Wednesday, December 12, 2007

Time to put up the decorations...


...so here's a picture I took this time last year. Merry Christmas all.

More confusion about the legal status of eBay

New internet services sometimes don't fit neatly into the categories drawn by the law. eBay has been and continues to be a prime example. Is it an auction house? On its user agreement page it goes to some lengths to disclaim this status, for the good reason that it does not want the legal baggage that would go with it:
Although eBay is often referred to as an online auction web site, you acknowledge that we are not a traditional auctioneer. Instead, the Site is a venue to allow anyone to offer, sell, and buy just about anything, at any time, from anywhere, in a variety of pricing formats, which include auction-style and fixed price formats. At no point do we have possession of anything listed or sold through the Site.
But the French authorities don't agree and claim that it is subject to the same obligations as traditional auctioneers:
France's auction watchdog is taking eBay to court, arguing the Internet auctioneer does not do enough to protect consumers.

The regulatory authority, called the Council of Sales, said Monday that eBay's French site should be held to the same standards as France's auction houses, which need a special permit from authorities, partly to ensure consumers are protected.

In a statement, eBay's French branch, eBay.fr, said the legal action was "totally unjust." The French site has argued for years that it should not be subject to the same regulations as France's auctioneers.

eBay.fr says it is merely an intermediary, not a traditional auction house, because customers put objects up for sale themselves, and because the site is not involved in negotiating contracts or in delivery and payment.

"eBay has invented a new way of buying and selling, which has been adopted by 10 million French people, and which is not at all the same as that of auction houses," it said.

The Council of Sales, whose members are state-appointed, said it was not trying to crack down on online auctions.

eBay "has been an extraordinary success, which we recognize," said Ariane Chausson, the Council's spokeswoman. "We recommend that all auctioneers do sales on the Internet, because it's a fabulous tool."

But the regulatory authority hopes a judge will rule that eBay.fr is an auction house like any other. It argues that eBay.fr currently has an unfair advantage because it avoids strict regulations set out in a 2000 law.
Similar issues arise when we ask whether eBay is a "host" within the meaning of the E-Commerce Directive and if so whether it will be liable for the wrongdoing (such as trademark infringement or the sale of illegal goods) of its users. In one UK case the General Optical Council commenced a prosecution of eBay for aiding and abetting the illegal sale of contact lenses - but dropped that action after receiving advice that eBay would benefit from the hosting defence in Article 14 of the Directive. Lilian Edwards has more on this case - and suggests that eBay might lose the hosting defence on the basis that it is in a position to exercise control over its users:
[C]ould it be argued that the EBay sellers of contact lenses were acting "under the authority or the control of" EBay? EBay do contractually allow sellers to sell on its site, and take a cut of the profits for doing so. Is this not "authority"? As I have noted before, they are hardly in the same position as a traditional ISP handling myriads of communications in a hands off way. EBay furthermore do at least present something that looks rather like "control" in that they have various Acceptable Use policies relating to what can and cannot be sold on EBay. Contact lenses are specifically mentioned under the "prohibited" list. EBay do their best to make these warnings look advisory -

"eBay is here to help, but you are ultimately responsible for making sure that buying an item or selling your item(s) is allowed on eBay and is not prohibited in the eyes of the law. Follow these steps to find out whether or not your item can be listed on eBay."

- but such words cannot detract from the fact that it seems a reasonable interpretation that eBay's various "prohibited" policies for buyers and sellers are incorporated by reference as part of the terms of the contract with eBay.
More recently, Lilian has also blogged about a current French case which suggests that eBay (and many Web 2.0 sites) might not qualify as a "host" in any event:
[A] French humorist successfully sued MySpace before the Paris first instance tribunal for infringement of his author’s rights and personality rights, as his name, image and some of his sketches were published on a MySpace webpage without his authorisation.

The court found that MySpace performed the role of an Internet host. However it also did other things: it provided "a presentation structure with frames, which is made available to its members" and significantly, it also "broadcasts advertising upon each visit of the webpage, from which it profits".

As a result MySpace did not benefit from the hosting immunity of the EC Electronic Commerce Directive, Art 14 , implemented in Article 6.I.2 of the French law “on Confidence in the Digital Economy” (dated 21st June 2004) . The French law provides that a hosting provider:

“may not be held civilly liable for the activities or information stored at the request of a recipient of these services if they are effectively unaware of the illegal nature thereof or of the facts and circumstances revealing this illegality or if, as soon as they become aware of them, they have acted promptly to remove these data or make access to them impossible"

MySpace were however deemed not a host but a "publisher". Lacking immunity, MySpace were thus ordered to pay substantial damages.
The legal status of auction sites - along with search engines, content aggregators, hyperlinkers, bulletin boards, and Web 2.0 sites generally - is an area that was largely neglected in the E-Commerce Directive. Hopefully the forthcoming Commission review of the application of the Directive will give more guidance as to how national courts have dealt with these issues.

For more discussion on the legal issues surrounding eBay and similar sites see Andrés Guadamuz González - eBay Law: The legal implications of the C2C electronic commerce model.

Update - 11.02.2008 Lilian has more, this time on eBay's liability for the sale of knives.

Update - 4.07.08 Lilian has still more on the French rulings finding eBay liable for the sale of counterfeit goods by its users.

Copyright Association of Ireland Annual Lecture

The Copyright Association of Ireland Annual Lecture takes place on Monday next (17th December) at 6.30 in the Westin Hotel, Dublin. The lecture will be given by Ronan Deazley with the title "Plagiarist and Prophet: Walter Arthur Copinger and the Anglo-American Copyright Tradition". Ronan Deazley is an expert in the historical development of copyright and the author of the fascinating Rethinking Copyright: History, Theory, Language so this promises to be a very interesting evening. Admission is free and a reception will follow.

Thursday, December 06, 2007

Admissibility of recorded telephone conversations?

The Barristers' Professional Conduct has made an interesting ruling on the admissibility of telephone conversations recorded by one party. (The decision was in 2006 but appears not to have attracted much attention then.) From the Sunday Business Post:
The Barristers Professional Conduct Tribunal has ruled that a recording of a phone call by a barrister allegedly racially abusing his Romanian client is admissible in proceedings for professional misconduct...

The Bar Council is investigating claims that the barrister, who was acting for the wife, divulged private information about him in a phone call to his secretary. The woman tape-recorded the remarks...

The barrister’s counsel argued that the tape was inadmissible because it had been made without his consent, so was in breach of the Postal and Telecommunications Services Act 1983.

He also claimed that it violated the barrister’s constitutional right to privacy and breached the European Convention on Human Rights. But the tribunal ruled that the 1983 act had been amended by the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.

Under that legislation, a telephone conversation can be legally recorded by one of the parties involved, without the other’s consent. Tribunal chairman John Gleeson SC said:
"The fact that one party to a telephone conversation records it does not, in the opinion of the tribunal, give rise to a constitutional difficulty or a breach of the European Convention on Human Rights.

"After all, a party to a telephone conversation is always capable of giving evidence of the contents of that conversation without any recording apparatus, whether by making a contemporaneous note or by simply recalling in evidence what was said during the conversation."

René Rosenstock has more discussion of the legal issues associated with recording telephone calls in Ireland. The Data Protection Commissioner has a case study on the data protection issues involved here.

(Many thanks to Ronan Lupton for pointing out the Sunday Business Post story.)

Wednesday, November 14, 2007

Privacy law roundup

Garda Code of Practice

The Data Protection Commissioner has announced the launch of a data protection code of practice for the Garda Siochána, which will include random audits of the use of the PULSE system. This is the first code of practice to be approved by the Commissioner. More coverage in the Examiner.

Landlord spied on students


The Irish Times reports that 10 students were awarded a total of €115,000 against their landladies who had installed electronic surveillance equipment to spy on them:
Two Dublin landladies have been ordered to pay damages totalling more than €115,000 to 10 students who were tenants in their house after the Circuit Court found they had kept the students under secret electronic surveillance...

The students became concerned in late 2004 that their conversations and activities were being monitored when the McKennas referred to details the students had discussed in private in the house. When they raised the issue with the McKennas, the students were evicted....

Judge Gerard Griffin yesterday found that the evidence in the case left him "in no doubt whatsoever that the defendants had kept these plaintiffs under electronic surveillance".

The judge said he could not say whether it was audio or video surveillance or both, but he was concerned that yellow wires found in the house were of the international standard used for video recording.
This isn't the first instance of this in Ireland - in 2003 a Galway landlord was found to have installed miniature cameras in the ceilings of his female tenants' bedrooms and bathrooms.

Australian proposals for privacy reform

The Australian Law Reform Commission has published a discussion paper on Australian Privacy Law. This substantial document (stretching to 1995 pages in PDF!) proposes root and branch overhaul of Australian privacy laws and given its scope and ambition is likely to be influential on this side of the world also. Some highlights:
Deceased people
The ALRC proposes that some aspects of privacy protection should apply to personal information concerning deceased persons.

In particular:
• data quality and security requirements should apply, so that organisations that hold information about deceased persons must ensure that it is accurate and protected from misuse, loss, unauthorised access or disclosure; and
• there should be some right of access to information for family members. The ALRC has heard that people who had a relationship to the deceased—such as family members — may sometimes need to access information in order to know about medical conditions, or to document family history. Under the proposed changes, any person would be able to apply for access to information relating to a deceased person.

Before releasing information, the organisation would have to consider whether this would have an unreasonable impact on the privacy of others, including the deceased person.

Sensitive information
The ALRC proposes that the definition of sensitive information be changed to include
certain types of biometric information.

Biometric information—which can include photographs, fingerprints, iris scans or voice recordings—is like some other sensitive information because it is often linked to an individual’s physical characteristics. It also carries greater risks than some other forms of information—such as the risk of revealing an individual’s cultural origins, or providing information that can allow an individual to be impersonated.

For these reasons, the ALRC proposes that biometric information should be given
the same level of protection as other information that is currently treated as sensitive information. This should only apply in certain circumstances, such as where biometric information is collected for purposes of identification.

Email and IP addresses
Technology has changed the types of information that may reveal facts about an
individual. For example, an email address or internet protocol (IP) address may reveal much about an individual, but these categories of information may not be covered by the Privacy Act because they may not specifically identify the individual.

The ALRC proposes that the definitions of ‘personal information’ and ‘record’ in the
Act be broadened to cover information such as email and IP addresses in some
circumstances.

Personal information published on the internet
The internet creates greater opportunity for personal information to be published, sometimes anonymously.

The ALRC is interested in feedback on whether there should be a ‘take down notice’
scheme that would require a website operator to remove information that may constitute an invasion of an individual’s privacy. This could be similar to—or an extension of — a scheme that currently operates for removal of prohibited content, based on decisions of the Classification Board.

Data breach notification
Agencies and organisations are not currently obliged to notify individuals where there has been unauthorised access to their personal information.

The ALRC proposes that individuals be notified where there has been unauthorised access to personal information that could lead to a real risk of harm to any affected individual.

Under this proposal the Privacy Commissioner would oversee the decisions of agencies
and organisations about the level of risk and whether individuals should be notified. If the Privacy Commissioner formed the view that there was a real risk of serious harm, he or she could direct that the agency or organisation notify the affected individuals.

Sunday, September 23, 2007

This is why cybersquatters are still in business

According to today's Sunday Business Post, the Berkeley Court, Jury’s Hotel and Jury’s Towers in Ballsbridge are to be reopened under the D4hotels.com brand.

D4hotels.com was registered on Wednesday, but all the other extensions (.ie, .net, etc.) are still free, as are D4hotel.com, .net, etc. Although I'd be more than happy to act for the owners to try to evict the inevitable cybersquatters and typosquatters, it would be substantially cheaper simply to register the other extensions and variants in the first place.

Update: Well, that was quick. D4hotels.net and D4hotels.org were anonymously registered one day later at GoDaddy.com. D4hotel.com was registered on the same day also.

Wednesday, August 29, 2007

"The New Surveillance" in Ireland

I've written a short piece for the Irish Security Industry Association's Risk Manager magazine about "The New Surveillance" and its growth in Ireland:
The recent trial of Joe O’Reilly for the murder of his wife Rachel attracted huge public interest for a number of reasons – the gruesome nature of the crime and the demeanour of the killer among them. But another cause of this public attention was the way in which the trial revealed the extensive digital footprints we leave behind in our day to day activities. In a first for the Irish courts, the prosecution case was built for the most part on digital evidence – including CCTV footage, mobile phone location data, details of calls and text messages and the content of emails.

Though this was the first case to attract such attention, in the background there has been a move towards greater surveillance of everyday life for some time now. For example: since 2002 Irish law has required that telephone companies log details of every telephone call made, every text message sent, and the movements of every mobile phone and that they store that information for three years. European law will extend this to the internet, requiring ISPs to log details of users’ emails, instant messages and web use. Recent legislation has permitted the random breath testing of drivers as well as random drug testing of employees. Within the last month alone Government plans were announced to roll out extensive CCTV schemes to sixteen additional towns, to introduce a national DNA database, to introduce mandatory registration of pre-pay mobile phones, and to introduce automatic number plate recognition systems which will automatically scan all passing cars to see whether they are reported stolen or untaxed.

What do these developments have in common? US academic Gary Marx has described them as “the new surveillance”. Traditionally we might think of surveillance as being something which is unusual or uncommon, carried out by the State, targeted towards a particular individual or group, labour intensive (and thus expensive), and focused on solving or preventing a particular crime. Technological developments (making surveillance easier and cheaper) and changes in social norms (including greater acquiescence to being monitored) have now turned this on its head.

The new surveillance is pervasive – far from being unusual surveillance has become the norm. It is not necessarily carried out by the State – for example, the obligation to track mobile phone users has been effectively outsourced to the mobile phone companies. This, along with increased automation, means that the cost to the State of surveillance can be minimised, doing away with any incentive to restrict surveillance to those situations where it is essential. It is untargeted – in the new surveillance every driver, web user, mobile phone user or pedestrian passing a CCTV camera is scrutinised as though they were a suspect and irrespective of whether any crime has been or is likely to be committed. The new surveillance is also largely invisible, allowing it to fly under the radar of public inspection and concern.

Should this concern us? The underlying technology is neutral in itself – for example, CCTV can be used to prosecute crime or (as in a recent English case) it can be used by its operators to spy on a woman through her bedroom and bathroom window. What matters is the use to which it is put and the legal controls which are in place. At an absolute minimum we should ensure that surveillance is democratically approved; that it is proportionate (going no further than necessary for a particular purpose); that information gained from surveillance be retained for the minimum period necessary; that it be subject to adequate independent oversight; and that sanctions should be in place for individuals or operators who violate these controls.

Unfortunately, Irish law generally fails these requirements. In 1996 the Law Reform Commission identified a range of deficiencies in Irish law on surveillance and over ten years on those problems remain unaddressed. Instead, official surveillance and technology have developed in what is often a legal vacuum. For example, there is no law governing the interception of emails, no law providing for criminal sanctions for the misuse of CCTV systems and no effective oversight of police surveillance. In short, the new surveillance has not been matched by new legal controls, which must raise doubts as to whether many aspects of the new surveillance are compatible with the right to privacy under the Constitution and under the European Convention on Human Rights.
PDF version here.

Friday, August 10, 2007

Australia to mandate ISP level filtering

The Sydney Morning Herald reports:
INTERNET service providers will be forced to filter web content at the request of parents, under a $189 million Federal Government crackdown on online bad language, pornography and child sex predators.

The Prime Minister, John Howard, said that the Government would increase funding for the federal police online child sex exploitation team by $40 million, helping investigators to track those who prey on children through chat rooms and sites such as MySpace and Facebook.

In a separate development, convicted sex offenders in NSW will have to register their email address with police as part of State Government efforts to stop them using the internet to prey on children.

Mr Howard will also confirm a previous announcement that the Government will pay $90 million to provide every household that wants it with software to filter internet content.

Those unable to install the software or who have concerns about their children's internet use will be able to get advice by phone, another proposal previously suggested by the Government.

The more efficient compulsory filtering of internet service providers (ISPs) was proposed in March last year by the then Labor leader, Kim Beazley. At the time, the Communications Minister, Helen Coonan, and ISPs criticised his idea as expensive.

Three months later Senator Coonan announced the Government's Net Alert policy, which promised free filtering software for every home that wanted it. She also announced an ISP filtering trial to be conducted in Tasmania. That trial was scrapped.

Today Mr Howard will hail the ISP filtering measure as a world first by any Government, and is expected to offer funding to help cover the cost. Parents will be able to request the ISP filter option when they sign up with an ISP. It will be compulsory to provide it.
This is a remarkable about face from the Australian government's previous position. No details yet on how the filtering systems will operate or be funded, but presumably the filtering categories will be based on the existing system under which the Australian Communications & Media Authority (ACMA) classifies content and issues takedown notices / notices to filtering software makers. Electronic Frontiers Australia has detailed criticism of the plan.

Monday, July 30, 2007

Computer generated evidence and defence access to source code

Today's Irish Times reports on an interesting clash between the rights of an accused person to a fair trial and what breathalyser manufacturers see as their commercial interests:
A solicitor from Co. Louth is seeking a judicial review of a drink driving conviction...

Paul Moore, a solicitor in Monaghan, is arguing that because the manufacturers of the Lion Intoxilyzer breath testing machine did not provide him with a hard copy of the software it uses that a conviction was made in the absence of full disclosure and therefore the constitutional rights of the accused person were not upheld...

At an earlier court hearing Judge Flann Brennan had made an order of disclosure. When pressed on why the software was not disclosed pursuant to that order, Mr. Blythe [a senior manager with the manufacturers] told Alan Doherty, defending, that "the company is adamant that it does not disclose software documentation". He also said he believed that this was for commercial reasons.
This is the first Irish case that I'm aware of where disclosure of source code has been sought in the context of a criminal prosecution, though there has been a good deal of litigation on this point in the United States, where companies have also refused to turn over source code with the result that many cases have been dismissed.

This is certainly the correct result - if a person may lose their liberty based on a number generated by a machine, they must be able to challenge the accuracy of that number - which they cannot do unless they know how that machine operates. The manufacturer's failure to comply with a court order on the basis of "commercial reasons" is astonishing - if they believe that their commercial interests are superior to the right of an accused person to a fair trial and are unwilling to comply with the order of the court then they should not be manufacturing this equipment nor should our justice system be purchasing it.

Ethan Zimmerman of the EFF has some insightful comments on the US cases, and draws an analogy with electronic voting:
Matt Zimmerman, a staff attorney for the Electronic Frontier Foundation (EFF), said it is just as important for people to know that products like breathalyzers or voting machines work correctly as it is for companies to protect their trade secrets.

"It's one of the few cases that we've seen recently where a court has come out and said it really is appropriate, if you're going to be making important decisions that affect someone's liberty, then you should be able to understand what's going on with these technologies that are helping make these decisions," Zimmerman said.

He said that in addition to various fears over losing proprietary advantages, companies may also fear that public examination of software would let the public know "there may be some flaws in the design, in the coding, that otherwise they wouldn't have to reveal."

"The government is outsourcing a governmental process," Zimmerman said of both e-voting and the breathalyzer questions. "It's not a case where you're alleging that a certain harm has been done to a specific person. You're making the allegation that the technology doesn't do its work quite as well as it could."

The key to both concerns is the potential for these devices to affect people's liberty and freedom, while the manufacturers do not provide the public with the information to know what is going on, Zimmerman said. Both cases, he said, should tell the government that the public has a right to know how technologies actually work when they have to do with individual liberty.
Update (10/8/07): Declan McCullagh has details of a recent Minnesota decision ordering disclosure.
Update (5/9/07): The code of one US breathalyser has now been analysed and found to be extremely sloppy:

1. The Alcotest Software Would Not Pass U.S. Industry Standards for Software Development and Testing: The program presented shows ample evidence of incomplete design, incomplete verification of design, and incomplete “white box” and “black box” testing. Therefore the software has to be considered unreliable and untested, and in several cases it does not meet stated requirements. The planning and documentation of the design is haphazard. Sections of the original code and modified code show evidence of using an experimental approach to coding, or use what is best described as the “trial and error” method. Several sections are marked as “temporary, for now”. Other sections were added to existing modules or inserted in a code stream, leading to a patchwork design and coding style…

It is clear that, as submitted, the Alcotest software would not pass development standards and testing for the U.S. Government or Military. It would fail software standards for the Federal Aviation Administration (FAA) and Food and Drug Administration (FDA), as well as commercial standards used in devices for public safety…If the FAA imposed mandatory alcohol testing for all commercial pilots, the Alcotest would be rejected based upon the FAA safety and software standards…

4. Catastrophic Error Detection Is Disabled: An interrupt that detects that the microprocessor is trying to execute an illegal instruction is disabled, meaning that the Alcotest software could appear to run correctly while executing wild branches or invalid code for a period of time. Other interrupts ignored are the Computer Operating Property (a watchdog timer), and the Software Interrupt.

6. Diagnostics Adjust/Substitute Data Readings: The diagnostic routines for the Analog to Digital (A/D) Converters will substitute arbitrary, favorable readings for the measured device if the measurement is out of range, either too high or too low. The values will be forced to a high or low limit, respectively. This error condition is suppressed unless it occurs frequently enough…

7. Flow Measurements Adjusted/Substituted: The software takes an airflow measurement at power-up, and presumes this value is the “zero line” or baseline measurement for subsequent calculations. No quality check or reasonableness test is done on this measurement…

10. Error Detection Logic: The software design detects measurement errors, but ignores these errors unless they occur a consecutive total number of times. For example, in the airflow measuring logic, if a flow measurement is above the prescribed maximum value, it is called an error, but this error must occur 32 consecutive times for the error to be handled and displayed. This means that the error could occur 31 times, then appear within range once, then appear 31 times, etc., and never be reported…

Data protection roundup

New guidance on meaning of "personal data"

The Article 29 Working Group has given a very comprehensive and helpful opinion on the meaning of personal data. It goes much further than the narrow approach in Durant v. Financial Services Authority, and specifically rejects the view that information must "have the data subject as its focus" before it can constitute personal data.

Data Retention Directive implemented in UK - but only for telephone data

The UK has now implemented the Data Retention Directive in respect of telephone records, choosing a one year retention period. The implementation of the Directive in respect of internet activity has been deferred pending further consultation.

Manual data to be treated in the same way as computerised data

The Data Protection Acts will apply in full to manual data from 24 October 2007. When the 2003 Act extended the data protection principles from computerised data to include manual data (such as paper files) it provided for a four year transitional period in which existing manual data would be exempt from sections 2, 2A and 2B of the Acts (dealing with the collection, processing, keeping and use of personal data and sensitive personal data). That transitional period ends on 24 October, which may cause problems for organisations which have older files which are not compliant with the new law.

Tuesday, July 24, 2007

Australian judges - uncut

The Australian outlines what some of Australia's most senior judges said about their roles when promised anonymity:
[S]ome judges are committed activists who believe those who criticise their approach are "vociferous red-neck people"...

"Perhaps it's illegitimate to pull the rabbit out of the hat, but it's nice to see it emerging," said one High Court judge...

While some judges see judicial activism as their duty, others are still seething over what they see as the High Court's illegitimate law-making under former chief justice Anthony Mason.

"Madness let loose," is how one judge described the Mason court. The Mason court, which recognised Aboriginal native title and implied constitutional rights, was also denounced for cooking up "some pretty funny menus".

Its decisions on implied rights were "silly", "sneaky" and "the worst single feature of Australian constitutional law in the last 20 years", the judge said.

The court's Mabo decision on native title received particular criticism. Another judge said the Mason court's development of implied constitutional rights had created a "looseleaf constitution". "We've said bugger the constitution. We'll tell you what should be there. It's very distressing," one judge said.
The story is based on research carried out by political scientist Jason L. Pierce for his PhD, which was ultimately published as Inside the Mason Court Revolution: The High Court of Australia Transformed. [The full PhD thesis is available online.] The central theme is summarised in this review:
Orthodoxy expects certainty in judicial decisions that narrowly apply the law to the resolution of disputes between private parties. Politics and the law occupy separate realms where judges serve as caretakers guarding the boundaries between the two. Without a bill of rights and given the federal structure of Australia, orthodoxy presumed the High Court’s responsibility dealt almost exclusively with the division of powers between the states and federal government. Legal reasoning was declaratory in nature, closely bound by the text of the law, and governed by precedent. Evolution in legal rules occurred interstitially according to common law tradition as existing rules were applied to novel situations. The “politicized” role turned orthodoxy on its head. Uncertainty was acknowledged. New rationales for decisions besides text and precedent were put forward. A “public model” of High Court litigation encouraging a wider range of participants emerged. The High Court stretched its jurisprudential horizons to include public policy questions of justice and personal rights that parliament had failed to address. MABO and implied rights naturally followed. And so did political challenges and eventually the High Court’s retreat from this politicized role.
I'll be reading this with interest, bearing in mind possible parallels with what Keane CJ described as Ireland's own "tide of judicial lawmaking", albeit one that has "receded somewhat in recent years". And, I confess, I'll also be enjoying the candour of the Australian judges:
Q: What impact did the retirement of Justices Brennan, Dawson, and Toohey have on the High Court?
Judge: A slight swing to the right. Toohey was a terrible communist. Brennan wasn’t much better.
Q: What do you mean by ‘communist’?
Judge: [Toohey] is always dripping with sympathy for the underdog, whether it was deserved or not. He always thought that the employee should win against the employers. He was a ghastly mistake.
Q: What impact will the retirement of Chief Justice Brennan and appointment of Chief Justice Gleeson have, in your mind?
Judge: Well, we’ll get back to law and not sociology. Gleeson’s a very good lawyer and since he hasn’t got a heart, there’s no danger of him being sort of over muffling to anyone. He’ll just apply strict rules. Bang, bang, bang. That’s it. [p.73 of the Thesis PDF]

Monday, July 23, 2007

Mobile phone registration: Of limited benefit, will not solve problems and not practical

The Independent reports:
ALL mobile phones will have to be registered as part of a Government plan to improve surveillance on drug dealers.

Currently, any person can buy a pay-as-you-go mobile phone anonymously, which makes it harder for the gardai to track those involved in the drugs trade.

In an interview with the Irish Independent, new Drugs Minister Pat Carey said registry would help to tackle the "rampant use" of mobile phones in prisons, as well as small-time dealers working in the "shopping-centre carpark, the church car park or the local football field".

"If you've nothing to hide, you've nothing to fear. There may well be confidentiality or civil liberties issues but there are lives of people at stake as well, which I believe overrides any of those."
This policy is a nonsense. But don't take my word for it. Here's an email which Antoin received from the Department of Communications, Marine and Natural Resources in January of this year:
The idea for a Register of mobile phones was extensively reviewed by officials in the Department. There were many complex legal, technical, data protection and practical issues to be considered. In theory, a Register of mobile phones might seem like a good idea. However, having looked at the situation in other administrations, considered the ease with which an unregistered foreign or stolen SIM card can be used and the difficulties that would be posed in verifying identity in the absence of a national identification card system, and having consulted with the Office of the Attorney General and other interested parties, it was concluded that the proposal would be of limited benefit, in that it would not solve the illegal and inappropriate use of pre-paid mobile phones and was not practical.
Incidentally, I'd be intrigued to know how this will stop the "rampant use of mobile phones in prisons". Perhaps Pat Carey might think about preventing prisoners from having mobile phones in the first place?

Wednesday, July 18, 2007

Can ISPs be required to block file-sharing?

EDRI has a very good summary of the remarkable decision in SABAM vs SA Scarlet which requires a Belgian ISP to monitor its network so as to block the sharing of copyrighted files over peer to peer networks:
In an unprecedented decision, the Court of First Instance in Bruxelles has ordered Scarlet, a Belgium ISP, to implement technical measures in order to prohibit its users to illegally download music files.

The decision comes after a complaint initiated in 2004 by Sabam (Belgian Society of Authors, Composers and Publishers) against the Belgium ISP Tiscali, now renamed as Scarlet. A first intermediary ruling of 26 November 2004 accepted the possibility for an ISP to disconnect customers if they violate copyrights, and block the access for all customers to websites offering file-sharing programs. But further technical clarifications were needed, so an expert was appointed in order to present its opinions.

In a report published on 3 January 2007, the expert presented 11 solutions that could be applied in order to block or filter the file-sharing, and seven of them could be applied by Scarlet.

The court has decided that Scarlet need now to implement one or more technical measures in order to stop the copyright infringement, by making it impossible for its subscribers to send or receive music files from the repertoire of Sabam via p2p software. Scarlet also needs to inform Sabam on the technical measures that will be implemented. The decision needs to be implemented in 6 months, or the ISP must pay 2 500 euros /day as damages for non-compliance.

The decision did not consider the issues regarding privacy, freedom of expression or the right to the secrecy of the correspondence. Scarlet also claimed that the duty imposed by the court is a general obligation to monitor the network, that is contrary to the EU E-commerce Directive. But the court stated that the decision was not an obligation to monitor the network and that the solutions identified by the expert were just technical measures allowing blocking or filtering certain information sent through the Scarlet's network.
There is a tension here between different aspects of European law. Copyright law requires member states to give copyright holders effective remedies against infringement - including injunctions against intermediaries who facilitate infringement. On the other hand, the E-Commerce Directive recognises that it would be impossible to operate a regime where ISPs were responsible for the activities of their users, and establishes protections for ISPs including a provision which prevents member states from imposing a general duty on ISPs to monitor their networks for illegal activity. This decision appears to privilege copyright law over the safeguards of the E-Commerce Directive, privacy of users, and freedom of expression and, if upheld, will result in ISPs become privatised censors (at their own cost, no less). Once the technology is put in place to prevent one type of material being distributed, we can expect function creep as other interest groups seek to censor other material also.

Tuesday, July 17, 2007

Australian challenge to Google advertising practices - implications for Ireland?

Silicon Republic reports that the Australian Competition and Consumer Commission has launched a challenge to how Google (and, by implication, other search engines) serve up advertising with search results:
Search giant Google, including named subsidiaries in Ireland and Australia, is being taken to court by the Australian Competition and Consumer Commission over the way it sells and displays its sponsored links.

Google is being sued by an Australian body over the practice of buying adverts next to search terms.

The Australian Competition and Consumer Commission (ACCC) is alleging that Google and one of its advertisers, the Australian shopping portal Trading Post, purchased ads next to the search terms “Kloster Ford” and “Charlestown Toyota”, two of its leading competitors.

The nub of the issue is that Google failed to make it clear that these words were not “organic” search results.

“This is the first action of its type globally,” the ACCC said in a statement. “Whilst Google has faced court action overseas, particularly in the United States, France and Belgium, this generally has been in relation to trademark use.

“Although the US anti-trust authority the Federal Trade Commission has examined similar issues, the ACCC understands that it is the first regulatory body to seek legal clarification of Google's conduct from a trade practices perspective.”

The ACCC says it has instituted legal proceedings in the Federal Court, Sydney, against Trading Post Australia Pty Ltd, Google Inc, Google Ireland Limited and Google Australia Pty Ltd alleging misleading and deceptive conduct in relation to sponsored links that appeared on the Google website.

“The ACCC is alleging that Trading Post contravened sections 52 and 53(d) of the Trade Practices Act 1974 in 2005 when the business names ‘Kloster Ford’ and ‘Charlestown Toyota’ appeared in the title of Google-sponsored links to Trading Post's website. Kloster Ford and Charlestown Toyota are Newcastle car dealerships who compete against Trading Post in automotive sales.”

The ACCC is alleging that Google, by causing the Kloster Ford and Charlestown Toyota links to be published on its website, engaged in misleading and deceptive conduct in breach of section 52 of the Act.

It is also alleging that Google, by failing to adequately distinguish sponsored links from “organic” search results has engaged and continues to engage in misleading and deceptive conduct that breaches Australian law.

Google Australia has described the lawsuit as an attack on all search engines and vowed to defend itself.

Google has won similar cases in the US courts brought by car insurance company Geico and IT support company Rescue.com.

The search giant lost a case in France whereby a fashion company accused the company of running links to counterfeit goods alongside legitimate results.

A US home furniture company, American Blind & Wallpaper Factory, is currently embroiled in a legal battle with Google alleging searches for the company brought up sponsored links brought by competitors.
While the ACCC press release and the stories about it aren't entirely clear, it seems that three separate issues are involved - (a) the use of competitors' names / trademarks as keywords to trigger advertising; (b) the use of those names / trademarks in the advertisement itself; and (c) whether the search results make clear the distinction between paid advertisements and "organic" search results.

How significant is this challenge from an Irish law perspective? Issues (a) and (b) have already been heavily litigated elsewhere, and I've discussed them in an article on keywords and metatags (with Paul Lambert). In that article we point out that in Europe the courts have leaned against the use of competitors' trademarks in the text of advertisements and have generally prohibited the use of competitors' trademarks as keywords. Consequently search engine policies here already refuse to allow the use of competitors' trademarks in the text of advertisements, and either refuse to sell trademarks as keywords or impose restrictions on so doing. To that extent it's unlikely that this ACCC action will have any great effect here. It is true that the majority of cases to date have been taken from a different legal perspective (trademark infringement or passing off rather than trade practices) but the issue is essentially the same regardless of the legal theory - have consumers been deceived as to the affiliation of the result?

Issue (c) may be more interesting. What does a search engine have to do to distinguish paid from organic search results? As the ACCC points out, the industry norm is developed from a 2002 recommendation of the US Federal Trade Commission which arose from this complaint against Altavista and others. That recommendation has led to most search engines using terms such as "sponsored results" or "sponsor results" to distinguish advertising from organic results, usually with either a different colour background or a line separating the advertising from the results. However, it's frequently said that consumers still have difficulty distinguishing between them. (Although one English judge has asserted that "The web-using member of the public knows that all sorts of banners appear when he or she does a search and they are or may be triggered by something in the search. He or she also knows that searches produce fuzzy results – results with much rubbish thrown in.")

If the ACCC can establish consumer confusion between results and advertising, the outcome is likely to be that search engines will be required to take steps to further segregate advertising from results, potentially reducing click through rates and revenue substantially - and this may have knock on effects for other jurisdictions, including Ireland.

Thursday, July 12, 2007

Your private information is for sale: Telephone Records ctd.

From the Sunday Independent, still more evidence that your telephone records are for sale to the highest bidder:
IRELAND has become a centre for commercial espionage with Dublin "like Berlin in the Cold War", according to a former top CIA operative.

The claims were made by Robert Baer who began his career as a spy when he became case officer with the CIA Directorate of Operations.

During a 20-year career as a covert operative, he had field assignments in India, Beirut, Tajikstan and northern Iraq .

"Let's say I wanted to know about you. The first thing I want is cell-phone records. Let's say I've got your landline number. From your landline I can do a data search and I can get your cell phone number in Ireland very easily," he said.

Mr Baer claimed that if he wanted to find a list of calls made from any mobile phone in the last six months, he could buy that information from a Dublin-based firm.

Monday, July 02, 2007

Defamation, search engines and the E-Commerce Directive

I'm quoted in the Sunday Tribune on the impact of Irish defamation laws on search engines. Unfortunately I have to quibble slightly with how the law is described in the article, which may be due to a breakdown in communications between myself and the author. Full text and my comments follow:
GOOGLE is facing a landmark defamation suit in Britain that could have repercussions for Ireland's attractiveness as a destination for online businesses.

The search giant has been sued by London businessman Brian Retkin, who claims the US company is responsible for providing links to inaccurate or malicious information about him and his business posted anonymously on the internet.

Irish legal observers, and Google's Dublin based legal eagles at its European headquarters, are watching the case unfold as defamation laws in the Republic are significantly less up-to-date than English laws on online libel.

The main difference is that internet service providers and online product providers such as Google have specific legal devices available to them under British defamation law and the EU's e-commerce directive, whereas in Ireland the laws have not been updated to take account of the information revolution.

"It's ridiculous because we're advertising ourselves as a knowledge economy and aiming to attract more companies like Google and Ebay here, but we're not giving them the legal protection they need in terms of defamation, " says barrister and digital rights campaigner TJ McIntyre.

The law lecturer claims there is a danger of Dublin courts attracting "libel tourism", much as London attracts so-called divorce tourism because of the reputation of English judges in awarding large pay-outs.

"Ireland's defamation laws are rooted in the middle of the last century, and even if [Michael] McDowell's proposed reforms in his defamation bill went through there would still be no mention of specific defences for online publishers."

The Retkin allegations are believed to have originated in America, where it is much more difficult to succeed in a libel claim because US judges have ruled that search engines and other internet service providers are immune from defamation lawsuits.

In Ireland, an online publisher could be treated as a disseminator of libel in much the same way as a newsagent can theoretically be sued for distributing newspapers containing defamatory content.

With Google linking to 11.5 billion web pages, potential financial damages in an Irish court could be staggering.

A spokesman for Google would not comment on the specifics of the case. "The company would reiterate that is has no connection or ability to direct or influence the content of web pages which may be shown as links within any given set of search results."
My quibble is with this passage:
[D]efamation laws in the Republic are significantly less up-to-date than English laws on online libel.

The main difference is that internet service providers and online product providers such as Google have specific legal devices available to them under British defamation law and the EU's e-commerce directive, whereas in Ireland the laws have not been updated to take account of the information revolution.
In fact, Irish and UK laws on intermediary liability are quite similar - both the Irish and UK Regulations adopt a minimalist approach to implementing the E-Commerce Directive (which has been transposed into Irish law, contrary to what the article might suggest). The problem for search engines and other intermediaries is that the E-Commerce Directive does not go far enough. Under the Directive a limited immunity is given to three classes of intermediaries - caches, hosts, and mere conduits. This, however, leaves other internet intermediaries out in the cold. Search engines, providers of hyperlinks and content aggregators are analogous to hosts or mere conduits (they facilitate access to material but do not control it or have knowledge of its content) - but they do not enjoy comparable protection under the Directive.

Several European countries have decided that the Directive is too narrow - Austria, Hungary, Portugal and Spain, amongst others, have created additional protections for search engines. The European Commission has also encouraged Member States to extend protection to other internet intermediaries. The risk for Ireland is that we may become less attractive as a destination for these businesses if Irish law does not follow suit. The Defamation Bill 2006 should have provided an opportunity to consider this issue - but that Bill would not have changed the law in this area had it been enacted.

On the libel tourism point, possibly the best Irish example is USA Rugby Football Union Limited v. Ivan Calhoun. In that case, although the plaintiffs ultimately failed to have the Irish courts accept their case, they succeeded in subjecting the defendant to two years of litigation (in both the Circuit Court and High Court) despite the lack of any real connection to Ireland, and despite the fact that the material published would not have been actionable in the United States.

Wednesday, June 20, 2007

First computer game banned in Ireland

Manhunt 2 has achieved the dubious honour of becoming the first game to be banned in Ireland. From the Irish Film Censors Office:
MANHUNT 2 VIDEO GAME PROHIBITED

A prohibition order has been made by IFCO in relation to the video game Manhunt 2. The Order was made on 18th June 2007 under Sec 7 (1) (b) of the Video Recordings Act 1989 which refers to ‘acts of gross violence or cruelty (including mutilation and torture)’.

IFCO recognizes that in certain films, DVDs and video games, strong graphic violence may be a justifiable element within the overall context of the work. However, in the case of Manhunt 2, IFCO believes that there is no such context, and the level of gross, unrelenting and gratuitous violence is unacceptable.
The Irish Times points out that this parallels a ban by the British Board of Film Classification:
Manhunt 2 has also been banned by the British Board of Film Classification, which has made it illegal for the game to be supplied anywhere in the UK.

A statement from the board yesterday said: "Rejecting a work is a very serious action and one which we do not take lightly. Where possible we try to consider cuts or, in the case of games, modifications which remove the material which contravenes the board's published guidelines.

"In the case of Manhunt 2 this has not been possible. Manhunt 2 is distinguishable from recent high-end video games by its unremitting bleakness and callousness of tone in an overall game context which constantly encourages visceral killing with exceptionally little alleviation or distancing.

"There is sustained and cumulative casual sadism in the way in which these killings are committed, and encouraged, in the game."
The system for censoring / self-classification of games in Ireland is a curious one - in part statutory, and in part based on voluntary cooperation between the games industry and the Film Censor. Marie McGonagle has outlined the system in detail here (PDF, pp. 23-30). The ban reflects a worrying worldwide trend towards greater censorship of games, in many cases whether or not aimed at adults.

Monday, June 11, 2007

Sharing out online liability: sharing files, sharing risks

My colleague Bob Clark has just published a very interesting article on legal implications of filesharing in the Journal of Intellectual Property Law & Practice. In comments that will be of particular interest to the 23 filesharers recently identified by the High Court, he suggests that the methods used by the music industry to monitor p2p networks might themselves be illegal:
The privacy interest
When the issue of a rightholder's ability to compel disclosure of the details of the person standing behind an IP address arises, personal privacy arguments have not succeeded in either the Irish or Canadian courts. In contrast, it is widely reported that the French Data Protection Authority has ruled that the automated monitoring of users of P2P filesharing systems may not be permitted since it results in the accumulation of ‘a massive collection of personal data’, on the basis of exhaustive and continuous surveillance' of P2P sites that goes ‘beyond that which is necessary for the fight against piracy’. While the impact of the new French Copyright law remains to be assessed, the IFPI is optimistic that data protection law does not bar discovery of identity orders in French courts. The view of the English and Irish courts is that, because data protection legislation in each jurisdiction permits personal data to be obtained following court orders, as long as the rightholder uses a Norwich Pharmacal or similar civil procedure the ISP will be able to disclose personal data about suspected filesharers. In EMI v Eircom Kelly J said, of the rights of privacy:
"the statutory entitlements, whether they arise under the Data Protection legislation of the Postal and telecommunications legislation are subject to a provision which permits the confidentiality to be legitimately breached by an order of the Court."
While he conceded that the law did not prescribe the conditions under which an order may be made, the ‘necessity’ test vis-à-vis Norwich Pharmacal is flexible enough to afford a basis for such an order.

What may remain unexplored is the difficulty rightholders may have in some jurisdictions in collecting evidence. Case-law suggests that the standard methodology is to engage a US agency, MediaSentry, to monitor volume uses of MP3 files, taking a 10 minute snapshot of real time users in order to identify potentially infringing filesharers on a high volume basis. In BREIN, the collection of personal data by MediaSentry on behalf of BREIN was held unlawful, MediaSentry not having signed up to the EU/US Safe Harbor Agreement. The Utrecht Court's ruling was upheld on appeal on the basis of infringement of privacy by MediaSentry and because MediaSentry's software was not sophisticated enough to identify users or acts of infringement correctly. This manner in which information is collected was also considered in Sharman, when Wilcox J put it to the MediaSentry witness: ‘so what you are doing is, you are in effect spying on a person who is in the act of downloading’.

In the context of Irish law, intrusive methods of collecting data may be challengeable under the privacy provisions in the EU Telecommunications Data Protection Directive, as well as under the constitutional guarantee of privacy in respect of the communication of messages. It is also uncertain whether rightholders are illegally using telecommunications technology to intercept communications as MediaSentry, at the time of the interception, clearly had no authority to do this. Thus, one may need to distinguish between activities that employ privacy intrusive techniques to collect evidence (no legal process having yet taken place) and a subsequent court application to complete the chain of evidence, to secure the names and addresses of persons behind the IP address. In the former case, serious statutory and constitutional law issues may need to be addressed. Until more light is cast on the methods of data collection used initially to identify suspects by organizations such as MediaSentry, this uncertainty will remain.

Rightholders may be aware that some collection techniques are legally suspect. In November 2005, the Creative and Media Business Alliance attempted to persuade the members of the European Parliament to extend the draft Data Protection Directive to cover offences that arise from copyright infringement. This attempt failed, the lobbying being attacked as both an infringement of civil liberties and an attempt to transfer the cost of protecting copyright from well-funded industries to European taxpayers and telecoms subscribers.

Wednesday, June 06, 2007

Copyright in custom code: Who owns commissioned software?

Commissioned or bespoke software can raise difficult issues of ownership if there is no clear agreement in place between the client and the developer. Who will own the copyright? Can the developer reuse code written for a particular client? Is the client entitled to modify or update the code? Can the client resell the software? Might the client be limited to using the code in a particular market sector or in a particular jurisdiction? Who owns any database rights in bespoke software? Does it matter whether the client is given the source code? Does it matter how much the client has paid for the software? Can a client claim joint authorship on the basis of their role in providing detailed specifications and taking part in beta testing? Might the moral rights of the developer limit what the client can do with the software?

I discuss the legal issues involved in this article which has just been published in the Journal of Intellectual Property Law & Practice.

Update: Out-Law have a report of a recent case exactly on point.

Sunday, May 27, 2007

SMS spammers forced to delete database

Another interesting case from the Data Protection Commissioner's 2006 Annual Report involves spam SMS sent by Opera Telecom to people who had texted support for the "Global Call Against Poverty Campaign". In this case the Commissioner used the enforcement powers to require Opera to delete that database in its entirety:
I received a complaint from an individual regarding the receipt of an unsolicited text message in November 2005. The message, sent by Opera Telecom, was a promotional message for a subscription service.

When my Office investigated the matter it was discovered that the complainant had attended a major music concert in Croke Park in June 2005. During the concert, those attending were encouraged to text support for the Global Call Against Poverty Campaign. The complainant did so. The information collected from these texts was stored in a database held by Opera Telecom and was subsequently used by the company for the purpose of sending unsolicited direct marketing SMS messages.

In October 2005 Opera Telecom sent a direct marketing text message to the complainant. Regulation 13 of Statutory Instrument 535 of 2003 refers to unsolicited communications, making it an offence in certain circumstances to send direct marketing messages. The message the complainant received was contrary to this Regulation. It also contravened Section 2 of the Data Protection Acts as the personal data in question had not been obtained and processed fairly and was further processed in a manner which was incompatible with the purpose for which it was originally collected.

During our investigation, my Office discovered that 16,000 concert goers had used their mobile phones to text support for the Global Call Against Poverty Campaign. My Office recognised the potential risk of all of these people being subjected to direct marketing in the same way as the complainant had been. Conscious of this risk, I initially requested in a letter to Opera Telecom that they delete the related Database. When it did not comply with this request, I used my powers under Section 10 of the Data Protection Act and issued an Enforcement Notice. An Enforcement Notice is a legal document and it is an offence not to comply with this. Opera Telecom complied with the Enforcement Notice and deleted the database.
This case highlights an important commercial point - customer and marketing databases may make up a great deal of the value in a business. Abuse those databases and you run the risk of destroying that value.

Meanwhile, if you're on the receiving end you might be interested in the Digital Rights Ireland guide to dealing with SMS spam.

Sunday, May 20, 2007

New developments in applying data protection law to the media

One aspect of the Data Protection Commissioner's 2006 Annual Report that will be of acute interest to media lawyers is its application of data protection principles to media coverage of the glitterati and in particular the children of celebrities.

There is an inevitable tension between privacy rights in general (including data protection law) and the interests of the media - particularly when it comes to the insatiable public desire for information about celebrities. Section 22A(1) of the Data Protection Act attempts to resolve this tension by providing a limited exemption from the Act for certain media activities:
Personal data that are processed only for journalistic, artistic or literary purposes shall be exempt from compliance with any provision of this Act specified in subsection (2) of this section if—

(a) the processing is undertaken solely with a view to the publication of any journalistic, literary or artistic material,

(b) the data controller reasonably believes that, having regard in particular to the special importance of the public interest in freedom of expression, such publication would be in the public interest, and

(c) the data controller reasonably believes that, in all the circumstances, compliance with that provision would be incompatible with journalistic, artistic or literary purposes.
This exemption incorporates a balancing test - the person publishing the information must reasonably believe that publication is "in the public interest" and that complying with the data protection principle at stake would not be compatible with their "journalistic, artistic or literary purposes".

The 2005 Annual Report indicated that the Data Protection Commissioner would not simply defer to an editor's decision that something was in the public interest:
While this section refers to the reasonable belief’ of the data controller, it does not, in my opinion, give a newspaper editor the sole discretion to judge if something is in the public interest. This point is perhaps more clearly expressed in Article 9 of the Data Protection Directive (95/46/EC) on which section 22A is based. This states that “Member States shall provide for exemptions or derogations from the provisions of (the Directive) for the processing of personal data carried out solely for journalistic purposes or the purpose of artistic or literary expression only if they are necessary to reconcile the right to privacy with the rules governing freedom of expression.”[emphasis added]

In the case of a complaint received by me, I must therefore judge if the data controller properly balanced the right to privacy with the public interest in disclosure. I must have regard to the nature of the facts, including whether the data relates to a public figure or a relative of a public figure, the age of the data subject and whether sensitive data within the meaning of the Acts is involved.
The 2005 Annual Report went on to say that this balancing exercise would be carried out in light of the European Court of Human Rights decision in Von Hannover and the relevant media codes of conduct, and that particular scrutiny would be applied in matters involving children under 16 where editors "should demonstrate the existence of an exceptional public interest in order to over-ride the normally paramount interest of the child."

These principles were applied in the 2006 Report to make two separate findings of a breach of the Data Protection Acts against the News of the World and the Sunday World. The facts of the News of the World case are typical:
I received a complaint on behalf of a data subject, a well-known individual, arising from material published in the News of the World (Irish edition) in 2005. The complaint related to the subject matter of the material published and the manner in which it was obtained. The material published consisted of a photograph of the data subject and child while shopping, together with related text expressly identifying the data subject's child by name and age, and referring to a third party's perception as to how parent and child were getting along. The complainant alleged that consent was neither sought nor obtained prior to the taking of the photograph. The complainant further alleged that consent was not sought nor obtained prior to the publication of the material subsequently in the News of the World newspaper. In particular, the complainant alleged that the publication contravened Sections 2(1), 2A (1) and 22 of the Data Protection Acts. The complainant considered that their right to privacy outweighed any purported journalistic purpose or public interest in the publication of their photograph and accompanying text which was the subject of the complaint.
The News of the World argued that the parent had, in the past, invited this attention and therefore there was a public interest in publishing. This was rejected, however, with the Data Protection Commissioner applying Von Hannover to find that there was no public interest in this case:
I am obliged by Section 3 of the European Convention on Human Rights Act, 2003, to perform my functions in a manner compatible with the State's obligations under the Convention's provisions. Accordingly, in arriving at my conclusion on the applicability of the Section 22A exemption to the facts of the case, I had regard to the provisions of Articles 8 and 10 of the European Convention on Human Rights and any guidance that the European Court of Human Rights (ECtHR) had provided on how the rights to privacy and freedom of expression should be balanced - the same balance that was at issue in relation to the applicability of Section 22A of the Acts.

In this regard, I noted the Decision of the ECtHR in the case of Von Hannover v. Germany (Application No. 59320/00) - the Princess Caroline case. The Court held that the German courts, in refusing to grant Princess Caroline of Monaco injunctions against newspapers taking and publishing photographs of her, had infringed her rights under Article 8 of the Convention. The photographs in question had shown Princess Caroline engaged in various activities such as shopping, playing sport and at the beach. The Court, noting that the material related exclusively to details of the applicant's private life, considered that "the publication of the photos and articles in question, of which the sole purpose was to satisfy the curiosity of a particular readership regarding the details of the applicant's private life, cannot be deemed to contribute to any debate of general interest to society despite the applicant being known to the public." In that case, the Court considered that “anyone, even if they are known to the general public, must be able to enjoy a "legitimate expectation" of protection and of respect for their private life."

While data protection law is not specifically dealt with in the Von Hannover Decision, this case was of assistance in helping me to come to a decision as to the appropriate balance between the public interest in freedom of expression and the individual's right to protection of their personal data, as required by Section 22A of the Acts.

Section 22A(3) of the Acts provides that, in evaluating whether a publication would be in the public interest, regard may be had to codes of practice approved by the Data Protection Commissioner pursuant to the Acts. While no such code has been approved, it seemed appropriate, in reaching a determination, to take note of the newspapers' own codes of practice. In making my assessment, I therefore took account of the National Newspapers of Ireland Code of Practice. In relation to children, the Code provides that they should not be identified unless there is a clear public interest in doing so. Relevant factors are identified as the age of the child, whether there is parental permission, and whether there are circumstances that make the story one of public interest, "or, if the person is a public figure or child of a public figure, whether or how the matter relates to his/her public person or office." I also noted that the UK Press Complaints Commission Code of Practice provides that editors must not use the fame of a parent as sole justification for publishing details of a child's private life and that "in cases involving children under 16, editors must demonstrate an exceptional public interest to over-ride the normally paramount interest of the child”. I was of the view that these provisions represent a fair expression of how the principles of data protection legislation ought to be applied in relation to children and minors.

In coming to my decision, I also noted the allegation, which was not refuted by the data controller, that the photograph was taken without the consent of the data subject. I issued a Decision on this case under Section 10(1) (b) (ii) of the Acts. Among other things, I found that it did not appear to me that the public interest claimed by the data controller in publication of the material in question could be such as to justify setting aside the right to respect for a person's private and family life.
This decision is significant in a number of regards. From a practical point of view it creates a low cost and effective route for a complainant to allege an invasion of their privacy. It makes life significantly more difficult for the media - notably it goes much further than the UK Press Complaints Commission Elle McPherson decision. But it also changes the privacy landscape more generally. Until recently it seemed that privacy issues in the media would primarily be governed by the regulatory package to be implemented by the Privacy Bill 2006 and the new Press Council of Ireland. With the lapse of that Bill (and its uncertain prospects in the new Oireachtas) the Data Protection Commissioner may end up assuming, by default, a role which that Bill had envisaged for the courts. A great deal will depend on whether the Commissioner is willing to leave these complaints to be dealt with by the Press Council - and that in turn will probably depend on how effective the Press Council proves itself to be.

Friday, May 18, 2007

Creative Commons Ireland goes live

Darius Whelan and Louise Crowley at UCC have been working hard on localising the Creative Commons licences for Ireland, and they've now launched a Creative Commons Ireland site with a draft Irish licence. Eoin O'Dell has more on why this matters.

Private use of public information - using public records for marketing

Suppose you are a direct marketer. You learn that all sorts of interesting and lucrative personal data must be made public by State bodies. (For example, the Companies Registration Office must provide details of company directors.) Can you use that information for marketing purposes? Can you package and resell that information to others?

The 2006 Annual Report of the Data Protection Commissioner includes a guidance note which goes into this in detail. The crucial point is that although the Data Protection Acts don't apply to disclosure by state bodies of information which must be made available to the public, they do apply once that information passes into the hands of a third party (such as a marketer). Consequently, if you wish to reuse that information, you must notify the individuals concerned in advance and you must give them a cost free opportunity to opt-out from having that information used for direct marketing.

Full guidance note:

Guidance Note on the Use of Publicly Available Data for Direct Marketing

Last year my Office was contacted by a number of people who had received direct marketing material by post as a result of the publication of their names and addresses on various lists and registers. The authors of these lists and registers were obliged to make them available to the public under law. For example, the Companies Registration Office must make its Register publicly available. Similarly, planning authorities must publish a weekly list of planning applications and planning decisions. All of these documents contain personal data. Section 1(4)(b) of the Data Protection Acts provides that the Acts do not apply to personal data consisting of information that the person keeping the data is required by law to make available to the public. A key point here is that the exemption from data protection requirements only relates to the information in the hands of those public bodies that are obliged to make it available. Any other entity seeking to use such information once in the public domain must comply with the standard requirements of data protection.This is a point that my Office needed to highlight on a number of occasions and I am glad to say it was readily accepted in all instances by those entities in receipt of the advice.

As a result of the level of complaints made to my Office on this issue, I was asked to provide guidance on the re-use of personal data contained in publicly available documents. Set out below, as an example, is the text of an information note which I provided as guidance to the Companies Registration Office:

This information note sets out the position of the Office of the Data Protection Commissioner on the re-use of personal data contained in information in the CRO Register which the CRO is obliged by law to make available to the public. The published information contains "personal data" and each living individual is a "data subject" within the meaning of the Data Protection Acts, 1988 & 2003. Accordingly, the recipients of this information are "data controllers" within the meaning of those Acts. If those data controllers intend to use or further process this personal data in any way, they should be aware of the following Data Protection requirements:

Personal data must be processed fairly. Section 2D (1) (b) of the Data Protection Acts obliges a data controller to ensure, as far as practicable, that the data subject has, is provided with, or has made readily available to him or her, at least the following information not later than the time when the data controller first processes the data or, if disclosure of the data to a third party is envisaged, no later than the time of such disclosure:

● the identity of the data controller
● if he/she has nominated a representative for the purposes of the Act, the identity of the representative
● the purpose(s) for which the data are intended to be processed
● any other information which is necessary to enable processing in respect of the data to be fair to the data subject
● the categories of data concerned
● the name of the original data controller.

The Office of the Data Protection Commissioner considers that it would be reasonable for data controllers to meet these requirements as the information in their possession contains the contact addresses of the data subjects concerned.

In addition, in accordance with Section 2(8) of the Data Protection Acts, a data controller who anticipates that the personal data within the CRO published information, for which they are now the data controller, will be processed for the purposes of direct marketing must offer those persons whose data will be so processed a cost free opportunity to object in advance to receiving direct marketing. This applies both to data controllers who intend to use the personal data for direct marketing potential customers and to data controllers who intend to process the personal data for distribution to third parties for direct marketing by the third parties.

The Office of the Data Protection Commissioner considers that there is no scope for data controllers to target for direct marketing purposes those individuals whose personal data has come into their possession in this way without first having applied this procedure.

Furthermore, data controllers who may have intentions of processing the personal data by placing it on a website (in any format) should be aware that such processing does not meet any of the conditions set down in Section 2A of the Data Protection Acts (processing of personal data) as there is no consent from the data subjects for such processing of their personal data.

The Office of the Data Protection Commissioner holds a strong position on this matter. The Office cannot envisage any case where the processing of personal data obtained in this way is necessary for the purposes of the legitimate interests pursued by the data controller. Such legitimate interests must be balanced with the fundamental rights and freedoms of the data subjects themselves. The Office considers that this balance is not reflected in the posting of such personal information on a website.

Data Controllers who fail to comply with all of the requirements set out above may be deemed to have breached the Data Protection Acts. Breaches of Data Protection legislation may be reported to, and investigated by, the Data Protection Commissioner. Where the Commissioner forms the opinion that a data controller has contravened or is contravening a provision of the Acts, he may use the enforcement powers conferred on him under the Acts. This includes the power to require a data controller to destroy the database concerned.

Wednesday, May 16, 2007

A day in the life of the surveillance society

The Data Protection Commissioner's Annual Report, following the lead of his English counterpart, has a very interesting account of a day in the life of our surveillance society and how we can expect it to make terrorist suspects of law abiding individuals:
A Day in the Life

07:00 Annie Wun wakes up and turns on her computer to access the internet. She begins by checking the news using her account on an on-line news source. She had checked the privacy policy of the website before registering and was satisfied with the uses made of her data.

07:15 Annie searches for some personal items online. The searches together with her IP address (a unique address assigned to Annie's PC by her internet service provider (ISP)) are recorded and retained by the ISP for an unknown period of time and without a specified purpose. Searches made by Annie are also retained by the search engine and sometimes clearly used for targeted marketing purposes.

07:30 Annie phones her father to talk about a story on the news. The record of her call to her father is retained by her phone provider for a period of 3 years as required by law. It will be available to An Garda Síochána (and hopefully nobody else) should the need arise as part of any criminal investigation.

08:00 Annie leaves her house and drives to work. She passes through a toll booth using her easy travel card. Information is stored about the time her car passes through the booth and other booths along the journey each time. Again this information is retained and may be accessed for law enforcement or other purposes.

09:00 Annie reaches her workplace. CCTV cameras record her arrival as her employers are concerned about the security of the workplace. The use of CCTV was communicated to employees in advance of implementing the system and it was made clear to them that images from the system would only be used for security purposes and would be kept safe and secure.

Annie's employers were also concerned about their ability to properly track their employees in terms of time worked in the workplace so, after considering many options, they introduced a biometric thumb print clock-in system which records each employee each time they enter and leave the workplace. Annie was concerned that such a system was a bit intrusive into her personal space but most of her colleagues seemed unconcerned so she went along with it. There are no details available to Annie as to what other uses her employer might make of the information or indeed what security is in place to protect her personal data stored in the system.

09:15 Annie logs onto her email to check for any emails received. She has received a number of work related emails which require her attention and one personal email. Her employer has an email and internet usage policy in the workplace stating that some limited personal use of these facilities is permitted but that inappropriate usage is not permitted. Annie understands that this means that her employer may check her emails and internet usage from time to time or in response to a genuine suspicion of inappropriate usage. However, her employer may not check her mail or internet usage on an ongoing basis since this would intrude on her legitimate, limited personal use of these systems.

11:15 Annie uses her coffee break to check her bank balance using her bank's on-line service. Her bank knows how much use she makes of her account and has credit-profiled her based on this use for a €10,000 loan which is offered to her upon log-in. She doesn't accept.

Annie had spoken to her younger brother the previous evening and agreed to send him some additional funds. He is back-packing around Europe. Annie chooses the fund transfer option. Her bank, in common with all other major financial institutions, uses the SWIFT exchange system for such transfers. It is not made clear to Annie that details of the transfer may be accessed by the US Government as part of its efforts to combat the financing of terrorism.

13:00 Annie pops out for lunch and visits her local supermarket to pick up some things for the house as she is planning a major spring clean at the weekend. She hands in her store card to collect loyalty points as part of the purchase. Her supermarket accesses her information to monitor her buying habits and offers some suitable products in her next mail shot. She doesn't mind as she personally doesn't care what the supermarket knows about her buying habits. She was, of course, recorded on the shop's CCTV system as she entered and exited the shop.

13:20 Annie visits her local library to return a self help book “Male and Female Chemistry” and takes out a book on building self esteem “Love Bomb People”. She uses her library card which stores her usage pattern on the local authority database.

13:45 Using her lunch-break, Annie phones the Revenue Commissioners to query her tax allowances. She gives her personal public service number (PPSN) to the person on the other end of the phone line. They use her PPSN to pull up her name and address and a complete record of her dealings with the Revenue Commissioners for the past number of years. This reveals that she is a member of a Trade Union (a fact that her employer is unaware of), pays her refuse charges and claimed a substantial amount in medical
expenses the previous year.

16:00 Annie has to leave work early today to attend hospital for an appointment with her specialist. Annie still suffers from pain from an accidental shotgun wound in her leg suffered in an accident while on her family farm 3 years ago. Upon arrival, she gives her details. Her full medical file is with her specialist. This is not a concern as she wishes this to be the case. She is also aware that her full medical history is entered on an electronic system in the hospital. She does not mind this either but assumes that her records are only accessed by those persons who need her information to treat her.

18:00 Annie arrives home. She picks up her post which arrived after she left the house in the morning. Her credit card company is offering her another loan and has increased the credit limit on her card (without her asking) based on their analysis of her usage. She has also received direct marketing from a company with which she had no previous dealings offering her services for the property for which she has just made a planning application. She is very surprised at this as the local authority had not informed her that her personal details would be made public as part of the planning process. She has also received an unwanted text message offering her similar services. She is also very surprised by this but remembers that her local authority had asked her for her mobile phone number as a means of contacting her.

19:00 Having eaten dinner, Annie logs onto the internet again and books a flight to New York (she will in fact have minor plastic surgery undertaken). In doing so, a large amount of her personal details, which she was required to make available to book the flight, will be made available to the US authorities, in advance of her travelling, as part of its security procedures. Using this information, an assessment will be made as to whether she poses a threat to US security. The airline, through on-screen information, had provided some details of this but Annie does not normally read all such optional information, so is not aware of this.

20:00 Annie receives a call on her mobile phone. She doesn't recognise the number but answers it in any case. Upon hearing her name the person hangs up and Annie thinks nothing more of it. Unknown to Annie, the person who had phoned her number by accident is suspected of criminal activity by An Garda Síochána. They will shortly make a formal request under the provisions of the Criminal Justice Act 2005 for all records of phone activity by that person. This will highlight that Annie's number was phoned. As a result, An Garda Síochána will also request all details of her mobile phone usage for the past 3 months to ascertain whether she is relevant to their inquiries. This will ultimately reveal that she is not but only after all her mobile phone usage - including her location when she made and received calls - is thoroughly examined. Annie finishes her day by watching Big Brother on television. Her personal data is not made available to anybody else for the rest of the day.

Surveillance Society?

Well, why would law-abiding Annie Wun have anything to worry about? Her daily life has been made easier by the use of modern technology and she has willingly shared her personal information to get these benefits. Then again, perhaps she should worry. What if the information retained about her were pulled together in one place? The profile which emerges, and the conclusions that could be drawn from it, might give her an unpleasant surprise. Step forward Annie Wun, terrorist suspect?

ANNIE WUN:

Internet News Search: Articles of Interest include “London Terrorists Charged” (internet records).
Web searches: Plastic surgery.
Fund Transfer: Made out to a male in Hamburg.
Medical records: Operated on for gunshot wound.
Criminal records/offences committed: Yes. (Two speeding fines)
Local Authority library files: A word search threw up two hits - “chemistry” and “bomb”.
Phone records: Call received from known criminal.
Shopping habits: Large variety of hazardous cleaning materials purchased.
Holiday plans: Travelling on a flight to New York next week.