Issues with the new Garda Powers Bill

I have a piece in today's Irish Times which identifies some serious concerns with the new Garda Powers Bill. Here's an excerpt:

The sensitivity of your phone means that this week’s proposal from the Department of Justice for a new Garda Síochána Powers Bill requires close scrutiny. That proposal would introduce a new power for gardaí, when carrying out search warrants, to demand your password or PIN and require you to biometrically unlock your phone (or tablet, or computer) using your fingerprint or face.

As well as taking a copy of everything on the device itself, gardaí could also use the device to access any other service you use – such as your webmail, cloud storage, or online banking – and then take a copy of that data also.

The way in which the searches would be carried out is concerning. Failure to comply with the demand there and then (with no right to consult a solicitor) would be an offence exposing you to immediate arrest, punishable by imprisonment for up to five years and a fine of up to €30,000. This power would also apply to the devices of “any person present at the place where the search is carried out”, including for example the parents or siblings of a suspect or someone who shares a house with them.

Full text

The GAA and the GDPR

I have a piece in the Irish Times today discussing the kerfuffle about GAA clubs using WhatsApp to communicate with members. It may be the first time the phrase "dick pics" has appeared on the opinion pages of the paper of record. Here's an excerpt:

Facebook is not providing WhatsApp for philanthropic purposes, and information about who you communicate with, how and when is immensely valuable. When it bought WhatsApp, Facebook attempted to combine that information with individuals’ Facebook activity – to build up a complete picture of your activity, public and private – despite stating to the European Commission that it would not do so. Facebook was eventually stopped by data protection authorities, and in 2017 it was fined €110 million by the European Commission for its deceptive statements during the merger. 

Nevertheless, it has stated that it still aims to use WhatsApp information for Facebook advertising, and presumably will also use your WhatsApp activity for ad targeting as it rolls out advertising on WhatsApp in 2020. 

Given the commercial value of this personal information, clubs and other groups who communicate through WhatsApp are still paying for a service – it’s just that they’re shifting the cost to their members, who pay with their privacy.

Full text

The new Irish ban on social media posts from court

I have an opinion piece in the Irish Independent on the new practice direction restricting social media posts from the courtroom. Here's an excerpt:

In 2011, the English courts introduced rules preventing anyone other than journalists or lawyers from posting to social media in the courtroom; the new Irish rules are largely identical, and seem to have been prompted now by judicial concern at both the Jobstown trial and the Belfast rugby rape trial. The #JobstownNotGuilty and #IBelieveHer hashtags show a growing popular willingness to second-guess the judicial process and this ban can be seen as a direct response.

There are certainly good reasons for banning live tweeting in some cases, particularly in criminal trials where much takes place in the absence of the jury.

However, the speech by the Chief Justice did not make the case for the blanket ban which was introduced. All the examples of abuse he gave related to criminal trials - there is no obvious reason why civil trials, which normally do not have a jury, should be treated in the same way. This is equally true of appeal courts, which hear legal argument rather than evidence, and in the UK the Supreme Court allows any person attending a hearing to live tweet except in special circumstances.

The restriction to "bona fide members of the news media profession" is also problematic. In his speech, the Chief Justice equated "hobby journalists" with "the single contrarian in a basement".

However this disregards a number of Irish and European judgments stressing the high constitutional value of citizen journalism; restricting live coverage to those who can produce traditional media credentials has the merit of administrative convenience but will limit many who could provide useful and informed coverage of proceedings.

Full text of the article.

Ireland must learn from UK data protection and ID disasters

I have a piece in today's Irish Times on the approach of the Irish state to privacy. In short: there's a lot of room for improvement. Text below with added links.

Ireland must learn from UK data protection and ID disasters

The growth of the public services card as a de facto national ID card has attracted a lot of media attention recently, with special credit due to Elaine Edwards of this newspaper for her persistence in excavating the facts on which most of the later reporting has been based.

The issue continues to rumble on, and the Data Protection Commissioner has asked the Department of Social Protection to explain the legal basis for the claim that the card is mandatory. One month later, despite repeated promises, the department has not yet done so.

More could be written about the public services card, and the varying and sometimes contradictory claims put forward to support it. But if we focus on the card we risk missing the wider picture, which is that the card is not an aberration but exemplifies a systematic disregard for privacy and data protection throughout the State.

Consider the Department of Health. In a remarkable statement to the Dáil earlier this month, Minister for Health Simon Harris admitted that Ireland “remains in breach of both European Union and national data protection legislation” by keeping a database of blood samples from newborn children without the consent of their parents. Following a complaint in 2009, the Data Protection Commissioner ordered that these samples be destroyed. However, the Department of Health has failed to comply and is instead proceeding with plans to retain the database and to open it up for research and possible other uses.

This defiance of the law raises significant questions for the independence of the Data Protection Commissioner, who has taken no enforcement action against this challenge to her statutory authority. The message to the State is that it can ignore data protection law with impunity.

Since 2014, the Department of Health has also been involved in developing health identification numbers and electronic health records schemes, which present significant issues of privacy and confidentiality. For example, by requiring the use of health identification numbers these schemes tie together potentially leak-sensitive information about an individual’s medical history, despite an earlier promise that use of these numbers would be voluntary. It is hard to trust assurances from the department on this issue given that it is already, by its own admission, in deliberate breach of data protection law.

We see the same picture elsewhere.

In 2014, An Garda Síochána started using body-worn cameras in an ad hoc way, without any legislation or formal safeguards. The Garda five-year modernisation plan says that the Garda will start taking video feeds from the National Roads Authority, local authorities and private car park operators to run automatic number plate recognition systems – creating a national database of people’s travel to be stored for an unspecified period.

That plan also says that, from 2017, the Garda will start using “face-in-the-crowd and shape-in-the-crowd biometrics” to identify people on CCTV systems. Again, all of this is to take place without any legal basis, in a manner that appears to be contrary to data protection law. It seems the Garda has not learned any institutional lessons from the 2014 scandal around the recording of calls to and from Garda stations, nor from the ongoing concerns about abuse of the Pulse system.

The common pattern in these cases is that fundamental rights are viewed as inconvenient obstacles. This is a paternalistic view, in which the institution knows best and public concern can be disregarded. However, this approach merely stores up problems for the future. There are lessons for Ireland from the UK, where many of these issues have already been played out.

In 2002, the UK government launched a National Health Service-wide electronic health records system which failed to adequately address patient confidentiality. This was eventually scrapped in 2011, in large part due to concerns about privacy, and replaced with systems which guarantee that patients can opt out of data sharing. The ultimate cost was in the region of £10 billion.

The public services card has a parallel in the UK, where ID cards and a National Identity Register were introduced by legislation in 2006, only to be abandoned and the data destroyed in 2011 following extensive public opposition. Similar to the public services card, the UK ID card had no clear rationale and was ultimately rejected by the Tory/Lib Dem coalition government as “wasteful, bureaucratic and intrusive”, at an eventual cost of about £5 billion.

The increasing Garda use of CCTV, facial recognition and number-plate recognition also echoes the UK, where both the information commissioner and the independent surveillance camera commissioner have described similar practices by UK police forces as intrusive, disproportionate and illegal.

The message from these UK examples is clear. While state authorities may push ahead with plans which ignore concerns about privacy and data protection, the law will eventually catch up with them, usually at significant cost to the taxpayer. Fundamental rights are factors which must be taken into account at the outset, not reluctantly considered when a scheme is already being implemented.

As the Data Protection Commissioner put it in her most recent annual report: “Public-sector bodies and Government departments are in many cases slow to adjust to the reality that data-protection rights cannot simply be legislated away without sufficient necessity and proportionality analysis and prejudice tests being applied.”

The failure of the State to accept these points has already squandered public trust in areas such as the public services card, and seems likely to do so in other areas such as electronic health records.

Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law, a solicitor with FP Logue Solicitors and the chair of Digital Rights Ireland

Letter regarding the Public Services Card

I'm very grateful to my colleagues who have signed a letter expressing concern at the growing use of the (supposedly optional) public services card as a mandatory requirement for essentials as passports and social welfare, creating a de facto national ID card or Ireland without public debate.

The full text of the letter and the signatories are below.

Oversight of phone tapping in Ireland: still inadequate

Following allegations of abuse of phone tapping by Irish police, I have an opinion piece in today's Irish Independent explaining why oversight mechanisms in this area are ineffective. Here's a flavour:

The reaction of the Department of Justice and An Garda Síochána to the latest phone-tapping scandal has been a predictable circling of the wagons. As usual, those bodies have refused to address the details of the allegations. We have seen generic statements, asserting that there is a legal basis for phone tapping and that it is subject to judicial oversight. 

The problem with that response is simple: it is clear that both the Irish law on phone tapping and the way it is implemented fail to meet fundamental international standards. 

Take the most basic starting point: who decides whether a phone tap should take place? International human rights law requires that interception of communications be authorised by a judge or an equivalent independent body. In Ireland, however, this power is given to the Justice Minister - leaving it open to allegations of political motivation. 

Irish law also falls down on the question of who can have their phones tapped. Contrary to international standards, there are no safeguards on phone tapping targeting lawyers, journalists or parliamentarians. 

Unusually for a Western democracy, Ireland does not have separate security and police agencies. Instead, both roles are combined in An Garda Síochána. The result is a blurring of the boundaries between the two functions which means that all surveillance ends up being concealed in unnecessary secrecy. 

The Irish oversight system is also out of line with international practice. In almost all EU member states, there are parliamentary committees which can oversee surveillance by security agencies. Ireland is one of only four EU states which does not make its security agency accountable to parliament. Instead, in security matters the Garda Commissioner answers only to the Justice Minister - the same person who is responsible for decisions to tap phones in the first place.

I've written more about the issue in the chapter "Judicial Oversight of Surveillance: The Case of Ireland in Comparative Perspective" (2016), full text online at the UCD research repository.

Back in the saddle

I'm delighted to be able to say that starting this week I'll be working as a consultant with FP Logue Solicitors. The partners - Fred Logue and Niall Rooney - have an excellent track record in business law, with a focus on brands, intellectual property, technology law and information law generally, making for a great fit with my own areas of interest. I greatly enjoy practice as well as research and teaching, and I've always found that each informs the other. Obligatory press release and group photo.

Search warrants and privacy in Ireland - CRH, Irish Cement & Lynch v. CCPC

The High Court gave a very important judgment yesterday (Independent.ie story) on the issues raised by the use of a search warrant to seize an entire email account where many of the emails in the account were not caught by the terms of the warrant. To grossly simplify a complicated decision, Barrett J. held that where the Competition and Consumer Protection Commission (CCPC) had seized an entire email account it was not itself entitled to carry out a "sifting" exercise to determine which emails fell within the scope of the warrant - instead, this had to be done by some impartial vetting process. In the lack of a suitable statutory mechanism, this could be done by agreement between the parties.

The full decision isn't yet on the courts.ie site, but courtesy of the CCPC I've uploaded a scanned copy to Scribd. The full decision will need careful consideration, but at first glance it's a very privacy protective decision which may have far reaching consequences in other areas of criminal procedure. Notably, it cites with approval the 2013 Canadian Supreme Court decision in R. v. Vu on the special privacy issues presented by searches of computers. (And, I'm glad to see, the Digital Rights Ireland litigation.) By requiring specificity in what is seized and how that material is then examined, it puts a question mark over other search powers - such as those under s.48 of the Criminal Justice (Theft and Fraud Offences) Act, 2001 - which are generally used so as to seize an entire computer and not merely specific records.