
One Year Plus One Month

There is a revolution coming; in fact it has arrived. The revolution is favourable to persons, to individuals.

A person is, in principle, entitled to control of her data. If government or commercial interests wish to use that data they must comply with the General Data Protection Regulation (GDPR).

The GDPR is current law and comes into effect on 25th May 2018. That date represents a cliff-edge. That edge has been made more severe due to Brexit.

Brexit, as the UK has expressed it to date, is in principle a wish to evade EU laws (including the GDPR).

However, every UK-based entity/undertaking, the UK itself, will be exposed to the GDPR, subject to its provisions and obliged to comply with those provisions while it is processing the data of EU citizens.

Contemporaneous with that, every Irish entity, the Irish state itself, must ensure that any data sent to the UK from Ireland, the process of sending it, is in compliance with the GDPR. That may result in the necessity of stopping data flows to the UK, in order to avoid triggering a breach of the GDPR in Ireland.

Breach of the GDPR will expose entities to considerable penalties in the form of fines. Undertakings are exposed to the possibility of being fined up to €20 million or 4% of annual global turnover, whichever is the higher.

Undertakings in Ireland, holding data, may not hold that data unless the data was obtained fairly. The concept of fairness carries the obligation to give detailed information about how data is processed, the grounds being used to justify processing data, (just holding data is “processing”), what rights individuals have to access, delete and “port” data, and object to processing.

There is a lot to do.

Brexit

“Brexit” is a neologism and a portmanteau word. It is one we have become familiar with in recent months. I doubt it is in any dictionary, being too new.

Nevertheless, looking things up in dictionaries can be useful, even though you can’t find the word you are searching for. In connection with Brexit, “nominalism” is worth a look, about which my dictionary commences – “… a denial of the existence of abstract entities of any kind…”.

Brexit is surely an abstraction, currently lacking a definition, but a complete refutation of nominalism.

Of lesser weight, but still significant, is a common error of grammar heard from Ernie Wise on the BBC in 1987; “Everyone got used to the image of Eric and I”.

Ernie was handicapped by the absence of helpful books on grammar in bookshops. There are books on grammar in bookshops but they are not helpful.

The New Yorker once featured a cartoon showing a cop writing a “traffic ticket”. The malefactor is driving a van with “ME AND WALLYS PRODUCE” on the side. The cop is saying; “Sorry, but I’m going to have to issue you with a summons for reckless grammar and driving without an apostrophe”.

Words matter.

Submission to the Oireachtas Committee on Health re Part 2 of the General Scheme of the Health Information and Patient Safety Bill

This submission was made today, slightly after the deadline of 3pm.

Nonetheless, I have submitted it for the consideration of the Oireachtas Committee on Health in response to their call for submissions.

I post it here for reference. Printable version can be downloaded here:

***

HEALTH INFORMATION AND PATIENT SAFETY BILL

Analysis of Part 2: PERSONAL DATA, PERSONAL HEALTH DATA AND PERSONAL HEALTH INFORMATION

By Simon McGarr, McGarr Solicitors

Section 5 (1)

“Nothing in this Act shall be construed as permitting the processing of personal data and personal health data in contravention of the Act of 1988 except to the extent provided by any provision of this Act.”

Comment: The Data Protection Acts are a transposition of EU Law (specifically, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 (the Data Protection Directive)) and any national legislative provision which purports to restrict, amend or create exemptions from same is ineffective. The State must be bound by the provisions of the Data Protection Directive and its national transposition in the Data Protection Acts. The Acts permit specific and limited infractions on a citizen’s data protection rights, but only when such a provision is both provided for by law and (it is important to note that this is an additional requirement) only when such legal provision is necessary and proportionate. (See joined cases C-293/12 and C-594/12, Digital Rights Ireland and Seitlinger and Ors)

All of which is to say that, if there are any modifications of the Data Protection Acts which are not already in compliance with those Acts, then they are, by definition, not in compliance with Ireland’s duties to apply EU Law.

Section 6:

This right already exists in Section 6 of the Data Protection Acts. It is common, for example, for Plaintiffs in personal injury actions to make Data Access Requests for their Personal Data from medical providers and to nominate their solicitors to receive same on their behalf. Though it is couched in such a way as to create an additional right (the right to compel the delivery of medical records to a nominated third party), this right is already dealt with in the Data Protection Acts. This section appears to instead seek to create a parallel data access right to that already granted under Section 4* of the Data Protection Acts, but, in sub-Section (2), to purport to create additional requirements upon a data subject in making a request and in subsection (3) to create exemptions from the requirements to respond to Data Access Requests and in subsections (4) and (5) to create further exemptions from the requirement to provide records to a data subject on receipt of such a Request. It is not open to Ireland as an EU member state to create such a divergent data subject access system. Subsection (6), which states that subsections 2-5 of that heading is without prejudice to the rights under the Data Protection Acts simply recognises the legal reality while also rendering subsections 2-5 ineffective. Subsection 8 attempts to define a class of personal data records as not falling within the definition of health records. Again, it is not available to an EU member state to seek to redefine the definition of personal data or classes thereof.

It is not possible to restrict EU Law rights by national legislation, simply by asserting that such a restriction is without prejudice to the EU law rights.

Section 7

This seems sensible.

Section 8.

No comment on this section

Section 9

This section is to be welcomed. However, it is not clear that it is helpful to try to create a new category of data “personal health information”. It would be better to use the terms defined in EU law and caselaw- “Sensitive personal data” and “personal data”. Any domestic category will have to be interpreted at some point to identify which EU category it sought to embody.

Section 10

This is the section most impacted by the decision in the Bara and Digital Rights Ireland cases. This section simply is not in compliance with EU Law as interpreted by the CJEU and should be redrafted to bring it in line with same. In addition, Subsection (5) of this head is an infringement on the Independence of the Data Protection Commissioner, a right derived from the Charter of Fundamental Rights of the EU and the Data Protection Directive.

Section 11

This section is outside my competency to comment upon.

Section 12

Subsection (5) of this head is an infringement on the Independence of the Data Protection Commissioner, a right derived from the Charter of Fundamental Rights of the EU and the Data Protection Directive.

*originally, incorrectly, this cited Section 6

McGarr Solicitors representing Syrian refugees

UNHCR/Achilleas Zavallis

McGarr Solicitors is acting for a number of Syrian refugees being held in Greece including Ensaf, 13, and her father Bashar. They are challenging the decisions of the European Council that have led to them being kept apart from Ensaf’s mother Layali and her brother Riyad, 15, now safely resettled in Germany.

Last year their home in Syria was bombed, and the family’s priority was to use what little money they could scrape together to get their deeply traumatised son out of Syria. Layali and Riyad went ahead, and Ensaf and Bashar waited in Syria while Bashar recovered from a head injury from the bombing.

But the day Ensaf and Bashar arrived in Greece by rubber dinghy was the 20th of March, the first day the EU-Turkey Agreement was implemented, mandating that “All new irregular migrants crossing from Turkey to the Greek islands as of 20 March 2016 will be returned to Turkey.” As a direct result of the decisions taken by the Taoiseach and the other members of the European Council unanimously voting for the EU-Turkey Agreement, Ensaf and Bashar are still stuck in Greece, waiting in an administrative limbo where they are unable to access their legal right to reunite with their waiting family in Germany.

EU Law

EU law recognises the importance of family reunion amongst refugees. The Dublin Regulation allows a family member arriving in a Dublin Regulation country (such as Germany) to apply for immediate family members to join them.

The EU was conceived in the midst of the greatest refugee crisis in European history. The 1948 Universal Declaration of Human Rights guarantees a ‘… right to seek and to enjoy in other countries asylum from persecution’ and in 1951 the Geneva Convention defined refugees’ specific rights, including the right not to be forcibly returned to countries they have fled.

On the 24th June 2016, our office issued proceedings naming the European Council, the European Union, Ireland and the Attorney General as defendants. All the defendants have now entered conditional appearances (nominated their legal representatives). We will be seeking to have the case referred to the Court of Justice of the European Union (CJEU) for a decision on the legality of the European Council’s actions that have left Ensaf and her family divided.


This case is being brought on behalf of families in two different countries. But clearing the blockages to their reunification has the potential to bring resolution and reunification to many of the families similarly victimised, separated and trapped in European camps by the arbitrary actions arising from the unlawful EU-Turkey Agreement.

All of which is the sort of thing you’d expect to read about on a solicitor’s website, but doesn’t carry the emotional weight of listening to one 13 year old girl and her mother who just want to be together again.

Microsoft wins in US Warrant Case over data in Ireland

US 2nd Circuit Courthouse where Microsoft win their warrant appeal

As readers with long memories may recall, McGarr Solicitors and White and Case of NY represented Digital Rights Ireland, joined by Liberty and the Open Rights Group in their amicus application to the United States Court of Appeals for the Second Circuit in support of Microsoft’s appeal against an order in respect of a Warrant seeking certain data which was located in Dublin.

You can read about that, including the full text of the amicus brief as filed, at our post on the matter.

Today the result of the case came out, with two written judgments, both concurring that Microsoft should prevail and that the orders of the lower courts should be reversed and vacated.

Judgments

You can download and read the joint judgment of Judges Carney and Bolden here.
However, I would also suggest- if you are the sort of reader who is interested in these matters- that the concurring judgment of Mr. Justice Lynch is also well worth reading. He has made a special point of addressing the role of Congress in updating US law to take account of both privacy concerns and the concerns of other sovereign states.

He closes his judgment;

I fully expect that the Justice Department will respond to this decision by seeking legislation to overrule it. If it does so, Congress would do well to take the occasion to address thoughtfully and dispassionately the suitability of many of the statute’s provisions to serving contemporary needs. Although I believe that we have reached the correct result as a matter of interpreting the statute before us, I believe even more strongly that the statute should be revised, with a view to maintaining and strengthening the Act’s privacy protections, rationalizing and modernizing the provisions permitting law enforcement access to stored electronic communications and other data where compelling interests warrant it, and clarifying the international reach of those provisions after carefully balancing the needs of law enforcement (particularly in investigations addressing the most serious kinds of transnational crime) against the interests of other sovereign nations.

The full concurring judgement can be read and downloaded as Microsoft Concurring Opinion 2d Cir at that link.

Application by EFF and DRI in DPC v Facebook and Schrems

On Friday 17th June 2016, McGarr Solicitors attended before Mr. Justice McGovern in the High Court on behalf of Digital Rights Ireland and the Electronic Frontier Foundation, a US non-profit. Counsel applied for leave to file papers to support applications by our clients to be joined as amici curiae in the case of Data Protection Commissioner -v- Facebook Ireland Limited and Maximillian Schrems.

The DPC is seeking a reference to the CJEU arising from Mr. Schrems’ complaint regarding the transfer of his data to the US by Facebook Ireland Ltd. She is seeking a decision of the CJEU on the compatibility of the “Standard Contract Clauses” mechanism with the Data Protection Directive, EU Treaties and the Charter of Fundamental Rights.

The application follows the prior decision by the CJEU last year arising from a case taken by Mr. Schrems against the DPC to strike down the ‘adequacy decision’ of the EU Commission underpinning the Safe Harbour system. Digital Rights Ireland had been joined by Mr Justice Hogan as an amicus party in those earlier proceedings.

Mass deportation is a mass breach of EU law

It is in Ireland’s interest (and the interest of the people of the EU) that the European Union endure.

It is possible that the European Council http://europa.eu/about-eu/institutions-bodies/european-council/index_en.htm (including Enda Kenny) made a major error on 18th March 2016 (two days ago), undermining the EU.

Reputedly, the European Council agreed the terms of a Joint Action Plan with Turkey. Currently, the exact terms of the Joint Action Plan have not been released to the public. Instead, the public has been issued a document called “EU-Turkey statement, 18 March 2016”.

For Turkey, Joint Action Plans are easily concluded. Like Ireland, (before it joined the EU) the government of Turkey is not open to challenge on legal grounds when it conducts its foreign policies. For the European Union, that is not the case. The EU institutions (the European Council is one) are bodies bound by law. The European Council cannot lawfully conclude agreements with non-EU countries on a discretionary basis, without reference to the legal constraints on the European Council. The “EU-Turkey statement, 18 March 2016” acknowledges this in some of its terms.

It provides for, among other things, mass returns of refugees, mostly Syrian, to Turkey, while denying that the returns will have that character.

The problem for the European Union (and the European Council) is that refugees have individual rights under EU and other law. Mass returns are a breach of those rights.

The “other law” includes the Convention Relating to the Status of Refugees (1951) (http://www.unhcr.org/3b66c2aa10.html). This is a UN convention and it is binding on the EU (and its Member States). So too is Article 4 of the 4th Protocol to the European Convention on Human Rights (http://www.echr.coe.int/Documents/Convention_ENG.pdf). It prohibits collective expulsion of aliens.

It is possible to see in the Joint Action Plan a repetition of the situation faced by the Roman Empire in 378 AD, when a substantial body of Goths, fleeing the Huns, appeared on the north bank of the Danube and requested permission from the emperor to cross into the Empire. The results are commonly thought to have begun the collapse of the Roman Empire.

It is possible to criticise the European Council for being politically weak; the Syrian refugees, generally, want to remain in Syria. They will return when the conditions permit them to do so. Also, the EU can absorb, or provide for, even the numbers of refugees that are seeking shelter in the EU. Unfortunately, some European electorates (and governments) are moving to the political right and causing problems in some Member States.

However, these aspects of the matter pale into insignificance when the lack of legal basis of the European Council plan is considered. What can be done when the EU behaves illegally?

This is a known problem with a known solution. Bringing the issue to the Court of Justice of the EU is the answer.

A common form of action to bring this about is the Preliminary Reference procedure. http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=URISERV%3Al14552

Under this procedure, a national court refers questions of EU law to the CJEU to determine the validity of the EU law or other act.

Dept of Health and Data Protection Commissioner files on Individual Health Identifiers

Seeing as everyone is very busy with the election, I thought I’d give you something a bit different to read.

So, thanks to an FOI request, please find below the documents detailing exactly what has and has not been agreed between the Department of Health and the Office of the Data Protection Commissioner in advance of the DPC receiving any complaints from the public.

The files raise issues about the appropriateness of the relationship between the Independent regulator and the State it is meant to regulate.

However, they also show that, close as they were, even the DPC weren’t happy with the HSE being put in charge of any IHI database. At the very first meeting, the minutes note;

Expressed concerns about any proposal to locate the Designated Issuing Authority in the HSE and in particular within PCRS, as currently operated; the DPC currently has a number of concerns about PCRS

Guess what? The HSE ended up as the IHI governing body.

The documents also make clear that ‘mission creep’ for the health identifiers was baked into the plan from the very start. The DPC is memo’d as

Questioned the intention to use the proposed Health Number in the administration of “rent allowance”.

Plenty of other interesting things for the curious reader below.

HSE-DPC Correspondence Re IHI FOI by Simon McGarr

How does the FTC know what data is being transferred from the EU to the US?

Seal of the US Federal Trade Commission

On the 8th January last, a report caught my eye.

At the Consumer Electronics Show in Las Vegas, one of the Federal Trade Commissioners was talking about the Schrems case and its potential economic impact.

Commissioner Brill said that the

“vast majority of data impacted by Safe Harbour decision is HR data, which impacts jobs on both sides of the Atlantic.”

I was struck by this assertion. It seemed unlikely, to say the least, that the volume of data transferred from the EU to the US on a daily basis was mostly HR data and not- say- the gigabytes of Facebook’s user data.

But what I also wondered about was how the FTC had somehow received intelligence which outlined the quantity and content of all the data being transferred, broken down by what the data was about.

So, I sent in a request under the US Freedom of Information Act.

I write further to the reported remarks of Commissioner Brill.

Commissioner Brill is reported to have stated “Vast majority of data impacted by Safe Harbor decision is HR data, which impacts jobs on both sides of the Atlantic.”

I wish to make a request under the US Freedom of Information Act for any and all documents, held in any format;

1) Which measure, assess or otherwise quantify the amount of data “impacted by the Safe Harbour decision” (which I have taken as a reference to the decision of the Court of Justice of the European Union in the case of Max Schrems v The Data Protection Commissioner)

And/or

2) which measure, assess or otherwise quantify the nature of the data “impacted by the Safe Harbour decision”, such that its purpose and use is ascertained

And/or

3) specifically, which measure, assess or otherwise quantify the proportion of the data “impacted by the Safe Harbour decision” which is HR data.

Please provide these documents to me in electronic format.

For clarity, I act as solicitor for Digital Rights Ireland, a notice party in the Court of Justice hearing in the Schrems case.

Yours faithfully,

Simon McGarr

McGarr Solicitors

Yesterday, I received a response from the FTC explaining that due to ‘unusual circumstances’ they couldn’t answer my query within the normal time limits because they had to consult with ‘another agency’ which had a ‘substantial interest in the determination of the request’.

The agency is not named.

You can read the full response below

Extension Letter FTC

UPDATE: Here’s 80 odd pages from the FTC of the 400ish they found, by way of a Partial Disclosure in response to this query. It’s pretty illuminating of the view of the US state machinery following the Schrems case.

FTC FOIA Release on Safe Harbour

The Privacy Shield: The deal on EU/US Safe Harbour data that wasn’t there

Cartoon of Safe Harbor wreckage

Yesterday the EU Commission and the US government announced that, having burst past the deadline of Sunday set by Europe’s Data Protection Authorities (collectively called the Art 29 Working Party because that’s how the EU is), they had secured an 11th hour deal on transfers of personal data across the Atlantic.

Safe Harbour (and Safe Harbor) was no more, they trumpeted, replaced by something that is spelled the same in English for both parties- The Privacy Shield.

EU-US Privacy Shield Logo

How can I say there isn’t a deal? It has its own logo!

These are some of my initial thoughts on the announcement, and why there is less to it than the two negotiating sides would hope you might think.

Firstly, and contrary to what the Commission and the US greatly desired to assert, this is not a deal done to replace Safe Harbour. It is not a deal at all. The EU Commission, as the clock ran out before the Art 29 meeting of tomorrow, simply agreed to take the US’ last negotiating position to the rest of the other players in the EU decision-making machinery.

Here, buried three quarters down the Commission press release is the description of what is actually agreed the EU will do.

The College has today mandated Vice-President Ansip and Commissioner Jourová to prepare a draft “adequacy decision” in the coming weeks, which could then be adopted by the College after obtaining the advice of the Article 29 Working Party and after consulting a committee composed of representatives of the Member States.

So the EU will spend ‘weeks’ drafting a text, and then they’ll try to bring the Art 29 Working Party on board with that text and then finally they’ll have to finalise it with all the Member States.

What we actually have here is a desperate PR effort to buy more time before the EU Commission and the US have to face the consequences of the legal incompatibility between the EU’s Charter of Fundamental Rights and the US’ commitment to mass surveillance.

And that’s it. That’s all the Privacy Shield is- a noisy trumpet blast aimed at just one audience, the Art 29 Working Party. It’s intended to persuade them to give the Commission more time (after, let us not forget, in excess of three years of fruitless negotiations with the US) before they start to actually enforce the law.

It’s pretty transparent- but it was worth the throw of the dice for the two negotiating partners. Without something to say at the end of Tuesday, some data flows between the US and the EU were going to be suspended by the close of business today.

Whether it will have its intended outcome (‘let’s just keep going without a legal basis for data flows, eh?’) will depend on whether the Art 29 group are willing to spool the process out even further.

If not, the Privacy Shield could be the shortest-lived ‘deal’ in history, falling immediately into disuse if – after today’s meeting- one or more of the EU’s institutionally independent Data Protection Authorities finally decides that their job is to uphold the actual law, rather than to wait around for a new one to appear some day in the ever-receding future.