Digital Rights Ireland Data Retention Case

The High Court is seeking submissions from the parties to the Digital Rights Ireland case. See the Pleadings HERE.

The Court is seeking suggestions as to the form of questions to be submitted to the European Court of Justice. DRI has, in its Statement of Claim, suggested a form of question or questions to be submitted. Clearly, the High Court is not convinced that the form of question suggested by DRI is exactly right (or is seeking the assent of the State to DRI’s form of question). The hearing next Wednesday will show us which is the case.

DRI’s case is brought in its own name, but it is an action with implications for every citizen of Ireland, whether they know it or not.

For this reason McGarr Solicitors have published DRI’s pleadings on the Web since 2006. This is reasonable; the Respondents are, in effect and name, the State. The issues are public law issues and there can be no prevailing claim to privacy on those issues from these Respondents. It is worth noting that it is not common, to put it at its lowest, to see pleadings of current proceedings published but there is usually an exception to every rule and we have one here.

Between now and next Wednesday we will re-formulate the questions to go to the ECJ. These questions will form part of the Order of the Court making the reference to the ECJ. We currently estimate a two year wait to get a hearing in the ECJ. Delay is inevitable; every Member State of the EU has a right to intervene and be heard in the matter. That implies that every Member State must receive a copy of the Questions and the parties’ submissions.

Data Theft

The UK mobile phone operator T-Mobile has reported the theft of its customers’ personal information. T-Mobile (and the UK Information Commissioner) say the employee(s) received substantial payments for the information.

If this happened in Ireland the employee would be guilty of an offence under The Public Bodies Corrupt Practices Act 1889, as extended by The Prevention of Corruption Act 1916.

The payment is a bribe.

So sorry!

There is good reason to say that Governments have little concern about the protection of personal data, as previously posted HERE.

In a similar critical mind, the House of Lords has proposed, as reported HERE, the criminalization of abuse or recklessness with respect to personal data.

The problem is considerable even at the level of mere carelessness as seen HERE.
An equally serious problem is abuse by State agencies and quangos; an example HERE.

As can be seen from the terms of the Regulation of Investigatory Powers Act 2000, to treat dog fouling or the like as a suitable cause to authorize surveillance is to act disproportionately to minor problems such as, well, dog fouling.

A zealot is never a reasonable person and seems capable even of shooting-oneself-in-the-foot behaviour, as seen HERE.

Ireland’s EU veto

Christine Lagarde, the French finance minister, is on record as saying that France will use the presidency of the Council of Ministers in the EU to, effectively, change Ireland’s low corporate tax rate.

The Irish Government says this cannot happen: Ireland has a veto and will use it, therefore the Irish position is safe.

Mr. Barroso has made placatory noises on the same issue. (In fact he has started the process of undermining the Irish “veto”).

What is the reality?

It is to be found in the occasion when Ireland used its veto and was ignored.

This happened on 15th March 2006. The issue was the adoption by the Council of Ministers of what became Directive 2006/24/EC. Ireland voted against its adoption, casting a veto thereby. Ireland’s veto was effective if, as was Ireland’s view, the issue fell within “the 3rd Pillar”. Otherwise it was not.

The issue was driven by Charles Clarke, the UK minister. His brief in the UK was police and security. He tied the issue to the bombing of London. Issues such as that are 3rd Pillar issues. The Council adopted the proposal as a 1st Pillar issue, basing it on Article 95 of the EC Treaty. Ireland disagrees with this and its opinion is shared by the European Data Protection Supervisor.

Ireland has challenged the legal base for the adoption of Directive 2006/24/EC in the European Court of Justice. The case is pending. If Ireland is successful the Directive will be struck down.

(Mr. Barroso was president of the Commission in 2006).

Surely tax is more important than privacy?

Wrong question.

In 2006 the question was, is Ireland more important than the UK?

Now the question is, is Ireland more important than France?

Words matter.

Mr. Barroso’s definition of a veto is not a veto in Europe. Therefore it is not a veto.

I do not think anyone ever defined “3rd Pillar” and we now see the consequences of allowing woolly speech where precision was required.

A cup of tea for Mr. Obama!

Barack Obama is a US citizen. This can be inferred from the fact that he is a candidate for nomination to run for President and, now, information that he applied for, and presumably got, a US passport (he is not from US Samoa).

The power to grant that passport lies with the US Government. That power connotes the power to keep the applicant’s personal details on file. That file, it can be inferred, is electronic. This can be inferred because the evidence that the file was accessed, and accessed unlawfully, consists of the IT record generated by each access. A person accessing the record must use a personal login code.

Unlawful access is no big deal.

This can be inferred from the fact that, although there are criminal penalties for wrongful access of records, nobody is being prosecuted for the wrongful accessing of Barack Obama’s file. The applicable legislation is the Privacy Act 1974.

The relaxed attitude to the accessing of his file may be accounted for in several ways; firstly, the accessing was done under authority; secondly, anyway, as is known, the passport itself is not secure. (The modern US passport is biometric and contains an RFID chip. The chip can be read at a distance. The passport is supposedly shielded to prevent this but it is doubtful if it is effective.) Thirdly, so what? What is he complaining about? What can be in his passport file that he is anxious to hide?

I suggest the true reason is very deep; candidate or no, Barack Obama is, essentially, on the wrong side of an asymmetric relationship. The State has and owns the information it took from him and feels no obligation to him for that. In short, the Privacy Act 1974, like all such provisions anywhere, is a sop.

(As I have maintained HERE, the “State” is an abstraction. Its wrongful acts are the acts of its agents who should always be made answerable for those acts.)

In Ireland the equivalent provisions are found in the Data Protection Act 1988 and the Data Protection (Amendment) Act 2003. The latter was passed supposedly to transpose the provisions of Directive 95/46/EC.

These provisions are toothless. Essentially, they provide for the establishment of a regulator, the Data Protection Commissioner. If he (it has always been a he) receives a complaint he may investigate it. He is not obliged to prosecute an offender.

He may not have the resources to prosecute; he is, generally, dependent on the Government for resources. At least once in the recent past those resources dried up to almost nothing. (Arguably, the Commissioner is of the same category of regulator as the Information Commissioner, but without the independence she has. The Government has been resolute in whittling away at her authority, mainly through the provisions of the Freedom of Information (Amendment) Act 2003.)

If Barack Obama were to lodge his complaint with the Irish Data Protection Commissioner there is every reason to expect he would be met by a Michael Mukasey response;

“I don’t want to speculate but if somebody walked in here with a box full of evidence, they wouldn’t be turned away.”

Tea and sympathy?

Facebook’s European Privacy Problem


There is a suggestion in the Irish Times that Facebook Inc may be considering locating a European base of operations in Ireland. In that context it may be useful to consider the current situation regarding Facebook, its attendant applications and their use of Irish and European users’ Personal Data. The main question is whether all of Facebook’s behaviour is in compliance with Europe’s Data Protection Law, and the extent to which that law may apply to either Facebook Inc or any of the controllers of the Applications which rely on its systems.

This discussion is intended to be readable by a non-lawyer but it is inescapable that some law has been quoted. Please bear with us through the legislative turbulence.

Data Protection’s Roots
The EU’s Data Protection Directives were introduced to eliminate potential inhibitions to trade arising from differing degrees of Data Protection in Member States. Directive 95/46 explicitly recognises the right to privacy contained in EU law and in the European Convention on Human Rights (ECHR). Breaches of that general right to Privacy are only acceptable if justified under the exceptions allowed for in Article 8 of the ECHR. See this informative posting by Thomas Otter for more background.

The Directives and the implementing Acts are intended to protect the personal data of EU citizens in a uniform manner across the EU. Personal Data is defined by Directive 95/46 Art 2(a) as

any information relating to an identified or identifiable natural person

What is the meaning of Processing in the context of the Directives?

Directive 95/46 defines it as including, but not being limited to

collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction

Directive 95/46 Art (3)(2)(e) allows an exception for

processing of data carried out by a natural person in the exercise of activities which are wholly personal or domestic, such as correspondence and the holding of addresses.

It should be clear that a PR person dealing with their address book falls outside this exemption, but that it allows for private people to keep a gmail address book, and even perhaps to check it against membership of Facebook, provided that action is entirely personal or domestic. If a person is in a business where networking or keeping connections was required for their work, it is likely that this would fall outside the remit of the above exemption.

Part of The Establishment
Directives are high level legislation which set out what each member state must ensure is law in their jurisdiction. It is up to each member state to bring their laws into line with those aims in whatever form is most suitable for their legal system. In Ireland, the Data Protection Acts set out to whom their provisions apply. In Section 3B, they include entities established in the state. Facebook seems to fall within one of the definitions of an entity established in Ireland. (Section 3B (a)(ii))

makes use of equipment in the state for processing the data otherwise than for the purpose of transit through the territory of the State

I think one such piece of equipment, given the earlier quoted definition of processing as including “dissemination or otherwise making available” personal data, is sitting on my desk.

Facebook Inc already has an office in London. This also puts them within the alternate definition of “establishment” (in the UK) in Section 3A (a) as having

an office, branch or agency through which he or she carries on any activity

But, one of the difficulties for transnational companies is that the Directive doesn’t allow them to pick just one EU country and comply with its Data Protection laws. Directive 95/46 Recital 19 puts an onus on a Data Controller established in multiple territories to fulfill the obligations of all those states.

One of Ireland’s obligations is that if a data controller is outside the EEA (which Facebook Inc is) and the data is processed inside this state (which, we’ve suggested above, happens with Facebook data) they must “designate a representative established in the State” (per the Data Protection Acts Section 3B(c)). I have not been able to find if Facebook has designated anyone as their representative in Ireland.

Consent by the person whose personal data is processed does not remove the duty to register as a data Controller or Processor.

Safe Harbour?
Thomas Otter, whose excellent article on Facebook and Data Protection I linked to above, refers to Facebook Inc as claiming “safe harbour” status. This is a method by which companies and organisations working in countries which have not been deemed to have adequate protection for data may export the data of European citizens to those countries. In effect these organisations pledge to meet the requirements of the Data Protection Directives themselves.

US Companies who want this status must register with the US Department of Commerce and have a Privacy Policy which complies with the terms of the Data Protection Directives. The problem for Facebook Inc is that they seem to have grown so quickly that their systems haven’t caught up with their compliance requirements in this area. For example, as reported by Channel Four News late last year, Facebook will resist requests to delete the Personal Data it holds when asked to do so by the data subject. Alan Burlison was the source of that report, and he outlines on his blog the responses he got from Facebook, and then, following his complaints, from the UK Information Commissioner and from Truste, a 3rd party who certifies compliance with European Safe Harbour requirements.

Here’s the response he initially received;

If you deactivate, your account is removed from the site. However,
we save all your profile content (friends, photos, interests, etc.), so
if you want to reactivate sometime, your account will look just the
way it did when you deactivated.

After Channel Four News came and interviewed him, he received a follow-up email;

We have permanently deleted your account per your request. We do
not retain any information about your account once it is deleted,
and thus deletion is irreversible.

This shows that compliance with the Data Protection principle that a person has a right to have information stored about them amended or erased is technically possible. It just isn’t policy. Which would put Facebook’s real data handling policies at odds with the claim to be a Safe Haven. Which in turn would raise the question of whether it is lawful for it to pass that data outside EEA borders. Which, of course, is exactly what it potentially does every time a developer for the Facebook Platform creates an application.

Failure to comply with the provisions of the Data Protection Act is a criminal offence. If European users suffer a loss arising from unlawfully held personal data they would have grounds for an action against Facebook Inc. Facebook’s privacy policy shows that it is aware of the Data Protection Directives. This potential financial risk is something which they will know or ought reasonably to know about, it can be presumed. I can’t speak for Californian law, but here the common law burden of Director’s duties to their companies may leave those directors personally liable for losses which arise from a breach they ought to have reasonably avoided.

Applications, Complications

In all of this discussion, I’ve treated the Facebook Inc database as a single, unitary item. But, of course, pieces of it are passed to third parties when a Facebook member agrees to install an application. This agreement consists, in total, of not unselecting a tickbox beside the statement “Allow [Application Name] to access my information.” It is arguable that this wouldn’t, by itself, be enough to constitute genuine consent.

Where are these third parties based? Certainly some of them are in Europe. We’re not privy to the terms of any given agreement between Facebook and an Application controller. Nonetheless, questions need to be raised about the data protection standards of the entities or people controlling these applications. Are they registered with the local Data Protection Commissioner in each state they are established? Are they all registered as Safe Harbours if they are based in the US? If not, what liability may attach to the developers or their employers arising from these applications in the case of any future claims?

Endnote
Data Protection law is a relatively new field. There is not a great deal of caselaw clarifying these matters. This puts anyone trying to apply it to a real world situation in the unhappy position of attempting to interpret the legislation, a task best left to judges. Nothing I say here should be taken as legal advice.

THE VIEWS AND COMMENTS EXPRESSED HEREIN ARE THOSE OF, AND PERSONAL TO, THE WRITER, AND ARE INTENDED FOR GENERAL DISCUSSION PURPOSES ONLY. THEY ARE NOT INTENDED TO BE RELIED UPON BY ANY PARTY. NO REPRESENTATION OR WARRANTY IS GIVEN AS TO THE ACCURACY OR CORRECTNESS OF SAME, NOR ARE THEY REPRESENTED AS CONTAINING (OR AS A SUBSTITUTE FOR) LEGAL ADVICE OR ASSISTANCE. NO LIABILITY WHATSOEVER (WHETHER IN CONTRACT, NEGLIGENCE, NEGLIGENT MISSTATEMENT OR OTHERWISE AT ALL) IS ACCEPTED TO ANY PERSON ARISING OUT OF ANY RELIANCE ON THESE VIEWS.

HIV – THE OPERA?

The British NHS proposes to establish a central database of patients’ medical records. Tens of thousands of staff will have access to the information, including non-medical social welfare staff. The total number of patients will be in the millions. Luckily the British medical profession (general practitioners, in fact) are sceptical. They are so sceptical that only 11% say they will deliver the information to the NHS. Presumably those somewhat dense practitioners will deliver the information by means of the aptly named courier, TNT
