Data protection laws under strain

Why the Sate is struggling to keep up with privacy breaches that are becoming the norm in people’s digital lives

Thu, Jun 19, 2014, 01:05

The office of the Data Protection Commissioner (DPC) is under-resourced and lacking the power needed to deal with increasingly complex issues around personal privacy, according to TJ McIntyre, lecturer in law at University College Dublin and privacy advocate behind the lobby group Digital Rights Ireland.

He is unimpressed by announcements in the annual DPC report, published in May, that a technology advisor and in- house legal expert had joined the team to deal with increased responsibilities. “It’s incredible that they’ve only hired these people for the first time,” he said, stating there were still be fewer than 30 employees to deal with a digital world where privacy is compromised on a regular basis.

Barely a week goes by without new revelations that raise questions, whether it’s Vodafone’s tracked phone calls reigniting concerns about mass surveillance or fallout from the Google “right to be forgotten” case.

Another privacy issue recently erupted in the States when the Federal Trade Commission (FTC) challenged the practices of data brokers, firms that acquire personal information and sell it on. This is less of a problem in Europe where people have to give “informed consent” for a third party to use and monetise any data, but it’s another grey area according to McIntyre.

“In practice, informed consent tends not to be informed. You have to agree to terms of use that are so long that no sane human would ever spend significant time reading them,” he says. Like other privacy advocates he wants the concept of informed consent to be tightened up as part of ongoing EU data protection reforms. The alternative is neatly summed up by an adage often attached to internet – “If you’re not paying for the product, you are the product.”

 

Enforcement weaker in Europe

Though Europe may have more stringent rules around data protection than the US, enforcement is a lot weaker. Steep financial penalties are commonplace across the Atlantic. When mobile messaging firm Snapchat recently committed a breach, part of the settlement with the FTC was agreeing to a comprehensive privacy programme that will be monitored for the next 20 years.

 

In Ireland, the DPC can’t impose fines because it falls foul of part of the constitution that prevents a non-court body from making judicial decisions. “The financial regulator can impose fines so given that precedent it would be desirable if the DPC could do the same,” said McIntyre.

On the “right to be forgotten” case, McIntyre is pleased that Google’s attempt to evade European law – because it’s headquartered in the US – was quashed, but is concerned about the detail of the ruling. “It wasn’t, as widely reported, about the right to be forgotten, it was about the right to prevent Google processing information about people,” he said.