Chapter III. Privacy topics

Internet and consumer privacy

Online copyright enforcement

The Copyright and Related Rights Act 2000 permits surprise searches and enacts stiff penalties against software theft. In 2005, a number of record companies used the provisions of the act to require Internet service providers to turn over details of customers whom the record companies believed had been involved in illegal file sharing.1 Irish ISPs refused to reveal this information to plaintiffs without a court order. The High Court ordered disclosure of identities in several cases.2 However, the court also imposed safeguards, directing that the information disclosed could only be used to seek redress for the users' alleged copyright infringement activities, and the identities of the alleged infringers could only be made public after the plaintiffs had started proceedings.3

In March 2008, some major music companies took action against Ireland's largest ISP, Eircom, demanding that it install filters to prevent users from illegally sharing or downloading music.4 Eircom replied that it was not on notice of specific illegal activity that infringed the rights of the companies and had no legal obligation to monitor traffic on its network.5 Previously, the Internet Service Providers Association of Ireland (ISPAI) had stated that it opposes any filtering of this sort.

The case was settled and did not reach judgment, with Eircom agreeing to introduce a "graduated response" approach to Internet users accused of illegal file sharing.6 Under this agreement, Eircom will be provided with IP addresses which the music industry has identified as being involved in illegal file sharing.7 Eircom will issue warnings to the respective subscriber which, if ignored, will result in disconnection for seven days. On a subsequent alleged infringement, service will be withdrawn for 12 months.

While privacy groups approve of the move away from filtering subscribers' content, they contend that this settlement is also highly problematic.8 The agreement has been described as unreliable, as the firms employed by the music companies to identify offenders have a history of being inaccurate. The agreement is also secretive, and has been labelled disproportionate and undemocratic.9 Nevertheless, the agreement was referred to the High Court to evaluate compliance with the Data Protection Acts and was approved by Mr. Justice Charleton.10 The same record companies are pursuing similar legal actions against other ISPs to force them to adopt the graduated response system.11

Identification of Internet users in civil litigation

Ireland has recently seen a number of cases in which plaintiffs seek to identify anonymous or pseudonymous Internet users – usually in the context of defamation or file sharing.12 Irish ISPs have generally taken the view that the Data Protection Acts preclude them from providing this information except in relation to a request from the Garda Síochána in the context of a criminal investigation, or as required by a court order.13

The first case to consider this issue was EMI Records (Ireland) Ltd. and others v. Eircom Ltd. and BT Communications Ireland Ltd,14 in which the plaintiffs sought to identify a number of subscribers who were alleged to be infringing copyright by uploading music. In this decision the High Court confirmed that the Norwich Pharmacal15 precedent applied and that the court had jurisdiction to order ISPs to disclose the identities of their subscribers.16

In doing so, it accepted that ISPs owed a duty of confidentiality to their subscribers but went on to hold that a balancing exercise had to be carried out against the rights of the plaintiffs and that "[t]he right to privacy or confidentiality of identity must give way where there is prima facie evidence of wrongdoing". However, it approved of the earlier decision, which held that "the remedy should be confined to cases where very clear evidence of a wrong doing exists." The court also noted that the plaintiffs did not have any other means of acquiring this information.

The court therefore ordered disclosure of the identities of the subscribers, subject to safeguards built into the order. In particular, the plaintiffs were required to undertake not to disclose those identities to the public unless and until they started proceedings, on the basis that "it may turn out that they were not in fact guilty of any wrongdoing or that the named person was not the operator at the time when any wrongdoing was in fact carried out."

EMI v. Eircom has therefore been relied upon in a number of applications to court to disclose user identities. There is, however, a significant limitation to that judgment from a privacy perspective – it does not require that the user be notified in advance. In this it differs from, e.g., the US practice outlined in Dendrite International, Inc. v John Doe No. 3,17 which requires that users should, as far as possible, be given notice of the application and a reasonable opportunity to oppose it. Consequently, there is a real risk that hearings to disclose user identities will be determined based entirely on the plaintiff's case, as there is generally no incentive for the ISP to contest such applications.18

In March 2008, the major music labels sued Ireland's largest ISP, Eircom, demanding that it install filters to prevent users from illegally sharing or downloading music.19 After initially fighting the action, Eircom settled out of court in January 2009 on the basis that it would introduce a "three strikes" system for Internet users accused of illegal file sharing, and would also block access to The Pirate Bay website.20

This agreement envisages that Eircom will be provided with IP addresses which are claimed to be involved in illegal file sharing. The subscriber will then be issued a series of warnings before ultimately being disconnected if further accusations are received.21 As with other "three strikes" systems, this agreement has been the subject of strong criticism on the basis that it jeopardises the fundamental right of Internet access. In this case, in addition, those criticisms are compounded by the fact that the system is established by a purely private agreement with no democratic or legislative basis and no judicial oversight.22

Implementation of the system was delayed after the DPC raised concerns about the processing of IP addresses and user data involved in the system. Consequently the parties applied to the High Court to rule whether the intended operation of the system was in breach of data protection law. In particular, the High Court was asked to answer a number of questions including: whether IP addresses processed by the music industry constituted "personal data"; whether processing of IP addresses by Eircom would be unwarranted; and whether the "three strikes" process would involve the use of "sensitive personal data" or would involve finding that a person had committed a criminal offence – by uploading music.

In a significant judgment the High Court answered each question in the negative, holding that: IP addresses processed on behalf of the music industry were not personal data, as the subscriber could not be identified from the IP addresses or other information held by the music industry; terminating an Internet user's subscription was a legitimate action to protect the property rights of a third party; and operating the three strikes system did not involve either determinations of criminal liability or the use of sensitive personal data.23

Following this judgment, Eircom has now begun to implement this three strikes system.24 Litigation by the music industry against other Irish ISPs is pending with a view to forcing all the major ISPs to implement similar systems.25

E-commerce

Ireland's implementation of the EU E-Commerce Directive (2000/31/EC) makes it one of the only European countries to place the burden of opting out of "spam" on the consumer.26 However, this must be considered something of an anomaly in light of the implementation of the Directive on Privacy and Electronic Communications.

Unsolicited communications are governed by the European Communities (Electronic Communications Networks and Services) (Data Protection and Privacy) Regulations 2003,27 which implement the E-Privacy Directive28 into Irish law. The regulations set out a number of rules concerning direct marketing. In particular, unsolicited communications to individuals by means of fax, email, SMS, or automated calling are prohibited unless the individual "opts in" to receiving them.29 Where the recipient of the call is a company, it may "opt out" by stating that it does not wish to receive the communications.30

In the case of unsolicited telephone calls made by human operators, persons may not be contacted if they have opted out, or if they have registered with the National Directory Database (NDD)31 that they do not wish to receive such calls.32 The regulations provide for an amended version of the NDD, which lists those unwilling to receive unsolicited telephone calls. On 21 July 2005, more than 12 months later than originally planned, the NDD became fully operational. The four mobile telephone operators in Ireland chose to opt all their customers out.33

The sanctions available for unsolicited communications were significantly enhanced by statutory instrument in 2008.34 This increased the financial penalty for offences relating to unsolicited communications, which may now be tried on indictment as well as summarily.35 The statutory instrument also allows for the prosecution of an officer of a body corporate, whether or not any action has been taken against the body corporate. It also reverses the burden of proof regarding consent by providing that the onus rests on the defendant to prove that a subscriber consented to receive a communication. In addition, each unsolicited communication now constitutes a separate offence, so that the aggregate financial penalty may be very high.

The Data Protection (Amendment) Act 2003 provides for a number of measures concerning those involved in direct marketing. Under previous data protection legislation, information garnered from sources required by law to be publicly available (such as the electoral register or companies registration information) was exempt and could, therefore, be harvested for direct marketing.36 Following the 2003 Act, an individual now has the right to object to use of this data for direct marketing purposes, and the data controller must inform the individual of this right.37

Cybersecurity

Between June and October 2007, the unencrypted personal data of about 10,000 customers of the Bank of Ireland were stolen.38 They included medical history, life insurance details, bank account details, names, and addresses.39 However, the bank did not notify the Data Protection Commissioner of the privacy breach until April 2008, ten months after the first theft, and only days before the European Data Protection Supervisor (EDPS) suggested the creation of a mandatory security breach notification system.40 By that stage, the Bank of Ireland had still not warned individual customers whose information had been lost despite the obvious potential for abuse.41

Before that event, Ireland did not have a mandatory data breach notification law, but in July 2010 the Data Protection Commissioner ("DPC") published a Personal Data Security Breach Code of Practice,42 which will not be binding until it is approved by the Oireachtas. There is as yet no Government commitment to introducing criminal sanctions for deliberate or reckless acts in relation to the data protection principles.

The code provides that where there is a data security breach, the data controller must give immediate consideration to informing those affected and that, if appropriate, other organisations should be informed, such as An Garda Síochána (the police force) and financial institutions. It states that if the data is encrypted to a high standard the data controller "may conclude that there is no risk to the data and therefore no need to inform data subjects". Data processors must report loss of control of personal data to the relevant data controller as soon as the processor becomes aware of the incident. All data security breaches should be reported to the DPC as soon as the data controller becomes aware of the incident, and at the latest within two working days of becoming aware, unless the breach affects fewer than 100 data subjects who have all been informed of the breach without delay, and the data is neither sensitive nor of a financial nature. The DPC may require a detailed report of the incident and may carry out its own investigation.

Developments at European level may overtake national laws in this area. In 2009 the e-Privacy Directive was revised to require data breach notification by telecommunications providers and Irish law will have to be amended to implement this obligation by 25 May 2011.43 A review of the Data Protection Directive is also underway at the time of writing, and it seems likely that in the revised Directive mandatory data breach reporting will be included.44

With respect to government departments and State agencies, the Government's Centre for Management and Organisation Development published guidelines on data protection in December 2008 which apply to the public service in Ireland.45 These include guidelines on data security breach management which are similar to the Code of Practice published by the DPC and which recommend immediate notification of a breach internally and to the DPC (along with An Garda Síochána if appropriate).

Online targeted advertising and search engine privacy

Nothing to report.

Online social networks and virtual communities

Nothing to report.

Online youth safety

Nothing to report.

Workplace privacy

Statutes governing the processing of genetic data and its use in testing have an impact on privacy in the workplace: the Data Protection (Processing of Genetic Data) Regulations 2007 provide that the processing of genetic data in relation to the employment of a person can only take place with the DPC's prior approval. The Disability Act 2005 also places certain restrictions on genetic testing and the use of data resulting from it. Consent to such testing must be obtained and the results cannot be used in relation to employment, insurance, pensions or housing loans.

(See more details under the "Genetic privacy" section.)

Health and genetic privacy

Health privacy

Nothing to report.

Genetic privacy

There is, at the time of writing, no statutory DNA database in Ireland although Irish law does permit the collection of genetic samples for evidential use at trial, based in part on both common law police powers and in part on the Criminal Justice (Forensic Evidence) Act 1990.46

In 2005 the Law Reform Commission published a report which recommended the establishment of a DNA database on a legislative basis.47 That report was followed by the publication of proposals for a Criminal Justice (Forensic Sampling and Evidence) Bill 2007. These proposals were, however, the subject of strong criticism from the Irish Human Rights Commission, which expressed concern over a number of features of the proposed Bill, particularly the provisions which would allow indefinite retention of samples.48

However, before those proposals could progress any further the decision of the European Court of Human Rights in S. and Marper v. UK49 intervened. That decision, which found the law on DNA collection and retention in England, Wales, and Northern Ireland to be in breach of the ECHR, forced a reconsideration of the Irish proposals, which appeared to share many of the same failings. Consequently, the 2007 proposals were not taken further. Instead, after further consideration in light of S. and Marper, a substantially revised scheme was put forward in 2010 in the Criminal Justice (Forensic Evidence and DNA Database System) Bill 2010.

This 2010 bill is before the Houses of the Oireachtas at the time of writing and, if enacted, will establish a statutory system for the collection of DNA samples, the creation of DNA profiles, and the establishment of a DNA database against which profiles can be matched. It is described as a bill which will authorise the taking of bodily samples from those suspected of certain criminal offences and those who volunteer to have such samples taken from them for the purpose of the investigation of offences, or incidents that may have involved the commission of offences.

Although a detailed consideration of the 2010 Bill is beyond the scope of this country report – and in any event would be premature as the Bill is likely to be amended in the course of being passed – it should be noted that the Bill in many ways is improved over the 2007 proposals. In particular, it reverses the earlier presumption in favour of indefinite retention, and instead establishes default periods for the destruction of samples (three years) and the deletion of profiles (ten years), except in the case of convicted offenders.

The Irish Human Rights Commission has, however, expressed some concern about aspects of the 2010 Bill,50 as such legislation obviously raises significant data protection issues. The DPC has made submissions to the Minister for Justice relating to the Bill in light of the European Court of Human Rights decision in S. and Marper v. United Kingdom.51

Outside of the law enforcement field, the Data Protection (Processing of Genetic Data) Regulations 2007 provide that the processing of genetic data in relation to the employment of a person can only take place with the DPC's prior approval.

The Disability Act 2005 places certain restrictions on genetic testing and the use of data resulting from it. Consent to such testing must be obtained and the results cannot be used in relation to employment, insurance, pensions or housing loans.

Financial privacy

Between June and October 2007, the unencrypted personal data of about 10,000 customers of the Bank of Ireland were stolen.52 They included, in addition to medical history, life insurance details, names, and addresses, customers' bank account details.53 However, the bank did not notify the Data Protection Commissioner of the privacy breach until April 2008, ten months after the first theft.54 (See more details under the "Internet & Consumer Privacy" section.)
