You are on page 1of 29

Privacy online: current

developments
Dr TJ McIntyre, Digital Rights Ireland and
UCD Sutherland School of Law

Ireland has given


rise to some
important European
cases

Data
Retention
Challenge
Digital Rights Ireland v.
Minister for
Communication and ors.

(c) David Rooney

Data
Retention
Challenge
Digital Rights Ireland v.
Minister for
Communication and ors.

(c) David Rooney

Internet Map, 2005. CC BY 2.5 Opte Project

Safe
Harbor
Challenge
Schrems v. Data
Protection Commissioner

CC BY-NC-SA 2.0 Network Cultures

With some interesting


domestic law along the way
Digital Rights Ireland Ltd v. Minister for Communication & ors
[2010] IEHC 221
Permitting the action to proceed as an actio popularis
Refusing security for costs

Schrems v. Data Protection Commissioner (unreported, 16


July 2014)
Granting Irelands first protective costs order limiting exposure
to 10,000

Amici curiae appointed in both cases

And wide international


impact

But what other lessons can


we draw from these cases?

Some aspects are parochial

Privacy is
vital for
Irish tech
industry
Ireland has become a
battleground for access
to user data

But will
Irish
surveillance
law stand up
to scrutiny?

No judicial approval
for access to internet
communications
No stored
communications law
Misc. bodies have
power to demand
communications
records without
external approval
Inadequate judicial
oversight

Compare the Report of the


Designated Judge (March 2014)

with the Data Protection Commissioner


audit of AGS (March 2014)
The Team referred to an audit it conducted of a technology
company and how it had viewed a request from AGS to that
company which cited the 2011 Communications (Retention
of Data) Act as the legal basis to seek the data. The Team
explained to AGS that the ODPC had advised the company
that it was not covered under the 2011 Act.
The situation where a request is made without the Chief
Superintendents knowledge and signed/authorised
retrospectively by the Chief Superintendent did notfollow
the requirements specified in the 2011 Act. The Team
advised AGS that all requests for call and internet traffic
data should be authorised by the Chief Superintendent on a
case by case basis rather than on an aggregate basis at the
end of a particular time period.

Some aspects are


Europe-wide
We now have two European human rights
jurisdictions: What is the relationship between
them?

CC BY-SA 3.0 CherryX

CC BY-NC-SA 2.0 Gwenael Piaser

Article 52(3) Charter of


Fundamental Rights
In so far as this Charter contains rights
which correspond to rights guaranteed by
the Convention for the Protection of
Human Rights and Fundamental
Freedoms, the meaning and scope of
those rights shall be the same as those laid
down by the said Convention. This
provision shall not prevent Union law
providing more extensive protection.

Review of surveillance measures


ECtHR v. CJEU
1.

Privacy the main right

1.

Art. 8 ECHR

Art. 8 CFR

But also Art. 10

2.

Political authorisation of
surveillance is acceptable

2.

Strategic monitoring acceptable


subject to adequate safeguards
against abuse

Access to metadata must be


approved by a judge or equivalent
Digital Rights Ireland

Kennedy v. UK

3.

Data protection als0 a


fundamental right

3.

Access on a generalised basis to


content compromises the
essence of the right to privacy
Schrems

Weber & Saravia v. Germany

4.

Applies margin of appreciation

4.

5.

Can review national security


measures

5.

6.

A court with teeth: supremacy and


direct effect of EU law, guarantee
of adequate and effective
remedies, etc.

6.

A court of moral victories?

Will surveillance by EU
states be held to the
same norms?

US critics accuse the EU of


hypocrisy
The US official refused to
address claims that there
had been hypocrisy in
Europe. But he stressed
that the EU ruling would
not address the concerns
of European citizens
worried about the
surveillance by their own
governments, since the
ruling only covered
transfers of data across
the Atlantic.

A US tech executive said


the decision would be
highly disruptive to the
industry in the US and
Europe. A lot of these
issues of America using
surveillance also apply in
Europe, said the
executive. So its
ridiculous to see this as a
one-way street.

US tech companies overhaul operations after EU data ruling, Financial Times 6 Oct. 2015

Winston Maxwell, Hogan Lovells Chronicle of Data Protection, 6 Aug. 2015

Some
aspects
are
worldwide
Digital Rights Ireland and
Schrems contribute to
pressures for internet
fragmentation
Data localisation,
blocking, geo-located
censorship more
common

(c) Kaspersky, Kaspersky Security Bulletin, 2013

Some
aspects
are
structural
Outsourcing surveillance
reduces costs &
encourages
disproportionate use
Giant private databases
are a rich target for
states and hackers alike
Law is only a partial
remedy
Time for a move towards
a decentralised internet?

Thank you
Questions or comments?
DigitalRights.ie | TJMcIntyre.com | @TJMcIntyre