In providing a service over the internet into other EU countries, from a website hosted in Ireland, an internet service provider will typically want to ensure that if there is a dispute with a user of the service, that the dispute can be litigated in Ireland.
The Brussels Regulation (which determines which courts have jurisdiction in civil and commercial disputes between companies and individuals) at article 2 provides (subject to some exceptions including that set out in article 23) that a person (legal or natural) may only be sued in the member state in which he or she is domiciled.
One of the issues that a previous decision of the European court of justice had argued, was that an EU member state court could have exclusive jurisdiction where there was a validly concluded jurisdiction clause, even where there was a dispute as to the validity of the agreement in which the clause was included.
The judgement provides some encouragement to web site owners, that if their web site terms are sufficiently well drafted (including incorporating a home state jurisdiction clause), and are brought properly to the attention of site users, that the onerous provision of article 2 of the Brussels Regulation can be avoided and home state jurisdiction maintained. It remains to be seen whether the Supreme Court will uphold this decision.
I have just posted a news item on our site in relation to the Broadcasting Bill 2008. This issue was brought to my attention and the attention of Fergal, IIA CEO, via various avenues so thanks to anyone who got in touch late last week.
The Broadcasting Bill 2008, if enacted as is, could create confusion and a possible loophole for an added tax on both consumers and business users of the internet. However, we hope to be corrected and that this is not the case! Please use the comments below to contribute. Check out our news item on the IIA site to get more details. We would like to ensure that those debating this issue are aware of this lack of clarity and clear it up now. I imagine the government would have a hard time justifying a licence fee on all devices capable of accessing the type of content described in the bill particularly considering the lack of availability of adequate broadband for many.
On the occasion of the 3rd Council of Europe Data Protection Day, Data Protection Commissioner Billy Hawkes today launched two new initiatives aimed at increasing awareness of data protection rights and obligations amongst the public and those holding personal data.
The Commissioner is publishing a new data protection audit resource for organisations. It is hoped that the new resource will provide organisations holding personal data with a simple and clear basis to conduct a self-assessment of their compliance with their obligations under the Data Protection Acts. The Commissioner noted that "over the past year we have had a large number of very high profile losses of personal data and other incidents affecting all sectors of society. There is clear room for improvement. The data protection audit resource will help organisations to easily identify areas where improvement in their data protection practices are required."
The second initiative is a new video clip competition with a €10,000 prize fund. This is a joint collaboration with Google. Entrants are asked to submit video clips on the theme of ‘Private I, Public Eye’. This is the second year of the video clip competition. Commissioner Hawkes said "My office is delighted to organise this competition in conjunction with Google. Based on the extremely high standard of entries received for last year’s competition, I am confident that this year the competition will be even more successful in reaching out to people who may not be fully aware of their data protection rights. I am particularly delighted to work closely with Google as a key provider of public access to information, including personal information and also appreciate Google’s commitment in providing the prize fund for this competition."
Google, when announcing the competition said "We are delighted to work with the Office of the Data Protection Commissioner to help promote awareness of privacy and data protection. YouTube is a fantastic channel through which to promote such issues among younger people in particular and this competition provides a great opportunity for amateur film makers to profile their work to a global audience".
The competition is being hosted on YouTube and the aim is to use the winning clips in schools to promote awareness of how people can take more control of their own information.
The new audit resource is available to download from
details for the competition are available at www.youtube.com/dataprotection
Statutory Instrument No. 526 of 2008 which has now come into effect amends Statutory Instrument No. 535 of 2003 which has been in force since November 2003. Amongst the changes in the new Statutory Instrument are:
An increase from €3,000 to €5,000 in the penalty for a summary offence in respect of a contravention of the regulation relating to unsolicited communications.
The creation of an indictable offence for a contravention of the regulation relating to unsolicited communications. Where the person tried is a body corporate the fine imposed may not exceed €250,000 or, if 10% of the turnover of the person is greater than that amount, an amount equal to that percentage. Where the person tried is a natural person, the fine imposed may not exceed €50,000.
Provision for the prosecution of an officer of a body corporate for an offence under the regulations whether or not the body corporate itself has been proceeded against or been convicted of the offence committed by the body.
In relation to offences concerning the contravention of the regulation relating to unsolicited communications if, in court proceedings concerning such offences, the question of whether or not a subscriber consented to receiving an unsolicited communication is in issue, the onus of establishing that the subscriber consented will lie on the defendant.
Speaking today, Billy Hawkes said: "The signing of these Regulations by the Minister is an important and significant step in the fight against unsolicited communications for marketing purposes. I welcome the increase in penalties which have come into effect I am confident that the strengthening of the law in this area will help me in my task to enforce the regulations concerning unsolicited communications. I want to take this opportunity to remind persons engaged in direct marketing activities that my Office continues to pay close attention to the whole area of unsolicited communications by telephone, fax, email and text message. The new regulations, together with the serving of a considerable volume of summonses by my Office in the past fifteen months, serve to send a strong message to all involved in direct marketing about the necessity of compliance with the law."
Concluding, the Commissioner said: "I want, in particular, to send a message to all involved in business to familiarise themselves with the law which applies to unsolicited communications for direct marketing purposes. Increasingly, in this period of economic downturn, my Office is receiving complaints about businesses making unsolicited contact with their past customers for marketing purposes. In many cases, such contact is unlawful and, if carried out by telephone, text message or email it may be a criminal offence. Ignorance of the law is not an acceptable excuse for non-compliance and I will have no hesitation in applying the full force of the new regulations to offenders."
One of the many things I have been doing since I began working here in the Irish Internet Association has been responding to queries that come in from members and from the general public. In order to do this I have to try very hard to keep abreast of the kind of issues that are concerning our members. One of our newer members originally contacted me with a query about data protection legislation and I felt terribly ignorant when he seemed to know more than I did. Happily he still joined the IIA!
So last week I gratefully accepted an invitation from the Institute of International and European Affairs to attend their event “Perspectives on privacy in the Internet Age” with presentations by Peter Fleisher, Chief Privacy Counsel, Google Inc., and Billy Hawkes, Data Protection Commissioner. There was also a brief presentation from the floor by Inspector Pat Burke of An Garda Síochána. Here is a brief synopsis but please if you were present and feel I am misrepresenting anyone, I would welcome corrections and clarifications. Thanks!
Both Peter and Billy opened their presentations quoting Scott McNealy’s now infamous and eight year old comment “You have zero privacy anyway. Get over it.” although it became quickly clear that neither of them are even remotely as blasé as McNealy was way back then when it comes to privacy and data protection.
Both of the speakers talked about how, now that information storage is so cheap, it’s actually more cost effective to keep rather than delete information. Fleisher suggested that corporations who are required to comply with privacy and data protection legislation could deal with this in a number of ways:
- Time based anonymisation: forgetfulness should be programmed in so that once information reaches the time limit required by law, it is forgotten by the database.
- Include privacy controls so that users can choose what level of privacy they wish to set for the information that they are storing or publishing online.
- Education: Corporations like Google have a responsibility to educate users about privacy and data protection in a clear and accessible manner.
However Google’s biggest difficulty in relation to privacy legislation is that they are required to comply to location based regimes as he called them. Even within the EU and based on the EU directive countries could set their own time limits for data retention and Google has to comply to all of these while in reality all of this data exists in the cloud rather than any specific location. He also pointed out that in the US there are 39 Security Breach laws each with their own details because the legislation that governs privacy in the US is not federal.
In relation to education Fleisher told us that Google have developed a selection of videos about privacy which have been viewed by half a million viewers. He suggested that corporations might consider video as a more personable approach to privacy statement than the current privacy statements that can now be found on most websites. Fleisher said that the APEC privacy framework was, so far, Google’s preferred framework with it’s emphasis on preventing harm and focus on accountability.
He finished up by reminding us that the big question should be what do we want technology to do for us rather than what is technology doing to us?
Billy Hawkes, the Data Protection Commissioner, had some very interesting statistics about data protection in Ireland and attitudes to data protection and privacy among Irish citizens. Firstly he pointed out that only 10% of companies in Ireland transfer data outside the EU so there may not be currently a requirement for global laws. Citing the Eurobarometer 2008: Data Protection in the European Union: Citizens’ Perceptions, he pointed out that Irish people were slightly more concerned about privacy than the EU average but were also among those most opposed to monitoring of internet usage. All these details can be accessed via the Eurobarometer website. (PDF) Nora Owen, who chaired the session, in her summing up made particular reference to Hawkes use of the phrase “function creep”. He used this when referring to the reasons why data is being kept. Does less privacy and more monitoring equal enhanced security for citizens? Does it equal less crime.
When talking about the future he suggested that corporations should include privacy by design or commission privacy enhancing technology. Similar to Fleisher he emphasised the need to educate people about revealing information, making the point that privacy rights are technology neutral.
Inspector Pat Burke from An Garda Síochána also added from the floor that through their cooperation with the Data Protection Commissioner and always operating within the law and with the right to do proper, legitmate investigation they have had some success in tackling crime which uses the Internet as a platform such as child pornography, internet fraud and identity theft. They have also been able to tackle transnational crimes such as human and child trafficking.
Questions from the floor were put by TJ McIntyre from Digital Rights Ireland and Mark Kelly of Irish Council for Civil Liberties who asked if Google would use a human rights framework to which Fleisher responded that Google are very focussed on the ethical use of the Internet and while they were forced into “the odious concept of censorship” in China, their search results in China include a statement that the results have been filtered. They also will not offer Gmail in China. Brian Greene also made the point that 90% of people using the internet are consumers rather than content producers and there are issues when corporations get and retain data about consumers. Fleisher clarified that Google comes in two flavours: plain ol’ search or search enhanced via logging into your Google account where Google gets to know you and offers you results based on your search history. It’s the consumers choice which search to use.
An interesting afternoon and do you know what? The lunch was delicious too!
As I mentioned at the top of the post I’m new to a lot of these issues so I would really appreciate any comments or clarifications via the comments below.