Tag: data retention

Taxing and woolly data retention laws will discourage new business – The Irish Times – Fri, Apr 15, 2011

KARLIN LILLINGTON

The cost and complexity of new data legislation creates difficulties for new investors

AS THE implications of our recently enacted data retention legislation sink in, internet service providers – defined broadly – are beginning to express concern.

The Communications (Retention of Data) Act 2011, signed into law in January, does not merely target telecoms companies or conventional ISPs, say legal experts. Operators of cyber cafes, and any hotel or hostel that offers internet access to customers, are likely to fall under its remit.

Handlers of internet and e-mail data – including those who operate data warehouses – may now have obligations to store user data under this Act. Even people who run internet discussion boards fall into a grey area, depending on how they manage e-mail services for board members.

Data handlers must not only store, but maintain and manage data in such a way as to make it quickly accessible to law-enforcement agencies upon request and – in a move that has been questioned by privacy advocates such as Digital Rights Ireland – the Revenue service.

Doing so will generally involve software, employee and hardware costs. These could prove crippling to smaller service providers and cause hotels to question whether to offer internet access at all.

Another excellent piece by Karlin – see an earlier piece by her, linked here.

Nothing to hide, nothing to fear?

A cartoon for the week which saw both international data privacy day and the enactment of the Communications (Retention of Data) Act, 2011 (No 3 of 2011, not yet available on pdf, but see the Oireachtas site for the Bill; update: noted here by Rossa McMahon), via philosophyblog:

Privacy cartoon, via Philosophy blog

Woman behind shower curtain: Hey! What about my privacy?
Peeping eye: They say that people who worry about their privacy have something to hide …



Earlier posts of mine on this topic: The innocent have nothing to hide? | Traffic Data Retention, Irish-style, returns to the legislative agenda | Nothing to hide?

Beware of gullible politicos tinkering with data privacy – Karlin Lillington the in Irish Times

Today is international data privacy day, and It’s a shame we do so little to mark the event

WITH THE Seanad passing the data retention – oops, communications – Bill without amendment last week, and Data Protection Commissioner Billy Hawkes warning political parties on Monday that they are not to illegally use (again, for some) unsolicited text messages, calls or emails in the looming election, how ironically appropriate that today is International Data Privacy and Data Protection Day.

Setting tone from the Top | The DOBlog

“Privacy by Design” is becoming the mantra of Data Protection enforcement world wide. Simply cutting and pasting a solution from another jurisdiction into an Irish or EU context invites breaches of legislation and failures of the required governance and controls. This is not just a technology issue.

Given that politicians are asking us to trust them, they should ensure that they take the necessary steps to earn that trust. Just like any other organisation embracing new technologies, they must ensure that the necessary due diligence and governance structures are in place to ensure that they are acting in compliance with long established legislation. If they are promoting a “tough on regulation” policy platform, then they must lead with a clear “tone from the top” of Compliance and good Governance.

Traffic Data Retention, Irish-style, returns to the legislative agenda

AC Grayling book cover, via BloomsburyThe Communications (Retention of Data) Bill 2009, published last week, has caused a bit of a stir in this morning‘s newspapers. It will give effect to EU Data Retention Directive 2006/24/EC of 15 March 2006 (blogged here) which recently survived challenge by the Irish Government in the European Court of Justice, and it will replace the radically misconceived and deeply flawed stop-gap Part 7 of the Criminal Justice (Terrorist Offences) Act, 2005 (also here) (blogged here).

In essence, the Bill requires telecommunications companies, internet service providers, and the like, to retain data about communications (though not the content of the communications); phone and mobile traffic data have to be retained for 2 years; internet communications have to be retained for one year. This is better than it could have been, in that the Directive would have allowed 2 years for all traffic data; but it is a lot worse than the minimum of 6 months allowed by the Directive. This will impose significant costs on those obliged to retain and secure the data, and those costs will be passed on to their already hard-pressed customers. And it is likely to drive international telecommunications and internet companies to European states which have introduced far less demanding regimes.

Traffic data retention (like any example of pre-emptive and widespread surveillance) is simply a bad idea; it is a massive invasion of privacy; it is founded on the illiberal and anti-democratic suspicion that someone somewhere might be doing something; and it is not good enough to reply that if you have nothing to hide, you have nothing to fear from surveillance. As the prolific and challenging AC Grayling argues in his new book Liberty in the Age of Terror: A Defence of Civil Society and Enlightenment Values (Bloomsbury, 2009; reviewed by The Economist here), this pernicious assertion is “one of the most seductive betrayals of liberty” imaginable; it assumes that

the authorities will always be benign; will always reliably identify and interfere with genuinely bad people only; will never find themselves engaging in ‘mission creep’, with more and more uses to put their new powers and capabilities to; will not redefine crimes, nor redefine various behaviours or views now regarded as acceptable, to extend the range of things for which people can be placed under suspicion—and so considerably on.

The concerns might be met by strong protections coupled with meaningful oversight, but the Bill is worryingly bereft on this score. Although it imposes obligations to retain data, and to maintain it secure, and to prevent unauthorised access to data, it does not provide any redress to someone whose data is retained insecurely or accessed without authorisation; and the Data Protection Acts, 1988 (also here) and 2003 (also here) are inadequate to cope (for example, they would provide no criminal sanction for the News of the World‘s recently-disclosed shenanigans). Worse than that, large-scale databases are peculiarly vulnerable to attack – an investigation by More4 News for Channel 4 reported last week (in a story that should give some pause to those planning a system to trace patients for Ireland) that more than 8,000 dangerous viruses have infected NHS computers in the last year, overloading networks, and massively compromising large amounts of personal data.

It is appropriate to restrict individual privacy provided that there is a good reason to do so, and the restrictions do not good too far. In the context of this Bill, the prevention of crime is a good reason, but the restrictions seem to go very far indeed, especially in the absence of proper protections and oversight. In S and Marper v UK 30562/04 [2008] ECHR 1581 (4 December 2008) one of the reasons given by the European Court of Human Rights for holding that the UK’s retention of innocent people’s DNA records on a criminal register infringed their right to privacy was the lack of sufficiently strong safeguards. I am a Director of Digital Rights Ireland; this is one aspect of our ongoing challenge to Ireland’s data retention regime; and this flawed Bill does nothing to alleviate these concerns.

The power of letters

Front page of today's Guardian, via the Guardian's siteShami Chakrabarti, director of Liberty (the National Council for Civil Liberties), has an editorial letter published in today’s Guardian which begins:

Sir – 75 years ago today, in a Britain strained by economic crisis and social unrest, and in the long shadow of international conflict, the birth of the National Council for Civil Liberties was announced in a letter to this newspaper.

Little has changed. As is reported elsewhere in the same edition, students from the University College London Student Human Rights Programme, have prepared a report setting out the current assaults on liberty in the UK, under the suitably Orwellian title of The Abolition of Freedom Act 2009. It was prepared for this weekend’s forthcoming Convention on Modern Liberty (organised by the UK’s leading human rights campaigners, including Liberty and the Guardian) and it makes for chilling reading.

The situation is equally as grim in Ireland. Today’s Irish Times carries an article by Elaine Byrne on a forthcoming report prepared by her for Transparency International on serious shortcomings which have weakened the quality of Ireland’s democracy. The same edition carries an article on the financial costs associated with the forthcoming data retention regime being challenged by Digitial Rights Ireland. More generally, the Irish Council for Civil Liberties (ICCL) was formed in 1976 for reasons similar to those which motivated the 1934 letter writers; and – as I have already noted on this blog – it too is one of the organisers of a forthcoming conference on the state of civil liberties in Ireland.

Were it not for such organisations, more of our civil liberties would be eroded by stealth. What liberties we still have we owe to their vigilance. So, what are you waiting for? Get involved: click on the links in this post; click on one of the buttons in the right-hand column; or find your own way to begin to contribute. Lest they perish, we must all do our bit to protect our civil liberties, human rights and fundamental freedoms.

Data retention ironies

I can’t make up my mind whether it’s ironic or not that the European Court of Justice has upheld the Data Retention Directive on Safer Internet Day.

I’ll let Digital Rights Ireland tell the story:

European Court upholds data retention… for the time being

The European Court of Justice has given its decision today in the Irish Government challenge to the Data Retention Directive [Case C-301/06] Ireland v. Parliament and Council (Press Release | Judgment). Unsurprisingly (in light of the Advocate General’s Opinion) it has held that the directive was properly adopted as an internal market measure (by qualified majority voting) rather than as a criminal matter (requiring unanimity). Where does this leave us and our case?

While it’s a pity to see the Directive upheld, the Government’s challenge was a very narrow one, dealing only with the essentially technical matter of the legal basis for the Directive. The Government didn’t raise and the ECJ wasn’t asked to decide on the fundamental rights issues. Indeed it expressly stated:

The Court notes at the outset that the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement by the directive of fundamental rights resulting from interference with the exercise of the right to privacy.

Consequently, the decision doesn’t affect the core of our challenge to the Directive, which will still go ahead on the basis that it infringes the rights to privacy and freedom of expression. At the moment we’re waiting on a decision from the High Court on our application to refer these issues to the ECJ – we’re confident that when these issues reach the ECJ that they will decide in our favour.

(more…)

Google and Privacy: the facts speak for themselves

image via Battelle mediaFrom the BBC (hat tip also to Canadian Privacy Law Blog; advance warning from The Register):

Google is to halve the amount of time it stores users’ personal search data in response to continued pressure from the EU over its privacy policy. The search giant has said it will anonymise identifiable IP addresses on its server logs after nine months. Google said respecting users’ privacy is “fundamental to earning and keeping their trust”.

From the Official Google blog (cross-posted on the Google Public Policy Blog): (more…)