Last year the European Data Protection Board commissioned me to write a report on legitimate interest as part of the series of One Stop Shop thematic digests and I'm delighted that this has now been published. The report surveys every publicly available OSS decision applying legitimate interest as a legal basis, finding a significant number of interesting decisions applying this concept in areas such as consumer credit, fraud prevention, and regulating user behaviour on online services. One aspect I found surprising was how legitimate interest can diverge between member states, creating what are effectively choice of law issues for supervisory authorities who must decide how far to take into account national law and social norms in different states.
Friday, March 27, 2026
Legitimate interest in practice: EDPB report on one stop shop decisions applying legitimate interest
Last year the European Data Protection Board commissioned me to write a report on legitimate interest as part of the series of One Stop Shop thematic digests and I'm delighted that this has now been published. The report surveys every publicly available OSS decision applying legitimate interest as a legal basis, finding a significant number of interesting decisions applying this concept in areas such as consumer credit, fraud prevention, and regulating user behaviour on online services. One aspect I found surprising was how legitimate interest can diverge between member states, creating what are effectively choice of law issues for supervisory authorities who must decide how far to take into account national law and social norms in different states.
Monday, January 05, 2026
Digital Searches in Ireland: Garda Powers Bill published
The Department of Justice, Home Affairs and Migration has published a draft Garda Síochána (Powers) Bill, with huge implications for digital searches in Ireland.
This follows on from a Heads of Bill originally put forward in 2021. There were clear problems with that proposal, which I discussed in the Irish Times at the time. Many of these were borne out by subsequent judgments which derailed the Bill for some years and ultimately forced a change of approach. In particular, the Supreme Court decisions in Corcoran and Quirke are clearly reflected in the revised Bill. Between them, these judgments have forced much greater emphasis on judicial authorisation of searches and handling legal privilege/journalist source protection, and Parts 3 and 4 are radically changed as a result.
The Bill appears to offer a much improved set of safeguards in relation to digital searches. However the devil is very much in the detail and the text will require close scrutiny. In particular, it will be interesting to see whether the Bill fully takes account of the CJEU judgment in CG v Bezirkshauptmannschaft Landeck, which seems to impose greater procedural safeguards than domestic law. At first glance the Bill also seems to duck the comity and proportionality issues presented by remote searches - which Maria Murphy and I discuss here (p.25).
A summary of the Bill is here.
Wednesday, February 05, 2025
Police powers to demand passwords - Poptoshev v DPP
Does a law violate the privilege against self-incrimination by requiring an individual to reveal a device password when a search warrant is being executed? The Irish High Court recently considered this issue in Poptoshev v DPP, holding that it doesn't.
In Poptoshev the applicant challenged sections 48 and 49 of the Criminal Justice (Theft and Fraud Offences) Act 2001. Section 48 allows gardaí with a warrant under that section to operate any computer at a place which is being searched, and to require any person at that place, who has lawful access to the information in any such computer, to furnish any password necessary to operate it. Section 49 criminalises failure to provide that password.
The applicant refused to provide passwords for two mobile phones and a laptop seized from him during a search of his home. When charged with failure to provide the passwords he brought a judicial review action claiming that this obligation, and the corresponding criminal penalty for failure to comply, amounted to a disproportionate interference with the privilege against self-incrimination under both the Constitution and the European Convention on Human Rights.
The High Court rejected this claim. The court held that the privilege against self-incrimination did not apply on the basis that 'the passwords in relation to each of these three devices existed independent of the will of the applicant', relying in particular on the similar English judgment in R v S (F). (An important aspect was that the applicant admitted ownership of the devices - there would have been a stronger self-incrimination claim otherwise.)
Separately, the High Court also held that mobile phones were included in the term 'computer' in the 2001 Act, which did not specifically define computers, and that the duty to provide a password applies 'there and then' while a search is being carried out and cannot be met by providing a password subsequently.
It is interesting that it has taken over twenty years for the constitutionality of this provision to be considered. There doesn't seem to have been many (if any?) prosecutions for failure to provide a password before now. According to a 2017 EU review of Irish law on cybercrime, Irish officials indicated that 'prosecution for withholding passwords is generally not done due to the right against self-incrimination' (p.68). After this judgment it's likely that these prosecutions will become more common.
Friday, May 03, 2024
Irish state spyware and the law
Ireland featured in that report, but only incidentally as the home of several spyware businesses which had set up shop in Dublin for tax advantages. Consequently the report leaves unanswered the questions of whether the Irish state is using spyware and if so what legal justifications it is using to do so.
Let's have a quick look at those questions.
There's not a lot of direct evidence here - there is no Irish law specifically governing state spyware and the state refuses to comment on its use - but I obtained an interesting document under FOI which might shed some light on this.
This is the Department of Justice's response to a questionnaire from the European Commission looking for "information from all Member States about the use of spyware by national authorities and the legal framework governing such use". (Cianan Brennan had a good summary of the response in the Examiner.)
The letter to the Commission is careful not to confirm or deny that the Garda Síochána or other state agencies agencies use spyware. In fact, it doesn't even mention the word. However, it does suggest that state agencies do. (Unsurprisingly: as far back as 2015 the Defence Forces were in discussion with Hacking Team about purchasing their products.)Data retention in Ireland: When European law meets national recalcitrance
I've just finished writing a chapter on data retention law in Ireland for a forthcoming collection edited by Eleni Kosta and Irene Kamara. It examines how, from the judgment in Digital Rights Ireland onwards, the Irish state has fought a rearguard action against compliance with EU fundamental rights.
Abstract:
This chapter examines the development of data retention in Ireland following the CJEU judgments in Digital Rights Ireland and Tele2 Sverige. It describes how the Irish State continued to enforce national data retention law for six years after Tele2 Sverige confirmed its illegality, attempted to re-litigate the legality of indiscriminate data retention before the national courts, and reformed domestic law only when forced to act by the CJEU decision in GD v Commissioner of An Garda Síochána. It assesses how national oversight mechanisms largely failed to address this illegality and argues that the data retention saga has highlighted significant weaknesses in the criminal justice system, the ‘designated judge’ model of supervising surveillance, and the accountability of the executive to parliament.
Friday, November 10, 2023
The "essence" of the fundamental rights to privacy and data protection in the context of state surveillance
The EDPS has just published a comprehensive study by Prof. Gloria González Fuster on the essence of the fundamental rights to privacy and to protection of personal data, and marked the publication of the study with a one day seminar on the issue earlier this week. As the event wasn't public I won't summarise what the other panellists said, though I'm sure they won't object if I refer to some of their excellent prior work either directly on the topic or touching on it (Prof. Takis Tridimas; Prof. Cecilia Rizcallah; Prof. Maria Grazia Porcedda; Prof. Kathleen Gutman; Prof. Herke Kranenborg (paywalled); Prof. Nóra Ní Loideáin; Prof. Hielke Hijmans).
For my part, I offered some practical thoughts on applying these concepts to state surveillance which I've summarised below.
To set the scene: identifying the "essence" of these fundamental rights is significant because of Article 52(1) of the Charter of Fundamental Rights which provides that "Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms". As the President of the CJEU, Koen Lenaerts, has explained:
Respect for the essence of fundamental rights is laid down in Article 52(1) of the Charter of Fundamental Rights of the European Union, as one of the conditions that must be fulfilled in order for a limitation on the exercise of a fundamental right to be justified. Accordingly, where an EU measure fails to take due account of the essence of a fundamental right, that measure is incompatible with the Charter and must be annulled or declared invalid. Similarly, where a national measure implementing EU law—within the meaning of Article 51(1) of the Charter—fails to respect the essence of a fundamental right, that measure is to be set aside.
While generally fundamental rights can be restricted if a limitation is a necessary and proportionate measure to achieve an objective of general interest or to protect the rights and freedoms of others, a measure which trenches on the essence of the right cannot be justified in this way. As President Lenaerts puts it:
Once it is established that the essence of a fundamental right has been compromised, the measure in question is incompatible with the Charter. This is so without it being necessary to engage in a balancing exercise of competing interests. As the Schrems I judgment shows, a measure that compromises the essence of a fundamental right is automatically disproportionate.
The caselaw on the "essence" of fundamental rights is, however, notoriously terse in its reasoning, especially in relation to state surveillance. That said, we can pick out four key findings:
First, the caselaw recognises a content/metadata distinction: In Digital Rights Ireland legislation requiring telecommunications companies to indiscriminately retain traffic and location data on all users was held not to violate the essence of the right to privacy under Article 7 of the Charter on the basis that "the directive does not permit the acquisition of knowledge of the content of the electronic communications as such". (Tele2 restates this point.) Conversely in Schrems I the CJEU held (regarding US law) that "legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter".
Second, it seems clear that the caselaw requires an individual legal remedy for wrongful surveillance to include deletion of illegally obtained surveillance material; in Schrems I the CJEU held that: "legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter". (Schrems II makes a similar finding in relation to the Privacy Shield ombudsman mechanism without explicitly addressing the point.)
Third, the CJEU seems to have implicitly accepted that indiscriminate state access to metadata would not violate the essence of the fundamental rights to privacy and data protection: in Privacy International the Court assessed UK bulk collection of communications data on a proportionality basis without mentioning the question of whether bulk collection violated the essence of these rights.
Fourth, the caselaw accepts (in the two PNR cases) that indiscriminate state access to travel data does not in itself violate the essence of the fundamental rights to privacy and data protection, at least so long as that data is "limited to certain aspects of that private life" and does not "allow for a full overview of the private life of a person" (Opinion 1/15; Ligue des droits humains).
Overall, therefore, the notion of the essence of rights has played a limited role in relation to EU and Member State surveillance measures, and the CJEU has been unwilling to hold that even what it describes as "very far-reaching [and] particularly serious" interference with these rights (indiscriminate telecommunications data retention) constitutes an interference with the essence. While there are many cases invalidating EU/Member State surveillance measures on proportionality grounds, there are none which find that such measures violate the essence of the rights to privacy or data protection.
Why this reluctance? It may be that preserving institutional capital plays a role: a finding that a particular form of surveillance violates the essence of a right would be very difficult to walk back in the case of Member State pushback, while a finding of disproportionality is more easily finessed in future cases. The one area where the CJEU has found a surveillance tactic to violate the essence of a right - generalised state access to the contents of communications - is precisely the area which has not presented a significant clash with Member States, as their bulk interception activities have largely been shielded from scrutiny by the CJEU by the general exclusion of national security measures from the scope of EU law. Instead, direct Member State activities in this area have generally been assessed by the more lenient standards of the ECHR, under which the ECtHR has held that bulk interception is in principle compatible with Article 8 (Big Brother Watch; Centrum För Rättvisa).
My sense is that this position - in which the CJEU has not had to confront wider issues around the essence of the rights to privacy and data retention, particularly in relation to bulk interception - is about to come to an end.
Multiple current controversies are set to put issues about the essence of these rights in front of national courts and ultimately the CJEU. The Encrochat and SkyECC investigations are already presenting significant issues about the legality of bulk collection of communications from all users of particular services. The proposed CSAM Regulation would mandate indiscriminate examination of all communications on particular services and is certain to be challenged on that basis. The fallout from state use of spyware such as Pegasus across Europe continues. (Indeed, the EDPS has already described such spyware as threatening the essence of the right to privacy.) The EDPB has also described growing use of widescale facial recognition in public places as likely to violate the essence of the right to data protection.
What these situations have in common (with a possible exception in relation to state spyware, depending on the exact context) is that they are certainly within the scope of EU law and therefore do not benefit from the national security cloak of invisibility. It may be that some of these cases can be dealt with solely under the Law Enforcement Directive, the e-Privacy Directive, the forthcoming AI Act, or other relevant legislative measures, but it seems inevitable that the CJEU will ultimately have to address whether these types of large scale surveillance are compatible with the "essence" of the Charter rights to privacy and data retention.
Finally, I should mention an issue about procedural approaches to identifying the essence of these rights in the context of state surveillance. Some of the caselaw (such as Digital Rights Ireland and the PNR decisions) suggests that there is no breach of the essence of the right to data protection provided that the law provides some data protection safeguards, albeit that those safeguards might not be adequate. Other judgments (particularly Schrems I and II) place particular focus on the right to effective judicial protection under Article 47 of the Charter. However it seems to me that to concentrate on procedural safeguards risks conflating assessing the essence of the right with assessing the legality of the interference with the right. Article 52(1) of the Charter already provides that limitations on rights must be "provided for by law". This closely resembles Article 8(1) ECHR which provides that restrictions on the right to privacy must be "in accordance with the law" - a formula which has been used by the ECtHR in cases from Klass v. Germany onwards to read in safeguards such as independent oversight of surveillance as essential components of legality of surveillance systems. If the legality assessment already requires some procedural safeguards, then is it redundant to treat those safeguards as also making up (part of) the essence of these rights? To put it another way, what are the additional procedural or oversight elements that comprise the essence of these rights which are not required by the principle of legality?
Thursday, June 17, 2021
Issues with the new Garda Powers Bill
I have a piece in today's Irish Times which identifies some serious concerns with the new Garda Powers Bill. Here's an excerpt:
The sensitivity of your phone means that this week’s proposal from the Department of Justice for a new Garda Síochána Powers Bill requires close scrutiny. That proposal would introduce a new power for gardaí, when carrying out search warrants, to demand your password or PIN and require you to biometrically unlock your phone (or tablet, or computer) using your fingerprint or face.As well as taking a copy of everything on the device itself, gardaí could also use the device to access any other service you use – such as your webmail, cloud storage, or online banking – and then take a copy of that data also.
The way in which the searches would be carried out is concerning. Failure to comply with the demand there and then (with no right to consult a solicitor) would be an offence exposing you to immediate arrest, punishable by imprisonment for up to five years and a fine of up to €30,000. This power would also apply to the devices of “any person present at the place where the search is carried out”, including for example the parents or siblings of a suspect or someone who shares a house with them.
Saturday, February 08, 2020
The GAA and the GDPR
Facebook is not providing WhatsApp for philanthropic purposes, and information about who you communicate with, how and when is immensely valuable. When it bought WhatsApp, Facebook attempted to combine that information with individuals’ Facebook activity – to build up a complete picture of your activity, public and private – despite stating to the European Commission that it would not do so. Facebook was eventually stopped by data protection authorities, and in 2017 it was fined €110 million by the European Commission for its deceptive statements during the merger.
Nevertheless, it has stated that it still aims to use WhatsApp information for Facebook advertising, and presumably will also use your WhatsApp activity for ad targeting as it rolls out advertising on WhatsApp in 2020.
Given the commercial value of this personal information, clubs and other groups who communicate through WhatsApp are still paying for a service – it’s just that they’re shifting the cost to their members, who pay with their privacy.
Full text
Thursday, November 22, 2018
The new Irish ban on social media posts from court
In 2011, the English courts introduced rules preventing anyone other than journalists or lawyers from posting to social media in the courtroom; the new Irish rules are largely identical, and seem to have been prompted now by judicial concern at both the Jobstown trial and the Belfast rugby rape trial. The #JobstownNotGuilty and #IBelieveHer hashtags show a growing popular willingness to second-guess the judicial process and this ban can be seen as a direct response.Full text of the article.
There are certainly good reasons for banning live tweeting in some cases, particularly in criminal trials where much takes place in the absence of the jury.
However, the speech by the Chief Justice did not make the case for the blanket ban which was introduced. All the examples of abuse he gave related to criminal trials - there is no obvious reason why civil trials, which normally do not have a jury, should be treated in the same way. This is equally true of appeal courts, which hear legal argument rather than evidence, and in the UK the Supreme Court allows any person attending a hearing to live tweet except in special circumstances.
The restriction to "bona fide members of the news media profession" is also problematic. In his speech, the Chief Justice equated "hobby journalists" with "the single contrarian in a basement".
However this disregards a number of Irish and European judgments stressing the high constitutional value of citizen journalism; restricting live coverage to those who can produce traditional media credentials has the merit of administrative convenience but will limit many who could provide useful and informed coverage of proceedings.
Thursday, September 28, 2017
Ireland must learn from UK data protection and ID disasters
Ireland must learn from UK data protection and ID disasters
The growth of the public services card as a de facto national ID card has attracted a lot of media attention recently, with special credit due to Elaine Edwards of this newspaper for her persistence in excavating the facts on which most of the later reporting has been based.
The issue continues to rumble on, and the Data Protection Commissioner has asked the Department of Social Protection to explain the legal basis for the claim that the card is mandatory. One month later, despite repeated promises, the department has not yet done so.
More could be written about the public services card, and the varying and sometimes contradictory claims put forward to support it. But if we focus on the card we risk missing the wider picture, which is that the card is not an aberration but exemplifies a systematic disregard for privacy and data protection throughout the State.
Consider the Department of Health. In a remarkable statement to the Dáil earlier this month, Minister for Health Simon Harris admitted that Ireland “remains in breach of both European Union and national data protection legislation” by keeping a database of blood samples from newborn children without the consent of their parents. Following a complaint in 2009, the Data Protection Commissioner ordered that these samples be destroyed. However, the Department of Health has failed to comply and is instead proceeding with plans to retain the database and to open it up for research and possible other uses.
This defiance of the law raises significant questions for the independence of the Data Protection Commissioner, who has taken no enforcement action against this challenge to her statutory authority. The message to the State is that it can ignore data protection law with impunity.
Since 2014, the Department of Health has also been involved in developing health identification numbers and electronic health records schemes, which present significant issues of privacy and confidentiality. For example, by requiring the use of health identification numbers these schemes tie together potentially leak-sensitive information about an individual’s medical history, despite an earlier promise that use of these numbers would be voluntary. It is hard to trust assurances from the department on this issue given that it is already, by its own admission, in deliberate breach of data protection law.
We see the same picture elsewhere.
In 2014, An Garda Síochána started using body-worn cameras in an ad hoc way, without any legislation or formal safeguards. The Garda five-year modernisation plan says that the Garda will start taking video feeds from the National Roads Authority, local authorities and private car park operators to run automatic number plate recognition systems – creating a national database of people’s travel to be stored for an unspecified period.
That plan also says that, from 2017, the Garda will start using “face-in-the-crowd and shape-in-the-crowd biometrics” to identify people on CCTV systems. Again, all of this is to take place without any legal basis, in a manner that appears to be contrary to data protection law. It seems the Garda has not learned any institutional lessons from the 2014 scandal around the recording of calls to and from Garda stations, nor from the ongoing concerns about abuse of the Pulse system.
The common pattern in these cases is that fundamental rights are viewed as inconvenient obstacles. This is a paternalistic view, in which the institution knows best and public concern can be disregarded. However, this approach merely stores up problems for the future. There are lessons for Ireland from the UK, where many of these issues have already been played out.
In 2002, the UK government launched a National Health Service-wide electronic health records system which failed to adequately address patient confidentiality. This was eventually scrapped in 2011, in large part due to concerns about privacy, and replaced with systems which guarantee that patients can opt out of data sharing. The ultimate cost was in the region of £10 billion.
The public services card has a parallel in the UK, where ID cards and a National Identity Register were introduced by legislation in 2006, only to be abandoned and the data destroyed in 2011 following extensive public opposition. Similar to the public services card, the UK ID card had no clear rationale and was ultimately rejected by the Tory/Lib Dem coalition government as “wasteful, bureaucratic and intrusive”, at an eventual cost of about £5 billion.
The increasing Garda use of CCTV, facial recognition and number-plate recognition also echoes the UK, where both the information commissioner and the independent surveillance camera commissioner have described similar practices by UK police forces as intrusive, disproportionate and illegal.
The message from these UK examples is clear. While state authorities may push ahead with plans which ignore concerns about privacy and data protection, the law will eventually catch up with them, usually at significant cost to the taxpayer. Fundamental rights are factors which must be taken into account at the outset, not reluctantly considered when a scheme is already being implemented.
As the Data Protection Commissioner put it in her most recent annual report: “Public-sector bodies and Government departments are in many cases slow to adjust to the reality that data-protection rights cannot simply be legislated away without sufficient necessity and proportionality analysis and prejudice tests being applied.”
The failure of the State to accept these points has already squandered public trust in areas such as the public services card, and seems likely to do so in other areas such as electronic health records.
Dr TJ McIntyre is a lecturer in the UCD Sutherland School of Law, a solicitor with FP Logue Solicitors and the chair of Digital Rights Ireland
Saturday, August 26, 2017
Letter regarding the Public Services Card
The full text of the letter and the signatories are below.
Monday, May 15, 2017
Oversight of phone tapping in Ireland: still inadequate
The reaction of the Department of Justice and An Garda Síochána to the latest phone-tapping scandal has been a predictable circling of the wagons. As usual, those bodies have refused to address the details of the allegations. We have seen generic statements, asserting that there is a legal basis for phone tapping and that it is subject to judicial oversight.
The problem with that response is simple: it is clear that both the Irish law on phone tapping and the way it is implemented fail to meet fundamental international standards.
Take the most basic starting point: who decides whether a phone tap should take place? International human rights law requires that interception of communications be authorised by a judge or an equivalent independent body. In Ireland, however, this power is given to the Justice Minister - leaving it open to allegations of political motivation.
Irish law also falls down on the question of who can have their phones tapped. Contrary to international standards, there are no safeguards on phone tapping targeting lawyers, journalists or parliamentarians.
Unusually for a Western democracy, Ireland does not have separate security and police agencies. Instead, both roles are combined in An Garda Síochána. The result is a blurring of the boundaries between the two functions which means that all surveillance ends up being concealed in unnecessary secrecy.
The Irish oversight system is also out of line with international practice. In almost all EU member states, there are parliamentary committees which can oversee surveillance by security agencies. Ireland is one of only four EU states which does not make its security agency accountable to parliament. Instead, in security matters the Garda Commissioner answers only to the Justice Minister - the same person who is responsible for decisions to tap phones in the first place.I've written more about the issue in the chapter "Judicial Oversight of Surveillance: The Case of Ireland in Comparative Perspective" (2016), full text online at the UCD research repository.
Back in the saddle
Wednesday, April 06, 2016
Search warrants and privacy in Ireland - CRH, Irish Cement & Lynch v. CCPC
The full decision isn't yet on the courts.ie site, but courtesy of the CCPC I've uploaded a scanned copy to Scribd. The full decision will need careful consideration, but at first glance it's a very privacy protective decision which may have far reaching consequences in other areas of criminal procedure. Notably, it cites with approval the 2013 Canadian Supreme Court decision in R. v. Vu on the special privacy issues presented by searches of computers. (And, I'm glad to see, the Digital Rights Ireland litigation.) By requiring specificity in what is seized and how that material is then examined, it puts a question mark over other search powers - such as those under s.48 of the Criminal Justice (Theft and Fraud Offences) Act, 2001 - which are generally used so as to seize an entire computer and not merely specific records.
Wednesday, March 16, 2016
Destroying the history of those victimised by the State
As human rights lawyers we note with great concern the proposal that records of applicants to the symphysiotomy payment scheme would be shredded after March 20th.
This would reinforce the harm done to women by the physical and symbolic destruction of official medical records attesting to the abuse and harm they experienced. Furthermore it would lead to the destruction of vital records and evidence that might be of assistance in future legal, historiographical and political processes of recording the symphysiotomy in Ireland and ensuring accountability for these instances of inhumane and harmful treatment.The UN Human Rights Committee has called for a “prompt, independent and thorough investigation into cases of symphysiotomy” leading to prosecutions where appropriate.It is likely that Ireland is under a positive obligation to hold such an inquiry under the European Convention on Human RightsThat these records would be returned to the applicants to the scheme is, thus, of paramount importance.We note that applicants to this scheme were obliged to provide “relevant supporting records”. They were not informed that these records would be destroyed, that they should send or retain certified copies, or that by applying to the scheme through submission of these records they were at risk of losing this documentary evidence of their medical mistreatmentThe limitations of data storage at hospitals are such that such records, if destroyed, might not be capable of retrieval elsewhere, and in some cases processes for accessing records can be so difficult to navigate as to be almost inaccessible.Thus, we call on Ms Justice Harding Clarke to reconsider this, and to ensure that all records are returned to the applicants to the scheme, by registered post, at the earliest possible date. Under no circumstances should they be destroyed.We also endorse the call from Marie O’Connor of Survivors of Symphysiotomy that applicants to the scheme be asked for their consent to these records being archived.
Thursday, November 12, 2015
How trustworthy is Microsoft's "data trustee"?
[Microsoft] employees will have no access to the data held at the facilities without the German company’s permission. The companies believe this arrangement means Microsoft will not have to respond to governmental demands for information held in these data centres, forcing official requests to go through German authorities instead.This is a direct response to the ongoing US litigation asserting that the Stored Communications Act has extraterritorial effect and captures data which Microsoft holds in Dublin or anywhere else worldwide. The harm to its European cloud operations has forced Microsoft's hand - rather than waiting for the result of the appeal in that case (or proposed amendments which would cut back the extraterritorial effect of US law) it has opted to put itself in a position where it simply can't comply with US demands.
But how trustworthy is Microsoft's trustee? Deutsche Telekom looks like an unfortunate choice. It's probably best known in privacy circles for systematically using its phone records to spy on journalists writing critical stories about it - including tracking journalists' movements using mobile phone data. It's deeply ironic that Deutsche Telekom now sees privacy as a selling point when it previously spied on its users not in response to government demands but simply for its own commercial advantage.
Tuesday, October 13, 2015
Law Society Annual Human Rights Conference
The Law Society will be making available other slides/papers from the conference - including hopefully the very interesting papers from Olivia O'Kane on privacy and the media and Judge Michael O'Reilly on prisoners' rights - and I'll link to those once they are put up.
Tuesday, September 15, 2015
Whitewashing your internet profile: political edition
First Alan Kinsella, of the invaluable Irish Election Literature website, tweets:
Have had a number of requests so far from candidates/election agents to take down their 2011 election material from the site #ge16
— Alan Kinsella (@electionlit) September 14, 2015
Second, an anonymous user from an Oireachtas IP address attempted a systematic (but ultimately unsuccessful) whitewashing of the Wikipedia entry for Senator Jim Walsh, deleting all reference to various gaffes by him through the years.
There's nothing new about attempts to suppress unfavourable information about Irish politicians - and the current stories are nowhere near the seriousness of the recent incident in which the aide to Derek Keating TD dumped several thousand copies of a local freesheet containing a critical story about his boss. But these examples still raise interesting issues for lawyers. In the case of the Irish Election Literature website - should politicians be able to invoke what would presumably be a copyright argument in order to conceal their past promises? In the case of Wikipedia, should edits made by TDs, Senators or their staff about themselves be disclosed? (Wikipedia certainly thinks so.) More generally, how should Irish law deal with sites such as Politwoops which archive deleted tweets from politicians? Is Twitter correct in saying that politicians should be able to delete their ill thought out tweets without that fact being highlighted - or should we accept that what politicians say is inherently newsworthy?
The Irish courts have yet to confront most of these issues - but it will be interesting to see what happens in an ongoing case brought by a Dublin election candidate who has invoked the "right to be forgotten" against online discussion of his election literature. Hopefully this will result in a judicial statement affirming the strong public interest in political discussion.
Tuesday, June 16, 2015
Downloading or accessing certain material could constitute a criminal offence
![]() |
| Poster put up in London internet cafes from 2010 onwards |
It's not about asking owners to spy on their customers, it's about raising awareness," a police spokesman said, speaking anonymously in line with force policy. "We don't ask them to pass on data for us."Still, he said, police were "encouraging people to check on hard drives." He did not elaborate, saying it would be up to cafe owners to decide if or how to monitor what customers left on their computers.
Monday, May 04, 2015
PPS numbers: internet saviours?
In short, the author is shilling her own service under the guise of an impartial opinion piece. This is bad enough in itself, but more fundamentally it is a distraction from what really needs to be done to protect children online.
At the most basic level, gardaí are dramatically under-resourced in dealing with the internet. The 2014 Garda Inspectorate report revealed there have been up to four year delays in analysing seized computers; that the Paedophile Investigation Unit had one (!) computer to receive and download evidence; that 40% of Garda stations are not networked and have no access to PULSE or internal email; that evidence cannot be shared electronically; and that even in networked stations many gardaí have no access to social media or external email.
One might expect that those genuinely interested in child welfare would address these basic points first. But where's the profit in that?
-----------
Some excerpts from the Garda Inspectorate Report - emphasis mine:
The current Garda Síochána IT system restricts the sending of evidence electronically, resulting in investigators having to travel to Dublin to view evidence. PIU only have access to one standalone computer to receive and download evidence, as they are unable to use PULSE. This is a fundamental tool for investigation of these crimes. When evidence arrives, it can take days to download information and this removes the availability of the computer to be used by investigators coming to the unit to view evidence for other cases. PIU gave an example where one case had over 8,000 videos.
Another problem area is the restriction placed on districts accessing social media sites. As a result, the PIU is swamped with requests from districts for help in cases under investigation. Since 2001, the unit has used a paper system for managing investigations and would like to move to an electronic system. Internally, the PIU uses an electronic spread sheet to monitor cases. There is a concern that two investigators could potentially be looking at the same suspect, without knowing that another garda is also investigating a crime against the same suspect. Like the SOMU, all PIU staff work on the same roster and again are all off-duty at the same time.
The delay in obtaining evidence from analysis of computers has contributed to a situation where no PIU investigation case file has been sent to the DPP for directions in the last four years of operation.
A consistent theme throughout the inspection of national and district intelligence units was that outdated IT equipment blocked them from accessing or viewing evidence about a crime. The Inspectorate was informed that the National Intelligence Unit is working on outdated software and is unable to load PDF documents and to view photographs. CIOs in particular experience daily challenges in accessing the necessary IT applications and equipment to perform their role effectively. CIOs often use personal laptops and computers to view CCTV footage, to download stills and to turn those stills into briefing documents and bulletins. This represents a risk of breaching security of intelligence data, but their motive is to ensure that intelligence is provided to local gardaí.
The access of gardaí to external e-mail was very inconsistent across the seven divisions. Some members stated that they had no external e-mail access and other gardaí explained that if you apply for access then it will be given. Many victims would like the option to use e-mail to communicate directly with the garda dealing with their case and it would ensure that the member actually received their message.



