Category: Data Protection

Open Justice and the GDPR: GDPRubbish, the Courts Service, and the Defence Forces

| 1 Comment
| Data Protection, Open Justice

Peter Ward SCLast June, Tánaiste and Minister for Defence Micheál Martin announced the appointment of Peter Ward SC (pictured right) to examine the administration of cases involving Defence Forces personnel charged or convicted of criminal offences. The Report (pdf) was published this week. One of the headlines about it caught my eye:

Soldier jailed for sexual assault was able to remain in Army due to ‘data protection’ concerns

A soldier was able remain in the Defence Forces while in prison for sexual assault after the court authorities refused to hand over details of his offences to the military due to “data protection” concerns.
… The report, by senior counsel Peter Ward, found various instances of information on criminal convictions held by civilian authorities not being shared with the Defence Forces. In some cases, this significantly delayed the discharge process. …

In a post on Twitter (I still can’t call it X), Mark Hennessy (Ireland and Britain Editor of the Irish Times) commented that this was a

… scandalous misuse of the GDPR legislation, displaying a complete lack of common sense, amongst other failings. Court documents are public documents, unless there are legitimate grounds for them not being so, and this is clearly not the case her

On the basis simply of the above press report, I was inclined to agree.…

Read More »

Closing off the Warren of Negligence Claims for Data Breaches

| No Comments
| Cyberlaw, Cyberlaw, Data Protection, Digital Rights, Privacy, Privacy, Tort

Data and Private Law bookcoverI have just published “Closing off the Warren of Negligence Claims for Data Breaches” in Damian Clifford, Kwan Ho Lau & Jeannie Marie Paterson (editors) Data and Private Law (Hart Studies in Private Law, Bloomsbury, 2023) chapter 10; pp161-174 (available via SSRN). Here is the abstract:

Large databases of personal data are increasingly vulnerable to hacks. Arising out of the biggest data breach in the United Kingdom’s history, the claimant in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (30 July 2021) sought damages for distress for breach of data protection legislation, misuse of private information, and breach of a duty of care in negligence. Saini J dismissed the negligence claim because there is neither need nor warrant to impose such a duty of care where there exists a bespoke statutory regime. But this is an incoherent policy, inconsistently applied. Moreover, it ought not to operate at all in cases where the defendant has voluntarily assumed responsibility towards the claimant. Nevertheless, after Warren, the tort of negligence provides no incentive for the controllers of large databases to protect them.

The cover of the book is above, right. It is very elegant. And this is one time where you really can judge the book by its cover.…

Read More »

Recent developments with traffic data retention – variously updated

| No Comments
| Data Protection, data retention, ECJ

EyePhoneIn my post on the Communications (Retention of Data) (Amendment) Act 2022: ignore the warnings, legislate in haste, repent at leisure, I sketched how the Government came to enact Communications (Retention of Data) (Amendment) Act 2022 (also here) last Summer.

Since then, there have been several developments.

First, the 2022 Act was intended to buy the government some time to complete a thorough overhaul of the Communications (Retention of Data) Act 2011 (also here). A Bill to that effect has been listed in every Legislation Programme since 2018. So, it is unsurprising that, on 19 April 2023, a Communications (Data, Retention and Disclosure) Bill, to consolidate and replace the 2011 Act, was listed in the Government’s Legislation Programme for the Summer Session 2023 (pdf). However, not only is that Bill not listed as a priority, but we are told simply that the Heads are still “in preparation” (p21).

Still? Still?? Since 2018??? (Indeed, even 2018 was slow, because the underlying Directive was struck down by the CJEU in 2014). Give me a break. Better still, give us all a break by publishing the Bill already!

Second, earlier this month, on 6 June 2023, Minister McEntee signed the Communications (Retention of Data) (Amendment) Act 2022 (Commencement) Order 2023 (SI No 287 of 2023) (also here) to bring most of the Act into effect on 26 June 2023.…

Read More »

The Communications (Retention of Data) (Amendment) Act 2022: ignore the warnings, legislate in haste, repent at leisure – variously updated

| 1 Comment
| Data Protection, data retention, ECJ

Data Retention; via Dall-E 2; modifiedThe headline in the Irish Examiner is stark: “European Commission says Ireland’s new data law may be ‘inapplicable’.” Cianan Brennan reports that the European Commission “has dismissed Ireland’s new controversial data retention law as possibly ‘inapplicable and unenforceable’, as it was not submitted to the Commission before its enactment”. The legislation in question is the Communications (Retention of Data) (Amendment) Act 2022 (also here); and it was, as Brennan says, rushed through the Oireachtas last summer with minimal scrutiny.

It is worth pausing for a moment to see where the Act came from, and to consider why it was so rushed. The Department of Justice repeatedly failed to take the right path, even as it has had plenty of opportunity to do so. When it finally did something, it acted hastily; and it now seems that the hasty solution hasn’t worked.

The legal story starts on 27 March 2015, when Graham Dwyer was convicted of murdering Elaine O’Hara in 2012. Much of the evidence had been gathered pursuant to Section 6(1) of the Communications (Retention of Data) Act 2011 (also here), which provides:

A member of the Garda Síochána not below the rank of chief superintendent may request a service provider to disclose to that member data retained by the service provider in accordance with section 3 where that member is satisfied that the data are required for—

(a) the prevention, detection, investigation or prosecution of a serious offence, …

That Act had been introduced to implement the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, 13.4.2006, p.

Read More »

It’s good to TalkTalk – Part 2: negligence claims for data breaches

| No Comments
| Data Protection, Privacy, Privacy, Tort

It's still good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In my previous post, I looked at the limits of claims for misuse of private information for both breaches in Smith. In this post, I want to look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.

2. Negligence claims in Smith

The main problem in Smith is that TalkTalk did not take steps to secure the data involved in the 2014 breach and the 2015 hack. This sounds like a failure to take reasonable care. But a negligence claim in such circumstances was not pleaded, as it was probably precluded by authority.

In Swinney v Chief Constable of Northumbria Police Force [1997] QB 464, [1996] EWCA Civ 1322 (22 March 1996), the plaintiff saw a car which had hit and killed a police officer, and provided that information to the police.…

Read More »

It’s good to TalkTalk – Part 1: misuse of private information claims for data breaches

| 6 Comments
| Data Protection, Privacy, Privacy

It's good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In this post, I want to look at the limits of claims for misuse of private information for both breaches in Smith. In the next post, I will look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.


2. Smith and the 2014 TalkTalk breach: no misuse of private information

In Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) (noted on Panopticon), in September 2014, TalkTalk customers began to receive scam calls purporting to be from TalkTalk, which were ultimately traced to data obtained by users of Wipro, a third party providing network services to TalkTalk. However, Wipro put no adequate controls in place to prevent unauthorised access by its users to the data supplied by TalkTalk.…

Read More »

Seán Quinn, the Streisand Effect, and improving the operation of the right to be forgotten – updated

| 5 Comments
| GDPR, Right to be Forgotten

Google search RtbF notice

I have just conducted a search on a popular search engine for “Seán Quinn”, and the above message – that Some results may have been removed under data protection law in Europe – appears at the bottom of each page of results. Over the past weekend, there was widespread media coverage of attempts by Seán Quinn to rely on the EU’s right to be forgotten to remove newspaper articles from search listings that highlighted significant aspects of his bankruptcy and of his family’s lavish pre-bankruptcy lifestyle. This attempt at reputation management backfired spectacularly on him, and stands as an example of the Streisand effect, which is:

… a phenomenon that occurs when an attempt to hide, remove, or censor information has the unintended consequence of increasing awareness of that information, often via the Internet. It is named after American singer Barbra Streisand, whose attempt to suppress the California Coastal Records Project photograph of her residence in Malibu, California, taken to document California coastal erosion, inadvertently drew greater attention to it in 2003.

On Saturday, in the Irish Independent, Shane Phelan published the following story:

Revealed: Quinn family succeeds in campaign to erase press coverage of lavish lifestyle

Google delists dozens of articles on court battles and even €100,000 wedding cake

Members of ex-billionaire Seán Quinn’s family have mounted a successful campaign to have press coverage about their past ‘forgotten’ by Google.

Read More »

© cearta.ie 2025. Powered by WordPress