Tag: european union

DPC finds DEASP has been unlawfully processing child benefit data

Since 2008 the Department of Employment Affairs and Social Protection (DEASP) has issued child benefit beneficiaries with “eligibility certificates” which are, in fact, forms demanding personal information about the children involved in order to prove that they are still entitled to receive payments. The certificates are part of the Department’s “control measures”, aimed at ensuring fraudulent claims for social welfare payments are detected and that payments are not being continued for people who are no longer eligible, for one reason or other.

Such control measures might, under certain circumstances, be an appropriate and prudent measure to detect fraud and ensure that taxpayer funds are correctly distributed. I was consulted, however, by a client who had been receiving these forms repeatedly for a number of years, despite no change in circumstances. (Note: my client is satisfied that non-identifying elements of this case are disclosed.)

The forms demanded that that the client provide the following information:

For each of your children aged between 5 and 18 years, please insert details overleaf of the school or college they attend including full school name, address and phone number of the school.
For children under 5 years old, please insert details overleaf of the doctor they attend or details of the playschool/créche they attend if applicable.

Initially, my client returned the forms. When they continued to arrive on an annual basis, my client wondered how the provision of this information was necessary, what it proved to DEASP and what they might do with the information to confirm entitlements. My client wondered whether this was an excessive request for personal information about children and whether DEASP was entitled to request it. The information provided in the forms sent by DEASP did not provide answers to any of these questions.

On querying this DEASP relied on various provisions of the Social Welfare Acts that regulate child benefit payments and in particular a provision that states that the Minister can require information to be furnished by a beneficiary where the Minister forms the opinion that the furnishing of that information would assist in deciding (among other things) whether a beneficiary is entitled to continue to receive child benefit.

My contention was that those provisions were not an adequate legal basis for the processing that was being carried out and that insufficient information was provided to beneficiaries about the use of the information obtained. DEASP did not accept this and so a complaint was made to the (then) Data Protection Commissioner. (This complaint was made, and dealt with, under the pre-GDPR rules established by the Data Protection Acts 1988 and 2003.)

Following a lengthy investigation and consideration of the complaint, the Commissioner has now issued a lengthy, detailed decision which finds:

DEASP’s stated rationale for processing the personal data involved is limited to a general description of policy objectives and control measures, and does not provide a detailed justification for the specific processing operations performed.
The forms issued by DEASP do not, of themselves, account for the necessity of the specific processing operations performed by the Department in this context.
The limited information supplied by DEASP regarding its processing is insufficient to conclude that such processing was necessary.
DEASP did not comply with the fairness principle because the Department selectively emphasised positive outcomes for child benefit recipients when describing the purposes of processing, which did not reflect the fact that the purpose of the processing was, to a substantial extent, the identification of persons who were no longer eligible to receive child benefit.
Because its information requests were mandatory and because of the types of information obtained, a significant duty of transparency fell on DEASP to explain the further processing which it intended to perform in relation to the information obtained.
DEASP should have provided at least information on its acknowledged “data-matching initiatives”, and specifically, information on the categories of personal data that may be processed in the course of data-matching initiatives, the purposes of processing for such data-matching and the identities of third party data controllers engaged in data-matching initiatives with DEASP.

The Commissioner notes the mandatory nature of the information requests and the fact that DEASP can suspend or terminate payments. In fact, DEASP repeatedly threatened to terminate my client’s payments and earlier this year, suddenly took the step of suspending the payments despite the fact that the Commissioner’s investigation was then at an advanced stage. Following objections, DEASP lifted the suspension pending the decision of the Commissioner.

The decision is very welcome and represents a significant challenge to the extensive and comprehensive data-gathering activities of DEASP and, indeed, other statutory bodies. It highlights the fact that the mere existence of a statutory provision or function is not sufficient to justify demands for personal data which go beyond that provision or which are not adequately explained or justified. While the decision concerns child benefit eligibility certificates in particular, it has relevance beyond those forms to many data-gathering activities of DEASP and other State bodies.

As mentioned, this is a pre-GDPR investigation and decision. The Commissioner did not refer to any intention to utilise the enforcement provisions in the pre-GDPR rules, but because DEASP continued to send out these forms and sent one to my client in 2019 (after the GDPR had come into force) that request for information by DEASP will now be considered by the (now) Commission under its GDPR complaint procedures. It is worth noting that the core data protection principles have not substantially changed, however, while the enforcement provisions have changed substantially.

Undisclosed advertorial in blogs and social media

It is commonly misconceived that blogging and social media are regulation-free publishing forums. In fact, most of the laws that apply to traditional publishers apply equally to blogs and, sometimes, social media posts. Particularly important is the prohibition on undisclosed paid promotion in editorial content, also known as “advertorial” or “surreptitious advertising”.

Readers will be familiar with advertorial content in printed publications: it is usually surrounded by a border that marks it apart from proper editorial content and is headed by phrases like “Commercial Feature” or “Advertisement”. Whatever method is used by the publisher to differentiate it from other content, it is usually clear that someone has paid for it to appear.

Marking such content apart is good, ethical editorial practice in the interests of consumer protection. The Advertising Standards Authority of Ireland code of standards requires this:

Advertisement promotions should be designed and presented in such a way that they can easily be distinguished from editorial material.

The ASAI is an industry-run, self regulatory body and can only impose sanctions on its own members. It is sometimes accused of being toothless but most major companies and advertisers tend to comply with its rulings. However, because it is an industry body not backed by legislation and which can impose sanctions on members only, it is commonly believed that there is no specific legal prohibition on this conduct. An article in the Irish Independent earlier this week said:

There are no strict guidelines for bloggers and influencers when featuring sponsored content, but according to the Advertising Standards Authority of Ireland, sponsored online content “must clearly state that the material is a marketing communication”.

This is not the case, failing to identify paid editorial content is a criminal offence.

The relevant law is section 55(1)(q) of the Consumer Protection Act 2007 which states that, among other practices, a trader shall not “use editorial content in the media to promote a product (if a trader has paid for that promotion) if it is not made clear that the promotion is a paid promotion”.

The Consumer Protection Act implements the European Union Unfair Commercial Practices Directive which categorises this type of advertising as conduct that “shall in all circumstances be regarded as unfair“. This means that it is “blacklisted”: no case-by-case assessment is necessary. (Surreptitious advertising on television is prohibited elsewhere by the Television Without Frontiers Directive.) It might not be sufficient to merely identify advertorial with a simple phrase or logo: the Hungarian Competition Authority found that editorial content which included a slogan “Sponsored by Vodafone” was not enough to identify the nature of the arrangement between the publisher and the advertiser.

The prohibtion applies to the “media”, which is not defined but it appears widely accepted that this includes blogs and even social media accounts. In the UK, for example, the then Office of Fair Trading carried out a targeted campaign some years ago requiring PR companies and celebrities to be transparent about their endorsements. The basis of this clamp down on undisclosed advertising was the UK equivalent of section 55 of the Consumer Protection Act.

The definition of “trader” in the Consumer Protection Act is wide enough to cover both the advertiser and the publisher/blogger and indeed some enforcement action in other Member States has been against both parties. In Ireland, the Competition and Consumer Protection Commission (formerly the National Consumer Agency) can prosecute breaches.

The penalties include a fine of up to €4,000 on summary conviction (or €60,000 on indictment) and/or jail. The Act provides for increased fines on subsequent conviction and daily fines if the conduct continues after conviction. The Irish courts tend not to impose significant fines for consumer law breaches of this nature and anyone prosecuted for such an offence in Ireland is likely to face a fine in the hundreds of euros if convicted or could benefit from an alternative to conviction (certainly for a first offence). Consumers can also bring an action for damages, though it might be difficult to establish loss.

It seems unlikely that the Commission will become active in this area unless it receives complaints. However, anyone can apply directly to the Circuit Court or the High Court for an order to stop someone who is in contravention of the prohibition, perhaps making private enforcement by competitors more likely than by the Commission.

Is the Law Society trying to regulate blogs?

Restrictive rules on advertising by solicitors contain important exemptions to protect the right of solicitors to comment on legal and other issues. Is the Law Society interpreting the rules in a way would restrict those exemptions and increase their oversight of comment by solicitors?

Advertising by solicitors is very tightly restricted by the law and regulated by the Law Society of Ireland. I have written about some of the restrictions before. Most of the rules regulate the tone of advertising; what might be termed “ambulance chasing” through advertising, for example, is not possible in Ireland. None of the UK-style personal injury ads you might see on daytime television are possible in Ireland. Even this, quite mild and professional, form of ad would most likely result in trouble for an Irish solicitor daring to upload it.

The Irish rules may or may not be a good way to regulate advertising by lawyers. They do, at the very least, clash with the demand that the professions be more competitive. But the rules do recognise a very important exemption: comment. Exemptions are included in the Solicitors Advertising Regulations that should ensure no overreach in their application that would regulate or prohibit genuine comment.

The Regulations only apply to an “advertisement”, defined as being almost any type of communication “which is intended to publicise or otherwise promote a solicitor in relation to the solicitor’s practice” but “excluding a communication which is primarily intended to give information on the law”. So, a communication must be both intended to promote a solicitor and not be primarily intended to give information on the law for the Regulations to apply.

This is quite a large exemption and obviously seeks to make a distinction between traditional advertising and, for example, news updates or comment. If a communication by a solicitor is primarily intended to give information on the law it is not an advertisement, is not governed by the extensive rules and restrictions contained in the Regulations and, importantly, is not subject to oversight by the Law Society. That oversight is significant: a breach of the Regulations is a disciplinary matter which can potentially have serious consequences for the solicitor involved.

One catch-all provision in the Regulations, for example, prohibits an advertisement which is likely to bring the solicitors’ profession into disrepute. It is quite difficult to know precisely what is covered by that prohibition (the Law Society does not publish decisions made under the Regulations) but it is quite easy to envisage an individual or organisation who dislikes a communication from someone who happens to be a solicitor making a complaint to the Society under this heading of the Regulations.

Last Friday the Law Society published a surprising practice note on advertising. The headine refers to legal advice columns, so you might think it applies only to regular pieces in local papers where readers send in questions, for example. It suggests that where the solicitor is paying to have the column appear or is simply reproducing the content, the exemption does not apply and the column might be an advertisement. This is fair enough: such a column should be identified as advertorial or a commercial feature by the publisher. In fact, paying for editorial content to appear in a newspaper without making it clear to readers that it is a paid feature is a criminal offence for all businesses, not just solicitors.

However, the practice note makes a number of significant leaps when interpreting the Regulations. It refers to an exemption “set down in regulation 12” and refers to the contents of regulation 12 as being a test. In fact, the exemption is contained in the definition of “advertisement” in regulation 2(a). Regulation 12(a) adds to or gives examples of the exemption, it does not limit it. Paragraphs (b) and (c) do limit the exemption by clarifying that the distribution of free legal books may, for example, constitute advertising even though the publication might be information on the law.

The danger in this practice note, which one must assume the Law Society will apply in interpreting the Regulations, is that it sets a far more restrictive scope to the comment exemption in the Regulations. The paid advice column is not a difficulty, but many solicitors now publish blogs, for example, and some pay to do so. Many solicitors have websites which may constitute advertising in their entirety or may include information on the law but either way are likely to be paid for by the solicitor.

Where an article does not satisfy this test, that is, if it has been paid for by or on behalf of the solicitor, or where it has enjoyed repeated publication, the article is subject to the regulations in the normal way.

I do not accept this. Rather, the article might be subject to the Regulations. This blog is published using WordPress.com who I pay for mapping a domain name to it. Is it a series of legal articles written by me where part of the space in which it is published is paid for by me? Possibly, depending on your view of domain name mapping to a free blogging platform and whether the former constitutes “space” in which the blog is published. Is it an advertisement? Certainly not. It is not intended to be and it constitutes information on the law.

Regulation 12 is not a “test” of whether or not a communication by a solicitor is commercial or non-commercial. The test is in the definition of “advertisement” itself. The practice note is, perhaps inadvertently, further evidence of how the the Regulations are out of date. These anachronistic advertising rules do not appropriately accommodate or regulate blogging, social media or other contemporary means of communication.

The Regulations are already the subject of infringement proceedings by the European Commission who allege that they breach the Services Directive, which required that Member States ease restrictions on advertising by professionals. Despite this, the Law Society has recently been publishing practice notes which reinforce the existing Regulations and present to solicitors an interpretation of them more restrictive than the Regulations themselves. Complete reform of the the Regulations is long overdue.

Be kind, rewind: the dangers of covert CCTV

Cameras are everywhere these days, but CCTV systems have been popular since well before the advent of camera phones. For the most part CCTV cameras are positioned in fixed, known locations such as public offices, shops or streets. A variety of covert cameras are available which have been used for many years to detect theft and fraud in particular. Any such use of covert recording should only be undertaken with caution, in specific circumstances and on the basis of advice.

@Limerick_Leader tomorrow: Covert cameras installed at local school. Teachers & parents not told about secret recordings. By @FintanYTWalsh

— Alan English (@AlanEnglish9) June 17, 2015

This week’s Limerick Leader carries a story of covert recording in the offices of a school. It appears from the report that the reason for covert recording was that sensitive files had gone missing from the school. The full circumstances of the case are not yet known. The use of covert CCTV systems raises one set of issues, the missing files another. Missing files indicates a security breach and while a loss of personal data (likely sensitive personal data) is not specifically governed in the Data Protection Acts 1988 and 2003 a duty of care arises and the Data Protection Commissioner has published a code of practice on dealing with such breaches.

In general terms, the main considerations in using CCTV systems are the individual’s constitutional right to privacy, the Data Protection Acts and employment law. The right to privacy is somewhat undefined as no specific privacy law has been enacted (a previous bill was abandoned). Data protection legislation does not specifically refer to recording equipment or CCTV but since cameras record images of individuals, the images themselves are personal data within the meaning of the Acts and the general rules therefore apply to them. It is crucial that the collection of personal data by recording images is justified. Security would be an obvious justification but the Data Protection Commissioner is very clear that security does not justify indiscriminate recording of employees, for example.

[U]sing a CCTV system to constantly monitor employees is highly intrusive and would need to be justified by reference to special circumstances. If the monitoring is for health and safety reasons, a data controller would need to demonstrate that the installation of CCTV was proportionate in addressing health and safety issues that had arisen prior to the installation of the system.

Cameras should not ordinarily be put in locations where occupants and visitors would have a reasonable expectation of privacy. Particular sensitivity might be required in a school, for example, which is obviously frequented by minors. In addition, the Acts require that people are provided with information about the data collected about them and who has collected it. In the context of CCTV, therefore, notices should be displayed indicating that recording is taking place, who is responsible for the recording and why it is being carried out.

Use for monitoring staff performance or conduct is not an obvious purpose and staff must be informed before any data are recorded for this purpose.

Of course, there are situations in which these rules will neither work nor be appropriate and the Acts do allow for this. Indeed, the collective EU grouping of data protection regulators accepts that employers may have to resort to covert recording in order to address fraudulent or criminal behaviour and that national laws may permit this. Employment law has long recognised that covert recording might sometimes be justified. But it is clear that specific consideration must be given on a case-by-case basis to the use of covert CCTV recording. Case studies of the Commissioner demonstrate the factors which must be borne in mind.

For data protection purposes, covert recording can be justified generally only with the involvement of the Gardaí. Covert recording may be justified in the case of criminal offences, but not for performance-related monitoring.

The use of recording mechanisms to obtain data without an individual’s knowledge is generally unlawful. Covert surveillance is normally only permitted on a case by case basis where the data are kept for the purposes of preventing, detecting or investigating offences, or apprehending or prosecuting offenders. This provision automatically implies that a written specific policy be put in place detailing the purpose, justification, procedure, measures and safeguards that will be implemented with the final objective being, an actual involvement of An Garda Síochána or other prosecution authorities for potential criminal investigation or civil legal proceedings being issued, arising as a consequence of an alleged committal of a criminal offence(s).

Where CCTV footage is recorded, whether covertly or not, obligations continue to govern its retention and access to it. It is common for operators of CCTV systems to refuse to provide copies of their recordings to anyone other than Gardaí. It should be noted that, because camera footage is the personal data of the people recorded on it, those people have a right of access to it under the Acts. Again the Commissioner is quite clear:

Where a data controller chooses to use technology to process personal data, such as a CCTV system to capture and record images of living individuals, they are obliged to shoulder the data protection obligations which the law places on them for such data processing. In the matter of access requests for CCTV footage, data controllers are obliged to comply fully with such requests. Claims by a data controller that they are unable to produce copies of footage or that stills cannot be produced from the footage are unacceptable excuses in the context of dealing with an access request. In short, where a data controller uses a CCTV system to process personal data, its takes on and is obliged to comply with all associated data protection obligations.

Tobacco packaging and intellectual property law

Photo by http://www.flickr.com/photos/sludgeulper/ — Misty water-colored memories, of the way we were

The Oireachtas is currently considering a draft law that would introduce mandatory “plain packaging” of tobacco products. Last week, the Law Society appeared before the Oireachtas Joint Committee on Health and Children to make a presentation opposing such a law. RTÉ’s Prime Time covered the issue on Monday evening.

From Irish Cancer Society — I’ve seen the future and it will be; I’ve seen the future and it works

A written submission was made by the Intellectual Property Law Committee of the Law Society in December 2013.

View this document on Scribd

Videos of the Law Society’s appearance before the Joint Committee appear at the end of this post.

A number of issues arise, both from the point of view of the proposed legislation itself and in relation to intellectual property rights. Australia has led the way in introducing a plain packaging law and its courts have upheld the measure. A case is underway under the World Trade Organisation dispute resolution system.

One of the main arguments, made both by the tobacco industry and the Law Society, against plain packaging is that such laws may breach international treaties on intellectual property. The Australians have already been down this road, so it is worth looking at their experience and commentary.

A detailed rejection of the argument that plain packaging laws contravene international (TRIPS and Paris Convention) obligations by Mark Davison (IP professor, Monash University):

no right of use exists under either Paris or TRIPS and … Article 20 of TRIPS has [a very limited role] in the context of the debate surrounding the legislation

Matthew Rimmer (Associate Professor in Intellectual Property at Australian National University), writing in the magazine of the World Intellectual Property Organization:

An important theme of the [Australian] ruling [which upheld their plain packaging law] concerned the nature and role of IP law. The judgments stressed that IP law is designed to serve public policy objectives – not merely the private interests of rights holders.

Following the introduction of the plain packaging law, Australia dropped a rank in the Global Intellectual Property Center International IP Index – from fourth place internationally, to fifth. That ranking has itself been criticised by IP experts. It is notable that, in the context of the Law Society fearing that a plain packaging law would damage our international standing, Ireland does not feature at all in the GIPC index. According to Mark Summerfield:

In a number of places the GIPC somewhat disingenuously neglects to mention that the restrictions are limited to tobacco products. For example, in its summary of key findings, under the heading ‘Moving Backwards’, it contends that ‘Australia’s plain packaging requirements severely limit the ability of trademark owners to exploit their rights, and send a chilling message to brand owners interested in selling in the Australian market’, as well as making a point of the fact that ‘[i]n 2013, five countries brought action against Australia in the WTO on the basis that the new law violates Australia’s WTO commitments.’

As far as the contribution to the index is concerned, Australia scores zero, out of a possible one point, in the category of ‘non-discrimination/non-restrictions on the use of brands in packaging of different products.’

That’s right, a total fail, on the basis of a restriction which applies to just one category of products, which is applied for the purpose of furthering public health policy!

The tobacco industry and the Law Society are also greatly concerned about counterfeiting. The Law Society submission stated:

plain packaging can only lead to an increase in counterfeit activity … The lack of distinguishing features on plain packaging will make it significantly easier to produce counterfeit tobacco products.

At the hearing of the Joint Committee, the Law Society effectively abandoned this point after representatives of An Garda Síochána and the Revenue Commissioners gave evidence that they did not expect to have to deal with an increase in counterfeiting activity on foot of a plain packaging law. According to Cancer Research UK, the argument does not hold water.

The least one can say is that the tobacco industry is very inconsistent in their main argument that plain packs will be easy to copy. On the one hand they claim that plain packs are easy to counterfeit, on the other they insist that counterfeiters already copy all paper-based material at short notice, even the most sophisticated tax stamps. The reality is that all packs are easy to counterfeit and that plain packaging will not make any difference.

An argument is also put forward that there is no evidence that a plain packaging law would be effective in reducing smoking. This argument is highlighted by the industry and the Law Society on the basis that, in the absence of such evidence, a plain packaging law may be unjustifiable and disproportionate. I am somewhat confused as to the points made in the written submissions and those made at the Joint Committee hearing regarding justifiability and proportionality and those elements appear to have been conflated in relation to intellectual property law and constitutional law. Nevertheless, the argument seems weak in an Irish context and at least in relation to the Constittuion, one Irish intellectual property expert has concluded that “on balance, plain packaging legislation is unlikely to be struck down on Irish constitutional property grounds”.

The tobacco industry commissioned its own research which, unsurprisingly, is inconclusive as to whether or not plain packaging laws have any effect on smoking rates. There appears to have been a reduction in smoking since the law was introduced in Australia, but the industry says that reduction in not statistically significant. Of course, the Australian law is still relatively new so the most that can be said is that it is too soon to say. Thankfully, the Australian media have fact-checked the industry’s claims. It certainly seems that the law has had an immediate impact:

Calls to the NSW Quitline increased by 78 per cent in the four weeks after the world-leading move in October 2012 before starting to taper off. “Our study demonstrates real behaviour change following the introduction of plain packaging,” said lead author University of Sydney Professor Jane Young. The response was more immediate and lasted longer than the 2006 introduction of graphic health warnings, said Prof Young, who is also scientific director at the Cancer Institute NSW.

Australia is the only country to have introduced a plain packaging law to date, and it has done so very recently. Therefore the evidence of the practical effects of such a law is not yet available and conclusions on the legal position of such a law remain to be tested. As things stand, it is clearly an area in which there is a significant level of debate and certainly very strong and convincing arguments against the position of the tobacco industry in relation to intellectual property law.

The Circle (a rare book review)

Sam Seaborn (or Aaron Sorkin) said it in 1999: “The next 20 years will be about privacy.” So it’s not surprising that serious authors will tackle the issue, as Dave Eggers has now done in The Circle.

The eponymous company in The Circle is quite obviously Google, or a successor to it. It dominates the internet and begins to dominate the world. Its name is apt, for the purposes of a book if not a real company: the Circle is closing in on us, one ring to rule them all, as it were.

Much discussion of the book has consisted of a misguided complaint that it lacks authenticity. Critics have made the absurd argument that because Eggers is not an insider it is not a valid portrayal. The complaint appears to be that he has not faithfully represented the internet, or Silicon Valley, as they exist (or are perceived to exist) today. This Wired review misses the point entirely.

In his desire to create a world where The Circle rules all, Eggers creates so many extremely unlikely or outright impossible scenarios that happen simply because he needs them to happen. As they stack up through the course of the book, it gets harder and harder to take it seriously even as satire until finally it becomes outright fantasy, with only a tenuous connection to reality as we know it.

It is true, to an extent, that some things happen because Eggers needs them to happen. Call it artistic licence or call it deus ex machina: an author is entitled to move a plot forward. Wired want a book about technology, which The Circle is not. Neither is it quite true that the book strays into the realm of fantasy; but even if it did, is that not a valid way of exploring the issues raised?

The Guardian, less obsessed with fidelity to the tech industry, struck the right note:

It’s not clear whether The Circle is intended as a satire of the present or a dystopian vision of the near future. Eggers’s writing is so fluent, his ventriloquism of tech-world dialect so light, his denouement so enjoyably inevitable that you forgive the thin characterisation and implausibility of what is really a clever concept novel.

The quality of the prose is not quite as the Guardian would have you believe and certainly does not match his earlier works. The Circle is patchy and clumsy in places (never in literature was a shark jumping pun more deserved). It is Crichtonesque and notably screenplay-friendly, but it fails to meet the standards set by either Crichton or Eggers himself. The Wall Street Journal sums it up well:

The Circle is not great literature. But it is a great warning—one that you’ll be hearing a lot more about.

The book is not interesting because of its prose or its authenticity: it is an allegorical tale, “a clever concept novel”. The allegory is not subtle and the tale is not particularly inventive, but nevertheless, even where the plot seems to overstretch, such as in the messianic monologues of The Wise Men, one does not have to go far to find similar statements and ideas already out there.

The Circle aims for “completion”, a state of complete “transparency” in society which effectively eliminates private spaces. Everyone has full access to everyone and everything else. That critics view this eventuality as being far fetched is astounding. For years now influential figures have formulated a philosophy of voluntarily limited privacy. In this profile of Mark Zuckerberg published by the New Yorker in 2010, a media and communications specialist at Microsoft Research outlined a key element of Zuckerberg’s views on privacy:

This is a philosophical battle. Zuckerberg thinks the world would be a better place—and more honest, you’ll hear that word over and over again—if people were more open and transparent.

In The Circle, it is as if Eggers has taken this quote and run with it. The book merely ties together a few strands that are already hanging out there today and develops them to a reasonably logical conclusion: how would people behave following a period of sustained erosion of privacy, cataloging of all information and aggressive privitisation or outsourcing of public services?

Zuckerberg, according to some, doesn’t believe in privacy. His response?

Zuckerberg defended the change — largely intended to keep up with the publicness of Twitter, saying that people’s notions of privacy were changing.

There are, generally, two primary ways the situation is currently viewed. In Zuckerberg’s articulation we have voluntarily modified our behaviour and our expectations of privacy. On the opposite end of the spectrum, as recently articulated by Eugene Kaspersky at the Dublin Web Summit, privacy can never be guaranteed online so you modify your behaviour accordingly. Either way there is grim inevitability.

“There is less and less privacy now. Fifty years ago, if governments and private companies were watching peoples every move there would have been huge protests,” he added.

A speaker at the same event pointed out that, despite the Snowden revelations, “nobody seems to care”, a view which arguably supports Zuckerberg’s vision of privacy.

In The Circle, the ability to modify behaviour and maintain privacy is challenged as the Circle closes in on everyone. Mercer, the totemic refusenik of the book, tries to live outside of the Circle and, in partly comic fashion, it closes in on him too.

Google’s long-stated aim has been to make the world, not just the internet, searchable. This can be achieved only by putting more information online and Google have been active in digitising libraries and cultural institutes to that end. Add in years of your emails and documents and they range of analyses they can perform are significant. The book addresses the issues raised by the digitisation of old information.

In Ireland, we are finally getting around to introducing a law on “spent convictions”. According to Remy Farrell SC:

as time passes the relevance of a person’s previous convictions diminishes to the point that they should be ignored.

Should a similar principle be said to exist in relation to information? Data protection law already requires that personal information should not be kept for longer than necessary; but how long is that? If you set up a Bebo account in 2005 which is now dormant but you have never deactivated it, at what point should there be an obligation on Bebo to shut it down and remove your photos from public view? At present, the European Union is preoccupied with “right to be forgotten” which, in The Circle, becomes the stated “right to disappear” of a high profile objector.

The Circle addresses, but does not fully confront, the manner in which the new global surveillance society is coming about: as a trade-off. You exchange your personal information for useful “free” services. You exchange your personal liberties for useful security services. The book presents the ultimate trade-off: what would you trade to stop child abduction?

Elements of The Circle that seem fanciful, such as politicians and individuals becoming “transparent” by voluntarily wearing webcams which broadcast at all times, seem less preposterous as technologies like Google Glass emerge. Adrian Weckler, reporting on the Web Summit, recently ran into Robert Scoble roaming the RDS wearing Google Glass. He mentioned, in jest, that you could not be sure if he was recording you or not.

Say cheese for @scobleizer's Google Glass specs. #WebSummit pic.twitter.com/xhlIYPNDZh

— Adrian Weckler (@adrianweckler) October 31, 2013

These technologies initially take off due to their “cool” factor. They gain critical mass and then the trade-off comes: why don’t you want to be transparent? What are you hiding? Eric Schmidt has already made outstanding statements:

If you have something that you don’t want anyone to know, maybe you shouldn’t be doing it in the first place, but if you really need that kind of privacy, the reality is that search engines including Google do retain this information for some time, and it’s important, for example that we are all subject in the United States to the Patriot Act. It is possible that that information could be made available to the authorities.

The “nothing to hide, nothing to fear” argument is Orwellian, oppressive, ridiculous and easily debunked. But it persists. Schmidt suggests privacy is some personal foible or luxury that you might unreasonably insist on, not a basic human right which, by the way, is enshrined in numerous laws.

An interesting aspect to corporate attitudes to privacy is the reaction of Google and others to the Snowden revelations. Google and Facebook believe you should be transparent, that you should put as much as your life online as possible and open that up to as many people as possible while also allowing them to analyse the information and your interactions with others. But when it is revealed that the NSA may be carrying out some analyses of their own by using backdoors to their systems, it’s a different matter.

“We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryption across more and more Google services and links, especially the links in the slide,” he said.

“We do not provide any government, including the US government, with access to our systems. We are outraged at the lengths to which the government seems to have gone to intercept data from our private fiber networks, and it underscores the need for urgent reform.”

So, Google’s chief legal officer says they don’t provide access to their systems. But just a few years ago, pre-Snowden, Google’s then-CEO warned that information retained by Google could be made available to the authorities. They want to ensure that your data is protected from others, but not themselves.

What is particularly confusing and contradictory about the current erosion of privacy is the extent to which corporate, institutional and governmental secrecy is on the rise. We are told to accept limits on our personal freedoms in exchange for security while also being told to accept limits on the transparency of organisations for the same reason. Glenn Greenwald is the cause célèbre:

I really urge everyone to take note of, and stand against, what I and others have written about for years, but which is becoming increasingly more threatening: namely, a sustained and unprecedented attack on press freedoms and the news gathering process in the US. That same menacing climate is now manifest in the UK as well, as evidenced by the truly stunning warnings issued this week by British Prime Minister David Cameron.

Attacking press freedom attacks the citizen’s ability, and right, to know what is going on. Transparency is for Us, it seems, but not for Them.

The Boston Globe’s review of The Circle begins:

When I finished reading Dave Eggers’s chilling and caustic novel, The Circle, I felt like disconnecting from all my online devices and retreating for a while into an unplugged world. I gather that’s what he had in mind.

I didn’t have that reaction. Rather, I was angry at the reaction of publications like Wired who so easily dismiss it. We have already sleepwalked into an era of eroded privacy and astounding information storage. It is not at all unlikely or impossible that the trend will continue. There have been a number of horrific privacy breaches over the past years that should make people question the extent to which they engage with online services or which might have led to changes in those services, but it hasn’t happened. Sometimes a work of fiction is needed to allow people to think about these issues outside of the dense worlds of tech and law.

The strange, hypocritical attitude of the Irish Government to copyright, the internet and citizens

[Updated, at end] The introduction yesterday of an amendment to the Copyright & Related Rights Acts has been in the works for a long time (posts here, here and here). The issue has generated quite a bit of heat on both sides and the Government would do well to observe that opponents to the law have not held a monopoly on intemperate comment.

The amendment was destined to be introduced by statutory instrument and the concerns of any critics were always going to be ignored but the attitude of Séan Sherlock, junior Minister for Research & Innovation, to the issue is strange and contradictory.

His announcement of the new law contains a significant dig at those who opposed the statutory instrument the Government has just introduced.

I urge all interested parties on all sides to come together and work in a constructive and realistic way to the benefit of all.

This is a boggling statement. Like any campaign there was a lunatic fringe that fired off ill-informed comments. But most opponents were relatively well organised and the Minister met with representatives of some of them (read Michele Neylon’s account here). So, at least some “sides” came together. The Stop Sopa Ireland campaign was up and running in a very short time and, unlike most campaigns of opposition, actually proposed alternative wording to the Minister.

A key paragraph in that alternative wording would have included an obligation on a court to carry out a balancing act when considering whether or not to grant an injunction to a copyright owner.

In considering an application for an injunction under this subsection, the court shall have due regard to the rights of any person likely to be affected by virtue of the grant of any such injunction (including the freedom to conduct business, the right to protection of personal data and the right to receive or impart information) and the court shall give such directions (including a direction requiring that persons likely to be affected be notified of the application) as the court considers appropriate in all of the circumstances.

It appears that Minister Sherlock considers such a proposal to be non-constructive and part of a campaign of setting the “dogs” on him. However, a few weeks ago the Minister bizarrely “welcomed” the decision of the European Court of Justice in Sabam v. Netlog with the following comment:

[T]his decision … reiterate[s] that, in the context of measures adopted to protect copyright holders, national authorities and courts must strike a fair balance between the protection of copyright and the protection of the fundamental rights of individuals who are affected by such measures …

I welcome today’s decision from the European Court of Justice. This will provide further clarity to Irish courts in adjudicating such matters.

What would also have provided clarity to Irish courts in adjudicating such matters is a clause like the one included in the alternative wording submitted to Minister Sherlock.

Instead, a bare-bones statutory instrument has been used to amend the Copyright & Related Rights Acts providing none of the clarity that the Minister otherwise appears to favour.

[Update 7 March 2012] A recent press release by Minister Sherlock’s party colleague, Phil Prendergast MEP demonstrates what appears to be quite a different attitude to citizen engagement with copyright reform.

Commenting on the referral of the Anti-Counterfeiting Trade Agreement to the Court of Justice of the European Union, Ms Prendergast says:

This extraordinary u-turn by the European Commission, who had up until now dismissed legitimate concerns, demonstrates that engaged citizens and civil society groups can have a decisive impact on politics, especially when fundamental freedoms are at stake.

Not under Labour in Ireland, it would seem.

Battle of the Bakers: Round 2 (and an interesting update re Round 1)

I had assumed that the McCambridge v. Brennan brown bread case was solely one of intellectual property infringement but the judgment of Mr Justice Peart, which has now been published, shows that there is more to it (an Irish Times report of the case is here).

Indeed, Peart J notes that McCambridge do not “have any proprietary rights as such over that type of re-sealable bag, its shape or indeed the shape and size of the loaf of bread inside.” The company itself accepted that it does have such proprietary rights, nor rights over the shape and colour or ingredients of the bread itself.

Notwithstanding that, Peart J agreed that the overall impression on consumers satisfied the conditions for passing off (a form of action used to protect unregistered intellectual property rights).

[I]t would take more care and attention that I believe it is reasonable to attribute to the average shopper for him or her not to avoid confusion between the two packages when observed on the shelf, especially when these are placed adjacently or even proximately so.

Peart J indicated that an injunction should be granted to prevent further passing off. However, the interesting element of the case comes next: he also considered whether McCambridge are entitled to an injunction under section 71 of the Consumer Protection Act 2007 on the basis that Brennans were engaging in a misleading commercial practice.

The Minister for Jobs, Enterprise & Innovation recently announced a planned overhaul of consumer legislation, arguably ignoring that the 2007 Act was supposed to be just that (I wrote about it here in April 2011). The 2007 Act was quite significant, but appears to have been barely used, particularly by the National Consumer Agency. Indeed, Peart J states that they held a watching brief in McCambridge v. Brennan but, strangely, adopted “a neutral position”.

(The failure of the Agency to adopt a position is reminiscent of the refusal of the Data Protection Commissioner to involve his office in the EMI v. eircom case. Ironically, he recently went on to order eircom to halt the three-strikes system which resulted from that case.)

Peart J decided that McCambridge were not entitled to an injunction under section 71, apparently (my interpretation) on the basis that the design of its packaging was not a commercial practice involving marketing or advertising.

Peart J was to hear the parties in relation to the exact terms of his proposed injunction, but the decision to grant an injunction has since been appealed to the Supreme Court by Brennans.

As stated, my interpretation of Peart J’s comments (at paragraph 45) is that an injunction was not available because packaging was not “marketing or advertising”. I would have thought that the European Communities (Misleading and Comparative Marketing Communications) Regulations 2007 were aimed at preventing misleading advertising and that the (quite similar) provisions of the 2007 Act were of broader application such as would capture packaging. The 2007 Act is the Irish implementation of the Unfair Commercial Practices Directive which, in the UK, was implemented by statutory instrument. Guidance from the UK’s Office of Fair Trading gives the following example of a prohibited practice:

A trader designs the packaging of shampoo A so that it very closely resembles that of shampoo B, an established brand of a competitor. If the similarity was introduced to deliberately mislead consumers into believing that shampoo A is made by the competitor (who makes shampoo B) – this would breach the [Regulations].

Of course, Peart J had decided that Brennans’ passing off was not deliberate, and so could not have found them to have intended to “deliberately mislead consumers”. Nevertheless, it appears to be a case where the views of the Consumer Protection Agency would have been of use.

New data protection rules on cookies & mandatory data breach reporting for electronic communications providers

From George Eastman House — Not those kind of cookies.

Last week, the Minister for Communications, Energy and Natural Resources signed a group of statutory instruments into law which transpose the EU telecommunications reform package.

Among those regulations are the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011.

The Regulations are lengthy but the Data Protection Commissioner already has a guidance note online outlining the changes introduced, the most significant being:

Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches

More stringent requirements for user consent for the placing of “cookies” on electronic devices

Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls

I previously wrote about mandatory reporting of data breaches in the context of general data protection law (rather than sector-specific rules).

Leo Moore (William Fry) points out that the new rules on cookies do not provide for a lead in time, as was the case in the UK. This will put pressure on operators subject to the rules to get their house in order quickly. He notes:

Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.

For more, try following Ronan Lupton (ALTO), TJ McIntyre (UCD/DRI), Leo Moore (WF) & David Cullen (WF) on Twitter.

Department of Jobs, Enterprise & Innovation (brief) consultation on filesharing injunctions

[Updated 23/06/11] In the (literally) last days of the previous Government, a rumour shot around that the then Minister for Enterprise, Trade and Innovation was about to sign a statutory instrument into law which would address the gap in the law criticised by Mr. Justice Chartleton in the EMI & ors v. UPC case.

A firm denial was issued by the Minister but I’m not sure anyone really believed that a draft SI wasn’t floating around somewhere. Anyway, the newly-titled Department of Jobs, Enterprise & Innovation has put a draft SI out to consultation. The relevant SI text is below.

~~Deadline for submissions is 1 July 2011: less than 2 weeks from today. That’s pretty swift consultation by any standard.~~ Apparently the Department received a number of requests for an extension to the consultation period, so the new deadline for submissions is Friday 29 July 2011.

New section 40(5A) of the Copyright & Related Rights Acts:

(5A)(a) without prejudice to subsections (3) and (4), the owner of the copyright in the work concerned may apply to the High Court for an injunction against a person who provides facilities referred to in subsection (3) where those facilities are being used by one or more third parties to infringe the copyright in that work.

(b) In considering an application for an injunction under this subsection, the court shall have due regard to the rights of any third party likely to be affected and the court shall make such directions (including, where appropriate, a direction requiring a third party to be put on notice of the application) as the court may deem necessary or appropriate in all the circumstances.

New section 205(9A) of the Copyright & Related Rights Acts:

(9A)(a) without prejudice to subsections (7) and (8), the rightsowner may apply to the High Court for an injunction against a person who provides facilities referred to in subsection (7) where those facilities are used by one or more third parties to infringe any of the rights referred to in Parts III and IV.

(b) In considering an application for an injunction under this subsection, the court shall have due regard to the rights of any third party likely to be affected and the court shall make such directions (including, where appropriate, a direction requiring a third party to be put on notice of the application) as the court may deem necessary or appropriate in all the circumstances.

Thanks to Ronan Lupton for bringing the consultation to my attention.