Month: September 2010

Did you friend the Department of Social Protection?

Over on the Irish Computer Society’s data protection blog yesterday, Daragh O’Brien wrote about the news that the Department of Social Protection is monitoring Facebook when investigating suspected welfare fraud.

Daragh discusses the data protection principle of fair obtaining in this context. He notes section 8(b) of the Data Protection Acts 1988 and 2003, which suspend the restrictions in the Acts for the purposes of the investigation or prosecution of offences and in the case of collecting or assessing monies due to the State. However, the section 8(b) exemption only applies where processing of personal data (which would include getting it from Facebook) is required for the purposes of investigation, etc. The provision is, as yet, untested, but the wording certainly suggests that it is not open to the Department to process personal data obtained from Facebook merely as an aid to investigation.

© Brian Solis — After all, this guy doesn't believe in privacy.

This morning, the Irish Independent followed up on the story with surprising statements from Facebook itself, primarily that:

“Facebook protects people’s right to privacy but in the same way officials investigating a case can access post office details or phone records, accessing Facebook profiles would be the same kind of thing,” a spokesman said.

It comes as a surprise to me* that the Department could access post office details (and: what are those details?) and phone records without a court order or the consent of the data subject, but Facebook apparently believes this is the done thing. It’s an important point because Facebook’s privacy policy purports to allow the company to hand over your information.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards.

It is not known from the news reports whether Facebook has facilitated the Department of Social Protection or handed over information or access to profiles to the Department. If not, it is difficult to see how the Department has accessed any meaningful information from the site, unless it has taken advantage of data which has inadvertently been made public or, alternatively, if the Department has obtained the data by deception.

From the comments made by Facebook to the Irish media, it appears that Facebook has an off-hand attitude to the specifics of Irish law on this point and its privacy policy suggests that the company will err on the side of caution in assisting a State agency. It won’t surprise many that Facebook might not rush to defend your privacy.

The incident is certainly worthy of investigation by the Data Protection Commissioner.

* I’m not an expert on the Social Welfare Acts and they are labyrinthine, but anyone with more knowledge on the powers of the Department in this area might comment below. I understand certain information can be shared by some State agencies for the purposes of making a decision on whether to provide social welfare or grants, but I don’t believe that extends to investigations by the Department.

Rage against the machine

The march of the machines is irresistible, with technology providing a range of opportunities for businesses to reduce the need for human input. There is a legal limit to such progress, but how many people know about it?

Section 6B of the Data Protection Acts 1988 and 2003 provides:

a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct

Photo licensed under Creative Commons Attribution-Share Alike 3.0 Unported license. — Four musicians invoke section 6B against the machine.

There are, as ever, exceptions to the ban, the most straightforward being consent. I have yet to see a set of terms and conditions containing such consent.

The widest exception concerns decisions made for the purposes of considering whether to contract with the data subject or in the course of performing such a contract. A further exception may arise where automatic decision making is required or authorised by law.

The contractual exception appears to strip the ban of much of its force. However, any exception to the ban on automated decision making only applies if the request for the entering into or the performance of the contract is granted or if there are suitable measures to safeguard the subject’s legitimate interests. Therefore, if the result of an automated decision is to not grant what the data subject requested, that decision will have to be reviewed by a human being.

A glaring question remains: what happens when section 6B is breached? As is often the case with data protection law in Ireland, the answer is unknown but it is likely that some enforcement proceeding might be engaged in by the Data Protection Commissioner.

PS.

Section 6B, which implements into Irish law Article 15 of the EU Data Protection Directive, appears to be ambiguously drafted (due to poor formatting), arguably making the contractual exemption wider than intended. I have, however, gone with the intention of the Directive on this point.
The real Rage Against the Machine.

Another storm brewing for the legal profession?

Solicitors in the UK appear to be going through a similar insurance crisis to that which hit their Irish colleagues last year. The Lawyer reports that this year’s renewal process, now in its final stages, will be “tougher than ever.” Ironically, it seems part of the difficulty has stemmed from the Irish Financial Regulator’s administration of Quinn Insurance, which had been aggressive in its attempts to into capture some of the UK market.

Meanwhile, the SMDF recently reported a deficit of €15.9 million for 2009. Last year, the Law Society told solicitors that the SMDF insured over 60% of the market. Accordingly, emergency measures were taken to support the SMDF and to avoid the bulk of the profession facing a lack of cover.

Today, the Law Society informed solicitors that XL, a new entrant to the insurance market in 2009, captured 28% of the market for 2010 (1% more than the SMDF). Therefore, it would seem that the SMDF has lost over half of its customer base in one year, most of them being lost to XL.

It had been hoped that the changes made to the PI insurance system last year would lead to greater stability this year, but it remains to be seen what effect the dramatic loss in customers will have on the SMDF.

Use of registered trade marks in secondary branding

My case note on the Irish Supreme Court decision in Danone v. Glanbia has been published in the Journal of Intellectual Property Law & Practice. I summarise the significance of the decision as follows:

The use of trade marks as non-primary branding is increasingly a feature of consumer product marketing and it will be of reassurance to companies engaged in such marketing to note Macken J’s observation that she does ‘not consider there is anything in law which prevents an ingredient from being part and parcel of the marketing or promotion of the product of which it is an essential component’.

Our Country, Our Call

Tomorrow, the winners of the bizarre Your Country, Your Call competition will be announced. Apart from a few isolated incidents, the media has avoided serious scrutiny of the competition and its organiser, An Smaoineamh Mór.

The following are some questions that might reasonably be asked:

Who is An Smaoineamh Mór?
Given that one of its stated aims is to lobby the Government for legislative change, has it registered with the Standards in Public Office Commission?
Why has it accepted donations which exceed the limit allowed in respect of donations for political purposes?
Why does the Government feel the need to make a significant cash donation to assist An Smaoineamh Mór in such lobbying, at a time of massive cutbacks in public spending?
Why does the Department of Enterprise not want to know about these questions?

These and more have been explored in more detail over on Tuppenceworth.ie, also the best source for future updates.

PS. Yesterday’s big news story was the 2009 report of the Comptroller & Auditor General. The C&AG is, as pointed out by Simon in the comments below, a member of the Standards in Public Office Commission with which it appears An Smaoineamh Mór should be registered.

Two of the high level comments by the C&AG in his press release, relating to “administrative matters that may merit consideration” are surely relevant to the existing or proposed provision of funding by the Department of Enterprise, Trade & Innovation to An Smaoineamh Mór:

The need to improve the capacity of departments to evaluate costs and benefits of proposed programmes so that evidence-based information and analysis is available to underpin decision making

The need to ensure that, where the State uses third parties to deliver programmes, there is an adequate control and inspection process to guarantee the regularity of expenditure and the correctness of the charge to public funds

Delay down the line: Legal Aid Board to take over criminal legal aid scheme

The announcement by the Minister for Justice that he intends to transfer the operation of the criminal legal aid system to the Legal Aid Board might seem like it makes sense, but is likely to result in delays and possibly higher costs.

Currently, the Legal Aid Board administers the civil legal aid scheme and deals almost exclusively with family law matters. It meets clients and assesses their means. Often the Board handles the client’s case itself from one of its law centres. In some cases, the Board refers the client to a private solicitor and issues a certificate to cover costs (with the Board paying the solicitor’s fees according to set rates). Due to increased demands on the system (as noted by the Minister himself), it appears to be increasingly common for the Board to refer clients to private solicitors.

The criminal legal aid scheme is administered by the Courts Service, with an application being made to the judge who first deals with an accused person. The assessment of means is done by the judge and can often be far less formal than that applied by the Board. For example, if the judge is told that the accused is not working and has no significant assets, (s)he may issue a certificate immediately to cover the costs of the defence. (There is no connection between the State funded legal aid schemes and the volunteer-led Free Legal Advice Centres.)

Having the two systems in operation may seem an unnecessary duplication, but there are differences in the demands made of each. Generally, criminal cases will move faster and involve more urgency. The Minister says the change is aimed at cutting costs and improving efficiency, so it is interesting to read the reaction of Frank Brady, director of legal aid at the LAB:

“There is no expertise and very little knowledge of criminal legal aid [in the Legal Aid Board]. The two systems are fundamentally different, and the board will face a difficult learning curve. Nevertheless, the board would welcome the opportunity to play a lead role in the future development of the criminal legal aid service.”

In the long run, streamlining the two schemes might make sense, but this story does not engender optimism. Rather, it appears we are faced with a rash decision to be rushed through the Oireachtas, followed by a period of disruption and delay.

Young solicitors: the Law Society is looking out for you!

The Law Society of Ireland, the hybrid regulator, representative body and educator of solicitors, has not forgotten the legions of unemployed young solicitors. They have appointed a career development adviser, who provides the following advice: get out of law and do something else.

An article in the current Law Society Gazette (p. 10) confirms young solicitors need not despair and suggests alternative career options available:

taoiseach;
Bord Gáis director;
multi-millionaire;
solicitor (?);
Prime Time presenter;
comedian.

Apparently, solicitors can break into these careers if they can just escape their “blinkered mentality”.

© Life Magazine — An un-blinkered young solicitor, unlikely to be our next taoiseach.

Further suggestions are provided in a box headed “Alternative areas to think about” which lists a diverse range of possibilities, some of which seem non-existent and most of which are another word for “solicitor”.

The final suggestion, “commission of inquiry”, is interesting. While I thought the Society might be eager to dispel any public perception that tribunals are gravy trains for lawyers, one hopes the forthcoming information evenings will advise on how best to encourage the Government to establish some more such inquiries.

Blog birthday

I started this blog a year ago today, with a tentative and fairly dull post about television licences. It has developed from there and is, I hope, less dull at times.

To “celebrate”, I joined some colleagues at 7 am this morning for a paper day. This sounds innocuous, but basically involves rooting out endless boxes of dormant files and dumping them into a large room where they can be reviewed and marked for shredding, if appropriate. So paper day involves a good deal of heavy lifting and results in a physical manifestation of the next item on the agenda: sorting through all these files.

There is an upshot to this type of admin work, like coming across the thirty year old file of a client you talked to yesterday. For someone at the junior end of the profession, it’s a lesson in client care.

Also, some souvenirs, like this piece of nameplate: relic of the long-gone Foynes sub-office.

Solicitors still have branch- and sub-offices, but these days they tend to be reasonably far apart. From the 1950s-80s, when car ownership was less common, many solicitors had a sub-office in a number of towns surrounding the home base and one afternoon of each week would be spent in Askeaton, another in Foynes (each of which only about 20 minutes from Newcastle West).

I’ll keep an eye out for the unusual and interesting for future posts in this second blog year.

Transfers of EU citizens’ data to Israel

[Update: The European Commission decided on 31 January 2011 that the State of Israel is considered as providing an adequate level of protection for personal data. This permits data transfers in relation to automated processing only and excludes the exchange of data for national security purposes. It is mostly relevant to intra-company transfers; for example where an EU multinational has a place of business in Israel which might provide back-office services to the EU parent (eg. payroll processing or CRM).]

The Irish media yesterday gave prominence to the unexpected decision of the European Commission to halt a procedure under which Israeli data protection law would be recognised in the European Union. The Irish Times and RTÉ news reports on Thursday evening both opened with almost the exact same sentence:

The European Commission has halted a proposal to allow Israel access to potentially sensitive data on European Union citizens following concerns expressed by the Irish Government.

To me, this sentence suggests that the Israeli government would somehow have access to personal data about EU citizens. This is not the case. The proposal would merely have simplified cross-border transfers of personal data which can and do already occur. The failure of the Commission to approve Israel does not mean that such transfers cannot take place, only that they require extra paperwork.

It’s a technical legal issue, but one which has been simplified to a disappointingly misleading extent. (Today’s print report from the Times was a little more accurate.)

The use of bogus Irish passports by assassins and the suggestion that a stash of personal data was en route to Israel, but for the efforts of Dermot Ahern, makes for an exciting story. Unfortunately, reality is more mundane.

Transfers abroad

The Data Protection Directive imposes obligations on data controllers (holders) and data processors (users) of personal data. The Directive is implemented in Irish law by the Data Protection Acts 1988 and 2003, section 11 of which provides:

The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data …

The question of whether or not a country ensures an adequate level of protection for privacy and fundamental rights is primarily determined by the European Commission, which can approve countries for that purpose. The Commission has approved Switzerland, Canada, Argentina, Guernsey and the Isle of Man. The Commission has also approved certain transfers to the US, once they fall under the Department of Commerce Safe harbor Privacy Principles or the Bureau of Customs and Border Protection Air Passenger Name Record system.

So, the default position is that personal data cannot be transferred from the EU to an unapproved country. However, this is not an absolute prohibition on such transfers: section 11(4) of the DPA provides that the restriction does not apply in certain circumstances, which can be summarised as follows:

if the transfer required or authorised by law;
if the data subject has consented to the transfer;
if the transfer is necessary for contractual reasons in the interests of the data subject;
if the transfer is necessary for reasons of substantial public interest;
if the transfer is necessary for the purposes of obtaining legal advice;
if the transfer is necessary in order to prevent injury or other damage to the health or property of the data subject;
if the transfer is of part only of personal data on a public register;
if the transfer has been authorised by the Data Protection Commissioner; or
the transfer is made on terms of a kind approved by the Commissioner.

This represents a variety of ways in which the section 11 prohibition on transfers abroad can be worked around, though guidance on using these exemptions means that they are not as wide as they may seem at first.

Nevertheless, these exemptions are frequently used to facilitate cross-border data transfers. The most common examples of such transfers are those between group subsidiaries or transfers to service providers, usually for back-office services (finance, customer support, etc).

The most frequently used exemptions to section 11 are data subject consent, contractual necessity and transfers on terms approved by the Commissioner. This latter category involves the use of European Commission-approved model contracts which must be entered into by the transferor and transferee, or the use of binding corporate rules in the case of multinationals. These pass through EU data protection standards and obligations to the recipient of the data transfer.

The Israel incident

The European Commission websites do not appear to have any details of the recent developments in relation to Israel, but it is assumed that the proposal before the European Commission was to approve Israel as a country which ensures an adequate level of protection for privacy and fundamental rights.

If approval had gone through (and it seems that it may yet), transfers of personal data could have been made to Israel from the EEA without having to put in place additional measures like data subject consent or inter-party contracts. However, the transferor would still be subject to domestic data protection legislation and an Irish transferor would, for example, still be liable to data subjects.

The proposal would not have given anyone, as of right, access to the personal data of EU citizens. Neither does the failure of the proposal prevent the transfer of such data from the EEA to Israel: such transfers will just have to continue to operate under the exemptions listed above.