Fine Gael website may breach privacy laws, warns expert


A WEBSITE launched by Fine Gael to invite members of the public to share their views on policy and the future of Ireland may be in breach of data protection laws, an expert in the field claimed yesterday.

The party set aside its main website on Tuesday and replaced it with – a site hosted by a US firm called ElectionMall Technologies.

More than 1,000 comments were submitted online by members of the public in the first day.

It emerged, however, that the website did not have a privacy statement and there were also concerns about whether there is a legal basis for the personal data being collected on the site to be processed in the US.

The Data Protection Commissioner’s office was notified about the lack of a privacy statement on the website and confirmed it had made contact with Fine Gael.

The party placed a privacy statement on the website late yesterday afternoon which was identical to the one published on its old website. A Fine Gael spokesman said this was done on a “belt and braces” basis, and he stressed the site was in compliance with data protection law.

A privacy statement must be carried on an organisation’s website as a declaration of how it applies data protection principles to information it collects and processes.

Where no such statement is published, the Data Protection Commissioner may ultimately instigate legal proceedings and the law provides for a fine of up to €100,000 on conviction.

Wexford-based data protection and information management expert Daragh O’Brien of Castlebridge Associates, who raised the issue in a blog post, said the privacy policy addressed a “cosmetic” issue but not the underlying legal issues if the website was hosted in the US. There is no impediment to the transfer of personal data within the 27 member states of the European Union, because all have equivalent legislation that is based on the same directive. Transfer to and processing of personal data by other countries, however, poses complex legal problems.

Mr O’Brien said a close reading of the privacy statement on the Fine Gael website showed that it did not relate to how the site actually works. “Personal data must be provided to interact with the new site, unless you wish to be a passive reader.”

He said if the US company ElectionMall was acting as an agent of Fine Gael then there was no issue regarding disclosure of data to a third party. But there was a need to have a written contract with the data processor “regardless of the existence or otherwise of the privacy statement”.

However, the Fine Gael spokesman said that data on the site was “absolutely secure” and protected under a “safe harbour framework” agreed between the EU and US authorities. He added there was nothing unusual in the site being hosted in the US as site hostings typically moved around for security purposes.

Noting over 3,000 comments had been submitted by yesterday, the spokesman also confirmed that a failed attempt had been made to hack the site on Thursday.