Eircom's three strikes system - down but not out?
The week before Christmas brought the significant news that the Data Protection Commissioner had found Eircom's three strikes system to be in breach of data protection law and had ordered Eircom to discontinue the system within 21 days (TheJournal | SiliconRepublic). Without sight of the ruling it's hard to comment, but I wrote about the background to the investigation previously and the statement from the DPC at that stage suggests that the system was viewed as being a disproportionate use of personal data, particularly in light of its impact on the right to access the internet.
Eircom has not accepted the DPC's decision and (according to Mark Tighe in yesterday's paywalled Sunday Times) has now appealed to the Circuit Court. It's hard to see what the troubled Eircom stands to gain from this - though it may be that failure to appeal would jeopardise their deal with the music industry to offer streaming and downloads. In any event, the appeal offers some breathing space - going by past experience, this appeal should take approximately 6 months or so to resolve, enabling Eircom to continue to operate three strikes until then. Incidentally, Mark Tighe also confirms that no Eircom customers have yet been disconnected for four "offences", though a number have had their accounts suspended for seven days.
Ireland's first prosecution for data disclosure
The same week also brought news of what seems to be the first successful prosecution in Ireland for deliberate disclosure of personal information (Irish Times | Independent | Examiner). This case centred on a corrrupt Revenue worker who disclosed information on six separate individuals to her own father (as a "favour to a business associate of his") and to her father in law - a retired garda who was working as a private investigator for Quinn Insurance.
Significantly, this came to light only due to initial fears that the victims were being targeted for criminal attacks - accounting for the garda involvement which led to this prosecution being brought. As I've already blogged, despite the existence of a "culture of snooping" within the Revenue previous cases have not been referred to police. This case isn't exceptional in involving snooping - it is exceptional only in seeing criminal consequences. Had this case not involved particularly sensitive targets (an executive of Brinks Allied security company and a former Revenue official now working against cigarette smuggling in Europe) then it is likely that no prosecution would have been brought.
All three defendants pleaded guilty to data protection offences. Unfortunately, the media coverage doesn't indicate the precise offences involved but it seems likely that each was charged with the offence of disclosing personal information obtained without authority, contrary to section 22 of the Data Protection Act 1988. This presents an interesting issue in the case of the Revenue worker, as the section 22 offence doesn't apply to "a person who is an employee or agent of the data controller or data processor concerned". Consequently, it is hard to see how this charge could have been brought against her unless as a civil servant she was regarded as not being an "employee" for the purposes of that section. [Update - I'm now informed that the charge against the Revenue worker was brought under section 21, which specifically targets employees also. However section 21 is limited to data processors rather than data controllers, which presents a further issue as to whether Revenue should properly be treated as a mere data processor.]
The case also reveals a lack of awareness amongst the Irish judiciary of the importance of data protection. In a worrying comment, the judge stated that "the breaches in this case were not unduly sinister and that they were possibly done without an appreciation of the seriousness of the actions". Remarkably, each offender was given the benefit of the Probation Act and allowed to escape conviction on condition that they donate €1,000 to charity. This can only be viewed as derisory in the context of a serious and repeated breach of trust (on the part of the Revenue worker) and a deliberate attempt to profit from wrongdoing (the private investigator) and if anything highlights the urgent need to introduce custodial sentences and not merely fines for this type of offence. As UK MPs recently noted, these trivial fines mean that "there is no deterrent because the financial gain resulting from the crime far exceeds the possible penalty".
(Yet another) Irish company spying on employees
Unfair dismissal actions have a way of exposing employers with a cavalier attitude to data protection. In November it was Dunnes Stores making secret use of CCTV. December revealed that Galen - a Northern Ireland pharmaceutical company - had covertly fitted GPS trackers to the cars of employees. According to the Employment Appeals Tribunal Galen had "breached the trust of its employees" by doing so, though it didn't address the question of whether this evidence was inadmissible as a result. Incidentally, I see from their website that Galen's motto is "Doing the right thing with the right priorities".