Data protection must be front and centre in information age

Minister must ensure tech firms keep doing business here while also protecting privacy

When Fine Gael TD Dara Murphy, was promoted by Taoiseach Enda Kenny to a ministerial role last July, the position had a special twist. As well as being named Minister of State for European Affairs, the Corkman and former Cork city mayor also became Europe's first national Minister for Data Protection.

"The Taoiseach asked me to take on the job of Minister for European Affairs in his own department, and given the importance of data protection, [decided] that we would become the first country in Europe to have a data protection Minister," Murphy says.

In an interview last week just before giving a keynote speech at the seventh National Data Protection Conference in Dublin Castle on International Data Privacy Day, he said that "the rational is quite straightforward" for creating the data protection post (which is separate to Ireland's independent Office of the Data Protection Commissioner, led by Helen Dixon).

"Data protection is an extremely broad area and the ambition is we would now have a whole government approach. There is a significant body of work to be done, for example, at the Department of Public Expenditure and Reform with respect to how Government departments share data. Every department and semi-State [agency] has an important data role."

READ MORE

Data centres

Ancillary areas of interest for the role are developing Ireland's growing reputation as a hosting site for data centres. Set alongside the range of technology companies here, Murphy says Ireland also has the capacity to be a data analytical centre of excellence.

“We have 29 of the top 30 technology companies on the planet in the Republic of Ireland and we have some of the finest brains in the broadest data and technology sense through those companies, so with our own third level academic institutions, there’s a chance to cluster and have a best in class global data analytical centre of excellence on the island.”

But these seem like peripheral niceties compared to the unprecedented national and international focus on data privacy at the moment, manifested in public anger at Irish Water’s initial move to collect PPS numbers, or the Department of Education’s controversial intent to gather data on Irish schoolchildren and hold them until students are age 30.

Then there have been ongoing departmental data breaches, either accidental or intentional.

“We do need to see a couple of things. One, we need to see more leadership from our own Government departments. Many of the breaches we have seen from State agencies and Government departments have been caused by carelessness,” Murphy says.

“The same is true of the private sector, by the way. You very rarely see deliberate data breaches, so we will be leading a campaign now to see a greater regard from all the departments and semi-States towards data protection. I think it’s important that they respect their obligations, to have the confidence of people in the country. We have a job of work to bolster the confidence people have in the State sector, that data given to them is properly held and only used for the purpose for which it is acquired.”

There have been a number of examples where departments “have just been a little bit careless. Irish Water, for example, is a case where if a little bit more thought had been put in place . . . ”

Watchdog role

Ireland is also about to take on a significant, if incidental, European data watchdog role because of the large number of multinational internet, social media and technology companies – all huge data handlers – based here.

EU politicians have yet to hammer out the final details of a proposed new data protection regulation, but it is almost certain to shift responsibility for complaints and appeals against companies to the Data Protection Commissioner in the EU headquarters for a company.

Despite criticisms from some EU states, such as Germany and France, Murphy is adamant that Ireland has not, and will not, kowtow to such firms, regardless of whether they are major employers here.

"Ireland has a proud record of independent agencies, often to the discomfort of Government agencies or politicians. I think [Data Protection Commissioner] Helen Dixon and her predecessors have shown absolute independence in how they've conducted themselves."

Other EU states may be jealous of Irish success in attracting such a multinational base, but multinationals want it to be known that they’re operating in a country which has a very robust regulatory system, he says.

Later in the day, another conference keynote speaker, Austrian law student Max Schrems, will dispute whether Ireland – or Europe as a whole – has an adequately vigorous and properly enforced data protection regime, however. Schrems has taken a High Court case in Ireland arguing that his own complaints about Facebook's handling of his personal data were not properly investigated. The case has been referred to the European Court of Justice.

Strong statements

Murphy has not backed away from making strong pro-privacy statements on controversial, topical issues such as a current US case in which Microsoft is fighting a US court's demands that it hand over emails held in a server in its Irish data centre.

To do so would threaten the privacy rights of individuals, Murphy noted in a statement that also argued that Ireland and the US already had channels through which to make such data requests, Mutual Legal Assistance Treaties (MLATs).

He has also argued against proposals to increase surveillance on private social media communications and to hobble the use of encryption for personal and business communications and activities.

“For many generations it has been possible for someone in privacy to post a letter to another person. It should be possible for someone to communicate in privacy with another person online,” he says.

In the context of recent terrorist events, he can see why some people might call for limitations on the use of encryption by adding “back doors” to allow law enforcement to read all communications.

“But in practical terms [because encryption is central to so many everyday business activities], that is largely unimplementable. And if it were to be implemented – and I can’t see how it could be – the lack of encryption would give rise to far more difficulties that it could possibly create.” Cripple encryption and people would be more at the mercy of criminals, he says.

“We also have seen very strong expressions from the European Court of Justice [stating] there is a right to privacy, and that right [isn’t] required to be set against other rights. There can be a balance.”

However, the ECJ made many of those statements when it threw out the former Data Retention Directive based on a challenge by Irish privacy advocates Digital Rights Ireland to the Irish implementation of the directive.

Murphy won’t comment on whether the government here plans fresh data retention legislation, only noting: “The ECJ has made a ruling. It has given rise I think to a very reasonable discussion around the relevance of data being held, and how long it should be held for.”

What about the revelations, via leaked documents from whistleblower Edward Snowden, that British spy agency Government Communications Headquarters (GCHQ) routinely spied on Irish communications passing over the major subsea telecommunications cables that link Ireland and the UK?

“The Government haven’t made any comment and we’re not going to make any comment now.”

But would such a degree of secret data gathering on the Irish population concern him as a Minister with a data protection remit? “In my role as a data protection Minister, in the first instance I’m responsible for what we do here in Ireland and responsible also for what we do collectively as Europeans. But it is clear that it is vital – and I am not going to name any other state – but it is vital that we continue to develop strong relationships. We have already for example an MLAT with various parts of the world [for security agency data requests].”

Partner countries need to ensure MLATs are strong and efficient. “Then, if there is the prospect of serious crime or terrorism, the agencies would seek an alternative route to acquire [data].”

Plane data

But Ireland will support the controversial calls for an EU-wide sharing of aeroplane passenger data (passenger name records, or PNRs) as long as the system is balanced, Murphy says.

And as for data protection regulation, long promised but still in bitter discussion, will it ever materialise?

“Is it stalled? Quite the contrary. There’s now a very significant energy behind it,” he says. “It was the top item on the agenda, and the most discussed” at the last meeting of the committee overseeing it.

Once passed, it will undoubtedly add greater force and definition to his own role. However, the degree of respect ultimately accorded any Minister for Data Protection will depend ultimately on the will of the Taoiseach to make this new role nationally powerful, and internationally significant.