Schedule of Reco rd s for FOI Request No. 156/455/2012 Record Bri ef Description Page No Grant/H.cfuse Basis of Refusal; Section of No FOI Act I Data Protection and Page I Part Granted Part of page 1 ref used under Facebook Section 28(1) 2 B ri efing for Mi nister re Page 1 Part Granted Part of page 1 refused under Facebook meeting - Refonn Section 28( 1) of ED Data Protection Pages 2. 3, 4 Granted Regime 3 E-mail - Proposals for Page 1 Part Granted Part of page 1 refused under General Data Protection Section 28(1) Regulation 4 Briefing note prepared for Page I Part Granted Part of page 1 refused under meeting with Facebook Section 28(1) Pages 2. 3, 4 Granted 5 E-rnail - Facebook's Cover page. Part Granted Part of (cover) page refused submission on the European under Section 28(1) Data Protecti on Proposals Submission Granted 6 Not e of Meeting with Pages 1 & 2 Part Granted Part of page 1 and 2 refused Facebook under Section 28( I) 7 Update to Facebook 's data Page I Pa rt Granted Part of page I refused under use policy Section 28( I) 8 Meeting with Facebook Page I Part Granted Part of page 1 refused under Section 28(1) 9 Proposals for general Data Page I Part Granted Part of page I refused under Protection Regulation Section 28(1) 10 Proposals fo r general Data Page I Part Granted Part of page 1 refused under Protection regulation Section 28(1) 11 Briefing for meeting with Page I Part Granted Part of page 1 refused under Face bo ok on 9 February Section 28(1) 12 EU Data Protection Pages 1 & 2 Part Granted Part of page 1 and 2 refused re gulations - more detailed under Section 28( 1) perspecti ve 13 Major developments in the Page I Part Granted Part of page 1 refused under Data Protection field Section 28(1) 14 Major developments in the Page I Part Granted Part of page 1 refused under Data Protection field Section 28(1) 15 Major developments in the Page I Part Granted Part of page refused under Data Protection field Section 28(1) 16 Major developments in the Page I Part Granted Part of page refused under Data Protection field Section 28( 1) 17 Major developments in the Page I Part Granted Part of page refused under Data Protection field Section 28(1) 18 Major developments in the Page I Part Granted Part of page refused under Data Protection field Section 28(1) Page 2 Granted 19 Major developments in the Page I Part Granted Part of page refused under Data Protec ti on field Section 28( I) Page 2 Granted 20 Catching up Page I Part Granted Part of page refused under Section 28(1)
Transcript
Schedule of Records for FOI Request No. 156/455/2012
Record Brief Description Page No Grant/H.cfuse Bas is of Refusal; Section of No FOI Act
I Data Protection and Page I Part Granted Part of page 1 refused under Facebook Section 28(1)
2 Briefing fo r Minister re Page 1 Part Granted Part of page 1 refused under Facebook meeting - Refonn Section 28( 1) of ED Data Protection Pages 2. 3, 4 Granted Regime
3 E-mail - Proposals for Page 1 Part Granted Part of page 1 refused under General Data Protection Section 28(1) Regulation
4 Briefing note prepared for Page I Part Granted Part of page 1 refused under meeting with Facebook Section 28(1)
Pages 2. 3, 4 Granted 5 E-rnail - Facebook's Cover page. Part Granted Part of (cover) page re fused
submission on the European under Section 28(1) Data Protection Proposals Submission Granted
6 Note of Meeting with Pages 1 & 2 Part Granted Part of page 1 and 2 re fused Facebook under Section 28( I)
7 Update to Facebook's data Page I Part Granted Part of page I refused under use pol icy Section 28( I)
8 Meeting with Facebook Page I Part Granted Part of page 1 refused under Section 28(1)
9 Proposals for general Data Page I Part Granted Part of page I refused under Protection Regulation Section 28(1)
10 Proposals fo r general Data Page I Part Granted Part of page 1 refused under Protection regulation Section 28(1)
11 Briefing for meeting with Page I Part Granted Part of page 1 refused under Facebook on 9 February Section 28(1)
12 EU Data Protection Pages 1 & 2 Part Granted Part of page 1 and 2 refused regulations - more detailed under Section 28(1) perspecti ve
13 Major developments in the Page I Part Granted Part of page 1 refused under Data Protection field Section 28(1)
14 Major developments in the Page I Part Granted Part of page 1 refused under Data Protection field Section 28(1)
15 Major developments in the Page I Part Granted Part of page refused under Data Protection field Section 28(1)
16 Major developments in the Page I Part Granted Part of page refused under Data Protection field Section 28( 1)
17 Major developments in the Page I Part Granted Part of page refused under Data Protection field Section 28(1)
18 Major deve lopments in the Page I Part Granted Part of page refused under Data Protection field Section 28(1)
Page 2 Granted 19 Major developments in the Page I Part Granted Part of page refused under
Data Protection fie ld Section 28( I) Page 2 Granted
20 Catching up Page I Part Granted Part of page refused under Section 28(1)
.--..;:-I I ''';' Data Protection and Facebook
1010412012 12:30
I refer to your recent e-mail in relation to the above,
The position is that paragraph 1 of the Second Schedule to the Data Protection Act 1988 provides that the Data Protection Commissioner "shall be independent in the peliormance of his functions".
From:
To: i nfo@jusl ice.ie
cc:
Date, 26/03/2012 Subject: Data Protection and Facebook
Hi, I'm working on an article regarding Data Protection on li ne and Facebook. l have in that regard made Data Access Req uests to facebook and numerous other companies, and I know by fact that Facebook won't give me (or anyone else asking for access) the amount of data I am entitled to. Everyone are, according to EU-regulations, entitled to be given the total amount of information held on them within 40 days. This also applies to a company like Facebook, but I've been in touch with the Iri sh Data Protection Commisioll. They told me that Facehook has been allowed to not hand out all the information they ho ld about their users until this July_ Meaning that the Irish Data Protection Commision effectively are allowing Facebook to operate outside of the legal borders until thi s summer, and that Facebook at the time being are iIlegaly withelding information about its users.
What does the department of Just ice think of this? The lrish Data Protection Commision is allowing Facebook to avoid data request from throughout Europe for several months in order to give FB time to make sure everything else is complying to Irish and European laws and regulations. Does the department of Justice agree that this is the right way to do it?
Thanks for your response.
With regards;
·=-1 I L __ I
---~
Briefing for meeting with Facebook on 9 February 08f02/20121 3:23
«< Attachment 'Briefing for Minister - Facebook meeting.doe' has been archived by user LR/JSECTOR' on '09/081201218:24:06'. >>>
•
Reform of EU data protection regime
Briefing Note
Existing EU Data Protection Framework I. The centrepiece of existing EU legislat ion on personal data protection is
Directive 95/46/EC (Data Protection Directive) which seeks to reconc-ile the protect ion of personal data wi th the free now of such data wi thin the internal market and to countries outside the EU. The Direc tive has been transposed into national law in the Data Protection (Amendment) Act 2003
2. This Directive is comp lemented at EU-Ievel by Framework Decision 2008/977IJHA (Data Protection Framework Decision) which makes provision for the protect ion of personal data in the context of police and judicial cooperation in criminal matters. The Framework Decision app lies to the crossborder exchanges o f personal data within the EU and not 10 domestic processing operat ions in Member States.
Lisbon Treaty 3. The Lisbon Treaty contains new data protection provisions which are in tended
to fu rther strengthen EU data protection sa feguards. Art ic le 16 of the Treaty on the Functioning of the European Union (TFEU) has introduced a speci fic legal basis for the adoption of rules on the protection of personal data. I n addition, Article 8 of the Charter of Fundamental Rights of the EU enshrines protection of personal data as a fu ndamental right.
European Commission proposals 4. Foll owing completi on of an extensive consultation process, the European
Commission has tab led an ambit ious package of proposals that are intended 10
replace both the Directive and Framework Dec.ision referred to above. The proposals were adopted on 25 January.
5. The proposals are due to be discussed by national data protection experts in a Council Working Group: the first meeting is scheduled for 23124 February. These discussions will take place under the Danish and Cypriot Presidencies during 2012 and wi ll continue under the Irish presidency of the Work ing Group in 2013. The European Parliament will also become involved in discussions at a later stage under co-decision arrangements.
6. The Commission's proposals are lengthy, detai led and complex (while the 1995 Directive contains 34 sect ions, the proposed replacemenr contains 91 sections). It is also notable that the Commission is proposing to rep lace a Directi ve. which mLlst be transposed into national law. with a directly-applicable Regulation . While the Commission \vil l seek to justify th is on the basi s that uneven transpositi on of the Directive across member States has created barriers for
e. The Comm ission wants to 1:1cilitate 'data porlabi lity". i.e. make it easier in future for individuals to transi't: r their own personal data from one service provider to another (art icle 18). It remains to be seen whether this requi res resolution of any tcchn ieal difficu lti es.
f. The Commission is proposing that in certain cases data contro llers will be requ ired to perform 'data protec tion impact assessments' (a rticles 22 and 33). Here also. it w ill be necessary to respect propol1ionality.
g. Where, for whatever reason. breaches of security lead to unauthorised or accidental loss or disc losure of data. the Commission is propos ing the companies and bodies concerned report them imm ediate ly to national Data Protection Commissioners. Thi s may encounter problems and involve additional expense because. for example, an unauthorised breach may only come to light some time a tte r it has happened. Moreover, individuals wi l! be permitted to report such breaches even where the infringements have happened outs ide the EU.
9. For the benefit of US companies with establi shments in the EU, the European Commission is organising a conference 0 11 "Privacy and Protection of personal data" on 19 March in Washington D.e. This wil l provide an opportunity for US-based executives to interact with relevant Commission officials; the Commission also wants member state representatives to attend and has issued an invitation. No decision has been taken here yet on whether to attend .
Next steps 10 . The Department of Justice and Eq uality is seeking the views and input of
relevant stakeholders in the coming weeks prior to the commencement of detailed di sclIssions in late February. Any su bmission from Facehook would be welcome. The overall objective in the f011hcoming negotiations will be to ensure that an appropriate balance continues to be mainta ined between the need to sa feguard personal data and ensuring the free flow ofsllch data within the intemal market and, subject to appropr iate safeguards_ to countries and destinations outside the EEA. We must also seek to ensure that the interests and jobs created by stakeholders operating in Ire land are protected.
February 2012
3
Fw: Proposals for General Data Protection Regulation 10102/201209:44
Facebook met w ith the Minister yesterday and will make a submission to us on the DP proposals.
Regards ••••• Forwarded by D2/2012 D9:42 •••••
From: To: ICE Date: Subject: --.-----
For info .
.RfJSECTOR on 09/02/2012 17:21·····
From: To: Cc: Date : ~ubjec!..-. ___ "
t he message to Apo l og i es f or not getting ba c k to you - I've forwarded Goog1e (a n d ·.-lil l folIo .... up \ .... i t h t hem by phone tomor ro .... · · ... ·a i ting on contact deta i ls for Facebook, but I ' ll h a ve also a n d wi ll dea l wit h the~ t hen .
t o confirm) .. I ' m t hose i n the morni ng
I ' ll confi ::m bo t h of t h ese \"i t h you v i a e:na i l i n t he ::lo rr.'..ng.
Rega!:d~
Fro:n Sen t To : I S'..:.bject : P:-oposals fcr Gene r al Data Pro te c t:' on Re gula::ion
Hi
: a :n ... ·or.de r ing if yo u r Depa :::: trr .. en t has decided to consu l t in re l at i on : 0 the Data Protect i on Regu':"ation or i: yO\; 'd':' :"'l give us co n tact detai l s so : 01.at ;,-.'e ca n do t r .. e necessary cons'Jl t a ,:i or.?
Re gards
Fw: Briefing for meeting with Facebook on 9 February 13/02f2012 10:48
Here is the briefing note Seam us prepared for the meeting with Facebook. It is probably too detailed for your purposes but you may be in terested in the first 5-6 paragraphs.
Regards
Noreen
Noreen Walsh Civil Law Reform Division
-- Forwarded b~ on 13102120 12 10:42 -----
From: To: '@JUSTICE Cc: USTICE, I I/JELRlJSECTOR@JUSTICE Date: 08l02r2U1213:23 Subject Briefing for _meeling with F~~.,:k on 9 Februa~ __ , ______ • _ _ ____ _ _ _ __ ._
~.~ Briefing for Minister - Faeebook meeting.doe
Reform of EU data protection regime
Briefing Note
Existing EU Data Protection Framework 1. The centrepiece of existing EU legis lation on persona! data protection is
Directive 95 /46/EC (Data Protection Directive) which seeks to reconcile the protection of personal data with the free flow o f such data within the internal market and to coumries outside the EU. The Direct ive has been transposed into nat ional law in the Data Protection (A mendment) Act 2003
2. This Directive is complemented at EU~level by Framework Decis ion 2008/977/JHA (Data Protection Framework Decision) which makes provision for rhe protection o f personal data in the context of police and judicia l cooperation in cr imi nal matters. The Framework Decision app lies to the cross~
border exchanges of personal data \vithin the EU and not to domestic processing operations in Member States.
Lisbon Treatv 3. The Lisbon Treaty contains new data protection provisions which are intended
to further strengthen EU data protection safeguards. Article 16 of the Treaty on the Functioning of the European Union (TFEU) has introduccd a specific legal basis for the adopti on of rules on the protect ion of personal data. In addi tion, Arl icle 8 of the Charier of Fundamenta l Rights of the EU enshrines protection of personal data as a fundamenta l right.
European Commission proposals 4. Following completion of an extensive consultation process. the European
Comm ission has tabled an ambitious package of proposals that are intended to replace both the Directi ve and Framework Decision re ferred to above. The proposals were adopted on 25 January.
5. The proposals are due to be discussed by nati onal data protection experts in a Council Working Group; the first meeting is scheduled for 23/24 February. These discussions will take place under the Dani sh and Cypriot Presidencies during 2012 and will continue under the Irish pres idency of the Working Group in 2013. The European Parliament will also become involved in discussions at a later stage under co-decis ion arrangements.
6. The Commission' s proposals are lengthy. detailed and complex (while the 1995 Directive contains 34 sect ions. the proposed replacement contains 91 sections). Tt is also notable that the Commi ssion is proposi ng to replace a Directive. which must be transposed into national law. with a di rect ly-applicabl e Regulat ion. While the Commiss ion wil l seek to justify this on the basis that uneven transposition of the Directive across member States has created barri ers for
e. The Commission wants 10 facilitate 'data portab ility", i.e. make it easier in future for individual s to transfer their own personal data from one service provider to another (al1icle 18). It remains to be seen whether thi s requires resolution of any technical di fficu lt ies.
f. The Comm ission is proposing that in certain cases data controllers will be required to perform 'data protection impact assessments ' (artic les 22 and 33). Here also, it wi ll be necessary to respect proportionality.
g. Where, for whatever reason, breaches of security lead to unauthorised or accidental loss or disclosure of data, the Commission is proposing th e companies and bodies concerned report them immed iately to nat ional Data Protection Commissioners. Th is may encounter problems and involve add itiona l expense because. for example, an unauthorised breach may only come to light some time after it has happened. Moreover, individuals will be permitted to rep0l1 such breaches even where the infringements have happened outside the EU.
9. For the benefit of US companies with establishments in the EU. the European Commission is organising a conference on " Privacy and Protection of personal data" on 19 March in Washington D.e. This wi ll provide an opportunity for US-based executives to interact with relevant Commission officia l s~ the Commission a lso wants member state representatives to attend and has issued an invitation. No decision has been taken here yet on whether to attend.
Next steps 10. The Department of Justice and Equa lity is seeking the views and input of
re levant stakeholders in the com ing weeks prior to the commencement of detailed di scussions in late February. Any submission from Facebook would be welcome. The overall objective in the fort hcoming negotiations will be to ensure that an appropriate balance cont inues to be maintained between the need to sa feguard personal data and ensuring the free 11 0w of such data within the internal market and. subject to appropriate safeguards. to countries and destinat ions outside the EEA . We must also seek to ensure that the interests and jobs created by stakeho lders operating in Ireland are protected .
February 2012
3
From:
To: "data p rOlCClion p [email protected]" <da taprotect ion proposal s@j ustice ,ie> cc: Date: 30103/2012 Subject: Facebook's submission o n the European Data Protection Proposals
Dear Sir/Madam
Please fi nd attached Facebook 's submission to the Irish government's consultation on the EU Data Protection proposals. Please don't hesitate to contact me should you have any further enquiries.
Best
Facebook's view~ on W Data Protect ion ReglJlatlon - 30" Ma"h 2012
This pap~ r sets out the views of Facebook on the Europear. Commiss ion's proposal for a R~gulat i on "on the protect ion of individlJals with regard to the processing of personal d~ta and on the fr ee movement of such data" (hereafter referred to as the 'Regu latilm') ,
Facebook's mission Is to give people the power to share and ~ake the world mor~ open and connected, With over 800 million users worldwide, the impact on people's lives ranging from act ive participation in poHtica l dia logue to personal stories of familiu being reunited is unpreceden~ed.
facebook is also a driver of economic growth and Job creation. A recent study f rom Deloitte found that Facebook adeed more than US bil lion in value in the European Union in 2011, support ing more than 230,000 jobs. Facebook th~r~for~ 'Nt'lcom~s th ~ fact that one of t he obj~ct ives of the European Commission in proposing the n~w leg islative framework on Data ?ro t~ctio n is to foster growth ~nd jobs,
The revis ion 01 the Data Protect ion Directive has the potentia l to facl l itat~ innovation, and prov ide .onsumers with greater transparency ar,d control. Fa~~boo k bel ieves that it il possible to have sound privacy regulat ion and a thriving digitalsectof, The new legisla tive framework 5ho~ld focus on encouraging best pra~t i ces by companie~ like Ficebook rathe,. than on set1 ing out detai led teChnical rule~ that will not stand the test of time and may be frustrating and costly for both service providers and users.
This paper addresses tM key aspects of the Regulation indicating which elements i'acebook encourages policy makers to consider revising. We stand ready 10 discuss points of detail about how the legislation might be improved with policy makers, In ternet user group~ and other organisations In the Inte, ne! eco-wstem.
We hope that these comments wil l assist the Ir ish Governmer.: in making its input to tne debate at EU level.
1. Rata Protection Authority (OPAl competence
The core principl~ of a ~ingl e OPA having competence acroSS the EU for multinational companie~ Is we lcome, though w e have ,0ncerrlS about related provisi"", which could undermine this, It should also be Clarified that th~ "one stop shop" principle applies to a co-eontr()lI~r bas~d outsid~ the EU when there Is already an EU based contro ller within the same corporate group,
The proposed Regulation pro','idn thilt the DaU ProtC'Ction Authori ty (OPAl of the ~ou n try hosll the European HeadQuarte" of a bu si nen it hu jurisdict ion on behalf of the rest of the EU.
Facebook we lcomes th is provi sion and the Eu ro pean Commlulon' s inl ll.t ive to bring about more harmonilatl~n to EU Dau Protection legis lati on and upecially DPA jurisdiction by creating a 'one-stop·shop' - ie iI single regu lil tory authori ty tor the who le EU market . Since 2010, Facebook Ireland Ltd hiS provided facebook use rs In Europe with their service, ilnd has been subject to oversight by tMe Office of the Duta Pro tectio n Commissioner [D PC) for compliance wIth Irish dilla protec tion law.
FlCeboo~ is a leader among global Internet service providers Irl lts transparency ilnd willingness to engage with European OPAs and will continue to take this COfl$!ructive approach to meeting its ob ligations to its users. 8eine eJtablish~ in Iretand. the o pe h Fi(eboo~'sleild DPA. facebook hils rece ntly been the subject of i thorough IInd det ail~ audit by the ope, published at our volition on 21 December 2011, on Itl pr.cHces and policies. Sul»lanl i.1 resout~~S were dedicated to ensure that the ope Mad ill the Information it needed to ccnduct a comprtheMm audit. The iudlt Involved three mor.ths of rigorous e xamination, and tile final DPC report demOt"lstrated how F~cebook adhe res to Eu(ope~n data protection principles and complies with Irish taw. Facebook believes that these practices are e~tremely important in demonstrating compliance with the law and would like to obtain tegal certainty tnat a true 'one-stopshop' will be apptied in Europe.
Artiele SI provides that when a datil controller and/or dala pre<essor Is established In sever. 1 Member States of the European union the responsible DPA wll! be the one ot the main e stab lishment. However, it remil lns undear whethe r the 'one-nop-shop' principle applies in the case where a controlle r or pro~e$Sor Is bued oUl$ide of the W. In the case of Facebook, facebook Inc (based In the US) is a dUi procusor for Fi cebook Irela nd . If the relationship between these entit ies was 10 chinle, Ind Facebook Inc were to be regarded as it data cont rolle r for the purposes 01 the regulation, It would not be uble to benefit fro m the "one-stop-shop" princi ple. in order to bring about more clar ity Bnc le g, 1 cert3 inty F".ebcok wcu lc urge po li;y makers to amend the rules deal!ng with the applicabil ity 01 Ihe 12W (Artic le 3). 50 that il t here is already an EU based contro ller within a corporate group, that contro lle r .hould be respons ible for compliance in respect of the relevant ca:a processing, as tha t pro~id!5 t he grntest degree 01 certainty for both In ternational cempanies .. nd individuals. Facebook believes that t~11 would ~nhane~ the objectives th~t the EUlopean Commission had In mind In ensuring tha t the 'one-stOP-IMOP' ;s ro::ust and applies to illI cont.ollers and proceuorl regardless of where they .. e established when the ~egul ation applies.
2
FacebOOk I~ also concerned th~ 1 the re ~re I ~ e,ie § of articles that undermine the power of the leading OPA, which could lud to incon!i5!en,lu in the application of Ine regulalion "nd create legal uncertainly lor businesses. In pa'liculaor:
Mutual ils sistance· Un.:! er Art icle 55(8), an W OPAcan la ke a provisiona l measure, 11 tt.e lead OPA does not answer the ir reque51 witnin one ,"o:'l\n. rne OPA ol lt.e main es:abllst.ment milht t. ave legitimate reasons for delaying It.e adoplion of a provisional measure 3nd Ihls should nct undermine 115 tompetencQ .
Joint ope, allOn! cf supervisory authorities (Atticle ~61- The tight for each OPA to pa rticipa te to JOint operations equally raise. sign ificant risks witt. regards to the 'one-stop-shop' principle. As we unders l3nd it the propon l ls that a ny EU OPA would have the right 10 be Involved in I joint inves\lgation wilh tne IHd OPA. The lead OPA could even confer their investlgalive: and e~ecutive power to ano tner OPA. This creales signlflcant iegal unl;ertalnty for busineues. which have been dedica ting resources to !;oope rat in g I nd dealing with the ir lud DPA.
Consistencv mech~n lsm {Articles 57 - 631· This provision is aimed at ensurlng unity of application of Ihe Regul!tlo n in ,,,Iatlon to process ing oper~ lions, which ma y concern da ta ~ubJect! in several Member States. flCehook $upport5 the obj~ctive, however some of tt.ese provlS'or., raise a risk for the le~d OPA havin, its po",er undermined by the European Ollta Protection Board (fOPSl. the Europllln Commission and et her DPAs. This is another potentia l a rea of legil l unce.til in:y fe r bUlinesses and risks ereatinlleng delays in key decisions, whith could have a s.>gnlfitanl imp.ct on innovation CVde!>.
2. ~!rlProCluor
Propo"ls ' !I.ardlnl the dellnitlon of the dala ~ntroller need to be narrowed down to ensure that u mpanles can operate efficie nt ly with lel al ce rtainty.
For the purposO"S of Ihl!> Regulation, Ihe (lata controller for EU Fuebook use's Is :o.~ slder4d 10 be Facebook Ire!~nd Lld and F~cebook Ireland Ltd's data ;:>rocesso rs In cl~de facebook Inc in Californ ia. Facebook wou ld like 10 main t' in the clar ity 01 thi s SfrUtlure. Facebook has lor a lo.,g time ful ly iltI;epted its responsibility 10:15 users in Europe and since 2010. these users ""'e been p.ovided with theif service by Facebook Ireland rh .s Sl'uc:u.e is compl iant with Irish da:a protection law and is subject to ove rsight by the ope.
Facebook Is concerned, however, that Ihe concept of dlta processor In the Relula lion Is not cleartydefined and, as , resul t, the re ~Iy be situations where a d ~l a pro!;e~~or may unjultiflab 'y be r!garded as a data controller. For example, under Arl icle 2614), if a
3
;>rocenor is considered to be taking Independent decilionl tllen tlla! proceuof will be deemed as a controller. Faceboo~ believes thU Ihe interaction between the two concepu might raise prat tle.! diff icu lties wllen a datil controller "nd iI da! iI procenor are part of the same company group and both parts of the Iroup collaborate on a (hily basis. The policies ilnd protocols will be de~in ed by the data control ler, but oft en interpreted and implemented Independently by the data pratessor . To avoid any legal uncer tainty, Facebaok sugges ts therefore \hilt the definition of data procenor is mOdified to Il low certa in e lementl of decis l on·m.~ in8.
Article 22 int roduces new ~ccount f bIlit y provisions on cont rollers. These include requiremenu 10 demonnrate compliance witll the Regula tion tllroullI t ile Ic!option of inte rn.t policies, assignment of Intern.1 relponsibilit iel and ve rific 41 ion of compliance. Facebook agrees with thest provis ions. 1I0wever tllere may be some di fficulty in situations where Ihe levef of prescription in th! Regulation Is such that lhey may nOt renect practices thU are otherwise appropri ate to safeguard personal dau .. F~ ceboo k
the refore suu:es ts tllat t his Article requires further consideration by policy makers.
1. Privacy by default/privau b!f dulUl
'Priv~cy by design' is a wekome princip le but Ihe accompanying 'privacy by default' principle takes Ins ufficient .cco~nt of the t Morlnc ethos underplnnlni social network servlcfl. The ReCU!aUDn should have resped for th. 'Dnte~t In whlctl dall Is coll.cted and prtKessed.
facebock welcomes the mtroduet!on of the 'privacy by design' prindple in Article 23. Privacy is at the core 01 everything that Facebookdoes and, in part of ih work wi~h the ope. facebook has made privacy by design a key component of 115 privacy programme.
Facebook believes that people should lIave control over each piece of content tlley post. That is why fleebook empowers people witll robust tools and educates them with tool tips and confirmation dial081 the II,.,tt lme they share, which he lps to ensure tnat th~ ue sh.ring with the people they want and that they know how to adjust :~elr settings fer the future.
Facebook regrets however thlt Ihil provision does no t take into account the specific natvre of social networking wlle re the ve r·,. rU!On Ih" moU people join is to share and tonnect with others. Specific,lIy, Article 23 1150 intreduces the notion of 'priva=v by dehult' and requires :lIal, by default, only perSOna l da ta that are necessary for a speCIfic p~ r pose are to be processed. It further requlre~ t h ~t by default 'pe/sonal data a.e not m~de a~cessible:o an indefinite number of Individuals' .
•
At Facebook, the recomt':1ended Initial account seWng, are chose n to alTow people to ea l llv find and connec t with tftel, friends whi le protect ing more le"s,!ive informnion. More importantly, with the Inline conlrol, Introduced in August 2011 , people are ah!e to choose their privit~y settin,s each ~no every time they pOSI conlent by deciding the audience 10 whom il ls vi ewlllle.
Facellook allo Ileliev!s that se tt ings shou ld be age-appropriate . This Is why special limitations are in phtce for uleu under the ~se of Ig. These automatltllly limit the under 18's sha rlns to a much sm~lIer sullset of people, which substantia lly reduces Ihel, vlslllllity. Under lBs ilso cannot have pullli~ ~earch listings, so :helr profiles do not show up 1~ pullllc search engin es unt il they have lu rned 18.
Facebook therefore 5uggUtS that thiS provision I~ revisited 10 take Into account services Ihtlre e~preuly designed for the Iharlng of per~onal d~u . such as $CClal networking sites. The Regu l ~tjo n sho uld have relpeet for the context In which data is colleCleo and procused.
4. ChJ.!1kt.!!. hcellook broadly supports the specifk proposals ;lfOUnd children Ind eau pro tection and $ugge$ls that a hl rmorllzed definition of I child for rhe purpose of doto prQcesslrIIJ Is SIt at uncler 11.
FacebooK b~lieves that Internet services should Ile desi,ned In an age·appropriate w~y. Our p,e sent policy Is thl! yo~ must be 13 to have" flCebco k account and the,e ale d ifferent privacy set:in,s in pl.ce for users aged Iletw!f'n 13-l7 IS t!escrilled' above.
The Regula tion defines a "chi:d" as Ile ing ~nyonl under lB. F~, ebook quest ions wh<!llIer "gene,al definition is .pproprlale In the context of this re&ulation and whelher this is the approp ria te aG e in re lation:o da ta processing of a chi ld In all conte-a. If the deflnilion Is to rl!main In the regul'l ion facellook would recommend' ha,rnolliled definition of a childfor Ihe purposes of dO la prrx:esslng, set al the ag l! of unde' 13. in line with current practices.
Facellook welcome s the specific prOYlSiOIl ill Article 8 that for onllne services paren ta l consent is only requ ired for chi ldren under 13. Under {he same provision ·verifiilllle pa'en: ~l (o"sent" is reQuired "taking in lO consideration availallle technology" Although helpf.Jl . ill s stili unc lur In what form verifiable consen t sllo", ld "Ke lino this isleh to be defined Ily the iu,opun Commission ill i luer dlte. Facellook believe< thlt many innovat ive so lu:lol15 can be fOlind for challen,es on Ihe Internet, including the provision
5
of parental con~nt.. and would therefore wish to ~ee the~e provision, implemented in such. way that they ellcourage rather thin !Imlt this innovation.
Facebook supports init i<ltivu aimed ilt providillg children with specific educational ma te rl.1 using simple I"r,guale. e ~pl';l'Iinl the privacy pol icy and ",mpowering them to live informed consent about th e protenin, of their dau.
5. HOlM to be IOf1Ql!!!l..
The ri&hllo be lor,onen needs very nrelul consld ~r'lion. As drll ft ed, il raises major conearns with re, .rd to the fl l ht of others to remember and of fr eedom of expreu lon on t he Illte rnet. There Is aiso a risk that It could resul! In measures which are technlully Impoulble to apply In praC1ke and therefore m"ke fot bad '''1''. A ri,hl b, lance shou'd be foune! between datalubJert's . isht to ,et their daU deleled, the fund.me",il l n,hts of other Indlvlduals.nd the fuli\)' of Ihe enline environment.
i he pro posal prescribes a ,ight for people to have the ir dall deleted IInd also requ ires data (onlrollers, to take 1111 reuon<lble steps. 10 obt"in e.asure 01 content copied 10" third plrty website or a ppli~Jllon. It Is ImpClrtant to differentiate between three quite different asp~cts to the 'right ICl be forlotten' :
The pm Is how people who have posted perSCInallnformJtion online can la ler delete Ihl1lnlClrmatiClIl . Faceboo~ believes thlt thi s i1 ~ righ t people ~ho~ld have 81 any time I nd the ir decisions shoy ld be com plied with in d rn pecled. TIlII b somethln, that Facebook alrudy offe rs - ys.trs can de lete individual items of conlelll they have posted on :o the service including their w~.ole accoynt "I illly t ime.
The suond rela tes 10 the provlsion ytlder Art ide 17(2). which woyld require delet ion 01 dala that hils been copied to iltlother urvlce. Such obligations are ullreilsonabte and not feaS ible tor services li. e Filcebook since we cantlol control data that has been copied to another service. In order to meet such obligat ior.1 It wClu ld mun Ihll service providers would be obliged 10 'monitor' peoples' IClivhles acr01S Ih'" I~ternet. FaceboClk 's strurtglV concerned th31 il could also lu~ to :he interpr~tI:.o'" that hlermediarv services could be considered res ponsible for erasing any c:o nlen! relaled to Ihe da~a subject that req~;e$n it. Thi , is technica lly Impossible and di rect ly confl icts with the way the In tern et works and how Ihe currenl liability Ilatus 01 Inlermediaries Is designed.
The th ird Is the Idea that you can insist that Information l lial o~hels have posted about YOy be de leted ·thi s is partlcular lv contentious, It is tiel r that there is a potelltial conflict betweelllhe right lor people 10 upress Ihemselves "nd the
6
pdVl()l rights of others. Facebook urges poli()l mahrs to co"slder fully the implications 0" the open In terne t .nd persor,~1 expreuio" .1 they determi"e the ri,h! bal.",e. The ddi"ition of freedom of exple~sio" cont.lned in Mlcle 81 and !u"her clu;fied in Redt.1 121 Is defined quite n.rrowly .nd should be extended to cover for en mple mere expresl.ions of opinion, user generated conten t ilnd more gener. lly recognise the nawre of new form$ of communicat ion such IS bloUlng and sOda l networking,
Finally, the debate on the ' right to be fO'IOlten" affects a number of Internet se ..... icu. which rely on use r·gene ra:ed conten t, This inue Is nOt unique to hcebook or social networking. Policy makers should lake Into ilCCOunt the "right of others to remem!J.ef" ind reach' balanced conclusion which respects freedom of upreulon.
6. ~!lI!H..ffi
Users sho"ld be able to eurclse conlrol o~e r what personal diltil companies collect from them . nd how they "n it but the requlremenl for consent sho" ld not lead 10 an overly disrupted or disJointI'd Inlernet experience.
The Regr,illlion provides enhanced requlte ments when controllers rely on d~tl sutject consenllo lesilimlre data proceuin,.
It is impo""nl to kup in mind thal service5 like Facebook I re de signed for people to be ~b le to connec t and ~ hare information. The a ud it .;onducted by Ihe DPe itt the end of ZOll determined that in the t,lIe of J soel , l ne twork. a u~er provldu con5ent upon registering with the se ..... i:e. Furthermore. Face bock provides e~t enslve informat ion on Ihe site aboul how Infcrr.'I3tion is used ilnd people unde rstand how the service worb. In addit ion, users need to provide their specific and eX>""5! con5ent 10 developers at Ihe time when Ihey downloa:l a new applicallon.
The highly p:escrlp live nal~re of the requirements for connnt contili.,ed in Articles 4(8) 5(2) and reclt, I25 could ~otential l y r equ~re mor .. intrusive mecha nisms to Isk for con5e nt for specific It:t ivi:ies, Th i5 c~rr i el tn! risk of in"nd3tlng user,S with tick boxes and warn ing! As well ilS ~tfect i r., the us!' experience, thiS inevitably will lead to it
potenl . ~1 'dt ... I~ation· of troe prirciple. and may make it I'.lder for ustrs 10 ma<e judgrrents Ibout when I1 is approj:ri.te 10 live consent or withhold il.
Facebook urges poll()l ma~erl 10 con51der fully the implications ef s"ch overly ~relicriplive provisions rh a! would hilve in adverse effect on u5er-experience and could ri sk und ermining the object ives 50",hl,
7. Security I O~la Breach notifjmlon
7
Conlumers should h~ve ~ rilM 10 secure and responsible hand linl of personal dlta tho~ ,h there 15 iI rl5k th~t the overly prucrlptive nature of the Re(ul"tlon could crea te 3 level of bure ilucruy thit distracts orcanlliltions and relulnors from uhievlnc the principII ob/ectl .... of nwrlng persona l diltl .
facebook takes th~ 5~wri ly of Its IlSers very seriously. The OPC commenceo Filcebook on its onBoing focus on the proteClion Ind security of user d.Jl • . It acknowledged thl! Facel100k ma~e5 IMova"ve use of technology to iden tify un~ s ~ 11 or suspicious actiyity on an account , Facebook be lieves that policy makerlshould recognize innova ll',e ip]:lr<)lChes to secur ity. for e_ample Filcebook OIro mptly w"rns users if their itccount hlls been tompromi!.ed. It allows .teen to the last 10&-11'1 ilttempu , nd providl'$ users with one-time pilSswords when the y log in from unS<!cured locatioi'l l . We work closely with a n~ l ystS, engineers, fraud e_pe rts l nd security investigators to prevent abuse, defut crimini ls and help mil lnlitin Fi Ce!:.ook is I trusted environment .
Facebook is concerned about the overly prescriptive nature of the proposed security provi sions and ques tions whether they ildd il nythin, 10 actuaHy enhancing SKurity. Under Ar ticle 31 datl bruches must be not ified to Ihe relevllnt DPA where fusible within 24 haurs. The DPA nOl lfiU lion requirement Is an absol~te requirement, wh ich means that. ;n theory, ev~n the mo~t minor bread'les must be re ported to the DPA. Facel!ook Is concerned thalth ls will nOl l llaw for effective priorill.at lon of the most serious breaches. The obligations also cont"in prescriptive requlremena for Ihe provision of informUion to the OPAs. wnr~h creates an . ddit ional laye r of b u re au.r l~y.
Furthermore, then require ments will force OPAl to redirect rtlaU rCl'S away fro m pr ivacy e nforcemenl and towilrds Ihe procenlng of notlfiC.ll i('lM. Thi~ new obligat ion, imposed with 1'1::0 regud 10 the scale or Impacl of the breach, will likely neceSSitate the provision of at:!d il lonal fun~in, to OPAs. In the absence of such government fundin g, OPA's may not h've approprille resources to promptly dui with the!.e continua l. a nd often de m/nimus, not ifications IInd this would undermine their effecti~neS5 and the confidence in their role in ensuring that data <ontrolleno properly har,dle Important personal dala breaches,
S'MiTa,'y, ur~er Article 32 oata bre ac~es r eee' to be notifIed to da~a $ubJects where the creach Is likely to adversl'lv affect the personal data or privacy of the data subject. In th is instance. the no tification mus t be made wlthout undue de lay. Th is provision ra i!es the same conce rns as In Art icle 31 namely Ihat, the 24 hour dead i'ne is too short, the information to pfovld~ 10 tile da ta subjeet;s extensive ind the Ihe doti breach i$ nOI elearly defined .
f urthermore, l iven the b-o, d defini tion 01 dilit subje<:ls ir. the regu l;!tion there;s a risk that Flceboo~ WOY!!! be obliged to Inform all users who have '''essed a ~ . ge, group or
,
plofile Ihat has been compromised. In order 10 avoid such ~ co~lly and cumber~ome pr(l,e~~. facebook ~uggesls Ihal the s,o~e of Ihis article i~ narrowed down.
8. Inletn/l!IQnllJtllt!r.!!l1ful
Progress hiS been made on the International ~aU transfer front. But the Regulation fails to re~o,nlle the Safe Harbor ilnd ~reates severill requIrements thilt wi ll be of (on~ern for Inte'~ti(ln al orgilnintions.
The Regulltlon only allows data transfen outside of the HA if thOl con~ltions set out in Art icles 40-41 lie complied with.
As with the umenl DireCli"e, transfers to non·EEA territories with In adequacy finding "e permItted . Under A41 (3) ,nd (S) the Europun Commission can decide Ihill a country, bUI also, an organililtion (Ior e~ample. iI private company) does not meet the adequale level of prOIKtiD<l. Filcebook urses policy makers to amend thIs provisio~ and exclude international organitatlons flom Article 41. The (Ulfent practice is that a DPA is responsible for dec iding the adequacy of a privue or,anllation to execute Internationa l transfe rs and this should remain the case.
To ensure Ihe complian(e ot Its Iruern,lI!ional data transfers. Fatebook employs differen: mechalllsms Including: users' consent; strong dilUI transfer dauses III Its data processi"g ag,~ement; and also rel ies on the EU·US Safe HarbDr Agree""ent. FilC1!book regrets the fact thal the regulllion does not make any refe rence to this inst rumenl, which has he lped many 5tart·up companie5SrOw and offer their services to more people in Ir.! confidence Iha llheir legal obligations ~re met facebook has for a Ions lime fully ac~epled Its responsibilil'{ to Its UH'S in Europe and pa"kipil ted in the EU·US Sa:e Harbor Agrl!'emenl for da ta processing for sevelal yurs. This was a cood way to meet ilS obligations 10 protect th e privacy rights of users in Ihe EU before il had ils operaliom wel l established In Europe .
Fa(fboo~;s also concerned about the extra layer of bu~ eaucracy, which Is crutec b'; the req~ irement unde r ""title 42(4). Th is refer~ to the situallcn in wh ', n the c on:fa~t,- a l
tiauses intiuded In the data processing agrl'emenl are not s:anda,d and the controller is required to ,et the prior authori"tion from the lead ilulhorily (Article 34), or from Ihe European Dal' PrOleclion Bo.rd (Arlicle~ 57. 58).
fina !ly, Article 44 specifi"s Ihe derogiltions from the general prohibition en international data t,ansfers , The data transfer will be authoriIl'd if (1) it is bilsed on a legitimate in lerest of Ihe ~ontroller or pllxnsor and (2) the transfer cannot be qualified as frequent or muslW'. ant: (3) Ihe controller or procenor hn asseued alllhe tir(umSlanceS ""d ~ddu(ed ilp~ropriMe s~feBuardl with rupe(t 10 t~ e protecllon of
9
per lonal da ta, Wh ilst thi s is a pO$ itive development, the rele rence to "not being frequent Or m,nb,e" is unht lpfullV vague and subjective and re du~u the potenti . 1 beneficial effect of allowin& Ot&anizations to determine the appropriate safeguards that mav otherwise leJilimil(' an int ern ~tional dau transfer,
9, ~jl nctio D1
The high levcl of potentlil l silnctlons for bru~hel of the Reguloltion risks tumine relations between complnies and reeulltors Into iI com~tive one ilnd miy undermine the Incentive of Inte rnet compil nles to Invest In the EU,
The new prOPOSil' ha~ a re&lme that Includes very harsh fines for bluches of data protection law, These cl.'uld be ilS high ilS 2" 01 the cloba' r~venue of ill commercial enterpr ise,
flcebook is concerned tha t the magnitude of potentl.1 fines will create I disincentive for innovation ilnd ilsscx:iated Job creat ion . mon& internet service compilnies. This could be a major blow for the turopu n Union liven thallne In ternet sector is widely recognized as the major driver of job ueatlon and growth in an otherwise moribu"d economic environment.
Moveover, it should be borne In mind th ' t the level of potential sanctions might create a dl~lncentive lot o.,en . ng~g.ment by com~anies with regu lators. Face book' s Interaction with the ()f'( and other regulators across the EU has shown thal a lot can be achieved through Optn ilrld tran1parerl t dia logue, even en difl ltulllnue$. Irish datil protection law, al present, obllge~ the ope to see~ an amicable resolution to d~spu tes. This ap proach, with its fOCU i on developing solutions and Implementing bes: prac tice, is partkularly benefiCial when grappling with the data protection challengu whien flow oul of technological ;nnoviltlcn. A regime Ihat threltens bUSinuses with such heavy fines would imperii this cooperat ion and drive ~eople away horn an open relationship with OP Al. Ultimate ly Ini, will not de liver privacy be nefits as effect ive ly a~01 less litigio~\
modrllikely to be engendered bV the proposed sanct iOnS recimes. The proposed regime will Jj~ ely lead to 'ength) court cases, pc:tenllally al censiderah!e COlt for the state.
10. Powers ot th~ Commllslon to extend the; Regula tion Proposals to Crant the Commission wide-ranging powers to extend the Regulation should be considered carefully.
The Regula tion Incl ude! 26 instances wnere the Commiss:cn hal granted Inelf the power to extend the Regulation by adopting delegated acts in Hcordance with Artide 86. Faceboolt is concerned !hi! this appro~c h mlsht com:lromises the level of legal
10
(~lJS
ctrt~in tv .fforded bV the I'I tBula tion Ind (ould undermine the legislat ive competence! of the European Plrliament and the Council of the European Union.
fa(ebook urges P'Olicy ma~en to ensure gruter certain ty bV design;"B the proce .. is trimpa re nlly as possible and give Ihe opportunity to the Industry and othe r $llkeilolders to piul,lpate In It.
hcebook Ireland
10 March 2012
11
Note of Meeting with Facebook
Attendance: Facebook: Civi l Law Reform Division: Seamus Carroll ; Noreen Walsh.
Date: 2 May 2012
Subject: European Commission Proposal for a General Data Protection Regulation
Mr Carroll explained that discussions on the Proposal for a General Data Protection Regulation at EU Working Group level were progressing slowly. Depending on progress made during the Cypriot Pres idency we wo uld hope to seek to achieve agreement on some aspects of the Proposal during the Irish Presidency.
We launched a public consultation process on the Proposal in March.
Mr Carroll explained that there are a number of important issues that need to be clarified during the discussions on the Proposa l as fo llows:
(1) Definition of personal data - there arc concerns that the proposed definition is 100 broad; any reference to a person appears to be personal data. Based on the definition and the recitals it appears that context is important in determining whether or not data is personal data e.g. an IP address is not personal data per se but in certain circumstances it can become personal data.
(2) Scope of the ' household exemption'. The meaning of <gainful' is not clear, in particular it is not clear if it is only monetary reward or if it is broader. Mr Carroll raised the question of targeted advertising by Facebook, in particular the question as to whether Facebook remains the data controller in the case of targeted advertising. explained that an advertiser would indicate who they wished to target; Facebook would tell the advertiser how many members fall within the target audience; the advertiser will never know who the recipients of their targeted advertising are.
(3) Requirement to have explicit consent - there are a number of concerns in relation to this issue in particular that th is requirement could result in reduced protection arising from 'click fatigue'; consumers may simply click 'yes' to everything. In this context the Commission is anxious to distinguish between contractual and non~contractual situations; the issue of consent does not arise if processing is based on a contract. In this context . ~~ ___ said that there is a contractual relationship between Facebook and Facebook users. wondered what happens when the terms of the contract are revised; Facebook are concerned about what should happen every time they add a new fea ture/application. They are concerned that they will have to seek consent far more often that is reasonable in the context of a social network site.
(4) Profil ing: the Commission is proposing much stronger controls in relation to profi ling; profiling is useful in some contexts but there are also concerns that in some cases it can be damaging.
explained that Facebook does not carry out profiling; it does not follow people around on the web or look at search histories; what it does is to use infonnation provided to Facebook but if a person 'l ikes' a particular page on Facebook it will be taken into account. If a Facebook user sees an advertisement that he/she would rather not see he/she can block it.
(5) The meaning of the right to be forgotten will need to be clarified e.g. how it will operate where data is no longer under the control of the data controller, how it wi ll apply to public authorities, etc .
. indicated that the scope of the right to be forgotten is of concern to Facebook. Facebook has no problem removing personal data posted by an individual about himse lflherself within Facebook over which they have contro l but there are difficu lt ies in relation to data posted by others and data copied onto third party sites over which Facebook has no control.
(6) There are enforcement issues in relation to the proposed territorial scope of the Proposal.
More generally Mr Carrott expressed the view that privacy by design and anonymising data should be encouraged and there should be a greater emphasis on risk assessment than on size of organisation in the Proposal.
. indicated that Facebook would have concerns in relation to the large number o f delegated acts provided for in the draft Regulation; this appears to defeat the objective of replac ing the 1995 Directive with a more detailed and comprehensive Regulation.
Noreen Walsh Civil Law Refonn
2
Update to Facebook's data use policy
11105/201217:16
- - . ~ -.. - --. ~"-. - ._"._._-. ,"_._,"-This message has been replied to.
Hi Seam us
I hope you've had a good week. I wanted to let you know about proposals for updates to Facebook's Data Use Policy (aka privacy policy) which have just been made public.
We are making improvements to our Data Use Policy in response to feedback from users and the results of a comprehensive aud it of Facebook's international HQ, Facebook Ireland, recently undertaken by the
Irish Data Protection Commissioner. The audit concluded overall that Facebook has a "positive approach and commitment ... to respecting the privacy rights of users" and encouraged us to enhance our Data Use Policy to be even more detailed about how we use information.
Today we're proposing improvements that respond to this feedback. We're adding more examples and detailed explanations to help users understand our polici es. For example, we include additional t ips, marked w it h a light bulb so users ca n find them easily . We've added new links to our Help Centre. We created a new section expla ining how we use " cookies" and similar technologies and updated the corresponding explanations about cookies in our Help Centre. We also provide more
information about how we use data to operate Facebook, to advertise, and to promote safety and security for Facebook users. These examples and explanations are designed to help users understand what the Data Use Policy means in every day practice.
In terms of process, Facebook 's new draft policy will circu late through our site governa nce process. We have a t ransparent process for proposing updates to our govern ing documents. We post changes for not ice and comment before they become effective on the site. If the comments reach a certain threshold, users have an opportunity to vote on t he changes. Our users will be notified about these updat es from an announcement on t he left-hand side of our home page or from a megaphone announcement on mobile devices.
The changes bui ld upon the privacy policy format we rolled out last year. Facebook thinks we've struck the right balance with our layered, flexible format. You can get the most important information up f ront and then drill down if you want more details in plain English.
For more information about today's rol lout, you can f ind our blog post to users here which includes a li nk to deta iled information and a step by step guide for users.
And of course, do not hesitate to let me know if you have quest ions or concerns. I'm happy to explain more abou t these changes.
Many thanks.
F~1
: 1 - __ J
Paul,
Re: Meeting with Facebook ~~: ~~('l:;:1US s . C,,;moll .,' Pau l.O'Brien (, :
bLC: Noreen X. Walsh
I am happy to attend. Regards
From: Paul. To: "$eamus S. Carroll" Cc: Daie : 02/021201212:25 S ubje;;:c,-t __ Meeting with Face;;:b;;:o;;:o'-k _ _ _ _
Hi Seam us, Jane,
02/02t201 2 13:47
Arising from a meeting between Facebook senior management and the Taoiseach in Davos the Taoiseach promised to facili tate a meeting between
- .. I wi th Facebook, and with Minister Sherlock and relevant officia ls from D/JEI and D/Justice to discuss both data protection and copyright legislation.
This meeting has been arranged for 7pm, Thursday 9th February in Ihe Sycamore Room in Government Buildings.
Seamus, can the Department send the most appropriate officia l?
Jane, either you rself or Tom may wish to attend on beha lf of the Minister.
Best regards,
Pau l
Paul
:'a Roinr. a n Ta o: s:gh rr_eaite a r sel. lbi",i s p.~roif isiunta ,
eifeachtach agus ch''::'irteisea c h a sho1atha::: dar gcustaill'.ei:::i go 1ei::: . Chun a:nharc ar an Cha irt do Chustaii..eiri , clice a~ l ar ht tp : 1 Iww· .... · . taoise ach . gov . iel 1 i::: ish/i ndex . asp?docIO-l 763
Is le haqhaidh an duine ~6 an aonain a r seoladh d6/di an t - eo l as a seachadadh , agus d'fheadadh abhar fa oi run ag'..ls/n6 abhar faoi ph:::ibhleid a bheith ist:"gh 1ei5 . Ta
..
•
RE: Proposals for General Data Protection Regulation Noreen X. Wa lsh 09/02/2012 17:19
_._--_._--_._---- - -History: Th is message has been lorwaraeo.
Noreen,
Apo l ogies '::0:: n o t getting back to you - I ' '''e fonJardee the IT.essage to Google (omd wi ll fol l Q'. ... up wi th t hem by phone tomorrow to confirm) . ! ' m waitir:.g on c o ntact details for Facebook, but I ' l l h a ve Lhose in the Dorning also a nd · .... ill deal with them then .
1'11 confirm both of these · ... ,ith you via e:r.ai 1 i n the morning.
Regards
R
-----Original MessageFrom: Noreen X. Wals h Sent : 09 Feb r uarv 2 01 2 14 : 28 To : Subject : ~roposals tor General Data ?rotection Regulation
Hi Richard
I am · .... onderin g if your Departme nt ~as decided to cor:.sul t i n relation to the Dat a Protection Re qulation or if you wi l l give us contact detai l s so t hat we can do the necessary consultation ?
Regards
Noreen
N::n:een i'lalsh Ci vil :' a·.-/ Re ': o r :n Di vi sio :1
I s le hagh aidh an duir,e no an ei:1titis ar a b t":. fu i l si di.ri.t~e , agus l e haghaicih an d'..line no an eintitis sin aDhain, a bheartaitear a n fha i sneis a t archu':':rea::ih agus feadfa idh se go bhfu':' l a::,har fa:)i r(;.:;. agc.s/n6 faoi p~ribti l eici i n ti . Toirmisc t ear ao:l. a thbh:rei t hniu , ata:rchu :r no leathacih a dheanar:-.h ar an bhfaisr.eis sea , aor, usa i d e il e a b:'1aint aisti. no aon ghniomh a dheanamh ar a hi:):1taoibh, ag daoir.e no ag ei:l. ti ;: i s seachas a n faigr.teci r beartait r.e . tIJa fuair tu e sec t ri dhearmac, teigh i dteagrr,hail l e is an seclt6 ':' :::, :" e do tr.oil , agL:s scrios an "[-abhar as aon rio:r.ha ire . Is e bea:r tas !"":,:;. Roinne DI i a gus Cirt ag 'Js CDm~ion':;'-.:l.dis, na nO i figi a;us r.3 nGniomhai reachta'.. a usa.ideann sei:rbh i si Tr" na Roin r.e seoladh abr.air choluiJ.. a dhicheadu . Mas rud e go ~easan:l. tu gur abha~ cc luil a t a san a~r. ar ata sa teacht ai:r e ach t: sec is c ear t duit du l i d t eag:-:\~ai l leis an seo:"t6ir l ai threach agus le :nai lminder [agJ j us':.ice. i e cnor:-.h mai th .
The i nfo::: IT.ation transIT.it ted is i ntended on ':' y : or the p e:::s on or e:1tity to
Tha nks for t hat . I ' ve confirmed ' .... itr. my cor.tact fr oIT. Googl e . She i s going to dis cuss w~th ma~a gemen t and will revert to me be:o re c l ose of play today to l et me know if they will be maki:lg a scbm~ss ion .
Regards
R
---- -O=iginal Message- - --From: Seamus S. Carroll [mai l '.:.o Sent : 10 Feb r uary 2 0 1 2 09 : 4 4 To : Cc : Noreen X. Walsh Subject: Fw: Proposals for General Dat a Prot ect ion Regula tion
Richard, Facebook met with the Minister yesterday and will ma ke a subr.,ission to us on t he DP proposals .
Rega r ds Forwarded by :012 0 9 : ';'2 -----
From : To : Date : Subj ect :
=0::- info.
No ree n
No reen X. Wals h Se affi'.lS S . Carro l l 09/02/2012 17 : 22
fw: Proposals for General Data Protection Regulation
Forwarded by Noreen X . 'i;a lsh.
From : " Richa r d ... _ ' >:j,-,v • ..t. e> To : " Noreen X. Wal s h " Cc : " Date : 0~/U4'LV ~ ~ ~, . ~~
Subj ec t : RE : Proposals :or General Data ?rotect:on Regulation
Noree:1,
Apo logies for not ge tt i:;g back :0 yo u - I ' ve f crt~ard.ed the me ssage to Google (ar:.d l'>:i11 fo 1 101 .... ut' \·d c::h cher.. by p~one tor.-.crr:o· ..... tc con:irrr .. ) . I ' IT:
waitir:g on contact details fa::: facebook, but !'l': have those i:1 t:-te mor:ling also and ",.ill deal with them ther. .
I'll conflrm both of these wit.h you vi a e:nail ~n t::'e n orning .
Regards
10
,
Re: Fw: Briefina for meeting with Facebook on 9 Februal)' ,-"1 I: Noreen X. Watsh 1310212012 10:55 - _._-_ .. -... ----_._._-
History This message has been replied to .
Thanks Noreen, will be in touch about date for meeting with Faeebook.
Anne
Anne Farre ll
Anne Here is the briefing note Seamus prepared f .. 1310212012 1oA.il05
From: Noreen X. Welsh •••••• To: Date: 13/02/2012 ' U:4~ Subject_' _ __ y w: Briefing for~g w~h Facebook on 9f ebruary _ _ _
Anne
Here is the briefing note Seamus prepared for the meeting with Facebook. It is probably too detailed for your purposes but you may be interested in the first 5-6 paragraphs.
[attachment HBriefing for Minister - Facebook meeting. doe"
•
·--.., . :::"':-.. )
'~j Re: EU Data Protection regulations - more detailed perspective [:,
07/03/201214 :23
Jlook forwa rd to receiving your paper. Perhaps we can meet up next time. Regards
From: To: "Seamus S. Ca rroll" Date: 07/03120121 4:17 Subj e2c~t ___ " __ "~e: EU Data Protection regu l atio~m~_e_de lailed per"' "p"e2cCtiC'e=-____ _
That ' s a shame . Un f o r t u na t el y I ' m on ly in Dubli n o n 1 4 an d 1 5 . We ' re f ina l is i ng a p£per se t ting our F'aceboo k ' s v i e\~ s on t h e p r oposals · ... ·hich I 'l'Ii ll s e nd t o you at the end o f this ·"'eel<: . Hopeful l y us e fu l fo r YO'.l r me e t ing i n Brusse l s .
Tha nk s
On 3/7/12 2 : 10 PM, " Searnu s S . Cil. r ro l l "
> > Unfortu~ a tely I wil l be i n Brus s el s at a mee~i n g t o di s c uss t h e d a t a >pro t ec t i on proposa l s on 14 t h and 15 t h ; \or' i l l b e hen~ on 1 6 t h i f t hat sui t s >you . > >Re ga rds > > > > >Fro!l\ : >Tn :
e> >D a t e : 07 / 03 / 2012 12 : 37 >S u b j ec t : EU Da t a ?=otecti on r egu l ation s - mo r e detailed pe r spect i v e > > > >Ei Seamu s > >I a.n go':o g to be i n Du)Jl.i n next "'"e e :<: fer a cO\Jp l e e f d a y s a n d if >c o nven i ent >I ' d l ike t o c atch u p 'di t h yO \J t o d i s c uss more deta i l e d as p e ct s of t h e >d r af t >D P regu l a tic-n f oll owi ng ou r meet i ng wi t h you and yo u r Mi n iste = last ~onth .
>
.'
;
>Ar e you ava ilable on the morning of 15 ~a=ch? > >Many than k.s
>*~*~.* •• * ••••••• ~ ••• * •• *.* ••••••••••••••••••••• * ••••••• ** • • ** •••• * •••••••• >* ... ,. •• * •• >15 le hagha idh an duine n6 an eintitis ar a bhfuil si dirithe , agus le >haghaidh an duine no an ein t itis sin amhain , a bheartai tea r an f haisneis >a tarchuireadh agus feadfaidh se go bhfuil abhar fa01 r un agus / n6 fao i >phr i b hl e id inti. Toi r misctear aon athhhr e i thniu , a tarchur n6 leathadh a >dheanamh ar an bhfaisneis s eo , aoo usaid e11e a bhaint aisti n6 aon >ghniomh a dheanamh ar a hiontaoibh, ag daoine n6 ag eintitis seachas an >faight eoir beartaithe . M~ f~air tu e sec tri dhearmad, tei9hJ. dteagmhail >leis "/rl seol t 6i r, l e do thoil , agus serios an t-abhar a s aon riomhaire . >ls e beartas na Roinne 01i agus Cirt agus Comhionannais , oa nOi f 1gi ag us >na nGniomhaireachta i a usaideann seirbhisi TF na Roinne seoladh abhai:!" >ehol~il a dhicheadu. >Mas :!" ud e go measann tu gur aohar colui1 a ta san Abhar a ta sa " >t eachtaireacht seo is ceart duit duI i dteagmhail 1eis an seolt6':"r >la i th reach agus le rnailminder[ag]justice .ie chomh ma i th. > >The information transmitted is intended on l y f or the pe:!"son or entity to >which it is addressed and may contain confidenti al andlor pri vileged >m~terial. Any review, retransm':"ssion, dissemination or ot her use of, or >taking of any action i~ reliance upon , this infor~at':"on by persons or >entities other than the intended recipient is p r ohibited. If yeu r ece ived >t his in error, please contact the sender and delete the ma t erial from any >comp uter. It is the policy o f t:he Department of J ust i ce and Equali t y a nd >t he Agencies a nd Offices using its I T services to disallow the s endi ng of >o: fensi ve material . >Should you cons i der that the materia l co .. tained in this message is
•
Cc: Dale: 03/041201 214:22 Subject: Major developments in the data protection fie ld - Developpements majeurs intervenus dans [e
domaine de la protection des donnees ---.::======~.------
Mesdames, Messieurs,
Nous travai1lons actueIJement a la preparation de la prochaine reunion pleniere d u T-PD qui aura lieu du 19 au 22 juin 2012 a Strasbourg et sur les documents qui vous seront soumis a cette occasion. Je vous serais reconnaissante de bien vouloir nous informer des que possible des developpements majeurs survenus dans le domaine de la protection des donnees dans votre pays depuis la derniere reunion pleniere du T-PD qui s'est tenue du 29 novembre au 2 decembre 2011. Vas envois seront compiies dans un document figurant a I'ordre du jour de la pleniere du mois de juin. Grand merci par avance de nous faire parvenir votre contribution avant le 16 mai 2012. Cordialement
Le Secretariat
Dear All,
We are currently working on the preparation of the next T -PO Plenary Meeting which will take place in Strasbourg from 19 to 22 June 2012 and on the documents which will be made available on this occasion. I would be grateful if you could inform us. as soon as possible . on the major developments in the data protection field in your Country since the last T -P D Plenary which was held from 29 November to 2 December 201 1. Your contribution will be included in a documen t mentioned in the draft agenda of the Plenary of June. Thank you very much in advance. Best regards
The secretariat
13,
>
•
Fw: Major developments in the data protection field - Developpements majeurs intervenus dans le domaine de la protection des donnees Noreen X. Walsh to: I - 03/04/20121 4:26
See e-mail below from the Counci l of Europe. Is there anything you wou ld like to inc lude in the document on major developments in the data protection field since November 2011?
Regards
Noreen
Noreen Walsh Civil Law Reform Division
Re: Major developments in the data protection field - Developpements majeurs intervenus dans le domaine de la protection des donnees !
Gary . 0: Noreen X. Wa lsh 03/04/20 1215:32
History: This message has been replied 10.
What sort of things get reported on to give me an idea as obv ious ly we concluded our Facebook Ireland audit report as an example?
Noreen X. Walsh
••••• Origina l Message ••••• From: Noreen X. ~al sh
Sent: 0 3/04/2012 14: 26 GDT To: Subject: Fw : ~ajor developments in the da~a protection field -
Developpe~ents majecrs intervenus dans le domain e de la protection des donn~es
Gary
See e·mail below from the Council of Europe. Is there anything you would like to include in the document on major developments in the data protection field since November 2011 ?
Regards
Noreen
Noreen Walsh Civil Law Reform Division
<.
IS
Re: Major developments in the data protection field - Developpements majeurs intervenus dans le domaine de la protection des donnees I J Gi~ ry )' Noreen X, Wa lsh 15/05/201220:00
Hi5Lt: ry : This message has been replied to.
Noreen,
Apologies for not replying sooner. In that case I would suggest that we reference our audit of Facebook as a sign ificant development perhaps espeCia lly in light of the recent communication on social networks. 11 you want me to send you a few lines I can do that tomorrow.
Regards
Gary Noreen X. Walsh
--- Original Message -----FrOD: No~een X. Walsh Sen t : 1 0 / 05/2012 12 :1 3 GDT '!'o: Gary Sub j ect: Fw : Major developments in the data protection field -
De veloppernents maj e u rs intervenus dans l e do~aine de la protection des donnees Gary
I am wondering if you have anything that you would like to include in the CoE report on developments since November 2011 (see e-mails below) .
Thanks
Noreen
Noreen Walsh Civil Law Reform Division
- I-orwaraeo ay Noreen J'.. vvalsn
From: To: Date:
Noreen X. Walshl Ga" 041041201215:22
10/051201212:12 ----
Subject: Re: Major developments in the data protection field - Oeveloppements majeurs intervenus dans le domaine de la protection des donnees _______ , _ _____ , -,-- - -----
Gary
Here is the report that was issued by the CoE for last December's T-PO meeting.
Regards
Noreen
( r.::. ttachment "CoE Maior Developments National Reports December 2011.pdf' deleted by Gary
\ ,
Noreen Walsh
r;;:- l , '-.-J
Re: Major developments in the data protection fi eld - Developpements majeurs intervenus da ns le domaine de la protection des donnees Nor':H':11 X. V,'1Ie:1 t( Gary 16/051201209:41
Thanks Gary, it would be great jf you could send me a few lines on the Facebook audit.
Regards
Noreen
Noreen Walsh Civil Law Reform Division
n------Gary T. Davi!? ~o!~~n, ~pologjes for not replying sooner. In _1~§lJ :: ...
From: To: Date: Subject:
Gary Noreen X. Walsh. 15/05120 12 20:00 Re: Major developments in the da ta protection field· Developpements majeurs intervenus
______ dans le d~_ai_n~~::~_p_'_ot_e_cti_on~es don:cn~.~es,-____ _ -------------Noreen,
Apologies for not replying sooner. In that case I would suggest that we reference our audit of Facebook as a significant development perhaps especially in light of the recent communication on social networks. If you want me to send you a few lines I can do that tomorrow.
Regards
Gary
Nomen X. Walsh
---- Original Message --••• From: Noreen X. Wa:sh Sent: 10/05/2012 12 : 13 GDT To: Subject : Fw : Major developments in the data prctection field -
Deve loppements majeu!'s intervenus dans le do:nai:1e de la protection des donnees Gary
I am wondering if you have anything that you would like to include in the CoE report on developments since November 2011 (see e·mails below) .
Thanks
Noreen
Noreen Wa lsh Civil Law Reform Div ision 11-
•
Re: Major developments in the data protection field - Oeveloppements majeurs intervenu5 dans le domaine de la protection des donnees G1
My apologies. You should not have had to remind me twice never mind three times.
I hope this is sufficient.
Regards
Gary
~ FB Developments.doe
From: To: Date:
Noreen X. Waist · Gary 181051201209:53
Subject: Re: Major developments in the data protection field· Oeveloppements majeurs rntervenus dens le domaine de la protection des donnees
Gary ,
Would it be possible to send me a short nole on the Facebook enquiry for the CoE major developments report by early afternoon today as I have received an e-mail from the CoE indicating that today is the deadline for sending in malerial.
Thanks
Noreen
Noreen Walsh Civil Law Reform Division
[ '1 ' .• ~N.oreen, Apologies for not reply ing sooner. In t~at...
Noreen X. Walsh
----- Original Message -----From : Noreen X. Walsh Sent: 10 / 05/ 2012 12:13 G~T To: Gary Subjec t: Fw: Maj or de velopments iI'. the data protecticn field -
Devel o9pements majeu r s intervenus dans l e domaine de la protec~ion des donn~es
Gary
I am wondering if you have anything that you would like to include in the CoE report on developments
•
-' -The Ollice of the Data Projec tion Commissioner publ ished on 21 December 201 I the outcome of its audit of face-boo k Irc!<llld( FH· I) which ~\as conducted du ring the last quarter of 10 I J including olH,i tc in Faccbook Irebnd' s I kadqunrtl.' rs in Dublin. The Repol1 was stated to be a comprl.'hcnsi ve assessmel1t of Facebook Ireland's compliant!! wi th Irish Data Protect ion law and by cxt~nsi(lI1 EU la_w in this an~a. facebook Ireland has responsibili ty [or all Faccbook users outside of the USA and Canada.
The audi t [ound a positive app roach (Lnd commitnll:!llt Oil the part ofFB~I to respectin g: the privacy rights of its lIsers. Arising from the audi t. FS· I agrel'd to a wide range of ;·bcst practice" improvemc:nts to be impkmented during the first 6 months o f 20 12 with a fo rmal review of progress to take place in July 2012.
The Audit \vas the most' comprehensive and ddai lcd ever undertaken by the Olliee of the Data Protcc,tion Commissioner.
The Report records significant recommendat ions and commitments from Facebook Ireland in relation to:
a mechanism for users to convey an informed chl)ice for how their i.nfomlation is used and shared on the si te including in relation to Third Party Apps a broad update to the Data Use Policy/ Pri vacy Policy to take account of rccommendatil)ns a.<; to where the information provided to use rs could be further improved transparency and control lor llse rs via the provision of all personal data he ld to them on request and as part of their everyday in teraction with the site the de letion of i.nformat ion held on llsers and non ~uscrs via what arc known as social plugill s and more generally the de leli{)1l of data held from user interactions \\/ i lh the si te much sooner than presently increased transparency and contro ls ror the use of personal data for advcl1ising purposes an add itional form of Ilotification for lIsers in relarion to facial recognitionf' tag suggest" that is considered will 'ensure- Facebook Irdancl is meeting best practice in this area from an Iri sh law perspective (In enhanced ability for users to control t3gging and posting on other user profiles an enhanced ability lor users to control whether the-ir addition to Groups by fr iends the Compliance management/Governance function in Dublin which will be further improved and enhanced (u ensure thal the introduction of new products or new uSeS oJ" user data take full accoun t of Irish data protection law. •
J
Corinne
Re: REMINDER/RAPPEL : Major developments in the data protection field - Developpements majeurs intervenus dans le domaine de la protection des donnees .:. Noreen X. Walsh to: 1810512012 15:48
Material in relation to major developments in Ireland is attached as requested.
Regards
Noreen Walsh Civil Law Reform Division
~ Major Developments Report - l B.OS. 12.doc
"' '.' _.
Ireland
Major developments in the data protection field since 28 th T -PD Meeting (November - December 2011)
On 21 Decemb.;-r 20 11 the Office oftht: DnHll'rotl..'c lion Commissioner publishtd its Report on the ouli..':OIllC of its ~udif of Faccbook Ir('lnnd (FB-I). The Report prvvides a compre.hensive assessme nt of Facl;'hllok Ircl and ' ~ COml)li .. n~e wi th Irish Data Protection law and by extension EU \av,: in this urea. F~lcebook Ireland has responsibility for all Faeebook lI sers outside or the USA and Canada.
The audit found a positive approach and C(lmlllitmcnt o n the part or FB-.I to respecting the privacy rigbts of its lIsers. Arising from tilt.' audit. FB-l agreed to a v,' ide range of "best practice" improveme nts to be implemented during the first 6 months o f 2012 \ .... ith a formal rev iew ofprogrcss to take place in Jldy 20 12.
The Audi t was the mostl..'omprehens iw and Jt.'tu iled ever undertaken by the o nice of the Data Protec tiQn CQmmissioner.
The Report records s ignificant re-comnh::nlh.tti oIlS and commi tments from Fucebook [reland in relation LO:
a mechani sm for users tl) convey an in lo rmed choice for how the ir infonnation is used and shared on the site induding in rdat ion to Third Party Apps a broad upd<ll~ to the Data US\! Policy/Pri vacy Policy tQ lake accounl or recomme ndations as 10 wher~ the inf • .)nmllion provided 10 users could be further improved tmnspurency and control for lIsers via the provision of all persona l data held to them on request and as pal1 ol'tllcir cwryday interaction \vith the site the de le tion ofinforrnation l1eld on users ::md non·uscrs via what are kno\Nn as s~)cial plugins and marc gCllcnlll)· th(! (.klction of data hdd from lIscr interactions with the site much SOQner than pre~ently increased transparency and conlwls for the us.: of personal data to r advertising putvoses an additional fo rm of notificat ion for llsers ill rdat ion to facial recogn itionf'tag suggest"' that is c\)lls iJcred will ensure Facebook Ireland is meeting best pr::lctice in this area from an Irish lav.' perspective an enham;ed ability for users to control lagging and posting on other user protiles an enhanced ability for users to control their addition to Groups by friends th~ Compl iallt:t: managemem/Govc rnanct' function in Dub li n which \\ ill be further improved and ~nhanced 10 l'nSllrt" that the introductioll oCne\\' products or new lISCS of user dnta take fu ll account of Iri sh data protection law.
The repo11 is available o11 ll1e Data Protection Commissioner's wcbsite: hltp :lldmaprotcction. i c.
,
Re: Catching up CJ
Yes, 11.30 will be fine; you know where our office is. See you then. Regards
From: To: "Seamus S. Carroll~' Dale: 14/08/20 1214:31 "S"ub",i"ec:.:':.., ___ Rc:e:;,,,C:.:a:::tc::h=in~!p_~._~ ____ , ______ •
Thanks p r efer
SeaMUs. I have an event at b r eakfast time so I a t ine after 11am . Shall \<>'e say 11.30 to be on
On 8/1 4/12 2:26 PH, " Sea~us S. Carroll "
>All well here ; just back from holidays . >
14/081201214:34
----.--would most likely the safe side?
>Friday 14th September , at whatever time suits you , wi ll suit 1:'.e . >Regards > > > >From : >To :
>Date : >Subject : > > > >~i Seamus >
" Seamus S . Carroll "
14/08/201 2 13: 53 Catching up
>I hope you ' ve been ab l e to have a break over the surr~er. I ' ll be in Dublin >12-14 September a~d it would be great to catch up with you on all things >DPD. I'd also like ' to introduce you to who a lso works on policy >i ssues for Irela:1d. Can you plea se let me know whe~ is good in your diary >over those days? > >Man y t ha nks
> >Description: Descr iptio~: Llescr ipt ion: c id: imcgeOO 1. [email protected] 88 . 8 f'CCE:63 0 " Id ! reiand I face book , , , , , , , > > > >
