Tag: Privacy

Privacy and the press

I wrote a short article for last week’s Sunday Business Post on the super-injunctions story and the conflict between freedom of speech and privacy. It appeared in the Computers and Business magazine and is available here.

It’s a difficult topic to tackle in a short article and some more thoughts on the issue are in my earlier rambling blogpost. However, Karlin Lillington dealt with the issue expertly in last Friday’s Irish Times by contrasting the UK super-injunctions saga with the Irish experience of data protection and retention laws.

PRIVACY HAS two definitions. There is the definition that applies if you are wealthy, or a celebrity, or a corporation or organisation, and you wish carefully to protect from the public eye your infidelities, personal peccadilloes, ethically questionable activities, illegal doings or other foibles that might damage your income, reputation or bottom line.

Then, there is the definition that applies if you are just an ordinary citizen and a bank, an insurance company, an electronics manufacturer, a telecommunications company, a law enforcement agency, a government department or other organisation holds or would like to view lots of potentially sensitive information about you.

If you are in the former, elite group, lucky you. You will find you are entitled to all sorts of perks and privileges when it comes to your special definition of privacy. Your national government may come up with laws specifically to protect your version of privacy.

Justice systems may invent special protections that mean not only is no one allowed to mention whatever it is you or your company is said to have done, but no one is even allowed to mention that such a legal protection is there in the first place.

Social media and internet companies may, despite public statements about valuing their users and freedom and democracy, relinquish information about the people who might have said something annoying about you, your company or your government, the better to enable the justice system to get these aggravating people off your back.

If you are in the second group, your privacy is too often a commodity.

There is nothing super about these injunctions

The unfolding superinjunctions scandal in the United Kingdom is one of those legal stories that has gripped the media, broadsheet and tabloid alike. Much of the coverage now focuses on the fact that social media tends to make a superinjunction redundant.

An injunction is an equitable remedy and therefore a number of specific rules (maxims) apply when a judge considers whether to grant one. One such maxim is that equity will not act in vain. Mr. Justice Clarke summarised the position in a recent Irish case involving an attempt to force through the sale of a property where the purchasers had no ability to pay.

It has often been said that equity will not act in vain. A court should, therefore, be reluctant to make an equitable order where there is no reasonable prospect of the order concerned being complied with. I should add one qualification to that statement. There obviously may be cases where persons may simply decline to obey an order of the court. The fact that a party might be most unlikely to obey a court order could not, in my view, be a reason for the court not making the order in the first place. However, where it is clear on the evidence that a party would not, in fact, be able to comply with a court order, then a court should be most reluctant to make such an order.

For superinjunctions of the type currently in the news, there is no reasonable prospect of the orders being complied with. But this results from the fact that Twitter users, for example, are unlikely to obey the order, rather than being unable to obey it. Nevertheless, the issue of enforceability is significant. Proposals to impose editorial moderation on social media are somewhat silly and, as with many of the measures adopted to tackle illegal filesharing, doomed to fail.

As the Guardian commented in its editorial yesterday:

The case is, on the face of it, not a terribly attractive one for arguing either the cause of freedom of speech or for the supremacy of parliament.

However, the issue is not about the peccadilloes of a premiership footballer and the same principles will apply in far more serious circumstances.

What if some people on Twitter decided to name rape victims, or publish the current identity and whereabouts of Mary Bell, the child killer was who has, since 2003, been protected by a court order?

On the other hand, the existence of superinjunctions first came to public attention during the remarkable Trafigura affair in 2009 when the Guardian was prohibited from reporting on a question asked in the British Parliament. The case was something of a nightmare scenario for those with an interest in open democracy and press freedom.

The UK controversies inevitably involve debate on the merits of introducing a privacy law or reforming defamation law. What about this jurisdiction? Reforms have recently been made to our defamation law and while they were to be accompanied by a “deeply flawed” privacy law, that initiative has stalled.

The Privacy Bill 2006 proposed that a court could, in a privacy action, make an order prohibiting a defendant from doing anything that the court considers violate the privacy of the plaintiff. It also allowed for wide powers to control media reporting of privacy actions. It certainly appeared wide enough to allow for superinjunctions. Eoin O’Dell outlined the conundrum that the Bill would present the media with when coupled with the Defamation Act 2009.

[The Bill] has raised the spectre the defamation gagging writ of old simply being replaced by a shiny new privacy gagging writ. One aspect of the two Bills together puts journalists into a potentially invidious situation. To be able to rely on the defence of reasonable publication in a defamation action, one of the factors which the court will take into account is the extent to which a reasonable attempt was made by the journalist to obtain and publish a response from the person who is the subject of the article.

However, a journalist who makes such contacts in advance, now runs the risk of precipitating a privacy action from that person.

The journalist is now potentially damned by the Privacy Bill for contacting the subject of the article, and damned by the Defamation Bill for not doing so.

Of course, we don’t know if there are any superinjunctions in force in Ireland because, by their nature, the media is generally prohibited from reporting even their existence. Given that Ireland is such a small community, however, it seems probable that word of superinjunctions would quickly leak out. In addition, as noted by Flor McCarthy:

The constitutional requirement in this jurisdiction that justice must be administered in public would be a high hurdle for an applicant to overcome; though maybe we just don’t have the right celebrities!

Nevertheless, it is not inconceivable that such draconian injunctions could be issued in Ireland. After all, the ongoing banking crisis in Ireland has been accompanied by an astounding level of secrecy. The Credit Institutions (Stablisiation) Act 2010, a remarkable piece of legislation which should be far more controversial than it currently is, baldly provides:

The Court may order that any application under this Act, or any part of such an application, shall be heard otherwise than in public or may impose restrictions with regard to the disclosure in open court, publication or reporting of any material that might be commercially sensitive.

This is a very broad provision and was relied on almost immediately after the Act was passed. It was quite clear at the time this Act was first used that the parties hoped that the media would not be aware of the proceedings. Could a judge order that an article such as that in the Irish Times not be published on the grounds that the fact of the application itself was commercially sensitive?

There may well be grounds for the use of draconian court orders on occasion but it must be considered that the parties most likely to seek them are large corporations and wealthy individuals. As Mark Stephens, a high profile media lawyer, commented:

They are almost discriminatory justice. Not a single woman has taken out a super injunction and as a result of that, it is only the men. Invariably they are rich men because it costs between £50,000 and £100,000 (€56,000 and €113,000) to get a superinjunction.


Election 2011: Privacy, intellectual property & the internet

With so much of the electoral attention focussed on crisis management, it is easy to ignore other aspects of each party’s manifestos (or the absence of same in the case of many independents).

It is worth checking these manifestos for references to any issues you have a particular interest in: you might be surprised at what you find. Luckily, blogs like Maman Poulet and Human Rights in Ireland are keeping an eye on the aspects of the party manifestos not concerned solely with bond-burning.

Crowd checking the 1931 general election results, Willis Street, Wellington, 1931
Election night results, pre-Twitter

Our courts and citizens are having to deal with an increasing number of issues under our privacy, data protection and intellectual property laws, so I had a look at the parties’ positions in these areas. If I have missed anything, please let me know in the comments, along with suggestions as to what the manifestos should contain.

Fine Gael

  • FG would “review and update Intellectual Property legislation currently in place to benefit innovation.” This commitment is vague and suggests that the party is aware of issues but hasn’t thought about any solutions yet.
  • FG would “clarify the laws relating to on-line copyright infringement and the enforcement of rights relating to digital communications”. This probably refers to the consequences of the IRMA litigation (contrast with the Green Party manifesto, below). Again, the party does not appear to be ready to offer solutions.
  • What is meant by “the enforcement of rights relating to digital communications”? Does it refer to data retention or freedom of speech? The sentence is somewhat worrying in the absence of elaboration.
  • FG will revamp the Patents Office website. This is a bizarrely specific proposal, by contrast with the other high-level proposals.
  • The consultancy industry will be delighted to learn of plans for “an E-day on January 1st, 2016 by which all government services to business will be on-line only.”
  • FG would “develop Ireland as a ‘Digital Island’ and first-mover when it comes to information technology.” One might be forgiven for thinking that is an aspiration that is somewhat unrealistic in 2011.
  • FG would introduce a national DNA database. The process of doing so had already been started by the outgoing administration.
  • The party proposes a Circuit Commercial Court along the lines of the existing Commercial Court but which deals with smaller-value commercial disputes (the Circuit Court can generally hear cases for claims worth up to €38,092.14)

Labour

  • Labour’s Innovation Strategy Agency would, among other things, “make Ireland a world leader in the management of [IP]”.
  • Labour “supports the development of an International Content Services Centre in Ireland, and its potential to make Ireland a European hub for the dissemination of Intellectual Property.” This was, in fact, a commitment of the renewed Programme for Government agreed by Fianna Fáil and the Green Party in October 2009. It is also firmly in Your Country, Your Call territory: one of the winning YCYC proposals was to establish an ICSC. The competition winners were announced in September 2010, almost one year after the establishment of an ICSC became Government policy.
  • Labour propose to introduce civil orders against serious offenders following conviction, for example, restrictions on the use of the internet by those convicted of child sex offences.
  • Labour wants to make Ireland a headquarters location for data centres and cloud computing. The party would establish an expert group to review security and privacy issues arising from these areas. A data protection review group established by the Minister for Justice 2008 published a report in 2010. The EU is also currently reviewing the Data Protection Directive (Irish law implements the Directive) and cloud computing is one issue under review in that context.

Fianna Fáil

I will not be the first to suggest that the FF manifesto consists primarily of a defence of the outgoing Government’s policies and lists of achievements since 1997. It is not surprising, therefore, that party does not appear to offer much in the areas of privacy, IP and the internet.

No direct reference is made to copyright, data protection, privacy or the internet (not one instance of the word internet in the whole manifesto, though commitments are made about broadband). One, incidental, reference is made to IP in the context of publicly-funded research. While FG want to clarify the law on exploiting IP developed by third level institutions, FF want the outcomes of publicly-funded research to be made freely available “save where there are specific commercial intellectual-property issues.”

  • FF commits to supporting research and development and to continue use of the innovation voucher system to help small businesses acquire R&D.
  • Like the Labour party, the FF manifesto commits to fostering cloud computing services. It also commits to establishing the International Content Services Centre (as already mentioned, this has been Government policy since 2009).

Green Party

  • The Greens would “[p]revent private organisations from intruding into a citizen’s privacy”. The Data Protection Acts 1988 and 2003 already do this in general terms, but I assume that the Greens are proposing either reform of those Acts or the implementation of some form of specific privacy law, as was proposed but not implemented by the outgoing administration.
  • The Greens would prevent organisations from “summarily punishing citizens for alleged illegal activities and from interfering with citizens’ legitimate and legal uses of content.” Again, a little interpretation is required, but I assume this suggests that the Greens would deal with the consequences of the IRMA litigation in a manner which favours citizens over companies. As Minister for Communications, Eamon Ryan said that he was seeking the advice of the Attorney General in this area but his holding statement to the Dáil last year did not indicate any thinking along the lines of what is now contained in the manifesto.
  • The party would “[u]pdate the role of the Data Commissioner to ensure evolving technologies are in check with the rights of Irish citizens.” This might refer to increased enforcement powers, which would be welcome.
  • The party would completely oppose the introduction of software patents.

Sinn Féin

The SF manifesto makes no direct reference to copyright, intellectual property, data protection, privacy or the internet. However, the party would “focus on creating new jobs across the agri-food, tourism and IT/pharma sectors, and Research and Development as well as with initiatives that will ensure Ireland becomes a world leader in green energy.”


Do you own your wedding album?

You might think this a silly question. Of course you own your cherished wedding or civil partnership ceremony photographs. But how far does that ownership extend? Do you have the right to make copies of them and, perhaps more importantly, control their use? The short answer, for most couples, is: no.

Section 23 of the Copyright and Related Rights Acts 2000 to 2007 sets the default position: the author of a work shall be the owner of copyright in that work. In the case of photographs, section 21(h) provides that the author means the photographer. Accordingly, if your photographer provides you with an  album and nothing more is said or agreed, it is likely that you have merely purchased the services of the photographer in attending the ceremony along with the physical photo album.

Center for Jewish History, NYC
I suspect this couple was not given a CD of their wedding photos.

These days, photographers usually offer additional goods or services. For example, many provide a CD with digital copies of some or all of the photos. Some charge extra for such a CD. This is usually done with the expectation that the customer is entitled to make unlimited copies of these photos, but the agreement is often not explicit on this point. Indeed, many customers will not have a written contract in place with their photographer. If the customer is provided with a set of terms and conditions, perhaps on the invoice, this will probably form that contract.

If a photographer provides a CD of digital photos with the right to make copies, this might not permit further dealing with the photos, such as the right to upload them to Pix.ie or Facebook, for example, or to apply effects so that the photo could be printed on canvas in the style of a painting.

An important consequence of the photographer retaining copyright in the photos is that (s)he benefits from the rights of the copyright owner set out in Part II Chapter 4 of the Acts, specifically the right of the photographer to make his/her own use of the photos. I have come across a number of incidents where a recently married couple was surprised to find photos of their wedding displayed on the photographer’s website, magazine ads or even at wedding fairs (in one such case, the bride had not yet seen her own wedding photos when she saw them displayed at a wedding fair).

At this point first ownership of copyright in photos clashes with the Data Protection Acts 1988 and 2003. A photograph of individuals is personal data for the purposes of the Acts and generally should not be displayed publicly by another person without the consent of the people depicted in the photo. A photographer’s terms and conditions might include such consent, but any such consent can only be given by the customers (the couple) and cannot apply to guests. [See also the comments below concerning the right to privacy contained in section 114 of the Copyright and Related Rights Acts.]

Section 22A of the Data Protection Acts provides a limited exemption in the case of journalistic or artistic use of personal data but it is hard to see how a photographer could establish that publication of private photos was a matter of public interest (except perhaps in the case of celebrities, an area which itself is fraught with legal claims).

It is possible to agree with the photographer that copyright in all photos shall be assigned (ie. transferred) to the customer. Any such agreement must be in writing. However, most photographers will either be unwilling to agree to assignment or will charge an additional fee (which might be substantial).

As with anything, it is advisable to discuss with a photographer what exactly is being provided. The photographer should be asked if they retain copyright or assign it, and if they retain it reach explicit agreement on:

  1. what is the customer permitted to do with the photos provided; and
  2. that the photographer will agree not to use the photos in any public way.

The surprising reason given for the change to HSE policy on providing patient lists to clergy

This morning’s Irish Times reports on a change to a Health Service Executive policy I never knew existed. Until now, Irish hospitals provided members of the clergy with access to patient admission records. This practice, the article reports, “has been stopped by recent data protection legislation.”

I was surprised by the reference in the article to “recent data protection legislation” and “new legislation”. The main Irish legislation in this area is the Data Protection Act 1988. It was amended in 2003. There are a number of regulations affecting those Acts but the most recent relates only to the Director of Corporate Enforcement.

So, is the new legislation referred to the 8 year old act or the 23 year old one?

The truth is, one might reasonable speculate, that the consequences of long-standing legislative requirements have recently been considered by the HSE and they changed their policy accordingly. [I since found that the Offaly Independent reported on this story last Friday, without any indication that the legislative requirement which led to the policy change was new or recent.]

Information on an individual’s health is sensitive personal data for the purposes of the Acts and is the category of personal information that is subject to the strongest protections.

The Data Protection Commissioner has published a guidance note on the application of the Acts to the health sector. That note begins with the following, non-legislative point:

The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care.

It goes on to say that

Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data.

This recent, very much belated, change of policy by the HSE suggests that the organisation may have some distance to travel in this regard.

Privacy & Human Rights in Europe

Privacy InternationalPrivacy International have published their latest study reviewing privacy and human rights in Europe.

I contributed to the Irish chapter of the report, along with TJ McIntyre and Colin Irwin. It gives a good overview of current Irish law on privacy and data protection.

The report concludes that, while Europe is the world leader in privacy rights, there remains much work to be done in the field.

The Directive on Data Protection has been implemented across EU member states and beyond, but inconsistencies remain. Surveillance harmonisation that was once threatened is now in disarray. Yet there are so many loopholes and exemptions that it is increasingly challenging to get a full understanding of the privacy situations in European countries. The cloak of ‘national security’ enshrouds many practices, minimises authorisation safeguards and prevents oversight.

The report includes a report card in its key findings, the highlights of which for Ireland include criticisms that Ministerial warrants can override privacy law protections and that powers allowing for interception of VoIP calls are ambiguous.

For more on international privacy law, Morrison Foerster have a very useful library which acts as an online sourcebook.

Why people care about The Record Industry v. The Customer

Cory Doctorow makes some good points on the use and abuse of copyright law, in response to some pretty churlish criticism recently directed his way. I particularly liked this:

… I don’t care if you want to attempt to stop people from copying your work over the internet, or if you plan on building a business around this idea. I mean, it sounds daft to me, but I’ve been surprised before.

But here’s what I do care about. I care if your plan involves using “digital rights management” technologies that prohibit people from opening up and improving their own property; if your plan requires that online services censor their user submissions; if your plan involves disconnecting whole families from the internet because they are accused of infringement; if your plan involves bulk surveillance of the internet to catch infringers, if your plan requires extraordinarily complex legislation to be shoved through parliament without democratic debate; if your plan prohibits me from keeping online videos of my personal life private because you won’t be able to catch infringers if you can’t spy on every video.

Via Adrian Weckler.

If you didn’t friend the Department of Social Protection, one of your “friends” snitched

The stories about the Department of Social Protection’s use of Facebook to detect fraud raised more questions than they answered.Someone talked! So, I requested details from the Department of its use of social networking.

Here’s the relevant part of the response:

Social networking sites, such as Facebook, are not a systematic part of the Department’s on-going targeted fraud and error control activities.

Circumstances, however, may give rise to a member of staff examining publicly available information on the internet, for example following receipt of a report from a member of the public making reference to relevant information on social networking sites.

Information from such sources is not used as evidence to terminate a claim in payment but may result in a review of entitlement by the Department.

On a point of information, at the end of August 2010 (latest figures available)

  • over 7,200 anonymous reports were made to the Department’s Central Control Division. (Reports are also made directly to scheme areas and public offices which are not included in that figure).
  • 500,000 reviews approx. were completed by the Department. Investigations which refer to social networking sites would be negligible in an overall context.

As only information which is publicly available on social networking sites is accessed in such investigations, the cooperation of the operators of such sites is not needed. The Department has not accessed, or sought to access, information on social networking sites which is not available to the public at large.

The above doesn’t necessarily get the Department around the requirements of the Data Protection Acts and it is not clear what the Department does with data submitted to it by members of the public which is not publicly available online.

Did you friend the Department of Social Protection?

Over on the Irish Computer Society’s data protection blog yesterday, Daragh O’Brien wrote about the news that the Department of Social Protection is monitoring Facebook when investigating suspected welfare fraud.

Daragh discusses the data protection principle of fair obtaining in this context. He notes section 8(b) of the Data Protection Acts 1988 and 2003, which suspend the restrictions in the Acts for the purposes of the investigation or prosecution of offences and in the case of collecting or assessing monies due to the State. However, the section 8(b) exemption only applies where processing of personal data (which would include getting it from Facebook) is required for the purposes of investigation, etc. The provision is, as yet, untested, but the wording certainly suggests that it is not open to the Department to process personal data obtained from Facebook merely as an aid to investigation.

© Brian Solis
After all, this guy doesn't believe in privacy.

This morning, the Irish Independent followed up on the story with surprising statements from Facebook itself, primarily that:

“Facebook protects people’s right to privacy but in the same way officials investigating a case can access post office details or phone records, accessing Facebook profiles would be the same kind of thing,” a spokesman said.

It comes as a surprise to me* that the Department could access post office details (and: what are those details?) and phone records without a court order or the consent of the data subject, but Facebook apparently believes this is the done thing. It’s an important point because Facebook’s privacy policy purports to allow the company to hand over your information.

We may disclose information pursuant to subpoenas, court orders, or other requests (including criminal and civil matters) if we have a good faith belief that the response is required by law. This may include respecting requests from jurisdictions outside of the United States where we have a good faith belief that the response is required by law under the local laws in that jurisdiction, apply to users from that jurisdiction, and are consistent with generally accepted international standards.

It is not known from the news reports whether Facebook has facilitated the Department of Social Protection or handed over information or access to profiles to the Department. If not, it is difficult to see how the Department has accessed any meaningful information from the site, unless it has taken advantage of data which has inadvertently been made public or, alternatively, if the Department has obtained the data by deception.

From the comments made by Facebook to the Irish media, it appears that Facebook has an off-hand attitude to the specifics of Irish law on this point and its privacy policy suggests that the company will err on the side of caution in assisting a State agency. It won’t surprise many that Facebook might not rush to defend your privacy.

The incident is certainly worthy of investigation by the Data Protection Commissioner.

* I’m not an expert on the Social Welfare Acts and they are labyrinthine, but anyone with more knowledge on the powers of the Department in this area might comment below. I understand certain information can be shared by some State agencies for the purposes of making a decision on whether to provide social welfare or grants, but I don’t believe that extends to investigations by the Department.

Rage against the machine

The march of the machines is irresistible, with technology providing a range of opportunities for businesses to reduce the need for human input. There is a legal limit to such progress, but how many people know about it?

Section 6B of the Data Protection Acts 1988 and 2003 provides:

a decision which produces legal effects concerning a data subject or otherwise significantly affects a data subject may not be based solely on processing by automatic means of personal data in respect of which he or she is the data subject and which is intended to evaluate certain personal matters relating to him or her such as, for example (but without prejudice to the generality of the foregoing), his or her performance at work, creditworthiness, reliability or conduct

Photo licensed under Creative Commons Attribution-Share Alike 3.0 Unported license.
Four musicians invoke section 6B against the machine.

There are, as ever, exceptions to the ban, the most straightforward being consent. I have yet to see a set of terms and conditions containing such consent.

The widest exception concerns decisions made for the purposes of considering whether to contract with the data subject or in the course of performing such a contract. A further exception may arise where automatic decision making is required or authorised by law.

The contractual exception appears to strip the ban of much of its force. However, any exception to the ban on automated decision making only applies if the request for the entering into or the performance of the contract is granted or if there are suitable measures to safeguard the subject’s legitimate interests.  Therefore, if the result of an automated decision is to not grant what the data subject requested, that decision will have to be reviewed by a human being.

A glaring question remains: what happens when section 6B is breached? As is often the case with data protection law in Ireland, the answer is unknown but it is likely that some enforcement proceeding might be engaged in by the Data Protection Commissioner.

PS.

  1. Section 6B, which implements into Irish law Article 15 of the EU Data Protection Directive, appears to be ambiguously drafted (due to poor formatting), arguably making the contractual exemption wider than intended. I have, however, gone with the intention of the Directive on this point.
  2. The real Rage Against the Machine.