Data protection laws under strain

Why the Sate is struggling to keep up with privacy breaches that are becoming the norm in people’s digital lives


The office of the Data Protection Commissioner (DPC) is under-resourced and lacking the power needed to deal with increasingly complex issues around personal privacy, according to TJ McIntyre, lecturer in law at University College Dublin and privacy advocate behind the lobby group Digital Rights Ireland.

He is unimpressed by announcements in the annual DPC report, published in May, that a technology advisor and in- house legal expert had joined the team to deal with increased responsibilities. “It’s incredible that they’ve only hired these people for the first time,” he said, stating there were still be fewer than 30 employees to deal with a digital world where privacy is compromised on a regular basis.

Barely a week goes by without new revelations that raise questions, whether it’s Vodafone’s tracked phone calls reigniting concerns about mass surveillance or fallout from the Google “right to be forgotten” case.

Another privacy issue recently erupted in the States when the Federal Trade Commission (FTC) challenged the practices of data brokers, firms that acquire personal information and sell it on. This is less of a problem in Europe where people have to give “informed consent” for a third party to use and monetise any data, but it’s another grey area according to McIntyre.

“In practice, informed consent tends not to be informed. You have to agree to terms of use that are so long that no sane human would ever spend significant time reading them,” he says. Like other privacy advocates he wants the concept of informed consent to be tightened up as part of ongoing EU data protection reforms. The alternative is neatly summed up by an adage often attached to internet – “If you’re not paying for the product, you are the product.”


Enforcement weaker in Europe

Though Europe may have more stringent rules around data protection than the US, enforcement is a lot weaker. Steep financial penalties are commonplace across the Atlantic. When mobile messaging firm Snapchat recently committed a breach, part of the settlement with the FTC was agreeing to a comprehensive privacy programme that will be monitored for the next 20 years.


In Ireland, the DPC can’t impose fines because it falls foul of part of the constitution that prevents a non-court body from making judicial decisions. “The financial regulator can impose fines so given that precedent it would be desirable if the DPC could do the same,” said McIntyre.

On the “right to be forgotten” case, McIntyre is pleased that Google’s attempt to evade European law – because it’s headquartered in the US – was quashed, but is concerned about the detail of the ruling. “It wasn’t, as widely reported, about the right to be forgotten, it was about the right to prevent Google processing information about people,” he said.

The upshot is that internet companies are now considered data processors – but not necessarily data controllers – and subject to the Data Protection Directive. McIntyre finds its worrying that Google is now responding to tens of thousands of user requests and making decisions on public interest about whether information should be accessible. Other things could be done, he suggests, perhaps allowing a correction or clarification in search results – like newspapers do with articles.

He thinks it is inevitable that national data protection authorities will be a port of call for citizens looking to appeal how they appear in search engines. “It’s legal logic. The question is whether they have either the power or resources to do anything. In Ireland the office of the DPC is hamstrung on both fronts.”

He ultimately sees the Google ruling as a “blunt remedy” because the information can still be maintained by the original web site. All that’s happened is that it can’t be displayed in response to a particular type of search. “That’s analogous to a library keeping a book on a shelf but not listing it in the card index. It would make more sense to say that if the information can be lawfully published in the first place then it should similarly be lawful to index.”


Mass surveillance

Digital Rights Ireland is focused on many fronts and most recently made the news when the European Court supported its view that the EU Data Retention Directive should be invalid, a law that McIntyre argues is unconstitutional and synonymous with mass surveillance. The case will now return to the High Court in Dublin.


Taking it to the European courts was a response to the failure of successive Irish governments to address the issue, according to McIntryre, because of what he sees as a reactive rather than proactive approach to privacy issues, driven by outside pressure rather than a national obligation to “do the right thing”.

The other problem is that the law always takes time to catch up with technological change. “Very often it takes a number of scandals, be it in the financial or privacy sector, before you see effective regulation,” says McIntyre. “We’ve had the scandals; it’s about time we saw some more effective regulation.”