Escolar Documentos
Profissional Documentos
Cultura Documentos
The talk brought two academic doctors from the UK, Tom
Fisher of Privacy International and John Welford of anti-
database group NO2ID, together to discuss their own take
on the Irish situation.
Welford, who has spent much of his retirement fighting the
establishment of the National Entitlement Card in Scotland,
was particularly strident.
I was highly motivated to come here today, Im horrified by
whats going on in Ireland, he said.
Whats going on in Scotland is bad, but Ireland is 10 times
worse.
Scotlands National Entitlement Card (NEC) was first
introduced in 2006.
This new bus pass was brought in 2006. Thats what people
call it, thats what they still call it. But the card itself doesnt
say what it is, said Welford.
He said that the NEC was first intended to replace the
existing bus pass, with the larger plan being to then link the
card to a citizens data account.
The pattern is always the same, he said, that is: a card with
an innocuous title, the gradual change of what the card is
primarily intended to be used for (mission creep), and then
the coercion of citizens into using it whether they wish to do
so or not (the need for someone to have a PSC in order to
apply for a passport for example).
Apart from anything else, he said, in the era of cyber crime
its suicide to create these large government databases.
It just gives criminals something to aim at.
Welford also found time to take a swipe at Minister for
Social Protection Regina Dohertys by-now notorious
declaration that the PSC is mandatory but not compulsory:
There will be confusion over whether a card is voluntary or
mandatory cards are often issued on a voluntary basis at
the start to make them less threatening.
Its not about who you trust now
Fisher, meanwhile, suggested that the introduction of
powerful databases are not a question of who you trust
now.
Its about who you can trust in 30 or 40 years. Who will be
in power then? Trump is a perfect example. You dont know
whos going to be in charge, he said.
These are things that should be debated officially if theyre
going to be introduced.
Garda Surprised Their Illegal Mass Surveillance Of Public Not A Bigger Story:
http://waterfordwhispersnews.com/2017/10/09/gardai-surprised-their-illegal-mass-
surveillance-of-public-not-a-bigger-story/
There has been a large rise in Garda surveillance activities in the last year.
Photograph: The Irish Times
Privacy groups have expressed concern about a large rise
in surveillance activities by garda in the last year.
There has been a 150 per cent rise in the use of listening
and vehicle tracking devices by garda since 2015. It
understood much of this relates to intensive Garda
operations targeting the Kinahan and Hutch crime gangs
whose feud has claimed eleven lives so far.
Garda are believed to have invested heavily in
surveillance equipment and training over the last 18
months, particularly for members of the National
Surveillance Unit.
Under the Criminal Justice (Surveillance) Act 2009 the
use of such devices requires the permission of a District
Court judge. However, in emergency situations garda
can rely on temporary permission from a senior officer.
The use of this emergency provision, which circumvents
the court, has also increased in recent years from once in
2014 to five last year.
According to the latest report from Mr Justice Brian
McGovern there were 129 intrusive surveillance
operations between 2015 and July 2016. This compares
to 51 from the proceeding 12 month period.
Man and woman found dead at house in Co Fermanagh
O'Sullivan may go before special sitting of committee over
Templemore
Charleton tribunal appoints two investigators
This use of vehicle tracking devices increased
substantially from 12 to 83.
The vast majority of operations were carried out by
garda. Revenue officials used tracking devices on 26
occasions and military intelligence used a bugging device
once.
The regime governing the use of listening and tracking
devices is separate from the legislation governing live
phone-tapping operations, although both are reviewed
annually by a judge.
Antoin O Lachtnain of Digital Rights Ireland said the
rise is concerning because Ireland is not in line with
international best practice when it comes to surveillance
oversight.
Citizens should feel assured that their phones and
computers wont be interfered with except for a good,
lawful reason. Irish law does not provide them with the
protection they should expect. It falls way short of
international best practice, he said.
https://www.irishtimes.com
/news/crime-and-
law/concern-over-sharp-
rise-in-garda-surveillance-
activities-1.3084663
Huh, just look at that, you just never know with these things, do you? mused
Minister for Justice Flanagan, who figured at the very least hed have to resign
over this or the Garda would face fresh pressure to give in to reforms.
Like it says it right there in the report, that it basically amounts to the mass
surveillance of everyone in the country, added a garda spokesperson, who
cant get his head around what constitutes a major scandal anymore.
Falsify breath tests? Theyre mad as hell. Garda can access all the electronic
communications you have without a warrant? Ah, youre grand dont worry
about it. Im confused, confirmed the garda spokesperson.
Flanagan, along with other government officials held several crisis meetings
over the ongoing scandal, hoping to quell any clamour for further, wide scale
investigations and at the worst, fallout that could lead to the collapse of the
government.
Turns out it was a massive waste of time, no ones really all that fussed. Ha,
Flanagan said, the relief in his voice was clear as day.
Both the garda and the government confirmed the news was an opportunity
to contemplate what they could really get away with if they tried in earnest.
http://waterfordwhispersnews.com/2017/10/09/gardai-surprised-their-
illegal-mass-surveillance-of-public-not-a-bigger-story/
Google offered to provide
cyber training for Irish
judges
Records show sustained lobbying by tech giants ahead of
new digital interception laws
Mon, Oct 9, 2017, 01:31
Ciarn D'Arcy
Share to Pinterest
Share to Reddit
Share to Google+
AddThis Sharing Buttons
Share to Facebook
Share to Twitter
Share to Pinterest
Share to Reddit
Share to Google+
Share to Twitter
https://www.irishtimes.com/opinion/state-s-approach-to-data-
privacy-is-a-national-scandal-1.3246055
The former chief justice warned that safeguards in place for state
authorities to access retained data could be undermined by those agencies
believing they are entitled to the data if it is deemed useful by them.
"The potential threat to fundamental rights and freedoms arising from the
statutory rights of access to retained data by state investigatory
authorities is especially concerning."
Under proposals released by the Irish Minister for Justice and Equality
Charlie Flanagan on Tuesday, the disclosure of data to the Garda Sochna
and other agencies would only occur after judicial authorisation is
acquired; however, the proposals also allow for the minister to unilaterally
extend the categories of data being retained.
"It is important that Ireland's data retention laws remain robust and are
updated in line with evolving case law coming from the ECJ," Flanagan
said. "The ECJ has identified difficulties with the model that EU member
states use to manage law enforcement access to communications data.
After four militant attacks in Britain killed 36 people this year, senior
ministers have repeatedly demanded internet companies do more to
suppress extremist content and allow access to encrypted
communications.
"I do not accept it is right that companies should allow them and other
criminals to operate beyond the reach of law enforcement," Rudd said.
"We must require the industry to move faster and more aggressively. They
have the resources and there must be greater urgency."
"We will take advice from other people, but I do feel that there is a sea of
criticism for any of us who try and legislate in new areas who will
automatically be sneered at and laughed at for not getting it right," the
BBC reported Rudd as saying.
"I don't need to understand how encryption works to understand how it's
helping ... the criminals."
For its part, the tech industry says it wants to help governments remove
extremist or criminal material but also has to balance the demands of state
security with the freedoms enshrined in democratic societies.
http://www.zdnet.com/article/former-irish-chief-justice-slams-data-retention-
as-mass-surveillance-and-threat-to-fundamental/
https://curia.europa.eu/jcms/upload/docs/application/pdf/2014-
04/cp140054en.pdf
Google Home
Mini flaw left
smart speaker
recording
everything
Google has released a firmware update
to fix a Home Mini bug that made the
device a privacy threat.
October 11, 2017
http://www.zdnet.com/article/google-home-mini-flaw-left-smart-speaker-
recording-everything/
Russakovskii has posted a video on YouTube showing the Home Mini
activating and recording when it detects almost any sound.
Google Home Mini self-triggering
Assistant over and over
Note: the sound is coming from Step Up movie playing nearby (not from the Sonos
speaker next to it). Want to sponsor the next Android Police video? Get in touch:
videosponsor@androidpolice.com.
https://www.youtube.com/watch?v=0hQPv6lyFtM
Google Home Mini touch controls
behaving incorrectly
Update
The good news is you get the same functionality using your voice.
Say "Ok Google" or "Hey Google" instead of pressing and holding the top of Mini to
start a request.
Say "Ok Google" or "Hey Google <pause/play/stop>" instead of tapping the top of
Mini to control music, alarms, and timers.
Volume control
Mini's volume controls haven't changed. You can still control volume by side touch and voice.
Original issue
The Google Home team is aware of an issue impacting a small number of Google Home Mini devices
that could cause the touch control mechanism to behave incorrectly. We immediately rolled out a
software update on October 7 to mitigate the issue.
Who is affected: People who received an early release Google Home Mini device at recent Made by
Google events. Pre-ordered Google Home Mini purchases arent affected.
My Activity: We take user privacy very seriously. We've removed any activity/queries that were
created by long pressing the top of a Google Home Mini between October 4 and October 7, when the
software update was rolled out. That information will no longer be listed on your My Activity
page. You can also always go to your My Activity page and delete any past activity from your
account.
Next steps: If you're still having issues, please contact Google Home Support at 1-855-971-9121 to
get a replacement Google Home Mini.
https://support.google.com/googlehome/answer/7550221
Minister for Justice Charlie Flanagan accepted there were difficulties with the
current legislation but denied it was unconstitutional. Photograph: Brian
Lawless/PA Wire
A report by the former chief justice John Murray has
found that current data-retention legislation amounts to
mass surveillance of the entire population of the State.
Mr Murrays 190-page review was published on Tuesday,
recommending a series of changes to the current
statutory framework, which he says is in breach of
European law.
The judge said the Communications (Retention of Data)
Act 2011 involves the retention and storage of historic
data pertaining to all electronic communication.
This includes communication via fixed line and mobile
telephone, internet communication and text messages
and is being done without the consent of those affected.
Mr Justice Murray said the arrangement is universal and
indiscriminate in application and scope. He said it
affects the retention and storage of journalists
communications data.
In relation to journalists, the judge said data pertaining
to the time, date, location, destination and frequency of a
journalists telephone calls is available and can identify
sources.
For example, location data linking a journalists
telephone calls with those of another caller in the vicinity
of, say, Leinster House before or after a sensitive
meeting in which that person was known to have been
involved, might well be thought crucial in this regard,
he said.
Not unconstitutional
Minister for Justice Charlie Flanagan accepted there
were difficulties with the current legislation but denied it
was unconstitutional.
Steps finally being taken to change shameful data
retention law
Restricting seizure of computer evidence could have huge
consequences
Google offered to provide cyber training for Irish judges
Mr Flanagan said he accepted Mr Murrays
recommendation that the law should be repealed and he
produced the heads of a replacement Bill, which makes
no reference to journalists.
Mr Justice Murray recommended the data of journalists
should not be accessed by any State agency unless he or
she is the subject of a criminal investigation and cannot
be accessed for the purpose of investigating an offence
committed by another person.
That data should only be granted with the permission of
a High Court judge, and the journalist should be notified
of the request and its outcome, he said.
https://www.irishtimes.com/news/politics/irish-data-law-amounts-to-mass-
surveillance-says-ex-chief-justice-
1.3243354?utm_source=dlvr.it&utm_medium=twitter
EU Parliament Workshop
on Community Networks
and Telecom Regulation
Date:
Tuesday, October 17, 2017 -
9:00am to 12:00pm
netCommons is proud to announce that it is co-organising
with Commons Network a workshop on Community
Networks at the European Parliament on October 17th,
2017. Here is the programme:
EU Parliament Workshop on
Community Networks and Telecom Regulation
17 October 2017 - 9h00-12h00 Room 5G315
European Parliament - Bt. Altiero Spinelli
60, rue Wiertz - B-1047 - Bruxelles
Community Networks (CNs) are a growing movement of
organizations that operate local communication
infrastructures, most of which give free or affordable access
to the global Internet. There are more than 150 of these
organisations across the EU, currently providing broadband
connectivity to tens of thousants of EU residents. These
networks are operated as a commons: Rather than being
driven by for-profit motives, their key focus is on providing
access to telecommunications while striving for democratic
governance, social inclusion, education, and human rights
with respect to digital technologies.
But despite their stunning achievements, policy-makers at
the national and European levels have so far mostly
neglected their existence and specific regulatory needs.
Worse, regulation is often hampering these initiatives, and
the draft of the European Electronic Communications
Code (EECC) risks worsening the situation. This workshop,
co-sponsored by MEPs Miapetra Kumpula-Natri (S&D) and
Julia Reda (Greens/EFA), will gather CN practicioners,
policy-makers and researchers to discuss the way in which
EU policy can help European CNs thrive.
Due to space constraints, the event is on-invitation only.
9h00-9h15 : Introductory remarks by Miapetra Kumpula-
Natri (MEP, S&D) and Renato Lo Cigno (netCommons)
9h15-10h15 : Assessing the work of Community Networks in
light of EU broadband policy
Chair: Mlanie Dulong de Rosnay (CNRS)
Rural areas - Leandro Navarro (UPC)
Social inclusion - Jurgen Neumann (Freifunk)
Education on ICT & innovation - Leonardo Maccari (Ninux)
Discussant: Alexandre Polvora (European Commission,
Joint Research Centre)
10h15-11h45: Overcoming regulatory hurdles for the
telecom commons
Chair: Flix Trguer (CNRS)
EU broadband policy and CNs - Maria Michalis (University
of Westminster)
Legal liability - Christian Heise (Freifunk)
Landline networks and the commons - Ramon Roca (Guifi)
Amending the EU Code of Telecommunications -
Benjamin Bayart (FFDN)
State surveillance:
disturbing revelations
Department of Justice has allowed a range of surveillance
practices that are in clear breach of European law
Sat, Oct 7, 2017, 00:05
A report by former chief justice John Murray has found that the State is
operating a system of data-retention that amounts to mass surveillance of the
entire population. Photograph: Pawel Kopczynski/Reuters
The finding by former chief justice John Murray that the
State is operating a system of data-retention that
amounts to mass surveillance of the entire population is
extremely disturbing. His report published this week is a
damning indictment of the Department of Justice for
allowing a range of surveillance practices to develop that
are in clear breach of European law. It is entirely
unacceptable that this situation has arisen, and
successive governments must be held accountable for
allowing it to develop unchecked.
In his 190-page review of the data protection system,
which was presented to the Government in April but
only published on Tuesday, Murray is unequivocal in his
finding that the current statutory framework breaches
European law. The Communications (Retention of Data)
Act, which was passed as recently as 2011, involves the
retention and storage of historic data including fixed-
line and mobile telephone, internet communication and
text messages, and is being done without the consent of
those affected.
Murray discovered that the arrangement is universal and
indiscriminate and, as such, also affects the retention
and storage of journalists communications data. He
pointed out that data relating to the time, date, location,
destination and frequency of a journalists telephone
calls is available and could be used to identify sources.
Steps finally being taken to change shameful data
retention law
Restricting seizure of computer evidence could have huge
consequences
Google offered to provide cyber training for Irish judges
The current law forces telephone companies to log
details of everyones communications and store that
information for up to two years. It means that
information relating to the activities of most of the
population is retained without the consent of those
affected, covering private and professional
communications.
The report says that the system, by providing for
universal rather than targeted surveillance, fails to meet
the standards set out in a number of recent judgments
from both the European Court of Justice, which governs
EU law, and the European Court of Human Rights.
Another serious problem is that the law allows
communications data to be accessed by garda without
court approval and without any protections for
journalists sources.
Maybe Doherty is trying to waste more of our money that her pal Fat Phil Hogan or her Co Meath
neighbour Noel "E-voting Machines" Dempsey? But just remember Regina - this is not like your
failed business ventures. This is OUR money, so stop wasting millions on your silly ID card and do
something useful .. like providing homes for the 3000 homeless children in hotel rooms.
States approach to data
privacy is a national scandal
So deep are the problems that actions for damages may
be brought and convictions quashed
Fri, Oct 6, 2017, 01:00
TJ McIntyre
In almost every regard the Irish system fails to meet standards articulated in a
number of recent judgments by the European Court of Human Rights and the
European Court of Justice. Photograph: iStock
Its not every day that a Minister for Justice issues a
report describing their department as operating a
universal, indiscriminate and illegal system of mass
surveillance. Yet that is precisely what happened last
Tuesday with the publication of a damning report by
retired chief justice John Murray, which found that Irish
surveillance practices fail to comply with European law.
The background dates from January 2016, when it
emerged that Gsoc had been accessing journalists phone
records (without a clear legal basis) in order to identify
their sources within An Garda Sochna. In response,
then Minister for Justice Frances Fitzgerald appointed
the former chief justice to examine the legal framework
around State access to journalists communications data
- a remit he interpreted widely to include the underlying
data retention law.
That law the Communications (Retention of Data) Act
2011 forces telephone companies and ISPs to log
details of everyones communications and movements
and to store that information for up to two years. In
Murrays words it constitutes a form of mass
surveillance of virtually the entire population of the
State, involving the retention and storage of historic
data, other than actual content, pertaining to every
electronic communication, in any form, made by anyone
and everyone at any time In essence this means the
retention of all communication data not going explicitly
to content: in other words, data pertaining to such
matters such as the date, time and location of a
telephone call.
Vast store of personal info
The impact on the privacy of individuals is clear. As the
report puts it, a vast amount of private information
pertaining to the personal communications of virtually
everyone in the State is now retained without the
consent of those affected Although routinely referred
to in anodyne terms as data or retained data, this vast
store of private information touches every aspect of an
individuals private and professional communications
profile over a lengthy period.
Ive seldom seen a report so directly contradict the minister who commissioned it.
udge Sofra O'Leary, BCL (University College Dublin), PhD (European University Institute) was
sworn in as a Judge at the European Court of Human Rights in July 2015.
Prior to joining the European Court of Human Rights, Judge OLeary worked for 18 years at the
Court of Justice of the European Union, where she served as a rfrendaire and Chef de cabinet
for Judges Aindrias Caoimh, Fidelma Macken and Federico Mancini. She later ran part of that
Courts Research Directorate.
Judge OLeary has been a Visiting Professor at the College of Europe in Bruges for many years
where she has taught LLM courses on EU law and the individual, EU Social Law and Policy and
now a judicial workshop.
She has, in recent years, been a member of the Editorial Board of the Common Market Law
Review and is now a member of both its Advisory Board and the Board of the Irish Centre for
European Law. In 2016 she was elected an Honorary Bencher of the Honorable Society of Kings
Inns.
Before joining the Court of Justice of the European Union, Siofra OLeary was the Assistant
Director for the Centre of European Legal Studies at the University of Cambridge and a Fellow of
Emmanuel College. She was previously a Visiting Fellow at the Faculty of Law, University
College Dublin, a Postdoctoral Fellow at the University of Cdiz, Spain and a Research Associate
at the Institute for Public Policy Research in London.
She is the author of two books entitled The Evolving Concept of Community Citizenship (Kluwer,
1996) and Employment Law at the European Court of Justice (Hart Publishing, 2001) and has
published extensively in academic journals and monographs on the protection of fundamental
rights, EU employment law, the free movement of persons and services and EU citizenship.
http://www.ucd.ie/law/newsandevents/events/walshlecture2017/
Public Meeting on Public Sector Cards and Biometric Database - 11am 11 Oct
Irish Council for Civil Liberties and Digital Rights Ireland will be hosting a public meeting on the
introduction of public service cards and the national biometric database. The meeting will take
place between 11am 1pm on Wednesday, 11th October 2017 at Buswells Hotel,
Molesworth Street, Dublin 2.
The meeting is aimed at drawing together leading experts from Ireland and abroad with a view
to identifying the key human rights issues arising from the introduction of the Public Service
Card scheme. Through a set of panel discussions, participants will be encouraged to agree on
the steps required to advance the protection of these human rights.
Karlin Lillington, journalist with The Irish Times will chair the meeting and panel speakers will
include:
Simon McGarr McGarr Solicitors
Dr TJ McIntyre University College Dublin and Digital Rights Ireland
Dr Maria Murphy Irish Council for Civil Liberties
Dr Tom Fisher Privacy International
Dr John Welford NO2ID
Elizabeth Farries International Network of Civil Liberties Organisations
Further details and information about the Irish Council for Civil Liberties are available here.
Registration for this is event is free, but places are limited and we request anyone
interested to please contact Roisin Giles at ICCL at info@iccl.ie
For Press Queries contact: David ODonnell, DHR Communications, Tel: 01-4200580 /
086-1081139
Given how central internet and phone evidence is to many prosecutions, the only
surprise is that it's taken this long for these challenges to be brought and no
doubt more will come. Unfortunately it is possible that at least some convictions
will be overturned as a result - and the blame for this will lie squarely with the
Department of Justice and successive ministers.
Ministers Dermot Ahern, Alan Shatter and Frances Fitzgerald in particular have
questions to answer.
Dermot Ahern knew in 2011 that data retention was on very shaky ground. By
then data retention laws had been struck down in Bulgaria (2008), Romania
(2009) and Germany (2010) - and the Irish challenge was pending before the
High Court which had decided that the case raised "important constitutional
questions". At this point the Irish law should have been reformed to provide
for data preservation and include adequate safeguards identified by those cases,
such as a requirement for a judge to approve access to data. Instead the law
adopted in 2011 was equally flawed.
Alan Shatter and Frances Fitzgerald are equally if not more at fault. It was clear
from the Advocate General's opinion in December 2013 that the Data Retention
Directive would be struck down. But instead of replacing the
2011 law implementing the Directive both ministers adopted the ostrich position.
There has been nothing but radio silence from the Minister for Justice since the
Data Retention Directive was invalidated just under a year ago. It may be that she
hopes by ignoring the problem it will go away. But by doing so she is only
ensuring that many more prosecutions and convictions will be put at risk. As I
previously predicted, "by continuing to keep its head in the sand the State is only
storing up problems for the future".
In essence, the Bill requires telecommunications companies, internet service providers, and
the like, to retain data about communications (though not the content of the communications);
phone and mobile traffic data have to be retained for 2 years; internet communications have
to be retained for one year. This is better than it could have been, in that the Directive would
have allowed 2 years for all traffic data; but it is a lot worse than the minimum of 6 months
allowed by the Directive. This will impose significant costs on those obliged to retain and
secure the data, and those costs will be passed on to their already hard-pressed customers.
And it is likely to drive international telecommunications and internet companies to European
states which have introduced far less demanding regimes.
Traffic data retention (like any example of pre-emptive and widespread surveillance) is simply
a bad idea; it is a massive invasion of privacy; it is founded on the illiberal and anti-democratic
suspicion that someone somewhere might be doing something; and it is not good enough to
reply that if you have nothing to hide, you have nothing to fear from surveillance. As the
prolific and challenging AC Grayling argues in his new book Liberty in the Age of Terror: A
Defence of Civil Society and Enlightenment Values (Bloomsbury, 2009; reviewed by The
Economist here), this pernicious assertion is one of the most seductive betrayals of liberty
dangerous viruses have infected NHS computers in the last year, overloading networks, and
massively compromising large amounts of personal data.
It is appropriate to restrict individual privacy provided that there is a good reason to do so,
and the restrictions do not good too far. In the context of this Bill, the prevention of crime is a
good reason, but the restrictions seem to go very far indeed, especially in the absence of
proper protections and oversight. In S and Marper v UK 30562/04 [2008] ECHR 1581 (4
December 2008) one of the reasons given by the European Court of Human Rights for
holding that the UKs retention of innocent peoples DNA records on a criminal register
infringed their right to privacy was the lack of sufficiently strong safeguards. I am a Director
of Digital Rights Ireland; this is one aspect of our ongoing challenge to Irelands data retention
regime; and this flawed Bill does nothing to alleviate these concerns.
(Cross-posted from Eoin ODells blog, cearta.ie)
https://www.digitalrights.ie/thoughts-on-the-new-data-retention-bill/
https://www.digitalrights.ie/public-services-card-mandatory-access-
state-services/
http://www.irishstatutebook.ie/eli/2005/act/26/enacted/en/pdf
What will future Irish data protection law look like? Many of the
decisions have already been made in Brussels and Strasbourg, but the
EU General Data Protection Regulation still leaves quite a bit of
discretion to individual Member States. The Department of Justice and
Equality has just published a draft Heads of Bill giving effect to aspects
of the GDPR,
http://www.justice.ie/en/JELR/General_Scheme_of_Data_Protection_Bil
l_(May_2017).pdf/Files/General_Scheme_of_Data_Protection_Bill_(Ma
y_2017).pdf
http://www.irishexaminer.com/ireland/gardai-will-keep-accessing-details-despite-warnings-
460274.html
Former Irish Chief Justice slams data retention as mass surveillance and threat to fundamental
rights
On the plus side, at least Irish authorities will have to get
juridical approval to access retained data under proposed
government amendments.
October 4, 2017
Former Chief Justice of Ireland John L Murray has warned that retained
telecommunications data poses a threat to "fundamental rights and
freedoms" in a searing report [PDF] released on Tuesday alongside
proposed amendments by the government to Ireland's data retention
laws.
The former chief justice warned that safeguards in place for state
authorities to access retained data could be undermined by those agencies
believing they are entitled to the data if it is deemed useful by them.
"The potential threat to fundamental rights and freedoms arising from the
statutory rights of access to retained data by state investigatory
authorities is especially concerning."
Under proposals released by the Irish Minister for Justice and Equality
Charlie Flanagan on Tuesday, the disclosure of data to the Garda Sochna
and other agencies would only occur after judicial authorisation is
acquired; however, the proposals also allow for the minister to unilaterally
extend the categories of data being retained.
"It is important that Ireland's data retention laws remain robust and are
updated in line with evolving case law coming from the ECJ," Flanagan
said. "The ECJ has identified difficulties with the model that EU member
states use to manage law enforcement access to communications data.
After four militant attacks in Britain killed 36 people this year, senior
ministers have repeatedly demanded internet companies do more to
suppress extremist content and allow access to encrypted
communications.
"I do not accept it is right that companies should allow them and other
criminals to operate beyond the reach of law enforcement," Rudd said.
"We must require the industry to move faster and more aggressively. They
have the resources and there must be greater urgency."
"We will take advice from other people, but I do feel that there is a sea of
criticism for any of us who try and legislate in new areas who will
automatically be sneered at and laughed at for not getting it right," the
BBC reported Rudd as saying.
"I don't need to understand how encryption works to understand how it's
helping ... the criminals."
For its part, the tech industry says it wants to help governments remove
extremist or criminal material but also has to balance the demands of state
security with the freedoms enshrined in democratic societies.
further use of this law means investigations will fail, convictions will be overturned, and state
exposed to claims.
The bill also ignores this recommendation for an independent monitoring body:
The bill doesnt appear to give special treatment to journalists at all, and the general protections
fall short of the Murray recmndtns.
Particularly troubling is the attempt to put the new retention regime beyond challenge by
keeping secret whats retained and how long.
Dept of Justice site playing up? Here are mirrors of the data retention report and bill:
https://www.docdroid.net/UsyPY4B/general-scheme-communications-retention-of-data-bill.pdf
Unclear whether the Bill at
Heads of Bill give Minister discretion re which data to retain and for how long. This will be the
key battleground:
High Court asks ECJ to
examine Facebook case
Max Schrems case may have huge implications for EU
data privacy rights, says judge
Tue, Oct 3, 2017, 11:08 Updated: Tue, Oct 3, 2017, 14:13
Mary Carolan, Elaine Edwards
Justice Minister Charlie Flanagan will propose new laws to restrict the
ways garda and other state agencies can monitor citizens
communications, including the type of data they can hold.
Government sources say the long-awaited Murray report into
the accessing of communication data of journalists phones by the Garda
Sochna Ombudsman Commission (GSOC) will be published while the
stricter data laws are also brought to Cabinet.
It is understood changes proposed will look at which firms or groups can
access data as well as the current method whereby applications are
made to a judge to monitor communications.
The 190-page Murray report is expected to highlight concerns about
how garda and other state agencies are obtaining the traffic data of
citizens generally.
The inquiry, conducted by former chief justice John Murray, is also
understood to raise concerns about Irelands adherence to the European
Convention on Human Rights (ECHR).
Legal sources have indicated this could have repercussions for current
and future prosecutions.
Unlike other forms of surveillance in Ireland which require either a
judicial or ministerial authorisation requests by garda, GSOC and
other agencies to access traffic data from mobile phone and internet
companies do not need any external permission.
In January 2016, the Government tasked Mr Justice Murray to conduct
an inquiry after concerns were raised about the legal basis for GSOCs
accessing of journalists phone records in the course of an inquiry.
The Murray report was submitted to the Department of Justice last April
and will be presented to Cabinet today alongside revised detention of
data legislation.
It comes amid growing legal concerns in Ireland about the system,
including submissions from the Irish Human Rights and Equality
Commission last year.
The Department of Justice said that officials were considering both the
report and legal advice on it.
Communication or traffic data includes extensive details of phone calls
(but not content) as well as use of websites and email.
It is understood the Murray report has expressed concerns about the use
of the power by garda and others and its compliance with the ECHR.
The UN Special Rapporteur on Privacy, speaking in Ireland last April,
said access to communication data should require a warrant.
The previous November, the IHREC said, ideally, law enforcement
agencies should have to seek a court order for such information.
In the current issue of the Irish Criminal Law Journal, Shane Kilcommins
and Eimear Stain of the School of Law at the University of Limerick
question the legal basis for GSOCs use of the powers and oversight of
them.
http://www.irishexaminer.com/ireland/new-laws-to-protect-data-of-citizens-460177.html
Interestingly, the US seems to be rejecting a number of MLATs on 1st amdt grounds
ECJ ruling on jurisdiction over Internet defamation coming 17th October. The first para of the
AG opinion is superb
http://curia.europa.eu/juris/document/document.jsf;jsessionid=9ea7d0f130d5315eaf0e8ddd437d8c
bfd08a91e78419.e34KaxiLc3eQc40LaxqMbN4PaN8Re0?text=&docid=192713&pageIndex=0&d
oclang=en&mode=lst&dir=&occ=first&part=1&cid=907456
The vast majority of politicians still do not understand, in depth or breadth, the
data protection and privacy issues that lie at the heart of a functional,
transparent democracy. Photograph: Pawel Kopczynski/Reuters
Karlin Lillington
Thu, Sep 21, 2017, 06:10
The Government has published its legislative programme for Autumn 2017.
Included in the high-priority legislation for publication in the current Dil session is
the Data Protection Bill. What's remarkable is the number of other bills in the
programme which relate to large scale personal data processing, including: *
Criminal Records Information Systems Bill * National Claims Information
Database Bill * Data Sharing and Governance Bill * Communications (Retention
of Data) Bill * Adoption (Information and Tracing) (No. 2) Bill * Cyber Security Bill
* Health Information and Patient Safety Bill * Road Traffic (Master Licence
Record) Bill * Vehicle Registration Data (Automated Searching) Bill
Remarkable no. of bills relating to large scale personal data processing in Dil legislative prog
LEGISLATION PROGRAMME AUTUMN SESSION 2017
https://merrionstreet.ie/en/ImageLibrary/20170919_Legislative_Programme.pdf
PSC is up in Dail next week. Make your TDs
aware and ask them to make contact woth
@DRIalerts on this issue. Right now! Send an
email.
Proposed EU rules on TV & internet will violate free speech. Liberties policy note explains &
offers rights solution
Events
o Walsh Lecture 2017
o The Common Law and Brexit: A New Frontier?
o Algorithmic Consumers
o UCD Institute of Criminology Lecture
o Rest Here Installation
o Professional Regulation Workshop
o Human Rights NI Seminar
o Inaugural Lecture Professor James Devenney
o Constitutional Law
o JM Kelly Annual Lecture 2017
o Consumer Protection and Competition Policy in a Changing World
o 2016 Adjudication Advocacy Course Nov 3
o Competition Law and Enforcement Priorities
o CEAM Arbitrational Tribunal Secretaries Course
o FATF Workshop
o The Workplace Relations Act 2015 - One Year On
o Stetson Advocacy Training
o School of Law to host four events including Brexit Debate
o McDowell Purcell Distinguished Guest Lecture
o JM Kelly Annual Lecture 2016
o Business Contracting Seminar with Max Abrahamson
News
Liberties has published a policy note analysing the changes to the Audiovisual Media
Services Directive (AVMS Directive) that are reaching their final stages of
negotiation between the European Parliament and national governments in the
Council. Directives are used to create common minimum rules across the EU so that
companies and individuals only have to comply with one single standard when they
work in different EU countries, instead of 28 different standards from individual
countries.
This particular piece of legislation sets out certain rules that companies and
governments have to obey when providing and regulating television and similar
services passing from one EU country to another. The AVMS Directive only creates
rules about certain aspects of the media, such as advertisements, protection of
children, promotion and distribution of European-made TV programmes,
broadcasting of major events, like big football matches, accessibility for people with
disabilities and hate speech.
Our paper points out a number of problems with the current reforms that are being
debated. Certain proposals violate the right to freedom of expression, which the EU
and its member countries are obliged to protect, according to the EU Charter of
Fundamental Rights. Our paper also suggests how these problematic provisions could
be altered to make sure governments and the EU comply with their legal obligations.
But it is left up to these companies to decide what amounts to hate speech. Liberties
warns decision makers against this solution. The problem is that it can be hard to
identify hate speech. Often people share controversial ideas that can shock or annoy
parts of the public but these are important to democratic debate and do not amount to
hate speech. Companies are very likely to be overly cautious in order to avoid the
possibility of fines. This is because businesses tend to be guided by the desire to
maximise profit rather than serve democracy by promoting a balanced public debate.
For business, the protection of human rights is not of primary importance. Instead of
putting these important decisions in the hands of companies, governments should
allow existing legal procedures to do their job. That is, allow the courts to decide what
kind of content should be taken down from websites.
Fourth, the Directive extends the scope of the term harmful content.
According to the European Commissions proposal, video-sharing
platforms should take measures to protect children from programmes
with harmful content. This solution would require video-sharing
platforms to label and even censor online content.
This is bad because companies will use filtering software, which will not be able to
distinguish between information that might be helpful from information that can be
harmful. For example, children might look for information about sex education or for
support dealing with sexual harassment on the internet. But this is likely to be blocked
by filtering software that is trying to prevent children accessing violent content. Just
to give you one ludicrous example: Essex city homepage was blocked by filtering
software because it contains the word sex.
https://www.liberties.eu/en/news/audiovisual-media-services-directive-avms-
liberties-policy-paper/12946
A group of privacy and data protection experts has written to Minister for
Justice Charlie Flanagan about the Public Services Card.
A group of academics specialising in privacy and data
protection law have said they are not aware of any legal
requirement for people in receipt of social welfare
payments to register for the public services card (PSC).
Eleven experts have written to Minister for Justice
Charlie Flanagan expressing concern about the
Governments card project after it emerged that a
woman in her 70s had her State pension cut off because
she refused to register for a card.
She has not been paid her pension for 18 months
because she refused to go through the registration and
identity-verification process as requested by the
Department of Social Protection. As a result she is owed
about 13,000.
The woman said she felt bullied following several
letters from the department inviting her to register. No
one had been able to demonstrate that the card was
mandatory, she added.
In a letter sent on Friday, the academics noted what they
said was the intent to turn the PSC, which was
originally intended to be used for specified public service
purposes only, into a general purpose identity card to be
used in a wide variety of contexts under the Social
Welfare and Pensions Bill 2017.
It would appear that the time has now come where a
national identity card is essentially on the table, and it is
time for policy decisions in relation to this matter, they
wrote.
They said that to date, there had been no public
engagement in relation to the development of policy for
a national identity card.
Our concern is that as a result, we are sleepwalking into
developing a national identity index and national
identity card in all else but name, and that we have not
considered the very important implications before doing
so.
They called on the minister to engage with the public
for the development of policy on this matter, and for
there to be a real debate on the issue.
Letter to Minister for Justice Re Public Services Card August 25 2017
A group of privacy and data protection experts has written to Minister for
Justice Charlie Flanagan about the Public Services Card.
https://assets.documentcloud.org/documents/3969352/Letter-to-
Minister-for-Justice-Re-Public.pdf
They asked that the minister recommend that further expansion of the
card be delayed and that the provision in the recent Social Welfare and
Pensions Bill extending its use not be enacted until the matter had been
aired and policy considered in depth.
The group also noted that in 2015, then minister for social protection Joan
Burton said the question of introducing a national identity card had not
been part of the remit for the so-called SAFE scheme to register welfare
recipients.
Ms Burton said in the Dil that such a measure would require due
consideration by the appropriate agencies before any policy decisions could
be formulated by Government and would require the development and
implementation of legislation to support any such policy.
The academics said it was now being made effectively compulsory to have
the PSC in order to carry on ordinary business in our society (for example
to get a driving licence or a passport).
They noted the Department of Social Protection was now writing to social
welfare recipients stating that registration for the card was now a legal
requirement for people in receipt of social welfare payments (including
Child Benefit) or free travel entitlements.
We are not aware of any such legal requirement, they said.
The group includes Dr Stephen Farrell of Trinity College Dublin, Dr Alan
Greene of Durham Law School, Prof Steve Hedley of UCC, Dr Rnn
Kennedy of NUI Galway, Prof Maeve McDonagh of UCC, Dr TJ McIntyre of
UCD, Dr Maria Helen Murphy of Maynooth University, Dr Patrick
OCallaghan of UCC, Dr Darius Whelan of UCC and Prof Robert Clark,
UCD emeritus professor, who wrote the first Irish book on data protection.
The Data Protection Commissioner said it had strongly conveyed its
views on the public services card project on numerous occasions to the
Department of Social Protection that there was a pressing need for
updated, clearer and more detailed information to be communicated to the
public and services users regarding the mandatory use of the PPSN and
PSC for the provision of public services.
Fianna Fil Seanad spokeswoman on social protection Catherine Ardagh
said it was essential that both houses of the Oireachtas were provided
with an opportunity to debate and consider the possible human rights
and/or data protection implications of introducing such a system of
national ID cards.
Any measure or initiative designed to effectively establish a State database
of citizens information requires a comprehensive debate, and the fact that
a public services card will soon be required for all passport applications,
driving licences and driver theory tests means that this debate needs to
happen once the Oireachtas returns, Ms Ardagh said.
The card was introduced to replace the old social welfare card and some
other cards used for State services and about 2.75 million have been issued
to date.
The Department of Social Protection has a target of 3 million cards to reach
by the end of this year.
It said on Friday the card did not have any of the typical characteristics of a
national identity card in that people were not required by law to register
for one and it was not compulsory or mandatory for individuals to hold or
carry one.
It said An Garda Sochna was specifically precluded from requesting an
individual to produce a PSC as proof of identity.
The public services card is exactly that a card is designed for the
purpose of safely, securely and efficiently providing public services.
https://www.irishtimes.com/news/social-affairs/privacy-law-experts-write-to-
minister-for-justice-over-public-services-cards-1.3199487
It appears that the public service card framework provides for the collection of
further information including PPSN, date of birth, fingerprint and iris scans.
AddThis Sharing Buttons
Share to Pinterest
Share to Reddit
Share to Google+
AddThis Sharing Buttons
Share to Facebook
Share to Twitter
Share to LinkedIn
Lost votes
Blunkett resigned and was replaced by Charles Clarke in
2004, but the new Home Secretary insisted he would press
ahead with the ID card plan: legislation continued to make
its way through parliament.
Labour suffered several defeats on the legislation in the
House of Lords in 2006. In one such vote, Tory and Liberal
Democrat peers managed to strike down plans to link the
card to passport applications insisting the government
was trying to bring in compulsory ID cards by stealth.
Lady Kennedy, a human rights lawyer and Labour party
rebel, had argued that the measure amounted to introducing
compulsory ID by the back door. The legislation would
have required all passport applicants to enter their details
on a national identity register.
Labour ministers had warned the peers they ought to follow
parliamentary convention and green light the measure, as it
had featured in the governments election manifesto.
Opponents, however, said that the manifesto had promised
a voluntary scheme, whereas the one being proposed would
have to be accepted by anyone applying for a passport.
By the end of the year Tony Blair was still insisting the
identity card scheme should go ahead for reasons of
modernity. At a press conference, he also stressed the
personal benefit of having an ID card, saying it would do
away with the need to produce other documents to prove
your identity.
Foreign Nationals
After a 2006 compromise that allowed the bill to pass
through the Lords, the rollout began in 2008 as ID cards
became compulsory for foreign nationals.
A trial plan to make the cards mandatory for pilots and
airside staff at London City and Manchester airports was
dropped the following year, after union opposition.
Alan Johnson, who had by then taken over as Home
Secretary, conceded that the cards should not have been
sold as the panacea for tackling terrorism and said that
had been a factor in messing up the debate.
People who worked airside were resenting the fact there
was compulsion involved, Johnson said although he
insisted the ID scheme was still very much alive.
As the BBC reported at the time, the government had always
envisaged that the scheme would eventually be compulsory.
It had always insisted, however, that the cards would not be
made compulsory without MPs being allowed to vote on the
issue and it was never proposed that it would actually be
mandatory to carry one at all times.
Not compulsory
A year after they were rolled out for foreign nationals, the
final design of the card was unveiled to the public in 2009
and they were offered at first to members of the public in
Greater Manchester.
The cards, which were available from 30, would be
launched nationwide in 2011 or 2012, the government
announced. Home Secretary Alan Johnson helmed the
regional launch in July 2009, saying:
The introduction of ID cards today reaches another
milestone, enabling the people of Manchester to prove and
protect their identity in a quick, simple and secure way.
Given the growing problem of identity fraud and the
inconvenience of having to carry passports, coupled with gas
bills or six months worth of bank statements to prove
identity, I believe the ID card will be welcomed as an
important addition to the many plastic cards that most
people already carry.
The opposition described it as a colossal waste of money
and civil liberties campaigners said it was as costly to our
pockets as to our privacy.
The end
As the rollout continued, the scheme was extended across
the North West and to 16- to 24-year-olds in London in
2010.
By May of that year there were around 15,000 cards in
circulation.
The same month, David Cameron became Prime Minister
following a general election and his Home Secretary Theresa
May announced she was scrapping the cards. A separate but
similar scheme for foreign nationals would continue.
The entire project was estimated to have cost 5 billion
although the London School of Economics estimated at the
time that the true cost could be far higher.
http://news.bbc.co.uk/2/mobile/uk_news/politics/8175139
.stm
What is the Public Services
Card?
The Public Services Card will include facial imaging software to help
detect and prevent welfare fraud. What else do we know about this new
ID card?
May 9th 2012
The Public Services Card (PSC) helps you to access a range of public
services easily. Your identity is fully authenticated when it is issued so you
do not have to give the same information to multiple organisations. It was
first introduced in 2011 and was initially rolled out to people getting social
welfare payments. It is now being rolled out to other public services.
The front of the card holds a persons name, photograph and signature,
along with the card expiry date. The back of the card holds the persons
PPS number and a card number. It also holds a magnetic stripe to enable
social welfare payments such as pensions to be collected at post offices
If the person holding the card is entitled to free travel, the card will display
this information in the top left-hand corner. If FT-P is written on the card
the holder is personally entitled to free travel. If FT+S is written on the card
the holder can travel with their spouse, partner or cohabitant. If FT+C is
written on the card the holder can have a companion (over 16) travel with
them for free (because they are unable to travel alone for medical
reasons).
Why do I need a PSC?
The PSC is currently a requirement for the following;
Access to Social Welfare Services (including Child Benefit and
Treatment Benefits)
First time adult passport applicants in the state
Replacement of lost, stolen or damaged passports issued prior to
January 2005, where the person is resident in the State.
Citizenship applications
Driver Theory Test Applicants
Access to high value or personal online public services, e.g. Social
Welfare and Revenue services, via MyGovId, the mechanism for
accessing public services online. To learn more about MyGovID
click here.
How do I get a PSC?
Face-to-face registration for a Public Services Card is called SAFE
(Standard Authentication Framework Environment) registration.
SAFE registration takes about 15 minutes to complete (once all documents
are presented). During this appointment your photograph will be taken and
your signature recorded for your new Public Services Card, which will be
posted to you. You will also be asked for the answers to some security
questions.
You must bring certain documents with you to your appointment to prove
your identity and address. You should also bring your mobile phone, if you
have one. Having your mobile phone with you when you are SAFE
registered means that we can pair that mobile phone number with
you. This makes it much easier for you to verify your MyGovID account
which is required should you wish to access public services online in the
future.
Ordinarily, to get a PSC, a person must attend a face to face interview at a
DEASP Office. However in certain circumstances and subject to a
persons consent a PSC can also be issued based on information provided
to another state body, such as in a drivers licence
application. Accordingly this Department intends to write to certain
persons who have renewed their licence since March 2014 and in doing so
has provided the Road Safety Authority with personal information and a
photograph. These people will be offered the opportunity to complete the
SAFE registration process without attending a DEASP office. See Privacy
Impact Assessment on the use of RSA Driving Licence data here.
A PSC is usually issued to adult applicants for PPS numbers.
If you dont yet have a PSC you can make an appointment to get one
either by using MyWelfare.ie or by calling into your local Intreo Centre or
social welfare local office. Details of the Department of Employment
Affairs and Social Protections offices can be found here:
http://www.welfare.ie/en/Pages/Intreo-Centres-and-Local-and-Branch-
Offices.aspx
Documents to bring to your SAFE registration
appointment
1.Evidence of identity:
The Department can confirm that it has never piloted or used facial image scanning cameras in its
local offices and has no intention of so doing. Additionally, the Department does not and has no
plans to collect fingerprints. Finally, there are no security passwords or biometric facial scans held
electronically on the PSC. Any of these would require primary legislation and the accompanying
public debate.
SAFE 2 registration requires a photo of the customer. This photo is run through software to check
against other photos that have been taken during other SAFE 2 registrations. The purpose is to
detect and/or prevent duplicate registrations.
The photograph is a part of the Public Service Identity (PSI). Section 262 of the Social Welfare
Consolidation Act, 2005 (as amended) provides for the PSI including its use and sharing. Sharing
of the PSI is restricted to public service bodies specified in law or their agents. It can only be used
by a specified body in relation to authenticating an individual with whom it have a transaction and
in performing its public functions insofar as those functions relate to the person concerned.
The Department of Social Protection would like to restate that the use of the identity verification
processes used by the Department and the Public Services Card (PSC) are underpinned by
legislation as set out in the Social Welfare Consolidation Act 2005 (as amended). This legislation
limits the usage of the PSC to specified public bodies only.
Section 247C(3) of the Social Welfare Consolidation Act 2005, as amended, specifies the manner
in which the Minister may be satisfied as to a persons identity. In effect this Section describes the
process for registering a persons identity this is the SAFE 2 registration process. A PSC is
issued to a person who is SAFE 2 registered in accordance with Section 263 of the Act. It is a
token which proves that a person has had their identity verified to a substantial level of assurance
in accordance with the SAFE 2 standard.
The Public Services Card is not a national identity card. The Public Service Card is a card for
accessing public services only.
The Public Services Card does not have any of the typical characteristics of a national identity
card in that
1) It is not compulsory or mandatory for individuals to hold or carry a Public Services Card. There
is no law in Ireland requiring a person to carry any form of ID card (other than a driving licence
when driving).
2) You are not required by law to provide it to a member of the police force at their request. An
Garda Sochna is specifically precluded from requesting an individual to produce a PSC as proof
of identity. It is an offence for an organisation or a member of an organisation that is not a
specified body in the Act to request the PSC. An Garda Sochna is not a specified body (except
in respect of its own members). This deliberate exclusion is a clear signal as to the purpose of the
PSC.
3) Bodies not specified in the legislation in either the public or private sector may not request the
PSC or may not be required to use it in any transactions.
The Public Services Card is exactly that a card is designed for the purpose of safely, securely
and efficiently providing public services.
For further information on the Public Services Card please see our previous statement
here http://www.welfare.ie/en/pressoffice/Pages/pr250817.aspx
ENDS
http://www.welfare.ie/en/pressoffice/pdf/pr290817.pdf
The Public Services Card (PSC) is precisely that, a card for accessing
public services. It helps customers access a range of public services
easily. The users identity is fully authenticated when it is issued so they do
not have to give the same information to multiple organisations. It was first
introduced in 2011 and was initially rolled out to people getting social
welfare payments. It is now being rolled out to other public services.
The PSC is currently a requirement for the following;
Access to Social Welfare Services (including Child Benefit and
Treatment Benefits)
First time adult passport applicants in the state
Replacement of lost, stolen or damaged passports issued prior to
January 2005, where the person is resident in the State.
Citizenship applications
Driver Theory Test Applicants
Access to high value or personal online public services, e.g. Social
Welfare and Revenue services, via MyGovId, the mechanism for
accessing public services online.
The Department of Social Protection makes it clear to customers in receipt
of social welfare payments that they do need to register to SAFE 2 to
access, or continue to access, a social welfare entitlement.
Customers in receipt of a social welfare entitlement are written to and
invited to make an appointment to complete the SAFE 2 registration
process -which results in them being issued with a Public Services Card.
The process takes about 15 minutes to complete, once all required
documents are presented. The Department also issues reminder letters to
customers, if required.
The majority of our customers accept the importance of, and need for the
robust SAFE 2 identity verification process when in receipt of a social
welfare entitlement and c2.77m Public Services Cards have been issued to
date.
The decision to suspend or stop a payment is never made lightly.
However, where a customer does not satisfy the Minister in relation to
identity as per the legislative requirements outlined below, a payment can
be stopped or suspended.
Legislative Basis for disqualification from receipt of benefit where
identity is not authenticated
In 2005, the Government approved a rules based standard for establishing
and authenticating an individuals identity for the purposes of access to
public services. This standard is known as the Standard Authentication
Framework environment or SAFE. A Public Services Card (PSC) is
issued to an individual who has successfully completed a registration
process to a substantial level of assurance this is known as SAFE 2.
In the case of the Department of Social Protections own services, the
legislation governing the validation of identity for access to these is
contained in the Social Welfare Consolidation Act 2005, as amended, viz.
Section 247C(1) of the Act provides that the Minister may require any
person receiving a benefit to satisfy the Minister as to his or
her identity;
Section 247C(2) of the Act specifies the consequences of failure to
satisfy the Minister in relation to identity as required, specifically
that a person shall be disqualified from receiving a benefit;
Section 247C(3) of the Act specifies the manner in which the Minister
may be so satisfied; in effect, this Section describes the process
for registering a persons identity - this is the SAFE 2 Process.
In other words, this legislation requires a person to satisfy the Minister as
to their identity and allows disqualification from receipt of a benefit in the
event that it is not done. It is not possible for a person to satisfy the
Minister as to his or her identity without being SAFE 2 registered.
Legislative basis for usage of PSC by other public bodies
The legislation governing the production of the PSC and its usage by other
public bodies is set out at Section 263 of the Social Welfare Consolidation
Act 2005. Section 263 also sets out how it is an offence for bodies not
specified in the legislation to seek or use the PSC. As an Garda Sochna
is not a specified body in the legislation (except in respect of its own
members), it would therefore be an offence for a Garda to ask someone to
present a PSC
Is a Public Services Card a national Identity Card?
The Public Service Card is a card for accessing public services only. It is a
token which proves that a person has had their identity verified to a
substantial level of assurance in accordance with the SAFE 2 standard. It
is governed in that context by legislative provisions in the Social Welfare
Consolidation Act 2005 (as amended), which limit its usage.
The Public Services Card does not have any of the typical characteristics
of a national identity card in that
You are not required by law to register for a Public Services Card. It is
not compulsory or mandatory for individuals to hold or carry a Public
Services Card. There is no law in Ireland requiring a person to carry
any form of ID card (other than a driving licence when driving).
You are not required by law to provide it to a member of the police force
at their request. An Garda Sochna is specifically precluded from
requesting an individual to produce a PSC as proof of identity. This
deliberate exclusion is a clear signal as to the purpose of the PSC.
Bodies not specified in the legislation in either the public or private sector
may not request the PSC or may not be required to use it in any
transactions.
The Public Services Card is exactly that a card is designed for the
purpose of safely, securely and efficiently providing public services.
PSC and Data Protection
The design of the card was discussed with the Office of Data Protection
Commissioner which, in its Annual Report of 2010, advised that The
Public Services Card will include a photograph, signature and electronic
chip, as well as featuring the PPSN of the individual on the back of the
card. The incremental nature of the rollout of the Public Services Card is
welcome as is the active engagement of the Department of Social
Protection with all stakeholders including our Office to try to ensure that all
relevant issues are addressed. It has already completely taken on board a
number of points which we have made, which I very much welcome.
The personal information on the card is deliberately restricted to avoid
misrepresentation or identity fraud in circumstances where the card has
been lost or stolen. Lost or stolen cards are replaced without charge.
PSC and Security
Given the value of a Public Services Card, its design includes a number of
advanced physical and technical security features that meet the highest
international standards of data security. Importantly, all data contained on
the PSC chip is encrypted. Only paired card readers specifically
programmed to accept Public Services Cards can read the encrypted
personal data which is held on the card.
Free Travel Variant of the Public Services Card
Free Travel customers include those over 66 years of age, and customers
in receipt of Disability Allowance, Blind pension, Invalidity payments,
Carers payments and those participating in the Make Work Pay scheme
who can retain their free travel entitlement for a period of five years after
they return to work. The Free Travel variant of the PSC holds a separate
contactless chip which allows it to interact with the Integrated Ticketing
System operated by the National Transport Authority. No personal
information on a customer is made available to any transport operator
either inside or outside of the jurisdiction when the PSC is used to interact
with the ticketing system.
Have the Public Been informed about this ?
The Department has always been open about its plans to invite all
customers in receipt of social welfare payments to register to SAFE 2. The
Department has also produced explainer videos in both English and Irish
relating to the PSC card and it use; these are available on the
Departments website. www.welfare.ie/psc
The legislation underpinning the Departments application of the SAFE
registration process and use of the PSC has been published and debated
in the Oireachtas. Since the launch of the PSC in 2011, the Department
has answered a considerable amount of questions both in the Dil and in
the Irish media.
ENDS
Department of Social Protection
25th August 2017
Your Personal Public Service Number (PPS number) is a unique reference number that helps you
access social welfare benefits, public services and information in Ireland.
Before you can be allocated a PPS number, you must show that you need one for a transaction
with a specified body. For example, if you are taking up employment, you need a PPS number to
register with the Revenue Commissioners. However, looking for work is not a transaction with a
specified body and employers should not look for your PPS number when recruiting. An employer
should only seek a PPS number if you are actually taking up employment with the organisation.
You can find a list of State agencies that use PPS numbers to identify individuals on
the Department of Employment Affairs and Social Protection's website.
The PPS number was known as the Revenue and Social Insurance (RSI) number. If your number
is the same as your spouse's number but your number has a W at the end, you may need a new
PPS number - see 'Phasing out of W numbers' below for more information.
Before 2000 when some women got married they had to use the same PPS number as their
husband, but with a W at the end of the number. This W number was issued by Revenue to
identify spouses in a jointly assessed relationship. The W number was linked to the PPS number
of the assessable spouse (which is the term used in Revenue for the spouse who is charged tax
on the income of both spouses).
These numbers are being slowly phased out and W numbers have not been issued since 1999.
If your PPS number is the same as your husbands PPS number but the last letter is W, you must
get a new PPS number in these circumstances:
If you have a PPS number ending with W and you cannot access the Local Property Tax online
system using this number you may need to request a new number.
If you were issued a PPS number after 1979 and before you married, the Department may re-
issue you with your original number on request.
If you are changing your W number for a new PPS number you do not need to go through the
same application process as everyone else. To get your new number or to be re-instated with your
old number contact the Client Identity Section in the Department of Employment Affairs and Social
Protection (DEASP). The phone number is (071) 967 2616 or Lo-call 1890 927 999.
When you get your new number from the DEASP, you should inform any organisations that may
hold your old number. For example, your employer, your bank, the National Driver Licence
Service, the HSE and Revenue you can inform Revenue using the Revenues online Jobs and
Pension Service or contact your local tax office.
You cannot apply for a PPS number before you arrrive in Ireland. You must be living in Ireland to
apply for a PPS number. Before you can be allocated a PPS number, you must show that one is
required for a transaction with a specified body.
You will be asked to produce documentary evidence of identity and residence in Ireland. Different
documentary evidence will be required, depending on your nationality. A complete list of
documents required as evidence of your identity is available.
I am not resident in Ireland but I need a PPS number - how do I get it?
In some cases people who are not resident in Ireland may need a PPS number. For example,
someone who is a beneficiary under an Irish will may need to supply a PPS number before a grant
of probate can issue.
The DEASP's Client Identity Services (CIS) provide a service for non-resident applicants who
cannot attend at a designated PPS Registration Centre and who need a PPS number. If you want
to use this service, you must show documentary evidence that you need a PPS number for a
transaction with a specified body. You cannot use this exceptional application process if you are
living in or intend to relocate to Ireland for any period of time. Audits of PPS applications are
carried out periodically and you may be asked for additional information.
If you are living in Northern Ireland or the United Kingdom and are working in the Republic of
Ireland (a frontier worker) you apply for a PPS number in the normal way at a designated PPS
Registration Centre.
Occasionally a PPS number may be required for a deceased person, usually when dealing with
grant of probate.
In such cases, you should send a copy of the death certificate and details about why the PPS
number is required to the DEASP's Client Identity Services - the address is below.
Rules
To get a PPS number, you will need to fill out an application form in the PPS number centre,
provide evidence of your identity and evidence of why you need a PPS number allocated. You
must also provide proof of your address.
http://oireachtasdebates.oireachtas.ie/Debates%20Authoring/WebAttach
ments.nsf/($vLookupByConstructedKey)/dail~20141209/$File/Daily%20B
ook%20Unrevised.pdf?openelement
Unemployment Data
Unemployment Data
http://oireachtasdebates.oireachtas.ie/
Debates%20Authoring/WebAttachmen
ts.nsf/($vLookupByConstructedKey)/d
ail~20141209/$File/Daily%20Book%20
Writtens%20Unrevised.pdf?openelem
ent
Their argument for suppressing the DPCs concerns?
Commissioner feared
potential for form of
national ID card
Department believed release of Dixons email would
misinform about public services card
Tue, Sep 5, 2017, 21:00
Elaine Edwards
1
Shane Phelan
September 5 2017
Currently, the law only allows for the card to be used in dealings with around 120 "specified bodies"
and it is an offence for a private entity to request that someone produce it. Garda are prohibited from
asking people to show the card as proof of identification.
But the new legislation would allow cardholders get their date of birth printed on their PSC and use it
as a substitute to the Garda Age Card.
Cardholders would also be given the discretion to voluntarily produce their PSC to private entities to
verify their name and age.
In a statement to the Irish Independent, the department said: "Customer opinion is that they should be
allowed to volunteer the card to non-specified bodies if it suits them to do so, for the purpose of ID and
age verification. Many customers often report that private companies insist on a passport or driver's
licence, which they might not have and which are costly, whereas the PSC is free."
However, the department said that while it would no longer be an offence for
a private entity to accept the card, it would remain an offence for one to
require someone to produce the PSC. Taoiseach Leo Varadkar has insisted the
PSC would not morph into a national ID card.
http://www.independent.ie/irish-news/politics/dohertys-officials-cant-back-
up-their-claim-that-the-public-want-to-use-pscs-as-id-cards-36100783.html
While authorities may push ahead with plans which ignore concerns about
privacy and data protection, the law will eventually catch up with them, usually
at significant cost to the taxpayer.
The growth of the public services card as a de facto
national ID card has attracted a lot of media attention
recently, with special credit due to Elaine Edwards of
this newspaper for her persistence in excavating the facts
on which most of the later reporting has been based.
The issue continues to rumble on, and the Data
Protection Commissioner has asked the Department of
Social Protection to explain the legal basis for the claim
that the card is mandatory. One month later, despite
repeated promises, the department has not yet done so.
More could be written about the public services card,
and the varying and sometimes contradictory claims put
forward to support it. But if we focus on the card we risk
missing the wider picture, which is that the card is not
an aberration but exemplifies a systematic disregard for
privacy and data protection throughout the State.
Consider the Department of Health. In a remarkable
statement to the Dil earlier this month, Minister for
Health Simon Harris admitted that Ireland remains in
breach of both European Union and national data
protection legislation by keeping a database of blood
samples from newborn children without the consent of
their parents. Following a complaint in 2009, the Data
Protection Commissioner ordered that these samples be
destroyed. However, the Department of Health has
failed to comply and is instead proceeding with plans to
retain the database and to open it up for research and
possible other uses.
Ignore with impunity
This defiance of the law raises significant questions for
the independence of the Data Protection Commissioner,
who has taken no enforcement action against this
challenge to her statutory authority. The message to the
State is that it can ignore data protection law with
impunity.
Since 2014, the Department of Health has also been
involved in developing health identification numbers
and electronic health records schemes, which present
significant issues of privacy and confidentiality. For
example, by requiring the use of health identification
numbers these schemes tie together potentially leak-
sensitive information about an individuals medical
history, despite an earlier promise that use of these
numbers would be voluntary. It is hard to trust
assurances from the department on this issue given that
it is already, by its own admission, in deliberate breach
of data protection law.
In 2014, An Garda Sochna started using body-worn
cameras in an ad hoc way, without any legislation or
formal safeguards. The Garda five-year modernisation
plan says that the Garda will start taking video feeds
from the National Roads Authority, local authorities and
private car park operators to run automatic number
plate recognition systems creating a national database
of peoples travel to be stored for an unspecified period.
That plan also says that, from 2017, the Garda will start
using face-in-the-crowd and shape-in-the-crowd
biometrics to identify people on CCTV systems. Again,
all of this is to take place without any legal basis, in a
manner that appears to be contrary to data protection
law. It seems the Garda has not learned any institutional
lessons from the 2014 scandal around the recording of
calls to and from Garda stations, nor from the ongoing
concerns about abuse of the Pulse system.
Fundamental rights
The common pattern in these cases is that fundamental
rights are viewed as inconvenient obstacles. This is a
paternalistic view, in which the institution knows best
and public concern can be disregarded. However, this
approach merely stores up problems for the future.
There are lessons for Ireland from the UK, where many
of these issues have already been played out.
In 2002, the UK government launched a National Health
Service-wide electronic health records system which
failed to adequately address patient confidentiality. This
was eventually scrapped in 2011, in large part due to
concerns about privacy, and replaced with systems
which guarantee that patients can opt out of data
sharing. The ultimate cost was in the region of 10
billion.
The public services card has a parallel in the UK, where
ID cards and a National Identity Register were
introduced by legislation in 2006, only to be abandoned
and the data destroyed in 2011 following extensive public
opposition. Similar to the public services card, the UK ID
card had no clear rationale and was ultimately rejected
by the Tory/Lib Dem coalition government as wasteful,
bureaucratic and intrusive, at an eventual cost of about
5 billion.
The increasing Garda use of CCTV, facial recognition
and number-plate recognition also echoes the UK, where
both the information commissioner and the independent
surveillance camera commissioner have described
similar practices by UK police forces as intrusive,
disproportionate and illegal.
Significant cost
The message from these UK examples is clear. While
state authorities may push ahead with plans which
ignore concerns about privacy and data protection, the
law will eventually catch up with them, usually at
significant cost to the taxpayer. Fundamental rights are
factors which must be taken into account at the outset,
not reluctantly considered when a scheme is already
being implemented.
As the Data Protection Commissioner put it in her most
recent annual report: Public-sector bodies and
Government departments are in many cases slow to
adjust to the reality that data-protection rights cannot
simply be legislated away without sufficient necessity
and proportionality analysis and prejudice tests being
applied.
The failure of the State to accept these points has already
squandered public trust in areas such as the public
services card, and seems likely to do so in other areas
such as electronic health records.
Dr TJ McIntyre is a lecturer in the UCD
Sutherland School of Law, a solicitor with FP
Logue Solicitors and the chair of Digital Rights
Ireland
https://www.irishtimes.com/business/t
echnology/ireland-must-learn-from-uk-
data-protection-and-id-disasters-
1.3236139
Blistering writing by @klillington. Mr Justice Murray left no doubt that the existing law stank
Former chief justice John Murray: produced a damning report which draws
pretty much the same conclusions about Irish law that the ECJ did about the
EU directive. Photograph: Frank Miller
AddThis Sharing Buttons
Share to Pinterest
Share to Reddit
Share to Google+
AddThis Sharing Buttons
Share to Facebook
Share to Twitter
Share to LinkedIn
https://www.irishtimes.com/business/t
echnology/steps-finally-being-taken-
to-change-shameful-data-retention-
law-1.3252329#.Wd8ZVueGnk0.twitter
As DRI chairman TJ McIntyre pointed out here last week
Mr Justice Murray chose to interpret the review request broadly and
included a review of the data retention legislation.
In almost every regard the Irish system fails to meet standards articulated in a
number of recent judgments by the European Court of Human Rights and the
European Court of Justice. Photograph: iStock
Its not every day that a Minister for Justice issues a
report describing their department as operating a
universal, indiscriminate and illegal system of mass
surveillance. Yet that is precisely what happened last
Tuesday with the publication of a damning report by
retired chief justice John Murray, which found that Irish
surveillance practices fail to comply with European law.
The background dates from January 2016, when it
emerged that Gsoc had been accessing journalists phone
records (without a clear legal basis) in order to identify
their sources within An Garda Sochna. In response,
then Minister for Justice Frances Fitzgerald appointed
the former chief justice to examine the legal framework
around State access to journalists communications data
- a remit he interpreted widely to include the underlying
data retention law.
That law the Communications (Retention of Data) Act
2011 forces telephone companies and ISPs to log
details of everyones communications and movements
and to store that information for up to two years. In
Murrays words it constitutes a form of mass
surveillance of virtually the entire population of the
State, involving the retention and storage of historic
data, other than actual content, pertaining to every
electronic communication, in any form, made by anyone
and everyone at any time In essence this means the
retention of all communication data not going explicitly
to content: in other words, data pertaining to such
matters such as the date, time and location of a
telephone call.
Vast store of personal info
The impact on the privacy of individuals is clear. As the
report puts it, a vast amount of private information
pertaining to the personal communications of virtually
everyone in the State is now retained without the
consent of those affected Although routinely referred
to in anodyne terms as data or retained data, this vast
store of private information touches every aspect of an
individuals private and professional communications
profile over a lengthy period.
By providing for universal rather than
targeted surveillance the system falls at
the first hurdle
Despite the intrusiveness of this system, Murray found
that in almost every regard it fails to meet standards
articulated in a number of recent judgments by the
European Court of Human Rights and the European
Court of Justice.
Steps finally being taken to change shameful data
retention law
Restricting seizure of computer evidence could have huge
consequences
Google offered to provide cyber training for Irish judges
Some of the main problems can be summarised. By
providing for universal rather than targeted surveillance
the system falls at the first hurdle: the report noted that
European case law effectively sweeps the ground from
under wholly indiscriminate mass surveillance schemes
of the kind established by the 2011 Act.
In the same way, the report found that Irish law fails to
meet European standards by allowing for
communications data to be accessed based purely on
internal procedures within An Garda Sochna, without
any court approval and without any protections for
journalists sources. Even the basic matter of keeping
this sensitive data secure was flunked: according to the
report the approach to data security [under the 2011
Act] can, at best, be described as nonchalant.
Indeed, in a remarkable postscript, Murray said that
because many of the features of the [2011 Act] are
precluded by EU law, State agencies should consider
whether they should continue to access data pending
the final resolution of issues pertaining to the status of
the Act and/or any amending legislation conforming
with EU law and obligations under the ECHR.
Translated from the polite language of the judiciary, this
is a strong warning that Irish law is so deficient that it is
dangerous to rely on it any further.
Scandalous lag
The report was delivered to the Department of Justice in
April this year and its tone and implications clearly
spurred urgent action in the following months.
Alongside the report, the Minister has published a
general scheme of a Bill to replace the 2011 Act, which
addresses most (though not all) of the criticisms made
by the former chief justice.
While the Minister must be commended for producing a
draft Bill that genuinely engages with privacy issues, it is
scandalous that it has taken this long to do so. The
department has sought to spin its actions as a response
to recent evolving case law coming from Europe. It is
true that the European courts have become stronger on
privacy issues in recent years, particularly after the
Snowden revelations, but the reality is that the
fundamental rights problems with data retention
schemes have been clear for over a decade.
Irish journalists and citizens have been
exposed to illegal surveillance, and
prosecutions brought on the basis of
illegally obtained evidence
In 2005 the civil rights group Digital Rights Ireland
started High Court proceedings challenging Irish and
European data retention laws; in 2010 the High Court
agreed that the case raised important constitutional
issues; in 2014 Digital Rights Ireland succeeded in part
of that case before the European Court of Justice; and
the case has since returned to the High Court for a full
hearing. Each of these developments should have
prompted reform; instead, successive ministers
including Dermot Ahern, Alan Shatter and Frances
Fitzgerald adopted the ostrich position.
The result of this delay is that Irish journalists and
citizens have been exposed to illegal surveillance, and
prosecutions brought on the basis of illegally obtained
evidence. Unfortunately it is possible that claims for
damages may be brought against the State and
convictions may be overturned as a result. If so, the
blame for this will lie squarely with the Department of
Justice and successive ministers.
Dr TJ McIntyre is a lecturer in the UCD Sutherland
School of Law, solicitor with FP Logue Solicitors and
chair of Digital Rights Ireland
https://www.irishtimes.com/opinion/st
ate-s-approach-to-data-privacy-is-a-
national-scandal-1.3246055
Download
How Companies Use Personal Data Against People.
Automated Disadvantage, Personalized Persuasion, and
the Societal Ramifications of the Commercial Use of
Personal Information.
Working paper by Cracked Labs, October 2017. Author:
Wolfie Christl. Contributors: Katharina Kopp, Patrick
Urs Riechert.
Download as PDF
Abstract
Today, companies aggregate, trade, and utilize personal
information at unprecedented levels. Their unilateral and
extensive access to data about the characteristics,
behaviors, and lives of billions allows them to constantly
monitor, follow, judge, sort, rate, and rank people as they
see fit. Our previous report documented the massive
scale and scope of todays networks of digital tracking
and profiling. It investigated relevant industries, business
models, platforms, services, devices, technologies, and
data flows, focusing on their implications for people
whether as individuals, consumers, or citizens and
society at large.
This working paper examines how the corporate use of
personal information can affect individuals, groups of
people, and society at large, particularly in the context of
automated decisions, personalization and data-driven
persuasion. After briefly reviewing our previous
researchs findings and key developments in recent
years, this paper explores their potential to be used
against people in detail.
Systems that make decisions about people based on
their data produce substantial adverse effects that can
massively limit their choices, opportunities, and life-
chances. These systems are largely opaque,
nontransparent, arbitrary, biased, unfair, and
unaccountable even in areas such as credit rating that
have long been regulated in some way. Through data-
driven personalization, companies and other institutions
can easily utilize information asymmetries in order to
exploit personal weaknesses with calculated efficiency.
Personalized persuasion strategies provide the means to
effectively influence behavior at scale. As companies
increasingly and unilaterally shape the networked
environments and experiences that underlie and
determine everyday life, manipulative, misleading,
deceptive, or even coercive strategies can be automated
and customized down to the individual level.
Based on the examination of business practices and their
implications we conclude that, in their current state,
todays commercial networks of digital tracking and
profiling show a massive potential to limit personal
agency, autonomy, and human dignity. This not only
deeply affects individuals, but also society at large. By
improving the ability to exclude or precisely target
already disadvantaged groups, current corporate practices
utilizing personal information tend toward
disproportionally affecting these groups and therefore
increase social and economic inequality. Especially
when combined with influencing strategies derived from
neuroeconomics and behavioral economics, data-driven
persuasion undermines the concept of rational choice and
thus the basic foundation of market economy. When
used in political campaigns or in other efforts to shape
public policy, it may undermine democracy at large.
While this working paper does not directly offer
solutions, it examines, documents, structures, and
contextualizes todays commercial personal data
industries and their implications; further research will
build on this basis. Hopefully, it will also encourage and
contribute to further work by others.
The production of this report was supported by the
Open Society Foundations.
http://crackedlabs.org/en/data-against-
people
CORPORATE SURVEILLANCE IN
EVERYDAY LIFE How Companies
Collect, Combine, Analyze, Trade, and
Use Personal Data on Billions
http://crackedlabs.org/dl/CrackedLabs
_Christl_CorporateSurveillance.pdf
HOW COMPANIES USE PERSONAL
DATA AGAINST PEOPLE Automated
Disadvantage, Personalized Persuasion,
and the Societal Ramifications of the
Commercial Use of Personal Information
http://crackedlabs.org/dl/CrackedLabs
_Christl_DataAgainstPeople.pdf
Networks of Control A Report on
Corporate Surveillance, Digital Tracking,
Big Data & Privacy
http://crackedlabs.org/dl/Christl_Spiek
ermann_Networks_Of_Control.pdf
https://edri.org/dear-meps-we-need-you-to-protect-
our-privacy-online/
Boris Johnson's 350m lie exposed by the UK Statistics Authority
https://twitter.com/MariaMichalis
EU court to probe new Facebook data challenge Data privacy invalid bY EU and
US and UK
http://www.europe-v-facebook.org/sh2/HCJ.pdf
EU Internet Referral Unit (EU IRU) was set up in mid-2015 within the EU's
Hague-based police agency, Europol, to help inform the internet firms of
illegal content
https://www.europol.europa.eu/publications-documents/eu-internet-referral-
unit-year-one-report-highlights
The Irish High Court is referring the case to the European Court of Justice
because the data ... mass surveillance as ... Irish data commissioner ... Irish High
Court- Judgement on Facebook and US surveillance delivered on 3rd October
2017
http://europe-v-facebook.org/PA_Oct3.pdf
Irish High Court rules on Facebook surveillance case- Irish DPC has well
founded concerns over US surveillance of Facebook EU-US data transfer
complaint referred to European Court of Justice for a second time
http://www.europe-v-facebook.org/sh2/PA.pdf
Irish High Court hears DPC lawsuit against Facebook & Schrems February 7th
2017 the Irish High Court will hear a case brought by the Irish Data Protection
Commissioner (DPC) against Facebook Ireland Ltd and Mr Schrems over EU-US
data
http://www.europe-v-facebook.org/MU_HC.pdf
Privacy: Facebook to face the European Court of Justice (CJEU) Austrian Supreme Court
refers class action to Luxembourg
http://www.europe-v-facebook.org/sk/PA_OGH_en.pdf
US Government seeks to join European US mass surveillance case In an unusual
move the United States government has asked the Irish High Court today,
http://www.europe-v-facebook.org/PR_MC-US.pdf
Irish Data Protection Commissioner to bring EU-US data flows before CJEU again
Update:
http://www.europe-v-facebook.org/PA_MCs.pdf
The Irish High Court has decided that the Irish Data Protection Commissioner
has to investigate "Facebook Ireland Ltd" over alleged cooperation of "Facebook
Inc" with US spy agencies, such as under the NSA's "PRISM"
http://www.europe-v-facebook.org/MU_HC.pdf
letter of Complaint against Facebook Ireland Ltd 23 PRISM
http://www.europe-v-facebook.org/prism/facebook.pdf
http://www.europe-v-facebook.org/GA_en.pdf
Savage v. Data Protection Commissioner & Google Ireland
https://www.dataprotection.ie/documents/judgements/Savage_v_DPC_&_Googl
e_Ireland_Circuit_Court_judgment_11.10.16.pdf
Shatter v. Data Protection Commissioner - 21 January 2015
https://www.dataprotection.ie/documents/judgements/Shatter_v_DPC_Circuit_
Court_21.1.15.pdf
http://ec.europa.eu/justice/data-protection/article-
29/documentation/opinion-recommendation/files/2016/wp235_en.pdf
Safe_Harbours_Decision_CJEU_6.10.15 Court of Justice of the European Union
Schrems v. Data Protection Commissioner - 6 October 2015
https://www.dataprotection.ie/documents/judgements/Safe_Harbours_Decisio
n_CJEU_6.10.15.pdf
Austrian privacy activist Max Schrems has performed an important service to Irish and European
consumers that deserves acknowledgment. Yesterdays ruling in his favour in the European Court of
Justice (ECJ), on a clarification sought by the Irish High Court, in effect reprimands both Irelands
Data Protection Commissioner (DPC) and the European Commission for failing adequately to oversee
and protect European standards of data protection against the attentions of US intelligence agencies.
http://www.irishtimes.com/opinion/editorial/european-court-of-justice-
strikes-a-blow-for-the-little-guys-1.2381311?mode=sample&auth-failed=1&pw-
origin=https%3A%2F%2Fwww.irishtimes.com%2Fopinion%2Feditorial%2Feur
opean-court-of-justice-strikes-a-blow-for-the-little-guys-1.2381311
European Court of Justice Strikes EU-US Agreement on PNR Data BY FRANCESCA
BIGNAMI
European Parliament
and
(European Parliament and Council Directive 95/46, Art. 3(2); Commission Decision
2004/535)
(Art. 95 EC; European Parliament and Council Directive 95/46, Arts 3(2) and 25;
Council Decision 2004/496)
The fact that the personal data are collected by private operators for commercial
purposes and it is they who arrange for their transfer to a third country does not alter
such a conclusion, inasmuch as their transfer falls within a framework established by
the public authorities that relates to public security, and is not necessary for the
supply of services by those operators.
The agreement relates to data processing operations which, since they concern
public security and the activities of the State in areas of criminal law, are excluded
from the scope of Directive 95/46 by virtue of the first indent of Article 3(2) of that
directive.
ACTIONS for annulment under Article 230 EC, brought on 27 July 2004,
applicant,
supported by
intervener,
v
Council of the European Union, represented by M.C. Giorgi Fort and
M. Bishop, acting as Agents,
supported by
interveners,
and v
supported by
intervener,
having regard to the written procedure and further to the hearing on 18 October
2005,
Judgment
1 By its application in Case C-317/04, the European Parliament seeks the
annulment of Council Decision 2004/496/EC of 17 May 2004 on the conclusion
of an Agreement between the European Community and the United States of
America on the processing and transfer of PNR data by Air Carriers to the
United States Department of Homeland Security, Bureau of Customs and
Border Protection (OJ 2004 L 183, p. 83, and corrigendum at OJ 2005 L 255, p.
168).
Legal context
3 Article 8 of the European Convention for the Protection of Human Rights and
Fundamental Freedoms, signed in Rome on 4 November 1950 (the ECHR),
provides:
1. Everyone has the right to respect for his private and family life, his home
and his correspondence.
The Council shall, acting in accordance with the procedure referred to in Article
251 and after consulting the Economic and Social Committee, adopt the
measures for the approximation of the provisions laid down by law, regulation
or administrative action in Member States which have as their object the
establishment and functioning of the internal market.
6 The 11th recital in the preamble to the Directive states that the principles of
the protection of the rights and freedoms of individuals, notably the right to
privacy, which are contained in this Directive, give substance to and amplify
those contained in the Council of Europe Convention of 28 January 1981 for
the Protection of Individuals with regard to Automatic Processing of Personal
Data.
... the transfer of personal data to a third country which does not ensure an
adequate level of protection must be prohibited.
Scope
11 Article 6(1) of the Directive states:
(b) collected for specified, explicit and legitimate purposes and not further
processed in a way incompatible with those purposes. Further processing
of data for historical, statistical or scientific purposes shall not be
considered as incompatible provided that Member States provide
appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for
which they are collected and/or further processed;
(e) kept in a form which permits identification of data subjects for no longer
than is necessary for the purposes for which the data were collected or
for which they are further processed. ...
Member States shall provide that personal data may be processed only if:
(e) processing is necessary for the performance of a task carried out in the
public interest or in the exercise of official authority vested in the
controller or in a third party to whom the data are disclosed; or
Member States shall guarantee every data subject the right to obtain from the
controller:
(a) without constraint at reasonable intervals and without excessive delay or
expense:
(c) notification to third parties to whom the data have been disclosed of any
rectification, erasure or blocking carried out in compliance with (b), unless
this proves impossible or involves a disproportionate effort.
Member States may adopt legislative measures to restrict the scope of the
obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when
such a restriction constitutes a necessary [measure] to safeguard:
(b) defence;
(g) the protection of the data subject or of the rights and freedoms of others.
Remedies
1. The Member States shall provide that the transfer to a third country of
personal data which are undergoing processing or are intended for processing
after transfer may take place only if, without prejudice to compliance with the
national provisions adopted pursuant to the other provisions of this Directive,
the third country in question ensures an adequate level of protection.
3. The Member States and the Commission shall inform each other of cases
where they consider that a third country does not ensure an adequate level of
protection within the meaning of paragraph 2.
4. Where the Commission finds, under the procedure provided for in Article
31(2), that a third country does not ensure an adequate level of protection
within the meaning of paragraph 2 of this Article, Member States shall take the
measures necessary to prevent any transfer of data of the same type to the
third country in question.
5. At the appropriate time, the Commission shall enter into negotiations with
a view to remedying the situation resulting from the finding made pursuant to
paragraph 4.
Member States shall take the measures necessary to comply with the
Commissions decision.
(b) the transfer is necessary for the performance of a contract between the
data subject and the controller or the implementation of precontractual
measures taken in response to the data subjects request; or
(e) the transfer is necessary in order to protect the vital interests of the data
subject; or
20 It was on the basis of the Directive, in particular Article 25(6) thereof, that the
Commission of the European Communities adopted the decision on adequacy.
22 The 15th recital in the preamble to the decision states that PNR data will be
used strictly for purposes of preventing and combating terrorism and related
crimes, other serious crimes, including organised crime, that are transnational
in nature, and flight from warrants or custody for those crimes.
Article 1
For the purposes of Article 25(2) of Directive 95/46/EC, the United States
Bureau of Customs and Border Protection (hereinafter referred to as CBP) is
considered to ensure an adequate level of protection for PNR data transferred
from the Community concerning flights to or from the United States, in
accordance with the Undertakings set out in the Annex.
Article 2
Article 3
(a) where a competent United States authority has determined that CBP is
in breach of the applicable standards of protection; or
Article 4
2. The Member States and the Commission shall inform each other of any
changes in the standards of protection and of cases where the action of bodies
responsible for ensuring compliance with the standards of protection by CBP
as set out in the Annex fails to secure such compliance.
1. By legal statute (title 49, United States Code, section 44909(c)(3)) and its
implementing (interim) regulations (title 19, Code of Federal Regulations,
section 122.49b), each air carrier operating passenger flights in foreign
air transportation to or from the United States must provide CBP
(formerly, the US Customs Service) with electronic access to PNR data to
the extent it is collected and contained in the air carriers automated
reservation/departure control systems (reservation systems).
3. PNR data are used by CBP strictly for purposes of preventing and
combating: 1. terrorism and related crimes; 2. other serious crimes,
including organised crime, that are transnational in nature; and 3. flight
from warrants or custody for the crimes described above. Use of PNR
data for these purposes permits CBP to focus its resources on high-risk
concerns, thereby facilitating and safeguarding bona fide travel.
27. CBP will take the position in connection with any administrative or
judicial proceeding arising out of a FOIA [Freedom of Information Act]
request for PNR information accessed from air carriers, that such records
are exempt from disclosure under the FOIA.
29. CBP, in its discretion, will only provide PNR data to other government
authorities, including foreign government authorities, with counter-
terrorism or law-enforcement functions, on a case-by-case basis, for
purposes of preventing and combating offences identified in paragraph 3
herein. (Authorities with whom CBP may share such data shall
hereinafter be referred to as the Designated Authorities).
30. CBP will judiciously exercise its discretion to transfer PNR data for the
stated purposes. CBP will first determine if the reason for disclosing the
PNR data to another Designated Authority fits within the stated purpose
(see paragraph 29 herein). If so, CBP will determine whether that
Designated Authority is responsible for preventing, investigating or
prosecuting the violations of, or enforcing or implementing, a statute or
regulation related to that purpose, where CBP is aware of an indication of
a violation or potential violation of law. The merits of disclosure will need
to be reviewed in light of all the circumstances presented.
46. These Undertakings shall apply for a term of three years and six months
(3.5 years), beginning on the date upon which an agreement enters into
force between the United States and the European Community,
authorising the processing of PNR data by air carriers for purposes of
transferring such data to CBP, in accordance with the Directive.
47. These Undertakings do not create or confer any right or benefit on any
person or party, private or public.
(2) The European Parliament has not given an Opinion within the time-limit
which, pursuant to the first subparagraph of Article 300(3) of the Treaty,
the Council laid down in view of the urgent need to remedy the situation
of uncertainty in which airlines and passengers found themselves, as well
as to protect the financial interests of those concerned.
Having regard to the Undertakings of CBP issued on 11 May 2004, which will
be published in the Federal Register (hereinafter the Undertakings),
(1) CBP may electronically access the PNR data from air carriers
reservation/departure control systems (reservation systems) located
within the territory of the Member States of the European Community
strictly in accordance with the Decision and for so long as the Decision is
applicable and only until there is a satisfactory system in place allowing
for transmission of such data by the air carriers.
(3) CBP takes note of the Decision and states that it is implementing the
Undertakings annexed thereto.
(4) CBP shall process PNR data received and treat data subjects
concerned by such processing in accordance with applicable US laws
and constitutional requirements, without unlawful discrimination, in
particular on the basis of nationality and country of residence.
(7) This Agreement shall enter into force upon signature. Either Party may
terminate this Agreement at any time by notification through diplomatic
channels. The termination shall take effect ninety (90) days from the date
of notification of termination to the other Party. This Agreement may be
amended at any time by mutual written agreement.
32 According to Council information concerning the date of its entry into force (OJ
2004 C 158, p. 1), the Agreement, signed in Washington on 28 May 2004 by a
representative of the Presidency-in-Office of the Council and the Secretary of
the United States Department of Homeland Security, entered into force on the
date of its signature, as provided by paragraph 7 of the Agreement.
Background
34 The Commission entered into negotiations with the United States authorities,
which gave rise to a document containing undertakings on the part of CBP,
with a view to the adoption by the Commission of a decision on adequacy
pursuant to Article 25(6) of the Directive.
36 On 1 March 2004 the Commission placed before the Parliament the draft
decision on adequacy under Article 25(6) of the Directive, together with the
draft undertakings of CBP.
40 The Parliament also decided, on the same day, to refer to committee the
report on the proposal for a Council decision, thus implicitly rejecting, at that
stage, the Councils request of 25 March 2004 for urgent consideration of the
proposal.
41 On 28 April 2004 the Council, acting on the basis of the first subparagraph of
Article 300(3) EC, sent a letter to the Parliament asking it to deliver its opinion
on the proposal for a decision relating to the conclusion of the Agreement by 5
May 2004. To justify the urgency of that request, the Council restated the
reasons set out in its letter of 25 March 2004.
42 After taking note of the continuing lack of all the language versions of the
proposal for a Council decision, on 4 May 2004 the Parliament rejected the
Councils request to it of 28 April for urgent consideration of that proposal.
45 By letter of 9 July 2004, the Parliament informed the Court of the withdrawal of
its request for an Opinion, which had been registered under No 1/04.
46 In Case C-317/04, the Commission and the United Kingdom of Great Britain
and Northern Ireland were granted leave to intervene in support of the form of
order sought by the Council, by orders of the President of the Court of 18
November 2004 and 18 January 2005.
The first limb of the first plea: breach of the first indent of Article 3(2) of the
Directive
51 The Parliament contends that adoption of the Commission decision was ultra
vires because the provisions laid down in the Directive were not complied with;
in particular, the first indent of Article 3(2) of the Directive, relating to the
exclusion of activities which fall outside the scope of Community law, was
infringed.
53 The Commission, supported by the United Kingdom, considers that the air
carriers activities clearly fall within the scope of Community law. It submits that
those private operators process the PNR data within the Community and
arrange for their transfer to a third country. Activities of private parties are
therefore involved, and not activities of the Member State in which the carriers
concerned operate, or of its public authorities, as defined by the Court in
paragraph 43 of Lindqvist. The aim pursued by the air carriers in processing
PNR data is simply to comply with the requirements of Community law,
including the obligation laid down in paragraph 2 of the Agreement. Article 3(2)
of the Directive refers to activities of public authorities which fall outside the
scope of Community law.
54 The first indent of Article 3(2) of the Directive excludes from the Directives
scope the processing of personal data in the course of an activity which falls
outside the scope of Community law, such as activities provided for by Titles V
and VI of the Treaty on European Union, and in any case processing
operations concerning public security, defence, State security and the activities
of the State in areas of criminal law.
57 While the view may rightly be taken that PNR data are initially collected by
airlines in the course of an activity which falls within the scope of Community
law, namely sale of an aeroplane ticket which provides entitlement to a supply
of services, the data processing which is taken into account in the decision on
adequacy is, however, quite different in nature. As pointed out in paragraph 55
of the present judgment, that decision concerns not data processing necessary
for a supply of services, but data processing regarded as necessary for
safeguarding public security and for law-enforcement purposes.
58 The Court held in paragraph 43 of Lindqvist, which was relied upon by the
Commission in its defence, that the activities mentioned by way of example in
the first indent of Article 3(2) of the Directive are, in any event, activities of the
State or of State authorities and unrelated to the fields of activity of individuals.
However, this does not mean that, because the PNR data have been collected
by private operators for commercial purposes and it is they who arrange for
their transfer to a third country, the transfer in question is not covered by that
provision. The transfer falls within a framework established by the public
authorities that relates to public security.
60 Accordingly, the first limb of the first plea, alleging that the first indent of Article
3(2) of the Directive was infringed, is well founded.
62 The Parliament advances six pleas for annulment, concerning the incorrect
choice of Article 95 EC as legal basis for Decision 2004/496 and breach of,
respectively, the second subparagraph of Article 300(3) EC, Article 8 of the
ECHR, the principle of proportionality, the requirement to state reasons and the
principle of cooperation in good faith.
The first plea: incorrect choice of Article 95 EC as legal basis for Decision
2004/496
64 The Council contends that the Directive, validly adopted on the basis of Article
100a of the Treaty, contains in Article 25 provisions enabling personal data to
be transferred to a third country which ensures an adequate level of protection,
including the possibility of entering, if need be, into negotiations leading to the
conclusion by the Community of an agreement with that country. The
Agreement concerns the free movement of PNR data between the Community
and the United States under conditions which respect the fundamental
freedoms and rights of individuals, in particular privacy. It is intended to
eliminate any distortion of competition, between the Member States airlines
and between the latter and the airlines of third countries, which may result from
the requirements imposed by the United States, for reasons relating to the
protection of individual rights and freedoms. The conditions of competition
between Member States airlines operating international passenger flights to
and from the United States could have been distorted because only some of
them granted the United States authorities access to their databases. The
Agreement is designed to impose harmonised obligations on all the airlines
concerned.
65 The Commission observes that there is a conflict of laws, within the meaning
of public international law, between the United States legislation and the
Community rules and that it is necessary to reconcile them. It complains that
the Parliament, which disputes that Article 95 EC can constitute the legal basis
for Decision 2004/496, has not suggested an appropriate legal basis.
According to the Commission, that article is the natural legal basis for the
decision because the Agreement concerns the external dimension of the
protection of personal data when transferred within the Community. Articles 25
and 26 of the Directive justify exclusive Community external competence.
66 In addition, the Commission submits that the initial processing of the data by
the airlines is carried out for commercial purposes. The use which the United
States authorities make of the data does not remove them from the effect of the
Directive.
67 Article 95 EC, read in conjunction with Article 25 of the Directive, cannot justify
Community competence to conclude the Agreement.
73 Given, first, the fact that the Community cannot rely on its own law as
justification for not fulfilling the Agreement which remains applicable during the
period of 90 days from termination thereof and, second, the close link that
exists between the Agreement and the decision on adequacy, it appears
justified, for reasons of legal certainty and in order to protect the persons
concerned, to preserve the effect of the decision on adequacy during that same
period. In addition, account should be taken of the period needed for the
adoption of the measures necessary to comply with this judgment.
Costs
3. Orders the Council of the European Union to pay the costs in Case
C-317/04;
http://eur-lex.europa.eu/legal-
content/EN/TXT/HTML/?isOldUri=true&uri=CELEX:62004CJ0317
Proposal for a Regulation (EURATOM, EC) of the European Parliament and of the
Council on the transmission of data subject to statistical confidentiality to the
Statistical Office of the European Communities
http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:52006PC0477&from=EN
Headquarters agreement between the EFTA Court and the Grand
Duchy of Luxembourg
http://www.eftacourt.int/fileadmin/user_upload/Files/Headquarters_Agreeme
nt/Headquarters_Agreement_English.pdf
http://www.europe-v-facebook.org/sk/PA_EuGH_en.pdf
Lawsuit filed
http://www.europe-v-facebook.org/sk/sk_en.pdf
On 27 June 2012, EMI Records (Ireland) Ltd, Sony Music Entertainment Ireland Ltd,
Universal Music Ireland Ltd and Warner Music Ireland Ltd secured a court order in
the Commercial Court quashing a notice issued by the Data Protection
Commissioner (the "Commissioner") directing eircom to cease using the "three
strikes" system which is aimed at preventing the illegal downloading of music.
Under that agreement, eircom subscribers would lose their internet access for a
week after three copyright infringements and lose access completely after four
infringements. The music companies challenged the Commissioner's enforcement
notice of 5 December 2011, which sought to ban the three strike policy on privacy
and data protection grounds following a complaint by a subscriber who had been
wrongly notified of a copyright infringement on his account due to an error by eircom.
The Enforcement Notice stated, amongst other grounds, that eircom was breaching
data protection law by (i) surveilling traffic data and not erasing it when it was no
longer needed, and (ii) processing personal data in a manner incompatible with
which it was obtained and without the proper and informed consent of
subscribers. Eircom was given a 60 day period to cease all processing relevant to
the GRS and destroy any such personal data.
Michael McDowell SC, appearing for the companies, argued that, in issuing the
notice, the Commissioner had acted in excess of his powers, irrationally,
disproportionately and in a manner prejudicial to the companies' interests. The
companies claimed the notice would effectively unwind their agreement with eircom
and argued it was an unlawful attempt to reopen data protection issues already
determined by the courts in their favour. Mr McDowell SC added that the
Commissioner had failed to give reasons for his decision to issue a notice.
Decision
The Court found that the notice was invalid due to the failure by the Commissioner to
give reasons as to why it had been issued. The reasons which appeared to support
the notice, to the extent they could be ascertained, also "involved a misconstruction
of the relevant law", according to the Court. The case, therefore, turned on the
Commissioner's failure to give reasons and so the Court did not analyse in any great
detail the data protection issues surrounding the three strikes policy.
The judgment means that eircom can now continue its three strikes policy and
suspend or disconnect internet access to users who illegally download music.
Appeal
The content of this article is intended to provide a general guide to the subject
matter. Specialist advice should be sought about your specific circumstances.
Kevin was named the 2017 Outsourcing Lawyer of the Year in Corporate LiveWire's Global
Awards, a publisher of legal guides, and received the elite "leading lawyer" designation for
outsourcing in 2016 and 2017 from Legal 500. His practice is concentrated in customer-
side transactions and includes business process and information technology outsourcing.
His recent experience includes the outsourcing of HR, information technology, revenue
cycle, finance and accounting, and benefit plan administration services.
Kevin's cybersecurity and data privacy practice includes developing compliance programs,
cross-border data transfers, and responding to breaches, with extensive experience
counseling clients on compliance with HIPAA and the HITECH Act. He is a member of the
International Association of Privacy Professionals (IAPP).
Kevin has served as vice chair of the Health Information Technology Practice Group for
the AHLA and on the advisory boards for the Healthcare Outsourcing Congress and the
Privacy2000 conference series.
Kevin has served on the boards of directors for the National Healthcare, Research and
Education Finance Corporation and the Contemporary American Theatre Company.
Anand's cases include matters involving the Foreign Corrupt Practices Act, False Claims
Act, antitrust claims, class action defense, contract disputes, securities claims, and white
collar criminal defense. His practice extends to privacy and data security matters as well.
In addition to handling data breach responses for clients, Anand represents companies
facing privacy and security-related litigation and government regulatory inquiries and
conducts enterprise-wide privacy and information security assessments.
Anand maintains an active pro bono practice. He represents children facing immigration
proceedings in state and federal courts and volunteers at legal clinics sponsored by the
Dallas Volunteer Attorney Program.
Anand also serves as coach of SMU's undergraduate Mock Trial Team. He is the editor-in-
chief of Jones Day's Global Privacy & Cybersecurity Update.
Margaret Lyle defends class actions and represents businesses in complex litigation and
appeals, including intellectual property, data privacy, contract, and internet-marketing
claims.
She has successfully defended consumer and mass tort class actions claiming fraud,
unjust enrichment, conspiracy, products liability, medical monitoring, and toxic exposure,
as well as those brought under the Fair Credit Reporting Act, the Magnuson-Moss
Warranty Act, the Driver's Privacy Protection Act, the Credit Repair Organizations Act,
RICO, and state consumer statutes. Her appellate representations in state and federal
courts include SAS, Sercel, Experian, R.J. Reynolds Tobacco Company, and other industry
leaders.
Margaret has defended Computer Sciences Corporation in class litigation over its
insurance software, Interstate Battery in class warranty litigation, the Washington
Division of URS Corp. in class litigation over New Orleans flooding following Hurricane
Katrina, and Experian in data privacy and consumer class actions. She represented R.J.
Reynolds Tobacco Company in more than 30 proposed class actions across the country,
including cases of first impression in Nevada and Oregon, where the state supreme courts
rejected a medical monitoring tort.
Margaret serves as a programming chair for the ABA's Class Action and Derivative Suits
Committee and as editor-in-chief of the ABA's The Woman Advocate. A Dallas Bar
Foundation Fellow, she is a member of Attorneys Serving the Community and the Texas
Law Parents Leadership Association. She has served as a practitioner contributor
to Black's Law Dictionary, was a founding director of Marshall Lawyers Care, and has
served on the boards of community arts and historical organizations.
November 2015
September 2017
Jones Day is defending Deutsche Bank AG, New York Branch in litigation brought by Tera
Group, Inc., a swap execution facility (SEF) operator, which alleges that the defendants
boycotted it to prevent it from gaining traction as an exchange for credit default swap
(CDS) exchanges.
Minister for Public Expenditure and Reform Paschal Donohoe said it would be
compulsory for all passport applicants to hold a public services card.
Photograph: Eric Luke
A former minister for justice in the government that
decided to introduce public services cards for citizens
has said he was against national identity cards and
remained opposed to them.
Senator Michael McDowell said, however, he did not
know whether the public services card (PSC) card being
issued by the Government actually does amount to an
identity card.
The Irish Council for Civil Liberties (ICCL) said on
Monday the Government should clarify the position on
the introduction of PSCs, which have been issued to over
2.3 million citizens to date.
All citizens applying for a passport and a driving licence
will in future have to first obtain the State-issued card.
The decision to introduce the cards was taken in 2004
when Mr McDowell, then a member of the Progressive
Democrats, was in government with Fianna Fil led by
Bertie Ahern.
Privacy campaigners concerned over national ID card by
stealth
State faces 60m bill for public services cards by end of
year
Passport applicants will have to have States public services
card
I was always against [a national ID card] and I made it
clear at the time that I was against identity cards and
that the only circumstance in which I would contemplate
going along with the idea would be that if as a result of
the Good Friday agreement that the British introduced
them in the North and that we had to follow suit, Mr
McDowell told The Irish Times.
Dropped
The English Labour Party was very keen to do it and it
was dropped in the UK. Im against it on liberal
ideological grounds. I dont know whether this card
actually does amount to an identity card.
Mr McDowell said he believed ID cards alter the
citizens relationship with the State because in the end it
will become more and more mandatory to have it and
carry it and all the rest of it.
Liam Herrick, executive director of the ICC, said that if
the Government wished to introduce mandatory national
ID cards, they should propose such a measure through
primary legislation and facilitate a national debate on
such a measure.
Ineffective
In such a debate ICCL would argue that ID cards are an
ineffective, expensive and intrusive mechanism to
advance the stated public policy objectives. We note that
plans to introduce a national ID card system in the UK
were abandoned in 2010 for these reasons, Mr Herrick
said.
Dr TJ McIntyre, a UCD law lecturer and chairman of the
privacy advocacy group Digital Rights Ireland, said on
Sunday these measures marked the introduction of a
national ID card by stealth and he believed it was being
done in a way which appears to be illegal.
Labour Party TD and spokesman on enterprise Alan
Kelly said he believed the card was a good thing that had
major potential benefits, such as the revival of the rural
post office network.
I think the cards would be very helpful on issues of
identity and bringing multiple ID requirements on to
one platform. I am the person who brought in the Leap
[travel] card. I think the travel pass and the Leap card
can all be incorporated into this and in future you should
be able to do other services through it as well.
Minister for Public Expenditure and Reform Paschal
Donohoe confirmed that all passport applicants would
be required to have a PSC from the autumn, although he
insisted it was not and will not be compulsory for
citizens to get the card.
https://www.irishtimes.com/news/ireland/irish-
news/ex-justice-minister-michael-mcdowell-opposed-
national-id-card-1.3091892
Irish police made at least 10 applications for phone data of Garda who exposed "smearing" of
whistleblower:
First piece of legislation in this jurisdiction specifically and solely dedicated to dealing with
cybercrime
The first piece of Irish legislation dedicated specifically to dealing with cybercrime today
completed its passage through the Houses of the Oireachtas, where it received general,
cross-party support. The Criminal Justice (Offences Relating to Information Systems) Bill
aims to safeguard information systems and the data that they contain. The legislation
creates new offences relating to:
the use of tools, such as computer programmes, passwords or devices, to facilitate the
commission of these offences relating to information systems.
The term information system, as defined in the Bill, is deliberately broad, encompassing
all devices involved in the processing and storage of data, not only those considered to be
computer systems in the traditional sense. This reflects the range of modern
communications and data storage technology currently available, such as tablets and
smart phones.
The Bill establishes strong and dissuasive penalties for commission of the offences it
contains. The most serious offences could result in a term of imprisonment of up to 10
years.
The Tnaiste and Minister for Justice and Equality, Frances Fitzgerald TD, who brought
forward the legislation, commented: This Bill represents landmark legislation in this
jurisdiction as it is the first Irish statute specifically and solely dedicated to
cybercrime. There is an increased reliance on information and communications
technology in the modern world and it is clearly important that we seek to
protect vital infrastructures and to maintain users confidence in the safety and
reliability of such systems. This is clearly in the best interests of businesses, the
government sector and individual citizens alike.
The passing of the Bill follows in the wake of last weekends unprecedented global cyber
attack which involved some 200,000 systems in over 150 countries. The Tnaiste
added: This legislation is both welcome and timely. It is particularly important
given that Ireland has become a global cyber hub in view of the number of high
tech IT and internet-based companies that have major operations here.
The Bill provides significant new powers to facilitate the investigation and prosecution of
unlawful activities relating to information systems and their data. The Tnaiste concluded
by saying, I am sure that this legislation will make a significant difference in
combating cybercrime and prove of considerable benefit to the Garda Sochna in
their work in this area. It is undoubtedly an important addition to the Irish
Statute Book.
ENDS
Manchester.
The Tnaiste and Minister for Justice and Equality Frances Fitzgerald is meeting her EU counterparts in Luxembourg
today (Friday). Ministers discussed the European response to terrorism following the recent attacks in Manchester
and London.
The Tnaiste said: People who carry out these savage and appalling acts in any one EU State are attacking all of us
and the fundamental values of freedom that we share. But the responses of the people of London and Manchester
shows that terror cannot and will not stop our way of life. The democratic elections that took place in the United
Kingdom yesterday are a worthy affront to those who seek to impose their twisted will through murder and mayhem.
Enhancing information-sharing across Europe and making the best use of the available EU and Interpol resources
Like many other Member States, we are working hard to ensure best use is made of the existing resources available
to us but also to upgrade and accelerate our connectivity to every resource that can help keep us safe. I have
The protection of our borders is an absolute priority. My Department and An Garda Sochna continue to progress a
broad series of initiatives to strengthen border security. For example, since November 2016 an automated
connection to INTERPOLs Lost and Stolen Travel Documents database was rolled out to all international airports
and seaports and passengers are systematically checked against this database.
Later this year the Irish immigration authorities will begin to process Advance Passenger Information on flights into
the State from outside the EU and preparations are also under way to implement the EU Directive on Passenger
Name Records (PNR). These systems will provide further protection for our borders against crime, terrorism and
Countering radicalisation has been a strong focus of Ministers efforts over a number of years now and it will remain
Ireland supports the European Commissions proposal to establish a High Level Expert Group on Radicalisation to
consider further possible actions to be taken to counter radicalisation and also to consider whether and how there
might be established at EU-level a more permanent structure or framework to co-ordinate actions to counter
radicalisation.
Combating online violent radicalisation and the use of the internet by terrorist groups remains another priority area
and the EU Internet Forum to counter violent radicalisation has managed a sustained interaction with a number of the
global IT and social media companies. This improves partnerships, including with Europols Counter Terrorism
Centre, in identifying and taking down terrorist content. The Garda Authorities co-operate closely with service
providers here.
"Countering radicalisation will involve a whole of community approach nationally and locally. It requires a criminal
justice approach, the strongest legislation and intelligence sharing and a speedy identification of risk factors.
Concerns were expressed at the meeting by a number of countries at the speed at which some of those who have
The Government is committed to providing all necessary resources to An Garda Sochna to deal with the threats
they face, be it terrorism or organised crime. Significant extra funding and resources have been provided in the past
year and Government will not be found wanting in responding to any request for additional resources to continue to
Judicial Council and Judicial Appointments Commission Bills. Both are major
The Tnaiste said: The Irish judiciary is has been one of the great
political and economic threats to its existence and stability. The Irish
globally. These two Bills will underpin public confidence and guarantee the
Speaking about the Judicial Council Bill 2017, the Tnaiste said: The
need for a Judicial Council has long been recognised, both domestically and
internationally. The Bill provides for the establishment of a Judicial
Council which will promote and maintain excellence functions and high
established which will consider complaints against judges and refer them
will also prepare draft guidelines concerning judicial conduct and ethics
Speaking about the Judicial Appointments Commission Bill 2017, the Tnaiste
new Judicial Appointments Commission that will have a more substantial role
also include the Chief Justice and all of the Court Presidents directly
Both Bills are available on the Oireachtas website via the links below
http://www.independent.ie/irish-news/news/probe-
into-civil-servant-who-snooped-on-dozens-of-women-
for-curiosity-30514979.html
Serious concern over
exemption of public bodies
from data protection fines
Commissioner raises issues over proposals for
implementation of new EU regulation
Thu, Jun 15, 2017, 06:15 Updated: Thu, Jun 15, 2017, 08:23
Elaine Edwards
This post, composed immediately after judgment was handed down in this
important case on 21 December 2016, encapsulates my reaction to it. Its
possible implications for the Investigatory Powers Act 2016, for the other bulk
powers used by UK intelligence agencies and others, for the developing case
law of the European Court of Human Rights and indeed for any EU adequacy
determination directed to the UK post-Brexit, remain to be worked out over the
months and years ahead.
The Grand Chamber of the EUs Court of Justice (CJEU) gave judgment this
morning in the case brought in 2014 by David Davis MP and Tom Watson MP,
from which David Davis withdrew on his appointment to
Government. They challenged the powers to require the retention of certain
types of communications data not the content, but the who, where and when
of communications in the Data Protection and Investigatory Powers Act 2014
(DRIPA 2014).
The Court spelled out the requirements of EU law, specifically, the privacy
protections of the EU Charter of Fundamental Rights, in a manner which makes it
plain that DRIPA 2014 is incompatible with those requirements. In doing so, it
went further than the more pragmatic opinion of its own Advocate General
and further also than the existing case law of its sister court, the (non-EU)
European Court of Human Rights.
The CJEU considered that DRIPA 2014 exceeds the limit of what is strictly
necessary and cannot be considered to be justified, within a democratic society:
para 107. But it referred the case back to the English Court of Appeal for a
decision on the extent to which UK law is consistent with EU requirements (para
124). The battle will resume there in the New Year.
The case (Case C-698/15) was joined with a Swedish case brought by Tele2
Sverige AB (Case C-203/15). The judgment is here watson-judgment, and the
Courts own press release is here watson-press-release. A previous post in
which I set out the background is here.
Those powers have been exercised in the UK for many years. The EUs own
Data Retention Directive of 2006, a measure supported by the UK Government
which required such powers to be exercised EU-wide, was itself struck down by
the Court in 2014 (Digital Rights Ireland). Many Member States have continued
to exercise such powers under their own national law, and a number of them
(Czech Republic, Cyprus, Estonia, Finland, France, Germany, Ireland, Poland)
joined the UK in arguing in this case that the principles set out in Digital Rights
Ireland should not be treated as mandatory requirements in these circumstances.
The DRIPA 2014 power at issue in Watson is a relatively familiar and low-
tech one: contrast some of the bulk collection powers used by security and
intelligence agencies in the UK and other countries whose utility I reviewed in this
report of August 2016. (The Treaty on European Union states at Article 4(2) that
national security remains the sole responsibility of each Member State: the
scope of that carve-out remains to be definitively determined.)
Access to retained traffic and location data is however extremely useful to the
police and other law enforcement authorities, in the investigation not only of
serious crime but e.g. of reported disappearances where examination of the
phone records of the missing person may offer clues as to their contacts and so
help locate them. During my investigatory powers review of 2014-15, I was left in
no doubt as to its value.
Law enforcement figures cited at 7.50(c) showed that over a two-week period in
2012, 27% of requests for communications data in terrorism cases and 37% of
requests in sexual offence cases were for data more than six months old.
I also quoted Rob Wainwright, the (British) Director of Europol, who gave the
following evidence to the European Parliament in late 2014:
Ask yourself what the end of data retention would mean in concrete terms? It
would mean that communications data that could have solved a murder or
exonerate a suspect is simply deleted and no longer available.
The European Commission has been a strong supporter of universal retention of
communications data, noting in 2014:
The Court followed its Advocate General (the member of the court entrusted with
preparation of a preliminary opinion) in requiring that access to stored data
should be restricted to serious crime purposes (para 119) and subject to prior
independent authorisation (para 120). Those points were anticipated also by the
English High Court in its ruling of July 2015, though on grounds which
were doubted by the Court of Appeal in November 2015.
The wider significance of the Grand Chambers judgment is in its ruling that the
whole principle of what it called general and indiscriminate retention (para
97) is contrary to EU law specifically the Charter of Fundamental
Rights. Though some saw this bold conclusion prefigured in Digital Rights
Ireland, the High Court, the Court of Appeal and the CJEUs own Advocate
General all chose to avoid it in Watson. Indeed as Open Rights Group reminds
us, even Tom Watsons advocate, Dinah Rose QC, submitted that the
position later taken by the CJEU was wholly impracticable. Her case was,
rather, that a general retention obligation could be lawful so long as accompanied
by an access regime with sufficiently stringent safeguards.
The judgment of the CJEU was thus a genuinely radical one. The proven utility
of existing data retention powers, and the limitations now placed on those
powers, is likely to mean that it will be of serious concern to law enforcement both
in the UK and in other Member States. On the other side of the balance, not
everyone will agree with the Courts view that these powers constitute a
particularly serious interference with privacy rights, or that they are likely to
cause the persons concerned to feel that their private lives are the subject of
constant surveillance (para 100). A more rigorous analysis of
proportionality would have focussed on any actual harm that this useful power
might be shown to have caused over its years of operation, and sought to
avoid assertions based on theory or on informal predictions of popular feeling.
This may reflect what I have previously described as marked and consistent
differences of opinion between the European Courts and the British judges
which owe something at least to varying perceptions of police and security forces
and to different (but equally legitimate) conclusions that are drawn from 20th
century history in different parts of Europe (A Question of Trust, 2.24).
Geographical profiling?
The qualms expressed by the Court in relation to the principle of universal data
retention did not extend to a retention obligation based on objective evidence
which makes it possible to identify a public whose data is likely to reveal a link, at
least an indirect one, with serious criminal offences . Indeed the CJEU
advised (para 111) that:
Such limits may be set by using a geographical criterion where the competent
national authorities consider, on the basis of objective evidence, that there exists,
in one or more geographical areas, a high risk of preparation for or commission of
such offences.
Did the Court mean by this that it could be acceptable to perform general and
indiscriminate retention of data generated by persons living in a particular town,
or housing estate, whereas it would not be acceptable to retain the data of
persons living elsewhere? Such geographical profiling could prove wholly
impracticable, in the phrase of Dinah Rose QC. If attempted, it would certainly
raise extremely sensitive legal and ethical issues. Those issues were not
touched upon in the judgment.
Impact on the Investigatory Powers Act 2016
DRIPA 2014 expires anyway at the end of 2016: but the judgment has
significance for the Investigatory Powers Act 2016, which received Royal Assent
on 29 November and provides for data retention powers similar to (indeed in
some respects more extensive than) those contained in DRIPA 2014.
The precise impact of the judgment will have to be worked out over the weeks
and months ahead, with the assistance of the Court of Appeal which referred
questions to the CJEU for a preliminary ruling and to which the answers have
now been returned (para 124). But its consequences are likely to have to include
the amendment of the Investigatory Powers Act 2016, either by further primary
legislation or by a statutory instrument (secondary legislation) under the
European Communities Act 1972.
The UK remains bound by decisions of the CJEU, including this one, until such
time as it has left the EU.
But even after Brexit, it will not be possible to ignore its data protection
judgments altogether. The sharing of personal data with non-EU countries, in
particular, is subject to certification by the EU that their data protection standards
are adequate. In the 2014 case of Schrems, the CJEU held that this required the
non-EU country to provide for a level of protection of fundamental rights
essentially equivalent to that guaranteed in the EU legal order. The implications
of this for countries such as the USA and Canada (and in due course, no doubt,
the UK) were explored with admirable clarity by Jemima Stratford QC and
Graham Smith in this recent seminar. See, to similar effect, para 118 of last
weeks House of Lords EU Committee Report.
Further Debate
This important judgment is bound to feature in law exams across Europe this
summer. If I were setting a question, it would be this one:
Lives are ruined by crime, not by the properly safeguarded use of general
data retention to fight crime. Discuss.
That question will continue to be debated in many forms and for many years. It is
to be hoped that those debates will generate light as well as heat. For this to
happen, the participants legislators, courts, NGOs, academics and students
need to avoid trading prejudices, and instead make productive use of the
increasing evidence base relating to both the harm and the utility of bulk data
retention.
I have just heard that in June 2017, the Investigatory Powers Tribunal in a
different case (chaired by Burton J, with Mitting J and three others on the panel)
stated orally its intention of making a further reference to the CJEU in order to
seek clarification of the Watson/Davis judgment. A hearing was fixed for late July
for the purpose of finalising the questions. It remains to be seen what those
questions will be, and how they will be disposed of by the CJEU.
https://www.daqc.co.uk/2017/04/11/cjeu-judgment-in-watson/
Wow: IPT has decided to make a further reference to #CJEU on the meaning of Watson/Davis
daqc.co.uk/2017/04/11/cje . QQ to be decided end July.
https: //www. u-judgment-in-watson/
The Members States may not impose a general obligation to retain data
on providers of electronic communications services
https://www.daqc.co.uk/wp-content/uploads/sites/22/2016/12/Watson-
press-release.pdf
Brexit- future UK-EU security and police cooperation
https://publications.parliament.uk/pa/ld201617/ldselect/ldeucom/77/77.pdf
Brexit: Security, surveillance and home affairs
https://www.youtube.com/watch?v=iVegn-khidQ
UKs data protection legislation during and after Brexit. Stratford explained that
the General Data Protection Regulation (Regulation (EU) 2016/679), which
replaces the Data Protection Directive (Directive 95/46/EC) from May 2018
http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
http://www.legislation.gov.uk/ukpga/2016/25/enacted/data.pdf
overview
Jemima Stratford QC is widely recognised as a leading litigator in EU, competition and public
law/human rights.
Jemimas EU and competition expertise range from FRAND licensing to pharmaceuticals, and
from free movement to financial services. She has appeared in more than 50 cases in the General
Court and Court of Justice in Luxembourg. Her domestic practice includes competition law cases
in the CAT, Commercial Court and Patents Court. She was part of the team for the OFT in the
bank charges litigation, and is currently instructed for claimants (Ericsson and Unwired Planet) in
significant telecommunications litigation against Apple, Samsung and Huawei.
Jemima's public law and human rights work have taken her to the Supreme Court and to the Grand
Chamber of the ECtHR. Before taking silk, she was a member of the Attorney Generals A
Panel. She acts for both claimants and defendants across a wide range of cases, some of which
also have a connection with EU law. Jemima also advises both States and international
organisations on immunities from jurisdiction, dealing with both public international law and
human rights arguments before the ECtHR, the High Court and Employment Tribunals.
Contributor to "Competition Litigation: UK Practice and Procedure" (OUP, 2010)
Author of "Striking the Balance: Privacy v Freedom of Expression under the European
Convention on Human Rights", published in "Developing Key Privacy Rights" (Hart, 2002)
Co-author of "Competition: Understanding the 1998 Act" (Palladian, 1999)
Jemima has excellent judgement, is very responsive, highly proactive and incredibly hard-
working." (Chambers & Partners 2017)
"She is able to cut through a lot of dry and academic material with ease and is extremely user-
friendly." (Chambers & Partners 2017)
"She is extremely hard-working and never misses deadlines. She is always well prepared for any
case and her advice is very measured and thorough." (Chambers & Partners 2017)
"She is a very capable leader of a team and gives good direction." (Chambers & Partners 2017)
"Extremely knowledgeable and passionate." (The Legal 500 2016)
"Brings real depth to her submissions while keeping judges firmly on board." (The Legal 500
2016)
"A client-friendly silk with superb analytical skills." (The Legal 500 2016)
"She is phenomenal - really thorough, personable and a brilliant advocate. She can relate well to
her clients and they have full confidence in her." (Chambers & Partners 2016)
"I have never known her to be less than 110% prepared. She is very thoughtful and succinct and
always goes out of her way to help." (Chambers & Partners 2016)
"Very clever and a great strategist." She is "fantastically knowledgeable." (Chambers & Partners
2016)
"Absolutely excellent; she is very knowledgeable in a wide range of EU law matters because she
does the human side of EU law as well." (Chambers & Partners 2016)
"Jemima has depth of knowledge and she's a very clear advocate, particularly in European courts."
"She is known for being intellectually strong." (Chambers & Partners 2016)
Extremely knowledgeable and passionate. (The Legal 500 2015)
A strong advocate; thorough and good with clients. (The Legal 500 2015)
Extremely competent and calm. (The Legal 500 2015)
"She is excellent, and charming with it." (Chambers & Partners 2015)
"She has very strong, clear and accessible ideas, and the ability to boil things down to the nub
without making you feel stupid." (Chambers & Partners 2015)
"Impressive, thorough and down to earth. She's a good team player." (Chambers & Partners 2015)
"An extremely talented and dedicated lawyer, and a fount of all knowledge on EU law and
regulations." (Chambers & Partners 2015)
http://www.brickcourt.co.uk/people/profile/jemima-stratford-qc
High Court hands down landmark FRAND judgment
05/04/17, EU/Competition
Mr Justice Birss today handed down a landmark judgment in Unwired Planet International Ltd v
Huawei Technologies Co Ltd in which he ruled for the first time on the obligation to license
standard essential patents on fair, reasonable and non-discriminatory (FRAND) terms and the
interrelationship between FRAND and EU competition law. The judgment is also the first outside
Germany to consider the application of the judgment of the Court of Justice of the European
Union in Huawei v ZTE.
Unwired Planet acquired a portfolio of standard essential patents from Ericsson in 2013 and, after
unsuccessful attempts to license those patents consensually, commenced patent infringement
proceedings against Huawei, Samsung and Google in March 2014. In addition to challenging
validity and infringement of the patents, each of Huawei, Samsung and Google brought
counterclaims against Unwired Planet alleging that Unwired Planets conduct was not FRAND
and that it was in breach of EU competition law. The claims against Google were settled in May
2015 and the claims against Samsung were settled shortly before trial in July 2016. The claims
against Huawei went to trial over 7 weeks in November and December 2016.
In a judgment which will be welcomed by those seeking to license patents relevant to global
standards, Mr Justice Birss found that it was FRAND for a patent holder to insist on a global
licence (and conversely that it was not FRAND for a prospective licensee to insist on licensing on
a country-by-country basis). He proceeded to determine the FRAND rate for Unwired Planets
portfolio.
Huaweis competition law counterclaims were dismissed, including the argument that Unwired
Planet was in breach of the principles laid down by the Court of Justice in Huawei v ZTE for
commencing proceedings before making a FRAND offer.
Since Huawei had refused to enter into a licence on terms that the Court had determined to be
FRAND, and Unwired Planet was not in breach of competition law, Mr Justice Birss considered
that it was appropriate to grant a final injunction against Huawei to restrain infringement of
Unwired Planets patents in the UK.
The judgment is here.
Sarah Ford QC appeared for Unwired Planet, instructed by Enyo Law.
Jemima Stratford QC, Sarah Abram, Michael Bolding and David Bailey were instructed at an earlier
stage of the proceedings.
Daniel Piccinin acted for Ericsson, instructed by Freshfields Bruckhaus Deringer, prior to a
compromise being reached.
Robert ODonoghue QC appeared for Google, instructed by Bristows, prior to a compromise being
reached
Nicholas Saunders appeared for Google and Samsung, instructed by Bristows, prior to a compromise
being reached.
This can be accessed until 6 October 2017 (included), anyone interested in becoming an
arbitrator and fulfilling the requirements set out in the Federal Register notice may submit
an application to the address indicated therein.
http://ec.europa.eu/newsroom/just/item-
detail.cfm?item_id=604382&utm_source=just_newsroom&utm_medium=Websit
e&utm_campaign=just&utm_content=Selection%20of%20arbitrators%20for%2
0the%20Arbitration%20Panel%20under%20the%20EU-
US%20Privac&utm_term=Data%20protection&lang=en
concerning the adoption of the work programme for 2017 and the financing for the
implementation of the Rights, Equality and Citizenship Programme
http://ec.europa.eu/justice/grants1/programmes-2014-
2020/files/rec_2017_awp_commission-implementing-decision_en.pdf
European Parliament and of the Council of 17 December 2013 establishing a Rights,
Equality and Citizenship Programme for the period 2014 to 2020 Text with EEA relevance
http://eur-lex.europa.eu/legal-
content/EN/TXT/PDF/?uri=CELEX:32013R1381&from=EN
EU-U.S. Privacy Shield
http://ec.europa.eu/justice/data-protection/files/factsheets/factsheet_eu-
us_privacy_shield_en.pdf
Human rights watchdog
seeks details on foreign
surveillance
ICCL and other bodies ask governments to disclose
details of arrangements for sharing data
Tue, Jun 13, 2017, 15:15
Elaine Edwards
The Irish Council for Civil Liberties has asked for details of how the State
shares foreign intelligence information.
A leading human rights watchdog has asked the
Government and the States policing and defence
agencies to release details of how they share intelligence
surveillance with other governments.
The Irish Council for Civil Liberties (ICCL) on Tuesday
submitted requests under the Freedom of Information
Act to the Department of Justice, An Garda Sochna
and the Defence Forces seeking information on the
States information sharing agreements with other
countries.
It informed the agencies that the arrangements
dramatically implicate the privacy of every person, both
nationals and non-nationals.
However, to date those arrangements are largely
shrouded in secrecy, it said in correspondence to all
three bodies.
The requests were submitted as part of a global public
information campaign aimed at uncovering international
information-sharing agreements between intelligence
agencies.
The campaign is being coordinated through the
International Network of Civil Liberties Organizations
(INCLO), of which ICCL is a member.
The group says international information-sharing
agreements between intelligence agencies potentially
allow those agencies to sidestep domestic legal
constraints by funnelling surveillance data into a
transnational intelligence network.
Mass leaks
The Snowden files and other mass intelligence leaks
have yielded crucial information about the mechanics of
domestic state surveillance. They also revealed more
about intelligence cooperation through the Five Eyes, the
post-war surveillance alliance established between the
United States, the United Kingdom, Canada, Australia
and New Zealand, the ICCL said.
However, surveillance regimes now operate on a global
scale, extending far beyond Western democracies.
We still know very little about the Five Eyes and other
information-sharing relationships between
governments, including intelligence alliances in the
global south. By submitting requests for information in a
geographically diverse array of states, INCLO hopes to
expose these undisclosed alliances and learn more about
their exact practice.
Eight member organisations filed freedom of
information requests with their governments today, in
what they said was an attempt to shine a light on this
critical seam of the global surveillance regime.
https://www.kildarestreet.com/wrans/?id=2017-06-
01a.131&s=cybercrime#g132.q
Simon Harris signed the commencement order for the Individual Health Identifier yesterday
Individual Health Identifier -
Progress
HSE and eHealth Ireland welcome the commencement order in relation
to the Individual Health Identifier (IHI)
IHI will now become operational throughout Ireland
The HSE and eHealth Ireland welcome the commencement order for the
Individual Health Identifier (IHI) signed by the Minister of Health Mr Simon
Harris yesterday, Tuesday 30th May 2017. This allows for the operational use
of the IHI throughout the Irish healthcare system in line with the terms of the
Health Identifiers Act 2014.
An Individual Health Identifier is a number that identifies each person who has
used or may use a health or social care service in Ireland. Each individual will
be assigned their own personal number which is unique to them. The main
benefit of having an Individual Health Identifier is to uniquely identify each
service user and therefore, improve patient safety by reducing errors that
might happen, such as ensuring patients receive the correct medication,
vaccinations, and treatment.
Richard Corbridge, HSE Chief Information Officer and CEO of eHealth Ireland
said This is a fundamental block in building a better health service through
the availability of digital solutions. The IHI allows us to work with GPs,
hospitals, digital partners, patients, and service providers, to make the IHI
available in as many care settings as possible. This will be done
incrementally, with the patients interests at the centre of every decision along
the way.
Minister for Health Simon Harris said, "The bringing into operation of the
relevant provisions in the Health Identifiers Act and the making of Regulations
on accessing the National IHI Register and using the IHI, represent further
tangible steps in my commitment to enhancing patient safety and developing
the eHealth agenda necessary for a modern patient-centred health service."
The Health Identifiers Act, 2014, provides the legislation for the Individual
Health Identifier. In September 2015 a delegation order was commenced to
allow the HSE to develop and operate the IHI on behalf of the Minister for
Health.
An IHI (number) has been created and assigned to Irish residents who have
used or may use the health and social care services within Ireland. People do
not need to know their IHI to access services. For more information on the IHI
project and its progress visit www.ehealthireland.ie/IHI
(Published 01/06/2017)
Progress towards the delivery of the Individual Health Identifier (IHI) has
continued since the announcement of the programme on 11 March 2015.
In July 2015, a proof of concept version of the infrastructure was created and
a data cleansing and the matching process was completed, with over 90%
success match rate against existing HSE Primary Care Reimbursement
(PCRS) records.
The proof of concept solution was made available to a number of systems so
that they could begin to understand how clinical benefit can be
gained from local systems by deploying access to the IHI. Access to this
system was not against real data. The HSEs own development team carried
out this early review with volunteer suppliers, Slainte Healthcare, Socrates
Healthcare Informatics and Helix Health.
In September 2015 a delegation order was commenced to allow the HSE to
develop and operate the IHI on behalf of the Minister for Health.
A Public Consultation for the draft IHI Privacy Impact Assessment published
on January 28, 2016, was conducted in March 2016 and extended to 8th April
2016 due to the volume of interest.
The outcomes for the Public Consultation and the IHI Privacy Impact
Assessment itself was published on 10/08/2016.
On November 8th 2016, a Memorandum of Agreement was signed with the
Department of Social Protection for the provision of Public Service Identify
Records for the population and maintenance of the IHI Register allowing for
the population of the IHI Register with 6.2 million approx. records for known
residents of Ireland.
IHI numbers were generated and assigned to these records.
(published 01/12/2016)
Future decisions regarding which Health Service Provider systems will have
access to the IHI will be agreed within the Health Identifiers Programme
based on evaluation of candidate systems against criteria relating to clinical
benefit and patient safety rather than being technology led. For example, the
New Born and Maternity system is already high on the list of systems to
consider to ensure that the IHI is available to babies from birth.
https://www.digitalhealth.net/2016/02/ireland-consults-public-on-identifier/
The HSE said the Department of Health would examine the impact of
legislative changes on the health identifier project following a major EU ruling.
Photograph: Thinkstock
Health authorities are examining the possible impact of a
major EU court ruling on their work to date on a plan to
give every person in the State a unique health identifier.
http://www.irishtimes.com/news/health/eu-court-ruling-may-impact-health-identifier-
plans-1.2407367?mode=sample&auth-failed=1&pw-
origin=https%3A%2F%2Fwww.irishtimes.com%2Fnews%2Fhealth%2Feu-court-
ruling-may-impact-health-identifier-plans-1.2407367
ENFORCEMENT
DELAYED FOR HEALTH
PLAN IDENTIFIER
REGULATIONS
November 3, 2014
http://ncvhs.us/wp-
content/uploads/2014/10/
140923lt5.pdf
IHI Service Data Protection Policy
Information in the form of data is at the core of the Health Service Executives
(HSE) activities. The security and privacy of this data, especially patient and
client personal data, is of the upmost importance to the HSE. In order to
maintain public confidence in the HSE and the delivery of our services to the
public, the HSE and its staff, agents, representatives, contractors and data
processors must ensure they process and protect this data in accordance with
the relevant legislation and the HSEs policies, procedures and guidelines.
In 2014, the Health Identifiers Act was enacted and this allowed for the
creation and operation of a unique Individual Health Identifier (IHI) for any
person using a health or social care service in Ireland and the establishment
of a national IHI register. The Minister for Health delegated the authority to
establish and operate the IHI to the HSE and the HSE IHI Business Service is
responsible for this. As the IHI includes an individuals personal data, the HSE
is legally required to ensure that all personal data is processed in accordance
with the Health Identifiers Act, the Data Protection Acts, the GDPR (when
effective) and other statutory and legal obligations.
The purpose of this policy is to provide HSE staff, agents, representatives,
contractors and data processors and others with clear guidance and
instruction on the appropriate, safe and legal way in which they can make use
of the information stored on the IHI register. This policy has been approved by
the HSE Director General and the HSE leadership team
Click here for the full IHI Service Data Protection Policy
Memorandum of Agreement between Department
Of Social Protection, Department of Health and
the Health Service Executive in respect of
Utilisation and Sharing of Public Service Identity
(PSI) Dataset in the Context of the Health Identifiers
Act 2014
On November 8th 2016, a Memorandum of Agreement was signed with the
Department of Social Protection for the provision of Public Service Identify
Records for the population and maintenance of the IHI Register allowing for
the population of the IHI Register with 6.2 million approx. records for known
residents of Ireland.
The Department of Social Protection is the data controller for the Public
Service Identity Dataset.
The Health Identifiers Act 2014 was introduced to provide for the assignment
of a unique number to an individual to whom a health service is being, has
been or may be provided. Individual Health Identifiers (IHI) can be used in
both the public and private sector. For operational reasons, the Health
Identifier Act 2014 provides for the delegation of certain functions to the
Health Service Executive (HSE). The HSE will operate the Health Identifiers
Register on behalf of the Minister of Health. Notwithstanding the delegation
of function, Section 26 of the Health Identifiers Act 2014 provides for the
functions continue to be vested in the Minister concurrently with the HSE and
the delegation does not remove or derogate from the responsibility of the
Minister.
On receipt of the data from the Department of Social Protection, the HSE will
become responsible for the personal data which it has received, i.e. it is the
data controller for information received from that point.
Click here for the full Memorandum of Agreement.
http://www.ehealthireland.
ie/Library/Document-
Library/IHI-
Documents/PC-PIA-
IHI.pdf
Electronic Health Record ...
Another example can be found in research on health ... Initial evaluation of patient interaction with
the Electronic Health Record
https://www.scribd.com/d
ocument/312286237/Bran
ds2004-PwC-ehealth-
doc-pdf#
https://www.gs1ie.org/Download_Files/Events-Conferences/HSE-GS1-HUG-
Presentation-Richard-Corbridge.pdf
eHealth-Interoperability-standards-consultation
https://www.hiqa.ie/sites/default/files/2017-08/eHealth-Interoperability-
standards-consultation.pdf
Consultation on the Privacy Blueprint for the Individual Electronic Health Record
Submission to the Australia National E- Health Transition Authority
https://www.oaic.gov.au/images/documents/migrated/migrated/sub_nehta_08
08.pdf
Your Movements Shall Be Traced- The New EU Regulation on Cross-Border
Portability
http://data.consilium.europa.eu/doc/document/PE-9-2017-INIT/EN/pdf
Share to Reddit
Share to Google+
Share to Twitter
Share to LinkedIn
The Competition and Consumer Protection Commission
cannot examine all 100,000 emails of a senior executive
of cement giant CRH copied by it following a dawn raid
as part of an investigation into alleged anti-competitive
practices, the Supreme Court has ruled.
The commissions search was lawful and it is entitled to
lawfully proceed with its investigation but may only
examine such emails of Seamus Lynch as are relevant to
that investigation, Mr Justice Peter Charleton ruled.
There was no need for the commission to hold on to
irrelevant material and it might consider developing a
code of practice for future similar cases, he added.
The emails were among materials taken by officers of the
commission after its unannounced early morning raid at
the plant of Irish Cement Limited, a subsidiary of CRH,
at Platin, Co Meath, on May 14th, 2014.
The search was carried out under a warrant granted by
the District Court under the 2014 Competition and
Consumer Protection Act. The commission sought the
warrant after saying it had formed the opinion ICL, from
January 2011 to the date of the warrant, may have
engaged in abuse of a dominant position in relation to
the supply of bagged cement in the State.
ICL, CRH Plc and Seamus Lynch later took proceedings
alleging commission officers were not entitled to seize,
retain or trawl through any electronic files within a
crh.com email account of Mr Lynch unrelated to the
business and activity of ICL. Mr Lynch left ICL in 2011 to
join CRH and, at the time of the search, was managing
director of CRH Europe (Ireland and Spain).
The plaintiffs argued the warrant only entitled the
commission to seize documents related to ICL. By
seizing other data, the commission breached their
privacy and other rights under the Constitution, Article 8
of the European Convention on Human Rights and the
Charter of Fundamental Rights of the EU, they argued.
The commission denied those claims but undertook not
to go through the material until the courts decided the
matter.
In the High Court last year, Mr Justice Max Barrett
found certain materials seized fell outside the scope of
the search warrant and granted injunctions restraining
the commission accessing, reviewing or making use of
the material seized. He also held, if the commission
sought to access, review or use the documents, that
would breach Article 8.
Three judgments
In three separate judgments on Monday, the five-judge
Supreme Court dismissed the commissions appeal over
the High Court decision.
Mr Justice Charleton said the search was lawful and the
material seized could be taken off site. The focus of the
appeal was on the emails of Mr Lynch, he said. While
this was a business email address, the problem was the
scope of seizure of an entire email account of thousands
of mails without justification for such ample and
undifferentiated seizure.
While the seizure of the computer was proportionate and
the need to examine what was on it was justified by the
nature of the investigation, the commission and
CRH/Lynch side now needed to agree a procedure to
isolate private emails of Mr Lynchs from any emails
relevant to the commissions investigation, he said.
Outlining a number of recommendations as to how that
might be done, he said CRH and Mr Lynch might
identify what private material of his has been copied by
the commission and set out why that is so sensitive as to
require protection of his privacy rights under Article 8.
He, the Chief Justice Susan Denham and Ms Justice
Elizabeth Dunne also endorsed Ms Justice Mary Laffoys
separate findings concerning Article 8. Ms Justice Laffoy
held, because the commission had not accessed the
emails, there was no breach of Article 8 rights.
In his judgment also dismissing the appeal, Mr Justice
John MacMenamin ruled the search was unlawful and
the commission was therefore not entitled to access any
of the materials seized. The commisison acted outside its
powers under the Competition and Consumer Protection
Act 2014 and breached the constitutional and Article 8
rights to privacy of CRH and Mr Lynch, he held.
The commission had also not acted in accordance with
its obligations under the European Convention on
Human Rights Act 2003.
https://www.irishtimes.com/business/manufacturing/supreme-court-limits-
investigation-s-access-to-emails-of-senior-crh-executive-1.3100526
protecting their privacy rights. In the recent case of CRH PLC, ... Competition and
Consumer Protection Act 2014 ... and Article 8 provides for protection of
https://www.algoodbody.com/media/Dawn-Raids-31May1.pdf
The Constitution
The Court held that each of the plain- tiffs enjoys a constitutional right to privacy which can only be
interfered with in a justifiable and proportionate manner.
However the Court was not prepared to grant a declaration that the CCPC had acted in breach of the
plaintiffs right to privacy under Article 40.3 of the Constitution.
The real difficulty arose with the CCPC determining what was to happen in respect of the materials
seized (other than legally privileged materials) which did not relate to the matter under investigation.
Barrett J. stated that if the CCPC was to trawl through the material and determine what it was entitled to
take away, it would quite literally be engaging in an entirely unwarranted not to mention egregious
transgression of the right to privacy of the plaintiffs in these proceedings. The Court concluded that
such an examination would contravene Article 40.3 of the Constitution.
The parties accepted that the dawn raid of the business premises and the copying of the records could
con- stitute an interference by a public authority with the private life of one or more of the plaintiffs,
contrary to Article 8(1) of the ECHR. So the sole issue for the court was whether such interference
occurred in accordance with law, and was necessary in a democratic society (i.e. proportionate to the
legitimate aim pursued) pursu- ant to Article 8(2).
businesses can violate the right to privacy guaranteed by Article 8 of the ECHR. For example, in
Niemetz v Germany (1993) 16 EHRR 97, the ECtHR held that a search of
the plaintiff lawyers office amounted to a breach of Article 8 because the warrant was drawn in such
broad terms that it ordered a search for
and seizure of documents without any limitation, and was disproportion- ate in the circumstances.
Also in Robathin v Austria (3rd July 2012) which concerned a search and seizure of electronic data
at a lawyers office, the ECtHR condemned general searches
of electronic documents which are not reasonably limited in their scope, and found the search warrant to
be couched in very broad terms which went beyond what was necessary to achieve the legitimate aim.
Further, in Vinci Construction v France (2nd April 2015), the ECtHR found France to be in violation of
the ECHR in respect of inspections carried out at business premises, as the seizures included the
entirety of certain employees professional email accounts, as well as correspondence exchanged with
lawyers.
Having clear internal procedures, well trained staff, and experienced counsel present during raids will
help organisations to find the correct bal- ance between cooperation and pro- tecting privacy rights.
Different regu- lators operate under different legisla- tive frameworks, but the following are some tips on
what to do when faced with a dawn raid:
have a dawn raid response pro- cedure in place so that everyone knows what to do;
contact external lawyers and key executives and directors immedi- ately;
check the warrant, authorisation or other formal document to en- sure that it correctly identifies the
business premises and the scope of the investigation;
if correspondence with lawyers is copied or seized, object and ask that it is kept separately from oth-
er documents copied or seized and that it is not reviewed until a determination has been made as to
whether it is legally privileged;
ifinvestigatorsattempttocopy or seize files or devices which contain material that is irrelevant to the
matter under investigation, object and ask that those files
or devices be put aside for your lawyers to discuss with the inves- tigators after the raid;
co-operatewiththeinvestigators and do not obstruct or impede the investigation at any time (which may
be an offence) whilst being mindful of your legal rights and the legal duties of the investiga- tors.
Some of the emails and attachments in the email box were almost certainly not caught by the terms of
the warrant, as they included documents relating to other companies within
the group as well as personal emails. This was not information that may be required in relation to a
matter under investigation as required by section 37 of the 2014 Act. The central issue before the court
was what was to be done about those emails which it was claimed that the CCPC did not lawfully have
in its possession.
The CCPC contended that it had the right to go through all the material it had seized to determine what
material it was entitled to take away. The plain- tiffs, on the other hand, claimed that for the CCPC to
review the material which it was not entitled to take away contravened the right to privacy, be it in the
form arising under the ECHR or the Constitution, or both.
Reliefs sought
The decision
The High Court said that the bulk seizure was outside the scope of the search warrant issued under
section 37 of the 2014 Act, and that examina- tion by the CCPC of the bulk data would constitute a
breach of the right to privacy under Article 40.3 of the Irish Constitution and Article 8 of the ECHR.
It therefore granted a declaration that certain materials seized by the CCPC during its dawn raid were
not covered by the terms of the applicable search warrant and were done without au- thorisation under
section 37 of the 2014 Act.
The Court noted that there is nothing in the 2014 Act to indicate what should be done regarding material
which has been seized but ought not to have been seized, as the material does not relate to a matter
under in- vestigation. It granted an injunction restraining the CCPC from accessing, reviewing or making
any use of the seized material pending any agree- ment that might be reached between the parties on
how to sift out the rele- vant and irrelevant material.
The Court also noted the existence
of a perfectly operable process in section 33 of the 2014 Act whereby material that is seized and which
is claimed to be legally privileged is vet- ted impartially with a view to determin- ing whether that
privilege has been correctly claimed, and thus whether the State should view that material. The Court
found that there was no reason why such a process could not have been voluntarily agreed between the
CCPC and the plaintiffs in this case.
The Court refused to grant declara- tions that the CCPC had breached the DPAs or Articles 7 and 8 of
the Char- ter. It also refused to grant a declara- tion that the CCPC had contravened Article 40.3 of the
Constitution or Arti- cle 8 of the ECHR, but it considered that if the CCPC was to proceed as
it intended (i.e. to go through all the material that it had taken away and determine what is the material
that it
was entitled to take away), that those provisions of the Constitution and the ECHR would be breached.
Addressing each legislation in turn why did the Court find the CCPCs dawn raid was not contrary to
the DPAs, Charter, Constitution or ECHR?
The DPAs
The Court noted that section 8 of the DPAs contains exemptions regarding the processing of personal
data which is required for the purpose of investi- gating offences, or which is required under any
enactment or by order of the court. It found that there was a very wide breadth of information
including personal data that the CCPC was entitled to take away with it after the dawn raid, by virtue
of the combined effect of its search warrant and section 37 of the 2014 Act.
One of the judges noted that, to the extent that the CCPC was not entitled to any personal data being
sought, it was open to the party under investiga- tion in these proceedings to refuse to release that data
to the CCPC. Insofar as that party elected to release data to which the CCPC was not entitled, it is liable
as data controller for its breach of the DPAs, not the CCPC. However, once the data were disclosed to
the CCPC, it had a responsibility to pro- cess the data in accordance with the DPAs.
The Charter
Therefore no argument as to contra- vention of the Charter could succeed in these proceedings.
The Competition and Consumer Protection Commission (the "CCPC") recently lost
its appeal against a decision of the High Court, which concerned a search it had
carried out at the premises of Irish Cement Limited ("ICL") in May 2015.
The Supreme Court found that the CCPC had breached the right to privacy of ICL,
CRH Plc ("CRH") - ICL's parent company and a senior executive within the CRH
group (together "the Respondents"), under both Irish law and under the European
Convention on Human Rights, due to the way in which it carried out the search.
The Supreme Court decision will undoubtedly impact on search and seizures carried
out by the CCPC in future cases. It may also influence other regulators to take a
more refined approach to search and seizure powers granted under different
legislation.
Background
The CCPC was investigating whether ICL may have engaged in anticompetitive
practices between January 2011 and 12 May 2015, on foot of allegations that it was
using exclusive purchasing arrangements, rebates or other inducements to
distributors of bagged cement, which had the effect of excluding competitors from the
Irish market. The allegations concerned only ICL's activities within the State and not
elsewhere.
In May 2015, the CCPC conducted a search of ICL's premises under section 37 of
the Competition and Consumer Protection Act 2014 (the "Act"). This gave the CCPC
broad search and seizure powers, including allowing it to take copies of, and/or
seize, records which it found at the premises when investigating potential competition
law breaches. As required by the Act, the CCPC had obtained a search warrant from
the District Court prior to conducting the search.
One of the central issues in the case was whether the CCPC was entitled to copy the
entirety of Mr. Seamus Lynch's email account, a former managing director of ICL, but
who is now a managing director of Ireland and Spain for CRH Europe. The material
copied included correspondence with CRH subsidiaries in other European locations.
The Respondents argued that documents relating to Mr. Lynch's functions and
activities which were separate and unrelated to ICL were outside the scope of the
search warrant and should not be reviewed by the CCPC. The High Court agreed
with this position and the CCPC appealed that decision to the Supreme Court.
Criticisms
The Supreme Court dismissed the CCPC's appeal and was critical of the search
procedure which it adopted in this case at the outset. It noted that the search warrant
was couched in broad and unspecific terms and did not identify the suspected
offence or the suspected persons. Although the Respondents' lawyers were shown a
copy of the search warrant on the day of the search (and ultimately given a copy of
it), the Supreme Court found that in the absence of any specific information regarding
the scope of the investigation on the warrant, the Respondents' lawyers were unable
to make any meaningful observations to the CCPC officials as the search took place.
The Supreme Court also stated that at the time of the search, the CCPC had
information available to it, which would have enabled it to conduct a more focused
search. This was due to the relatively narrow scope of the investigation, the
methodology of search (involving electronic data which is often susceptible to key
word search) and the specific nature of the offences being investigated. It noted that
the search was pre-planned and that the pre-search procedure was not a focused
one, in identifying any specific email data by reference to the time, place or identity of
the writers, or addresses. The Supreme Court remarked that when the CCPC seized
all of Mr. Lynch's email account, it must have been aware that it would inevitably take
large quantities of material outside the scope of its investigation and was critical of
the fact that the CCPC did not take any steps to avoid such an event. It implied that a
better approach may have been for the CCPC to do a keyword search on site, which
would have narrowed down the material which was copied. The Supreme Court
noted that in some situations it may not be possible to have a more narrowly defined
search warrant or search (e.g. in relation to more serious types of crime where the
scope of the warrant must be broader and there was an urgent need for searches)
but it said that those considerations did not apply in this case.
Decisions
The Supreme Court dismissed the CCPC's appeal and found that the CCPC had
acted outside of the powers contained in section 37 of the Act, in breach of the
Respondents' constitutional right to privacy and in breach of their rights under Article
8 of the European Convention of Human Rights (which also relates to privacy). The
Supreme Court granted an injunction preventing the CCPC from reviewing any
material or any of the data "which were the fruits of this unlawful search." The
Supreme Court noted that although the Act provided a mechanism whereby
privileged legal material which was seized could not be reviewed by the CCPC, it did
not address what would transpire if material which was not covered by the search
warrant was seized. It noted that this was a matter for the Oireachtas, but said in the
absence of any such legislative provision dealing with the issue, it was for the CCPC
to try and reach agreement with the Respondents as to how any seized material
which was alleged to be outside the scope of the warrant, would be dealt with. Mr.
Justice Charleton suggested some steps which could be taken to resolve the issue
(this included the Respondents specifying what material should not have been
seized, the parties using key word searches to identify relevant material and the
destruction by the CCPC of any irrelevant material).
Comment
The Supreme Court has made clear that save in exceptional circumstances, search
warrants by the CCPC will need to be more precise so as to enable the subject of the
search to understand what is being investigated and presumably therefore to make
informed objections if necessary, about any data being seized. It is also evident, that
in competition law cases, the Supreme Court expects the CCPC to conduct more
pre-planning in relation to searches so as to limit the amount of irrelevant material
being seized.
Aside from the CCPC, other regulators have broad powers of search and seizure.
The Supreme Court ruling should serve as a cautionary note to them, to show
restraint when exercising their powers, as the excessive seizure of material will be
open to challenge.
The content of this article is intended to provide a general guide to the subject
matter. Specialist advice should be sought about your specific circumstances.
Being supervised by a right to privacy extends to companies
labyrinth of regulators, organisations in Ireland face a very real and present risk
of a regulatory investigation or dawn raid. Although regulators have wide- reaching search and seizure
powers (including the ability to conduct unan- nounced inspections), organisations benefit from certain
safeguards under privacy laws. In addition, the European Court of Human Rights (ECtHR) exercises a
close scrutiny over whether such safeguards are applied in a practi- cal and effective, rather than a
theoreti- cal and illusory, manner. Thus the chal- lenge for organisations is to understand how to deal
with unannounced inspec- tions and co-operate with investigators, whilst protecting their privacy rights.
In the recent case of CRH PLC, Irish Cement Ltd and Seamus Lynch v The Competition and Consumer
Protection Commission (CCPC) (5th April 2016), the Irish High Court determined that the seizure by
the CCPC of the entire contents of a professional email ac- count of an employee, containing docu-
ments unrelated to the investigation as well as personal emails, was unlawful.
Although the decision relates to the search and seizure regime under the Competition and Consumer
Protection Act 2014 (the 2014 Act), the case serves as a warning to other regulators to ensure that
they respect organisa- tions privacy rights when exercising their search and seizure powers during
dawn raids.
However, the right is not an unqualified right, and may be limited or restricted in the interests of the
common good, public order and morality.
In Digital Rights Ireland Ltd v Minister for Communications & Ors [2010] 3 IR 251, the High Court
confirmed that the
as legal entities, separate and distinct from their members as natural persons.
Article 8(1) of the European Convention on Human Rights (ECHR) guarantees the right to respect for
private and fami- ly life, for the home and for correspond- ence. Again, this right is not absolute. Article
8(2) of the ECHR provides that: There shall be no interference by a public authority with the exercise of
this right except such as [1] in accordance with the law and [2] is necessary in a democratic society [a]
in the interests of national security, public safety or the economic well-being of the country, [b] for the
prevention of disorder or crime, [c] for the protection of health or mor- als, or [d] for the protection of the
rights and freedoms of others.
The European Convention on Human Rights Act 2003 gives effect to the ECHR in Irish law. It requires
the courts to interpret Irish law insofar as possible in line with the ECHR, and requires public bodies
(such as regulators) to perform their functions in a manner compatible with the ECHR.
In Societes Colas Est v France (16th April 2002), the ECtHR confirmed that in certain circumstances,
the rights guaranteed by Article 8 of the ECHR may be construed as including the right to respect for a
companys registered office, branches or other premises.
Articles 7 of the EU Charter of Funda- mental Rights of the EU (the Charter) provides for the right to
respect for private and family life, and Article 8 provides for protection of personal data. Article 51 of the
Charter provides that the provisions of the Charter are addressed to Member States only when they are
implementing EU law.
In the course of that raid, the officers obtained a copy of the entirety of the email box of a (now former)
senior ex- ecutive,
Ms Sandberg doesnt specifically name any preferences she has for potential
successors in the documentation. She makes clear, however, that Facebook is
interested in who the appointment will be, and that whoever is appointed is a
strong candidate as Mr Hawkes was a hard act to follow.
She says in the documentation that she hopes whoever is appointed to the
position will be able to collaborate with Facebook and provide leadership on
the data protection issue in Europe.
Two days after the Davos meeting Ms Sandberg writes to Mr Kenny, and is
sure to warn how changes to taxation or privacy laws might lead Facebook to
consider different options for future investment and growth in Europe.
I also want to commend you once again for your leadership during your
Presidency of the EU. You made enormous progress. When it came to the
European Data Protection Regulation, you and your staff really internalised
our concerns and were able to present them in a reasonable way, which has
had a positive impact ...We hope we can rely on you for your continued
leadership on this regulation since we still have more work to do here. Along
the same lines, I was pleased to hear that you are so involved in the OECD
working group process on tax reform. These discussions will be very
complicated and important, and we hope to be helpful to you identifying the
implications with different options for future investment and growth in
Europe. We are keen to collaborate with your office on this, just as we have on
the DPR.
After the one-to-one meeting in Davos, Facebooks Senior Policy team,
comprising 15 executives from Washington, California, Dublin, and across
Europe, requested a personal meeting with the Taoiseach in Government
Buildings on February 6 2014.
Mr Kenny did not meet the delegation but instead sent his special adviser,
Paul OBrien, the Secretary General to the Government, Martin Fraser, and
two of the Taoiseachs experienced assistant secretaries with responsibility for
international economic matters, Lorcan Fullam and John Callinan.
They discussed the need for one tax regulator in the EU, and also the issue of
who would replace Billy Hawkes as Data Protection Commissioner. Mr
Hawkes was to retire on August 31 that year.
Mr Hawkes had refused the investigation on the legal grounds that Facebook
was entitled to send data from the EU to the US under EU Commission Safe
Harbour provisions. However, at the time when Ms Sandberg was being
granted personal access to the Taoiseach, a subsequent judicial review in the
Irish High Court had been initiated, which again threatened Facebooks
bottom line.
Two days after this June 2014 meeting, Ms Sandberg wrote to the Taoiseach
and invited him to open Facebooks new Nama-funded headquarters in Silicon
Docks in November that year.
The letter was used to again lobby the Taoiseach on taxation and Data
protection, and to warn about the consequences of disappointing Facebook,
which would involve the company having to revisit its investment strategies
for the EU.
We agree with you that to have a true Single Market approach, it is important
to have one regulator, whether on privacy or tax, to enable businesses and
benefit consumers across the EU. Without this, the risk is that companies will
revisit their investment strategies for the EU market. We hope you will
continue to play a leadership role on the Data Protection regulation since
there is still more work to do there.
It was helpful to hear how you are focused on finding a strong successor to
Billy Hawkes, as Data Protection Commissioner for Ireland. Billy will be a
hard act to follow and we are hopeful that his successor will be someone who
will establish a collaborative working relationship with companies like ours
and be able to lead on the important issue of data protection compliance in
Europe.
By June the following year the government had increased the funding for the
Data Protection Commissioner, according to a memo prepared after a meeting
between then Minister for Enterprise Jobs and Innovation, Richard Bruton,
and senior Facebook executives who had travelled to Ireland to discuss
building a 200m Data Centre in Clonee, County Meath on June 3 2015.
Minister Bruton outlined the economic work of the Government over recent
years, the appointment of a Minister of State for Data Protection, the fact that
we work closely with the EU on Data issues and that we recently strengthened
the office of the Data Protection Commissioner by allocating additional
resources," the document reads.
Investigation
In October 2015, the European Court of Justice declared that the Safe
Harbour provisions were invalid - a move which led to Hawkes successor,
Helen Dixon agreeing to investigate the claims against Facebook Ireland.
Ms Dixon reopened the investigation, and took a case asking the Irish High
Court to refer to the Court of Justice of the European Union the question of
whether so-called standard contractual clauses (SCCs) used by Facebook and
others to transfer data from the EU to the US, are valid. After 20 days of
evidence, judgment in the case was reserved in the Irish High Court in March
2017. A decision is still awaited.
Facebook appears to have won some concessions. The regulation does not
apply to the processing of personal data for national security activities or law
enforcement. However, the data protection reform package includes a
separate Data Protection Directive for the police and criminal justice sector
that provides robust rules on personal data exchanges at national, European
and international level.
Ms Sandberg will also have been pleased to note that under the new
regulation, there is to be a one-stop-shop for privacy complaints, where
businesses deal with the Data Commissioner in the country of their main
establishment.
In this case, this means Facebook will be dealing with Ms Dixon, the former
companys registrar and civil servant who is now Irelands Data Protection
Commissioner.
1
FaBrian Carroll
May 29 2017
cebook COO Sheryl Sandberg and Taoiseach Enda Kenny
Facebook chief, Sheryl Sandberg, personally lobbied the Taoiseach at one-to-
one meetings and in correspondence, on who would be appointed as Irelands
next Data Protection Commissioner.
Ms Sandberg doesnt specifically name any preferences she has for potential
successors in the documentation. She makes clear, however, that Facebook is
interested in who the appointment will be, and that whoever is appointed is a
strong candidate as Mr Hawkes was a hard act to follow.
She says in the documentation that she hopes whoever is appointed to the
position will be able to collaborate with Facebook and provide leadership on
the data protection issue in Europe.
Two days after the Davos meeting Ms Sandberg writes to Mr Kenny, and is
sure to warn how changes to taxation or privacy laws might lead Facebook to
consider different options for future investment and growth in Europe.
Mr Kenny did not meet the delegation but instead sent his special adviser,
Paul OBrien, the Secretary General to the Government, Martin Fraser, and
two of the Taoiseachs experienced assistant secretaries with responsibility for
international economic matters, Lorcan Fullam and John Callinan.
They discussed the need for one tax regulator in the EU, and also the issue of
who would replace Billy Hawkes as Data Protection Commissioner. Mr
Hawkes was to retire on August 31 that year.
Mr Hawkes had refused the investigation on the legal grounds that Facebook
was entitled to send data from the EU to the US under EU Commission Safe
Harbour provisions. However, at the time when Ms Sandberg was being
granted personal access to the Taoiseach, a subsequent judicial review in the
Irish High Court had been initiated, which again threatened Facebooks
bottom line.
Two days after this June 2014 meeting, Ms Sandberg wrote to the Taoiseach
and invited him to open Facebooks new Nama-funded headquarters in Silicon
Docks in November that year.
The letter was used to again lobby the Taoiseach on taxation and Data
protection, and to warn about the consequences of disappointing Facebook,
which would involve the company having to revisit its investment strategies
for the EU.
We agree with you that to have a true Single Market approach, it is important
to have one regulator, whether on privacy or tax, to enable businesses and
benefit consumers across the EU. Without this, the risk is that companies will
revisit their investment strategies for the EU market. We hope you will
continue to play a leadership role on the Data Protection regulation since
there is still more work to do there.
It was helpful to hear how you are focused on finding a strong successor to
Billy Hawkes, as Data Protection Commissioner for Ireland. Billy will be a
hard act to follow and we are hopeful that his successor will be someone who
will establish a collaborative working relationship with companies like ours
and be able to lead on the important issue of data protection compliance in
Europe.
By June the following year the government had increased the funding for the
Data Protection Commissioner, according to a memo prepared after a meeting
between then Minister for Enterprise Jobs and Innovation, Richard Bruton,
and senior Facebook executives who had travelled to Ireland to discuss
building a 200m Data Centre in Clonee, County Meath on June 3 2015.
Minister Bruton outlined the economic work of the Government over recent
years, the appointment of a Minister of State for Data Protection, the fact that
we work closely with the EU on Data issues and that we recently strengthened
the office of the Data Protection Commissioner by allocating additional
resources," the document reads.
Investigation
In October 2015, the European Court of Justice declared that the Safe
Harbour provisions were invalid - a move which led to Hawkes successor,
Helen Dixon agreeing to investigate the claims against Facebook Ireland.
Ms Dixon reopened the investigation, and took a case asking the Irish High
Court to refer to the Court of Justice of the European Union the question of
whether so-called standard contractual clauses (SCCs) used by Facebook and
others to transfer data from the EU to the US, are valid. After 20 days of
evidence, judgment in the case was reserved in the Irish High Court in March
2017. A decision is still awaited.
Facebook appears to have won some concessions. The regulation does not
apply to the processing of personal data for national security activities or law
enforcement. However, the data protection reform package includes a
separate Data Protection Directive for the police and criminal justice sector
that provides robust rules on personal data exchanges at national, European
and international level.
Ms Sandberg will also have been pleased to note that under the new
regulation, there is to be a one-stop-shop for privacy complaints, where
businesses deal with the Data Commissioner in the country of their main
establishment.
In this case, this means Facebook will be dealing with Ms Dixon, the former
companys registrar and civil servant who is now Irelands Data Protection
Commissioner.
http://www.independent.ie/irish-news/revealed-how-
facebook-chief-sheryl-sandberg-lobbied-taoiseach-enda-
kenny-over-data-protection-role-and-taxation-
35765139.html?utm_content=bufferab267&utm_medium
=social&utm_source=twitter.com&utm_campaign=buffer