Archive for the 'Data Protection' Category

Yet another Toyota recall

I wrote twice before on product recalls by Toyota and the apparent legislative oversight which meant that there was no legal provision allowing Toyota to obtain records of Toyota owners from the vehicle licensing authorities.

At the time I wrote those posts, the most recent legislation on the issue was the Finance Act 1993 (Section 60) Regulations 2005. Now that Toyota are undertaking another product recall, I discover the  Finance Act 1993 (Section 60) Regulations 2009, which took effect on 25 September 2009 but which, oddly, were not available on the Irish Statute Book when I wrote my posts in 2010 and 2011.

At any rate, the 2009 Regulations revoke and replace the 2005 Regulations and designate specified manufacturers and distributors as being entitled to obtain vehicle licensing records, rather than the generalised category stated in the 1996 Regulations.

So, it appears that I was mistaken, but had no way of knowing it at the time.

New data protection rules on cookies & mandatory data breach reporting for electronic communications providers

 

From George Eastman House

Not those kind of cookies.

Last week, the Minister for Communications, Energy and Natural Resources signed a group of statutory instruments into law which transpose the EU telecommunications reform package.

Among those regulations are the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011.

The Regulations are lengthy but the Data Protection Commissioner already has a guidance note online outlining the changes introduced, the most significant being:

  • Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
  • More stringent requirements for user consent for the placing of “cookies” on electronic devices
  • Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls

I previously wrote about mandatory reporting of data breaches in the context of general data protection law (rather than sector-specific rules).

Leo Moore (William Fry) points out that the new rules on cookies do not provide for a lead in time, as was the case in the UK. This will put pressure on operators subject to the rules to get their house in order quickly. He notes:

Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.

For more, try following Ronan Lupton (ALTO), TJ McIntyre (UCD/DRI), Leo Moore (WF) & David Cullen (WF) on Twitter.

Privacy and the press

I wrote a short article for last week’s Sunday Business Post on the super-injunctions story and the conflict between freedom of speech and privacy. It appeared in the Computers and Business magazine and is available here.

It’s a difficult topic to tackle in a short article and some more thoughts on the issue are in my earlier rambling blogpost. However, Karlin Lillington dealt with the issue expertly in last Friday’s Irish Times by contrasting the UK super-injunctions saga with the Irish experience of data protection and retention laws.

PRIVACY HAS two definitions. There is the definition that applies if you are wealthy, or a celebrity, or a corporation or organisation, and you wish carefully to protect from the public eye your infidelities, personal peccadilloes, ethically questionable activities, illegal doings or other foibles that might damage your income, reputation or bottom line.

Then, there is the definition that applies if you are just an ordinary citizen and a bank, an insurance company, an electronics manufacturer, a telecommunications company, a law enforcement agency, a government department or other organisation holds or would like to view lots of potentially sensitive information about you.

If you are in the former, elite group, lucky you. You will find you are entitled to all sorts of perks and privileges when it comes to your special definition of privacy. Your national government may come up with laws specifically to protect your version of privacy.

Justice systems may invent special protections that mean not only is no one allowed to mention whatever it is you or your company is said to have done, but no one is even allowed to mention that such a legal protection is there in the first place.

Social media and internet companies may, despite public statements about valuing their users and freedom and democracy, relinquish information about the people who might have said something annoying about you, your company or your government, the better to enable the justice system to get these aggravating people off your back.

If you are in the second group, your privacy is too often a commodity.

The surprising reason given for the change to HSE policy on providing patient lists to clergy

This morning’s Irish Times reports on a change to a Health Service Executive policy I never knew existed. Until now, Irish hospitals provided members of the clergy with access to patient admission records. This practice, the article reports, “has been stopped by recent data protection legislation.”

I was surprised by the reference in the article to “recent data protection legislation” and “new legislation”. The main Irish legislation in this area is the Data Protection Act 1988. It was amended in 2003. There are a number of regulations affecting those Acts but the most recent relates only to the Director of Corporate Enforcement.

So, is the new legislation referred to the 8 year old act or the 23 year old one?

The truth is, one might reasonable speculate, that the consequences of long-standing legislative requirements have recently been considered by the HSE and they changed their policy accordingly. [I since found that the Offaly Independent reported on this story last Friday, without any indication that the legislative requirement which led to the policy change was new or recent.]

Information on an individual’s health is sensitive personal data for the purposes of the Acts and is the category of personal information that is subject to the strongest protections.

The Data Protection Commissioner has published a guidance note on the application of the Acts to the health sector. That note begins with the following, non-legislative point:

The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care.

It goes on to say that

Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data.

This recent, very much belated, change of policy by the HSE suggests that the organisation may have some distance to travel in this regard.

Irish data retention law now in force

There has been so much political uncertainty in recent weeks that one wonders what business of Government has gone on unnoticed. One such item of business, I discovered from the A&L Goodbody legislative FAQ referred to earlier, was the passing by the Oireachtas of the Communications (Retention of Data) Act 2011.

This controversial piece of legislation is not available,  as yet, in its final form as none of the Department of JusticeHouses of the Oireachtas or Irish Statute Book have published it.

The President signed the Act into law on 26 January 2011 but, as far as I am aware, this has not been reported on anywhere. The commencement date is not known but the latest draft available does not contain a commencement clause so, if one was not inserted before it was passed by the Oireachtas, it is now in effect.

[Update: I wasn't correct in stating that the introduction of the Act hasn't been reported on. I had missed Eoin O'Dell's reference to its passing on his blog and Karlin Lillington's coverage in the Irish Times. She also covered the Seanad debates on twitter. However, it is still noteworthy that this news has been confined to analysis pieces and has not been headline news, by contrast with other rushed legislation recently signed by the President.]

According to the Internet Service Providers Association of Ireland:

ISPs providing Internet services to the public are now obliged to retain certain data, as set out in the Act, identifying the occurrence of a communication (but not about the content of the communication itself). This must be done for every user, whether they are a private or business customer. In the case of Internet communications the ISP must keep the data for a period of one year … [The] ISPAI regrets [the passing of the Act] despite the trojan efforts of non-government Senators who argued the amendments (which were defeated) aimed at giving greater clarity to the legislation and particularly to minimise its potential to put Ireland at a cost disadvantage to our EU neighbours for Internet based business.

Digital Rights Ireland summarised the effect of the legislation when it was first put before the Oireacthas as follows:

In essence, the Bill requires telecommunications companies, internet service providers, and the like, to retain data about communications (though not the content of the communications); phone and mobile traffic data have to be retained for 2 years; internet communications have to be retained for one year … This will impose significant costs on those obliged to retain and secure the data, and those costs will be passed on to their already hard-pressed customers. And it is likely to drive international telecommunications and internet companies to European states which have introduced far less demanding regimes.

The Irish Council for Civil Liberties made submissions to the Department of Justice about the legislation. Digital Rights Ireland took a constitutional challenge against the legislation and that challenge is en route to the European Court of Justice (the Act implements the EU data retention directive).

Privacy & Human Rights in Europe

Privacy InternationalPrivacy International have published their latest study reviewing privacy and human rights in Europe.

I contributed to the Irish chapter of the report, along with TJ McIntyre and Colin Irwin. It gives a good overview of current Irish law on privacy and data protection.

The report concludes that, while Europe is the world leader in privacy rights, there remains much work to be done in the field.

The Directive on Data Protection has been implemented across EU member states and beyond, but inconsistencies remain. Surveillance harmonisation that was once threatened is now in disarray. Yet there are so many loopholes and exemptions that it is increasingly challenging to get a full understanding of the privacy situations in European countries. The cloak of ‘national security’ enshrouds many practices, minimises authorisation safeguards and prevents oversight.

The report includes a report card in its key findings, the highlights of which for Ireland include criticisms that Ministerial warrants can override privacy law protections and that powers allowing for interception of VoIP calls are ambiguous.

For more on international privacy law, Morrison Foerster have a very useful library which acts as an online sourcebook.

Another recall: on what legal authority will Toyota get access to owner details?

Toyota announced another recall today.

wrote about car recalls last year. Car manufacturers don’t have ownership details of all cars sold and, in the event that a safety issue arises, needs to get that data from vehicle licensing authorities.

From the US National Archives

Access to this data would normally be prohibited under the Data Protection Acts 1988 and 2003 but was previously facilitated by a set of regulations published by the Department of Finance. The Data Protection Commissioner criticised the unqualified access provided under those regulations and sought their review. I don’t know whether the Commissioner’s comments influenced the Department of Finance, but in 2005 a new set of regulations were published which removed the reference to car manufacturers.

Therefore, in so far as I can tell, the law no longer provides for the provision of car registration data by vehicle registration authorities to car manufacturers. Unless Toyota is otherwise entitled to that data (and I have argued that they are not), the disclosure by the vehicle registration authorities is contrary to the Data Protection Acts.



Follow

Get every new post delivered to your Inbox.

Join 3,124 other followers