Planning Time Limits Restart

All planning time limits that were temporarily suspended due to COVID are now running again as and from 24 May. This means that any judicial reviews against planning decisions need to be filed within eight weeks at the latest. Please contact us if you have any questions about the new deadlines.

Image: Licensed under creative commons (https://www.geograph.ie/photo/5700218)

Does a phone company have to tell you whether or not the police have accessed your data?

In a recent decision the Data Protection Commission confirmed that a telephone company had to tell a subscriber whether or not details of his phone usage had been accessed by the police unless it could actually demonstrate that there would be prejudice to a criminal investigation or prosecution.

A redacted copy of the decision has been posted on www.datasubject.ie with the permission of the data subject.

This is an important decision which opens the door to greater transparency around police access to telecoms subscriber information retained under the Communications (Retention of Data) Act 2011. Under this regime there is limited oversight via the Complaints Referee – who crucially can neither confirm nor deny whether an access request has been made unless there has been unlawful access.

This new decision of the Data Protection Commission now confirms that individuals can look for confirmation of whether an access request has been made by a state agency under the 2011 Act, and this request can only be refused if a phone or internet company can show that it would be prejudicial to a criminal or related matter for the request to be answered.

In this particular case we acted for the data subject who had asked the telecom provider, Eir, to say whether or not a state agency had requested access to his information which Eir retained under the 2011 Act. Eir refused to answer the request citing provisions of the 2011 Act and a general policy concerning access to retained data.

The Commissioner found that this request was a valid subject access request and that Eir had failed to answer it within the prescribed time. In addition the Commissioner found that the generic policy relied on by Eir did not constitute a valid statement of reasons and that Eir had not informed the data subject about his right to complain to the Data Protection Commissioner.

Once the complaint was lodged Eir sought to rely on section 5(1)(a) of the Data Protection Acts 1988 to 2003 which restricts the right of access in relation to personal data “kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders …, in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid”.

Ultimately Eir admitted that it could not show that any of the listed matters would likely be prejudiced and that it could not rely on this restriction to the right of access.

Click here to access a copy of the decision.

Court of Appeal clarifies concept of “environmental information”

Aerial view of Kilcooley estate, Co Tipperary

The Court of Appeal this morning handed down its judgment in Redmond v Commissioner for Environmental Information [2020] IECA 83 which was an appeal against a decision of the High Court upholding a decision of the Commissioner for Environmental Information that details of the sale by Coillte, the State Forestry Company, of a leasehold interest in 402 hectares of land at Kilcooley Abbey Estate in Co Tipperary were not environmental information for the purposes of the Access to Information on the Environment Regulations (the “AIE Regulations”).

In reaching its decision the Court adopted and applied the now well-established interpretative principles from the NAMA and Minch decisions.

Importantly the Court agreed with the approach of the English Court of Appeal in Department for Business, Energy and Industrial Strategy v Information Commissioner [2017] EWCA (Civ) 844 that the definition does not mean that the information itself must be intrinsically environmental. The defining aspect is that the information is on a measure or activity that affects or is likely to affect the environment.

The Court also went on to hold that the Commissioner did not need to establish the probability of a relevant environmental impact since that would lead to an overly narrow definition. On the other hand something more than a remote or theoretical possibility is required because otherwise the definition would sweep too widely.

This decision consolidates the requirement for decision makers to apply a purposive interpretation to the AIE Regulations and, building on Minch, confirms that the scope of the right of access extends beyond information that is intrinsically environmental to include any information on measures or activities that are likely to affect the environment.

FP Logue acted for the Appellants in the Court of Appeal.

Open Letter to the Law Society of Ireland

Dear President, Director General

I am contacting you to ask you to ensure that the Law Society does all it can to encourage the Courts Service to introduce as a matter of the utmost urgency a system of electronic filing of documents, in particular for issuing new proceedings.

This needs to happen as soon as possible since it looks very likely that we are going to go into a state of severe lock-down within weeks if not days. The staff in the High Court Central Office and presumably other court offices are already being put in a compromising position in terms of their own health and that of the community by being forced to operate a public counter for filings of physical documents. I can see no need for this when we have electronic systems that can be used just as easily.

While there is a drop-box system in the High Court and the usual system of postal filing there are several issues with this.

First a drop-box or postal filing requires a visit to a post office or court office which are public places. This is incompatible with the idea that we should avoid all unnecessary contact with others.

Second there is no guarantee in relation to deadlines or a way to use this system for more urgent filings (e.g. where there is a statute of limitations or a court direction). If there is a defect in a document there is no way to correct it and keep the filing date.

Third most documents still require physical stamping and signing. Paying stamp duty for most practitioners requires a visit to a court office because a physical stamp is required. There are similar issues with the requirement for an in-person witness to affidavits.

I am asking you as the leaders of our profession to ensure that we can still operate if and when there is a total lock down.

The following measures (at a minimum) can and should be put in place as soon as possible:

  1. Requirement for a physical stamping of documents to be waived and ideally all court fees waived for the duration of the crisis
  2. Requirement for in-person swearing of affidavits to be waived – a statement of truth signed electronically by the deponent to suffice.
  3. Proceedings may be initiated by filing papers using electronic means, e.g. by email, with confirmation of record number, return date etc by email or phone within one working day.
  4. Rules permitting service by email and/or download link as default
  5. Courts Service to guarantee service levels in terms of turn around time, call back etc.

For all concerned these measures are urgently needed to protect our health, that of Courts Service officials and the wider community. For many practitioners these measures could be crucial to the survival of their firms.

I am therefore asking for you to commit to working with the Courts Service to put in place a fully electronic filing system as quickly as possible.

We have the technology, we just need the will to do it.

Many thanks

Fred Logue

Irish Circuit Court finds Courts Service breached data protection law

This week the Irish Circuit Court upheld a decision of the Data Protection Commissioner which found that the Courts Service breached the Data Protection Acts when it inadvertently uploaded a copy of a judgment naming a party whose identity was protected by Court Order.

In reaching this conclusion the Court considered the Wirtschaftsakademie and Jehovan todistajat decisions of the CJEU and found that the Courts Service was a data controller. The decision dismissed the idea that the original judge was the sole data controller but left open the possibility that in certain circumstances the judiciary and the Courts Service could be joint controllers.

You can read a copy of the judgment below or download it here.


FP Logue acted for the data subject in this case.

If you mean Data Protection, don’t say Privacy

Image: Alessandro Vasaturo/CC BY 2.0

The word “privacy” is fast becoming a global term for laws and issues concerning personal data. There is a growing community of privacy professionals, with privacy certifications, part of an international privacy sector and talking about data privacy.

As a result, it is increasingly common to see “privacy” or “data privacy” being used in Europe to refer to data protection. We are also seeing Data Protection Day (28 January) being renamed internationally as Data Privacy Day, even though the date marks the anniversary of the Council of Europe’s Convention 108, a key milestone in the development of data protection.

But here’s the thing. Whatever about other parts of the world, in the European Union data protection and privacy are two separate laws with different functions. Using privacy as a catch-all or substitute for data protection is misleading and wrong. It is important to use these terms correctly in the European Union to avoid public and regulatory confusion about legal obligations and rights and dilution of what data protection really means.

Data Protection means the protection of individuals with regard to the collection, use and other processing of personal data. In this context, personal data is any information relating to an identified or identifiable individual, regardless of whether the information is private, professional, or even publicly available. The General Data Protection Regulation (GDPR) sets out obligations for parties processing personal data, including the legal bases for processing, data protection principles, and accountability measures. It also defines rights for individuals, including rights of access and erasure.

Privacy on the other hand means an individual’s right to maintain control over and be free from intrusion into their private life, family life, home and communications. The law derives from the European Convention on Human Rights, the EU Charter of Fundamental Rights, the ePrivacy Directive, as well as various national laws.

Of course, data protection and privacy are not completely unconnected issues in practice. Where the GDPR requires a risk-based approach, where processing of personal data infringes the GDPR, or where there has been a personal data breach, one of the possible risks to individuals is an invasion of privacy. However, the GDPR is not a privacy law and its scope is not limited to data that is private, rather it sets out obligations for those who process people’s personal data (notably, lawfulness of processing and accountability), rights for individual data subjects, and powers for supervisory authorities and courts to monitor and enforce compliance.

As the reframing of “privacy” and “data privacy” to mean or include data protection is increasingly common in the European Union, it is important to reclaim the meaning of data protection and apply it correctly. This is not about semantics. In the European Union, data protection and privacy have specific legal meanings, and it is essential to use the terms in the correct way to avoid confusion and misunderstanding about legal obligations and rights.

And if you have a data protection problem, then you need a data protection professional – not a privacy professional – or at least someone who can tell the difference between the two.

FP Logue – 2019 Highlights

Image: Public domain

As we look at closing the door on 2019 for a well-earned break I thought it would be good to reflect on some of the highlights of the year.

  1. Fred Logue featured in the TG4 documentary, Uchtú, helping broadcaster Evanne Ní Chuilinn access information about her adoption and early life
  2. We highlighted issues with widespread police access to personal data and the responsibilities of data controllers when approached by the police
  3. Throughout the year we reminded everyone that data protection is not necessarily about privacy.
  4. In May we succeeded in ensuring that a social welfare claimant got their benefit without having to register for the Public Services Card.
  5. Finally you can read about the many groundbreaking cases that we were involved in and about the coverage of our work in the media

Looking forward to more of the same in 2020!

Government fined more than €5 million by European Court for decade-long environmental law breach

Ireland was sanctioned by the Court of Justice of the European Union because of a failure to carry out an environmental impact assessment of a wind farm development in Derrybrien, Co Galway. Ireland was ordered to conduct an assessment by the court in 2008 but has yet to comply with the European court’s directions in the ten years which followed. The European Commission then took Ireland back to court resulting in serious fines.

European Law states that an environmental impact assessment must be carried out before permission is granted for any project which is likely to have significant effects on the environment. No assessment was carried out before the construction of Derrybrien despite the clear European law on the matter. Construction of the wind farm in 2003 caused a massive landslide which killed thousands of fish and severely damaged the surrounding environment. Following this, Ireland was taken to court in 2008 and lost.

Ireland was then given two months to do an environmental impact assessment on the land. The State came up with a draft plan to carry out a non-statutory assessment but even this came to nothing. Ireland was granted extra time by the EU with December 2016 as the final deadline but still no action was taken.

The CJEU this year took Ireland back to court, on grounds that Ireland had not made any significant effort to carry out an environmental impact assessment of the project nor made any concrete plans to do so. They decided that the delay in complying could not be justified and there was no excuse for the inaction.

Ireland argued that they had had no power to direct the company (which is publicly owned) in ownership of the land to carry out the assessment, citing that a judgement cannot affect third parties when they are not heard in proceedings. They also argued that the measures that Ireland was required to take were never specifically identified, meaning that their steps toward a non-statutory assessment technically complied with the 2008 judgement. However, the court rejected these arguments and decided in favour of the European Commission.

A large financial penalty was imposed on Ireland to prevent the recurrence of similar infringements of EU law. The court found that the best way to do this would be with a lump sum, followed by a significant daily amount as long as the breach continued. This was done to encourage Ireland to carry out the long-awaited environmental impact assessment. The final amount decided on by the courts was a lump sum of €5,000,000 followed by a periodic penalty payment of €15,000 per day from the date of delivery of the present judgement until the date of compliance with the 2008 judgement.

It is clear that all of the expense could have been avoided if Ireland ensured that the wind farm operator, which it owns, met its responsibilities and conducted an environmental impact assessment.

This post was authored by Daire Murray, a TY student from Loreto Kilkenny, who spent the week working with us.

Transparency for political advertising – will it all end in tears?

(Public Domain)

Against the backdrop of the International Grand Committee on Disinformation and ‘Fake News’, which convened this week in Dublin, the government has approved a proposal to Regulate Transparency of Online Political Advertising. The legislation aims to increase transparency around paid advertising and prevent the electoral process from being captured by a narrow range of interests that align themselves with harmful content and electoral interference. The proposed regulation is essentially a stopgap until a Statutory Electoral Commission is established to oversee a wider reform of the electoral process.

It’s old hat by now that the electoral process has proven to be especially vulnerable to certain interest groups’ desire to wedge their way into social platforms and manipulate the spread of potentially harmful information. Platforms themselves are divided on how they manage political content; Facebook has decided to take an entirely hands-off approach, while Twitter has announced a ban on all political advertising.

Both positions have their detractors – the unequivocal refusal to regulate and thus tacitly condoning the spread of contentious content, versus the decision to become the arbiter of political content in your feed. Following the Twitter ban, the Taoiseach voiced his reservations regarding the disabling of a significant channel for political representatives to reach voters. He also expressed his concern that such a ban could act as a contagion for a ban on political advertising across all media, including billboards and newspapers.  

While such a view has more than a whiff of scaremongering, it reflects the inherent tension in regulating political content online. Apart from a consensus that ‘something must be done’ there is very little agreement on where to draw the line, nor a sense of how easy it will be to police once drawn. Watch this space.