Privacy online: current

developments
Dr TJ McIntyre, Digital Rights Ireland and
UCD Sutherland School of Law

Ireland has given
rise to some
important European
cases

Data
Retention
Challenge
Digital Rights Ireland v.
Minister for
Communication and ors.

(c) David Rooney

Data
Retention
Challenge
Digital Rights Ireland v.
Minister for
Communication and ors.

(c) David Rooney

Internet Map, 2005. CC BY 2.5 Opte Project

Safe
Harbor
Challenge
Schrems v. Data
Protection Commissioner

CC BY-NC-SA 2.0 Network Cultures

With some interesting
domestic law along the way
• Digital Rights Ireland Ltd v. Minister for Communication & ors
[2010] IEHC 221
• Permitting the action to proceed as an actio popularis
• Refusing security for costs

• Schrems v. Data Protection Commissioner (unreported, 16
July 2014)
• Granting Ireland’s first protective costs order limiting exposure
to €10,000

• Amici curiae appointed in both cases

And wide international
impact

But what other lessons can
we draw from these cases?

Some aspects are parochial

Privacy is
vital for
Irish tech
industry
Ireland has become a
battleground for access
to user data

But will
Irish
surveillance
law stand up
to scrutiny?


No judicial approval
for access to internet
communications
No stored
communications law
Misc. bodies have
power to demand
communications
records without
external approval
Inadequate judicial
oversight

Compare the Report of the
Designated Judge (March 2014)…

… with the Data Protection Commissioner
audit of AGS (March 2014)
• “The Team referred to an audit it conducted of a technology
company and how it had viewed a request from AGS to that
company which cited the 2011 Communications (Retention
of Data) Act as the legal basis to seek the data. The Team
explained to AGS that the ODPC had advised the company
that it was not covered under the 2011 Act.”
• “The situation where a request is made without the Chief
Superintendent’s knowledge and signed/authorised
retrospectively by the Chief Superintendent did notfollow
the requirements specified in the 2011 Act. The Team
advised AGS that all requests for call and internet traffic
data should be authorised by the Chief Superintendent on a
case by case basis rather than on an aggregate basis at the
end of a particular time period.”

Some aspects are
Europe-wide
We now have two European human rights
jurisdictions: What is the relationship between
them?

CC BY-SA 3.0 CherryX

CC BY-NC-SA 2.0 Gwenael Piaser

Article 52(3) Charter of
Fundamental Rights
• “In so far as this Charter contains rights
which correspond to rights guaranteed by
the Convention for the Protection of
Human Rights and Fundamental
Freedoms, the meaning and scope of
those rights shall be the same as those laid
down by the said Convention. This
provision shall not prevent Union law
providing more extensive protection.”

Review of surveillance measures
ECtHR v. CJEU
1.

Privacy the main right

1.

• Art. 8 ECHR

• Art. 8 CFR

• But also Art. 10

2.

Political authorisation of
surveillance is acceptable

2.

“Strategic monitoring” acceptable
subject to “adequate safeguards
against abuse”

Access to metadata must be
approved by a judge or equivalent
• Digital Rights Ireland

• Kennedy v. UK

3.

Data protection als0 a
fundamental right

3.

Access “on a generalised basis” to
content “compromises the
essence” of the right to privacy
• Schrems

• Weber & Saravia v. Germany

4.

Applies margin of appreciation

4.

?

5.

Can review national security
measures

5.

?

6.

A court with teeth: supremacy and
direct effect of EU law, guarantee
of adequate and effective
remedies, etc.

6.

A court of moral victories?

Will surveillance by EU
states be held to the
same norms?

US critics accuse the EU of
hypocrisy
• “The US official refused to
address claims that there
had been hypocrisy in
Europe. But he stressed
that the EU ruling would
not address the concerns
of European citizens
worried about the
surveillance by their own
governments, since the
ruling only covered
transfers of data across
the Atlantic.”

• “A US tech executive said
the decision would be
“highly disruptive” to the
industry in the US and
Europe. ‘A lot of these
issues of America using
surveillance also apply in
Europe,’ said the
executive. ‘So it’s
ridiculous to see this as a
one-way street.’”

“US tech companies overhaul operations after EU data ruling”, Financial Times 6 Oct. 2015

Winston Maxwell, Hogan Lovells Chronicle of Data Protection, 6 Aug. 2015

Some
aspects
are
worldwide
Digital Rights Ireland and
Schrems contribute to
pressures for internet
fragmentation
Data localisation,
blocking, geo-located
censorship more
common

(c) Kaspersky, Kaspersky Security Bulletin, 2013

Some
aspects
are
structural
Outsourcing surveillance
reduces costs &
encourages
disproportionate use
Giant private databases
are a rich target for
states and hackers alike
Law is only a partial
remedy
Time for a move towards
a decentralised internet?

Thank you
Questions or comments?
DigitalRights.ie | TJMcIntyre.com | @TJMcIntyre