Ireland must be pro-active on e-privacy

It is now well over two years since Ireland was required to implement the Data Protection Directive; as a result the EU is now…

It is now well over two years since Ireland was required to implement the Data Protection Directive; as a result the EU is now taking action against Ireland in the European Court of Justice. There is nothing unusual about Ireland being slow to implement EU directives, but Ireland's tardiness may cause problems for the Electronic Commerce Act 2000, which is intended to give Ireland a competitive advantage in e-commerce by strictly protecting the privacy of encrypted data and Internet communications.

Such protection can be contrasted with Britain's Regulation of Investigatory Powers Act 2000, which provides for the monitoring of Internet communications. Ireland must hope that its pro-privacy Internet policies will boost the Irish encryption industry in the same way as its pro-business taxation policy boosted the IFSC. But this pro-privacy stance is already coming under threat from European laws such as the Council of Europe's Draft Convention on Cyber-crime. Ireland may find it difficult to argue that its citizens need the pro-privacy provisions of the E-Commerce Act 2000, if it disdains granting them the more fundamental privacy protections contained in the data protection directives.

Data protection laws have relevance to a whole range of day-to-day issues, notably the use of mobile phones. The UK Data Protection Registrar recently initiated an action against a firm that was sending four million "junk" text messages a week to mobile phone users in the UK. These messages gave a number and read "please call - urgent".

The 30 per cent of recipients who responded got to hear a recorded message advertising insurance. Data protection will have implications for third generation (3G) mobile phone licences. Four of these were recently auctioned for €36 billion (£28.35 billion) in the UK, and the framework for bidding for 3G licences in Ireland was announced by the Office of the Director of Telecommunications Regulation last week. It is anticipated that around €500 million will be paid in total for the four Irish licences.

READ MORE

Licensees will hope to recoup the cost of 3G licences by providing services such as location-based advertising, which might involve sending a list of today's menu specials to the mobile phones that are near a particular restaurant. This can be done because 3G phones allow users' locations to be identified with precision. However, successful bidders will have to take into account the EU's recently published draft Data Protection Directive, which clarifies the existing law contained in the Directive on Data Protection on telecoms networks. The new draft directive makes it categorically clear that such services can only be provided with the consent of users; if you do not want your position tracked in this way then you can object.

Privacy is already an issue for Irish businesses, notably those that wish to monitor what their employees do online. There are legitimate reasons why a business would wish to monitor their employees' Internet usage, but there are limits. In Halford v UK, the European Court of Human Rights held that an employer who monitored the phone calls of an employee who had initiated a discrimination case had breached that employee's right to privacy. Unfortunately, these limits are unclear, even if it is agreed that an employer can monitor an individual employee's email, that agreement will not necessarily mean that the employer can breach the privacy of outsiders who corresponds with that employee.

There is a need for an approach that may be an agreed code of practice, setting out what can and cannot be monitored by employers. There is a danger that if this is not done then employers may simply follow UK standards such as the draft Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (UK). Following UK standards with regard to privacy may be dangerous, as the Irish and UK laws on privacy can differ.

The Data Protection Directive would also apply to the processing of audio-visual data derived from installation of CCTV in town centres throughout Ireland. This can be highly invasive technology, and if linked to sophisticated software it can automatically identify and monitor specific individuals.

Ireland is not alone in finding it difficult to reconcile the needs of commerce with the right to privacy. Since the enormous investment in 3G licences threatens the stability of the European telecoms industry, the EU may come under serious pressure to amend European data protection laws in its new Data Protection Directive. Arguably, the EU has already compromised these by agreeing "safe harbour principles" that allow American Internet websites to process European personal data.

People value their privacy, particularly online, and Irish law has always expressed a strong respect for privacy, whether in the Constitution or in court cases such as Kennedy v Ireland. If Ireland wants to build upon the strong pro-privacy provisions of the E-Commerce Act 2000, these can be used to develop and promote Ireland as a hub for e-commerce. But this will only succeed if Ireland makes it clear that privacy is a fundamental Irish principle and not just a commercial gimmick.

Denis Kelleher is a practising barrister: deniskelleher@ireland.com