Thanks to Johnny Ryan from ICCL for making available the video from the Joint Oireachtas Committee on Justice GDPR hearing on 27 April 2021
DPC hearing at the Oireachtas (Irish Parliament) 27 April 2021 from Johnny Ryan on Vimeo.
Does a phone company have to tell you whether or not the police has accessed your data?
In a recent decision the Data Protection Commission confirmed that a telephone company had to tell a subscriber whether or not details of his phone usage had been accessed by the police unless it could actually demonstrate that there would be prejudice to a criminal investigation or prosecution.
A redacted copy of the decision has been posted on www.datasubject.ie with the permission of the data subject.
This is an important decision which opens the door to greater transparency around police access to telecoms subscriber information retained under the Communications (Retention of Data) Act 2011. Under this regime there is limited oversight via the Complaints Referee – who crucially can neither confirm nor deny whether an access request unless there has been unlawful access.
This new decision of the Data Protection Commission now confirms that individuals can look for confirmation of whether an access request has been made by a state agency under the 2011 and this request can only be refused if a phone or internet company can show that it would be prejudicial to a criminal or related matter for the request to be answered.
In this particular case we acted for the data subject who had asked the telecom provider, Eir, to say whether or not a state agency had requested access to his information which Eir retained under the 2011 Act. Eir refused to answer the request citing provisions of the 2011 Act and a general policy concerning access to retained data.
The Commissioner found that this request was a valid subject access request and that Eir had failed to answer it within the prescribed time. In addition the Commissioner found that the generic policy relied on by Eir did not constitute a valid statement of reasons and in addition Eir had not informed the data subject about his right to complain to the Data Protection Commissioner.
Once the complaint was lodged Eir sought to rely on section 5(1)(a) of the Data Protection Acts 1988 to 2003 which restricts the right of access in relation to personal data “kept for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders …. , in any case in which the application of that section to the data would be likely to prejudice any of the matters aforesaid“
Ultimately Eir admitted that it could not show that any of the listed matters would likely be prejudice and that it could not rely on this restriction to the right of access.
Click here to access a copy of the decision.
Irish Circuit Court finds Courts Service breached data protection law
This week the Irish Circuit Court upheld a decision of the Data Protection Commissioner which found that the Courts Service breached the Data Protection Acts when it inadvertently uploaded a copy of a judgment naming a party whose identity was protected by Court Order.
In reaching this conclusion the Court considered the Wirtschaftsakademie and Jehovan todistajat decisions of the CJEU and found that the Courts Service was a data controller. The decision dismissed the idea that the original judge was the sole data controller but left open the possibility that in certain circumstances the judiciary and the Courts Service could be joint controllers.
You can read a copy of the judgment below or download it here.
Approved-judgment-3.2.2020FP Logue acted for the data subject in this case.
Subject Access Requests
A clip from the TG4 Uchtú documentary where I discuss subject access rights with broadcaster Evanne Ní Chuilinn
What’s the difference between Privacy and Data Protection?
In Ireland, it’s increasingly common to see the term “privacy” being used interchangeably or as a substitute for “data protection”. This may be due to lack of awareness, the influence of U.S. terminology, or marketing preferences for a catchier term. Whatever the reason, it is important to understand the difference between the two terms in order to avoid confusion about legal obligations and rights.
Privacy is a broad term encompassing a number of rights, such as the right to be let alone and the right to respect for private and family life, home and communications. A useful description of privacy is from the UK’s Calcutt Committee report of 1990 as “the right of the individual to be protected against intrusion into his personal life or affairs, or those of his family, by direct physical means or by publication of information.” In Ireland, privacy rights derive mainly from the Constitution of Ireland (as an unenumerated personal right recognised by Article 40.3), Article 8 of the European Convention on Human Rights, and Article 7 of the EU Charter of Fundamental Rights.
Data Protection means the protection of individuals in relation to the collection, use or processing of personal data, i.e. information that relates to them as an identified or identifiable person. In Ireland, data protection is governed by the General Data Protection Regulation (GDPR) and the Data Protection Act 2018. Businesses and organisations have data protection obligations, including having a legal basis for collecting, using or processing personal data, compliance with data protection principles, and having technical and organisational measures in place to meet accountability requirements. Individuals have data protection rights, including information, access and erasure, as well as making a complaint to the Data Protection Commission or taking legal action where their rights have been infringed or they have suffered damage.
Where a breach of the GDPR is likely to cause risk or harm to an individual, one of the adverse impacts could of course also include a loss of privacy. However, the GDPR is not a privacy law. In fact, the word “privacy” does not appear anywhere in its articles or recitals.
It’s important to know the difference between privacy and data protection to avoid confusion and misunderstanding about legal obligations and rights. It is also essential for businesses and organisations to understand that they have data protection obligations, and individuals have data protection rights, in situations which often have nothing to do with privacy.
Common ground for GDPR and blockchain?
On 12 July 2019 the European Parliament released its report on Blockchain and the General Data Protection Regulation. The report aims to clarify the existing tensions between the rights of data subjects and blockchain technology and propose solutions, while reassuring its proponents that the EU institutions recognise the potentially game-changing applications for blockchain technology across multiple industries, as was addressed in a European Parliament Resolution of 3 October 2018.
The GDPR is principles-based and these principles inform everything that flows from their application, including its scope to be technology neutral, as is expressly mentioned in recitals, and thus future proof. Blockchain technology is built on blocks of digital information, or nodes, that are distributed across multiple data controllers. Each node builds on the last and, to maintain the integrity of the chain, cannot be modified or altered after each transaction is completed.
The challenges that blockchain’s presents to the GDPR framework are immediately apparent. The GDPR is built on the presumption of an identifiable data controller, or joint controllers, who is accountable for how personal data is processed. Moreover, the technical specificities of the blockchain model are not easily aligned with data subjects’ rights to rectification or erasure of personal data, or the right to be forgotten. As the technology creates a perpetual ledger, principles such as data minimisation and storage also fall foul.
The report also identifies various ways in which blockchain can be used to advance GDPR objectives; without the need for a single (or joint) data controller, it offers transparency over who has accessed data. Data subject rights of access and portability are facilitated by the technology. Ultimately, where blockchain technology has been in the processing of personal data, its compliance with GDPR should be assessed on a case-by-case basis taking into consideration factors such as the context (public v private) and whether the encryption of the data meets the threshold for anonymisation.
The above-mentioned EP resolution makes it clear that there is an explicit intention to support the adoption of blockchain technology across the EU. For GDPR compliance the report proposes regulatory guidance, codes of conduct and certification mechanisms to provide guidance. Alternately, research funding could made available for interdisciplinary research on blockchain protocols that could be ‘compliant by design’.
What is clear is that at present there is nothing concrete in the pipeline that will assuage the concerns of privacy advocates and the question remains – where there is a will can a way be found?