Blogs

Irish EU Council Presidency proposes destruction of right to privacy

By EDRi · January 16, 2013

This article is also available in:
Deutsch: [Irische EU-Ratspräsidentschaft empfiehlt Abbau des Rechts auf Privatsphäre | https://www.unwatched.org/EDRigram_11.1_Irische_EU-Ratspraesidentschaft_empfiehlt_Abbau_des_Rechts_auf_Privatsphaere?pk_campaign=edri&pk_kwd=20130125]

The Irish Presidency of the European Council has distributed a
“discussion paper” on the protection of citizens’ personal data ahead of
this week’s Justice and Home Affairs Council in Dublin. As the first
Presidency in this “European Year of the Citizen”, we had every reason
to expect the Irish to produce novel ways of protecting citizens. Their
first suggestions are definitely novel, but certainly are not protective
of citizens’ fundamental rights.

For example, based on the current situation in Ireland, the idea is that
all companies can do whatever they want with personal data, without fear
of sanction. Sanctions, such as fines, “should be optional or at least
conditional upon a prior warning or reprimand”. In other words, do what
you want, the worst that can happen is that you will receive a warning.

Of course, policies are often proposed that sound worse in theory than
they are in practice. In this case, however, we just have to look at
current practice in Ireland to see what such an approach looks like. The
Irish police “PULSE” database saga gives a chilling insight into the
brave new world into which the Irish Presidency apparently wants to lead us.

In 2007, the Irish data protection Commissioner agreed on a
“self-regulation” structure with the police. In 2010, a report from a
judge assessing Ireland’s data retention regime identified serious
abuses happening under this “light touch” regulatory system. The abuses
passed apparently unnoticed by the vastly under-resourced data
protection authority (DPA) that had approved the launch of the
“self-regulatory” regime. The Irish DPA availed of its option not to
take immediate enforcement action against the police.

In 2011, a full four years after the system had been set up, the Irish
data protection authority at last came to the conclusion that the system
was falling “short of the standards we expect”. Again, the Irish DPA
chose not to take enforcement action against the police. Finally, after
five years of apparently unremitting abuse of citizens’ data, the data
protection authority announced in 2012 that it would audit the PULSE
database and, from what we can tell, chose yet again not to take
enforcement action against the ongoing breaches of citizens’ fundamental
rights. In the meantime, we can only assume that the abuses continue
unabated.

Under the Irish proposal, this approach would be made mandatory,
warnings would have to be issued first, after citizens’ fundamental
rights were abused, giving companies and state authorities “carte
blanche” to breach our rights until (at the earliest) the data
protection authority twice found a company to be in breach of the law.

If the EU-wide introduction of current unfit-for-purpose Irish
strategies would not be bad enough, the reality would be a little worse.
At the moment, companies are required to register their data processing
with the data protection authority, which at least makes the DPA aware
of the processing that is taking place. Under the new Regulation that
has been proposed, those registration obligations would be substantially
weakened, which makes sense in the context that the Commission
originally proposed. In this context, however it would mean giving even
fewer tools to the eviscerated DPAs. The “race to the bottom” would be
replaced by a synchronised dive.

Two weeks into the European Year of the Citizen and two weeks since the
start of the term of office, the Programme of the Irish Presidency of
the European Union is beginning to look like a lame parody:

“Increased internet usage, social media, globalisation of data transfers
and other technological advances have made life easier for millions, but
also increase the collection, use and processing of personal data
globally. The Lisbon Treaty contains a new legal base for EU data
protection rules and the Charter of Fundamental Rights also enshrines
protection of personal data as a fundamental right. As part of its focus
on the Digital Agenda, the Presidency will work to reach agreement in
the Council on key aspects of the Data Protection package. This is aimed
at ensuring that citizens have more control over their personal data.
Progress made by the Presidency in this area will strengthen confidence
in the digital economy and support the growth of the Digital Single Market.”

Informal Justice and Home Affairs Ministers’ Meeting – Discussion Paper
– Data Protection – certain key issues (17-18.01.2013)
https://edri.org/files/irl_dppaper.pdf

2013 – European Year of the Citizen
http://europa.eu/citizens-2013

Gardaí use database to check up on daughters’ boyfriends (8.08.2011)
http://www.thejournal.ie/gardai-use-database-to-check-up-on-daughters-boyfriends-196134-Aug2011

Data Protection in An Garda Síochána
http://www.garda.ie/Controller.aspx?Page=136&Lang=1

Judge’s report reveals allegations that Garda used phone records to spy
on her ex (20.02.2011)
http://www.tjmcintyre.com/2011/02/judges-report-reveals-allegations-that.html

Irish DPA Report – 2010
http://www.dataprotection.ie/documents/annualreports/2010AR.pdf

Tax official used data on woman to proposition her (24.10.2012)
http://www.independent.ie/national-news/courts/tax-official-used-data-on-woman-to-proposition-her-3270976.html

Programme of the Irish Presidency of the European Union
http://www.eu2013.ie/media/eupresidency/content/documents/EU-Pres_Prog_A4.pdf

(Contribution by Joe McNamee – EDRi)