Privacy online: current developmentsDr TJ McIntyre, Digital Rights Ireland andUCD Sutherland School of Law

Ireland has given rise to some important European cases

Data Retention ChallengeDigital Rights Ireland v. Minister for Communication and ors.

(c) David Rooney

Data Retention ChallengeDigital Rights Ireland v. Minister for Communication and ors.

(c) David Rooney

Internet Map, 2005. CC BY 2.5 Opte Project

Safe HarborChallengeSchrems v. Data Protection Commissioner

CC BY-NC-SA 2.0 Network Cultures

With some interesting domestic law along the way

• Digital Rights Ireland Ltd v. Minister for Communication & ors[2010] IEHC 221

• Permitting the action to proceed as an actio popularis

• Refusing security for costs

• Schrems v. Data Protection Commissioner (unreported, 16 July 2014)

• Granting Ireland’s first protective costs order limiting exposure to €10,000

• Amici curiae appointed in both cases

And wide international impact

But what other lessons can we draw from these cases?

Some aspects are parochial

Privacy is vital for Irish techindustryIreland has become a battleground for access to user data

But will Irish surveillance law stand up to scrutiny?• No judicial approval

for access to internet communications

• No stored communications law

• Misc. bodies have power to demand communications records without external approval

• Inadequate judicial oversight

Compare the Report of the Designated Judge (March 2014)…

… with the Data Protection Commissioner audit of AGS (March 2014)

• “The Team referred to an audit it conducted of a technology company and how it had viewed a request from AGS to that company which cited the 2011 Communications (Retention of Data) Act as the legal basis to seek the data. The Team explained to AGS that the ODPC had advised the company that it was not covered under the 2011 Act.”

• “The situation where a request is made without the Chief Superintendent’s knowledge and signed/authorised retrospectively by the Chief Superintendent did notfollowthe requirements specified in the 2011 Act. The Team advised AGS that all requests for call and internet traffic data should be authorised by the Chief Superintendent on a case by case basis rather than on an aggregate basis at the end of a particular time period.”

Some aspects are Europe-wideWe now have two European human rights jurisdictions: What is the relationship between them?

CC BY-SA 3.0 CherryX

CC BY-NC-SA 2.0 Gwenael Piaser

Article 52(3) Charter of Fundamental Rights

• “In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.”

Review of surveillance measuresECtHR v. CJEU

1. Privacy the main right

• Art. 8 ECHR

• But also Art. 10

2. Political authorisation of surveillance is acceptable

• Kennedy v. UK

3. “Strategic monitoring” acceptable subject to “adequate safeguards against abuse”

• Weber & Saravia v. Germany

4. Applies margin of appreciation

5. Can review national security measures

6. A court of moral victories?

1. Data protection als0 a fundamental right

• Art. 8 CFR

2. Access to metadata must be approved by a judge or equivalent

• Digital Rights Ireland

3. Access “on a generalised basis” to content “compromises the essence” of the right to privacy

• Schrems

4. ?

5. ?

6. A court with teeth: supremacy and direct effect of EU law, guarantee of adequate and effective remedies, etc.

Will surveillance by EU states be held to the same norms?

US critics accuse the EU of hypocrisy

• “The US official refused to address claims that there had been hypocrisy in Europe. But he stressed that the EU ruling would not address the concerns of European citizens worried about the surveillance by their own governments, since the ruling only covered transfers of data across the Atlantic.”

• “A US tech executive said the decision would be “highly disruptive” to the industry in the US and Europe. ‘A lot of these issues of America using surveillance also apply in Europe,’ said the executive. ‘So it’s ridiculous to see this as a one-way street.’”

“US tech companies overhaul operations after EU data ruling”, Financial Times 6 Oct. 2015

Winston Maxwell, Hogan Lovells Chronicle of Data Protection, 6 Aug. 2015

Some aspects are worldwideDigital Rights Ireland and Schrems contribute to pressures for internet fragmentation

Data localisation, blocking, geo-located censorship more common

(c) Kaspersky, Kaspersky Security Bulletin, 2013

Some aspects are structuralOutsourcing surveillance reduces costs & encourages disproportionate use

Giant private databases are a rich target for states and hackers alike

Law is only a partial remedy

Time for a move towards a decentralised internet?

Thank youQuestions or comments?DigitalRights.ie | TJMcIntyre.com | @TJMcIntyre