no longer hide behind their servers being based in California or anywhere else in the world” and that “the data belongs to the individual, not the company.”

In comments provided to The Privacy Advisor, German Green Member of Parliament and architect of the proposed data protection regulation Jan Philipp Albrecht said the ruling “is the right decision” and that it “clarifies that European data protection law is applicable as soon as a data controller is operating on the European market.” He also stressed the importance of adopting “a uniform and consistent data protection regulation in order to strengthen the enforcement of such rights in all areas of the law and throughout the EU” and that governments “must finally deliver on this issue at the next Justice and Home Affairs Council in June.”

Companies can no longer hide behind their servers being based in California or anywhere else in the world.

Viviane Reding, European Justice Commissioner

For some, however, the fact that existing legislation provides for the right to be forgotten puts in question the need for a new regulation at all. Richard Cumbley of Linklaters told The New York Times, “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.”

But Wilson Sonsini’s Christopher Kuner said this ruling could actually provide further impetus to pass the proposed General Data Protection Regulation, as it more clearly spells out the Right-to-be-Forgotten concept and is more uniform in its application. Right now there are 28 different countries with 28 different privacy regimes. “If I were a company,” he said, “I’d say bring on the regulation because at least there’s a specific article on this, but today’s ruling is based on multiple articles” from the Directive.

Calling the decision “a real game-changer,” privacy expert Eduardo Ustaran, CIPP/E, told The Privacy Advisor, “As a result, search engines operating in Europe will now have to deploy measures to deal with the obligations and rights attached to the personal information revealed in searches.”

Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.” In a 2012 article for The Privacy Advisor, a number of experts detailed some of the technical problems companies may face in implementing such controls.

The case goes back to a 2009 incident involving a Spanish citizen who objected to having a Google search of his name include a 1998 Spanish newspaper article that reported on his financial debts and the forced sale of his property. The plaintiff said he had resolved the financial issue and demanded that the local newspaper delete the links to the story. When it refused, the plaintiff asked Google to do the same. The case made its way to the Spanish data protection authority, which ordered Google to remove the links. Google challenged the DPA’s ruling and the case was finally referred to the ECJ.

The most recent ruling contrasts with a preliminary ruling in June 2013 by the ECJ’s Advocate General Niilo Jääskinen, who decided Google did not need to delete the links because it was not the “controller” of data and that information should only be deleted when the personal information is either incomplete or inaccurate.

In the past, Google has argued that the right to be forgotten amounts to censorship. A Google spokesman told Wired, “This is a disappointing ruling for search engines and online publishers in general. We are very surprised that it differs so dramatically from the advocate general’s opinion and the warning and consequences that he spelled out. We now need to take time to analyse the implications.”

The ECJ ruling has some up in arms about potential freedom of expression and censorship concerns. Ustaran said, “Whilst the court does not go so far as letting people share their online persona without taking freedom of expression into account, it allows some form of tailor-made censorship.”

George Mason University’s Adam Thierer went further, arguing, “Right-to-be-forgotten efforts are well-intentioned and seductive, but ultimately, they will require onerous censorial controls that place serious pressure on free speech, journalistic pursuits and net freedom more generally.”

As legal experts begin parsing out the legal ramifications of the ruling—Patrick van Eecke takes an initial swing in this post for The Privacy Tracker—ultimately, commenters agree, the ripples will be felt for some time.

Technologically speaking, Prof. Joel Reidenberg points out that algorithms are at play here as well.

Kuner said there remain a lot of unanswered questions and that this ruling “opens the door to many unintended consequences.”

Beyond Google, what other companies will this apply to? If your website has a Google search bar in it, does that make you a co-controller? He also said the ripple effect will not only place an administrative burden on search engine companies, but on the courts and data protection authorities as well. Will they have the resources to deal with a flood of complaints?

“In summary,” Ustaran concluded, “this decision could have very serious implications for the way in which we all access information on the Internet.”

Woman’s medical records disclosed to an insurance company

Irish Times, 12^th May 2014

 The Data Protection Commissioner’s office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild (above), which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

The disclosure by a GP of a woman’s medical records to an insurance company and the sending of an email containing a patient file by another GP to an incorrect address were among the case studies highlighted in the 2013 annual report.

Notification was also received by the Data Protection Commissioner’s office from a medical practitioner that their computer system had been compromised by ‘ransomware’ and that they were unable to access their patient files.

They had received a demand for € 5,000 in return for the reinstatement of the data but they had informed gardaí and had not paid the ransom. Five months worth of patient files were lost as the practitioner also discovered the back-up files had been infected with the rogue software.

Case studies highlighted also included a complaint against Carphone Warehouse, after a trainee employee gave out a customer’s home address in an “isolated” area to two individuals who claimed to have found her mobile phone and wanted to return it to her after it was stolen and seeking a reward for finding it.

The report said the disclosure of the woman’s address to strangers resulted in “considerable distress”. Regardless of the fact that the employee concerned was a trainee, this disclosure should not have happened.

Electric Ireland was the subject of a complaint over its ‘Feet on the Street’ marketing campaign after a sales agent called to a former customer’s home and was in possession of their personal details.

The Data Protection Commissioner told Electric Ireland its processing of the information was unlawful.

Mr Hawkes said companies needed to “tread carefully” in the space of win-back marketing campaigns as “without the prior marketing consent of the former customers concerned, there is no legal basis to process marketing lists using such retained personal data”.

It was also “disappointing” that the telecommunications sector remained a cause of complaint given the number of prosecutions taken against that sector in recent years for marketing offences.

Prosecutions were taken during the year against Eircom, Meteor, Telefonica (O2) and Vodafone for such offences.

The office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild, which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

Some 61 per cent of data breaches were the result of postal mailing breaches. The annual report said that while a number of these were the result of mail merge issues at the printing stage, “an unacceptably high” percentage were the result of human error.

Complaints about unsolicited direct marketing text messages, emails, phone calls and fax messages were 22.4 per cent of the total.

Bad customer service was increasingly the driving force behind people making requests under the Data Protection Acts to get access to their personal data, the commissioner’s office said.

The 517 complaints concerning access requests accounted for some 56.8 per cent of the total of 910 complaints opened by the Data Protection Commissioner’s office in 2013. This was the highest number ever received by the office in this category.

Mr Hawkes said this pointed to the extent of the difficulties being experienced by individuals in their efforts to exercise their rights and the barriers that some data controllers place in their way.

“Data protection has to be a corporate concern, a boardroom concern, with the clear direction coming from the top of every organisation whether that’s in the public or private sector.”

Audits were carried out on 40 organisations last year, including LinkedIn Ireland, Siptu, AA Ireland, the Health and Safety Authority, Irish Life, An Post, IBRC, Carlow Institute of Technology, Advanced Laser Light and several credit unions.

Public service told to better protect personal data

Commissioner Billy Hawkes cites example of man whose data was accessed by ex-wife working in Department of Social Protection

 Irish Times , Monday 12^th May 2014

 Action is needed to tackle deficiencies in how the public service protects the personal data of citizens before such action is triggered by a “crisis”, the Data Protection Commissioner has said.

Billy Hawkes was speaking today on the publication of his annual report for 2013, which is his final annual report in the office. He retires in August.

 Mr Hawkes highlighted a number of issues of concern and said his audits of State organisations had “in too many cases, shown scant regard by senior management to their duty to safeguard the personal data entrusted to them – a duty that is all the greater because of the legal obligation to provide such personal data to the State”.

Laudable objectives such as fraud prevention and greater efficiency must meet a test of proportionality in the manner in which data is used.”

 In one case study published in the report, his office received a complaint from a man concerned about inappropriate access to his details by an employee of the Department of Social Protection– namely his ex wife.

 There were 12 instances of unauthorised access to his records between February 2004 and July 2009. An investigation was carried out by the department and the matter was referred to the HR division for possible action under the Civil Service Disciplinary Code.

Mr Hawkes said once again this case highlighted “the unacceptable practice by some individuals of snooping through official records for personal reasons unconnected with their official duties”. Taking no action against individuals caught in engaging in such activity was “not acceptable” and it should be clear to all users there there were “serious negative consequences” for unauthorised access to personal information for unofficial purposes.

“Varying degrees of personal information relating to every citizen in the State is held on databases within Government Departments and officials who have access to this information to conduct their official duties are entrusted to access and use that information in accordance with the requirements of their functions,” he said.

“Straying beyond the boundaries of their official duties in terms of accessing personal records amounts to unlawful activity by the individuals concerned. For that reason, it is critical that data controllers, such as a Government Department in this case, have robust disciplinary policies in place to deal with any breaches.”

Mr Hawkes told The Irish Times he believed “the State system in general is not paying sufficient attention to its responsibilities for the quantum of data it holds on all of us”.

“I suppose if I had a parting wish as Data Protection Commissioner it is that there would be system-wide action taken on data protection – that would be the responsibility of the Department of Public Expenditure and Reform - rather than have it triggered by a crisis, which I think is inevitable unless action is taken.”

In relation to the audit of the An Garda Síochana Pulse system, which was published earlier in the year, Mr Hawkes recommended in his report that the force should have a dedicated data protection unit.

He said he expected the force to now “actively enforce” the terms of a directive from headquarters and to take “strong and appropriate disciplinary action against any persons abusing their access to Pulse and prosecutions against any person found to be using such access for gain”.

He also expressed concern about the use for criminal purposes of the fingerprints of individuals who were required to provide such prints in connection with applications for asylum, visas and residence.

In his report, Mr Hawkes said the debate resulting from the revelations last year by the former NSA contractor Edward Snowden of the extent of access by US and European intelligence agencies to personal data had “thrown a welcome spotlight on the general issue of state access to personal data”.

A recent decision by the Court of Justice of the European Union to invalidate the EU Data Retention Directive relating to phone and internet data had “clearly set out the need for proportionality in this area”.

“The CJEU judgment also shows the importance of challenging such privacy-destroying measures, as was done in this case by Digital Rights Ireland, supported by the Irish Human Rights Commission. ”

Timeline of Garda Taping Scandal

Irish Independent 27^th March 2014

June 2013: Garda Ombudsman report on arrest and beating of Anthony Holness in Waterford refers to recording of phone conversations in garda station. The report goes unnoticed.

October: Garda management becomes aware of the extent of the phone recordings due to another case.

November 11: Garda Commissioner consults with Attorney General's (AG) office on recording of phone calls.

November 25: Ian Bailey, the self-confessed suspect in the Sophie Toscan du Plantier murder, and his partner Jules Thomas, are separately suing the State for wrongful arrest in the investigation.

Their legal teams are told "unexpected electronic material" has been found in a trawl of garda case files. The High Court gives the gardai until this week to unscramble the data – believed to be recorded phone calls.

November 27: Garda Commissioner orders a halt to routine recording of non-999 calls at Garda stations.

February 28, 2014: Department of Justice informed by Chief State Solicitor's Office and gardai about the recording of phone calls.

March 10: Garda Commissioner writes to the Department of Justice revealing gardai were involved in widespread recording of phone calls in and out of stations.

March 11: Commissioner Callinan meets with officials in the Department of Justice and the AG's office on the issue of the taped phone calls related to a civil case.

March 15: Mr Shatter flies to Mexico for St Patrick's Day visits.

March 19 and 20: Garda HQ sends copies of letters between it and the AG's office and the Data Protection Commissioner on the controversial taping of phone calls to the Department of Justice.

March 21: Mr Shatter returns from Mexico.

March 23: Taoiseach Enda Kenny meets AG Maire Whelan, who briefs him on taping scandal.

March 24: Mr Shatter learns of the issue and meets Taoiseach and AG.

On Taoiseach's instructions, Dept of Justice Secretary General Brian Purcell meets Commissioner Callinan to inform him of Government's views.

March 25: Cabinet meeting due to be dominated by Transport Minister Leo Varadkar's demand for Commissioner Callinan to withdraw comments about whistleblowers.

Mr Callinan informs Department of Justice of his retirement at 9am. Cabinet meets at 10.30pm and Mr Shatter receives the letter sent to him on March 10 at 12.40pm.

Government decides to launch Commission of Investigation into garda taping

Recording phone calls could have implications for data protection

Irish Times, Wednesday 26^th March 2014  

Taping and recording of phone calls in Garda stations could have serious implications for data protection and for the legal privilege of discussions between people detained at Garda stations and their solicitors, legal experts have said.

It could also potentially result in the overturning of some convictions in specific circumstances.

Under Irish law, it is not illegal for a person to record a phone call if they are a party to that call, but it is an offence if a third party records a call without authorisation under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.

Legislation also requires that when personal data of individuals is collected a record must be kept of it, and it must be registered under data protection legislation.

The Data Protection Acts state that a person’s information should only be collected for specific purposes and callers should be informed they are being recorded.

One leading barrister working in criminal law who did not want to be named said there could be serious implications if calls between people detained at Garda stations and their lawyers were recorded.

Privilege
Such discussions attract absolute legal privilege and could never be used as evidence in a court of law, he said, but there was a risk that information collected could be used against a person detained.

“It is impossible to come up with any conceivable justification for the gardaí or an adverse party to record that secretly,” he said.

He said it could be a leap to assume that because calls were recorded, they were listened to, but if they were it could come close to “perverting the course of justice”.

If information gleaned from recording a phone call was used in evidence it could lead to the exclusion of some evidence at trial or to an argument of abuse of process.

The recording of calls could also have implications for cases involving disclosure.

Gardaí and the Director of Public Prosecutions have an obligation to provide disclosure of any material that is of any relevance and the courts have interpreted this broadly, he said.

So if a person called a Garda station to speak to a garda about a case, that communication if recorded would be subject to the normal disclosure.

He said yesterday’s revelations could lead to a flood of applications for disclosure of any calls being made.

“There must be cases out there now where that is a live issue; there is a flurry to prove the fact of the phone call, and then evidence of its content from people’s recollections,” he said.

In past cases, disclosure has been sought to see if there is a record of a telephone call to a Garda station and gardaí have produced records from a phone company.

‘Remarkable’
“It is remarkable now that they were producing the phone records if at the same time they also knew they had recordings,” the barrister said.

He also said he thought it was possible that if a person could show they had been convicted in specific circumstances where there was a live issue in respect of the content of a telephone call, a conviction could be overturned.

A second barrister working in the area of criminal law said the implications for data protection were very important. Gardaí appeared to be retaining personal data on individuals and legislation required that a proper record of such data be kept and that it is registered with the data protection commissioner.

“Presumably they haven’t done that,” he said.

If they had done it and a scheme had been put in place and authorised that would raise other issues.

He said any recording of calls to solicitors was very serious as they could be used as “intelligence gathering” exercises.

Separately, the Irish Council for Civil Liberties has said the Government should allow its new statutory Commission of Investigation examine “the full spectrum of Garda accountability issues” that have arisen in recent weeks.