Tuesday, 24 June 2014

Private investigator prosecuted for alleged data breaches

Irish Times - 23rd June 2014

A private investigator is facing 72 criminal charges in relation to alleged breaches of data protection legislation, including illegally accessing and disclosing personal information on individuals held by An Garda Síochána and the ESB. Michael J Gaynor, trading as MJG Investigations, Beatty Grove, Celbridge, Co Kildare, was before Dublin District Court this morning facing a prosecution by the Data Protection Commissioner.

It is the first such criminal prosecution of its kind in the State. Mr Gaynor faces three charges of illegally accessing personal information held by An Garda Síochána and of disclosing it without authority, under the provisions of section 22 (1) of the Data Protection Acts 1988 and 2003. He faces a further nine charges of illegally accessing and disclosing personal information held by the ESB under the same section of the Acts.

Some 60 charges against him relate to illegally processing personal data without an entry in the register held by the Data Protection Commissioner for data processors. Counsel for Mr Gaynor, Justin McQuade BL, said he needed to assess the file on the matter and to discuss whether certain matters may or may not be admissible. He asked that the Data Protection Commissioner further distill the information in the summons and to outline what matters he would seek to rely on in the case.

Sophie More O’Ferrall of Philip Lee Solicitors, for the commissioner, said that while there may be “arguments to be had” over certain of the matters, it was the prosecution’s intention to rely on all of the matters that had been outlined in the file. Judge John O’Neill adjourned the matter for mention to July 21st next.

Thursday, 19 June 2014

Facebook privacy case sent to Europe

Irish Examiner June 19, 2014 

The European Court of Justice (ECJ) is to be asked to examine the law governing data protection following a student’s legal challenge over the rejection of his complaint about interference with personal privacy by the mass transfer of data by Facebook to the US intelligence services.

Max Schrems, an Austrian post-graduate law student behind a data privacy campaign group called ‘Europe v Facebook’, brought a High Court challenge claiming Ireland’s Data Protection Commissioner Billy Hawkes wrongly interpreted and applied the law governing the mass transfer of personal data of Facebook users to the US National Security Agency (NSA). Mr Hawkes found Mr Schrems’ complaint did not meet the threshold required to merit investigation. Mr Schrems had asked Mr Justice Gerard Hogan to quash that decision and refer it back to Mr Hawkes for re-consideration. He said the Commissioner’s decision was irrational and asked that a preliminary reference be made to the ECJ. Mr Hawkes, who found Facebook had acted within the terms of an EU-US data-sharing agreement in July 2000 called ‘Safe Harbour’, opposed the action. He found Facebook had no case to answer and was in compliance with relevant regulations.

The court heard Mr Hawkes rejected suggestions that he was not prepared to take on big companies, arguing that he was already investigating 22 other similar complaints from Mr Schrems, but this particular one did not warrant an investigation. Yesterday, Mr Justice Hogan said he was referring the matter to the ECJ for re-evaluation given that “much has happened” since the Safe Harbour agreement. This included the enhanced threat to national and international security, disclosures regarding mass and undifferentiated surveillance of personal data by US security forces, and the advent of social media.

The main development, from a legal perspective, was the introduction, after July 2000, of Article 8 of the Charter of Fundamental Rights of the EU governing personal data, he said. While Mr Schrems maintained Mr Hawkes had not adhered to the requirements of EU law by rejecting his (Schrems’) complaint, the opposite was the truth, the judge said. Mr Hawkes had demonstrated “scrupulous steadfastness” to the letter of a 1995 EU directive... which gave rise to the Safe Harbour agreement. Mr Schrems’ objection was, in reality, to the terms of the Safe Harbour regime itself rather than to the manner in which Mr Hawkes had actually applied that regime, he said.

There was perhaps much to be said for the argument that Safe Harbour had been overtaken by events, including the revelations by former NSA computer systems administrator Edward Snowden, which may be thought to have exposed “gaping holes” in contemporary US data protection practice, the judge said. The judge also noted the Snowden revelations demonstrated “a massive overreach” on the part of the security authorities “with an almost studied indifference to the privacy interests of ordinary citizens”. The judge said Mr Schrems contended the Snowden revelations about Prism showed there was no meaningful protection in US law or in practice regarding data transfer as far as surveillance was concerned and in particular there was no requirement by those services to obtain a court order for their activities.

In this specific complaint, Mr Schrems had not challenged the validity of either the Safe Harbour decision or of the original 1995 EU directive. In those circumstances, Mr Hawkes is bound by the 2000 Safe Harbour decision and until the issue of re-evaluating that decision is dealt with, Mr Schrems’ application for judicial review and the complaint to Mr Hawkes must fail, he said. Given the general novelty and practical importance of the issues raised, which have considerable practical implications for all 28 EU member states, it was appropriate this question should be determined by the ECJ. The case was adjourned until next month for papers of the referral to be prepared.

Wednesday, 11 June 2014

Journalist who ran Edward Snowden revelations warns of privacy risk

Irish Times Sat, Jun 7, 2014

Pulitzer Prize-winning journalist Glenn Greenwald has said Europeans should defend their online privacy themselves rather than wait for Ireland to adopt a more robust approach to regulating Facebook. A year after he began publishing material provided by Edward Snowden, exposing widespread US surveillance of global telecommunications, Greenwald said Irish politicians had little chance against large corporations such as Facebook, which he said were effectively operating outside democratic control. “These companies have become so incredibly powerful . . . that we have a situation where even elected governments are almost no match and that poses a very serious problem,” said Greenwald, speaking in Berlin, where he was promoting his book No Place to Hide. “It is inconceivable to think of the Irish Government, the EU or US government imposing meaningful constraints on companies like Facebook and Google.”

Instead the most effective way of limiting digital surveillance, he said, was for people to think twice about using services “with a track record of supplying information to US intelligence”. Another approach, he said, was for people to “build bricks” around their online activity by encrypting their digital communication. Encrypting email and boycotting Facebook was, he said, “a more promising way of limiting their behaviour than hoping that some politicians in a capital somewhere will issue a regulation that does that”. Greenwald’s call comes ahead of a High Court ruling due on June 18th on whether Ireland’s Data Protection Commissioner (DPC) was correct not to investigate Snowden’s claims that Facebook International, based in Dublin and thus under Irish jurisdiction, supplied the NSA with European user data. Greenwald said he met Snowden recently in Moscow and that he found the computer specialist essentially unchanged from the man he met for the first time a year ago in Hong Kong.

“The fact he is not in a penal cage is a pretty good thing. He is free to participate in the debate he helped galvanise around the world,” said Greenwald. He is free to move around in Moscow and is able to keep a low profile, the journalist said, because he looks “like an 18-year-old kid from Iowa ... on an exchange programme” rather than a world-famous whistleblower. After months of revelations about high-level US spying in Germany, a Bundestag parliamentary inquiry has agreed to hear testimony from the ex-NSA contractor and has asked to meet him in Moscow for an “informal conversation” before deciding how to proceed.

While opposition parties and civil rights groups are demanding asylum for Snowden to allow him to testify in Berlin, the German government and their deputies sitting on the inquiry are opposed to this. Greenwald has described their stance as “shameful”, arguing that German politicians had “not just a moral but a legal duty” to their voters to conduct a thorough investigation of the NSA claims by questioning Snowden in person.

The wrangling over testimony, Greenwald said, suggested German politicians remained “fearful of doing anything that might offend Washington”. For his part, Snowden told Stern magazine that Berlin’s hesitation might be because “German intelligence services are in bed with the Americans”. “Clearly facts continue to be kept secret which would cause outrage in public,” he said. This week Germany’s attorney general opened a formal investigation into claims that the NSA tapped Chancellor Angela Merkel’s mobile phone, but said there was, so far, insufficient evidence for an investigation into claims of widespread data collection.

In Berlin, Greenwald promised to increase the pace of revelations from the Snowden files, a move he hopes will help boost awareness of the need for privacy in the digital age. “Even though privacy is a difficult value to express and defend, the need for it is intuitive to all human beings,” he said. On the first anniversary of his revelations, Snowden’s German lawyer confirmed this week that his client would apply to renew his asylum in Russia for another year. The whistleblower, meanwhile, warned that unchecked collection and cross-referencing of digital data, from email messages to mobile phone mast signals, had made it easier than ever before to analyse, predict and influence human behaviour. “By linking data and analysing it,” he told Stern magazine, “I don’t just know when you went to bed, I also know with whom.”

Monday, 9 June 2014

Europe to force Google, Facebook to abide by EU privacy rules

Irish Times 6th June 2014

A deal to force Internet companies such as Google and Facebook to abide by EU rules is a first step in a wider reform package to tighten privacy laws

Companies based outside the European Union must meet Europe’s data protection rules, ministers agreed on Friday, although governments remain divided over how to enforce them on companies.

The agreement to force Internet companies such as Google and Facebook to abide by EU rules is a first step in a wider reform package to tighten privacy laws - an issue that gained prominence following revelations of US spying in Europe.

Vodafone’s disclosure on Friday of the extent of telephone call surveillance in European countries showed the practice was not limited to the United States. The world’s second-largest mobile phone company, Vodafone is headquartered in the United Kingdom.

“All companies operating on European soil have to apply the rules,” EU Justice Commissioner Viviane Reding told reporters at a meeting in Luxembourg where ministers agreed on a position that has also been backed by the Court of Justice of the European Union (ECJ).

Germany and the European Commission, the EU executive, have been highly critical of the way the United States accesses data since former US National Security Agency contractor Edward Snowden last year revealed US surveillance programmes.

Disclosures that the United States carried out large-scale electronic espionage in Germany, including bugging chancellor Angela Merkel’s mobile phone, provoked indignation in Europe.

“Now is the day for European ministers to give a positive answer to Edward Snowden’s wake-up call,” Ms Reding said.

Commenting on Vodafone’s disclosure, she said: “All these kind of things show how important it is to have data protection clearly established.”

The reform package, which was approved by the European Parliament in March, has divided EU governments and still needs work to become law despite Friday’s progress.

While ministers also agreed on provisions allowing companies to transfer data to countries outside the European Union, there was no decision on how to help companies avoid having to deal separately with the EU’s 28 different data protection authorities.

That issue was thrown into stark relief by a ruling from Europe’s top court requiring Google to remove links to a 16-year-old newspaper article about a Spanish man’s bankruptcy.

The search engine has since received tens of thousands of requests across Europe, and under current rules has to deal with each national authority.

A ‘one-stop-shop’ arrangement would allow companies to deal exclusively with the data protection authority in the country where it has its main establishment. But governments are concerned about a foreign data protection authority making binding decisions that they would then have to enforce.

For example, if a complaint originated in Denmark against a company based in Ireland, the Danish authorities would have to implement a decision by the Irish data protection body, something that is both legally and politically difficult.

Tuesday, 20 May 2014

Europe struck wrong balance on ‘right to be forgotten’ ruling, says Google boss

The Journal, 15th May 2014

After the EU Court of Justice’s (ECJ) ruling earlier this week, Google’s Executive Chairman Eric Schmidt has said the European court struck the wrong balance when it made its decision on personal privacy.

Responding to a question asked at the company’s annual shareholder meeting, Schmidt said the case reflects a “collision between a right to be forgotten and a right to know,” and that the company believed “the balance that was struck [by the ECJ] was wrong.”

He said that since Google isn’t a media company, it is not protected under European data protection law, and that this could have serious implications for the company.

Google’s Chief Legal Officer, David Drummond, told investors that it was still analysing the decision and the impact it could have for the search engine, but described it as “disappointing,” and said it “went too far.”

The ruling by the ECJ will force Google to remove links to content about a person, under certain conditions, if they submit an application to have it removed. The company would then have to weigh up whether that information is in the public interest and whether it should stay.

Google currently dominates the search engine space in Europe, claiming more than 90 per cent of search and vastly outperforming rivals like Bing and Yahoo.

Thursday, 15 May 2014

European Court Ruling Bolsters Right To Be Forgotten

ECJ ruling calls search engines data ‘controllers’ and provides data subjects with a means to prompt search engines to delete links even if the provider has published them lawfully

May 13, 2014

By Jedidiah Bracy, CIPP/US, CIPP/E

In what many are calling an historic decision, the European Union’s highest court has ruled that Google must provide users, in certain instances, with a right to delete links about themselves, including in some cases, public records.

The European Court of Justice (ECJ) said the automatic indexing of information that contains personal data “must be classified as ‘processing of personal data’” and that “the operator of the search engine must be regarded as the ‘controller’ in respect to that processing…” Additionally, “the operator of a search engine is obliged to remove from the list of results displayed following a search made on the basis of a person’s name links to web pages, published by third parties and containing information relating to that person,” even “when its publication in itself on those pages is lawful.”

An individual’s fundamental rights, the court also ruled, override “the economic interest of the operator of the search engine but also the interest of the general public” in having that information. The exception would be the role played by the subject in public life and if the general public’s right to access the information is justified.

On leave from her role as European justice commissioner, Viviane Reding said, “Companies can no longer hide behind their servers being based in California or anywhere else in the world” and that “the data belongs to the individual, not the company.”

In comments provided to The Privacy Advisor, German Green Member of Parliament and architect of the proposed data protection regulation Jan Philipp Albrecht said the ruling “is the right decision” and that it “clarifies that European data protection law is applicable as soon as a data controller is operating on the European market.” He also stressed the importance of adopting “a uniform and consistent data protection regulation in order to strengthen the enforcement of such rights in all areas of the law and throughout the EU” and that governments “must finally deliver on this issue at the next Justice and Home Affairs Council in June.”

For some, however, the fact that existing legislation provides for the right to be forgotten puts in question the need for a new regulation at all. Richard Cumbley of Linklaters told The New York Times, “Given that the EU has spent two years debating this right as part of the reform of EU privacy legislation, it is ironic that the ECJ has found it already exists in such a striking manner.”

But Wilson Sonsini’s Christopher Kuner said this ruling could actually provide further impetus to pass the proposed General Data Protection Regulation, as it more clearly spells out the Right-to-be-Forgotten concept and is more uniform in its application. Right now there are 28 different countries with 28 different privacy regimes. “If I were a company,” he said, “I’d say bring on the regulation because at least there’s a specific article on this, but today’s ruling is based on multiple articles” from the Directive.

Calling the decision “a real game-changer,” privacy expert Eduardo Ustaran, CIPP/E, told The Privacy Advisor, “As a result, search engines operating in Europe will now have to deploy measures to deal with the obligations and rights attached to the personal information revealed in searches.”

Operationally, this will “put search engines in the extremely onerous position of having to take a view on how to comply with potentially millions of individual requests.” In a 2012 article for The Privacy Advisor, a number of experts detailed some of the technical problems companies may face in implementing such controls.

The case goes back to a 2009 incident involving a Spanish citizen who objected to having a Google search of his name include a 1998 Spanish newspaper article that reported on his financial debts and the forced sale of his property. The plaintiff said he had resolved the financial issue and demanded that the local newspaper delete the links to the story. When it refused, the plaintiff asked Google to do the same. The case made its way to the Spanish data protection authority, which ordered Google to remove the links. Google challenged the DPA’s ruling and the case was finally referred to the ECJ.

The most recent ruling contrasts with a preliminary ruling in June 2013 by the ECJ’s Advocate General Niilo Jääskinen, who decided Google did not need to delete the links because it was not the “controller” of data and that information should only be deleted when the personal information is either incomplete or inaccurate.

In the past, Google has argued that the right to be forgotten amounts to censorship. A Google spokesman told Wired, “This is a disappointing ruling for search engines and online publishers in general. We are very surprised that it differs so dramatically from the advocate general’s opinion and the warning and consequences that he spelled out. We now need to take time to analyse the implications.”

The ECJ ruling has some up in arms about potential freedom of expression and censorship concerns. Ustaran said, “Whilst the court does not go so far as letting people share their online persona without taking freedom of expression into account, it allows some form of tailor-made censorship.”

George Mason University’s Adam Thierer went further, arguing, “Right-to-be-forgotten efforts are well-intentioned and seductive, but ultimately, they will require onerous censorial controls that place serious pressure on free speech, journalistic pursuits and net freedom more generally.”

As legal experts begin parsing out the legal ramifications of the ruling—Patrick van Eecke takes an initial swing in this post for The Privacy Tracker—ultimately, commenters agree, the ripples will be felt for some time.

Technologically speaking, Prof. Joel Reidenberg points out that algorithms are at play here as well.

Kuner said there remain a lot of unanswered questions and that this ruling “opens the door to many unintended consequences.”

Beyond Google, what other companies will this apply to? If your website has a Google search bar in it, does that make you a co-controller? He also said the ripple effect will not only place an administrative burden on search engine companies, but on the courts and data protection authorities as well. Will they have the resources to deal with a flood of complaints?

“In summary,” Ustaran concluded, “this decision could have very serious implications for the way in which we all access information on the Internet.”

Tuesday, 13 May 2014

Woman’s medical records disclosed to an insurance company

Irish Times, 12th May 2014

The disclosure by a GP of a woman’s medical records to an insurance company and the sending of an email containing a patient file by another GP to an incorrect address were among the case studies highlighted in the 2013 annual report.

Notification was also received by the Data Protection Commissioner’s office from a medical practitioner that their computer system had been compromised by ‘ransomware’ and that they were unable to access their patient files.

They had received a demand for €5,000 in return for the reinstatement of the data but they had informed gardaí and had not paid the ransom. Five months’ worth of patient files were lost as the practitioner also discovered the back-up files had been infected with the rogue software.

Case studies highlighted also included a complaint against Carphone Warehouse, after a trainee employee gave out a customer’s home address in an “isolated” area to two individuals who claimed to have found her mobile phone after it was stolen, wanted to return it to her and were seeking a reward for finding it.

The report said the disclosure of the woman’s address to strangers resulted in “considerable distress”. Regardless of the fact that the employee concerned was a trainee, this disclosure should not have happened.

Electric Ireland was the subject of a complaint over its ‘Feet on the Street’ marketing campaign after a sales agent called to a former customer’s home and was in possession of their personal details.

The Data Protection Commissioner told Electric Ireland its processing of the information was unlawful.

Mr Hawkes said companies needed to “tread carefully” in the space of win-back marketing campaigns as “without the prior marketing consent of the former customers concerned, there is no legal basis to process marketing lists using such retained personal data”.

It was also “disappointing” that the telecommunications sector remained a cause of complaint given the number of prosecutions taken against that sector in recent years for marketing offences.

Prosecutions were taken during the year against Eircom, Meteor, Telefonica (O2) and Vodafone for such offences.

The office dealt with 1,507 valid data breach notifications, including the largest such breach it had ever dealt with – the breach by the Ennis-based company Loyaltybuild, which processed holiday loyalty schemes on behalf of companies all over Europe, including Supervalu and Axa in Ireland.

Some 61 per cent of data breaches were the result of postal mailing breaches. The annual report said that while a number of these were the result of mail merge issues at the printing stage, “an unacceptably high” percentage were the result of human error.

Complaints about unsolicited direct marketing text messages, emails, phone calls and fax messages were 22.4 per cent of the total.

Bad customer service was increasingly the driving force behind people making requests under the Data Protection Acts to get access to their personal data, the commissioner’s office said.

The 517 complaints concerning access requests accounted for some 56.8 per cent of the total of 910 complaints opened by the Data Protection Commissioner’s office in 2013. This was the highest number ever received by the office in this category.

Mr Hawkes said this pointed to the extent of the difficulties being experienced by individuals in their efforts to exercise their rights and the barriers that some data controllers place in their way.

“Data protection has to be a corporate concern, a boardroom concern, with the clear direction coming from the top of every organisation whether that’s in the public or private sector.”

Audits were carried out on 40 organisations last year, including LinkedIn Ireland, Siptu, AA Ireland, the Health and Safety Authority, Irish Life, An Post, IBRC, Carlow Institute of Technology, Advanced Laser Light and several credit unions.