The New European Law of Surveillance - Implications for Ireland as a Data Hub
Transcript of The New European Law of Surveillance - Implications for Ireland as a Data Hub
7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub
The New European Law of Surveillance: Implications for Ireland as a Data Hub
Dr TJ McIntyre, Digital Rights Ireland and UCD Sutherland School of Law
ICEL, Dublin, 1 July 2016
Outline
After Snowden, we can see the emergence of a new European law of surveillance in cases such as Digital Rights Ireland, Schrems and Zakharov
Ireland has become a key location for data storage but Irish laws have not kept pace with European developments
This talk will discuss the state of Irish law and implications for privacy rights of users worldwide
CC BY-SA 2.0 Brian Robert Marshall
http://www.geograph.org.uk/profile/7420
Significance of Ireland?
EMEA headquarters/key offices/data centres of many internet firms
Google, Facebook, Yahoo, LinkedIn, Microsoft, Twitter, Apple
Increasingly so following collapse of Safe Harbor (and also Brexit?)
Irish law affects 100s of millions of users worldwide
Image from Newenham, ed., Silicon Docks (2015)
http://www.libertiespress.com/shop/silicon-docks-the-rise-of-dublin-as-a-global-tech-hub
http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768
Quite by accident, Ireland has become a central if reluctant participant in the international surveillance debate
http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768
Where are surveillance standards adjudicated?
What do those surveillance standards require?
Foreseeability, controls on downstream use, deletion
Weber and Saravia v. Germany (2006)
In its case-law on secret measures of surveillance, the Court has developed the following minimum safeguards that should be set out in statute law in order to avoid abuses of power:
the nature of the offences which may give rise to an interception order;
a definition of the categories of people liable to have their telephones tapped;
a limit on the duration of telephone tapping;
the procedure to be followed for examining, using and storing the data obtained;
the precautions to be taken when communicating the data to other parties;
and the circumstances in which recordings may or must be erased or the tapes destroyed.
http://hudoc.echr.coe.int/eng?i=001-76586
Adequate and effective guarantees against abuse, including remedies for abuse
Uzun v. Germany (2010)
Adequate and effective guarantees against abuse determined by:
all the circumstances of the case, such as the nature, scope and duration of the possible measures, the grounds required for ordering them, the authorities competent to permit, carry out and supervise them, and the kind of remedy provided by the national law
Case C-362/14 Schrems (2015)
Likewise, legislation not providing for any possibility for an individual to pursue legal remedies in order to have access to personal data relating to him, or to obtain the rectification or erasure of such data, does not respect the essence of the fundamental right to effective judicial protection, as enshrined in Article 47 of the Charter.
http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-100293&filename=001-100293.pdf
http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518
Possibility of notification after surveillance
Klass v. Germany (1978)
Notification is strongly desirable: there is in principle little scope for recourse to the courts unless the individual is advised of the measures taken without his knowledge and thus able retrospectively to challenge their legality.
Association for European Integration and Human Rights and Ekimdzhiev v. Bulgaria (2007)
as soon as notification can be made without jeopardising the purpose of the surveillance after its termination, information should be provided to the persons concerned
National laws contrary to Article 8 & Article 13 (right to effective remedy) where they didn't provide for notification and expressly prohibited any disclosure of information whether a person subject to surveillance
http://hudoc.echr.coe.int/eng?i=001-57510
http://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdf
Possibility of notification after surveillance
Zakharov v. Russia (2015)
The fact that persons concerned by secret surveillance measures are not subsequently notified once surveillance has ceased cannot by itself warrant the conclusion that the interference was not necessary in a democratic society, as it is the very absence of knowledge of surveillance which ensures the efficacy of the interference.
As soon as notification can be carried out without jeopardising the purpose of the restriction after the termination of the surveillance measure, information should, however, be provided to the persons concerned.
Availability of an inquisitorial remedy may suffice as an alternative (citing Kennedy v. UK)
http://hudoc.echr.coe.int/eng?i=001-159324
http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-98473&filename=001-98473.pdf
Judicial authorisation/oversight
Klass v. Germany (1978)
Judicial authorisation and supervision preferable
Other supervisory bodies permissible if independent of the authorities carrying out the surveillance, objective and vested with sufficient powers and competence to exercise an effective and continuous control
Kennedy v. United Kingdom (2010)
Accepted executive (ministerial) authorisation of phone tapping where the totality of the oversight system provided adequate safeguards against abuse.
Significant that the Investigatory Powers Tribunal system was available to any person and could provide a remedy based on an inquisitorial system
http://hudoc.echr.coe.int/eng?i=001-57510
http://hudoc.echr.coe.int/eng?i=001-98473
Judicial authorisation/oversight
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland and Seitlinger (2014)
Data Retention Directive invalid as, inter alia,
Above all, the access is not made dependent on a prior review carried out by a court or by an independent administrative body whose decision seeks to limit access to the data and their use to what is strictly necessary for the purpose of attaining the objective pursued and which intervenes following a reasoned request of those authorities
Szabo & Vissy v. Hungary (2016)
Rejects political authorisation in cases of mass surveillance:
Given that the scope of the measures could include virtually anyone, that the ordering is taking place entirely within the realm of the executive and without an assessment of strict necessity, that new technologies enable the Government to intercept masses of data easily concerning even persons outside the original range of operation, and given the absence of any effective remedial measures, let alone judicial ones, the Court concludes that there has been a violation
http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484
http://hudoc.echr.coe.int/eng?i=001-160020
Direct access to networks is disfavoured
Zakharov v. Russia (2015)
the requirement to show an interception authorisation to the communications service provider before obtaining access is one of the important safeguards against abuse by the law-enforcement authorities
a system, such as the Russian one, which enables the secret services and the police to intercept directly the communications of each and every citizen without requiring them to show an interception authorisation to the communications service provider, or to anyone else, is particularly prone to abuse.
http://hudoc.echr.coe.int/eng?i=001-159324
Protection of journalists' sources
Telegraaf Media v. Netherlands (2013)
Surveillance (seizure of records) to identify journalist sources requires prior review by an independent body with the power to prevent or terminate it
review post factum, whether by the Supervisory Board, the Committee on the Intelligence and Security Services of the Lower House of Parliament or the National Ombudsman, cannot restore the confidentiality of journalistic sources once it is destroyed.
The Court thus finds that the law did not provide safeguards appropriate to the use of powers of surveillance against journalists with a view to discovering their journalistic sources. There has therefore been a violation of Articles 8 and 10 of the Convention.
http://hudoc.echr.coe.int/eng?i=001-114439
Restrictions on bulk collection
Weber & Saravia v. Germany (2006)
Strategic monitoring acceptable subject to adequate safeguards against abuse
Case C-362/14 Schrems (2015)
legislation permitting the public authorities to have access on a generalised basis to the content of electronic communications must be regarded as compromising the essence of the fundamental right to respect for private life, as guaranteed by Article 7 of the Charter
Szabo & Vissy v. Hungary (2016)
Expresses serious concern about indiscriminate capturing of vast amounts of communications.
http://hudoc.echr.coe.int/eng?i=001-76586
http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518
http://hudoc.echr.coe.int/eng?i=001-160020
Does Irish law meet those standards?
Context: No separate intelligence agency
National security is primarily a police responsibility
Blurred lines between criminal and national security investigation
E.g. dissident republican fundraising
No general legislative basis for intelligence gathering / sharing with other states
Police force is responsible only to Minister, not Policing Authority, in relation to security services
Data protection law including role of DPC does not apply to personal data which Minister certifies is kept for the purpose of safeguarding the security of the State
No parliamentary oversight of intelligence
Four types of surveillance regulated:
1. Interception of communications
Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
Limited to authorised undertakings: essentially, traditional telecoms providers
2. Data Retention
Communications (Retention of Data) Act 2011
3. Surveillance devices (covert bugs, cameras)
Criminal Justice Surveillance Act 2009
4. Tracking devices (GPS trackers on cars, containers)
Criminal Justice Surveillance Act 2009
Not regulated by statute:
Access to stored communications (e.g. webmail)
Use of malware (government Trojans)
Irish Defence Forces recently attempted to purchase malware from Hacking Team firm; no legal basis for use
Use of open source information (e.g. data mining of social media)
Use of informants / undercover police
Remote searches (e.g. use of computer in Ireland to access information held in cloud elsewhere)
Cf. s.48, Criminal Justice (Theft and Fraud Offences) Act, 2001
Prior judicial authorisation required?
Interception of communications: No. Ministerial warrant only.
Data retention: No. Internal authorisation only.
Surveillance devices (covert bugs, cameras): Yes. (Except in cases of urgency.)
Tracking devices: No. Internal authorisation only.
Notification after surveillance?
Interception of communications: No.
Data retention: No.
Surveillance devices (covert bugs, cameras): No. (S.10(3) permits regulations for notification but these were never made.)
Tracking devices: No. (S.10(3) permits regulations for notification but these were never made.)
Protection for journalists' sources?
Interception of communications: No.
Data retention: No.
Surveillance devices (covert bugs, cameras): No.
Tracking devices: No.
Protection for legal privilege?
Interception of communications: No.
Data retention: No.
Surveillance devices (covert bugs, cameras): Yes. (Only prohibits surveillance primarily targeting privileged communications - s.5(4))
Tracking devices: N/A.
Protection for parliamentarians?
Interception of communications: No.
Data retention: No.
Surveillance devices (covert bugs, cameras): No.
Tracking devices: No.
https://www.digitalrights.ie/irish-surveillance-documents/
Judicial oversight?
Two separate designated judge roles
Intercept/data retention
Surveillance & tracking devices
One produces detailed reports with statistics and assessments of practice
The other, identical one-page reports
Both are part-time jobs of busy judges with no specialist support
See Digital Rights Ireland, Surveillance Library
https://www.digitalrights.ie/irish-surveillance-documents/
Other surveillance oversight?
Data Protection Commissioner audit of An Garda Síochána (March 2014)
Examined access to retained communications data
Identified misuse of 2011 Act
Wrongfully used to make access requests to technology companies not covered by it
Data access being made by junior garda and retrospectively rubberstamped by Chief Superintendent
Once-off audit; no continuous supervision
http://www.garda.ie/Documents/User/An%20Garda%20S%C3%ADoch%C3%A1na%20ODPC%20Report%20Final.pdf
Remedies?
Complaints Referee
Circuit Court judge
Investigates complaints in inquisitorial manner
Can direct payment of compensation
(Capped at €5,000 for surveillance and tracking devices)
May conceal finding of breach if in public interest to do so
No successful complaint to date
Complaint to Data Protection Commissioner
Subject to national security exclusion
Ordinary civil actions
Factors promoting reform?
Some media pressure for source protection
Technology firms seeking change to Irish law
Data retention litigation continues
Digital Rights Ireland continues before the High Court in relation to domestic law
Davis & Watson will provide guidance on application of CFR to national data retention laws
AG's Opinion due 19 July
http://curia.europa.eu/juris/liste.jsf?num=C-698/15
What should reform look like? Preliminary thoughts
Abolition of generalised data retention
Independent judicial authorisation of surveillance measures, applying proportionality test
Notification provisions introduced
Stored communications given same protection as those in transit
Designated judge roles merged into a judicially chaired oversight body with specialist expertise
Oversight extended to downstream use (especially sharing) of surveillance information
Greater cooperation between surveillance oversight body and DPC
Background reading
T.J. McIntyre, "Judicial Oversight of Surveillance: The Case of Ireland in Comparative Perspective", in Judges as Guardians of Constitutionalism and Human Rights, ed. Martin Scheinin, Helle Krunke, and Marina Aksenova (Cheltenham: Edward Elgar, 2016).
T.J. McIntyre, "Implementing Information Privacy Rights in Ireland", in Implementing Human Rights in Ireland, ed. Suzanne Egan (Dublin: Bloomsbury Academic, 2015).
T.J. McIntyre and Alexandrine Pirlot de Corbion, "The Right to Privacy in Ireland: Stakeholder Report for the Universal Periodic Review 25th Session" (Privacy International and Digital Rights Ireland, 2015)
http://ssrn.com/abstract=2694512
http://ssrn.com/abstract=2701206
https://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdf
Thank you
Questions or comments?
DigitalRights.ie | TJMcIntyre.com | @TJMcIntyre