A New Parliamentary Investigation Unit Established

Lawlor Partners Solicitors welcome the commitment given by the government today in ‘a programme for partnership government’ that a new parliamentary investigation unit will be established to assist and improve the ability of the Oireachtas committees to conduct investigative work and inquiries.

Lawlor Partners has extensive experience in advising and representing clients at all stages of the inquiry process.

Please contact Fintan Lawlor for any further inquiries, telephone (01) 8725 255 or email: fintan@laworpartners.ie. For more information see our website : www.lawlorpartners.ie

CCTV images of illegal dumpers raise privacy concer

CCTV images of illegal dumpers raise privacy concerns

Tue, Apr 12, 2016, 01:00 Updated: Tue, Apr 12, 2016, 08:41

The Data Protection Commissioner has contacted Dublin City Council over its use of images of people captured on CCTV illegally dumping household waste.

The council last week erected a poster in a litter blackspot in the north inner city, showing 12 people caught on CCTV dumping rubbish on the street.

The faces are slightly blurred, due to the quality of the CCTV footage, but they would be able to identify themselves, as most likely would their neighbours, the council said.

The poster has been bolted to a wall behind a Perspex shield at Frankfort Cottages, near the Five Lamps, one of the city’s worst areas for illegal dumping. CCTV cameras were installed a number of weeks ago and they had some effect in reducing dumping.

However, within a day of the poster going up last week, the street was clear.

“It was remarkable. For the last 10 years we’ve had signage there warning people not to illegally dump, but every day we would have to clear up bags, and sofas and other furniture, and even builders’ rubble, but this poster has made such a difference,” said John McPartlan, public domain officer with the council.

Rights to privacy

However, yesterday morning the commissioner’s office contacted the council.

“Officials from this office have contacted the DCC in relation to the publication of CCTV stills.

“It should be pointed out that the processing of personal data must be done fairly, demonstrate proportionality and not be overly prejudicial to the fundamental right of the individual to data privacy.”

Mr McPartlan said he would be responding to the commissioner this week.

“We have to make a case that our use of the images is proportionate response to the issue, and our view is that it is, because illegal dumping leaves the city in a terrible mess.”

He added the council had published no names and no personal information.

The poster shows people dumping refuse sacks and smaller supermarket bags, as well as a woman dumping a suitcase and two young men dumping a sofa.

Litter blackspot

The council has been making concerted efforts to clean up the north inner city, but the area has languished near the bottom of the Irish Business Against Litter (Ibal) national survey, although it recently moved up from 39th to 37th most littered urban area.

The council in December 2013 announced a “blitz” on dumping black spots in the city where residents leave their rubbish in the streets instead of paying for waste collection.

It established a north inner city litter action group which has gone door to door asking people to provide proof they are disposing of their waste legally, and has had some success in persuading households to sign up to pay to have their bins collected.

However, no measure has had the instant effect of the poster. Local Independent councillor Nial Ring said he and other local councillors “fully endorsed” the measure.

“This is the nearest we can get to a name and shame policy. I would recommend that we get more CCTV cameras and put up more posters because it has got results.

“We don’t want to be in the Ibal relegation zone, we want to be the LeicesterCity of the litter league.”

European Parliament passes tougher data protection laws

Irish Times Apr 14, 2016

The European Parliament has voted through tougher rules on data protection, aimed at boosting privacy and giving authorities greater powers to take action against companies that breach the rules.

The rules, including the much-needed General Data Protection Regulation (GDPR), were four years in the making and form the new backbone of laws for data regulators to pursue companies with heavy fines - as much as 4 per cent of annual turnover for global companies - for incidents such as data breaches, which have become increasingly common.

Viviane Reding, MEP and former vice-president of the European Commissionwho proposed the changes in 2012, said: “This is a historic day for Europe. This reform will restore trust in digital services today, thereby reigniting the engine for growth tomorrow.

“There can be no freedom without security, and no security without freedom. Today’s concomitant adoption of these three legislations sends a strong signal that national security and data protection can and must go hand in hand.”

                                                                                        

National rules

The new data privacy laws comprise of the GDPR, which governs the use and privacy of EU citizens’ data, and the Data Protection Directive, which governs the use of EU citizens’ data by law enforcement.

Together they aim to create strong data protection law for Europe’s 500 million citizens; streamline legislation between the 28 member states pushing a digital single market and boost police and security cooperation. It is due to replace the outdated patchwork of national rules that have only allowed for small fines in cases of violation.

The new laws have already proved controversial with companies wishing to operate with EU citizens’ data, placing an administrative burden on some, including those based outside of Europe.

The next step in strengthening of data regulation across the EU is an overhaul of the ePrivacy Directive, which will now commence in earnest, to bring it inline with the changes laid out in the GDPR.

Passenger name data

The European Parliament also voted through the EU Passenger Name Record (PNR), which aims to aid law enforcement in tracking people’s movement across Europe.

EC’s first vice-president Frans Timmermans, vice-president of the Digital Single Market Andrus Ansip, and Commissioner for Justice, Consumers and Gender Equality Vera Jourova, said: “These new rules come at a time when improved cooperation in the fight against terrorism and other serious crime is more necessary than ever, as shown by the recent terrorist attacks in Paris and Brussels.”

Ms Reding added: “Faced with the transnational nature of the digital revolution and the fight against terror, EU-wide rules are the only solution to our problems.

“PNR is an important tool to track terrorists flying in and out of Europe in a much wider toolkit, which should also include the systematic sharing of information in all EU databases.”

Minister says data protection commissioner is independent

RTE News 28th January 2016

The Minister for European Affairs and Data Protection has defended the Office of the Data Protection Commissioner, saying it is completely independent of government.

Minister Dara Murphy was responding to the news that Digital Rights Ireland is to take legal action against the Government, challenging whether the office is truly an independent data authority under EU law.

DRI says a series of judgments from the EU's top court have stressed the critical importance of a truly independent data protection authority.

However, DRI says it will claim in court that Ireland has failed to properly implement EU data protection law or follow the requirements of the Charter of Fundamental Rights by failing to ensure the Irish ODPC is genuinely independent from government.

Speaking to RTÉ News, Mr Murphy said he was aware of the impending case, but said it would be up to the courts to decide.

He added that the ODPC and its functions are completely independent of government.

He acknowledged that the ODPC is government funded, but said apart from that it is like many other agencies in the state that are independent of government.

Mr Murphy also defended the public sector's attitude to data protection, following criticism earlier today from Data Protection Commissioner, Helen Dixon.

The minister said improvements in compliance with data protection rules are needed across society including Government departments and the public sector generally.

But he said the new European General Data Protection Regulation will change and strengthen data protection rules.

He added he had recently brought local authorities and semi-state companies together to impress upon them the strong obligations they have in this area.

He said public bodies are engaging, although that doesn't mean there is not more work to be done in the area.

On the controversy around the Garda Síochána Ombudsman Commission's accessing of journalists phone records, Mr Murphy said the Minister for Justice was right to commission an investigation into it, as it is absolutely essential that citizens have confidence in any state agency that processes or handles their data.

Commissioner critical of compliance levels 

Earlier, Ms Dixon criticised the level of compliance with data protection laws in the public sector.

Ms Dixon released a statement setting out priorities for data protection rights and protocol in 2016 to mark the tenth annual Data Protection Day.

In particular, she has called for improvements to the legislative process to ensure greater deliberation and scrutiny of issues that interfere with the fundamental right to data protection.

The commissioner acknowledged data protection is not an absolute right and in certain circumstances, must yield to other competing rights.

However, she also stated that if a public body is going to interfere with data protection rights, it must generally be provided for by law, be proportionate, necessary and made in the general interest or need to protect others rights.

Ms Dixon concludes that consideration must be given to all of these matters when drafting legislation. Her pointed comments come as her office prepares to begin an audit of contentious powers used by several public bodies, including An Garda Síochána and GSOC, to access telephone records and other electronic messages.

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website : www.lawlorpartners.ie

Employers can read office hours messages sent by workers

Irish Times Wed, Jan 13, 2016

Employers can read office hours messages sent by workers - court Company within its rights to read messages sent by employee during work, ECHR says

A European court ruling that an employer was within its rights to read the private emails of a worker is not expected to have implications for Irish workplace practices.

In a case before the European Court of Human Rights (ECHR) in Strasbourg, judges ruled that a company which had read an employee’s messages sent through Yahoo Messenger while he was at work was within its rights to do so.

The ruling said the man, an engineer in Romania, had breached company policy and his employer had a right to check if he was completing his work.

Bogdan Mihai Barbulescu (35) was employed by a private company as an engineer in charge of sales. At his employer’s request, he created a Yahoo Messenger account for the purpose of responding to clients’ enquiries.

The company informed him in July 2007 that records showed he had used the internet for personal purposes, contrary to its rules. He insisted in writing that he had only used the messaging app for work purposes, but was then presented with a 45-page transcript of his communications with his brother and his fiancée. 

The ECHR said the employer had acted within its disciplinary powers.

• Privacy can no longer be a low-level, box-checking exercise
• EU data protection reform may promise more than it deliver
• Data protection reform increases Ireland’s role

The ruling affects all EU countries that have ratified the European Convention on Human Rights, which includes Ireland.

In passing down the ruling, the judges stated that unregulated spying on employees would not be acceptable, and called on a set of polices to be drawn up by employers that would clearly state what information they could collect and how.

Many employers in Ireland already have workplace policies on internet use and write them into contracts.

Dr TJ McIntyre, chairman of the privacy rights body Digital Rights Ireland, said the ECHR decision in the Romanian case was likely to be “quite narrow”.

“It’s about communication on the employer’s own devices and in circumstances where private use was prohibited and where the individual said it was only professional use.

“It doesn’t necessarily change the position that unless you’ve been very explicitly warned that your communications can be monitored that it would still be illegal to do so.”

Mr McIntyre said there was often a “blurring of the lines” between the personal and the professional, such as where people sometimes used their own devices for professional communications.

“It’s potentially dangerous in that sense. Any situation where the employer has the capacity to read your messages is one where you should be worried.”

The Data Protection Commissioner has taken the view that people can be expected to have “a certain degree of privacy in their communications on employers’ equipment, unless it’s explicitly ruled out”.

The DPC’s guidance says the limitation of the employee’s right to privacy should be “proportionate to the likely damage to the employer’s legitimate interests”.

 “In the absence of a clear policy, employees may be assumed to have a reasonable expectation of privacy in the workplace,” the office says.

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website : www.lawlorpartners.ie

Data protection reform increases Ireland’s role

Irish Time Wed, Dec 16, 2015 - Pamela Newenham

As the majority of the world’s largest tech companies have their European headquarters in Ireland, the Irish Data Protection Commissioner will effectively have to regulate data issues for those companies’ operations throughout the EU

Sweeping reform of data protection law, approved by European Union officials last night, aims to subject companies to just one regulator.

The so-called one-stop- shop system means companies won’t have to deal with a different regulator in each country where they operate. They will only have to deal with the regulator in the country where their European headquarters is located.

The problem was highlighted in the Belgian Privacy Commission’s court case against Facebook. The social network argued it only had to answer to the regulator in Ireland where its European headquarters is based.

Headquarters 

As the majority of the world’s largest tech companies have their European headquarters in Ireland, the Irish Data Protection Commissioner will effectively have to regulate data issues for those companies’ operations throughout the EU.

Irish MEP Seán Kelly said Ireland is prepared for the changes, with a near doubling of the Data Protection Commissioner’s budget, and an increase in staff at the office from 29 to 50.

The new law, if passed, will also require companies to report privacy breaches to authorities or face heavy penalties.

Companies will have to alert national authorities of a data breach within 72 hours.

A problem with current data protection laws is that regulators can only levy fines which are small in comparison to the revenues of the companies involved.

The threat of sanctions of 4 per cent of global revenues – the figure was negotiated last night – will ensure businesses are more mindful of data protection, according to lawyers.

“It will be a deterrent which is the most important thing. If it wasn’t a deterrent, companies would just break the law, pay the fine and get on with it,” Mr Kelly said.

Data controllers 

John Higgins, director general of Digital Europe, the organisation which represents the digital technology industry in Europe, said questions still linger on topics such as the allocation of roles and responsibilities between data controllers and data processors.

“During a period of economic recovery, European citizens and businesses cannot afford regulation which unnecessarily stifles job creation, competitiveness and data-driven investment,” he added.

He said adherence to the self-imposed end of 2015 deadline for reaching an agreement must not come at any cost.

 “While we understand the pressure facing negotiators to reach an agreement during yesterday’s trilogue discussions, it must not come at any price.

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website : www.lawlorpartners.ie

Increase seen in law suits for failing to protect personal data

Thu, Mar 26, 2015

Increase seen in law suits for failing to protect personal data

Data Protection Commissioner Helen Dixon said there had been an increase in the number of civil cases taken against organisations for failing to protect personal data.

Conference hears case against government department settled before court hearing

 There has been in increase in the number of civil law actions taken against organisations and even government departments for failing to protect people’s personal information, a conference has heard.

Such an action against one government department for allegedly breaching a person’s data protection rights settled ahead of a listed court hearing this week.

The action, understood to have been against the Department of Social Protection, is one of an increasing number of such cases being taken against companies or public bodies that allegedly fail in their duty of care to protect people’s personal information.

The issue was raised at a Public Affairs Ireland (PAI) data protection conference in Dublin on Wednesday.

Several such cases under the Data Protection Acts have been listed for hearing in the past year or so, but they have generally been settled on the steps of the court.

They included the case of a woman who sued a pharmacist for allowing her husband view CCTV footage which showed her buying a pregnancy test. Another such case involved a GP who handed over excessive personal information about a patient to an insurance company.

The actions are taken under section 7 of the Data Protection Acts, which provide that a data controller owes a duty of care to individuals in respect of the personal information it collects or processes.

Data Protection Commissioner Helen Dixon told the PAI conference there had really been “no activity” in relation to such civil lawsuits until “very recently” but that there were now “quite a number of cases” where people were taking actions under section 7 of the Acts.

The commissioner cannot impose direct fines on organisations that fail to respect data protection rights. This will change under proposals in a new European data protection regulation currently being negotiated.

Ms Dixon also noted a recent case involving a GP who had handed over excessive personal data about a patient to an insurance company. Her office had been called as a witness. The case was settled after a day in court.

“In that particular case, the witness from the [Data Protection Commissioner] said that it really had huge impact on them to hear the data subject in that case set out for the court the damage that was suffered as a result of that unfair disclosure of their data – the excessive data disclosure – to the insurance company.”

The person had gone on to suffer enormous health problems as a result of the data breach.

Ms Dixon said she was aware of another case listed that had directly involved a government department, but it had been settled out of court.

While she did not identify the government department concerned, the commissioner said she imagined the person in question had been paid damages.

Rob Corbet, a partner and Head of Technology and Innovation at Arthur Cox, also confirmed in his speech to the event that there had been an increase in the number of people suing for breaches of their data protection rights.

The commissioner reminded those in the public sector of their responsibilities in relation to handling personal data, noting her office had successfully prosecuted private investigators last year for offences involving the ‘blagging’ of people’s personal details from a government department.

Ms Dixon said that over 100 data breaches involving public sector bodies were reported to her office every year.

“Fortunately, in most instances in recent years these have concerned breaches that are really non-systemic and haven’t affected a great volume of data subjects.”

Minister for Data Protection Dara Murphy, who also addressed the event, spoke about the Government’s key priorities for the year.

He said he had established an inter-departmental committee on data issues, bringing together the key individuals dealing with data protection in each government department.

Mr Murphy said the committee would assist in the delivery of “more effective public policy through the improved use of data”.

He said exciting advances in technology created huge potential for society and for the economy.

Departments and State agencies needed to show leadership and commitment to data protection rules as they evolved over the next year, during which a conclusion to negotiations on the new European General Data Protection Regulation is expected, he said.

The minister said the committee’s engagement would be formalised in the coming weeks with the establishment of a “data issues forum”, with input from business, civil society and other key stakeholders.

Dr Eoin O’Dell, Associate Professor of Law at Trinity College Dublin, addressed the conference on the challenges posed for privacy by new technologies and the Internet of Things.

He said that increasingly, the kind of personal and public data becoming available, as well as the sharing of public sector information and datasets online, would have an impact on decision-making processes.

“All of this is heading towards a nice, bright Utopian future. But, I think that this rhetoric needs to be accompanied by an attention to privacy, both on our own part in the creation of the data, and in our professional lives in the use of the data.”

Fintan Lawlor is a dedicated data protection consultant and solicitor at Lawlor Partners. For more information see our website : www.lawlorpartners.ie