
The GDPR is not US Confederate money

Senator Mark Warner is the Democrat Vice Chairman of the US Senate Intelligence Committee.

He issued a policy paper, in some fashion, in July 2018.

It includes the redundant idea that the US should have a law “mimicking” the GDPR (or a watered down version of it). This suggestion was directed to the idea that internet users should be entitled to give or withhold their consent to the use of or access to their personal data.

What the Senator seems not to know is that his fellow countrymen already have, in many situations, the benefit of such a law – the GDPR itself.

See this earlier post, adjunct to the topic, HERE.

We don’t have to read his paper to get some value from it. Clearly, it is predicated on the proposition that US citizens have no rights, in US law, with regard to their personal data (other than, presumably, rights in the law of contract). Good luck with that.

Facebook’s Foundations

Here is a report from the New York Times dated 3rd June 2018. It reports that Facebook has current deals with many “device manufacturers” and that under the deals the manufacturers were given access to the personal data of Facebook users.

The important elements of that story are as follows:

1. The report is of current events, i.e., events after the EU General Data Protection Regulation (“GDPR”) came into force on 25th May 2018.

2. The Facebook users (like the New York Times reporters and the newspaper’s readers) had no knowledge that the “sharing” was going on. (Reputedly, the US Senate is looking into it.)

3. Those Facebook users had not given their consent to the “sharing”.

4. In the absence of explicit consent the sharing was a breach of Article 6 GDPR (and probably Article 9 GDPR).

5. Article 3 GDPR has the effect of extending the GDPR jurisdiction globally.

6. Article 26 GDPR defines “joint controllers”, a definition which on known facts embraces Facebook Inc. and Facebook Ireland Ltd.

7. Consequently, the benefits of the GDPR extend to and are available to any Facebook user affected by the “sharing” by Facebook of the personal data. Those Facebook users can be resident anywhere (including the USA) because Facebook Inc. and Facebook Ireland Ltd. jointly control the personal data of every Facebook user in the world.

8. The relevant regulatory authority to address any complaint arising is the Irish Data Protection Commission. The Commission is a body empowered to apply fines of up to €20 million or 4% of global turnover, whichever is largest.

9. If point 6 above applies, the fine would be levied with regard to the turnover of Facebook Inc. and Facebook Ireland Ltd.

What are Facebook’s users going to do?

Sir Cliff Richard

There are two matters (at least) worth noting in Sir Cliff Richard’s deserved win in the English High court.

Firstly, it is heartening that a group of ordinary [women] citizens were sufficiently integrated as persons that they were immune to the effects of the smear attaching to Sir Cliff as a result of the disgraceful lynching of him by the BBC. Those citizens supported Sir Cliff by cheering for him outside the court on the delivery of the judgment.

Secondly, we in Ireland have seen something similar happen here. The similarity between the events in the UK at the house of Sir Cliff and, previously, those in Ireland comes from one common feature: the actions of the police force in each jurisdiction.

The BBC clearly received advance notice of the planned raid on Sir Cliff’s house. That could only come from the UK police.

On 30th September 1996, in Dublin, the Garda Síochána executed a raid on the offices of Michael E. Hanahoe & Company, solicitors. In a subsequent High court action the court found as a probability that the Garda Síochána leaked the news of the impending raid to the Irish media. The Irish Times was to the fore in taking advantage of that leak and sent reporters and a photographer to cover the raid.

As it happened, the Dublin solicitors sued the Irish state rather than the Irish Times and were awarded substantial damages.

What the BBC should do now is identify the UK police officer(s) that leaked the information to them.

The Facial Images on the PSC are Biometric Data


Contention:

That images of people’s faces which allow or confirm the identification of a person are biometric data and therefore data controllers and processors require a lawful basis under both Article 6 and Article 9 of the GDPR to process that data.

Evidence:

1) The GDPR

Article 4(14) of the General Data Protection Regulation defines biometric data as follows (emphasis added):

‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;

2) Irish Data Protection Commission

The Data Protection Commission has issued an information notice on Biometrics within which it helpfully sets out a number of different forms of data which meet the definition of Biometric data in the Commission’s opinion.

To quote the first type as described is sufficient for our purpose:

1.2 Types of biometric data.

There are three principal types of biometric data:

Raw Images, consisting of recognisable data such as an image of a face or a fingerprint, etc.

3) Article 29 Working Party

Opinion 3/2012 set out two forms of Biometric data, as agreed by the Working Party of all of the EU’s Data Protection Authorities (emphasis added below). This definition was also cited in the Article 29 Working Party’s Opinion on Facial Recognition:

Biometric data can be stored and processed in different forms. Sometimes the biometric information captured from a person is stored and processed in a raw form that allows recognising the source it comes from without special knowledge e.g. the photograph of a face, the photograph of a finger print or a voice recording. Some other times, the captured raw biometric information is processed in a way that only certain characteristics and/or features are extracted and saved as a biometric template

4) Caselaw

Although the GDPR has not yet been litigated before the CJEU, a number of national and EU cases have addressed the definition of facial images as sensitive or biometric personal data.

ECJ C-291/12, Schwarz v. Bochum, 2013: Article 1.2 of Council Regulation (EC) No 2252/2004, which is entitled “security features and biometrics in passports and travel documents issued by Member States” (emphasis added), provides:

Passports and travel documents shall include a storage medium which shall contain a facial image. Member States shall also include fingerprints in interoperable formats.

Case Number LJN BK6331, Dutch High Court, 23 March 2010: specifically confirmed that images of faces alone were sensitive personal data, as they revealed sensitive data, such as ethnicity.

CASE OF S. AND MARPER v. THE UNITED KINGDOM

The European Court of Human Rights, which has an appreciation of the EU’s Data Protection Regime but whose findings are not directly congruent with the CJEU’s on this matter, nonetheless recognised in paragraph 81 of its judgment that facial records were on a par with fingerprint records and voice samples (which are not disputed to be biometric data):

The applicant’s fingerprint records constitute their personal data (see paragraph 68 above) which contain certain external identification features much in the same way as, for example, personal photographs or voice samples

Use the GDPR to find who has advertised to you on Facebook, and get them to delete your details

This is a simple post. Sometimes you get ads on Facebook and you are just not interested in what they’re selling. This is a way to find out who has uploaded your email address into Facebook to target ads at you, and then, if you’re in the EU, how to use the new General Data Protection Regulation to get those advertisers to delete you from their system.

So, here we go.

First, get a copy of all your data from Facebook.

For this you (deep breath):

Login to Facebook

Go to the little arrow in the top right hand corner of the Facebook screen, then select ‘Settings’.

Then, on the left hand menu, select ‘Your Facebook Information’


Then select ‘Download a copy of your Facebook information to keep or to transfer to another service’

Now click the big green ‘Download Archive’ button

Now it’ll ask you to put your password in. Finally, it’ll tell you that it’ll email you when the archive is ready to download. When the email comes and you click on the link it contains, you will eventually download a zip file. Unzip it and you will end up with a folder containing something like this: 

Choose ‘Index’. Then your browser will open a mostly white page with your profile detail showing. On the bottom left side of the screen, you’ll find a menu.

Choose ‘Ads’

Now, scroll down the (likely) very long list until you reach the last section, headed ‘Advertisers who uploaded a contact list with your information’. These people and bodies all have your data; they must, because they uploaded it into Facebook to show you ads.

And, if you’re in the EU, under the GDPR, you can invoke your right under Article 17.1(b) to withdraw consent for these companies to hold your data or process it in any way. Just email them these words any time after the 25th May 2018:

Dear [entity name]

I am currently within the EU and I have learned from Facebook Ireland Ltd that you have in the past uploaded a contact list to the Facebook platform which included my information.

I wish to invoke my right of erasure of that data and any other data you may hold relating to me under Article 17.1(b) of the General Data Protection Regulation. I also wish you, as per Article 17.2, to take steps, including technical measures, to inform controllers which are processing the personal data that I, as the data subject, have requested the erasure by such controllers of any links to, or copy or replication of, my personal data.

Please confirm you have completed this task within one month of the date of sending of this email.

Yours faithfully

[Your name]

If you’re feeling particularly feisty, you can even build an email mail merge by cutting and pasting the whole list into a spreadsheet, finding the contact emails for each of the bodies and then scheduling the message to be automatically sent on the 26th May 2018, one day after the GDPR comes into effect.

Office Notice: Closed due to Storm Emma, reopening Monday


For the safety of our staff and clients, our office is closed today, Friday 2nd March, due to the snowstorm.

We will reopen on Monday 5th March as usual.

In the meantime, we’re still contactable by email on [email protected]

USA -v- Microsoft Supreme Court hearing, Digital Rights Ireland and ORG Amicus Brief


USA -v- Microsoft is an important ongoing case, listed for hearing today before the US Supreme Court.

Microsoft have been very firm that the US government’s efforts to make domestic court orders effective outside of the US are not based on a correct interpretation of US law. While lower courts sided with the US, the Federal Appeals Court of the 2nd Circuit found in favour of Microsoft. You can read the amicus brief submitted by Digital Rights Ireland, Liberty and the Open Rights Group in that earlier hearing.

However, as the case centres around the means by which NY law enforcement are seeking to access data of an email account which resides in Dublin, this Supreme Court hearing is also crucially significant to Ireland and the rest of the EU. For that reason, Digital Rights Ireland instructed us to file an Amicus Brief in the US case, in conjunction with the global law firm of White & Case, who have acted pro bono in their representation. Owen Pell of White & Case’s New York Office has been the lead counsel in the preparation of this Supreme Court brief and we would like to extend particular thanks to him for his collegiality and his expertise.

Given the significance of the case for the wider EU, the Open Rights Group in the UK have joined Digital Rights Ireland as amicus on this brief. We hope it will be of aid to the US court in assessing the significance of the order being appealed by the US government for EU citizens and European states, in the light of the existing US and EU Mutual Legal Assistance Treaty.

You can read the Brief here:

Digital Rights Ireland and Open Rights Group Supreme Court Amicus Brief by Simon McGarr on Scribd

The Data Sharing Agreement re the Public Services Card

It’s a requirement that public bodies sharing personal data, and relying on the provisions of the Social Welfare Consolidation Act 2005 to do so, have an agreement in place first.

I wrote in 2014 about the (eventually) fatal consequences of Irish Water’s attempt to rely on the 2005 Act in the absence of that Ministerial agreement. (It was illegal, and the hundreds of thousands of PPSN records Irish Water collected were subsequently scrapped.)

So, having read through a good deal of documentation on the Public Services Card, I knew that the Department of Social Protection were claiming that they were the Data Controller for the National biometric ID Database which the Card is linked to.

Despite this, for reasons the Dept has chosen to never explain (I could hazard a guess) they have passed the storage and management of that database to the Department of Public Expenditure and Reform.

So I FOI’d the Agreement which underpins that relationship.

You can read it yourself below.

There are striking things about this 2014 document, but one thing stands out above them all.

It’s an agreement between two Ministers, but it’s signed neither by them nor on their behalf. Though the opening text recognises that what is needed is that the Ministers make this Agreement, it is eventually signed by Departmental Officials. It isn’t signed for and on behalf of the respective Ministers either. Rather, it’s signed For and On Behalf of the two Departments.

This leaves us with the entire PSC Database lacking the underpinning of a completed Agreement between the relevant Ministers.

(Oh, and unless it was renewed before 17th February 2016, the Agreement, insofar as there may ever have been one, has lapsed.)

The Public Services Card- An ID database and ID card

There is an excellent article by Elaine Edwards online (but not in the paper) regarding a pensioner whose pension payments have been stopped because she declined to submit to the biometric scanning and so on involved in being given a Public Services Card.

This card has been, to be charitable, inaccurately referred to as voluntary by Minister Paschal Donohoe.

However, if you don’t agree to submit to the carding process (which involves a biometric scan of your face, as well as a system to associate that ID record with your mobile phone) you currently can have any and all your social welfare payments (pension, free travel, children’s allowance, maternity benefit, paternity benefit…) cut off.

In addition, you cannot get a new driving licence, you cannot get a replacement passport if it has been lost or stolen, you cannot get your first passport or be made a citizen.

That’s the list of consequences for not volunteering so far. You can read the ambitious list of planned uses on the Department’s own website. I’ve reproduced it below, for ease of reference. Here’s an excellent piece by Loughlin O’Nolan and Elaine Edwards on just how voluntary this system is.

So, what we have here is a national ID card system which has never been debated by the Oireachtas, isn’t based on any primary legislation and has been introduced (where there is any legal justification for it cited at all) by wilfully forcing a new interpretation onto old legislation.

The Legal Basis that wasn’t there

I’d like to just rattle through some of that claimed legal justification, simply to demonstrate how shaky it is. Anyone who has read my previous pieces on the Health Identifiers Act 2014 and the Primary Online Database may notice some familiar themes emerging.

Here’s what the Department of Social Welfare cites as the legal basis for cutting off the pensions of old ladies who refuse to comply with the demand they get an ID card:

The Social Welfare Consolidation Act 2005, as amended, viz.
– Section 247C(1) of the Act provides that the Minister may require any person receiving a benefit to satisfy the Minister as to his or her identity;
– Section 247C(2) of the Act specifies the consequences of failure to satisfy the Minister in relation to identity as required, specifically that a person shall be disqualified from receiving a benefit;
– Section 247C(3) of the Act specifies the manner in which the Minister may be so satisfied; in effect, this Section describes the process for registering a person’s identity

The first two of those provisions simply say that a person who refuses to satisfy the Minister as to his or her identity may have their payments stopped until their identity has been confirmed. This is a completely reasonable and laudable requirement, necessary to make sure money is going to the right person.

But here, the Department hasn’t said that the lady whose pension they’ve stopped isn’t who she says she is. They’re not denying her identity at all; they know who she is. An official even visited her at her house and was shown her marriage cert. The lady has produced her passport, the document which Ireland expects every other country in the world to accept as proof of identity at their borders.

Again, they know who she is. That’s not why they’ve cut her off. They’ve stopped her pension because she refuses to comply with the biometric carding process.

And for that, they’re relying on Section 247C(3) of the Social Welfare Consolidation Act 2005. The actual provision was only brought in in 2013, in the Social Welfare and Pensions (Miscellaneous Provisions) Act 2013.

The problem for the Department is that, though Section 247C(3) describes a visit to a Social Welfare office, showing some documents and having your picture taken and giving a copy of your signature as being the Minister’s preferred method of you proving who you are, it doesn’t say that the purpose of doing so is to have your data entered onto the national Public Services Card register, with all the subsequent data sharing and processing that involves.

The Act sets out, in a clause not cited by the Department, that this attendance and these records can only be lawfully used for one purpose. Section 247C(1):

“to satisfy the Minister as to his or her identity”

Once that’s done, there is no lawful basis for any further use of that data. No legislative requirement to be placed on an ID register. No basis for sharing the data collected with other government agencies (as envisioned by Section 8 of the Health Identifiers Act, for example).

Joan Burton, when she was Minister for Social Protection, acknowledged that building an ID database was something which couldn’t simply be treated as an administrative act. It has serious and permanent consequences for the relationship between the citizen and the state.

The question of the introduction or otherwise of a national identity card was not part of SAFE’s remit. The matter of establishing a national identity index and producing a national identity card is a wider issue. It would require due consideration by the appropriate agencies before any policy decisions could be formulated by Government and would require the development and implementation of legislation to support any such policy. (source)

Now, you can issue a person with an ID card without a legal basis, if they consent to it. Of course you can. The problem is, in order for that consent to be valid under EU law, it can’t have been compelled. It can’t have been extracted on pain of penury at the loss of your pension, of the child benefit you rely on or your unemployment benefit.

And a person can’t give consent if they haven’t been clearly told to what purposes the data they are agreeing to hand over will be put.

Until we have a full and open debate on the merits of a national ID card (and the identity index database those cards extend from) we cannot decide if we are happy with the consequences of such a plan or (as happened in the UK) whether we decide it is a dangerous and illiberal step.

If the Government wants to legislate for an ID card, let it first propose the plan and see it through the Oireachtas.

Personal data is legitimately gathered and used by the state on the basis that it is a safe guardian of citizens’ fundamental data and privacy rights. Without trust that the state will do the right thing, the legitimacy of that collection breaks down.

If the state won’t even admit to what it is doing, how does it expect citizens to trust that it will do the right thing?

Roadmap for mandatory requirements for the Public Services Card

Painful Pincers at the Border


The UK government has issued the outlines of a new Data Protection Bill. It will be a substantial piece of work because it will replicate the General Data Protection Regulation (GDPR). The GDPR is EU law and is directly effective in all Member States, including the UK, from 25th May 2018. The UK Brexit plan requires “replication” rather than “supplementation” because the UK has no intention of cutting itself free of EU “red tape” if it is in the form of the GDPR.

The UK Brexit plan also, it seems, has set the UK on a race to implementation of its new Data Protection Bill on or before the coming into force of the GDPR. So, it will introduce the Bill to parliament in September next, where there is the narrowest of time slots to do so.

We now know from the UK Information Commissioner (ICO) that she intends to levy fines equivalent to those provided for in the GDPR on persons, organisations and companies that breach the new Data Protection law.

Any miscreant Irish company doing business in the UK will be exposed to those fines if the ICO applies the UK Data Protection law, rather than the GDPR. That will be a major problem for cross-border firms doing business with Northern Ireland. Whatever about any [mistaken] assumption those firms may harbour that the Irish Data Protection Commissioner will not apply high fines for GDPR breaches, they can readily believe the ICO will apply those fines.

What are the limits to the fines? There are two categories of fines:

A. Fines up to €10 million or 2% of annual global turnover;

B. Fines up to €20 million or 4% of annual global turnover;

Consider the recent Swedish data breach involving the Swedish Transport Agency and IBM. On available information they would each have faced a fine from category B if the breach had occurred after 25th May 2018.