The New European Law of Surveillance - Implications for Ireland as a Data Hub

download The New European Law of Surveillance - Implications for Ireland as a Data Hub

of 40

Transcript of The New European Law of Surveillance - Implications for Ireland as a Data Hub

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    1/40

    The New European Law ofSurveillance: Implications forIreland as a Data HubDr TJ McIntyre, Digital Rights Ireland and

    UCD Sutherland School of Law

    ICEL, Dublin, 1 July 2016

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    2/40

    Outline

    After Snowden, we can seethe emergence of a newEuropean law of surveillancein cases such as Digital RightsIreland, Schrems and Zakharov

    Ireland has become a keylocation for data storage but Irish laws have not keptpace with Europeandevelopments

    This talk will discuss the stateof Irish law and implicationsfor privacy rights of usersworldwide

    CC BY-SA 2.0 Brian Robert Marshall

    http://www.geograph.org.uk/profile/7420http://www.geograph.org.uk/profile/7420
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    3/40

    Significanceof Ireland?

    EMEA headquarters/keyoffices/data centres ofmany internet firms

    Google, Facebook,

    Yahoo, LinkedIn,Microsoft, Twitter, Apple

    Increasingly so followingcollapse of Safe Harbor(and also Brexit?)

    Irish law affects 100s ofmillions of usersworldwide

    Image from Newenham, ed., Silicon Docks (2015)

    http://www.libertiespress.com/shop/silicon-docks-the-rise-of-dublin-as-a-global-tech-hubhttp://www.libertiespress.com/shop/silicon-docks-the-rise-of-dublin-as-a-global-tech-hub
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    4/40

    http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    5/40

    Quite by accident,

    Ireland has becomea central if reluctantparticipant in theinternationalsurveillance debate

    http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768http://www.irishtimes.com/business/technology/government-files-supporting-brief-for-microsoft-in-us-case-1.2047768
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    6/40

    Where aresurveillancestandardsadjudicated?

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    7/40

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    8/40

    What do thosesurveillancestandards require?

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    9/40

    Foreseeability, controls ondownstream use, deletion

    Weber and Saravia v. Germany (2006)

    In its case-law on secret measures of surveillance, the Courthas developed the following minimum safeguards that shouldbe set out in statute law in order to avoid abuses of power:

    the nature of the offences which may give rise to an interceptionorder;

    a definition of the categories of people liable to have theirtelephones tapped;

    a limit on the duration of telephone tapping;

    the procedure to be followed for examining, using and storing the

    data obtained; the precautions to be taken when communicating the data to

    other parties;

    and the circumstances in which recordings may or must be erasedor the tapes destroyed.

    http://hudoc.echr.coe.int/eng?i=001-76586http://hudoc.echr.coe.int/eng?i=001-76586http://hudoc.echr.coe.int/eng?i=001-76586
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    10/40

    Adequate and effectiveguarantees against abuse,including remedies for abuse

    Uzun v. Germany (2010)

    Adequate and effective guarantees against abusedetermined by:

    all the circumstances of the case, such as the nature, scope andduration of the possible measures, the grounds required forordering them, the authorities competent to permit, carry out andsupervise them, and the kind of remedy provided by the nationallaw

    Case C-362/14 Schrems (2015)

    Likewise, legislation not providing for any possibility for anindividual to pursue legal remedies in order to have access topersonal data relating to him, or to obtain the rectification orerasure of such data, does not respect the essence of thefundamental right to effective judicial protection, as enshrinedin Article 47 of the Charter.

    http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-100293&filename=001-100293.pdfhttp://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-100293&filename=001-100293.pdfhttp://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-100293&filename=001-100293.pdf
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    11/40

    Possibility of notificationafter surveillance

    Klass v. Germany (1978)

    Notification is strongly desirable: there is in principle littlescope for recourse to the courts unless the individual isadvised of the measures taken without his knowledge and thus

    able retrospectively to challenge their legality.

    Association for European Integration and Human Rights andEkimdzhiev v. Bulgaria (2007)

    as soon as notification can be made without jeopardising thepurpose of the surveillance after its termination, information

    should be provided to the persons concerned National laws contrary to Article 8 & Article 13 (right to

    effective remedy) where they didnt provide for notificationand expressly prohibited any disclosure of informationwhether a person subject to surveillance

    http://hudoc.echr.coe.int/eng?i=001-57510http://hudoc.echr.coe.int/eng?i=001-57510http://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://www1.umn.edu/humanrts/research/bulgaria/AEIHR_M_Ekimdjiev_en1.pdfhttp://hudoc.echr.coe.int/eng?i=001-57510
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    12/40

    Possibility of notificationafter surveillance

    Zakharov v. Russia (2015)

    The fact that persons concerned by secret surveillancemeasures are not subsequently notified once surveillance hasceased cannot by itself warrant the conclusion that the

    interference was not necessary in a democratic society, as itis the very absence of knowledge of surveillance which ensuresthe efficacy of the interference.

    As soon as notification can be carried out withoutjeopardising the purpose of the restriction after thetermination of the surveillance measure, information should,

    however, be provided to the persons concerned. Availability of an inquisitorial remedy may suffice as an

    alternative (citing Kennedy v. UK)

    http://hudoc.echr.coe.int/eng?i=001-159324http://hudoc.echr.coe.int/eng?i=001-159324http://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-98473&filename=001-98473.pdfhttp://hudoc.echr.coe.int/app/conversion/pdf/?library=ECHR&id=001-98473&filename=001-98473.pdfhttp://hudoc.echr.coe.int/eng?i=001-159324
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    13/40

    Judicialauthorisation/oversight

    Klass v. Germany (1978)

    Judicial authorisation and supervision preferable

    Other supervisory bodies permissible if independent of theauthorities carrying out the surveillance, objective and

    vested with sufficient powers and competence to exercise aneffective and continuous control

    Kennedy v. United Kingdom (2010)

    Accepted executive (ministerial) authorisation of phonetapping where the totality of the oversight system provided

    adequate safeguards against abuse.

    Significant that the Investigatory Powers Tribunal system wasavailable to any person and could provide a remedy based onan inquisitorial system

    http://hudoc.echr.coe.int/eng?i=001-57510http://hudoc.echr.coe.int/eng?i=001-57510http://hudoc.echr.coe.int/eng?i=001-98473http://hudoc.echr.coe.int/eng?i=001-98473http://hudoc.echr.coe.int/eng?i=001-98473http://hudoc.echr.coe.int/eng?i=001-57510
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    14/40

    Judicialauthorisation/oversight

    Joined Cases C-293/12 and C-594/12 Digital Rights Irelandand Seitlinger(2014)

    Data Retention Directive invalid as, inter alia,

    Above all, the access is not made dependent on a prior review carriedout by a court or by an independent administrative body whose decisionseeks to limit access to the data and their use to what is strictly necessaryfor the purpose of attaining the objective pursued and which intervenesfollowing a reasoned request of those authorities

    Szabo & Vissy v. Hungary (2016)

    Rejects political authorisation in cases of mass surveillance:

    Given that the scope of the measures could include virtually anyone,that the ordering is taking place entirely within the realm of theexecutive and without an assessment of strict necessity, that newtechnologies enable the Government to intercept masses of dataeasily concerning even persons outside the original range of operation,and given the absence of any effective remedial measures, let alonejudicial ones, the Court concludes that there has been a violation

    http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964484
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    15/40

    Direct access to networks isdisfavoured

    Zakharov v. Russia (2015)

    the requirement to show an interception authorisation tothe communications service provider before obtainingaccess is one of the important safeguards against abuseby the law-enforcement authorities

    a system, such as the Russian one, which enables thesecret services and the police to intercept directly thecommunications of each and every citizen without requiringthem to show an interception authorisation to thecommunications service provider, or to anyone else, isparticularly prone to abuse.

    http://hudoc.echr.coe.int/eng?i=001-159324http://hudoc.echr.coe.int/eng?i=001-159324http://hudoc.echr.coe.int/eng?i=001-159324
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    16/40

    Protection of journalistssources

    Telegraaf Media v. Netherlands (2013)

    Surveillance (seizure of records) to identify journalist sourcesrequires prior review by an independent body with the powerto prevent or terminate it

    review post factum, whether by the Supervisory Board, theCommittee on the Intelligence and Security Services of theLower House of Parliament or the National Ombudsman,cannot restore the confidentiality of journalistic sources once itis destroyed.

    The Court thus finds that the law did not provide safeguards

    appropriate to the use of powers of surveillance againstjournalists with a view to discovering their journalistic sources.There has therefore been a violation of Articles 8 and 10 of theConvention.

    http://hudoc.echr.coe.int/eng?i=001-114439http://hudoc.echr.coe.int/eng?i=001-114439http://hudoc.echr.coe.int/eng?i=001-114439
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    17/40

    Restrictions on bulkcollection

    Weber & Saravia v. Germany (2006)

    Strategic monitoring acceptable subject to adequatesafeguards against abuse

    Case C-362/14 Schrems (2015) legislation permitting the public authorities to have access on

    a generalised basis to the content of electroniccommunications must be regarded as compromising theessence of the fundamental right to respect for private life, asguaranteed by Article 7 of the Charter

    Szabo & Vissy v. Hungary (2016)

    Expresses serious concern about indiscriminate capturingof vast amounts of communications.

    http://hudoc.echr.coe.int/eng?i=001-76586http://hudoc.echr.coe.int/eng?i=001-76586http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://hudoc.echr.coe.int/eng?i=001-160020http://curia.europa.eu/juris/document/document.jsf?text=&docid=169195&pageIndex=0&doclang=en&mode=lst&dir=&occ=first&part=1&cid=964518http://hudoc.echr.coe.int/eng?i=001-76586
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    18/40

    Does Irish law meetthose standards?

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    19/40

    Context: No separateintelligence agency

    National security is primarily a police responsibility

    Blurred lines between criminal and national securityinvestigation

    E.g. dissident republican fundraising

    No general legislative basis for intelligence gathering /sharing with other states

    Police force is responsible only to Minister, not PolicingAuthority, in relation to security services

    Data protection law including role of DPC does not applyto personal data which Minister certifies is kept for thepurpose of safeguarding the security of the State

    No parliamentary oversight of intelligence

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    20/40

    Four types of surveillanceregulated:

    1. Interception of communications

    Interception of Postal Packets and TelecommunicationsMessages (Regulation) Act 1993

    Limited to authorised undertakings essentially, traditional

    telecoms providers

    2. Data Retention

    Communications (Retention of Data) Act 2011

    3. Surveillance devices (covert bugs, cameras)

    Criminal Justice Surveillance Act 2009

    4. Tracking devices (GPS trackers on cars, containers)

    Criminal Justice Surveillance Act 2009

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    21/40

    Not regulated by statute:

    Access to stored communications (e.g. webmail)

    Use of malware (government Trojans)

    Irish Defence Forces recently attempted to purchase malware

    from Hacking Team firm no legal basis for use

    Use of open source information (e.g. data mining of socialmedia)

    Use of informants / undercover police

    Remote searches (e.g. use of computer in Ireland to accessinformation held in cloud elsewhere)

    Cf. s.48, Criminal Justice (Theft and Fraud Offences) Act, 2001

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    22/40

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    23/40

    Prior judicial authorisationrequired?

    Interception ofcommunications

    No. Ministerial warrant only.

    Data retention No. Internal authorisation only.

    Surveillancedevices (covertbugs, cameras)

    Yes.

    (Except in cases of urgency.)

    Tracking devices No. Internal authorisation only.

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    24/40

    Notification aftersurveillance?

    Interception ofcommunications

    No.

    Data retention No.

    Surveillancedevices (covertbugs, cameras)

    No.

    (S.10(3) permits regulations for notification but these were

    never made.)

    Tracking devices No.

    (S.10(3) permits regulations for notification but these werenever made.)

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    25/40

    Protection for journalistssources?

    Interception ofcommunications

    No.

    Data retention No.

    Surveillancedevices (covertbugs, cameras)

    No.

    Tracking devices No.

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    26/40

    Protection for legalprivilege?

    Interception ofcommunications

    No.

    Data retention No.

    Surveillancedevices (covertbugs, cameras)

    Yes.

    (Only prohibits surveillance primarily targeting privileged

    communications s.5(4))

    Tracking devices N/A.

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    27/40

    Protection forparliamentarians?

    Interception ofcommunications

    No.

    Data retention No.

    Surveillancedevices (covertbugs, cameras)

    No.

    Tracking devices No.

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    28/40

    https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    29/40

    Judicialoversight?

    Two separate designatedjudge roles

    Intercept/data retention

    Surveillance & tracking

    devices One produces detailed

    reports with statistics andassessments of practice

    The other, identical one-

    page reports Both are part-time jobs of

    busy judges with nospecialist support

    See Digital Rights Ireland, Surveillance Library

    https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/https://www.digitalrights.ie/irish-surveillance-documents/
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    30/40

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    31/40

    Other surveillanceoversight?

    Data Protection Commissioner audit of An Garda Sochna(March 2014)

    Examined access to retained communications data

    Identified misuse of 2011 Act Wrongfully used to make access requests to technology

    companies not covered by it

    Data access being made by junior garda and retrospectivelyrubberstamped by Chief Superintendent

    Once-off audit no continuous supervision

    http://www.garda.ie/Documents/User/An%20Garda%20S%C3%ADoch%C3%A1na%20ODPC%20Report%20Final.pdfhttp://www.garda.ie/Documents/User/An%20Garda%20S%C3%ADoch%C3%A1na%20ODPC%20Report%20Final.pdfhttp://www.garda.ie/Documents/User/An%20Garda%20S%C3%ADoch%C3%A1na%20ODPC%20Report%20Final.pdf
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    32/40

    Remedies?

    Complaints Referee

    Circuit Court judge

    Investigates complaints in inquisitorial manner

    Can direct payment of compensation

    (Capped at 5,000 for surveillance and tracking devices)

    May conceal finding of breach if in public interest to do so

    No successful complaint to date

    Complaint to Data Protection Commissioner

    Subject to national security exclusion

    Ordinary civil actions

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    33/40

    Factors promotingreform?

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    34/40

    Some media pressure forsource protection

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    35/40

    Technology firms seekingchange to Irish law

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    36/40

    Data retention litigationcontinues

    Digital Rights Ireland continues before the High Court inrelation to domestic law

    Davis & Watson will provide guidance on application of CFRto national data retention laws

    AGs Opinion due 19 July

    http://curia.europa.eu/juris/liste.jsf?num=C-698/15http://curia.europa.eu/juris/liste.jsf?num=C-698/15http://curia.europa.eu/juris/liste.jsf?num=C-698/15
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    37/40

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    38/40

    What should reform looklike? Preliminary thoughts

    Abolition of generalised data retention

    Independent judicial authorisation of surveillance measures,applying proportionality test

    Notification provisions introduced Stored communications given same protection as those in

    transit

    Designated judge roles merged into a judicially chairedoversight body with specialist expertise

    Oversight extended to downstream use (especially sharing)of surveillance information

    Greater cooperation between surveillance oversight bodyand DPC

  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    39/40

    Background reading

    T.J. McIntyre, Judicial Oversight of Surveillance: The Caseof Ireland in Comparative Perspective, inJudges asGuardians of Constitutionalism and Human Rights, ed. MartinScheinin, Helle Krunke, and Marina Aksenova (Cheltenham:Edward Elgar, 2016).

    T.J. McIntyre, Implementing Information Privacy Rights inIreland, in Implementing Human Rights in Ireland, ed.Suzanne Egan (Dublin: Bloomsbury Academic, 2015).

    T.J. McIntyre and Alexandrine Pirlot de Corbion, The Right

    to Privacy in Ireland: Stakeholder Report for the UniversalPeriodic Review 25th Session (Privacy International andDigital Rights Ireland, 2015)

    http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2694512http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206http://ssrn.com/abstract=2701206https://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttps://www.digitalrights.ie/dri/wp-content/uploads/2015/12/Ireland_UPR-Stakeholder-Submission-DRI-and-Privacy-International_FINAL.pdfhttp://ssrn.com/abstract=2701206http://ssrn.com/abstract=2694512
  • 7/25/2019 The New European Law of Surveillance - Implications for Ireland as a Data Hub

    40/40

    Thank youQuestions or comments?DigitalRights.ie | TJMcIntyre.com | @TJMcIntyre