Although there is not an express reference to a right to privacy in the Irish Constitution, the Supreme Court has ruled an individual may invoke the personal rights provision in Article 40.3.1 to establish an implied right to privacy.[1493] This article provides that "The State guarantees in its laws to respect, and, as far as practicable, by its laws to defend and vindicate the personal rights of the citizens." It was first used to establish an implied constitutional right in the case of McGee v. Attorney General,[1494] which recognized the right to marital privacy. This case has been followed by others such as Norris v. Attorney General[1495] and Kennedy and Arnold v. Ireland.[1496] In the latter case the Supreme Court ruled that the illegal wiretapping of two journalists was a violation of the constitution, stating:
The right to privacy is one of the fundamental personal rights of the citizen which flow from the Christian and democratic nature of the State.... The nature of the right to privacy is such that it must ensure the dignity and freedom of the individual in a democratic society. This can not be insured if his private communications, whether written or telephonic, are deliberately and unjustifiably interfered with.[1497]
In 1988, the Data Protection Act was passed in order to implement the 1981 Council of Europe Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data. The Act regulates the collection, processing, keeping, use and disclosure of personal information processed by both the private and public sectors, but it only covers information that is automatically processed. Individuals have a right to access and correct inaccurate information. Information can only be used for specified and lawful purposes and cannot be improperly used or disclosed. Additional protections can be ordered for sensitive data. Criminal penalties can be imposed for violations. There are broad exemptions for national security, tax, and criminal purposes. Misuse of data is also criminalized by the Criminal Damage Act 1991.
As a member of the European Union, Ireland should have amended this Act and extended its scope in order to implement the European Data Protection Directive by October 1, 1998. In January 2000, the European Commission initiated a case before the European Court of Justice against Ireland and four other countries for failure to implement the Directive on time.[1498] In December 2001, certain provisions of the Directive were implemented with the introduction of the European Communities (Data Protection) Regulations, 2001. The regulations took effect in April 2002 and govern the transfer of personal information to third countries (i.e. non European Economic Area countries). The Data Protection (Amendment) Bill was finally published in February 2002 to will implement the remaining provisions of the Directive. It was first approved by the Seanad (the Senate) in May 2002 and later by the Dáil (the House of Representatives). On April 10, 2003, the President signed the Data Protection (Amendment) Act, which now "give[s] effect to the EU Data Protection Directive."[1499]
The bill amends the existing law in several ways.[1500] It extends protection to manual as well as automated files. It broadens the definition of "processing." It improves the rights of individuals in the areas of notice, access and consent. It clarifies, and in some cases increases, the responsibilities of data controllers. It provides additional protection for "sensitive" data, defined as information relating to: racial or ethic origin; political opinions; religious or philosophical belief; trade union membership; physical or mental health; sexual life; the commission or alleged commission of an offence and any proceedings arising there-from. It requires the registration of every data controller, unless specifically exempted under regulations issued by the Data Protection Commissioner. It increases the powers of the DPC to ensure compliance with the Act and to issue Codes of Practice. Finally, it creates specific exemptions for "journalistic, artistic, or literary" processing.
The office of the Data Protection Commissioner oversees the enforcement of data protection laws. The Commissioner has powers to investigate complaints, prosecute offenders, sponsor codes of practice, and supervise the registration process.[1501] The number of complaints received by the Commission has steadily increased since its inception. In 2002, the Commission received 295 complaints, up from 171 in 2001.[1502] Of the 2001 complaints, 35 percent were upheld, 33 percent were rejected and 32 percent were resolved informally.[1503] Examples of complaints during 2002, include: scorn against automated calls from political parties and candidates that the Commissioner found to be akin to direct marketing; fear that police were obtaining and keeping inappropriate personal data and not providing access to data subjects; and concern that heath authorities were requesting medical personnel to turnover the personal information of those seeking tuberculosis drugs. The Commissioner has also initiated many investigations into improper data practices on his own; among these are investigations into: MBNA Bank and Eircom (Ireland's leading communications company) for directing marketing practices; Ryanair (an airline company) for abusive credit card practices and disclosure on national radio of a named passenger; and Concern (amajor charitable organization) for disclosure, without consent, of donors' details to a financial institution.
The number of data controllers registered rose to 3,100 during 2001. In January 2001, the Data Protection Commissioner issued regulations[1504] requiring all telecommunications companies and Internet service providers to register with his office.[1505] This was the first time the Commissioner had exercised his power to create additional categories of operators required to register.
In addition to investigations and regulations, the Commissioner's has issued public criticism of poor data practices. Most notably in November 2001, the Commissioner began an investigation into Irish mobile phone operators Eircell and Digifone, when it was revealed that they were holding customer "locator records" for more than six years, stating that they believed they were required to do so under the law.[1506] Also in 2001, the Commissioner criticized members of the legal profession for their low level of compliance with the registration requirement.[1507] In July 2002, the Commissioner issued a public warning concerning a United Kingdom based company masquerading as an official registration service for Irish data controllers.[1508] In May 2003, the Data Protection Commissioner threatened to initiate charges against the Irish government in the High Court "for using an 'invalid' Ministerial Direction to unconstitutionally store citizens' phone, fax and mobile phone data."[1509]
No codes of practice have been issued under the Data Protection Act. Whereas under the 1988 Act the Commissioner only had the power to approve codes drawn up by trade associations, the latest Data Protection (Amendment) Bill gives the Commissioner the power to propose and prepare codes. In 2001, the Commissioner noted in his annual report that a code of practice for the health sector was needed.[1510]
In May 2002, the European Communities (Data Protection and Privacy in Telecommunications) Regulations were signed into law.[1511] These regulations give effect to EU Directive 1997/66, which concerns data protection in the telecommunications sector. However, in five years, Directive 1997/66 was superceded by Directive 2002/58, which applies the principles of the general data protection Directive, 1995/46, to the communications sector.[1512] The new Directive is scheduled to be implemented by October 31, 2003.
In 1998, the Government passed the Social Welfare Act which creates a unique personal identification number for use in dealing with public agencies. The Personal Public Service Number (PPSN) replaced the "Revenue and Social Insurance" (RSI) number, which for years, was used for social welfare and tax purposes only. The PPSN will eventually be used as a unique personal identifier in all communications between an individual and specified State Agencies. The Act allows for the exchange of personal data between these bodies in certain circumstances, and its provisions are expressly exempt from the Data Protection Act. The only privacy safeguard laid down by the Act is a provision making it an offence for anyone other than a State agency to attempt to obtain an individual's PPSN. The Data Protection Commissioner criticized this scheme while it was being debated, stating that "the proposed sharing of personal data, obtained and kept by legally separate entities, for such diverse purposes is fundamentally incompatible with...the basic tenets of data protection law."[1513]
The development of the PPSN is part of a much larger project to modernize public services and develop a fully functioning e-Government. In 1999, an independent government agency, known as Reach, was established by Government order to oversee this project. Reach is charged with building a central Public Service Broker, which is intended to facilitate transactions between individuals and Public Service Agencies. Personal data about citizens will be held in secure vaults and be released to public agencies in the course of particular transactions. Apart from the normal categories of information required for most services, individuals may chose to store additional data in these vaults for example, birth and marriage certificates, details of income or other means, digital photographs, credit card details, passport details, car registration and insurance details. Data in the system will be updated directly by individuals or by an agent acting on their behalf. Access will be limited to the individual customer or to authorized public servants in the course of a specific transaction. A Public Services Card is being developed as an individual's key to access his/her personal data and the connected public services. The card will display the cardholder's name, signature and PPSN. For basic transactions, the card, along with a personal identification number, will be enough to guarantee access. Technology to protect higher sensitivity transactions has not yet been chosen but may be based on a Public Key Infrastructure (PKI). [1514] The Data Protection Commissioner is in close consultation with Reach concerning the privacy and security implications of this system.
In 2003, the Data Protection Commissioner expressed concern that while "[a] Public Awareness Survey...revealed that people regarded protection of personal privacy as being very important," many people "[were] not fully aware of [their privacy rights]."[1515] The study, which surveyed 1,200 Irish people, found that "people's anxieties about intrusions into their privacy have increased [since a similar study in 1997]."[1516]
Ireland is recognized as having the most modern copyright and electronic signature laws in Europe.[1517] In July 2000, the E-Commerce Act was implemented, granting legal recognition to e-signatures, e-writings and e-contracts. The Copyright and Related Rights Act, which permits surprise searches and enacts stiff penalties against software theft, came into force in November 2000. Ireland's implementation of the European Union's E-Commerce Directive makes it one of the only European countries to place the burden of opting out of 'spam' on the consumer.[1518] This legislation has enabled Ireland to promote itself as an attractive e-commerce location, however, it may now need to be amended to comply with the new Telecommunications Privacy Directive.[1519]
Wiretapping and electronic surveillance is regulated under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act.[1520] The Act followed a 1987 decision of the Supreme Court ruling that wiretaps of journalists violated the constitution (see above). In October 2001, the Taoiseach (Prime Minister) publicly apologized on behalf of the State to three journalists whose phones were tapped during the 1980s as part of an effort to control leaks from the Government. The Taoiseach apologized for "the inappropriate invasion of their privacy and interference by the State with their role as journalists."[1521] In its June 1998 Report on "Privacy, Surveillance and the Interception of Communications," the Law Reform Commission recommended legislation to make illegal the invasion of a person's privacy through secret filming, taping and eavesdropping and the publication of information received from such surveillance.
The issue of employee monitoring is also causing growing concern in Ireland. In March 2002, Amarach Consulting released a survey finding that one in four employees say that their use of the Internet in the workplace is monitored or restricted.[1522] In 2000, the Manufacturing, Science and Finance Union (MSF) recently called for national and European Union legislation to limit the use of electronic surveillance in the workplace.[1523]
In September 2002, the British, Irish, Guernsey, Jersey and Isle of Man data protection authorities hosted the 24th International Conference of Data Protection and Privacy Commissioners was hosted by in Cardiff, Wales.[1524]
The Freedom of Information Act was approved in 1997 and went into effect in April 1997.[1525] The act creates a presumption that the public can access documents created by government agencies and requires that government agencies make internal information on their rules and activities available. The Office of the Information Commissioner enforces the act. On April 11, 2003, the government passed a series of restrictive amendments to the Freedom of Information Act.[1526] The amending legislation was widely criticized by the opposition, press and, indirectly, by the Ombudsman. The amendments resulted in more central control over information and the restriction of all information, instead of just a subset. Specifically, the amendment: doubled the time-restriction on government records, regardless of content; introduced processing fees on information requests under the Act; broadened the definition of "government" under the Act; increased government exemptions to information requests; and granted ministers the ability to suppress information release, without appeal, by another ministry or public body. However, in the same year, the government endorsed Emily O'Reilly as the next Ombudsman and Information Commissioner, an outspoken critic of the recent amendments to the Freedom of Information Act. [1527] Ms. O'Reilly, a well-respected journalist, would be the first replacement commissioner since the office was created.[1528]
Ireland is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108).[1529] It has also signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[1530] However, unlike every other European signatory country, Ireland has not incorporated this Convention into national law. In February 2002, Ireland signed the Council of Europe Convention on Cybercrime.[1531] Ireland is also a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.