This week the Irish Circuit Court upheld a decision of the Data Protection Commissioner which found that the Courts Service breached the Data Protection Acts when it inadvertently uploaded a copy of a judgment naming a party whose identity was protected by Court Order.
In reaching this conclusion the Court considered the Wirtschaftsakademie and Jehovan todistajat decisions of the CJEU and found that the Courts Service was a data controller. The decision dismissed the idea that the original judge was the sole data controller but left open the possibility that in certain circumstances the judiciary and the Courts Service could be joint controllers.
You can read a copy of the judgment below or download it here.
The word “privacy” is fast becoming a global term for laws and issues concerning personal data. There is a growing community of privacy professionals, with privacy certifications, part of an international privacy sector and talking about data privacy.
As a result, it is increasingly common to see “privacy” or “data privacy” being used in Europe to refer to data protection. We are also seeing Data Protection Day (28 January) being renamed internationally as Data Privacy Day, even though the date marks the anniversary of the Council of Europe’s Convention 108, a key milestone in the development of data protection.
But here’s the thing. Whatever about other parts of the world, in the European Union data protection and privacy are two separate laws with different functions. Using privacy as a catch-all or substitute for data protection is misleading and wrong. It is important to use these terms correctly in the European Union to avoid public and regulatory confusion about legal obligations and rights and dilution of what data protection really means.
Data Protection means the protection of individuals with regard to the collection, use and other processing of personal data. In this context, personal data is any information relating to an identified or identifiable individual, regardless of whether the information is private, professional, or even publicly available. The General Data Protection Regulation (GDPR) sets out obligations for parties processing personal data, including the legal bases for processing, data protection principles, and accountability measures. It also defines rights for individuals, including rights of access and erasure.
Privacy on the other hand means an individual’s right to maintain control over and be free from intrusion into their private life, family life, home and communications. The law derives from the European Convention on Human Rights, the EU Charter of Fundamental Rights, the ePrivacy Directive, as well as various national laws.
Of course, data protection and privacy are not completely unconnected issues in practice. Where the GDPR requires a risk-based approach, where processing of personal data infringes the GDPR, or where there has been a personal data breach, one of the possible risks to individuals is an invasion of privacy. However, the GDPR is not a privacy law and its scope is not limited to data that is private, rather it sets out obligations for those who process people’s personal data (notably, lawfulness of processing and accountability), rights for individual data subjects, and powers for supervisory authorities and courts to monitor and enforce compliance.
As the reframing of “privacy” and “data privacy” to mean or include data protection is increasingly common in the European Union, it is important to reclaim the meaning of data protection and apply it correctly. This is not about semantics. In the European Union, data protection and privacy have specific legal meanings, and it is essential to use the terms in the correct way to avoid confusion and misunderstanding about legal obligations and rights.
And if you have a data protection problem, then you need a data protection professional – not a privacy professional – or at least someone who can tell the difference between the two.
Ireland was sanctioned by the Court of Justice of the European Union because of a failure to carry out an environmental impact assessment of a wind farm development in Derrybrien, Co Galway. Ireland was ordered to conduct an assessment by the court in 2008 but has yet to comply with the European court’s directions in the ten years which followed. The European Commission then took Ireland back to court resulting in serious fines.
European law states that an environmental impact assessment must be carried out before permission is granted for any project which is likely to have significant effects on the environment. No assessment was carried out before the construction of Derrybrien despite the clear European law on the matter. Construction of the wind farm in 2003 caused a massive landslide which killed thousands of fish and severely damaged the surrounding environment. Following this, Ireland was taken to court in 2008 and was then given two months to do an environmental impact assessment on the land. The State came up with a draft plan to carry out a non-statutory assessment but even this came to nothing. Ireland was granted extra time by the EU with December 2016 as the final deadline but still no action was taken.
The CJEU this year took Ireland back to court, on grounds that Ireland had not made any significant effort to carry out an environmental impact assessment of the project nor made any concrete plans to do so. They decided that the delay in complying could not be justified and there was no excuse for the inaction.
Ireland argued that they had no power to direct the company (which is publicly owned) in ownership of the land to carry out the assessment, citing that a judgement cannot affect third parties when they are not heard in proceedings. They also argued that the measures that Ireland was required to take were never specifically identified, meaning that their steps toward a non-statutory assessment technically complied with the 2008 judgement. However, the court rejected these arguments and decided in favour of the European Commission.
A large financial penalty was imposed on Ireland to prevent the recurrence of similar infringements of EU law. The court found that the best way to do this would be with a lump sum, followed by a significant daily amount as long as the breach continued. This was done to encourage Ireland to carry out the long-awaited environmental impact assessment. The final amount decided on by the courts was a lump sum of €5,000,000 followed by a periodic penalty payment of €15,000 per day from the date of delivery of the present judgement until the date of compliance with the 2008
It is clear that all of the expense could have been avoided if Ireland ensured that the wind farm operator, which it owns, met its responsibilities and conducted an environmental impact assessment.
This post was authored by Daire Murray, a TY student from Loreto Kilkenny, who spent the week working with us.
It’s old hat by now that the electoral process has proven to be especially vulnerable to certain interest groups’ desire to wedge their way into social platforms and manipulate the spread of potentially harmful information. Platforms themselves are divided on how they manage political content; Facebook has decided to take an entirely hands-off approach, while Twitter has announced a ban on all political advertising.
Both positions have their detractors – the unequivocal refusal to regulate and thus tacitly condoning the spread of contentious content, versus the decision to become the arbiter of political content in your feed. Following the Twitter ban, the Taoiseach voiced his reservations regarding the disabling of a significant channel for political representatives to reach voters. He also expressed his concern that such a ban could act as a contagion for a ban on political advertising across all media, including billboards and newspapers.
While such a view has more than a whiff of scaremongering, it reflects the inherent tension in regulating political content online. Apart from a consensus that ‘something must be done’ there is very little agreement on where to draw the line, nor a sense of how easy it will be to police once drawn. Watch this space.
The General Data Protection Regulation (GDPR) restricts how personal data may be processed by a data controller. In particular, personal data may not be used for a purpose incompatible with the purpose for which the data was initially collected.
One exception to this is Section 41(b) of the Data Protection Act 2018. This allows a data controller operating in Ireland to disclose personal data to a third party to the extent that this is “necessary and proportionate for the purposes of preventing, detecting, investigating or prosecuting criminal offences.”
Typically, this arises following a request from An Garda Síochána or another law enforcement body for disclosure of information containing personal data. Such requests are common in sectors such as financial services and insurance, although it is up to each company to handle such requests in a legally compliant manner.
However, data controllers in other sectors might be alarmed to receive a request from the Gardaí seeking disclosure of information under Section 41(b). This might be for various information relating to named individuals or for a copy of CCTV footage. The request might be marked urgent, refer to serious criminal allegations, or be broad or exploratory in nature. You might feel under pressure to comply with the request.
The most important thing to know is that you are under no obligation to comply with a request if it is made under Section 41(b) of the Data Protection Act 2018. However, the catch is that if you choose to comply with such a request in full or in part, you bear the risk as the data controller. This means being satisfied that disclosing the personal data is necessary and proportionate for the purpose of preventing, detecting, investigating or prosecuting criminal offences. This places a high burden on you as the data controller, including keeping appropriate records to justify your decision and to demonstrate accountability under GDPR. You also have other obligations, including transparency to data subjects, data minimisation, facilitating data subject rights, and ensuring appropriate data security.
If information concerning particular individuals or video footage is that important for a criminal investigation, the Gardaí can (and often will) get a District Court order or even a search warrant. And if this is served on you, there will be a legal obligation to provide the information, and you will have protection as a result. Depending on the circumstances, this may be preferable to complying voluntarily with a request made under Section 41(b) and taking on the risk and potential liability of getting it wrong.
And if you choose not to comply with a disclosure request that is made under Section 41(b), which you are entitled to do in the absence of any other legal or statutory obligation, bear in mind that the communication received will likely contain sensitive or confidential information which should not be retained unless there is a specific reason to do so.
Earlier this month Minister for Health, Simon Harris, launched a Vaccine Alliance – a network of healthcare professionals, policy makers, patient advocates, students and representatives from groups most affected by vaccine hesitancy – to boost the uptake rate of childhood vaccines. Recently four European countries, including the UK, lost their measles-free status and there are fears Ireland could follow suit. The decline in vaccine uptakes has been linked to the spread of misinformation – or “fake news” – on social media platforms. Minister Harris threw down the gauntlet to social media companies to “decide which side they want to be on” and take decisive action to help reverse this trend.
The challenge of regulating tech companies in the public interest, particularly social media platforms, has been explored in depth. Proposed measures become entangled in overlapping areas of tech, policy, piracy, free speech and platform liability. Differentiating between illegal speech and ‘opinions I don’t agree with’ (like vaccine disinformation) presents serious challenges to freedom of expression and plurality; at the same time making social media platforms the arbiters of truth is manifestly undesirable. Regulatory overreach would likely be detrimental to the free access to the services that modern society has come to rely upon as well as stifle innovation.
On the other hand, the algorithms that drive the social media companies’ traffic favour provocative content that engages users and prolongs their time on the platform, providing a captive audience for targeted ads. In effect, social media has become weaponised to serve advertisers – disinformation is a profitable business.
Across the board the response has been a patchwork of work-arounds. In 2018, the European Commission published its report on a ‘Multi-dimensional Approach to Disinformation’, which opted for a co-regulatory Code of Practice and promotion of media literacy. Companies themselves have taken initiatives to manage misinformation – the broad consensus around the potential harm caused by vaccine misinformation has assisted this agenda. Facebook works with third-party checkers to reduce the distribution of stories that have been flagged as misleading. Instagram has said it would hide hashtags that have a “high percentage” of inaccurate vaccine information, with mixed results. Twitter is launching a new tool that directs users to credible public health resources. In February this year, YouTube announced that it is demonetising anti-vaccination content. This month, Google adjusted its search algorithm to boost original journalism.
Clearly, a degree of self-regulation has already been adopted by these tech giants. But private entities that are change agents in the areas of privacy, competitiveness, freedom of speech and national security and law enforcement, operating without oversight, run the risk of the tail wagging the dog.
As part of its remit to transpose the Audiovisual Media Services Directive (EU) 2018/1808 (AVMSD) into Irish law for September 2020, the Broadcasting Authority of Ireland (BAI) will effectively become the EU-wide watchdog for video on-demand services that are based in Ireland. Under the Directive, providers will require age verification, parental controls and a ‘robust’ complaints mechanism. The BAI would become a statutory regulator with legally enshrined enforcement power to police social media sites’ video content.
The UK government published its Online Harms White Paper on 26 June 2019, which proposed both government and industry-led initiatives including developing a regulatory framework and independent regulator, user redress and a statutory duty of care imposed on social media companies which focuses on a set of desirable outcomes that it would leave to the companies to decide how to implement, not unlike the implementation regime for GDPR. Apart from the measures to be adopted as part of its duties with respect to the AVMSD, the Irish government has not proposed any parallel regime, despite the obvious and pressing need to do so in light of Ireland’s unique position as EU country of incorporation for a large number of global social media companies. Until it does, government talk about the onus being on social media companies to decide which side they want to be on is cheap.
In Ireland, it’s increasingly common to see the term “privacy” being used interchangeably or as a substitute for “data protection”. This may be due to lack of awareness, the influence of U.S. terminology, or marketing preferences for a catchier term. Whatever the reason, it is important to understand the difference between the two terms in order to avoid confusion about legal obligations and rights.
Privacy is a broad term encompassing a number of rights, such as the right to be let alone and the right to respect for private and family life, home and communications. A useful description of privacy is from the UK’s Calcutt Committee report of 1990 as “the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.” In Ireland, privacy rights derive mainly from the Constitution of Ireland (as an unenumerated personal right recognised by Article 40.3), Article 8 of the European Convention on Human Rights, and Article 7 of the EU Charter of Fundamental Rights.
Data Protection means the protection of individuals in relation to the collection, use or processing of personal data, i.e. information that relates to them as an identified or identifiable person. In Ireland, data protection is governed by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Businesses and organisations have data protection obligations, including having a legal basis for collecting, using or processing personal data, compliance with data protection principles, and having technical and organisational measures in place to meet accountability requirements. Individuals have data protection rights, including information, access and erasure, as well as making a complaint to the Data Protection Commission or taking legal action where their rights have been infringed or they have suffered damage.
Where a breach of the GDPR is likely to cause risk or harm to an individual, one of the adverse impacts could of course also include a loss of privacy. However, the GDPR is not a privacy law. In fact, the word “privacy” does not appear anywhere in its articles or recitals.
It’s important to know the difference between privacy and data protection to avoid confusion and misunderstanding about legal obligations and rights. It is also essential for businesses and organisations to understand that they have data protection obligations, and individuals have data protection rights, in situations which often have nothing to do with privacy.