Tag: Data Protection

DPC finds DEASP has been unlawfully processing child benefit data

Since 2008 the Department of Employment Affairs and Social Protection (DEASP) has issued child benefit beneficiaries with “eligibility certificates” which are, in fact, forms demanding personal information about the children involved in order to prove that they are still entitled to receive payments. The certificates are part of the Department’s “control measures”, aimed at ensuring fraudulent claims for social welfare payments are detected and that payments are not being continued for people who are no longer eligible, for one reason or other.

Such control measures might, under certain circumstances, be an appropriate and prudent measure to detect fraud and ensure that taxpayer funds are correctly distributed. I was consulted, however, by a client who had been receiving these forms repeatedly for a number of years, despite no change in circumstances.  (Note: my client is satisfied that non-identifying elements of this case are disclosed.)

The forms demanded that that the client provide the following information:

  1. For each of your children aged between 5 and 18 years, please insert details overleaf of the school or college they attend including full school name, address and phone number of the school.
  2. For children under 5 years old, please insert details overleaf of the doctor they attend or details of the playschool/créche they attend if applicable.

Initially, my client returned the forms. When they continued to arrive on an annual basis, my client wondered how the provision of this information was necessary, what it proved to DEASP and what they might do with the information to confirm entitlements. My client wondered whether this was an excessive request for personal information about children and whether DEASP was entitled to request it. The information provided in the forms sent by DEASP did not provide answers to any of these questions.

On querying this DEASP relied on various provisions of the Social Welfare Acts that regulate child benefit payments and in particular a provision that states that the Minister can require information to be furnished by a beneficiary where the Minister forms the opinion that the furnishing of that information would assist in deciding (among other things) whether a beneficiary is entitled to continue to receive child benefit.

My contention was that those provisions were not an adequate legal basis for the processing that was being carried out and that insufficient information was provided to beneficiaries about the use of the information obtained. DEASP did not accept this and so a complaint was made to the (then) Data Protection Commissioner. (This complaint was made, and dealt with, under the pre-GDPR rules established by the Data Protection Acts 1988 and 2003.)

Following a lengthy investigation and consideration of the complaint, the Commissioner has now issued a lengthy, detailed decision which finds:

  • DEASP’s stated rationale for processing the personal data involved is limited to a general description of policy objectives and control measures, and does not provide a detailed justification for the specific processing operations performed.
  • The forms issued by DEASP do not, of themselves, account for the necessity of the specific processing operations performed by the Department in this context.
  • The limited information supplied by DEASP regarding its processing is insufficient to conclude that such processing was necessary.
  • DEASP did not comply with the fairness principle because the Department selectively emphasised positive outcomes for child benefit recipients when describing the purposes of processing, which did not reflect the fact that the purpose of the processing was, to a substantial extent, the identification of persons who were no longer eligible to receive child benefit.
  • Because its information requests were mandatory and because of the types of information obtained, a significant duty of transparency fell on DEASP to explain the further processing which it intended to perform in relation to the information obtained.
  • DEASP should have provided at least information on its acknowledged “data-matching initiatives”, and specifically, information on the categories of personal data that may be processed in the course of data-matching initiatives, the purposes of processing for such data-matching and the identities of third party data controllers engaged in data-matching initiatives with DEASP.

The Commissioner notes the mandatory nature of the information requests and the fact that DEASP can suspend or terminate payments. In fact, DEASP repeatedly threatened to terminate my client’s payments and earlier this year, suddenly took the step of suspending the payments despite the fact that the Commissioner’s investigation was then at an advanced stage. Following objections, DEASP lifted the suspension pending the decision of the Commissioner.

The decision is very welcome and represents a significant challenge to the extensive and comprehensive data-gathering activities of DEASP and, indeed, other statutory bodies. It highlights the fact that the mere existence of a statutory provision or function is not sufficient to justify demands for personal data which go beyond that provision or which are not adequately explained or justified. While the decision concerns child benefit eligibility certificates in particular, it has relevance beyond those forms to many data-gathering activities of DEASP and other State bodies.

As mentioned, this is a pre-GDPR investigation and decision. The Commissioner did not refer to any intention to utilise the enforcement provisions in the pre-GDPR rules, but because DEASP continued to send out these forms and sent one to my client in 2019 (after the GDPR had come into force) that request for information by DEASP will now be considered by the (now) Commission under its GDPR complaint procedures. It is worth noting that the core data protection principles have not substantially changed, however, while the enforcement provisions have changed substantially.

Lights, camera, action?

I am not alone in wondering what the status of Limerick City & County Council’s Smart CCTV surveillance system is. County councillors have been asking what the delay with the system is and it appeared some weeks ago that the provision of legal advice to the Council was imminent but, as far as I can see, it has not been presented to councillors for consideration.

(See my previous post for some background on community surveillance and Limerick.)

The Data Protection Commission had told me last month that their office was not going to investigate complaints against the Limerick scheme because a national study on public CCTV was to commence within weeks, part of which would look at the Limerick scheme. However, the Commission also told me that it was their “understanding that the CCTV systems … are not in operation.” They did not state where that understanding came from. Somewhat unusually, the Commission does not appear to have made any public statement about its national study other than what was reported in the Irish Times in March.

So, I asked Limerick City & County Council if the cameras were recording. This request was made under section 3 of the Data Protection Acts 1988 and 2018, which allows individuals to see if an organisation is processing personal data. The Council have today told me that the surveillance system is active and recording footage. They say, however, that the footage is not currently being accessed because the cameras are being tested.

The Council’s position on this is that the system is in a “transitional” status and not a “live” or “operational” one because the footage is not being monitored. They say that the system is not not yet “live” because the Council is finalising its CCTV policy in line with the GDPR and data protection legislation. However, it is clear that the cameras are recording and the Council is, therefore, processing personal data (see Article 4 GDPR for the definition of “processing”). It is not clear what is being done with the footage recorded or what the testing of it involves.

A notable aspect of the Limerick scheme is that it has been authorised by the Garda Commissioner under section 38 of the Garda Síochána Act 2005, which provides for authorisations of community surveillance only for public order. The then Acting Commissioner confirmed to me in January that the authorisation granted was “for the sole or primary purpose of securing public order and safety in public places by facilitating the deterrence, prevention, detection and prosecution of offences.” The Council tell me that the primary purpose of the scheme is public order and safety “including” the following:

I was particularly interested in the reference to the “perception of safety” – the Council’s own statistics in the report that lead to the surveillance system show a significant drop in reported crime in many areas, including Newcastle West.

The Data Protection Commission will have to decide, in the first instance, whether or not the purposes to which the Council wishes to put its surveillance network are a justified and proportionate infringement on the privacy rights of individuals.  The remarkably vague reference to “open data” gives rise to further concern and it is again astonishing that a privacy impact assessment does not appear to have been done in advance of planning such a system.

It remains to be seen how piggybacking these additional purposes on the surveillance system is compatible with the section 38 authorisation granted by the Garda Commissioner. The Commissioner has not yet confirmed the position on that point but the previous Acting Commissioner confirmed to me that they had not, for example, authorised ANPR or tourism cameras.

Whatever results from the national study, it will be interesting to see where the Data Protection Commission obtained the understanding that Limerick’s surveillance system was not in operation and how the Council’s continuing preparations for the full operation and monitoring of the system will interact with the Commission’s national study.

Community surveillance & Limerick’s Smart CCTV scheme

A Smart CCTV installation in The Square, Newcastle West

I have had a draft blog post lingering for many months addressing some of the issues and concerns with community surveillance, particularly in light of Limerick’s “Smart CCTV” scheme which, I believe, will be a model for a national network of community surveillance.

Quite a lot has since been written (and spoken) about the issue so I include links below to various reports and discussions about the scheme, and some other schemes around the country.

The Data Protection Commission is about to conduct an examination of public sector CCTV schemes nationally. The results of this will be interesting, particularly if one is to interpret anything from the recently-published proposed list of activities that will require a data protection impact assessment under the GDPR (I suggest that one should).

Given the commencement of the GDPR and Data Protection Act 2018, and the forthcoming examination by the DPC, one would think that they State authorities might pause these systems so that a national approach to them could be put in place before expanding their scope further. The opposite seems to be the case.

Media coverage

Other background information

Litigation disclosure of personal data

Photo © Convert GDPR
Photo © Convert GDPR https://www.convert.com/GDPR/

Litigation solicitors often request and disclose too much information about clients when representing them in court cases. The imminent data protection reforms in the GDPR are bringing data protection issues into focus on a daily basis, not least the routine things many businesses and professionals do and have always done which might not be acceptable under the GDPR or even existing data protection law.

Respecting privacy, and the GDPR, requires that we all consider and reconsider what personal data should be collected and what can or should be done with it. Solicitors owe a duty to their own clients, for example, not to unnecessarily disclose personal data.

What is the issue

This often arises when dealing with requests for information or documentation from “the other side” in a case. If you sue someone there is certain information you must provide the other side with, and some information they are entitled to ask for.  I’m going to use the example of personal injury cases, as they are the most relevant in this context.

In those cases the injured party (the plaintiff) has to give certain basic information like their name, address, PPSN, details of special damages and negligence alleged. The person being sued (the defendant) can ask the plaintiff for some additional information such as about previous personal injuries, claims and treatments where relevant and, if asked, the plaintiff must answer. These questions are put in what is called a “notice for particulars”, a document sent by the solicitor for the (usually) insurance company defending the claim. If the plaintiff refuses to answer the notice with “replies to particulars”, the defendant can ask for a court order compelling the plaintiff to answer.

That does not, however, mean that all questions must be replied to. The purpose to particulars is so that the defendant knows what case they have to meet at trial and to prevent them being surprised with unexpected allegations. It is not a means of a defendant getting advance details of the evidence that will be presented at trial, nor is it an opportunity for a fishing expedition for information about the plaintiff. It is, however, often treated as just that and defendants often ask all sorts of questions about the plaintiff’s family and domestic circumstances, personal and employment history and medical affairs whether or not they have a bearing on the case.

The (non-data protection) law on particulars

Mr Justice Hogan delivered a significant judgment (Armstrong v. Moffatt) on replying to notices for particulars in 2013. The judgment provides a good run-through of the law on particulars but Hogan J was notably critical of the practices which had developed in recent years of defendants seeking a huge range of information, and of plaintiff solicitors going along with these requests.

Not least in personal injury cases, the particulars sought in many cases had reached something of an art form. Quite often no possible detail or dimension of a [claim] remained unexplored at the hands of pleaders who at times seemed to revel in this glorious new art form. It was by no means uncommon to find notices for particulars stretching to twenty or more paragraphs, often replete with individual sub-paragraphs. Most litigants (or, perhaps more accurately, their solicitors and junior counsel) simply yielded dutifully to these requests, as it was often more convenient and expedient to do so rather than to take a stand on principle. In retrospect, the courts should, perhaps, have been more prepared to strike out many of the pre-rehearsed requests as oppressive and, in some cases, as constituting quite simply an abuse of process …  [M]any of the requests in this and similar cases are either irrelevant or not permissible in law as particulars are nonetheless steadfastly advanced shows that many pleaders have simply gone astray in their enthusiasm to interrogate every possible detail of their opponent’s claim.

While the judgment did not mention and was not based on data protection law it was, in effect, a call to action addressed to solicitors on both sides: stop requesting so much information in notices for particulars, and stop acquiescing to excessive requests.

Unfortunately, it has not been heeded. The practice certainly varies from solicitor to solicitor but some insurance defence solicitors continue to issue lengthy notices for particulars, often with very surprising questions about the plaintiff’s personal life and family circumstances that do not appear to have any bearing on the case. Moreover, judges have not always accepted arguments against providing replies to particulars on the basis of Hogan J’s judgment.

A similar issue arises in the context of voluntary discovery, which involves the handing over of full records rather than just replying to questions. I would  hope that solicitors are generally more restrictive when it comes to discovery, but solicitor Dervila McGirr quite rightly criticises the reliance on discovery “on the usual terms”, particularly in relation to extensive requests for highly sensitive medical records, and the impact on client privacy. There should be little if any basis for operating “on the usual terms”. Each request for information or documentation should be considered on its own terms.

It is important to note that in these situations, a solicitor acts as the “agent” of her/his client. I won’t digress into the field of agency law but a solicitor acting as agent of the client has a certain amount of latitude to do things on behalf of a client with their authority (whether explicit or implied). Delivering replies to particulars is one of those things, but how far does a solicitor’s authority go? Surely not to hand over personal data wholesale. However, in personal injuries cases at least, the client must swear an affidavit of verification confirming the accuracy of the information in the replies to particulars so the client necessarily has to have reviewed what is in the document. You could, therefore, argue an express authority to hand over the information (after all, the client confirmed the contents), but does it end there?

Which is where data protection comes in

Quite simply, if a defendant is not entitled to certain information in the course of obtaining further and better particulars, what right does a plaintiff’s solicitor have to provide the information? The obligations of the Data Protection Acts (and the GDPR/Data Protection Bill) mean that a solicitor should consider whether the defendant is entitled to the particulars sought. If not, the information (which will often be sensitive personal data) should not be disclosed to the defendant.

A client may have reviewed the contents of replies to particulars and confirmed them in an affidavit of verification, but have they consented to the release of the personal data or expressly authorised it? Consent is notoriously problematic in data protection, and for sensitive personal data (which many replies to particulars in personal injuries cases are) it must be explicitly given. If a solicitor puts draft replies to particulars in front of a client, asks that they be checked for accuracy and that an affidavit of verification be sworn, at what point was the client given a clear explanation of the processing involved (the disclosure to the other side)? The key explanation should involve advice as to whether or not the client is required to disclose the particulars. And this is, I suspect, where many would fall into difficulty.

What is the consequence?

This issue does not appear to have been the subject of a judicial decision or complaint to the Data Protection Commissioner (yet), but this is true of many persistent issues in data protection.

A possible explanation is the lack of serious consequence to date. There has, possibly, been too much deference to exemptions and exceptions in the Data Protection Acts relating to litigation and connected services. And while the Acts (section 7), impose a duty of care to data subjects under the law of torts, the utility of that provision was almost entirely hollowed out by a High Court decision in 2013 (Collins v. FBD). Section 7 was never satisfactory and the Collins decision made it worse, requiring that  a plaintiff had to show specific loss in order to claim damages – i.e. the fact that the duty of care owed to them was breached in some way alone was not enough to obtain compensation. Eoin O’Dell’s excellent paper on compensation for GDPR breaches expertly outlines the issues with Collins, forcefully concluding:

the decision … in Collins is quite simply wrong – as a matter of principle, as a matter of national law, and as a matter of European law

In addition, judges sometimes order that replies to particulars be given which should not be ordered – many plaintiff personal injuries solicitors will probably have had this experience in the past. While, under the Acts, this may cure data protection issues for the plaintiff’s solicitor (because there is now a legal obligation to disclose the personal data) the GDPR, again, changes the landscape.

Which is where the GDPR comes in

Mr Justice Frank Clarke (Chief Justice) has recently commented in a number of forums about the challenges the GDPR raises for the judiciary and the need for privacy training among judges. Future disputes about particulars and discovery are likely to involve increased reliance on data protection concerns and the GDPR when before the courts. All of this should mean a more restrictive disclosure regime than has often existed in Ireland, despite the decision in Armstrong v. Moffatt on particulars and the changes in relation to discovery outlined by McGirr.

In the context of voluntary particulars and discovery, while O’Dell points out that the decision in Collins would not survive further challenge, it will be made redundant by the GDPR which requires that someone whose rights under the Regulation have been infringed must be entitled to seek compensation for both material and non-material rights (section 112 of the Data Protection Bill 2018 purports to implement this).

It is difficult to see how a solicitor is fairly processing personal data by unnecessarily disclosing it in these circumstances. This has been the case for many years, but a key change with the GDPR is that breach of data protection rights will no longer be mere technical, regulatory breaches but actionable ones that could give rise to compensation.

And, legal provisions aside, there is a very obvious and natural objection that someone might have to sending out all manner of personal information (including information about other family members or cohabitees) to third parties where it is not necessary to do so. Defence solicitors need to be robustly challenged on notices for particulars, or plaintiff solicitors may find themselves struggling to justify the unnecessary disclosure of their client’s personal data to insurance companies.

Employers can’t spy on employees

Copyright nolifebeforecoffee (Flickr)Court judgments, often complex and difficult to translate into a soundbite (or, these days, clickbait), are frequently misreported. This is particularly the case with European court judgments, whether from the ECJ, where Advocate General opinions are usually reported as “rulings”, or the European Court of Human Rights, where the consequences of decisions are frequently misstated. And that’s before you even get to the difference between the ECJ and the ECHR, another source of confusion.

This week the ECHR gave judgment on a case involving a Romanian engineer (Barbulescu v. Romania) who was disciplined for using Yahoo! Messenger during work hours. A key point here is that the Y! Messenger account was set up by the employee on the instruction of the employer for work purposes. It was not a personal account. The employee argued that the employer had breached his right to privacy, but the ECHR decided that the actions of the employer were limited and proportionate.

Most headlines and some reports represented the decision as meaning that employers can now spy freely on employee communications. This is quite a dangerous misinterpretation or oversimplification of the decision.

Elaine Edwards has a very helpful article explaining the law and the judgment on the Irish Times.

In passing down the ruling, the judges stated that unregulated spying on employees would not be acceptable, and called on a set of polices to be drawn up by employers that would clearly state what information they could collect and how.

The judgment is not a surprise to employment lawyers. These cases are focused on whether the employee has a reasonable expectation of privacy in their communications. Whether a reasonable expectation arises largely depends on whether or not policies are in place governing the use of communication services or whether warnings have been given to employees that communications may be monitored. Even if covert surveillance might be used, and such surveillance is sometimes necessary, a policy should be in place so that employees are aware that they might be subjected to covert surveillance at some point. The Employment Appeals Tribunal (now the Workplace Relations Commission) has previously said:

Setting traps and ambushes for an employee is inappropriate behaviour for an employer.

One interesting point, noted in the UK Human Rights Blog, is that the warning given to Barbulescu that his employer might monitor his communications was of a general nature. Such a warning by an employer in the Irish context might not be sufficient.

Steve Peers notes:

Barbulescu definitely does not give employers carte blanche to put their employees under surveillance. There remain – as there were before this judgment – cases where such surveillance is justified, and cases where it is not … national courts, perhaps excited by the new Regulation, might insist that higher standards apply in national law. For the time being, though, employers should be aware that there is still a fine line between acceptable and unacceptable monitoring of their employees.

He alludes to an important point: the judgment does not displace Irish employment or data protection law. The Data Protection Commissioner published guidance on workplace monitoring years ago which notes the importance of balancing the legitimate interests of the employer against the privacy rights of the employee. It requires that monitoring, whether by CCTV or access to electronic communications, be done in a transparent manner. An interesting recommendation, often forgotten by organisations, is that “[e]mployers should consider whether they would obtain the same results with traditional measures of supervision”.

David Whincup put it well on the Squire Patton Bogs employment law blog:

[The] headline in the Mail : “Bosses free to spy on emails” should actually have read : “Bosses free to check that you are using their equipment to do what you are paid to do”. But where would be the news in that?

Mashable’s headline came close and was able to highlight the qualification in the judgment with the addition of three simple words.

Be kind, rewind: the dangers of covert CCTV

Copyright nolifebeforecoffee (Flickr) https://www.flickr.com/photos/nolifebeforecoffee/with/124659356/Cameras are everywhere these days, but CCTV systems have been popular since well before the advent of camera phones. For the most part CCTV cameras are positioned in fixed, known locations such as public offices, shops or streets. A variety of covert cameras are available which have been used for many years to detect theft and fraud in particular. Any such use of covert recording should only be undertaken with caution, in specific circumstances and on the basis of advice.

Capture

This week’s Limerick Leader carries a story of covert recording in the offices of a school. It appears from the report that the reason for covert recording was that sensitive files had gone missing from the school. The full circumstances of the case are not yet known. The use of covert CCTV systems raises one set of issues, the missing files another. Missing files indicates a security breach and while a loss of personal data (likely sensitive personal data) is not specifically governed in the Data Protection Acts 1988 and 2003 a duty of care arises and the Data Protection Commissioner has published a code of practice on dealing with such breaches.

In general terms, the main considerations in using CCTV systems are the individual’s constitutional right to privacy, the Data Protection Acts and employment law. The right to privacy is somewhat undefined as no specific privacy law has been enacted (a previous bill was abandoned). Data protection legislation does not specifically refer to recording equipment or CCTV but since cameras record images of individuals, the images themselves are personal data within the meaning of the Acts and the general rules therefore apply to them. It is crucial that the collection of personal data by recording images is justified. Security would be an obvious justification but the Data Protection Commissioner is very clear that security does not justify indiscriminate recording of employees, for example.

[U]sing a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.

Cameras should not ordinarily be put in locations where occupants and visitors would have a reasonable expectation of privacy. Particular sensitivity might be required in a school, for example, which is obviously frequented by minors. In addition, the Acts require that people are provided with information about the data collected about them and who has collected it. In the context of CCTV, therefore, notices should be displayed indicating that recording is taking place, who is responsible for the recording and why it is being carried out.

Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose.

Of course, there are situations in which these rules will neither work nor be appropriate and the Acts do allow for this. Indeed, the collective EU grouping of data protection regulators accepts that employers may have to resort to covert recording in order to address fraudulent or criminal behaviour and that national laws may permit this. Employment law has long recognised that covert recording might sometimes be justified. But it is clear that specific consideration must be given on a case-by-case basis to the use of covert CCTV recording. Case studies of the Commissioner demonstrate the factors which must be borne in mind.

For data protection purposes, covert recording can be justified generally only with the involvement of the Gardaí. Covert recording may be justified in the case of criminal offences, but not for performance-related monitoring.

The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies that a written specific policy be put in place detailing the purpose, justification, procedure, measures and safeguards that will be implemented with the final objective being, an actual involvement of An Garda Síochána or other prosecution authorities for potential criminal investigation or civil legal proceedings being issued, arising as a consequence of an alleged committal of a criminal offence(s).

Where CCTV footage is recorded, whether covertly or not, obligations continue to govern its retention and access to it. It is common for operators of CCTV systems to refuse to provide copies of their recordings to anyone other than Gardaí. It should be noted that, because camera footage is the personal data of the people recorded on it, those people have a right of access to it under the Acts. Again the Commissioner is quite clear:

Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.

The Circle (a rare book review)

The CircleSam Seaborn (or Aaron Sorkin) said it in 1999: “The next 20 years will be about privacy.” So it’s not surprising that serious authors will tackle the issue, as Dave Eggers has now done in The Circle.

The eponymous company in The Circle is quite obviously Google, or a successor to it. It dominates the internet and begins to dominate the world. Its name is apt, for the purposes of a book if not a real company: the Circle is closing in on us, one ring to rule them all, as it were.

Much discussion of the book has consisted of a misguided complaint that it lacks authenticity. Critics have made the absurd argument that because Eggers is not an insider it is not a valid portrayal. The complaint appears to be that he has not faithfully represented the internet, or Silicon Valley, as they exist (or are perceived to exist) today. This Wired review misses the point entirely.

In his desire to create a world where The Circle rules all, Eggers creates so many extremely unlikely or outright impossible scenarios that happen simply because he needs them to happen. As they stack up through the course of the book, it gets harder and harder to take it seriously even as satire until finally it becomes outright fantasy, with only a tenuous connection to reality as we know it.

It is true, to an extent, that some things happen because Eggers needs them to happen. Call it artistic licence or call it deus ex machina: an author is entitled to move a plot forward. Wired want a book about technology, which The Circle is not. Neither is it quite true that the book strays into the realm of fantasy; but even if it did, is that not a valid way of exploring the issues raised?

The Guardian, less obsessed with fidelity to the tech industry, struck the right note:

It’s not clear whether The Circle is intended as a satire of the present or a dystopian vision of the near future. Eggers’s writing is so fluent, his ventriloquism of tech-world dialect so light, his denouement so enjoyably inevitable that you forgive the thin characterisation and implausibility of what is really a clever concept novel.

The quality of the prose is not quite as the Guardian would have you believe and certainly does not match his earlier works. The Circle is patchy and clumsy in places (never in literature was a shark jumping pun more deserved). It is Crichtonesque and notably screenplay-friendly, but it fails to meet the standards set by either Crichton or Eggers himself. The Wall Street Journal sums it up well:

The Circle is not great literature. But it is a great warning—one that you’ll be hearing a lot more about.

The book is not interesting because of its prose or its authenticity: it is an allegorical tale, “a clever concept novel”. The allegory is not subtle and the tale is not particularly inventive, but nevertheless, even where the plot seems to overstretch, such as in the messianic monologues of The Wise Men, one does not have to go far to find similar statements and ideas already out there.

The Circle aims for “completion”, a state of complete “transparency” in society which effectively eliminates private spaces. Everyone has full access to everyone and everything else. That critics view this eventuality as being far fetched is astounding. For years now influential figures have formulated a philosophy of voluntarily limited privacy. In this profile of Mark Zuckerberg published by the New Yorker in 2010, a media and communications specialist at Microsoft Research outlined a key element of Zuckerberg’s views on privacy:

This is a philosophical battle. Zuckerberg thinks the world would be a better place—and more honest, you’ll hear that word over and over again—if people were more open and transparent.

In The Circle, it is as if Eggers has taken this quote and run with it. The book merely ties together a few strands that are already hanging out there today and develops them to a reasonably logical conclusion: how would people behave following a period of sustained erosion of privacy, cataloging of all information and aggressive privitisation or outsourcing of public services?

Zuckerberg, according to some, doesn’t believe in privacy. His response?

Zuckerberg defended the change — largely intended to keep up with the publicness of Twitter, saying that people’s notions of privacy were changing.

There are, generally, two primary ways the situation is currently viewed. In Zuckerberg’s articulation we have voluntarily modified our behaviour and our expectations of privacy. On the opposite end of the spectrum, as recently articulated by Eugene Kaspersky at the Dublin Web Summit, privacy can never be guaranteed online so you modify your behaviour accordingly. Either way there is grim inevitability.

“There is less and less privacy now. Fifty years ago, if governments and private companies were watching peoples every move there would have been huge protests,” he added.

A speaker at the same event pointed out that, despite the Snowden revelations, “nobody seems to care”, a view which arguably supports Zuckerberg’s vision of privacy.

In The Circle, the ability to modify behaviour and maintain privacy is challenged as the Circle closes in on everyone. Mercer, the totemic refusenik of the book, tries to live outside of the Circle and, in partly comic fashion, it closes in on him too.

Google’s long-stated aim has been to make the world, not just the internet, searchable. This can be achieved only by putting more information online and Google have been active in digitising libraries and cultural institutes to that end. Add in years of your emails and documents and they range of analyses they can perform are significant. The book addresses the issues raised by the digitisation of old information.

In Ireland, we are finally getting around to introducing a law on “spent convictions”. According to Remy Farrell SC:

as time passes the relevance of a person’s previous convictions diminishes to the point that they should be ignored.

Should a similar principle be said to exist in relation to information? Data protection law already requires that personal information should not be kept for longer than necessary; but how long is that? If you set up a Bebo account in 2005 which is now dormant but you have never deactivated it, at what point should there be an obligation on Bebo to shut it down and remove your photos from public view? At present, the European Union is preoccupied with “right to be forgotten” which, in The Circle, becomes the stated “right to disappear” of a high profile objector.

The Circle addresses, but does not fully confront, the manner in which the new global surveillance society is coming about: as a trade-off. You exchange your personal information for useful “free” services. You exchange your personal liberties for useful security services. The book presents the ultimate trade-off: what would you trade to stop child abduction?

Elements of The Circle that seem fanciful, such as politicians and individuals becoming “transparent” by voluntarily wearing webcams which broadcast at all times, seem less preposterous as technologies like Google Glass emerge. Adrian Weckler, reporting on the Web Summit, recently ran into Robert Scoble roaming the RDS wearing Google Glass. He mentioned, in jest, that you could not be sure if he was recording you or not.

These technologies initially take off due to their “cool” factor. They gain critical mass and then the trade-off comes: why don’t you want to be transparent? What are you hiding? Eric Schmidt has already made outstanding statements:

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.

The “nothing to hide, nothing to fear” argument is Orwellian, oppressive, ridiculous and easily debunked. But it persists. Schmidt suggests privacy is some personal foible or luxury that you might unreasonably insist on, not a basic human right which, by the way, is enshrined in numerous laws.

An interesting aspect to corporate attitudes to privacy is the reaction of Google and others to the Snowden revelations. Google and Facebook believe you should be transparent, that you should put as much as your life online as possible and open that up to as many people as possible while also allowing them to analyse the information and your interactions with others. But when it is revealed that the NSA may be carrying out some analyses of their own by using backdoors to their systems, it’s a different matter.

“We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide,” he said.

“We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”

So, Google’s chief legal officer says they don’t provide access to their systems. But just a few years ago, pre-Snowden, Google’s then-CEO warned that information retained by Google could be made available to the authorities. They want to ensure that your data is protected from others, but not themselves.

What is particularly confusing and contradictory about the current erosion of privacy is the extent to which corporate, institutional and governmental secrecy is on the rise. We are told to accept limits on our personal freedoms in exchange for security while also being told to accept limits on the transparency of organisations for the same reason. Glenn Greenwald is the cause célèbre:

I really urge everyone to take note of, and stand against, what I and others have written about for years, but which is becoming increasingly more threatening: namely, a sustained and unprecedented attack on press freedoms and the news gathering process in the US. That same menacing climate is now manifest in the UK as well, as evidenced by the truly stunning warnings issued this week by British Prime Minister David Cameron.

Attacking press freedom attacks the citizen’s ability, and right, to know what is going on. Transparency is for Us, it seems, but not for Them.

The Boston Globe’s review of The Circle begins:

When I finished reading Dave Eggers’s chilling and caustic novel, The Circle, I felt like disconnecting from all my online devices and retreating for a while into an unplugged world. I gather that’s what he had in mind.

I didn’t have that reaction. Rather, I was angry at the reaction of publications like Wired who so easily dismiss it. We have already sleepwalked into an era of eroded privacy and astounding information storage. It is not at all unlikely or impossible that the trend will continue. There have been a number of horrific privacy breaches over the past years that should make people question the extent to which they engage with online services or which might have led to changes in those services, but it hasn’t happened. Sometimes a work of fiction is needed to allow people to think about these issues outside of the dense worlds of tech and law.

Instagate

InstagramInstagram has courted controversy this week by announcing changes to its terms and conditions. There are clauses in Instagram’s new terms which are likely to cause them difficulty with privacy and advertising regulators but the most controversial new terms are that:

  • Instagram will have a full licence to use your photographs, including to sub-licence or transfer use of them; and
  • customers of Instagram (that’s advertisers, not you) can pay to have your name or photos (along with other information) displayed in advertising messages, without paying you or even notifying you.

Changes to intellectual property terms on free online services have long been a source of controversy, not least because when services like Instagram are involved many of the users are involved in creative industries. Even if a user is not a creative professional, the service involves the creation of intellectual property. Mess with those users’ rights at your peril.

Of course, blame for these changes is being laid firmly at the door of Facebook who famously paid through the nose to acquire Instagram. While the new terms are not surprising, given the involvement of Facebook, whoever owned Instagram was always likely to attempt such a change in order to monetise the business.

If the online reaction is anything to go by, the changes are a boon for Flickr. The death knell of that service had been sounding for some time but it, and its new app which has launched with serendipitous timing, could see a significant return of dormant users. I have noticed a surge in activity in the past few days as Instagram users have returned to Flickr and began uploading photos for the first time in months while also seeking out contacts from the Instagram universe.

But what do Flickr’s terms say?

With respect to … Content you elect to post to other publicly accessible areas of the Services, you grant Yahoo! the royalty-free, perpetual, irrevocable, non-exclusive and fully sub-licensable right and licence to use, reproduce, modify, adapt, publish, translate, create derivative works from, distribute, perform and display such Content (in whole or part) worldwide and/or to incorporate it in other works in any form, media, or technology now known or later developed.

The difference between this and what Instagram’s terms will say is not clear to me, apart from the fact that Instagram are more explicit in what they plan to do with your photos. Neither is it clear if a Flickr account which is set to private constitutes a “publicly accessible area of the Services”.

Strangely, this does not appear to be the situation in the US, where their local version of the Yahoo!/Flickr terms are limited and provide a licence “solely for the purpose for which such content was submitted or made available.” This limitation does not appear in the terms applicable in Ireland. So is there any difference between Instagram and Flickr?

Yet another Toyota recall

I wrote twice before on product recalls by Toyota and the apparent legislative oversight which meant that there was no legal provision allowing Toyota to obtain records of Toyota owners from the vehicle licensing authorities.

At the time I wrote those posts, the most recent legislation on the issue was the Finance Act 1993 (Section 60) Regulations 2005. Now that Toyota are undertaking another product recall, I discover the  Finance Act 1993 (Section 60) Regulations 2009, which took effect on 25 September 2009 but which, oddly, were not available on the Irish Statute Book when I wrote my posts in 2010 and 2011.

At any rate, the 2009 Regulations revoke and replace the 2005 Regulations and designate specified manufacturers and distributors as being entitled to obtain vehicle licensing records, rather than the generalised category stated in the 1996 Regulations.

So, it appears that I was mistaken, but had no way of knowing it at the time.

The strange, hypocritical attitude of the Irish Government to copyright, the internet and citizens

[Updated, at end] The introduction yesterday of an amendment to the Copyright & Related Rights Acts has been in the works for a long time (posts here, here and here). The issue has generated quite a bit of heat on both sides and the Government would do well to observe that opponents to the law have not held a monopoly on intemperate comment.

The amendment was destined to be introduced by statutory instrument and the concerns of any critics were always going to be ignored but the attitude of Séan Sherlock, junior Minister for Research & Innovation, to the issue is strange and contradictory.

His announcement of the new law contains a significant dig at those who opposed the statutory instrument the Government has just introduced.

I urge all interested parties on all sides to come together and work in a constructive and realistic way to the benefit of all.

This is a boggling statement. Like any campaign there was a lunatic fringe that fired off ill-informed comments. But most opponents were relatively well organised and the Minister met with representatives of some of them (read Michele Neylon’s account here). So, at least some “sides” came together. The Stop Sopa Ireland campaign was up and running in a very short time and, unlike most campaigns of opposition, actually proposed alternative wording to the Minister.

A key paragraph in that alternative wording would have included an obligation on a court to carry out a balancing act when considering whether or not to grant an injunction to a copyright owner.

In considering an application for an injunction under this subsection, the court shall have due regard to the rights of any person likely to be affected by virtue of the grant of any such injunction (including the freedom to conduct business, the right to protection of personal data and the right to receive or impart information) and the court shall give such directions (including a direction requiring that persons likely to be affected be notified of the application) as the court considers appropriate in all of the circumstances.

It appears that Minister Sherlock considers such a proposal to be non-constructive and part of a campaign of setting the “dogs” on him. However, a few weeks ago the Minister bizarrely “welcomed” the decision of the European Court of Justice in Sabam v. Netlog with the following comment:

[T]his decision … reiterate[s] that, in the context of measures adopted to protect copyright holders, national authorities and courts must strike a fair balance between the protection of copyright and the protection of the fundamental rights of individuals who are affected by such measures …

I welcome today’s decision from the European Court of Justice. This will provide further clarity to Irish courts in adjudicating such matters.

What would also have provided clarity to Irish courts in adjudicating such matters is a clause like the one included in the alternative wording submitted to Minister Sherlock.

Instead, a bare-bones statutory instrument has been used to amend the Copyright & Related Rights Acts providing none of the clarity that the Minister otherwise appears to favour.

[Update 7 March 2012] A recent press release by Minister Sherlock’s party colleague, Phil Prendergast MEP demonstrates what appears to be quite a different attitude to citizen engagement with copyright reform.

Commenting on the referral of the Anti-Counterfeiting Trade Agreement to the Court of Justice of the European Union, Ms Prendergast says:

This extraordinary u-turn by the European Commission, who had up until now dismissed legitimate concerns, demonstrates that engaged citizens and civil society groups can have a decisive impact on politics, especially when fundamental freedoms are at stake.

Not under Labour in Ireland, it would seem.