Summary report on the public consultation on the review of the ePrivacy Directive released

The public and the industry are divided on reform of privacy rules in the electronic communications sector according to the summary report on the public consultation on the evaluation and review of the ePrivacy Directive published today by the European Commission. Industry doesn’t see the need for increased scope of application and tighter rules on tracking while the public and civil society want to see broader scope and more control for users over how they are tracked and profiled by suppliers of electronic communications services.

There are big differences in opinion between the public and industry over the need to have special rules for the electronic communications sector to ensure the confidentiality of electronic communications. A majority of responding citizens and civil society organisations indicated such a belief as well as a need to regulate the use of traffic data which is commonly used to monitor and profile internet and mobile device users. Industry respondents were less enthused by such rules with less than a third seeing a need for them.

Similarly citizens and civil society organisations are worried about the limited scope of the ePrivacy Directive since it does not include IM, VoIP and email applications and want to have the right to access services on their devices without necessarily storing identifiers such as cookies.

The Commission is now carrying out a detailed analysis of the replies to the consultation and will publish a full synopsis in autumn 2016. The results will feed into the design and implementation of EU policy and prepare the way for the evaluation and review of the ePrivacy Directive.

Photo courtesy of http://nyphotographic.com/ 

ePrivacy review heralds big changes for online business

The results of a European Commission consultation on the evaluation and review of the ePrivacy Directive due to be published this week will be of interest to a wide range of online businesses due to the rapid evolution of online and mobile networked devices and services.

If European data protection supervisors get their way, operators of online services will be seriously constrained in how they profile their users’ behaviour.

Given the rapid changes in technology, new services have been developed which fall outside the scope of the directive even though they are functionally equivalent to traditional electronic communications services. For example, there are now a multitude of messaging apps and VoIP services equivalent to traditional telephone and SMS services. These services, while subject to general data protection rules, fall outside the scope of the more specific and detailed ePrivacy regime.

In a timely example, a recent study found that mobile phone battery status could be used to identify users and their devices. In the case of the online transportation service Uber, it has been suggested that it could adjust pricing for customers with low batteries desperate to get a taxi before their phone died. It is clear from academic research that industry has moved far beyond cookies as the sole way of tracking user behaviour online.

The ePrivacy Directive was conceived in 2002 as the telecommunications sector switched from analogue to digital and from state monopoly to regulated market operation. Voice still dominated over data and the distinction between content and metadata was clear.

The directive forms part of the legislative basis for two long-standing aims of European integration: the internal market (through the free movement of personal data) and a high degree of protection of fundamental rights and freedoms of individuals.

In advance of the publication of the consultation results European data protection regulators acting through the Article 29 Working Party (A29WP) issued an opinion on the revision calling for an updated directive that offers the same level playing field and high degree of individual protection no matter what technology is used to deliver functionally equivalent telecommunications services.

To achieve this result the Article 29 Working Party recommends significant clarification to fundamental definitions and essential terms to, in effect, make ePrivacy rules technology neutral focusing on functionality and outcome.

The A29WP recommends a broad definition of “interception and surveillance” so that surveillance by any means falls within the scope of the ePrivacy directive. It also warns that the review should not be used to increase data retention powers. Anticipating new ways of profiling and monitoring users, the A29WP calls for strict controls on the non-core use of metadata:

The confidentiality of communication is a core right for a democratic society. Therefore, the confidentiality of communications and related metadata require stricter rules, especially because modern communication technologies enable massive collection of intrusive data with covert techniques, or at least techniques people are not fully aware of. The collection, processing and use of these data for other purposes than providing the communication must be exceptional and must only be allowed after users have been adequately informed and have provided consent. In order to better protect the secrecy of electronic communications, the Working Party therefore advises the EC to create a harmonized consent requirement for the processing of metadata such as traffic and location data. This consent requirement should apply to all traffic and location data, also when they are generated through sensors in a user device. The new rule should apply to all parties collecting and processing these data

If the A29WP recommendation is adopted, Skype, Facebook and WhatsApp will be regulated under a revised directive in the same way as traditional telcos. Crucially, operators of electronic communications services (including online and mobile services) will not be able to profile and monitor user behaviour without their knowledge or consent.

Photo credit: https://www.flickr.com/photos/g4ll4is/8521624548 

Data Protection – The Sheriff Comes to Town

Ireland has been described as the Wild West of European finance and yesterday the sheriff came to town. For the first time the US government looked to join Irish proceedings destined for the European courts in Luxembourg so that it can make the case for transferring personal data across the Atlantic. But it needs to be careful what it wishes for because if its application is successful it may have to provide details on oath to the Irish and European courts of surveillance by the US security services. Will this be the first time the world can really see what happens to their personal data which is held by the US internet giants? All will be revealed by the end of the month when Mr Justice Brian McGovern decides who can intervene in the Schrems II case.

This week in the Irish High Court an unprecedented ten parties applied to become amicus curiae, or friends of the court, in the Schrems II case – a case between the Irish Data Protection Commissioner and Max Schrems, an Austrian privacy activist, concerning transfers of personal data from Europe to the US by social network Facebook.

Proceedings had been taken by the Irish Data Protection Commissioner seeking to establish the legality of so-called Standard Contractual Clauses (SCCs), which are intended to legalise the transfer of personal data from Europe to the US. The Commissioner is asking the Court to refer questions concerning the legality of the SCCs to the Court of Justice of the European Union (CJEU).

An amicus curiae, although not party to the proceedings, has a strong interest in the matter at hand and acts to assist the court in its deliberation. A party must be a party to the Irish proceedings if it wishes to participate in a reference to the CJEU. The parties that applied to the Court include the US government; the Irish Human Rights and Equality Commission; Irish Council for Civil Liberties, American Civil Liberties Union, the Electronic Frontier Foundation and the Electronic Privacy Information Center. Also making applications were the Business Software Alliance, the Irish Business and Employers Confederation (IBEC), Digital Europe and data privacy campaigner Kevin Cahill.

The US government acknowledged that this is an unusual case and the US is in a “unique and unprecedented position”. Counsel stated that the US has a bona fide interest in the proceedings and the US government’s expertise in US law is crucial. It was contended that it is critical that the Court, and the CJEU in the case of a referral, have the assistance of the US authorities. It was also contended that Facebook had not only consented to the joining of the US, but also stated that the US has the strongest case to be an amicus curiae. According to the US government Mr Schrems had no objection to the US joining provided that other civil society organisations were also joined and that the role of the US was strictly constrained by the court.

The Electronic Privacy Information Center submitted that it has expertise in US privacy issues and information technology. It also said that it has unrivaled experience in acting as an amicus in US courts.

Mr Justice McGovern is expected to give his ruling by the end of July.

We will then know if the truth will finally be told about the relationship between the US intelligence services and the internet giants.

Article written by Conor Fynes

Photo by Larry Lamsa

Information Commissioner and Commissioner for Environmental Information publishes 2015 annual report

The Information Commissioner and the Commissioner for Environmental Information, Peter Tyndall, launched his offices’ annual report today. The report is Mr Tyndall’s third since taking office and highlights the welcome improvement in his offices’ capacity against a backdrop of an increasing workload.

The report notes:

  • A 32% increase in applications to review FOI decisions of public bodies reflecting a 38% increase in requests.
  • A 20% increase of the number of applications for review disposed of within four months
  • The Commissioner’s intention to pay closer scrutiny to failures of public bodies to issue timely decisions
  • An 80% increase in appeals to the Commissioner for Environmental Information
  • The appointment of two investigators expressly for the purpose of conducting AIE appeals.

 

This firm advised on several key decisions made in 2015 which were highlighted by the Commissioner:

  • A decision that a new provision of the FOI Act 2014 prevented disclosure of Oireachtas members’ expenses (link)
  • The decision to order release of documents relating to lobbying on the Legal Services Regulation Bill (link)
  • Information on the usage of Garda aircraft, contract for the provision of fuel and an electricity bill were not environmental information (link).
  • That the Irish Fish Producers’ Organisation was not a public authority under the AIE Regulations (link)
  • NAMA v Commissioner for Environmental Information – judgment delivered by the Supreme Court in June 2015 – definition of public authority (link)
  • Minch -v- Commissioner for Environmental Information – judgment delivered by the High Court in February 2016 – definition of environmental information (link)

 

A copy of the report is available on the Commissioner’s website.

Data Protection: It’s a long way from Portarlington to Luxembourg

“Mr Nowak’s legal journey continues”

Thus concludes Mr Justice O’Donnell in delivering a seven-judge Supreme Court decision in Peter Nowak -v- Data Protection Commissioner [2016] IESC 18. The case concerned a claim by Mr Nowak that his exam script in a professional accountancy exam was personal data and therefore should be provided to him under data protection law.

Having begun his journey at the Data Protection Commissioner’s office in Portarlington and stopping off at four (yes four!) levels of appellate court along the way, Mr Nowak is off to Luxembourg for the final word on the issue.

Mr Nowak wanted to see the exam script from his failed attempt to pass one of four second level exams set by Chartered Accountants Ireland. Having been refused access under the Data Protection Acts he complained to the Data Protection Commissioner who took the view, without reviewing the script, that an exam script such as his could not be personal data. The Commissioner dismissed Mr Nowak’s complaint as being “frivolous or vexatious” since it had no foundation in law.

Three levels of appellate court agreed but the Supreme Court wasn’t sure and referred the question to the CJEU.

Following Schrems, this is the second time in less than two years that a complaint dismissed by the Data Protection Commissioner as hopeless has ended up in the highest court in Europe, a situation described by O’Donnell J as “incongruous”.

The underlying issue here, whether an examination script is ever capable of being personal data within the meaning of the Acts, and if so, whether this script is such personal data, is one of some difficulty and complexity that requires the analysis of a number of different texts and provisions. It might appear rather incongruous, therefore, that the Commissioner, while clearly respectful of Mr Nowak’s complaints, determined them to be frivolous and vexatious, and now maintains that this decision can only be reviewed through the mechanism of judicial review. This incongruity is highlighted by the fact that perhaps the most important data protection case to emanate from this jurisdiction, and which has resulted in a landmark decision of the Court of Justice of the European Union,  Schrems v. The Data Protection Commissioner (Case C-362/14), judgment of the Grand Chamber, 6th October 2015, to which Digital Rights Ireland was added as a party, concerned an issue which was determined by the Commissioner to be frivolous and vexatious under s.10(1)(b)(i).

 

Meanwhile and arguably more importantly, the Court finally put to bed a glaring anomaly in the rights of data subjects to appeal decisions of the Commissioner in the courts.

Arising out of Mr Nowak’s complaint the Circuit Court, High Court and Court of Appeal all held that where a complaint is dismissed as “frivolous or vexatious” by the Commissioner the data subject has no statutory right of appeal to the Circuit Court under section 26 of the Data Protection Acts. The only route available in that case is the costlier and less extensive remedy of judicial review in the High Court.

According to the Supreme Court this was not what the legislature intended in drafting the Data Protection Acts which provide for a Circuit Court appeal against all Commissioner decisions. It must be assumed, according to O’Donnell J, that the law is intended to make sense and to “achieve some purpose which is to be discerned from the words of the Act, its structure and the background against which it is enacted.”

O’Donnell J didn’t think the Commissioner was looking for a broad definition of “frivolous or vexatious” in order to avoid launching investigations since there was nothing stopping him from making preliminary decisions in any particular circumstance, thereby retaining the ability to filter out clearly misconceived complaints but always subject to appeal to the Circuit Court.

Substance over form

The Court reserved its position on the issue of what form such a statutory appeal would take until a more suitable case arises, clearly signalling that it will hear such a case if and when one comes along.

Clarke J in his concurring judgment went a step further and criticised the legislature for not clearly defining the scope of statutory appeals generally, referring to his previous judgment in Fitzgibbon v. The Law Society of Ireland [2014] IESC 48.

The Court felt that the appeal was less than a full rehearing but more than judicial review, as was set out by a previous Supreme Court in Orange Communications Ltd v. The Director of Telecommunications Regulation and anor (No 2) [2000] IESC 79 (a case in which O’Donnell J acted as a senior counsel). The Court hinted that even this test, in the context of data protection law, may need to be considered again in the future if a suitable case comes along.

The decision on scope of appeal is a welcome one for data subjects who now have a more accessible appeal to the Circuit Court against all decisions of the Data Protection Commissioner even against decisions that a complaint does not come within the scope of data protection law at all.

It is likely that this finding will read across into other statutory appeals regimes, particularly where for costs reasons appeals on procedure and jurisdiction are less common such as those under the Freedom of Information Act 2014 and the Access to Information on the Environment Regulations.

Sunday Business Post 100 Hot Start-ups

The Sunday Business Post has published its list of 100 Hot Start-ups showcasing a cross section of the vibrant startup scene in Ireland. Aside from a curious inclusion of a Five Guys franchise as an Irish start-up, the publication is excellent and highlights innovative entrepreneurs and companies across a wide range of industry sectors.

Something that immediately strikes us as IP lawyers is the range of creative brand names for these ventures. No doubt some have put a huge amount of time and effort into ideating the brand names, and believe that they own them…

However, the only way for a start-up or emerging business to legally own a brand name is to register it as a trademark. Moreover, trademark registrations are territorial, meaning rights only extend to the geographical markets covered by any registrations. While company name registration, business name registration and domain name registration are all very important, none actually grants exclusive rights in the name. The only way to get exclusive legal rights in a brand name is to register it as a trademark.

A quick search on trademark registers for a representative sample of the brand names in the publication shows that a surprising number have not yet been protected as trademarks. In Europe registered trademark rights are obtained on a “first to file” basis. It’s important for start-ups and emerging companies to get this sorted early, and to secure legal ownership of the brand name by trademark registration, before someone else gets there first and causes a problem… At the very least get advice on it so you know where you stand. Any start-ups with questions about how to protect a brand name as a registered trademark efficiently and cost-effectively, do get in touch with us to discuss.

Information law: Privacy constraints on access to information seized under warrant

A recent judgment of the Irish High Court illustrates the fine balance that must be struck between privacy rights and the right of investigators to access information seized under warrant.

Opening his judgment like a whodunit, Judge Max Barrett of the Irish High Court sets the scene for a thriller concerning the rights of the Irish competition regulator (the CCPC) to access information seized during a dawn raid and exposes the dangers of not privacy-proofing search and seizure laws.

For those who want to skip to the end, let’s just say it doesn’t end well for the CCPC which had ventured into Terra Incognita to find that the only discernible feature in the otherwise desolate landscape consists of a rock and a hard place.

The facts are simple – in May 2015 the CCPC obtained a warrant to search the premises of Irish Cement Limited (ICL) at its factory north of Dublin. During the raid, the CCPC took copies of large amounts of electronic information including the entirety of the email box of a senior ICL executive. It transpired that the seized information included both personal and private information that was not covered by the CCPC warrant. Recognizing this, the CCPC indicated that it would review all of the seized information and that it would decide which information came within the scope of the warrant. Naturally ICL objected and proposed a procedure whereby an independent party would conduct the review and only hand over relevant information to the CCPC. The parties were unable to reach agreement and so ICL issued proceedings asking the court to determine the scope of CCPC’s right to access private and personal information falling outside of the scope of the search warrant.

Barrett J sets the scene:

One has arrived at a place that seems largely, if not entirely, ungoverned by law. The [CCPC] maintains, not that this provided anywhere in the 2014 Act, that the proper thing to be done is that it should go through of the materials it now possess … weeding out the wheat to which it is entitled from the chaff.

For its part ICL contended that such a process is a violation of the European Convention on Human Rights, the Charter of Fundamental Rights, the Data Protection Acts and the Irish Constitution.

Barrett J agreed, firstly observing that while there was no illegality in the seizure of the information, the accessing of it by the CCPC would constitute a breach of the ECHR and Constitutional rights to privacy, and that while there were statutory protections for legally privileged information, no such protections were provided for private or personal information. The CCPC could not assume that it had carte blanche in respect of such information and, according to the court, the only way to access any of the seized information was through negotiation and agreement with ICL.

This undoubtedly makes it difficult, if not impossible, for the CCPC to continue its investigation.

While the judgment may be appealed, the law as it stands makes it virtually impossible for the CCPC to conduct an investigation since, with electronic information in particular, there is almost always an intermingling of personal and irrelevant private information in any seizure. Without a statutory framework for accessing seized information it is difficult to see how the CCPC can confidently gather evidence if it has to rely solely on the cooperation of the undertaking which is subject to investigation.

The case highlights the importance of privacy-proofing legislation. While the legislature saw fit to provide safeguards for legally privileged information, it doesn’t seem to have considered the possibility that a seizure would “hoover up” mixed information and didn’t provide similar protections for the privacy rights of individuals and corporates.

The judgment may be appealed but until a final decision is issued it seems that the CCPC is stymied and ultimately there may be a need for a statutory amendment to resolve the issue.

Thanks to TJ McIntyre for posting a copy of the judgment online.

Chief EU data protection regulator launches blog ushering in a new era of global data protection

April Fool’s Day is not the best day to launch a blog, but Giovanni Buttarelli, the European Data Protection Supervisor, decided to put his digital pen to paper to launch a blog heralding the advent of a new era of data protection where European standards will be the “digital gold standard”.

Buttarelli is referring to the General Data Protection Regulation which is expected to become law before the summer.

Mr Buttarelli sees two major strategic consequences of the GDPR, which he describes as a “game changer” and at the core of our human dignity, setting the standard for a generation:

The first consequence is that the GDPR sets up a genuine platform for global partnerships. This reflects the global nature of data flows, enabled by technologies and driven by creative, disruptive business models. Over half the countries in the world now have a data protection and/or privacy law, and most are strongly influenced by the European approach, a trend towards the ‘global ubiquity’ of data privacy. The regulation promises a wider scope for cooperation between authorities and data controllers both within the EU and internationally. It should galvanise efforts for a more consistent standard contractual clauses, speed up the validation process for binding corporate rules, and help them dovetail with similar arrangements elsewhere in the world. I hope that the new provisions for codes of conduct, seals, certification and accreditation processes will incentivise controllers inside and outside the EU to take the initiative in devising standards which are both business friendly and in the interests of individuals.

The second consequence is that data protection is no longer an optional extra. The Court of Justice of the European Union applies these rules strictly, interpreting them in the light of the EU Charter of Fundamental Rights, and favouring the rights and interests of the individual above corporate or business aims, however reasonable and legitimate. The EU cannot retreat from these core values. Data protection authorities will have to be vigilant in monitoring implementation of the GDPR, and applying the newly-amplified range of possible sanctions in case of violation.