Tag: Privacy

New data protection rules on cookies & mandatory data breach reporting for electronic communications providers

 

From George Eastman House
Not those kind of cookies.

Last week, the Minister for Communications, Energy and Natural Resources signed a group of statutory instruments into law which transpose the EU telecommunications reform package.

Among those regulations are the European Communities (Electronic Communications Networks and Services)(Privacy and Electronic Communications) Regulations 2011.

The Regulations are lengthy but the Data Protection Commissioner already has a guidance note online outlining the changes introduced, the most significant being:

  • Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
  • More stringent requirements for user consent for the placing of “cookies” on electronic devices
  • Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls

I previously wrote about mandatory reporting of data breaches in the context of general data protection law (rather than sector-specific rules).

Leo Moore (William Fry) points out that the new rules on cookies do not provide for a lead in time, as was the case in the UK. This will put pressure on operators subject to the rules to get their house in order quickly. He notes:

Website operators and other interested parties are keenly following how the Cookie Regulations will be interpreted and enforced in Ireland in light of the need to obtain website user consent each time a cookie is placed on a website user’s computer. Many such parties have concerns in relation to the practical implications of complying with such obligations.

For more, try following Ronan Lupton (ALTO), TJ McIntyre (UCD/DRI), Leo Moore (WF) & David Cullen (WF) on Twitter.

Advertisements

Department of Jobs, Enterprise & Innovation (brief) consultation on filesharing injunctions

[Updated 23/06/11] In the (literally) last days of the previous Government, a rumour shot around that the then Minister for Enterprise, Trade and Innovation was about to sign a statutory instrument into law which would address the gap in the law criticised by Mr. Justice Chartleton in the EMI & ors v. UPC case.

A firm denial was issued by the Minister but I’m not sure anyone really believed that a draft SI wasn’t floating around somewhere. Anyway, the newly-titled Department of Jobs, Enterprise & Innovation has put a draft SI out to consultation. The relevant SI text is below.

Deadline for submissions is 1 July 2011: less than 2 weeks from today. That’s pretty swift consultation by any standard. Apparently the Department received a number of requests for an extension to the consultation period, so the new deadline for submissions is Friday 29 July 2011.

New section 40(5A) of the Copyright & Related Rights Acts:

(5A)(a) without prejudice to subsections (3) and (4), the owner of the copyright in the work concerned may apply to the High Court for an injunction against a person who provides facilities referred to in subsection (3) where those facilities are being used by one or more third parties to infringe the copyright in that work.

(b) In considering an application for an injunction under this subsection, the court shall have due regard to the rights of any third party likely to be affected and the court shall make such directions (including, where appropriate, a direction requiring a third party to be put on notice of the application) as the court may deem necessary or appropriate in all the circumstances.

New section 205(9A) of the Copyright & Related Rights Acts:

(9A)(a) without prejudice to subsections (7) and (8), the rightsowner may apply to the High Court for an injunction against a person who provides facilities referred to in subsection (7) where those facilities are used by one or more third parties to infringe any of the rights referred to in Parts III and IV.

(b) In considering an application for an injunction under this subsection, the court shall have due regard to the rights of any third party likely to be affected and the court shall make such directions (including, where appropriate, a direction requiring a third party to be put on notice of the application) as the court may deem necessary or appropriate in all the circumstances.

Thanks to Ronan Lupton for bringing the consultation to my attention.

Privacy and the press

I wrote a short article for last week’s Sunday Business Post on the super-injunctions story and the conflict between freedom of speech and privacy. It appeared in the Computers and Business magazine and is available here.

It’s a difficult topic to tackle in a short article and some more thoughts on the issue are in my earlier rambling blogpost. However, Karlin Lillington dealt with the issue expertly in last Friday’s Irish Times by contrasting the UK super-injunctions saga with the Irish experience of data protection and retention laws.

PRIVACY HAS two definitions. There is the definition that applies if you are wealthy, or a celebrity, or a corporation or organisation, and you wish carefully to protect from the public eye your infidelities, personal peccadilloes, ethically questionable activities, illegal doings or other foibles that might damage your income, reputation or bottom line.

Then, there is the definition that applies if you are just an ordinary citizen and a bank, an insurance company, an electronics manufacturer, a telecommunications company, a law enforcement agency, a government department or other organisation holds or would like to view lots of potentially sensitive information about you.

If you are in the former, elite group, lucky you. You will find you are entitled to all sorts of perks and privileges when it comes to your special definition of privacy. Your national government may come up with laws specifically to protect your version of privacy.

Justice systems may invent special protections that mean not only is no one allowed to mention whatever it is you or your company is said to have done, but no one is even allowed to mention that such a legal protection is there in the first place.

Social media and internet companies may, despite public statements about valuing their users and freedom and democracy, relinquish information about the people who might have said something annoying about you, your company or your government, the better to enable the justice system to get these aggravating people off your back.

If you are in the second group, your privacy is too often a commodity.

There is nothing super about these injunctions

The unfolding superinjunctions scandal in the United Kingdom is one of those legal stories that has gripped the media, broadsheet and tabloid alike. Much of the coverage now focuses on the fact that social media tends to make a superinjunction redundant.

An injunction is an equitable remedy and therefore a number of specific rules (maxims) apply when a judge considers whether to grant one. One such maxim is that equity will not act in vain. Mr. Justice Clarke summarised the position in a recent Irish case involving an attempt to force through the sale of a property where the purchasers had no ability to pay.

It has often been said that equity will not act in vain. A court should, therefore, be reluctant to make an equitable order where there is no reasonable prospect of the order concerned being complied with. I should add one qualification to that statement. There obviously may be cases where persons may simply decline to obey an order of the court. The fact that a party might be most unlikely to obey a court order could not, in my view, be a reason for the court not making the order in the first place. However, where it is clear on the evidence that a party would not, in fact, be able to comply with a court order, then a court should be most reluctant to make such an order.

For superinjunctions of the type currently in the news, there is no reasonable prospect of the orders being complied with. But this results from the fact that Twitter users, for example, are unlikely to obey the order, rather than being unable to obey it. Nevertheless, the issue of enforceability is significant. Proposals to impose editorial moderation on social media are somewhat silly and, as with many of the measures adopted to tackle illegal filesharing, doomed to fail.

As the Guardian commented in its editorial yesterday:

The case is, on the face of it, not a terribly attractive one for arguing either the cause of freedom of speech or for the supremacy of parliament.

However, the issue is not about the peccadilloes of a premiership footballer and the same principles will apply in far more serious circumstances.

What if some people on Twitter decided to name rape victims, or publish the current identity and whereabouts of Mary Bell, the child killer was who has, since 2003, been protected by a court order?

On the other hand, the existence of superinjunctions first came to public attention during the remarkable Trafigura affair in 2009 when the Guardian was prohibited from reporting on a question asked in the British Parliament. The case was something of a nightmare scenario for those with an interest in open democracy and press freedom.

The UK controversies inevitably involve debate on the merits of introducing a privacy law or reforming defamation law. What about this jurisdiction? Reforms have recently been made to our defamation law and while they were to be accompanied by a “deeply flawed” privacy law, that initiative has stalled.

The Privacy Bill 2006 proposed that a court could, in a privacy action, make an order prohibiting a defendant from doing anything that the court considers violate the privacy of the plaintiff. It also allowed for wide powers to control media reporting of privacy actions. It certainly appeared wide enough to allow for superinjunctions. Eoin O’Dell outlined the conundrum that the Bill would present the media with when coupled with the Defamation Act 2009.

[The Bill] has raised the spectre the defamation gagging writ of old simply being replaced by a shiny new privacy gagging writ. One aspect of the two Bills together puts journalists into a potentially invidious situation. To be able to rely on the defence of reasonable publication in a defamation action, one of the factors which the court will take into account is the extent to which a reasonable attempt was made by the journalist to obtain and publish a response from the person who is the subject of the article.

However, a journalist who makes such contacts in advance, now runs the risk of precipitating a privacy action from that person.

The journalist is now potentially damned by the Privacy Bill for contacting the subject of the article, and damned by the Defamation Bill for not doing so.

Of course, we don’t know if there are any superinjunctions in force in Ireland because, by their nature, the media is generally prohibited from reporting even their existence. Given that Ireland is such a small community, however, it seems probable that word of superinjunctions would quickly leak out. In addition, as noted by Flor McCarthy:

The constitutional requirement in this jurisdiction that justice must be administered in public would be a high hurdle for an applicant to overcome; though maybe we just don’t have the right celebrities!

Nevertheless, it is not inconceivable that such draconian injunctions could be issued in Ireland. After all, the ongoing banking crisis in Ireland has been accompanied by an astounding level of secrecy. The Credit Institutions (Stablisiation) Act 2010, a remarkable piece of legislation which should be far more controversial than it currently is, baldly provides:

The Court may order that any application under this Act, or any part of such an application, shall be heard otherwise than in public or may impose restrictions with regard to the disclosure in open court, publication or reporting of any material that might be commercially sensitive.

This is a very broad provision and was relied on almost immediately after the Act was passed. It was quite clear at the time this Act was first used that the parties hoped that the media would not be aware of the proceedings. Could a judge order that an article such as that in the Irish Times not be published on the grounds that the fact of the application itself was commercially sensitive?

There may well be grounds for the use of draconian court orders on occasion but it must be considered that the parties most likely to seek them are large corporations and wealthy individuals. As Mark Stephens, a high profile media lawyer, commented:

They are almost discriminatory justice. Not a single woman has taken out a super injunction and as a result of that, it is only the men. Invariably they are rich men because it costs between £50,000 and £100,000 (€56,000 and €113,000) to get a superinjunction.


Election 2011: Privacy, intellectual property & the internet

With so much of the electoral attention focussed on crisis management, it is easy to ignore other aspects of each party’s manifestos (or the absence of same in the case of many independents).

It is worth checking these manifestos for references to any issues you have a particular interest in: you might be surprised at what you find. Luckily, blogs like Maman Poulet and Human Rights in Ireland are keeping an eye on the aspects of the party manifestos not concerned solely with bond-burning.

Crowd checking the 1931 general election results, Willis Street, Wellington, 1931
Election night results, pre-Twitter

Our courts and citizens are having to deal with an increasing number of issues under our privacy, data protection and intellectual property laws, so I had a look at the parties’ positions in these areas. If I have missed anything, please let me know in the comments, along with suggestions as to what the manifestos should contain.

Fine Gael

  • FG would “review and update Intellectual Property legislation currently in place to benefit innovation.” This commitment is vague and suggests that the party is aware of issues but hasn’t thought about any solutions yet.
  • FG would “clarify the laws relating to on-line copyright infringement and the enforcement of rights relating to digital communications”. This probably refers to the consequences of the IRMA litigation (contrast with the Green Party manifesto, below). Again, the party does not appear to be ready to offer solutions.
  • What is meant by “the enforcement of rights relating to digital communications”? Does it refer to data retention or freedom of speech? The sentence is somewhat worrying in the absence of elaboration.
  • FG will revamp the Patents Office website. This is a bizarrely specific proposal, by contrast with the other high-level proposals.
  • The consultancy industry will be delighted to learn of plans for “an E-day on January 1st, 2016 by which all government services to business will be on-line only.”
  • FG would “develop Ireland as a ‘Digital Island’ and first-mover when it comes to information technology.” One might be forgiven for thinking that is an aspiration that is somewhat unrealistic in 2011.
  • FG would introduce a national DNA database. The process of doing so had already been started by the outgoing administration.
  • The party proposes a Circuit Commercial Court along the lines of the existing Commercial Court but which deals with smaller-value commercial disputes (the Circuit Court can generally hear cases for claims worth up to €38,092.14)

Labour

  • Labour’s Innovation Strategy Agency would, among other things, “make Ireland a world leader in the management of [IP]”.
  • Labour “supports the development of an International Content Services Centre in Ireland, and its potential to make Ireland a European hub for the dissemination of Intellectual Property.” This was, in fact, a commitment of the renewed Programme for Government agreed by Fianna Fáil and the Green Party in October 2009. It is also firmly in Your Country, Your Call territory: one of the winning YCYC proposals was to establish an ICSC. The competition winners were announced in September 2010, almost one year after the establishment of an ICSC became Government policy.
  • Labour propose to introduce civil orders against serious offenders following conviction, for example, restrictions on the use of the internet by those convicted of child sex offences.
  • Labour wants to make Ireland a headquarters location for data centres and cloud computing. The party would establish an expert group to review security and privacy issues arising from these areas. A data protection review group established by the Minister for Justice 2008 published a report in 2010. The EU is also currently reviewing the Data Protection Directive (Irish law implements the Directive) and cloud computing is one issue under review in that context.

Fianna Fáil

I will not be the first to suggest that the FF manifesto consists primarily of a defence of the outgoing Government’s policies and lists of achievements since 1997. It is not surprising, therefore, that party does not appear to offer much in the areas of privacy, IP and the internet.

No direct reference is made to copyright, data protection, privacy or the internet (not one instance of the word internet in the whole manifesto, though commitments are made about broadband). One, incidental, reference is made to IP in the context of publicly-funded research. While FG want to clarify the law on exploiting IP developed by third level institutions, FF want the outcomes of publicly-funded research to be made freely available “save where there are specific commercial intellectual-property issues.”

  • FF commits to supporting research and development and to continue use of the innovation voucher system to help small businesses acquire R&D.
  • Like the Labour party, the FF manifesto commits to fostering cloud computing services. It also commits to establishing the International Content Services Centre (as already mentioned, this has been Government policy since 2009).

Green Party

  • The Greens would “[p]revent private organisations from intruding into a citizen’s privacy”. The Data Protection Acts 1988 and 2003 already do this in general terms, but I assume that the Greens are proposing either reform of those Acts or the implementation of some form of specific privacy law, as was proposed but not implemented by the outgoing administration.
  • The Greens would prevent organisations from “summarily punishing citizens for alleged illegal activities and from interfering with citizens’ legitimate and legal uses of content.” Again, a little interpretation is required, but I assume this suggests that the Greens would deal with the consequences of the IRMA litigation in a manner which favours citizens over companies. As Minister for Communications, Eamon Ryan said that he was seeking the advice of the Attorney General in this area but his holding statement to the Dáil last year did not indicate any thinking along the lines of what is now contained in the manifesto.
  • The party would “[u]pdate the role of the Data Commissioner to ensure evolving technologies are in check with the rights of Irish citizens.” This might refer to increased enforcement powers, which would be welcome.
  • The party would completely oppose the introduction of software patents.

Sinn Féin

The SF manifesto makes no direct reference to copyright, intellectual property, data protection, privacy or the internet. However, the party would “focus on creating new jobs across the agri-food, tourism and IT/pharma sectors, and Research and Development as well as with initiatives that will ensure Ireland becomes a world leader in green energy.”


Do you own your wedding album?

You might think this a silly question. Of course you own your cherished wedding or civil partnership ceremony photographs. But how far does that ownership extend? Do you have the right to make copies of them and, perhaps more importantly, control their use? The short answer, for most couples, is: no.

Section 23 of the Copyright and Related Rights Acts 2000 to 2007 sets the default position: the author of a work shall be the owner of copyright in that work. In the case of photographs, section 21(h) provides that the author means the photographer. Accordingly, if your photographer provides you with an  album and nothing more is said or agreed, it is likely that you have merely purchased the services of the photographer in attending the ceremony along with the physical photo album.

Center for Jewish History, NYC
I suspect this couple was not given a CD of their wedding photos.

These days, photographers usually offer additional goods or services. For example, many provide a CD with digital copies of some or all of the photos. Some charge extra for such a CD. This is usually done with the expectation that the customer is entitled to make unlimited copies of these photos, but the agreement is often not explicit on this point. Indeed, many customers will not have a written contract in place with their photographer. If the customer is provided with a set of terms and conditions, perhaps on the invoice, this will probably form that contract.

If a photographer provides a CD of digital photos with the right to make copies, this might not permit further dealing with the photos, such as the right to upload them to Pix.ie or Facebook, for example, or to apply effects so that the photo could be printed on canvas in the style of a painting.

An important consequence of the photographer retaining copyright in the photos is that (s)he benefits from the rights of the copyright owner set out in Part II Chapter 4 of the Acts, specifically the right of the photographer to make his/her own use of the photos. I have come across a number of incidents where a recently married couple was surprised to find photos of their wedding displayed on the photographer’s website, magazine ads or even at wedding fairs (in one such case, the bride had not yet seen her own wedding photos when she saw them displayed at a wedding fair).

At this point first ownership of copyright in photos clashes with the Data Protection Acts 1988 and 2003. A photograph of individuals is personal data for the purposes of the Acts and generally should not be displayed publicly by another person without the consent of the people depicted in the photo. A photographer’s terms and conditions might include such consent, but any such consent can only be given by the customers (the couple) and cannot apply to guests. [See also the comments below concerning the right to privacy contained in section 114 of the Copyright and Related Rights Acts.]

Section 22A of the Data Protection Acts provides a limited exemption in the case of journalistic or artistic use of personal data but it is hard to see how a photographer could establish that publication of private photos was a matter of public interest (except perhaps in the case of celebrities, an area which itself is fraught with legal claims).

It is possible to agree with the photographer that copyright in all photos shall be assigned (ie. transferred) to the customer. Any such agreement must be in writing. However, most photographers will either be unwilling to agree to assignment or will charge an additional fee (which might be substantial).

As with anything, it is advisable to discuss with a photographer what exactly is being provided. The photographer should be asked if they retain copyright or assign it, and if they retain it reach explicit agreement on:

  1. what is the customer permitted to do with the photos provided; and
  2. that the photographer will agree not to use the photos in any public way.

The surprising reason given for the change to HSE policy on providing patient lists to clergy

This morning’s Irish Times reports on a change to a Health Service Executive policy I never knew existed. Until now, Irish hospitals provided members of the clergy with access to patient admission records. This practice, the article reports, “has been stopped by recent data protection legislation.”

I was surprised by the reference in the article to “recent data protection legislation” and “new legislation”. The main Irish legislation in this area is the Data Protection Act 1988. It was amended in 2003. There are a number of regulations affecting those Acts but the most recent relates only to the Director of Corporate Enforcement.

So, is the new legislation referred to the 8 year old act or the 23 year old one?

The truth is, one might reasonable speculate, that the consequences of long-standing legislative requirements have recently been considered by the HSE and they changed their policy accordingly. [I since found that the Offaly Independent reported on this story last Friday, without any indication that the legislative requirement which led to the policy change was new or recent.]

Information on an individual’s health is sensitive personal data for the purposes of the Acts and is the category of personal information that is subject to the strongest protections.

The Data Protection Commissioner has published a guidance note on the application of the Acts to the health sector. That note begins with the following, non-legislative point:

The confidentiality of patient records forms part of the ancient Hippocratic oath, and is central to the ethical tradition of medicine and health care.

It goes on to say that

Given the immense sensitivity of health-related information, it is imperative that professionals in this sector be clear about their use of personal data.

This recent, very much belated, change of policy by the HSE suggests that the organisation may have some distance to travel in this regard.