Monday, 15 August 2016

Cyclists may breach data laws with on-board cameras

Irish Examiner 02-08-2016
If a cyclist or homeowner uses footage from these cameras, beyond a personal capacity, then they may be in breach of data-protection law.
“If an individual is using CCTV or a body-worn camera and processing personal data beyond what is a ‘personal or household activity’ then they may assume the role of a data controller and as such they would be required to comply with data protection legislation,” a spokesperson from the DPC’s office said.
The issue came up in the commissioner’s annual report for 2015, published in June, which listed it as one of three major data protection matters that arose.
The spokesperson from the commissioner’s office stated, however, that where an individual processes data from such cameras for their own personal affairs or keeps it for recreational purposes, this is exempt from the data protection law.
However, even if the activity is exempt, a person such as a neighbour might object to it and take a civil action.
“Though outside the remit of this office, it may be the case that even where this exemption does apply, an individual who objects to the recording, for example a neighbour who objects to images of his or her property being recorded, may be able to take a civil action based on the constitutional and common law right to privacy,” said the spokesperson.
The commissioner’s report also made an audit finding on the excessive use of body-worn cameras.

“Our general guidance in this area is that we would consider that body-worn cameras should only be activated in extreme cases in response to specific pre-defined criteria, where it could be justified for security and safety purposes,” reads the report.

Friday, 5 August 2016

Tinder violates data protection rules: EU lawmaker

The Indian Times, 4th August 2016

An EU lawmaker says dating app Tinder breaches the bloc's data protection rules because it uses personal data without explicit consent and should be investigated by the European Commission.

The dating app, owned by website operator Match Group Inc, imposes unlawful conditions on users, pushing them to consent to unclear clauses that allow the company to use their data even after they close their accounts, socialist lawmaker Marc Tarabella said in a statement.

"Once you subscribe, the company can do whatever it wants with your data. It can show them, distribute them to whomever or even modify them. The lack of transparency cannot be the rule," Tarabella said.

The Belgian politician, who in 2014 was among the leading European parliament members calling for a break-up of Google's search engine from its commercial services, also accused dating app Happn and jogging app Runkeeper of violating EU data protection rules.

Tinder representatives were not immediately available for comment.

A Commission spokeswoman said it was up to national authorities to enforce EU rules on data and consumer protection. However, the Commission has conducted such investigations in the past.

"The problem is always the lack of transparency and the notion of consent," Tarabella said, adding that companies often sell users' data to third parties without consumers being aware or having explicitly consented to it.

EU rules protect consumers who no longer want their data to be used. Companies are also required to provide "easy-to-understand information" and to obtain an explicit consent from users to process personal data.


Thursday, 14 July 2016

Privacy Shield: The new EU rules on transatlantic data sharing will not protect you

Irish Times, 12 July 2016

The European Union’s data protection laws are intended to ensure that we can entrust personal data to our devices and online services without fear of privacy violations. To make sure that this European standard is not undermined, it is essential to clarify under which circumstances personal data can be transferred to other countries – ones that may not have the same privacy protection laws.
The European Commission will today adopt the so-called Privacy Shield, which will allow companies to transfer personal data from the EU to the United States. It follows the European Court of Justice ruling that the previous system for the transfer of data to the US, called Safe Harbour, violated fundamental rights to privacy.
Does Privacy Shield protect the privacy of European users when their data is sent to the United States? Various indicators suggest it does not.
With regard to the private sector, it is painfully obvious that the rules give nowhere near the level of protection and principles afforded by the EU. For example, if you share your personal information with your doctor, you reasonably expect that he will only use this information for the purpose of curing you – not to gossip behind your back. This expectation is enshrined in EU law as “purpose limitation”.
Privacy Shield allows the sharing of your data for very broad and generic purposes, such as “for all services we may provide to you and others”. This undermines a very crucial protection. Many other data protection rules, such as the deletion of data or the sharing of data, are interlinked with this principle.
Privacy Shield is meant to be based on “notice and choice”, which sounds promising. However, Privacy Shield does not give users much “choice”. It actually gives companies a general blanket approval to use the personal data of any person under the sun. Only in two specific cases can users object.
They would first have to know which US company was using their data, and then contact the company and actively “opt out”. This gives US companies a significant competitive advantage over European firms. Under the European “opt-in” system, companies typically have to ask customers for consent.
In addition, the rules for legal redress are rather complex. If European customers believe their rights have been violated, they have to first contact private US arbitration bodies and their national authorities, who in turn contact the US authorities, in order to be finally able to address concerns with a “privacy shield board”.

No guarantees

None of this guarantees that the person responsible for oversight will be empowered to actually review the practices of any company and, for example, review servers and software. None of the options available are directly enforceable by a customer. In sum, even if a company violates the fundamental rights of a customer, it is very unlikely there will be any real consequences.
The rules concerning personal data in the public sector are equally worrisome. In its Safe Harbour ruling, the European Court of Justice strongly criticised mass-surveillance laws in the US, which have not changed in the meantime. While US citizens enjoy certain protection against surveillance measures, “non-US persons” are specifically exempted.
Not only does the final Privacy Shield use the exact same wording on mass surveillance laws as Safe Harbor, but the US now even admits that it will continue to collect personal data stemming from Europe in bulk.
Blanket mass surveillance without any reasonable suspicion is contrary to the principles of European human rights. European courts have consequently ruled clearly against blanket access to personal data for not being in line with the fundamental rights to privacy and data protection.
Legal redress against measures in the public sector is little more than a farce. An EU citizen may address an ombudsperson in the US, which is not a court or independent body, but an undersecretary of the US government.

Confirm nor deny

While the new ombudsperson can raise issues within the US government, the reply to the individual concerned will always contain the same two sentences: first, the US will not confirm or deny any surveillance; and, second, all US laws were adhered to, or any non-compliance was remedied.
This ombudsperson is not what the European Court of Justice meant when it asked for individual redress.
Privacy Shield needs to fulfil the criteria laid down in European Union law and by its courts, which have clearly stated that blanket data collection is not compatible with the fundamental right to data protection.
This is also a problem for European businesses that are obliged to meet EU data protection standards but which will, under Privacy Shield, face competition from US companies who face no such obligation. Nor does this new deal provide legal certainty for the industry that is so desperately needed.
The European Commission should hold off on activating Privacy Shield until more work is done on the US side. Given the countless insufficiencies, it is otherwise highly likely that the new Privacy Shield will share the history of the previous Safe Harbor and be invalidated by the European Court of Justice.


Thursday, 7 July 2016

Proposed legislation allowing snooping may not be in line with EU rulings

The Minister for Justice, Frances Fitzgerald, has obtained cabinet approval in relation to legislation that will allow Gardai to intercept emails and social media messages, which will include Facebook, Twitter, WhatsApp and other social networks. The move comes after Gardai investigating organised crime raised concerns that criminals were communicating online, outside the remit of surveillance laws.

There is concern that the proposed legislation will not be in line with a ruling of the European Court of Justice which effectively threw out a proposal for similar legislation. We cannot foresee the implications such legislation will have on privacy rights or data protection issues. Furthermore, such legislation may not be in line with EU rulings.


Monday, 4 July 2016

Private Investigator prosecuted by Data Protection Commissioner

Private Investigator James Cowley pleaded guilty to 13 charges under Section 22 of the Data Protection Act for unlawfully obtaining access to personal data and disclosing it to third parties without authorisation of the Department of Social Protection. He had been hired by Permanent TSB, Zurich, Alliance and the State Claims Agency to carry out surveillance on claimants. The prosecution has been welcomed by the Office of the Data Protection Commissioner. It was the third successful prosecution by the ODPC in the last two years in relation to offences committed by private investigators.
The Data Protection Commissioner, Helen Dixon, said the following in relation to the prosecution: “This outcome is a strong signal to private investigators that they must fully comply with data protection legislation. As this case highlights, where private investigators fail to comply with the law they will be rigorously pursued and prosecuted for offending behaviour. It is also a timely reminder to all companies and businesses which hire private investigators of their responsibilities under the Data Protection Acts to ensure that all work carried out on their behalf by private investigators is done lawfully. I would urge public bodies and private sector organisations who appoint private investigators to review their terms of engagement, in order to satisfy themselves that any means of collection of personal data used by the investigators they hire are in line with the law.”

Fintan Lawlor, Lawlor Partners Solicitors, was the first solicitor in Ireland to secure compensation for a data subject whose rights had been breached under the Data Protection Acts 1988 and 2003. The plaintiff in the case of Collins v FBD had been pursued by a private investigator.

Thursday, 12 May 2016

A New Parliamentary Investigation Unit Established

Lawlor Partners Solicitors welcome the commitment given by the government today in ‘a programme for partnership government’ that a new parliamentary investigation unit will be established to assist and improve the ability of the Oireachtas committees to conduct investigative work and inquiries.

Lawlor Partners has extensive experience in advising and representing clients at all stages of the inquiry process.

Please contact Fintan Lawlor for any further inquiries, telephone (01) 8725 255 or email: fintan@laworpartners.ie. For more information see our website: www.lawlorpartners.ie

Wednesday, 20 April 2016

CCTV images of illegal dumpers raise privacy concerns

Tue, Apr 12, 2016, 01:00 Updated: Tue, Apr 12, 2016, 08:41

The Data Protection Commissioner has contacted Dublin City Council over its use of images of people captured on CCTV illegally dumping household waste.
The council last week erected a poster in a litter blackspot in the north inner city, showing 12 people caught on CCTV dumping rubbish on the street.
The faces are slightly blurred, due to the quality of the CCTV footage, but they would be able to identify themselves, as most likely would their neighbours, the council said.
The poster has been bolted to a wall behind a Perspex shield at Frankfort Cottages, near the Five Lamps, one of the city’s worst areas for illegal dumping. CCTV cameras were installed a number of weeks ago and they had some effect in reducing dumping.
However, within a day of the poster going up last week, the street was clear.
“It was remarkable. For the last 10 years we’ve had signage there warning people not to illegally dump, but every day we would have to clear up bags, and sofas and other furniture, and even builders’ rubble, but this poster has made such a difference,” said John McPartlan, public domain officer with the council.

Rights to privacy

However, yesterday morning the commissioner’s office contacted the council.
“Officials from this office have contacted the DCC in relation to the publication of CCTV stills.
“It should be pointed out that the processing of personal data must be done fairly, demonstrate proportionality and not be overly prejudicial to the fundamental right of the individual to data privacy.”
Mr McPartlan said he would be responding to the commissioner this week.
“We have to make a case that our use of the images is a proportionate response to the issue, and our view is that it is, because illegal dumping leaves the city in a terrible mess.”
He added the council had published no names and no personal information.
The poster shows people dumping refuse sacks and smaller supermarket bags, as well as a woman dumping a suitcase and two young men dumping a sofa.

Litter blackspot

The council has been making concerted efforts to clean up the north inner city, but the area has languished near the bottom of the Irish Business Against Litter (Ibal) national survey, although it recently moved up from 39th to 37th most littered urban area.
The council in December 2013 announced a “blitz” on dumping black spots in the city where residents leave their rubbish in the streets instead of paying for waste collection.
It established a north inner city litter action group which has gone door to door asking people to provide proof they are disposing of their waste legally, and has had some success in persuading households to sign up to pay to have their bins collected.
However, no measure has had the instant effect of the poster. Local Independent councillor Nial Ring said he and other local councillors “fully endorsed” the measure.
“This is the nearest we can get to a name and shame policy. I would recommend that we get more CCTV cameras and put up more posters because it has got results.

“We don’t want to be in the Ibal relegation zone, we want to be the Leicester City of the litter league.”