Commenting on the new requirements, the Commissioner stated “I am pleased that the Minister has introduced new legal requirements which recognise that the challenges to the maintenance of individual privacy are becoming increasingly complex in today’s electronic age. Individuals must be able to enjoy the benefits of new technology while at the same time remaining in control of their privacy. These new requirements give individuals new rights which my Office will enforce.
I particularly welcome the fact that the Minister has responded to public concern over data breach incidents by introducing strict requirements for service providers in this area with the ability for my Office to bring prosecutions where such requirements are not followed. I am also pleased that individuals can no longer be bothered on their mobile phones by direct marketers unless they have given their prior agreement.”
The main new requirements are:
- Compulsory notification of individuals and the Office of the Data Protection Commissioner in the case of data breaches
- More stringent requirements for user consent for the placing of “cookies” on electronic devices
- Stricter requirements for the sending of electronic marketing messages and the making of marketing phone calls
All telecommunications companies and internet service providers are now required to notify the Data Protection Commissioner of every data breach involving a subscriber. They are also required to notify customers in all cases where there is a risk their data may be accessed. Failure to do so can lead to prosecution by the Commissioner with a fine of up to €5,000 per instance. The Commissioner can also for the first time prosecute companies in this area for allowing a data breach with fines on indictment of up to €250,000.
Any company or website placing information, usually by way of what is known as a cookie, on user equipment (computer, smartphone, etc.) must provide appropriate information to the user and collect their consent, except in limited circumstances where the cookie is strictly necessary for the provision of the service in question. In practice this means that websites placing cookies on user equipment that are not deleted when the user leaves their website must identify a means of obtaining user consent.
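The distinction the release draws (strictly necessary cookies are exempt; anything else, and in particular anything that outlives the visit, needs consent first) can be enforced on the server before a response goes out. The following Python is an added illustration, not code from the Data Protection Commissioner or from any website it describes: it parses each outgoing Set-Cookie header, looks the cookie up in a purpose registry, notes whether the cookie is persistent (carries Expires or Max-Age), and blocks it unless it is strictly necessary or the user has opted in to its category. The registry, cookie names and categories are constructed for the example; unknown cookies are treated as non-essential so that the gate fails closed.

```python
"""Consent gate for outgoing Set-Cookie headers (added example).

Models the rule in the release: a cookie that is not strictly necessary
for the requested service may only be placed with the user's consent.
The registry and cookie names below are constructed for illustration.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Constructed registry: cookie name -> purpose category.
# "necessary" is the exempt category; every other category needs consent.
COOKIE_REGISTRY = {
    "sessionid": "necessary",
    "csrftoken": "necessary",
    "_ga": "analytics",
    "ad_id": "advertising",
}


@dataclass
class Decision:
    name: str
    category: str
    persistent: bool   # survives the visit (Expires or Max-Age set)
    allowed: bool
    reason: str


def is_persistent(morsel) -> bool:
    """A cookie outlives the session if it carries Expires or Max-Age."""
    return bool(morsel["expires"]) or bool(morsel["max-age"])


def gate_set_cookie(header_value: str, consented: set) -> Decision:
    """Decide whether one Set-Cookie header value may be sent.

    consented: categories the user has opted in to, e.g. {"analytics"}.
    Cookies absent from the registry are treated as "unclassified", which
    is never exempt and never consented to, so the gate fails closed.
    """
    jar = SimpleCookie()
    jar.load(header_value)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie per Set-Cookie header")
    name, morsel = next(iter(jar.items()))
    category = COOKIE_REGISTRY.get(name, "unclassified")
    persistent = is_persistent(morsel)
    if category == "necessary":
        return Decision(name, category, persistent, True, "strictly necessary")
    if category in consented:
        return Decision(name, category, persistent, True, "user consented")
    return Decision(name, category, persistent, False, "no consent for " + category)


def filter_headers(set_cookie_values, consented: set) -> list:
    """Return only those Set-Cookie values that may be sent to the client."""
    return [v for v in set_cookie_values if gate_set_cookie(v, consented).allowed]


if __name__ == "__main__":
    outgoing = [
        "sessionid=abc123; Path=/; HttpOnly",
        "_ga=GA1.2.1; Max-Age=63072000; Path=/",
        "ad_id=xyz; Max-Age=3600; Path=/",
    ]
    for value in outgoing:
        print(gate_set_cookie(value, {"analytics"}))
    print(filter_headers(outgoing, set()))
```

The gate is deliberately keyed on purpose rather than on persistence alone: a session-scoped analytics cookie still needs consent, while a persistent "remember my login" cookie can legitimately be classed as necessary. The registry is the place where that classification is recorded and reviewed.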
Electronic Marketing & Phone Calls
In a strengthening of the laws in this area, it is now an offence for any company or entity to phone a person on their mobile phone for a marketing purpose without having obtained their prior consent for such contact. The requirements now extend to all forms of marketing carried out by means of a publicly available electronic communications service – including, for example, the soliciting of support for charitable organisations or political parties.
Data Protection Commissioner launches his Annual Report for 2010 including special investigation on insurance data
Insurance Link Claims Database
The Commissioner is publishing the findings of the most wide-ranging investigation yet undertaken by his Office of a database of personal data kept by the insurance sector known as Insurance Link. This is a shared claims database that allows member organisations to share and cross-reference their insurance claims data. At the time of the investigation it contained details of almost two and a half million claims. The investigation identified a major lack of transparency with regard to Insurance Link and that far too many individuals in insurance companies and other entities had access to the database with little or no oversight of that access. Some serious incidents of inappropriate access were identified and are listed in the report.
Data Security Breaches
The Commissioner reports on his publication of a data security breach Code of Practice. This was one of the recommendations of a Working Group set up by the previous Minister for Justice, Equality and Law Reform, which also recommended a strengthening of our data protection laws to provide for penalties for serious breaches. The Code focuses on informing the people affected by security breaches so that they can take appropriate measures to protect themselves. It also encourages organisations to voluntarily report incidents to the Commissioner’s Office. 410 data security breach incidents were reported to the Office in 2010, a 350% increase on the number of reports received in the previous 12 months (there were 119 reports in 2009). This large increase in reporting is a consequence of the more exacting demands of the Code of Practice. The Commissioner reports on serious data security breach incidents that occurred in 2010 involving the GAA and SelfCatering.ie (see pages 77 and 79 of the Report). The report also includes details of an ongoing investigation of a breach affecting personal data held by the Department of Social Protection.
Data Sharing in the Public Sector
The Commissioner is publishing a set of guidelines for public sector agencies that wish to share personal data in the public interest – for example, to prevent tax evasion and other types of fraud. Transparency and proportionality are the key guiding principles. The sharing should be explicitly provided for by law. The public sector customer should know what personal data may be shared. The extent of sharing should be limited to what is necessary to achieve the public interest objective. The disclosed data should benefit from a high level of security and be securely destroyed when no longer needed.
The deployment and use of CCTV continues to give rise to complaints from members of the public. Investigations regarding the use of CCTV systems in schools, workplaces and in a small village, Culfadda in Sligo, are detailed.
The report outlines concerns which arose following audits of charities. The report also provides information on positive engagements with the National Board for Safeguarding Children and the Catholic Church, the HSE in relation to its child welfare work in Limerick City and the Irish Council for General Practitioners.
The Commissioner’s report includes case studies of a number of investigations including:
- Prosecution of Ice Communications Ltd. for failing to comply with legal notices;
- Prosecution of three companies (Free Spirit Hair & Beauty Salon Ltd, Crunch Fitness Ltd and The Black Dog Communications Ltd) for sending marketing text messages;
- Prosecution of Fairco Ltd and Pure Telecom for calling numbers listed on the NDD opt-out register;
- Prosecution of Tesco for email marketing;
- Prosecution of UPC for offences related to unsolicited marketing phone calls;
- Deployment of biometric systems by commercial service providers and schools;
- Use of vehicle tracking systems;
- Disclosure of previous defence force career information by the Defence Forces;
- Disclosure of personal data by a housing association to a debt collection agent.
Note: The Annual Report is available for download in PDF format from the Data Protection Commissioner’s website: www.dataprotection.ie
Every organisation, whether in the public or the private sector, must respect the confidence placed in it by members of the public who hand over their personal data. Every customer, client and employee has the right to full control over the use of their personal information. Personal information is a valuable resource and processing it is a privilege earned by respecting the rights of individuals.
Members of the public must also be on guard to protect their personal information from criminal gangs and other organisations that purposefully set out to engage in fraud or mis-use. In that regard, the Office of the Data Protection Commissioner is calling on all households to be particularly vigilant when receiving phone calls from organisations “out of the blue” offering to fix problems that the householder did not know existed.
Specifically, the Office of the Data Protection Commissioner and Microsoft Ireland would like to warn people of a scam that remains active in the Irish marketplace. Irish consumers are receiving telephone calls from persons claiming to be from Microsoft, or working on behalf of Microsoft, to tell them they have a virus on their computer.
Details of the Scam:
- Consumers are cold-called by someone claiming to be from Microsoft, told there is a problem with their computer and offered help to solve it.
- Once the caller has gained the consumer’s trust, they ask consumers to log onto a website to download a file to help solve the problem.
- They then ask for credit card details to pay for software which will fix the virus and also potentially attempt to steal from the person by accessing personal information on their computer. In addition to gaining access to your personal details, they can also infect your computer with damaging viruses and spyware.
Deputy Data Protection Commissioner, Gary Davis indicated “Our Office has received ongoing complaints and queries from unsuspecting members of the public who have received these calls. This would appear to be a major scam targeting Ireland and people need to be aware of the issue. Together with the Gardaí, Comreg and the National Consumer Agency we have sought to highlight the issue to ensure that consumers do not fall victim. We are making progress in identifying an Irish link to these calls and intend to bring prosecutions. In the meantime the best answer is to hang up if receiving such a call and if you have provided details of your credit card to any entity on foot of such a call, we would advise you to contact your credit card provider immediately.”
Speaking on the issue Paul Rellis, General Manager, Microsoft Ireland said, “Microsoft takes the privacy and security of all our customers and partners’ personal information very seriously. We are advising customers to treat all unsolicited phone calls with scepticism and not to provide any personal information to anyone over the phone or online. Anyone who receives an unsolicited call from someone claiming to be from Microsoft should hang up. We can assure you Microsoft does not make these kinds of calls”.
More information on this scam and how consumers can protect themselves is available here:
Note to Editors:
The Council of Europe has decided that each year there should be a special day dedicated to Data Protection. The 28 January is the anniversary of the opening for signature of the Council of Europe’s Data Protection Convention. This is the fifth year that countries across Europe and indeed beyond have marked the day by increasing awareness of data protection and privacy rights. More information on Council of Europe Data Protection Day can be found at: http://www.coe.int/t/e/legal_affairs/legal_co-operation/data_protection/
A working group established by the Minister for Justice, Equality and Law Reform is at present examining if changes in data protection law are necessary to deal with such data breaches.
In the public sector, recent guidance from the Department of Finance on data security advises departments and agencies to report data breaches immediately to this Office. The guidance issued today by the Commissioner recommends that the same approach be followed by all organisations.
Commenting on the Guidelines, the Commissioner said: "we have seen a welcome trend towards organisations seeking our advice when they suffer a data breach. Our main focus is on preventing such loss of personal data and the distress it can cause to individuals. But we recognise that mistakes do happen and it is vital that organisations are ready to react. That means having plans in place to trace and secure the data that has been compromised, to prevent further security breaches and to warn those affected by the data security breach. It means allocating responsibility for the key decisions that have to be made in such circumstances. By these means organisations will prevent a bad situation from deteriorating further."
Although the Darklight Symposia weren’t quite like the bar in Cheers where everybody knows your name, there were a lot of familiar names and faces at this event. A good sign for Darklight, because it means that they touched a chord with the topics they chose and also attracted respected panellists. I attended the first symposium of the day, “Letting it all hang out: Privacy vs. Publicity in the Virtual World”, and caught the very end of the second, “Web 3.0: Where next for the Internet”. Brendan Hughes, chair of the IIA Social Media Working Group, gives a good overview of the topics on his own blog. The festival continued in venues around Dublin all weekend.
I was particularly interested in the first symposium they ran this morning. Regular readers might recall that I was at another seminar last month about privacy in the Institute of International and European Affairs. While the two audiences were very different (Peter Fleischer from Google would not have been making jokes about Google employees’ non-tie-wearing* at today’s event, let me encapsulate it like that!) they had many of the same concerns, albeit from a different angle. There was a strong sense of “us” and “them” to many of the comments from the floor. “Us” seemed to refer to the private citizen and “them” to anyone who wasn’t; but even “them” is made up of private citizens who have rights too, among them a right to earn a living. Also “them” variously referred to businesses and government: businesses who are retaining data about those using their services; governments using that data for crime-fighting purposes. However, there was little acknowledgement of the fact that those companies were generally obliged by those governments to keep that information but also to protect it. And where does the government get the mandate to oblige those companies to keep AND to protect it? From this “us”. However, it would be disingenuous not to acknowledge that many of the concerns in the room were about the lack of disclosure about, and access to, exactly what information certain larger internet companies are retaining about individuals and their use of their services.
Businesses are, of course, not without their influence when it comes to data-protection policies. Involvement in bodies like the IIA allows businesses to come together and debate these issues and present a united view to the government. It is also essential that businesses remain aware of their obligations under data protection and privacy legislation and the IIA hopes to keep businesses abreast of these issues.
The keynote speaker was Daniel J. Solove, Associate Professor of Law at the George Washington University Law School, and the author of “The Digital Person: Technology and Privacy In The Information Age”. This book can be downloaded for free from www.futureofreputation.com. Chaired by solicitor and digital rights expert Caroline Campbell, the panel included journalist Jim Carroll, Hotline.ie director Cormac Callanan, Relevant Media owner Niall Larkin and Irish blogger Damien Mulley. The audience was made up of a mix of bloggers, developers, researchers, consultants and policy makers.
* Tie-wearing: I recall being irked at the IIEA seminar because Fleischer made a flip comment about how he could spot his Google colleagues a mile off because they were always the ones not wearing ties. This annoyed me because I had spoken to one of his colleagues earlier and SHE was most definitely not wearing a tie and probably never does. Similarly Annette Clancy from Inter-Actions, who I was sitting beside at the Darklight symposium on Friday, made a point from the floor that there were no women (bar the chair) on the panel on Friday, and this was the case in both of the sessions. Working for an organisation that is constantly seeking good speakers and presenters for a variety of event types, I understand Darklight’s conundrum when they approach people and some of them are unavailable, and unfortunately that affects the gender balance on their panel. Similarly I appreciate the viewpoint that to deliberately seek women because they are women could be just as sexist as not having women at all. However, I do tend more to the side that it is essential that all aspects of a question are discussed. Women experience and use technology differently and for different purposes to men. I’m sure there’s research to back this up and would appreciate any links to same. Annette said to me later that one issue that was not discussed, and she feels that this was due to the lack of women on the panel, was the issue of privacy and cyber-stalking. While this may not be solely experienced by women, if virtual life reflects real life, chances are the majority of its victims are women.
Is the virtual life experience of women and their absence from some fora a reflection of the real life experience of women in technology and business? Why are the women unavailable? Where is the brave new world that the internet promises to all of us?
One of the many things I have been doing since I began working here in the Irish Internet Association has been responding to queries that come in from members and from the general public. In order to do this I have to try very hard to keep abreast of the kind of issues that are concerning our members. One of our newer members originally contacted me with a query about data protection legislation and I felt terribly ignorant when he seemed to know more than I did. Happily he still joined the IIA!
So last week I gratefully accepted an invitation from the Institute of International and European Affairs to attend their event “Perspectives on privacy in the Internet Age” with presentations by Peter Fleisher, Chief Privacy Counsel, Google Inc., and Billy Hawkes, Data Protection Commissioner. There was also a brief presentation from the floor by Inspector Pat Burke of An Garda Síochána. Here is a brief synopsis but please if you were present and feel I am misrepresenting anyone, I would welcome corrections and clarifications. Thanks!
Both Peter and Billy opened their presentations quoting Scott McNealy’s now infamous, eight-year-old comment “You have zero privacy anyway. Get over it.”, although it quickly became clear that neither of them is even remotely as blasé as McNealy was back then when it comes to privacy and data protection.
Both of the speakers talked about how, now that information storage is so cheap, it’s actually more cost effective to keep rather than delete information. Fleisher suggested that corporations who are required to comply with privacy and data protection legislation could deal with this in a number of ways:
- Time-based anonymisation: forgetfulness should be programmed in, so that once information reaches the time limit required by law it is forgotten by the database.
- Include privacy controls so that users can choose what level of privacy they wish to set for the information that they are storing or publishing online.
- Education: Corporations like Google have a responsibility to educate users about privacy and data protection in a clear and accessible manner.
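The first of those suggestions, forgetfulness programmed into the store, is the one that turns into code most directly. The following Python is an added illustration and is not code from the seminar, from Google or from the IIA: it runs over a constructed query log, leaves records younger than the retention period alone, and rewrites older ones so that the direct identifiers are gone (the account identifier is replaced by a keyed token, the IP address coarsened to its /24, the timestamp reduced to year and month) while the content needed for aggregate statistics survives. The retention period, field names, salt and sample rows are all assumptions for the example; the period required by law varies and is a parameter here.

```python
"""Time-based anonymisation job for a retained record set (added example).

Records older than `retention` have their identifying fields removed; the
job is idempotent so it can run on a schedule over the same store.
All data below is constructed for illustration.
"""
import hashlib
from datetime import datetime, timedelta, timezone

# Constructed sample query log carrying direct identifiers.
SAMPLE_LOG = [
    {"ts": "2008-01-03T10:15:00+00:00", "ip": "192.0.2.17",
     "user": "alice@example.org", "query": "flights to cork"},
    {"ts": "2008-05-20T08:00:00+00:00", "ip": "198.51.100.4",
     "user": "bob@example.org", "query": "data protection act"},
    {"ts": "2008-11-01T23:59:00+00:00", "ip": "203.0.113.9",
     "user": "alice@example.org", "query": "weather dublin"},
]

IDENTIFYING_FIELDS = ("ip", "user")

# Constructed clock and parameters for the demo run.
NOW = datetime(2008, 12, 31, tzinfo=timezone.utc)
RETENTION = timedelta(days=180)      # assumed period; set from the applicable law
SALT = b"constructed-salt"           # keep out of the anonymised store


def pseudonymise(value: str, salt: bytes) -> str:
    """Keyed hash of an identifier. Rows from the same account stay linkable
    within one salt (so per-user aggregates still work) but the original
    value is not recoverable from the store alone."""
    return hashlib.sha256(salt + value.encode()).hexdigest()[:16]


def truncate_ip(ip: str) -> str:
    """Coarsen an IPv4 address to its /24 network."""
    parts = ip.split(".")
    return ".".join(parts[:3] + ["0"]) if len(parts) == 4 else "0.0.0.0"


def anonymise(rec: dict, salt: bytes) -> dict:
    """Drop direct identifiers and keep only coarse, non-identifying residue."""
    out = {k: v for k, v in rec.items() if k not in IDENTIFYING_FIELDS}
    out["ip_prefix"] = truncate_ip(rec["ip"])
    out["user_token"] = pseudonymise(rec["user"], salt)
    out["ts"] = rec["ts"][:7]           # year-month only
    out["anonymised"] = True
    return out


def forget_expired(records, now: datetime, retention: timedelta, salt: bytes):
    """Return (fresh, aged): fresh records untouched, expired ones anonymised.
    Records already flagged as anonymised pass through unchanged."""
    cutoff = now - retention
    fresh, aged = [], []
    for rec in records:
        if rec.get("anonymised"):
            aged.append(rec)
            continue
        if datetime.fromisoformat(rec["ts"]) >= cutoff:
            fresh.append(rec)
        else:
            aged.append(anonymise(rec, salt))
    return fresh, aged


def demo():
    """Run the job once over the constructed log with the constructed clock."""
    return forget_expired(SAMPLE_LOG, NOW, RETENTION, SALT)


if __name__ == "__main__":
    fresh, aged = demo()
    print("kept as-is:", fresh)
    print("anonymised:", aged)
```

Two design points worth noting: the salt for the keyed hash lives with the job, not with the anonymised data, and rotating it deliberately breaks linkability across rotations; and the timestamp is coarsened as well as the identifiers, because an exact second combined with a query is often enough to re-identify someone on its own.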
However, Google’s biggest difficulty in relation to privacy legislation is that they are required to comply with location-based regimes, as he called them. Even within the EU, and based on the EU directive, countries could set their own time limits for data retention, and Google has to comply with all of these while in reality all of this data exists in the cloud rather than in any specific location. He also pointed out that in the US there are 39 Security Breach laws, each with their own details, because the legislation that governs privacy in the US is not federal.
In relation to education, Fleisher told us that Google have developed a selection of videos about privacy which have been viewed by half a million viewers. He suggested that corporations might consider video as a more personable approach to privacy statements than the current privacy statements that can now be found on most websites. Fleisher said that the APEC privacy framework was, so far, Google’s preferred framework, with its emphasis on preventing harm and focus on accountability.
He finished up by reminding us that the big question should be what do we want technology to do for us rather than what is technology doing to us?
Billy Hawkes, the Data Protection Commissioner, had some very interesting statistics about data protection in Ireland and attitudes to data protection and privacy among Irish citizens. Firstly he pointed out that only 10% of companies in Ireland transfer data outside the EU, so there may not currently be a requirement for global laws. Citing the Eurobarometer 2008: Data Protection in the European Union: Citizens’ Perceptions, he pointed out that Irish people were slightly more concerned about privacy than the EU average but were also among those most opposed to monitoring of internet usage. All these details can be accessed via the Eurobarometer website. (PDF) Nora Owen, who chaired the session, in her summing up made particular reference to Hawkes’s use of the phrase “function creep”. He used this when referring to the reasons why data is being kept. Does less privacy and more monitoring equal enhanced security for citizens? Does it equal less crime?
When talking about the future he suggested that corporations should include privacy by design or commission privacy enhancing technology. Similar to Fleisher he emphasised the need to educate people about revealing information, making the point that privacy rights are technology neutral.
Inspector Pat Burke from An Garda Síochána also added from the floor that, through their cooperation with the Data Protection Commissioner, always operating within the law and with the right to do proper, legitimate investigation, they have had some success in tackling crime which uses the Internet as a platform, such as child pornography, internet fraud and identity theft. They have also been able to tackle transnational crimes such as human and child trafficking.
Questions from the floor were put by TJ McIntyre from Digital Rights Ireland and Mark Kelly of the Irish Council for Civil Liberties, who asked if Google would use a human rights framework, to which Fleisher responded that Google are very focussed on the ethical use of the Internet and, while they were forced into “the odious concept of censorship” in China, their search results in China include a statement that the results have been filtered. They also will not offer Gmail in China. Brian Greene also made the point that 90% of people using the internet are consumers rather than content producers and there are issues when corporations get and retain data about consumers. Fleisher clarified that Google comes in two flavours: plain ol’ search, or search enhanced via logging into your Google account, where Google gets to know you and offers you results based on your search history. It’s the consumer’s choice which search to use.
An interesting afternoon and do you know what? The lunch was delicious too!
As I mentioned at the top of the post I’m new to a lot of these issues so I would really appreciate any comments or clarifications via the comments below.