Timeline of Garda Taping Scandal

Irish Independent 27^th March 2014

June 2013: Garda Ombudsman report on arrest and beating of Anthony Holness in Waterford refers to recording of phone conversations in garda station. The report goes unnoticed.

October: Garda management becomes aware of the extent of the phone recordings due to another case.

November 11: Garda Commissioner consults with Attorney General's (AG) office on recording of phone calls.

November 25: Ian Bailey, the self-confessed suspect in the Sophie Toscan du Plantier murder, and his partner Jules Thomas, are separately suing the State for wrongful arrest in the investigation.

Their legal teams are told "unexpected electronic material" has been found in a trawl of garda case files. The High Court gives the gardai until this week to unscramble the data – believed to be recorded phone calls.

November 27: Garda Commissioner orders a halt to routine recording of non-999 calls at Garda stations.

February 28, 2014: Department of Justice informed by Chief State Solicitor's Office and gardai about the recording of phone calls.

March 10: Garda Commissioner writes to the Department of Justice revealing gardai were involved in widespread recording of phone calls in and out of stations.

March 11: Commissioner Callinan meets with officials in the Department of Justice and the AG's office on the issue of the taped phone calls related to a civil case.

March 15: Mr Shatter flies to Mexico for St Patrick's Day visits.

March 19 and 20: Garda HQ sends copies of letters between it and the AG's office and the Data Protection Commissioner on the controversial taping of phone calls to the Department of Justice.

March 21: Mr Shatter returns from Mexico.

March 23: Taoiseach Enda Kenny meets AG Maire Whelan, who briefs him on taping scandal.

March 24: Mr Shatter learns of the issue and meets Taoiseach and AG.

On Taoiseach's instructions, Dept of Justice Secretary General Brian Purcell meets Commissioner Callinan to inform him of Government's views.

March 25: Cabinet meeting due to be dominated by Transport Minister Leo Varadkar's demand for Commissioner Callinan to withdraw comments about whistleblowers.

Mr Callinan informs Department of Justice of his retirement at 9am. Cabinet meets at 10.30pm and Mr Shatter receives the letter sent to him on March 10 at 12.40pm.

Government decides to launch Commission of Investigation into garda taping

Recording phone calls could have implications for data protection

Irish Times, Wednesday 26^th March 2014  

Taping and recording of phone calls in Garda stations could have serious implications for data protection and for the legal privilege of discussions between people detained at Garda stations and their solicitors, legal experts have said.

It could also potentially result in the overturning of some convictions in specific circumstances.

Under Irish law, it is not illegal for a person to record a phone call if they are a party to that call, but it is an offence if a third party records a call without authorisation under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.

Legislation also requires that when personal data of individuals is collected a record must be kept of it, and it must be registered under data protection legislation.

The Data Protection Acts state that a person’s information should only be collected for specific purposes and callers should be informed they are being recorded.

One leading barrister working in criminal law who did not want to be named said there could be serious implications if calls between people detained at Garda stations and their lawyers were recorded.

Privilege
Such discussions attract absolute legal privilege and could never be used as evidence in a court of law, he said, but there was a risk that information collected could be used against a person detained.

“It is impossible to come up with any conceivable justification for the gardaí or an adverse party to record that secretly,” he said.

He said it could be a leap to assume that because calls were recorded, they were listened to, but if they were it could come close to “perverting the course of justice”.

If information gleaned from recording a phone call was used in evidence it could lead to the exclusion of some evidence at trial or to an argument of abuse of process.

The recording of calls could also have implications for cases involving disclosure.

Gardaí and the Director of Public Prosecutions have an obligation to provide disclosure of any material that is of any relevance and the courts have interpreted this broadly, he said.

So if a person called a Garda station to speak to a garda about a case, that communication if recorded would be subject to the normal disclosure.

He said yesterday’s revelations could lead to a flood of applications for disclosure of any calls being made.

“There must be cases out there now where that is a live issue; there is a flurry to prove the fact of the phone call, and then evidence of its content from people’s recollections,” he said.

In past cases, disclosure has been sought to see if there is a record of a telephone call to a Garda station and gardaí have produced records from a phone company.

‘Remarkable’
“It is remarkable now that they were producing the phone records if at the same time they also knew they had recordings,” the barrister said.

He also said he thought it was possible that if a person could show they had been convicted in specific circumstances where there was a live issue in respect of the content of a telephone call, a conviction could be overturned.

A second barrister working in the area of criminal law said the implications for data protection were very important. Gardaí appeared to be retaining personal data on individuals and legislation required that a proper record of such data be kept and that it is registered with the data protection commissioner.

“Presumably they haven’t done that,” he said.

If they had done it and a scheme had been put in place and authorised that would raise other issues.

He said any recording of calls to solicitors was very serious as they could be used as “intelligence gathering” exercises.

Separately, the Irish Council for Civil Liberties has said the Government should allow its new statutory Commission of Investigation examine “the full spectrum of Garda accountability issues” that have arisen in recent weeks.

Three companies fined over calls and emails to customers

Irish Times Tue, Feb 4, 2014

Three companies have been given court convictions for making unsolicited marketing phone calls and sending spam emails. Energy company Airtricity Ltd, clothing chain Next and Pure Telecom are the latest firms to be successfully prosecuted at Dublin District Court by the office of the Data Protection Commissioner. The case was taken after the watchdog received complaints from members of the public about being contacted for marketing purposes.

Judge William Hamill noted yesterday the companies had pleaded guilty at an early stage to charges under the Data Protection Act, and had contributed to the costs of bringing the case. But he refused to spare them recorded convictions. Pure Telecom was fined €500, Airtricity has to pay a €75 fine and Next was fined €100. Assistant Data Protection Commissioner Tony Delaney told Judge Hamill that one woman had used Next’s unsubscribe facility to stop getting spam from the clothing chain. However, that did not work and on February 25th and February 28th last year she received more marketing emails from the company. “One of them was a gift idea for mother’s day,” Mr Delaney said adding that they were, “typical marketing emails but clearly when she had opted out she should not have been getting them”.

Complaint

Judge Hamill noted the company had no prior convictions and that Next had used a third-party company to handle the unsubscribe process but has since stopped dealing with them.

In relation to Pure Telecom, Mr Delaney said his office received a complaint from a man with an ex-directory phone number who had received two promotional cold calls last March.

Judge Hamill was told Pure Telecom had been fined €1,250 in 2010 for a breach of data protection regulations. The company’s director Paul Connell said the calls came from a third-party agent which has since been dismissed, and he apologised to the complainant.

The court also heard a man with an ex-directory phone number had received a call on May 10th last offering a promotion on behalf of Airtricity which had then been using a third-party sales company to handle a promotion.

Judge Hamill heard this company had been using an old computer with an out-of-date call list from 2009.

The court heard Airtricity had no prior convictions but had been given a formal warning in 2010 in relation to other complaints.

77 per cent of company data breaches are caused by employees

The Journal.ie
21st January 2014

The survey found that almost a quarter of Irish companies have experienced multiple data breaches over the past twelve months.

MORE THAN HALF of Irish companies have experienced a data breach in the last twelve months, the majority of which are caused by staff members.

A new report from the Irish Computer Society (ICS), which surveyed IT administrators working in 256 Irish-based companies, found that 51 per cent of companies experienced a data breach in the past twelve months, while 22 per cent experienced multiple breaches.

The majority said that staff members were the main cause of data breaches with 77 per cent of incidents caused by “negligent employees.”

Other threats that concerned IT managers were unsecure end user devices, such as unencrypted laptops containing sensitive data, and external attackers trying to obtain data.

When asked about the correct adoption of data protection procedures, more than one in three said that policies are not implemented or are just partially implemented. Only 39 per cent said that its data protection policies were fully implemented.

The report also found that most employees were satisfied with the level of training they received in data protection with 57 per cent saying they received the right amount. 24 per cent of those surveyed said they received no training in this area, while 16 per cent said they received insufficient training.

The Chairman of the Association of Data Protection Officers, Fintan Swanton, believed it highlighted the need for organisations to take steps in managing their company’s data.

Employees might appreciate the importance of data security, but organisations need to instil a culture of compliant data management… It is as much a case of protecting the organisation’s commercial reputation, as it is of protecting the individual’s privacy.

The survey comes after new data protection legislation come into effect. The new legislation will require most organisations to have a Data Protection Officer.

Retailers seek tougher online security on data breaches

Irish Independent

Monday 13 January 2014

A top retail trade group executive on Sunday called for tougher security standards that could mean more spending for the industry, its banks and business partners after a series of data breaches at major merchants.

Stores and card processing companies have reported a steady stream of security breaches for years without a major backlash from consumers, such as those disclosed by TJX Cos in 2007 and by Heartland Payment Systems Inc in 2009.

But the latest thefts - including attacks on Target Corp and Neiman Marcus - have involved a broad set of merchants and could mark a watershed moment for security standards as calls grow for changes in the protection of consumer information.

One sign of the change is a new enthusiasm for payment cards that store customer information on computer chips and require users to type in personal identification numbers.

Mallory Duncan, general counsel of the National Retail Federation that represents Target, Wal-Mart and other big stores, said in an interview on Sunday that the trade group encouraged its members to upgrade to the higher-security cards even though they cost more than old systems that store data on magnetic stripes.

The breaches are "unfortunate but we're not entirely surprised," Duncan said at his organization's annual convention now being held in New York.

"The technology that exists in cards out there is 20th-century technology and we've got 21st-century hackers," he said.

Duncan said the trade group had only made its backing for the higher-security cards public since the Target breach. Banks have quietly begun to offer the cards but mainly for customers to use while traveling. Big U.S. card networks led by Visa Inc will not require the higher security until next year at the earliest.

It is not clear the new "Chip-and-PIN" cards would have prevented the breaches at Target and elsewhere. At the very least they make stolen data harder to re-use, a reason the technology has caught on widely in Europe and Asia.

They have met with much less enthusiasm in the United States, in part because losses to fraud - just 5 cents for every $100 spent via plastic - have been manageable for merchants and their banks. But rising fraud rates, and the risk of identity theft, could change the calculation.

Public concern about access to personal data on rise in Ireland

Irish Times 7th January 2014

 

Data Protection Commissioner Billy Hawkes: “One thing we certainly don’t have is a light touch. We have a very rigorous approach to oversight of organisations.”

While the revelations of whistleblower Edward Snowden about the surveillance activities of the United States National Security Agency (NSA) extended tentacles into the related area of data protection in 2013, regulators in the European Union spent most of the year wrestling with proposals to harmonise the law across 28 member states.

A new EU regulation, first tabled in a proposal by the European Commission in 2012, would place new responsibilities on the regulators and also on businesses throughout the union.

Negotiations have stalled and the regulation is now unlikely to scrape through before the European Parliament elections in May. But the proposals still on the table would, in theory, place an extra burden on Ireland’s Data Protection Commissioner, Billy Hawkes.

The so-called one-stop shop mechanism would likely see him become the lead regulator in Europe for major multinationals with head offices in Ireland, including such companies as Facebook, Google and Apple.

In comments at a privacy conference in Brussels last month, Mr Hawkes indicated he did not relish the prospect of taking on the responsibility for regulating such multinationals for all citizens of the EU.

One-stop shop
Saying he would not view the one-stop shop “with any great enthusiasm”, he suggested it would draw resources from dealing with complaints about the likes of telecommunications firms and others, which are a greater source of complaints to his office by Irish citizens.

“However, as a good European, which I try to be, I do accept the logic of the one-stop shop and I will accept the consequences and the burdens that go with it,” he said.

Speaking at his office in Portarlington before that conference, Mr Hawkes said he was already prioritising for attention those companies operating across the EU for which processing of personal data was core to their activities.

“Depending on, obviously, the number of the companies involved – and certainly if many more companies were to declare to be established in Ireland for data protection purposes – we would require more resources to be able to discharge our oversight responsibilities.”

He welcomed what he said was a clear commitment by Minister for Justice Alan Shatter to ensure he was adequately resourced for any new responsibilities – though again it remains to be seen what will emerge.

Privacy campaigners such as the Austrian-based Europe v Facebook group believe his office has not been sufficiently robust in its enforcement actions.

The group, led by Max Schrems, is seeking judicial review of Mr Hawkes’s decision not to pursue complaints made to his office about the gathering of personal data under the NSA’s Prism programme from US firms based here. Mr Hawkes is also in the process of making formal decisions on 22 earlier complaints by the group relating to the privacy policies of Facebook, which underwent a major audit by his office two years ago.

Light-touch regulation
Mr Hawkes cautiously describes the approach taken by the complainants as “forceful” and, not for the first time, rejects the suggestion of “light touch” regulation by his office.

“One thing we certainly don’t have is a light touch,” he said. “We have a very rigorous approach to oversight of organisations but we do try to use the resources that are given to us in an intelligent way. It does not necessarily involve always hiring more people on our staff. It can also involve using outside expertise to help us in particular areas.”

European Court ruling condemns mass surveillance

From Digital Rights Ireland

12th December 2013

The Advocate General of the European Court of Justice today gave an important opinion in our favour in a case brought by Digital Rights Ireland to challenge European mass surveillance law.

The challenge – which we started in 2006 – is to the Data Retention Directive. This is a law which requires ISPs and telecoms companies to record details of all your internet and telephone use – logging details of who you ring or text, where you travel and who you email – and to record that information for up to two years. We argue that this constitutes an unjustified invasion of the right to privacy and in an interim ruling the Advocate General has agreed, holding that the law is a “particularly serious” interference with individual privacy which creates a:

faithful and exhaustive map of a large portion of a person’s conduct strictly forming part of his private life, or even a complete and accurate picture of his private identity.

The Advocate General accepted our argument that storing this information on all citizens created an “increased risk” that it could be used for unlawful, fraudulent and malicious purposes against them – something we have already seen in Ireland where a Garda sergeant has abused the system to spy on a former lover and where it has been used to spy on journalists.

The Advocate General also held that this type of surveillance would have a “chilling effect” on freedom of expression, and went on to say that the Directive failed to provide even “minimum guarantees” regarding access to or use of the information collected on all citizens. According to the Advocate General the Directive therefore “is as a whole incompatible with Article 52(1) of the Charter of Fundamental Rights of the European Union”.

According to the Advocate General:

the collection and, above all, the retention, in huge databases, of the large quantities of data generated or processed in connection with most of the everyday electronic communications of citizens of the Union constitute a serious interference with the privacy of those individuals, even if they only establish the conditions allowing retrospective scrutiny of their personal and professional activities. The collection of such data establishes the conditions for surveillance which, although carried out only retrospectively when the data are used, none the less constitutes a permanent threat throughout the data retention period to the right of citizens of the Union to confidentiality in their private lives. The vague feeling of surveillance created raises very acutely the question of the data retention period…

the effects of that interference are multiplied by the importance acquired in modern societies by electronic means of communication, whether digital mobile networks or the Internet, and their massive and intensive use by a very significant proportion of European citizens in all areas of their private or professional activities. [emphasis added]

A final judgment on our case will be delivered next year. In approximately 80% of cases the European Court of Justice follows the opinion of the Advocate General. Even pending the full judgment, however, this is already a significant step forward in the very first case of this nature to be brought to the ECJ and confirms the importance of our case.