Skip to content

cearta.ie

the Irish for rights

Menu
  • About
  • Privacy Policy
  • Disclaimer
  • Contact
  • Research

Category: Data Protection

It’s good to TalkTalk – Part 2: negligence claims for data breaches

18 July, 202225 July, 2022
| No Comments
| Data Protection, Privacy, Privacy, Tort

It's still good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In my previous post, I looked at the limits of claims for misuse of private information for both breaches in Smith. In this post, I want to look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.

2. Negligence claims in Smith

The main problem in Smith is that TalkTalk did not take steps to secure the data involved in the 2014 breach and the 2015 hack. This sounds like a failure to take reasonable care. But a negligence claim in such circumstances was not pleaded, as it was probably precluded by authority.

In Swinney v Chief Constable of Northumbria Police Force [1997] QB 464, [1996] EWCA Civ 1322 (22 March 1996), the plaintiff saw a car which had hit and killed a police officer, and provided that information to the police.…

Read More »

It’s good to TalkTalk – Part 1: misuse of private information claims for data breaches

15 July, 202218 July, 2022
| 6 Comments
| Data Protection, Privacy, Privacy

It's good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In this post, I want to look at the limits of claims for misuse of private information for both breaches in Smith. In the next post, I will look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.


2. Smith and the 2014 TalkTalk breach: no misuse of private information

In Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) (noted on Panopticon), in September 2014, TalkTalk customers began to receive scam calls purporting to be from TalkTalk, which were ultimately traced to data obtained by users of Wipro, a third party providing network services to TalkTalk. However, Wipro put no adequate controls in place to prevent unauthorised access by its users to the data supplied by TalkTalk.…

Read More »

Seán Quinn, the Streisand Effect, and improving the operation of the right to be forgotten – updated

9 November, 202124 October, 2022
| 5 Comments
| GDPR, Right to be Forgotten

Google search RtbF notice

I have just conducted a search on a popular search engine for “Seán Quinn”, and the above message – that Some results may have been removed under data protection law in Europe – appears at the bottom of each page of results. Over the past weekend, there was widespread media coverage of attempts by Seán Quinn to rely on the EU’s right to be forgotten to remove newspaper articles from search listings that highlighted significant aspects of his bankruptcy and of his family’s lavish pre-bankruptcy lifestyle. This attempt at reputation management backfired spectacularly on him, and stands as an example of the Streisand effect, which is:

… a phenomenon that occurs when an attempt to hide, remove, or censor information has the unintended consequence of increasing awareness of that information, often via the Internet. It is named after American singer Barbra Streisand, whose attempt to suppress the California Coastal Records Project photograph of her residence in Malibu, California, taken to document California coastal erosion, inadvertently drew greater attention to it in 2003.

On Saturday, in the Irish Independent, Shane Phelan published the following story:

Revealed: Quinn family succeeds in campaign to erase press coverage of lavish lifestyle

Google delists dozens of articles on court battles and even €100,000 wedding cake

Members of ex-billionaire Seán Quinn’s family have mounted a successful campaign to have press coverage about their past ‘forgotten’ by Google.

…

Read More »

Neither a pretty face nor a beautiful game — of football pitches, data protection impact assessments, artificial intelligence, facial recognition, and closed-circuit television surveillance

9 June, 202011 June, 2020
| No Comments
| Data Protection

CCTV at a chinese playing pitchI read this morning that, in a wide-ranging letter to Congress on racial justice reform, IBM CEO Arvind Krishna wrote that IBM will no longer offer “general purpose facial recognition or analysis software”. Of course, “general purpose” is doing a lot of work in that sentence. But let’s see where it goes. [Update]: two days later, Amazon followed with a one-year moratorium on police use of their facial recognition technology, to give Congress enough time to implement appropriate rules. Again, let’s see where this goes.[End update]

These developments reminded me of a recent local story about Dublin City Council. Not content with seeking to post freeze-frame closed-circuit television (CCTV) images of people dumping their rubbish in litter black-spots, in the hope of shaming them or others into desisting from doing so in the future, now they want CCTV cameras with facial-recognition capabilities. Nearly three months ago (in the world just before lockdown) Sean Finnan reported in the Dublin Inquirer [with added links]:

Council Installed Cameras with Facial Recognition on Football Pitch

Before the refurbishment of the football pitch at Bluebell Road in the west of the city, it was an anti-social blackspot, says Michael O’Shea, chairman of Inchicore Athletic FC.

…

Read More »

Principles for legislators on the implementation of new technologies

3 June, 20203 June, 2020
| No Comments
| Data Protection

Covid-19 Tracing App


A few weeks ago, I was proud to be a signatory to an open letter (available here and here), from the Irish Council for Civil Liberties (ICCL), Digital Rights Ireland (DRI), and several scientists, data protection experts, and academics, warning that experts and the public need to see details of the Government’s planned contact tracing app. By way of follow-up, ICCL, DRI and others have drafted principles for legislators on the implementation of new technologies. These principles seek to frame positive engagement with Government and legislators on the implementation of technologies developed in-house or in partnership with third parties, such as Covid-19 contact-tracing apps. The principles (pdf; via here) are set out below; and, once again, I am proud to be a signatory.



Principles for legislators on the implementation of new technologies

The Irish Government and Irish legislators must not abandon their legal responsibilities to ensure any tech solution deployed as part of public policies is developed with human rights at the front and centre, and has robust privacy protections.

In a democracy, any technology developed by a government or in partnership with third parties, will need to have the trust and consent of the population to work effectively.…

Read More »

HSE app: experts and public need to see details

30 April, 20203 June, 2020
| 2 Comments
| Data Protection

Covid-19 Tracing App

I am proud to be a signatory to the letter below, from the ICCL website:

Covid-19 is a threat to us all. Ireland’s health services are developing a Covid Tracker Ireland App, which has both contact-tracing and symptom-reporting elements.

We, the undersigned civil societies, scientists, and academics believe that more consideration needs to be given to the production of an app solution. The Ada Lovelace Institute’s assessments of contact-tracing apps warn of insufficient evidence saying the ‘technical limitations, barriers to effective deployment and social impacts demand more consideration’.

If Ireland decides to use an app we must ensure that it respects legality and human rights norms. Failing to do so will undermine the public trust required for it to have public health benefits. In developing the app, the Health Service Executive (HSE) and the Department of Health should:

  1. Embrace transparency and promote trust. To better protect privacy and personal data, the European Data Protection Board advises that source code cannot be concealed and must be shared publicly and regularly audited by external experts. It is vital that the public trusts the solutions of our government.
  2. Design for privacy and data protection. Protection of citizens’ public data must be considered in the basic design.
…

Read More »

Damages for Data Protection Breaches – II – Why Murphy v Callinan is wrong

13 December, 201916 December, 2020
| 4 Comments
| Data Protection

Auto insurance, via FlickrIn my previous post in this series, I argued (yet again) that Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013) was wrongly decided. It precludes a claim for damages for distress for breach of data protection rights, pursuant to section 7 of the Data Protection Act, 1988 (also here) [hereafter: section 7 DPA88]. Building on a case in which the Workplace Relations Commission ordered a company, whose CEO hacked into an employee’s phone and downloaded intimate photos of her from it, to pay her a total of €94,708 damages, I argued that, if the surreptitious download had occurred outside an employment relationship, the complainant should be able to recover damages for distress for breach of her data protection rights, pursuant to section 7 DPA88. However, when the Supreme Court was presented with an opportunity to depart from Collins, it did not take it. Instead, in Murphy v Callinan [2018] IESC 59 (30 November 2018) Baker J (Clarke CJ and Dunne J concurring) approved and applied Collins. In my previous post, I argued that Collins was wrong as a matter of domestic law, and of European law, and that Google Inc v Vidal-Hall [2016] QB 1003, [2015] EWCA Civ 311 (27 March 2015) and Case C–362/14 Schrems v Data Protection Commissioner (ECLI:EU:C:2015:650; CJEU, 6 October 2015) illustrated the EU law points and undercut the reasoning in Collins.…

Read More »

Damages for Data Protection Breaches – I – Why Collins v FBD Insurance is wrong (again)

11 December, 201913 December, 2019
| 3 Comments
| Data Protection

Phone cable laptop; via FlickrA story in the newspapers this morning has made me think once again about some of the weaknesses in Irish law relating to damages for data protection infringements. The Workplace Relations Commission [WRC] has ordered a company, whose CEO hacked into an employee’s phone and downloaded intimate photos of her from it, to pay her a total of €94,708 damages (see, eg, Breaking News | Irish Independent | Irish Sun | Irish Times | TheJournal.ie). She had plugged her phone into his laptop to charge it, and he downloaded the images while she was in the bathroom. The award of €94,708 includes €65,000 for persistent sexual harassment, and €25,000 for unfair dismissal. The case is WRC Adjudication ADJ-00020222 An International Sales and Marketing Executive v A Fashion Company (25 November 2019); the report explains that the download occurred in October 2017, and that the complainant became aware of this in March 2018. She found herself in a terrible situation, but at least she was able to get some compensation for breaches of various pieces of workplace legislation. And the WRC Adjudication Officer ordered the respondent “to immediately destroy all photographs or images that depict the complainant or belong to her”.…

Read More »

Posts navigation

1 2 Next

Welcome

Me in a hat

Hi there! Thanks for dropping by. I’m Eoin O’Dell, and this is my blog: Cearta.ie – the Irish for rights.


“Cearta” really is the Irish word for rights, so the title provides a good sense of the scope of this blog.

In general, I write here about private law, free speech, and cyber law; and, in particular, I write about Irish law and education policy.


Academic links
Academia.edu
ORCID
SSRN
TARA

Subscribe

  • RSS Feed
  • Twitter
  • LinkedIn

Recent posts

  • Winter is coming: the future of First Amendment analysis, and the prospects for New York Times v Sullivan, after NYSR&PA v Bruen
  • Couple mistakenly paid Aus$10.5m by Crypto.com claim they thought they had won a contest
  • Blooming Lawyers: from Sadgrove v Hole, via Palles CB and Ulysses, to Facebook
  • Women in plain sight in the law: Síofra O’Leary, Catherine McGuinness, Frances Kyle & Averil Deverell
  • Restitution of mistaken payments, again: Chase quickly recovers $50billion; while Citibank eventually recovers (a mere) $500million, defeating defences of “discharge for value”
  • Fortune favours the brave, but not the foolhardy – recipients of mistaken payments must make restitution, or face the consequences
  • Of Schrödinger’s contract and ambiguous terms: when a website mistakenly lists designer trainers for €10, do their ambiguous terms and conditions apply?

Archives by month

Categories by topic

Recent tweets

Tweets by @cearta

Licence

Creative Commons License

This blog is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License. I am happy for you to reuse and adapt my content, provided that you attribute it to me, and do not use it commercially. Thanks. Eoin

Credit where it’s due

Some of those whose technical advice and help have proven invaluable in keeping this show on the road include Dermot Frost, Karlin Lillington, Daithí Mac Síthigh, and
Antoin Ó Lachtnáin. I’m grateful to them; please don’t blame them :)

Thanks to Blacknight for hosting.

Feeds and Admin

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

© cearta.ie 2023. Powered by WordPress