I read this morning that, in a wide-ranging letter to Congress on racial justice reform, IBM CEO Arvind Krishna wrote that IBM will no longer offer “general purpose facial recognition or analysis software”. Of course, “general purpose” is doing a lot of work in that sentence. But let’s see where it goes. [Update]: two days later, Amazon followed with a one-year moratorium on police use of their facial recognition technology, to give Congress enough time to implement appropriate rules. Again, let’s see where this goes.[End update]

These developments reminded me of a recent local story about Dublin City Council. Not content with seeking to post freeze-frame closed-circuit television (CCTV) images of people dumping their rubbish in litter black-spots, in the hope of shaming them or others into desisting from doing so in the future, now they want CCTV cameras with facial-recognition capabilities. Nearly three months ago (in the world just before lockdown) Sean Finnan reported in the Dublin Inquirer [with added links]:

Council Installed Cameras with Facial Recognition on Football Pitch

Before the refurbishment of the football pitch at Bluebell Road in the west of the city, it was an anti-social blackspot, says Michael O’Shea, chairman of Inchicore Athletic FC.

Read More »

A few weeks ago, I was proud to be a signatory to an open letter (available here and here), from the Irish Council for Civil Liberties (ICCL), Digital Rights Ireland (DRI), and several scientists, data protection experts, and academics, warning that experts and the public need to see details of the Government’s planned contact tracing app. By way of follow-up, ICCL, DRI and others have drafted principles for legislators on the implementation of new technologies. These principles seek to frame positive engagement with Government and legislators on the implementation of technologies developed in-house or in partnership with third parties, such as Covid-19 contact-tracing apps. The principles (pdf; via here) are set out below; and, once again, I am proud to be a signatory.

Principles for legislators on the implementation of new technologies

The Irish Government and Irish legislators must not abandon their legal responsibilities to ensure any tech solution deployed as part of public policies is developed with human rights at the front and centre, and has robust privacy protections.

In a democracy, any technology developed by a government or in partnership with third parties, will need to have the trust and consent of the population to work effectively.…

Read More »

I am proud to be a signatory to the letter below, from the ICCL website:

Covid-19 is a threat to us all. Ireland’s health services are developing a Covid Tracker Ireland App, which has both contact-tracing and symptom-reporting elements.

We, the undersigned civil societies, scientists, and academics believe that more consideration needs to be given to the production of an app solution. The Ada Lovelace Institute’s assessments of contact-tracing apps warn of insufficient evidence saying the ‘technical limitations, barriers to effective deployment and social impacts demand more consideration’.

If Ireland decides to use an app we must ensure that it respects legality and human rights norms. Failing to do so will undermine the public trust required for it to have public health benefits. In developing the app, the Health Service Executive (HSE) and the Department of Health should:

1. Embrace transparency and promote trust. To better protect privacy and personal data, the European Data Protection Board advises that source code cannot be concealed and must be shared publicly and regularly audited by external experts. It is vital that the public trusts the solutions of our government.
2. Design for privacy and data protection. Protection of citizens’ public data must be considered in the basic design.

Read More »

In my previous post in this series, I argued (yet again) that Collins v FBD Insurance plc [2013] IEHC 137 (14 March 2013) was wrongly decided. It precludes a claim for damages for distress for breach of data protection rights, pursuant to section 7 of the Data Protection Act, 1988 (also here) [hereafter: section 7 DPA88]. Building on a case in which the Workplace Relations Commission ordered a company, whose CEO hacked into an employee’s phone and downloaded intimate photos of her from it, to pay her a total of €94,708 damages, I argued that, if the surreptitious download had occurred outside an employment relationship, the complainant should be able to recover damages for distress for breach of her data protection rights, pursuant to section 7 DPA88. However, when the Supreme Court was presented with an opportunity to depart from Collins, it did not take it. Instead, in Murphy v Callinan [2018] IESC 59 (30 November 2018) Baker J (Clarke CJ and Dunne J concurring) approved and applied Collins. In my previous post, I argued that Collins was wrong as a matter of domestic law, and of European law, and that Google Inc v Vidal-Hall [2016] QB 1003, [2015] EWCA Civ 311 (27 March 2015) and Case C–362/14 Schrems v Data Protection Commissioner (ECLI:EU:C:2015:650; CJEU, 6 October 2015) illustrated the EU law points and undercut the reasoning in Collins.…

Read More »

A story in the newspapers this morning has made me think once again about some of the weaknesses in Irish law relating to damages for data protection infringements. The Workplace Relations Commission [WRC] has ordered a company, whose CEO hacked into an employee’s phone and downloaded intimate photos of her from it, to pay her a total of €94,708 damages (see, eg, Breaking News | Irish Independent | Irish Sun | Irish Times | TheJournal.ie). She had plugged her phone into his laptop to charge it, and he downloaded the images while she was in the bathroom. The award of €94,708 includes €65,000 for persistent sexual harassment, and €25,000 for unfair dismissal. The case is WRC Adjudication ADJ-00020222 An International Sales and Marketing Executive v A Fashion Company (25 November 2019); the report explains that the download occurred in October 2017, and that the complainant became aware of this in March 2018. She found herself in a terrible situation, but at least she was able to get some compensation for breaches of various pieces of workplace legislation. And the WRC Adjudication Officer ordered the respondent “to immediately destroy all photographs or images that depict the complainant or belong to her”.…

Read More »