Category: GDPR

Not archiving the .ie domain, and the death of new politics

Internet Archive Googly Eyes via Flickr
About this time last year, the Government lost some votes on important issues as the Bill that became the Data Protection Act 2018 (also here) was at Committee Stage in the Dáil. Writing on this blog, I described this as an example of new politics making for interesting times. Rather magnanimously, they did not seek to reverse these defeats; at the last stage of the Bill, the Minister confirmed that it was “not [his] intention to revisit the putting of the amendment in any other form”. In the intervening year, much has changed – for one thing, we are a year closer to a general election, commentators forecast that the next budget in October will be this Government’s last, and there is speculation that the Taoiseach may even call a snap election earlier than that. All of this means that the detente of new politics is breaking down. There can be no surer sign of this than that the Government is no longer magnanimously prepared to accept parliamentary defeats, and will reverse them if it can. There was a shameful example of this arrogance earlier this week in the Seanad, during the Report Stage debate on the Copyright and Other Intellectual Property Law Provisions Bill 2018.

At Committee Stage, the Seanad approved an amendment put down by Senator Fintan Warfield (Sinn Féin) and opposed by the Government that would have ensured that the archiving of the .ie domain would not infringe copyright. Writing on this blog, I welcomed this outcome as excellent news as a matter of principle, and an important step in making Irish copyright law fit for the digital age. However, at Report Stage, in an unseemly fit of pique, the Minister who had carriage of the Bill during the debate (the Minister of State for Training, Skills, Innovation, Research and Development, John Halligan TD) unapologetically restated his objections that there were issues with other government departments and public institutions, and that it would have significant resource implications, and he put down an amendment to reverse Senator Warfield’s earlier successful amendment (see amendment no 7 here). In the event, Senator Warfield acquiesced in the Minister’s amendment with a heavy heart, and it was accepted by the Seanad without a vote. All that remains is a commitment to bring forward proposals within a year.

Meanwhile, Ireland will – entirely unnecessarily – lag far behind the US and the UK. For example, in the US, the Internet Archive (the digital equivalent of the ancient library of Alexandria) is building a digital library of Internet sites and other cultural artifacts in digital form, searchable through its Wayback Machine. Similarly, the UK Web Archive performs an automated collection of UK websites (otherwise known as a ‘crawl’) at least once a year, and it collects a number of important websites more frequently (up to daily). The Minister’s petty amendment means that Irish libraries and archives cannot match even the modest collecting of the UK Web Archive, let alone replicate the greater ambition of the Internet Archive.

There is much to be welcomed in the Bill, and I look forward to it being signed into law by the President, but the removal of Senator Warfield’s sensible amendment is a blot on the escutcheon of the Government in its final days in office.

The further GDPR travails of Ross O’Carroll-Kelly

Statue of Ross O'Carroll-Kelly, via Wikipedia
Ross O’Carroll-Kelly (pictured left) is in GDPR-trouble again. Last time, he was fired from his job as an estate-agent for failing to report a data breach, when his work lap-top was stolen from his car just as the GDPR came into full effect. This time (as recounted in last Saturday’s Irish Times magazine; audio here), he learns to his great cost the power of the data subject access request under Article 15 GDPR.

The background is well explained by Jennifer O’Connell’s experiences also recounted in last Saturday’s Irish Times magazine. Her story starts with staff members in a hotel asking customers: “If you enjoyed the service, would you mind leaving a TripAdvisor review, and mentioning me by name?” As she explains:

It’s not only people in the service industry whose job security now rests on the whims of the terminally irate. If you’re a writer, Goodreads and Amazon reviews are your nemesis. If you’re a driver, it’s Uber. If you rent out your house, it’s Airbnb. If you’re a journalist, it’s the below-the-line comments.

She hasn’t reviewed the hotel waiter yet (she’ll be kind); but “in a Dublin hotel a few months ago, unable to sleep due to the sound of the four-hour, vigorous, live-action porn show on the other side of the cardboard door connecting [her] room with the one next door, [she] lay there plotting [her] TripAdvisor review”.

However, on some of these platforms, reviews go both ways. For example, not only do riders rate drivers on Uber, but, after every trip, drivers can rate riders as well. It is the same with the taxi app being used by Ross’s wife, Sorcha. She’s worried because she has an average “one-stor” customer rating from the drivers, out of five, which is the lowest rating that it’s possible to get. This gets Ross worried too, not because he’s concerned for his wife, but

because her one-stor rating is almost certainly down to me, given that I’ve been using her account for the past six months and taxi drivers tend to bring out the worst side of my personality.

He tries to make light of it, but Sorcha is having none of it, revealing that she has already

… made a Data Access Subject Request. … All citizens have the right to access their personal data, Ross. I’m entitled to know why taxi drivers seem to think so little of me, especially given how much I tip.

As Sorcha leaves Ross to check whether the postman had delivered the hardcopy reply, their daughter-from-hell, Honor, arrives, having intercepted the post along the way. Together, they read all the horrible things Ross said to the taxi drivers over the previous six months; and they learn of some co-passengers Sorcha might not like to learn about; so Ross bribes Honor a thousand euros not to say anything to her mother. She agrees. And Ross relaxes, thinking he’s off scot-free. Then:

Sorcha steps back into the kitchen. “Nothing in the post,” she goes.

I’m there, “Like I said, you should just let it go, Babes.”

“No, it’s fine,” she goes, holding up her phone, “because they’ve emailed me the information anyway.”

Honor stands up from the table. She goes, “I’ll leave you to it, Dad. I still want that thousand euros, by the way.”

I wonder if anyone’s left a comment on Jennifer’s TripAdvisor review of the performance in the adjacent hotel room, or perhaps lodged a subject access request to find out more about it?

60minutes says that the GDPR is the law that lets Europeans take back their data from big tech companies




From the report embedded above (with added links):

Tech companies’ reign over users’ personal data has run largely unchecked in the age of the internet. Europe is seeking to end that with a new law

… the European Union enacted the world’s most ambitious internet privacy law [the General Data Protection Regulation (the GDPR)], even winning support from the CEO of the biggest tech company in America, Apple’s Tim Cook. …

Max Schrems: The default under the European system is you’re not allowed to use someone else’s data unless you have a justification. …

Jeffrey Chester: Americans have no control today about the information that’s collected about them every second of their lives. …

Today, if one of the big tech companies chooses to ignore Europe’s new data protection law it could cost them 4 percent of their global revenues, which for the biggest companies would mean billions of dollars. Those decisions will likely be made here in Dublin, … Ireland’s data protection commissioner Helen Dixon says it’s not going to be business as usual.

Helen Dixon: U.S. internet companies have no doubt that this law is serious, it has serious bite. And all of them are eager to avoid any engagement with that.

Dixon says tech companies are spending tens of millions of dollars hiring lawyers, compliance officers and engineers to make sure they are operating within the law. …

Steve Kroft: You think the big tech companies, the people in Silicon Valley are taking this seriously?

Eoin O’Dell: I think they have to.

Eoin O’Dell is a law professor at Trinity College in Dublin and a leading expert on European privacy law. He says Europe has now established an international standard for internet privacy, and companies like Facebook, Google and Amazon are not about to retreat from a $17 trillion market.

Eoin O’Dell: We have safety standards in cars, but that hasn’t stopped us driving cars. We have emissions standards for – for the gas in the cars but that hasn’t stopped us using the gas in the cars. The data companies are – going to comply in the same way as the – car companies have complied.

Steve Kroft: To stay in business.

Eoin O’Dell: To stay in business.

Since the European privacy law was passed, at least ten other countries have adopted similar rules. So has the state of California. Perhaps sensing the inevitable, Facebook, Twitter, Google and Amazon are now saying they could support a U.S. privacy law if they were given considerable input. The Internet Association, which lobbies for big tech, and its president Michael Beckerman say they would support giving Americans reasonable access to their information and some privacy rights now enjoyed by the Europeans. …

Produced by Maria Gavrilovic. Associate producer, Alex Ortiz.

We’ve reached peak GDPR when Ross O’Carroll-Kelly gets fired for a data breach

Statue of Ross O'Carroll-Kelly, via Wikipedia
In today’s Irish Times, this week’s instalment (audio here) in the ongoing mis-adventures of Ross O’Carroll-Kelly (pictured left) intersected with this blog. Ross is a hapless dad and clueless (if ruthless) estate-agent, who has been described as “Ireland’s most eligible married man” and “the greatest Irish [rugby] player never to actually make it in the game”, and the scene opens with our hero being summoned by the boss:

It’s, like, just before midday when Lauren tells me she wants to talk to me in her office. … She goes, “What do you know about GDPR, Ross?”

I’m like, “Quite a lot, actually.”

Oh, that shocks her – such is my reputation for being as stupid as a goose.

She’s like, “Okay, tell me what you know about GDPR.”

“First,” I go, “you make sure the patient is comfortable by putting some kind of cushion under their head and loosening any tight clothing. Then, you place the heel of your hand on the patient’s breastbone, with your other hand on top of it, interlocking your fingers …”

“That’s CPR, Ross.”

And so it goes on for a while, until Dave – “from Human Resources (formerly Payroll)” – arrives, and asks Ross where his laptop is. Poor Ross. We know from last week’s column (audio here) that he had left his car unlocked at a filling station, from which someone stole his “laptop bag, a briefcase and three Donnybrook Fair shopping bags out of the boot”. So, Ross eventually comes clean to Lauren:

I’m there, “Okay, I’m going to be finally honest with you. They were stolen from the boot of my cor when I pulled in to get petrol. Was there any sign of the three shopping bags from Donnybrook Fair that were also taken? There was six tins of individually, line-caught, white tuna fillets in there that cost 11 yoyos per pop.”

“Why didn’t you tell me about this?”

“Er, why would I tell you about it? It was my laptop. They were my client files.”

“I’m the Managing Director of this estate agency, Ross. It’s my responsibility to report breaches to the Data Protection Commissioner as soon as they’re discovered. Do you know what the penalties for this could be?”

“Chill out, Lauren. There’s no real damage done.”

And that’s when she says it. She fixes me with a look and goes, “You’re fired, Ross.”

As he will no doubt quickly learn, GDPR stands for the EU’s General Data Protection Regulation. It, and its incorporating Irish legislation, came into effect on Friday 25 May 2018. And the theft of the laptop and files (and, let’s not forget, tuna fillets and other overpriced groceries) came to light in the column published on Saturday 26 May. If the Saturday column is real-time reportage, or if it is reporting something that happened on Friday, then the data breach happened after the GDPR and Irish legislation came into force, and Lauren does indeed have to report it to the Data Protection Commission. However, if the column is reporting something that happened earlier in the week, then the GDPR was not in force, and the Rossmeister might just get away with it – again.

New politics and the digital age of consent

An Interesting Game (1881)
Frederick Arthur Bridgman (1847-1928)
via Brooklyn Museum
New politics certainly make for interesting times. Minority governments are no strangers to defeats, even to two defeats in one day, but yesterday marked another milestone, when the government lost not merely two votes, but votes on two successive legislative amendments. They both related to the protection of children in the Data Protection Bill, 2018. The first will make it an offence to process the personal data of a child for the purposes of direct marketing, profiling or micro-targeting; the second will set the digital age of consent at 16. In fact, seeing the writing on the wall, rather than suffer the indignity – surely unique, even in this era of new politics – of four defeats in one evening, the Minister accepted a third amendment and declined to press a fourth of his own. The third amendment that he accepted will permit not-for-profit bodies to seek damages on behalf of data subjects; and the amendment that he withdrew would have undercut the effect of the third successful amendment. (The three successful amendments are amendments 14, 15 and 115 here (pdf), amending this version (pdf) of the Bill, and debated here). Earlier versions of all three successful amendments had been defeated by the government at every previous stage of the Bill. Time will tell if any of them proves significant, but the one that has generated the most coverage so far is the amendment to the digital age of consent.

The aim of the Bill is to incorporate the General Data Protection Regulation (Regulation (EU) 2016/679) into Irish law. Article 6(1) GDPR sets out six bases for lawful processing of personal data, the first of which, specified in Article 6(1)(a), is that “the data subject has given consent to the processing of his or her personal data for one or more specific purposes” [on consent, see ICO | WP29]. A child can, in principle, provide such consent; but a minimum age at which children as data subjects can consent to having their personal data processed is not specified in the GDPR. Article 7 GDPR provides that the controller must be able to demonstrate this consent, and the younger the child is, the more difficult it will be for the controller to do so. To these flexible general rules relating to the consent of children, Article 8 GDPR provides a bright-line exception, which has become known as the digital age of consent.

The UK’s Data Protection Bill 2017: repeals and compensation – updated

UK Data Protection image, via UK gov website
In the UK, the Department of Digital, Culture, Media and Sport (DCMS) has today published the Data Protection Bill 2017, to incorporate the General Data Protection Regulation (GDPR) and to implement the Police and Criminal Justice Authorities Directive (PCJAD) (respectively: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA; aka the Law Enforcement Directive). The progress of the Bill through Parliament can be tracked here.

In Ireland, when the Department of Justice published the General Scheme of the Data Protection Bill 2017 (scheme (pdf)), I expressed two concerns, both of which are equally applicable to the UK Bill.

Compensation for breach of the General Data Protection Regulation

I have just posted a paper on SSRN entitled “Compensation for breach of the General Data Protection Regulation”; this is the abstract:

Article 82(1) of the General Data Protection Regulation (GDPR) provides that any “person who has suffered material or non-material damage as a result of an infringement of this Regulation shall have the right to receive compensation from the controller or processor for the damage suffered”. As a consequence, compliance with the GDPR is ensured through a mutually reinforcing combination of public and private enforcement that blends public fines with private damages.

After the introduction, the second part of this article compares and contrasts Article 82(1) GDPR with compensation provisions in other EU Regulations and Directives and with the caselaw of the CJEU on those provisions, and compares and contrasts the English version of Article 82(1) GDPR with the versions of that Article in the other official languages of the EU, and concludes that at least 5 of the versions of Article 82(1) GDPR are unnecessarily ambiguous, though the CJEU (eventually, if and when it is asked) is likely to afford it a consistent broad interpretation. However, the safest course of action at this stage is to provide expressly for a claim for compensation in national law. The third part of this article compares and contrasts the compensation provisions in the Irish government’s General Scheme of the Data Protection Bill 2017 with existing legislation and case-law in Ireland and the UK, and with incorporating legislation and Bills in other EU Member States, and concludes that the Heads of the Scheme do not give full effect to Article 82(1) GDPR. Amendments to the Scheme are therefore proposed.

To ensure that any person who has suffered such damage has an effective remedy pursuant to Article 47 CFR, Member States will have to provide, pursuant to Article 19 TEU, remedies sufficient to ensure effective legal protection in the fields of privacy and data protection. In particular, they will have to provide expressly for a claim for compensation, incorporating Article 82(1) GDPR into national law. Claims for compensation are an important part of the enforcement architecture of the GDPR. Private enforcement will help to discourage infringements of the rights of data subjects; it will make a significant contribution to the protection of privacy and data protection rights in the European Union; and it will help to ensure that the great promise of the GDPR is fully realised.

As I was working on this paper, I published several posts on this blog (here | here | here) including discussions of the literal meaning of Article 82(1) GDPR in each of the EU’s 24 official languages and the current status of GDPR incorporation in the EU’s 28 Member States. Thanks to everyone who has engaged with these posts – the analysis in my paper has improved immeasurably. All comments on the current version gratefully received.

What is the current status of GDPR incorporation in the EU’s 28 Member States? [Ongoing updates]

Last updated: 7 May 2018

Having looked, in my previous post, at what Article 82(1) of the General Data Protection Regulation says and means in each of the EU’s 24 official languages, I’m interested in this post in the related question of the current status of incorporation* of the GDPR in each of the EU’s 28 Member States. I am interested in particular in whether provision has been made in any incorporating* legislation or draft for an express claim for compensation or damages to give effect to Article 82 GDPR. The list below is the current state of play so far as I have been able to find out. If you can correct any errors and help me fill in the blanks – via the comments below, via email, or via the contact page on this blog – I would be very grateful indeed.

Complete incorporation: Legislation to incorporate* the GDPR has been enacted in Austria, Belgium (though a further Bill is pending), Germany, Poland, Slovakia and Slovenia (a French Act anticipated some of its requirements, though a full incorporation Bill is pending). About half of the Member States are likely to complete the process before 25 May 2018.

No information: Drafts have not been published in Bulgaria, Cyprus, Italy, and Malta.

Compensation: Incorporations in various jurisdictions are taking differing positions on Article 82 GDPR. On the one hand, such express claims are included in legislation in Austria, Poland and Slovakia, and in Bills in Denmark, Greece, Hungary, Ireland, Romania, Spain, Sweden and the UK. On the other hand, no such express claims appear in legislation in Belgium, France and Germany, or in Bills in Belgium (again), Estonia, France (again), Latvia, Lithuania, Luxembourg, the Netherlands, Portugal and Slovenia. Croatia, Finland and Portugal take the view that Article 82 is directly effective; while the Czech Republic considers that the existing compensation provisions cover Article 82 GDPR.

As Katie Nolan points out, this matters a great deal, because – unlike Article 4 of the Data Protection Directive (Directive 95/46/EC) – the GDPR contains no choice of law mechanism to determine which national data protection legislation applies in cross-border cases. In the context of Article 82 GDPR, differences in national incorporations are likely to encourage plaintiffs to shop for the fora with the most generous compensation claims.
