The New European Law of Surveillance - Implications for Ireland as a Data Hub

7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

1/40

The New European Law ofSurveillance: Implications forIreland as a Data HubDr TJ McIntyre, Digital Rights Ireland and

UCD Sutherland School of Law

ICEL, Dublin, 1 July 2016


2/40

Outline

After Snowden, we can seethe emergence of a newEuropean law of surveillancein cases such as Digital RightsIreland, Schrems and Zakharov

Ireland has become a keylocation for data storage but Irish laws have not keptpace with Europeandevelopments

This talk will discuss the stateof Irish law and implicationsfor privacy rights of usersworldwide

CC BY-SA 2.0 Brian Robert Marshall
http://www.geograph.org.uk/profile/7420http://www.geograph.org.uk/profile/7420


3/40

Significanceof Ireland?

EMEA headquarters/keyoffices/data centres ofmany internet firms

Google, Facebook,

Yahoo, LinkedIn,Microsoft, Twitter, Apple

Increasingly so followingcollapse of Safe Harbor(and also Brexit?)

Irish law affects 100s ofmillions of usersworldwide

Image from Newenham, ed., Silicon Docks (2015)
http://www.libertiespress.com/shop/silicon-docks-the-rise-of-dublin-as-a-global-tech-hubhttp://www.libertiespress.com/shop/silicon-docks-the-rise-of-dublin-as-a-global-tech-hub


4/40
http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768


5/40

Quite by accident,

Ireland has becomea central if reluctantparticipant in theinternationalsurveillance debate
http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768


6/40

Where aresurveillancestandardsadjudicated?


7/40


8/40

What do thosesurveillancestandards require?


9/40

Foreseeability, controls ondownstream use, deletion

Weber and Saravia v. Germany (2006)

In its case-law on secret measures of surveillance, the Courthas developed the following minimum safeguards that shouldbe set out in statute law in order to avoid abuses of power:

the nature of the offences which may give rise to an interceptionorder;

a definition of the categories of people liable to have theirtelephones tapped;

a limit on the duration of telephone tapping;

the procedure to be followed for examining, using and storing the

data obtained; the precautions to be taken when communicating the data to

other parties;

and the circumstances in which recordings may or must be erasedor the tapes destroyed.
http://hudoc.echr.coe.int/eng?i=001-76586http://hudoc.echr.coe.int/eng?i=001-76586http://hudoc.echr.coe.int/eng?i=001-76586


10/40

Adequate and effectiveguarantees against abuse,including remedies for abuse

Uzun v. Germany (2010)

Adequate and effective guarantees against abusedetermined by:

all the circumstances of the case, such as the nature, scope andduration of the possible measures, the grounds required forordering them, the authorities competent to permit, carry out andsupervise them, and the kind of remedy provided by the nationallaw

Case C-362/14 Schrems (2015)

Likewise, legislation not providing for any possibility for anindividual to pursue legal remedies in order to have access topersonal data relating to him, or to obtain the rectification orerasure of such data, does not respect the essence of thefundamental right to effective judicial protection, as enshrinedin Article 47 of the Charter.
http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-100293&filename=001-100293.pdfhttp://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-100293&filename=001-100293.pdfhttp://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-100293&filename=001-100293.pdf


11/40

Possibility of notificationafter surveillance

Klass v. Germany (1978)

Notification is strongly desirable: there is in principle littlescope for recourse to the courts unless the individual isadvised of the measures taken without his knowledge and thus

able retrospectively to challenge their legality.

Association for European Integration and Human Rights andEkimdzhiev v. Bulgaria (2007)

as soon as notification can be made without jeopardising thepurpose of the surveillance after its termination, information

should be provided to the persons concerned National laws contrary to Article 8 & Article 13 (right to

effective remedy) where they didnt provide for notificationand expressly prohibited any disclosure of informationwhether a person subject to surveillance
http://hudoc.echr.coe.int/eng?i=001-57510http://hudoc.echr.coe.int/eng?i=001-57510http://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://hudoc.echr.coe.int/eng?i=001-57510


12/40

Possibility of notificationafter surveillance

Zakharov v. Russia (2015)

The fact that persons concerned by secret surveillancemeasures are not subsequently notified once surveillance hasceased cannot by itself warrant the conclusion that the

interference was not necessary in a democratic society, as itis the very absence of knowledge of surveillance which ensuresthe efficacy of the interference.

As soon as notification can be carried out withoutjeopardising the purpose of the restriction after thetermination of the surveillance measure, information should,

however, be provided to the persons concerned. Availability of an inquisitorial remedy may suffice as an

alternative (citing Kennedy v. UK)
http://hudoc.echr.coe.int/eng?i=001-159324http://hudoc.echr.coe.int/eng?i=001-159324http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-98473&filename=001-98473.pdfhttp://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-98473&filename=001-98473.pdfhttp://hudoc.echr.coe.int/eng?i=001-159324


13/40

Judicialauthorisation/oversight

Klass v. Germany (1978)

Judicial authorisation and supervision preferable

Other supervisory bodies permissible if independent of theauthorities carrying out the surveillance, objective and

vested with sufficient powers and competence to exercise aneffective and continuous control

Kennedy v. United Kingdom (2010)

Accepted executive (ministerial) authorisation of phonetapping where the totality of the oversight system provided

adequate safeguards against abuse.

Significant that the Investigatory Powers Tribunal system wasavailable to any person and could provide a remedy based onan inquisitorial system
http://hudoc.echr.coe.int/eng?i=001-57510http://hudoc.echr.coe.int/eng?i=001-57510http://hudoc.echr.coe.int/eng?i=001-98473http://hudoc.echr.coe.int/eng?i=001-98473http://hudoc.echr.coe.int/eng?i=001-98473http://hudoc.echr.coe.int/eng?i=001-57510


14/40

Judicialauthorisation/oversight

Joined Cases C-293/12 and C-594/12 Digital Rights Irelandand Seitlinger(2014)

Data Retention Directive invalid as, inter alia,

Above all, the access is not made dependent on a prior review carriedout by a court or by an independent administrative body whose decisionseeks to limit access to the data and their use to what is strictly necessaryfor the purpose of attaining the objective pursued and which intervenesfollowing a reasoned request of those authorities

Szabo & Vissy v. Hungary (2016)

Rejects political authorisation in cases of mass surveillance:

Given that the scope of the measures could include virtually anyone,that the ordering is taking place entirely within the realm of theexecutive and without an assessment of strict necessity, that newtechnologies enable the Government to intercept masses of dataeasily concerning even persons outside the original range of operation,and given the absence of any effective remedial measures, let alonejudicial ones, the Court concludes that there has been a violation
http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484


15/40

Direct access to networks isdisfavoured

Zakharov v. Russia (2015)

the requirement to show an interception authorisation tothe communications service provider before obtainingaccess is one of the important safeguards against abuseby the law-enforcement authorities

a system, such as the Russian one, which enables thesecret services and the police to intercept directly thecommunications of each and every citizen without requiringthem to show an interception authorisation to thecommunications service provider, or to anyone else, isparticularly prone to abuse.


16/40

Protection of journalistssources

Telegraaf Media v. Netherlands (2013)

Surveillance (seizure of records) to identify journalist sourcesrequires prior review by an independent body with the powerto prevent or terminate it

review post factum, whether by the Supervisory Board, theCommittee on the Intelligence and Security Services of theLower House of Parliament or the National Ombudsman,cannot restore the confidentiality of journalistic sources once itis destroyed.

The Court thus finds that the law did not provide safeguards

appropriate to the use of powers of surveillance againstjournalists with a view to discovering their journalistic sources.There has therefore been a violation of Articles 8 and 10 of theConvention.


17/40

Restrictions on bulkcollection

Weber & Saravia v. Germany (2006)

Strategic monitoring acceptable subject to adequatesafeguards against abuse

Case C-362/14 Schrems (2015) legislation permitting the public authorities to have access on

a generalised basis to the content of electroniccommunications must be regarded as compromising theessence of the fundamental right to respect for private life, asguaranteed by Article 7 of the Charter

Szabo & Vissy v. Hungary (2016)

Expresses serious concern about indiscriminate capturingof vast amounts of communications.
http://hudoc.echr.coe.int/eng?i=001-76586http://hudoc.echr.coe.int/eng?i=001-76586http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://hudoc.echr.coe.int/eng?i=001-76586


18/40

Does Irish law meetthose standards?


19/40

Context: No separateintelligence agency

National security is primarily a police responsibility

Blurred lines between criminal and national securityinvestigation

E.g. dissident republican fundraising

No general legislative basis for intelligence gathering /sharing with other states

Police force is responsible only to Minister, not PolicingAuthority, in relation to security services

Data protection law including role of DPC does not applyto personal data which Minister certifies is kept for thepurpose of safeguarding the security of the State

No parliamentary oversight of intelligence


20/40

Four types of surveillanceregulated:

1. Interception of communications

Interception of Postal Packets and TelecommunicationsMessages (Regulation) Act 1993

Limited to authorised undertakings essentially, traditional

telecoms providers

2. Data Retention

Communications (Retention of Data) Act 2011

3. Surveillance devices (covert bugs, cameras)

Criminal Justice Surveillance Act 2009

4. Tracking devices (GPS trackers on cars, containers)

Criminal Justice Surveillance Act 2009


21/40

Not regulated by statute:

Access to stored communications (e.g. webmail)

Use of malware (government Trojans)

Irish Defence Forces recently attempted to purchase malware

from Hacking Team firm no legal basis for use

Use of open source information (e.g. data mining of socialmedia)

Use of informants / undercover police

Remote searches (e.g. use of computer in Ireland to accessinformation held in cloud elsewhere)

Cf. s.48, Criminal Justice (Theft and Fraud Offences) Act, 2001


22/40


23/40

Prior judicial authorisationrequired?

Interception ofcommunications

No. Ministerial warrant only.

Data retention No. Internal authorisation only.

Surveillancedevices (covertbugs, cameras)

Yes.

(Except in cases of urgency.)

Tracking devices No. Internal authorisation only.


24/40

Notification aftersurveillance?


No.

Data retention No.


No.

(S.10(3) permits regulations for notification but these were

never made.)

Tracking devices No.

(S.10(3) permits regulations for notification but these werenever made.)


25/40

Protection for journalistssources?


No.

Data retention No.


No.



26/40

Protection for legalprivilege?


No.

Data retention No.


Yes.

(Only prohibits surveillance primarily targeting privileged

communications s.5(4))

Tracking devices N/A.


27/40

Protection forparliamentarians?


No.

Data retention No.


No.



28/40
https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/


29/40

Judicialoversight?

Two separate designatedjudge roles

Intercept/data retention

Surveillance & tracking

devices One produces detailed

reports with statistics andassessments of practice

The other, identical one-

page reports Both are part-time jobs of

busy judges with nospecialist support

See Digital Rights Ireland, Surveillance Library
https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/


30/40


31/40

Other surveillanceoversight?

Data Protection Commissioner audit of An Garda Sochna(March 2014)

Examined access to retained communications data

Identified misuse of 2011 Act Wrongfully used to make access requests to technology

companies not covered by it

Data access being made by junior garda and retrospectivelyrubberstamped by Chief Superintendent

Once-off audit no continuous supervision
http://www.garda.ie/Documents/User/An%20Garda%20S%C3%ADoch%C3%A1na%20ODPC%20Report%20Final.pdfhttp://www.garda.ie/Documents/User/An%20Garda%20S%C3%ADoch%C3%A1na%20ODPC%20Report%20Final.pdfhttp://www.garda.ie/Documents/User/An%20Garda%20S%C3%ADoch%C3%A1na%20ODPC%20Report%20Final.pdf


32/40

Remedies?

Complaints Referee

Circuit Court judge

Investigates complaints in inquisitorial manner

Can direct payment of compensation

(Capped at 5,000 for surveillance and tracking devices)

May conceal finding of breach if in public interest to do so

No successful complaint to date

Complaint to Data Protection Commissioner

Subject to national security exclusion

Ordinary civil actions


33/40

Factors promotingreform?


34/40

Some media pressure forsource protection


35/40

Technology firms seekingchange to Irish law


36/40

Data retention litigationcontinues

Digital Rights Ireland continues before the High Court inrelation to domestic law

Davis & Watson will provide guidance on application of CFRto national data retention laws

AGs Opinion due 19 July
http://curia.europa.eu/juris/liste.jsf?num=C-698/15http://curia.europa.eu/juris/liste.jsf?num=C-698/15http://curia.europa.eu/juris/liste.jsf?num=C-698/15


37/40


38/40

What should reform looklike? Preliminary thoughts

Abolition of generalised data retention

Independent judicial authorisation of surveillance measures,applying proportionality test

Notification provisions introduced Stored communications given same protection as those in

transit

Designated judge roles merged into a judicially chairedoversight body with specialist expertise

Oversight extended to downstream use (especially sharing)of surveillance information

Greater cooperation between surveillance oversight bodyand DPC


39/40

Background reading

T.J. McIntyre, Judicial Oversight of Surveillance: The Caseof Ireland in Comparative Perspective, inJudges asGuardians of Constitutionalism and Human Rights, ed. MartinScheinin, Helle Krunke, and Marina Aksenova (Cheltenham:Edward Elgar, 2016).

T.J. McIntyre, Implementing Information Privacy Rights inIreland, in Implementing Human Rights in Ireland, ed.Suzanne Egan (Dublin: Bloomsbury Academic, 2015).

T.J. McIntyre and Alexandrine Pirlot de Corbion, The Right

to Privacy in Ireland: Stakeholder Report for the UniversalPeriodic Review 25th Session (Privacy International andDigital Rights Ireland, 2015)
http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206https://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttp://ssrn.com/abstract=2701206http://ssrn.com/abstract=2694512


40/40

Thank youQuestions or comments?DigitalRights.ie | TJMcIntyre.com | @TJMcIntyre

The New European Law of Surveillance - Implications for Ireland as a Data Hub

Documents

Transcript of The New European Law of Surveillance - Implications for Ireland as a Data Hub