Tag: Data Protection

The new Revenue data protection regime in the Finance Bill 2011

The Finance Bill 2011 seems to have become the key to Ireland’s salvation and our parliamentarians fear allowing democracy to run its course without first passing it.

When the Green Party withdrew from Government yesterday, Eamon Ryan suggested that a scaled-down bill could be passed quickly and that the balance of the provisions could be enacted by the next government. This seems a strange proposition and one might wonder why the next government couldn’t just do the whole job.

Nevertheless, the opposition have taken up that argument with Leo Varadkar memorably suggesting this morning that a “bikini bill” be passed: one which covers the bare essentials. Minister for Finance Brian Lenihan has difficulties with this, as some of the new provisions in the published bill address anti-avoidance measures and their publication has advertised opportunities to exploit tax loopholes. If they are not closed quickly, he argues, further taxes will be lost.

The list of items in the Bill published by the Department of Finance helpfully categorises them as measures which were announced in Budget 2011 and those which are new in the Bill. These type of provisions are often housekeeping and do not address strictly budgetary matters. One which caught my eye is that concerning taxpayer confidentiality.

Section 73 of the Bill would insert a new section 851A to the Taxes Consolidation Act 1997 to provide that taxpayer information held by the Revenue Commissioners is confidential and may only be disclosed in certain circumstances. The Department explains that this

addresses the current lack of a specific tax-related provision governing the confidentiality of taxpayer information provided to Revenue.

An offence of knowingly providing confidential information is included and can be punished by a fine of up to €10,000.

This section is surprising in light of the fact that the data security breach aspects of the Data Protection Acts 1988 and 2003 are currently under review. Indeed, the statement that it “addresses the current lack of a specific tax-related provision governing … confidentiality” suggests that the extensive provisions of the Data Protection Acts are insufficient. The proposition that these insufficiencies could be remedied by a single section in the Taxes Consolidation Act 1997 is implausible.

In 2009, the Data Protection Commissioner undertook a detailed audit of the Revenue Commissioners and the results were generally positive.

The Inspection Team considered that there exists a very high organisational awareness of data protection principles in Revenue. In particular, the presence of a dedicated Data Protection Unit, with designated contact points in the event of any issues arising was considered by the Team to be a very appropriate structure for a public sector entity in possession of high volumes of personal data. There is very clear evidence that a detailed approach has been taken by Revenue to identifying and setting out, via policy documents etc, its responsibilities under data protection legislation. This thorough approach is to be welcomed.

The Commissioner made a number of compliance recommendations and recommend that Revenue undertake a privacy impact assessment of any proposal to extend its investigative powers. Given that the report was overwhelmingly positive it is unclear where the impetus for section 73 lies (though TJ McIntyre speculates that it may have something to do with recent alleged wrongdoing by Revenue officials, uncovered by internal audits).

There are a number of aspects of the Data Protection Acts that could benefit from reform; not least the fact that the Acts do not provide for a straightforward offence of breaching data security, as is now proposed for Revenue data. Rather, it is an offence:

  • to ignore a notice issued by the Data Protection Commissioner in respect of personal data;
  • for a data processor to disclose personal data without the authority of the relevant data controller;
  • to gain access to personal data held by a data controller and to disclose it to another person.

This last offence does not apply to an employee of the data controller and so section 73 would seem to catch Revenue employees where the Data Protection Acts would not. However, the penalties in the Data Protection Acts reach a maximum of €100,000, in contrast with the €10,000 maximum fine envisaged in the Finance Bill. In the UK, the maximum fine is £500,000.

The Data Protection Acts are lacking in enforcement teeth to deal with willful data security breaches. Instead, they provide for a system of co-operation and escalated engagement with data controllers. Nevertheless, the decision of the Department of Finance to go it alone on this issue is disappointing and section 73 of the Finance Bill once again fragments Irish law on a particular area rather than seeking to improve the general law that applies to everyone.

If citizens deserve to have such a protection in place in respect of Revenue data, why not health or employment data?

  • Update: It was reported today (25/01/11) that a Donegal civil servant allegedly accessed personal data at the Department of Social Protection in Letterkenny and passed that data to a private investigator who subsequently sold it to insurance companies. This is precisely the type of data security breach that section 73 is aimed at, but section 73 will be limited to the Revenue Commissioners and so will not cover the Department of Social Protection. As I asked yesterday, if a protection like section 73 is necessary for Revenue data, why not for other data?

TJ McIntyre looks at some other IT law aspects of the Finance Bill here and here. From a practical perspective, it is also noteworthy that the Bill (section 75) proposes to allow payment of taxes by credit card. While this may facilitate the Revenue Commissioners, it would not appear to be a prudent move for indebted taxpayers who might avail of the facility.

Strike One?

This week’s big intellectual property news was the judgment of Mr. Justice Charleton in EMI & ors v. UPC. The case was the latest plank in the record industry‘s campaign to force the introduction of a graduated response to online copyright infringement.

Charleton J’s judgment is long and there is a lot to get through.  I haven’t had the opportunity to read the judgement fully but a few highlights already stand out:

  • Evidence was adduced by the plaintiffs to justify claims that many thousands of tracks are illegally downloaded. Justin Mason looks at some of those claims and finds that, by the same logic, an album he invented on the spot has been downloaded 24,752 times. This evidence, which appears to be highly flawed, has already been represented as fact in the Seanad.
  • In 2009 Charleton J granted an order requiring eircom to block access to The Pirate Bay. As noted by TJ McIntyre at the time, the judgment was of limited value as it was not opposed by eircom and was delivered ex tempore. Simon McGarr points out that Charleton J now finds he was incorrect in granting that order. According to his latest judgment:

I regret that my previous judgement in the matter was wrong. The legislative basis enabling me to act in that way does not exist in Irish law as it exists in other European jurisdictions.

  • If eircom had contested that order, Charleton J may have been in a position to reach the decision now indicated in the UPC judgement. It’s an important point, as he also gave judgment clearing data protection concerns raised by the Data Protection Commissioner in relation to the graduated response settlement. That case was similarly unopposed and the Commissioner did not appear due to cost concerns.
  • Charleton J has repeatedly characterised online copyright infringement as theft and anyone engaged in downloading files in breach of copyright to be in the criminal sphere. Eoin O Dell draws attention to interesting posts on the question of whether or not copyright infringement is theft.

Why people care about The Record Industry v. The Customer

Cory Doctorow makes some good points on the use and abuse of copyright law, in response to some pretty churlish criticism recently directed his way. I particularly liked this:

… I don’t care if you want to attempt to stop people from copying your work over the internet, or if you plan on building a business around this idea. I mean, it sounds daft to me, but I’ve been surprised before.

But here’s what I do care about. I care if your plan involves using “digital rights management” technologies that prohibit people from opening up and improving their own property; if your plan requires that online services censor their user submissions; if your plan involves disconnecting whole families from the internet because they are accused of infringement; if your plan involves bulk surveillance of the internet to catch infringers, if your plan requires extraordinarily complex legislation to be shoved through parliament without democratic debate; if your plan prohibits me from keeping online videos of my personal life private because you won’t be able to catch infringers if you can’t spy on every video.

Via Adrian Weckler.

If you didn’t friend the Department of Social Protection, one of your “friends” snitched

The stories about the Department of Social Protection’s use of Facebook to detect fraud raised more questions than they answered.Someone talked! So, I requested details from the Department of its use of social networking.

Here’s the relevant part of the response:

Social networking sites, such as Facebook, are not a systematic part of the Department’s on-going targeted fraud and error control activities.

Circumstances, however, may give rise to a member of staff examining publicly available information on the internet, for example following receipt of a report from a member of the public making reference to relevant information on social networking sites.

Information from such sources is not used as evidence to terminate a claim in payment but may result in a review of entitlement by the Department.

On a point of information, at the end of August 2010 (latest figures available)

  • over 7,200 anonymous reports were made to the Department’s Central Control Division. (Reports are also made directly to scheme areas and public offices which are not included in that figure).
  • 500,000 reviews approx. were completed by the Department. Investigations which refer to social networking sites would be negligible in an overall context.

As only information which is publicly available on social networking sites is accessed in such investigations, the cooperation of the operators of such sites is not needed. The Department has not accessed, or sought to access, information on social networking sites which is not available to the public at large.

The above doesn’t necessarily get the Department around the requirements of the Data Protection Acts and it is not clear what the Department does with data submitted to it by members of the public which is not publicly available online.

Did you friend the Department of Social Protection?

Over on the Irish Computer Society’s data protection blog yesterday, Daragh O’Brien wrote about the news that the Department of Social Protection is monitoring Facebook when investigating suspected welfare fraud.

Daragh discusses the data protection principle of fair obtaining in this context. He notes section 8(b) of the Data Protection Acts 1988 and 2003, which suspend the restrictions in the Acts for the purposes of the investigation or prosecution of offences and in the case of collecting or assessing monies due to the State. However, the section 8(b) exemption only applies where processing of personal data (which would include getting it from Facebook) is required for the purposes of investigation, etc. The provision is, as yet, untested, but the wording certainly suggests that it is not open to the Department to process personal data obtained from Facebook merely as an aid to investigation.

© Brian Solis
After all, this guy doesn't believe in privacy.

This morning, the Irish Independent followed up on the story with surprising statements from Facebook itself, primarily that:

“Facebook protects people’s right to privacy but in the same way officials investigating a case can access post office details or phone records, accessing Facebook profiles would be the same kind of thing,” a spokesman said.

It comes as a surprise to me* that the Department could access post office details (and: what are those details?) and phone records without a court order or the consent of the data subject, but Facebook apparently believes this is the done thing. It’s an important point because Facebook’s privacy policy purports to allow the company to hand over your information.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards.

It is not known from the news reports whether Facebook has facilitated the Department of Social Protection or handed over information or access to profiles to the Department. If not, it is difficult to see how the Department has accessed any meaningful information from the site, unless it has taken advantage of data which has inadvertently been made public or, alternatively, if the Department has obtained the data by deception.

From the comments made by Facebook to the Irish media, it appears that Facebook has an off-hand attitude to the specifics of Irish law on this point and its privacy policy suggests that the company will err on the side of caution in assisting a State agency. It won’t surprise many that Facebook might not rush to defend your privacy.

The incident is certainly worthy of investigation by the Data Protection Commissioner.

* I’m not an expert on the Social Welfare Acts and they are labyrinthine, but anyone with more knowledge on the powers of the Department in this area might comment below. I understand certain information can be shared by some State agencies for the purposes of making a decision on whether to provide social welfare or grants, but I don’t believe that extends to investigations by the Department.

Rage against the machine

The march of the machines is irresistible, with technology providing a range of opportunities for businesses to reduce the need for human input. There is a legal limit to such progress, but how many people know about it?

Section 6B of the Data Protection Acts 1988 and 2003 provides:

a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct

Photo licensed under Creative Commons Attribution-Share Alike 3.0 Unported license.
Four musicians invoke section 6B against the machine.

There are, as ever, exceptions to the ban, the most straightforward being consent. I have yet to see a set of terms and conditions containing such consent.

The widest exception concerns decisions made for the purposes of considering whether to contract with the data subject or in the course of performing such a contract. A further exception may arise where automatic decision making is required or authorised by law.

The contractual exception appears to strip the ban of much of its force. However, any exception to the ban on automated decision making only applies if the request for the entering into or the performance of the contract is granted or if there are suitable measures to safeguard the subject’s legitimate interests.  Therefore, if the result of an automated decision is to not grant what the data subject requested, that decision will have to be reviewed by a human being.

A glaring question remains: what happens when section 6B is breached? As is often the case with data protection law in Ireland, the answer is unknown but it is likely that some enforcement proceeding might be engaged in by the Data Protection Commissioner.

PS.

  1. Section 6B, which implements into Irish law Article 15 of the EU Data Protection Directive, appears to be ambiguously drafted (due to poor formatting), arguably making the contractual exemption wider than intended. I have, however, gone with the intention of the Directive on this point.
  2. The real Rage Against the Machine.

Transfers of EU citizens’ data to Israel

[Update: The European Commission decided on 31 January 2011 that the State of Israel is considered as providing an adequate level of protection for personal data. This permits data transfers in relation to automated processing only and excludes the exchange of data for national security purposes. It is mostly relevant to intra-company transfers; for example where an EU multinational has a place of business in Israel which might provide back-office services to the EU parent (eg. payroll processing or CRM).]

The Irish media yesterday gave prominence to the unexpected decision of the European Commission to halt a procedure under which Israeli data protection law would be recognised in the European Union. The Irish Times and RTÉ news reports on Thursday evening both opened with almost the exact same sentence:

The European Commission has halted a proposal to allow Israel access to potentially sensitive data on European Union citizens following concerns expressed by the Irish Government.

To me, this sentence suggests that the Israeli government would somehow have access to personal data about EU citizens. This is not the case. The proposal would merely have simplified cross-border transfers of personal data which can and do already occur. The failure of the Commission to approve Israel does not mean that such transfers cannot take place, only that they require extra paperwork.

It’s a technical legal issue, but one which has been simplified to a disappointingly misleading extent. (Today’s print report from the Times was a little more accurate.)

The use of bogus Irish passports by assassins and the suggestion that a stash of personal data was en route to Israel, but for the efforts of Dermot Ahern, makes for an exciting story. Unfortunately, reality is more mundane.

© Life Magazine
Israel: All your base are belong to us?

Transfers abroad

The Data Protection Directive imposes obligations on data controllers (holders) and data processors (users) of personal data. The Directive is implemented in Irish law by the Data Protection Acts 1988 and 2003, section 11 of which provides:

The transfer of personal data by a data controller to a country or territory outside the European Economic Area may not take place unless that country or territory ensures an adequate level of protection for the privacy and the fundamental rights and freedoms of data subjects in relation to the processing of personal data …

The question of whether or not a country ensures an adequate level of protection for privacy and fundamental rights is primarily determined by the European Commission, which can approve countries for that purpose. The Commission has approved Switzerland, Canada, Argentina, Guernsey and the Isle of Man. The Commission has also approved certain transfers to the US, once they fall under the Department of Commerce Safe harbor Privacy Principles or the Bureau of Customs and Border Protection Air Passenger Name Record system.

So, the default position is that personal data cannot be transferred from the EU to an unapproved country. However, this is not an absolute prohibition on such transfers: section 11(4) of the DPA provides that the restriction does not apply in certain circumstances, which can be summarised as follows:

  • if the transfer required or authorised by law;
  • if the data subject has consented to the transfer;
  • if the transfer is necessary for contractual reasons in the interests of the data subject;
  • if the transfer is necessary for reasons of substantial public interest;
  • if the transfer is necessary for the purposes of obtaining legal advice;
  • if the transfer is necessary in order to prevent injury or other damage to the health or property of the data subject;
  • if the transfer is of part only of personal data on a public register;
  • if the transfer has been authorised by the Data Protection Commissioner; or
  • the transfer is made on terms of a kind approved by the Commissioner.

This represents a variety of ways in which the section 11 prohibition on transfers abroad can be worked around, though guidance on using these exemptions means that they are not as wide as they may seem at first.

Nevertheless, these exemptions are frequently used to facilitate cross-border data transfers. The most common examples of such transfers are those between group subsidiaries or transfers to service providers, usually for back-office services (finance, customer support, etc).

The most frequently used exemptions to section 11 are data subject consent, contractual necessity and transfers on terms approved by the Commissioner. This latter category involves the use of European Commission-approved model contracts which must be entered into by the transferor and transferee, or the use of binding corporate rules in the case of multinationals. These pass through EU data protection standards and obligations to the recipient of the data transfer.

The Israel incident

The European Commission websites do not appear to have any details of the recent developments in relation to Israel, but it is assumed that the proposal before the European Commission was to approve Israel as a country which ensures an adequate level of protection for privacy and fundamental rights.

If approval had gone through (and it seems that it may yet), transfers of personal data could have been made to Israel from the EEA without having to put in place additional measures like data subject consent or inter-party contracts. However, the transferor would still be subject to domestic data protection legislation and an Irish transferor would, for example, still be liable to data subjects.

The proposal would not have given anyone, as of right, access to the personal data of EU citizens. Neither does the failure of the proposal prevent the transfer of such data from the EEA to Israel: such transfers will just have to continue to operate under the exemptions listed above.

A known unknown in eircom’s “three strikes” system

Adrian Weckler has published a copy of the intended notification to be issued by eircom to its customers when accused of unlawful filesharing by the Irish recording industry (represented by IRMA). It is, as warning letters go, extremely polite.

I mentioned last month that this “three strikes” system agreed between IRMA and eircom was approved by the High Court (for data protection purposes) on the basis that IRMA would not know “that the infringer is a particular person living in a particular place in Ireland”. In fact, Charleton J. said that all IRMA will “know is that a particular IP address has been involved in the downloading.” However, it appears that DtecNet, who will collect IP addresses for IRMA, has the capability to collect more information than just IP addresses. Whether such capabilites are to be used as part of the IRMA/eircom system is not known.

My suspicions were raised by eircom’s statement on their website that IRMA will send notifications to eircom “containing among other things the IP addresses of individuals”. Such suspicions could be unfounded; for example, IRMA might be sending eircom a list of shared files along with the IP addresses and that information might not be personal data.

However, the template letter reproduced by Adrian says:

Some of the details of the notification supplied by IRMA are set out below …

Is it not strange that eircom repeatedly notes that IRMA will be supplying them with more details than are apparently necessary for the purposes of the three strikes system.

What are those details?

Details of eircom’s 3-strikes system, but who will know what?

The graduated response system to tackle unlawful filesharing online, agreed as part of an out-of-court settlement between the Irish recording industry and eircom, was approved by the Irish High Court last month. Mr. Justice Charleton’s judgment concluded that the “parties can … lawfully proceed to implement the settlement”, though his judgment relates only to the specific question of compatibility with the Data Protection Acts 1988 and 2003.

© Time Magazine
Strike 1 to the record industry

eircom has now implemented the graduated response system on a pilot basis and details are available on its website. The FAQs say that IRMA will supply eircom with IP addresses which eircom will match to its customers, who will then receive warnings about alleged unlawful downloading. If warnings are ignored, service may be suspended for 7 days and the customer will not be charged for those 7 days of lost service. On a subsequent alleged infringement, service will be withdrawn for 12 months. If a customer disputes an allegation that their service has been used for unlawful downloading, they can appeal to the eircom, who “will consider all customer appeals on a case by case basis.”

The concerns about graduated response primarily arise out of disconnection on the basis of complaint, rather than court order, and that the sanction affects an entire household, rather than the individual alleged infringer. The latter point has gathered steam as the internet has taken on utility status. IRMA’s attitude to this is clear:

The European Parliament has been talking about internet access as a basic human right. It absolutely is not.

Dick Doyle, IRMA Director General

eircom emphasises that customer data will not be shared by eircom with any other party.

Under no circumstances will eircom be handing over customer details to any third party.

It is also stated that eircom won’t monitor network usage and that “[t]here are strict privacy laws that prohibit eircom from monitoring the online activities of individual customers.” Monitoring will be done by DtecNet on behalf of IRMA.

However, in the overview, eircom states:

IRMA will send eircom notifications containing among other things the IP addresses of individuals they have detected as engaging in illegal file sharing in breach of copyright.

One wonders what those “other things” might be. Charleton J. said:

Neither DtecNet, or any similar service of detection, nor any of the plaintiffs whose copyright material is being infringed would ever know through this process that the infringer is a particular person living in a particular place in Ireland. What they do know is that a particular IP address has been involved in the downloading.

However, DtecNet’s website states:

DtecNet’s solutions will automatically secure evidence against the infringer(s) and generate Cease & Desist letters that can be sent to the infringer(s) asking for immediate removal of the content.

This is a capability of their systems, not a detail of the IRMA/eircom agreement. But nevertheless, it appears that IRMA may be capable of gathering more than just IP addresses of alleged infringers. eircom might not share customer data with any other party, but it is not clear what data will be shared with it.

Blawg Review #264

Today is National Famine Commemoration Day, which marks the Great Famine in Ireland. It is more a day of sombre reflection than celebration, but forms the hook on which I hang this: my first time hosting Blawg Review.

Ed in Toronto's Ireland Park
The ever-dedicated Blawg Review editor marked the day with a visit to Toronto's Ireland Park

The Great Famine looms large in Irish history. It remains an issue, evidenced by the report in today’s Irish Times that there were “raised eyebrows at the absence of any representative from the British embassy” at a commemoration ceremony. Recently, controversy also erupted over plans to hold an auction of Famine artefacts. The collection to be auctioned appears to have survived thanks to the document retention policies of Irish lawyers.

The collection was held by Stewart and Kincaid, a Dublin law firm that acted on behalf of landlords in the 1840s. Thousands of letters were sent to the law firm by rent collectors and sub-landlords explaining why their tenants had not paid, and by clergymen asking for compassion to be shown to starving parishioners. The documents were stored at another Dublin law firm until a decade ago when it is said they decided to throw them out as they were not relevant to the business.

The auction takes place tomorrow and while there are demands that the Irish government purchase the collection, the State’s current financial position suggests the papers might be more likely to cross the Atlantic.

Silver screen law

While Hollywood has occasionally concerned itself with the bellicose aspects of Irish history, there has been little dramatisation of the Great Famine. There is, however, Death or Canada, a docudrama which aims to tell “the compelling tale of how in 1847, the British Colony of Canada gave refuge to tens of thousands of Irish famine victims, who in turn were responsible for the building of North America as we know it today.” I missed it when it was broadcast on RTÉ but, having viewed the website, the IP lawyer in me can’t help but wonder if the logo used constitutes a State emblem and, if so, whether government consent was sought for its use.

On the topic of intellectual property and the movies, it seems that Iron Man 2 is “the most expensive movie ever made about an intellectual property dispute.” Maxwell Kennerly argues that the armoured suit at issue is not patented, but rather the subject of a trade secret. Unfortunately, I can’t read either post as I have yet to see the film and don’t want to prejudge the dispute.

Constitutional moments

Here in Ireland, there currently appears great interest (at least in media circles) in new constitutions and Second Republics. The debated deficiencies in the Irish constitution make an interesting contrast with that of the UK, which is thought to have worked well in producing a government from the “hung parliament” that the British electorate returned.

Fiona de Londras argues that calls for a new Irish constitution are misguided and that, really, what we need is greater awareness of the 1937 Constitution, along with amendments to it.

Instead of ushering in a ‘new republic’ or ‘renewed republic’ by means of a new Constitution, we ought, I [say], to try to re-imagine our relationship with the State and to become more deeply engaged with the Constitution that we have.

However, Ferdinand Von Prondzynski disagrees and sees our constitution as being tainted by:

undercurrents of 1930s fascism, or at any rate the Mediterranean version of it as found in Salazar’s Portugal with state-sponsored corporatism; the particular ethos of the Roman Catholic church at the time (which was anything but progressive or liberal); the kind of rural idyll for what de Valera called a ‘frugal society’; and a view of women that saw them as homemakers subservient to the male population.

The UK doesn’t have a written constitution, but constitutional and rights-related issues are equally topical in that jurisdiction since the Conservative/Liberal Democrat government announced its coalition agreement. Charon QC says that the British “system of law and justice is creaking, underfunded, under developed and is not really meeting the needs of all in society”, but that the new coalition government has not got off to a bad start, with their programme for government including many law reform elements, such as a “freedom bill”. Henry Porter is more forthright:

One of the great pleasures of last week was hearing Jack Straw speaking on the Today programme in that patient, reasonable way of the true autocrat, and suddenly realising that I never have to pay attention to him again. Nor for a very long time will I have to listen to Mandelson, Campbell, Clarke, Smith, Reid, Falconer, Blunkett, Woolas or Blears: they’re history and the New Labour project to extend state control into so many areas of our lives is incontestably over.

The coalition results from what they refer to as a “hung parliament” in the UK. This is the default arrangement in Irish politics, where coalitions are an established and often unfortunate part of governance. Now that the UK is flirting with European-style coalition government, it might also consider the introduction of a written constitution.

Of course, written constitutions do not necessarily result in fewer troubles: the unresolved issues of blasphemy and abortion in the Irish Constitution receive attention from Eoin O’Dell and Brook Elliott-Buettner, respectively.

Quis custodiet?

The Guardian has launched a new legal section including an already-excellent selection of blog posts from its Guardian Legal Network. It has devoted a good deal of attention to a big US story combining law and politics: President Obama’s nominee for a vacant Supreme Court seat. It is unfortunate that the sexuality of the nominee is an issue but, more so, it is quite bizarre that a photograph of the young Elena Kagan appears to have sparked such speculation.

Elena Kagan
The face that launched a thousand blawg posts

The incident, which has shades of The Contender, highlights to Irish eyes the level of scrutiny, professional and political, which surrounds judicial appointments in the US. The highly politicised appointment process may be alien to Irish lawyers, but there is something impressive about the fanatical examination of a nominee’s record on particular legal issues.

Our judicial appointments system is superficially independent but remains political and although the process is far less politicised than in the US, it is still “shrouded in mystery“. Edward McGarr discusses one of the long-running issues in the Irish judiciary: the lack of independent oversight. It seems a judicial council might finally be on the way, but:

What complaints will it receive? Possibly not all it should.

Though I don’t hold such lofty aspirations as a seat on the Irish Supreme Court, I am glad to know that, should the opportunity ever present itself, my humble undergraduate results are unlikely to be pored over by the blawggers at the Wall Street Journal, of whom Jess Bravin informs us that Kagan got her worst grade, a B- in torts.

She did marginally better in Criminal Law, with a B, and managed a B+ in Administrative Law. For the rest, it was all A or A-, except for passing ungraded courses in Accounting and Copyright.

A tenuous Irish theme got me the job of hosting this Blawg Review, so, given my Limerick location, I can hardly miss the opportunity to throw in another such theme by reproducing Madeleine Begun Kane‘s Kagan limerick.

Obama’s What???

“Obama’s Katrina,” they say.
“Obama’s H. Miers,” they pray.
To the wingnuts give thanks
For reminding the ranks
Of the many ways Bush went astray.

The future is … ?

The rather terrifying way in which we may be sleepwalking into a potential dystopian future was highlighted by two issues covered in blawgs this week: Facebook’s privacy practices and the rise of “personal genomics”.

David Post, in response to an op/ed in the New York Times by Bernard Kouchner entitled “The battle for the internet”, writes that

the Net is an astonishing achievement with the potential, only partly but tantalizingly realized to date, to become a true milestone in the history of human communication and a possibly unstoppable force for the spread of liberty and freedom around the globe.

He says that the internet is “under siege” and that work must be done to keep it open. He differs, however, with Kouchner as to what the threats to the internet are. It is clear that, like Google, Facebook now intends to become “the internet” for many of its users and as ever, the threat may come from governments and large corporations rather than extremist groups.

The manner in which it changes privacy policies and settings has come under fire and the EU’s Article 29 Working Group (Brussels-speak for the European group of privacy regulators) says that these changes are unacceptable. However, Benn Parr argues that protecting privacy is up to users, not Facebook; though he does agree that the changes should have been better communicated. He is surprised that the media has “pile[d] up” on Facebook over the privacy issue, but surely such pressure merely reflects the fact that the site has gained such critical mass that, like Google, it has become the establishment and must expect such critiques.

(By the way, like everything these days, the Irish National Famine Memorial Day has a Facebook page.)

Google’s CEO, Eric Schmidt, famously said:

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place.

Which sounds suspiciously like the “innocent have nothing to fear” defence, excellently filleted by Eoin O’Dell.

Businesses scared of the internet might be tempted to shut down access to social media sites like Facebook, but David Donoghue gives some advice to them about adopting a realistic social media policy. This may be of interest to Irish journalists, who recently underwent a period of public introspection when the unconfirmed death of one of the country’s most popular radio presenters became the subject of twitgossip (twossip?). The controversy resulted in plans to introduce a social media policy in the country’s largest broadcaster.

While the online sphere is increasingly regulated by private enterprise, it is refreshing to see this creative workers’ rights protest, staged in the lobby of a hotel, proceed without being shut down or silenced by the hotel’s management (though one expects they were taken by surprise by this all-singing-all-dancing troupe of protestors) (from Waging Nonviolence).

21st Century privacy concerns won’t be online-only: Dan Vorhaus outlines recent developments in direct-to-consumer genetic testing and asks whether regulation is on the way. He says that the debate has long existed as to whether “individuals are capable of handling their own genetic information” and concludes:

Tests once predominantly available only to early adopters capable of seeking them out online will now begin to appear on the shelves of thousands of neighborhood drugstores nationwide. To a greater degree than ever before, genetic testing will soon be available to mainstream America (and subject to the impulse buy). And that, for better or for worse, may be all that it takes to convince some regulators that the time for action is finally at hand.

As with Facebook, there is a gap between theory and reality, between policy and consumer action. These products, whether they be Facebook’s instant personalisation service or chemist shop genetic tests, are flooding the market. Thought as to how they should be regulated struggles to keep up. Meanwhile, Ted Hennessy discusses the scarily-titled Genetic Information Non-Discrimination Act 2008 in the context of employment law. On this side of the pond, we similarly regulate the use of genetic data, but have tucked such regulation away in less exciting secondary legislation.

Of course, genetic discrimination is merely a veiled, sophisticated form of old-fashioned discrimination, in relation to which Bill Egnor makes some very good points as he notes the difference between immigrants of colour in the US and Irish illegals, who might pass below the radar.

It is the obvious problem with uneven enforcement that makes this law so pernicious. Who does an immigrant look like?

Such double standards are not unknown in Ireland, where Eastern European and non-European immigrants are called “non nationals”, but English, French, American and German residents are referred to by their nationality. And here, of course, Irish immigrants in the US are known as “undocumented“.

IFSC Famine Memorial
Still undocumented?

Blawg Review has information about next week’s host, and instructions how to get your blawg posts reviewed in upcoming issues.