The Irish Data Protection Commissioner (DPC) recently doubled its budget, and is busy hiring and building capability. It’s an encouraging sign, as the function had been significantly under-resourced in recent times; but one wonders whether more needs to be done. The DPC is responsible for three areas right now – privacy in relation to Internet Services companies like Facebook and Google; privacy in relation to state organisations like the Gardaí; and privacy in relation to private national companies who possess data. That all three domains are vested in this single organisation says something for the breadth of work that these guys have to take on. But nowhere in their mandate does it suggest that they may have a role in commercial or security issues, for which there is no competent authority in the state, and certainly no strategy to address them.
Naturally the Gardaí have a role to play in security issues. The secret services – whoever they are – presumably have some function in relation to securing the functions of government; but it’s a growing issue. Commercial issues, such as data residency, taxation, and data trading, including issues related to financial trading and advertising businesses on the Internet, are, it would appear, dealt with almost exclusively by the Industrial Development Authority and the Department of Finance. This recently published (and redacted) memo from a meeting between Minister for Finance Michael Noonan and Urs Holzle – Google employee number 8 – illustrates the importance well. As Holzle put it, “[T]he strength of a country’s competent authority for data privacy [is] now as important an issue for a country’s competitive edge as their competent authority for taxation.” Holzle also said that Iceland’s legislation on Government access to information was a good example to follow. We shall see how the legislative program develops, but the phrase ‘pushing an open door’ comes to mind.
The Icelandic Data Protection Commissioner has very kindly offered a version of its website in English. It is headed by the Icelandic word “Persónuvernd”, which simply means “Privacy”. There is of course a significant difference between data protection – which means protecting something which may be of objective value, like bank account details – and privacy, which means something of subjective value, like knowledge of a love affair. But we’ll get to these subtleties later. The relevant legislation governing the access of data by Government is Chapter III of the Act on the Protection of Privacy as Regards the Processing of Personal Data, No. 77/2000, from May 2010. A useful cross-country guide from lawyers Norton Rose Fulbright describes its policy as regards international transfer of data thus:
The transfer of personal data to a country that does not provide an adequate level of personal data protection is prohibited, unless an exemption applies. These include that the data subject explicitly consents, the transfer is necessary for the performance of a contract for the data subject and the transfer is necessary to serve an important public interest.
The laws in Ireland, it turns out, are similar. Again from Norton Rose Fulbright:
Under the DPA, transfers of personal data to countries outside the EEA are prohibited unless either:
• the destination country in question ensures an adequate level of protection for the processing of personal data; or
• one or more pre-conditions are satisfied thereby allowing the transfer to take place.
Examples of pre-conditions include:
• where the data subject has consented to the transfer;
• the transfer is necessary for the performance of a contract between the data subject and the data controller; or
• the rights of the data subject are protected by a contract based on the EU Model Clauses for the transfer of personal data to countries outside the EEA which has been entered into between the sender and the recipient of the personal data.
It appears therefore that we will have to examine interpretations of “adequate” in each case, in order to determine how hard these laws are in practice. However, this may be a distraction. Verne Global, an Icelandic Data Center provider, recently published a paper on ‘Data privacy and security in the post-Snowden era’, where they argue (though they would, wouldn’t they) that hosting data in the US undermines corporate secrecy, and that in order to comply with EU Directive 95/46/EC they need to house their data in secure locations – like Iceland.
It remains unclear, however, how Iceland differs from other EU states in its application of its privacy laws. The Icelandic legislation – passed in 2010 shortly after the reconstitution of the Icelandic State, following its near collapse in the Global Financial Crisis of 2008 – was brokered by the IMMI, formerly the Icelandic Modern Media Institute (renamed the International Modern Media Institute in 2011).
The IMMI sought to have Iceland ‘strongly position itself legally with regard to the protection of freedoms of expression and information.’ To that end, it set about amending thirteen different pieces of legislation not just dealing with privacy, but with media and information law generally. They included freedom of information; whistleblower protection; source protection and journalist protection; limits to prior restraint; ISP protection; protection from libel tourism; publishing liability laws; virtual company structures; and process protections where the legal process is itself used to delay (and therefore deny) certain freedoms. This was not just about data, or privacy, but about recognising the changed environment within which we live today.
Challenges of Scope
This gives one pause. In peeling the onion on data protection, I had initially considered that we should move beyond personal privacy, and consider taxation and security in addition. However, it seems that it may be necessary to broaden still further the scope of considerations, into areas such as intellectual property and copyright law, freedom of information, freedom of the press, libel and defamation, and legal process reform. Wikileaks originally were strong supporters of the IMMI, which was created in the wake of the financial devastation wrought by the crash. One can argue that Wikileaks today is an extreme organisation, relegated to the fringe by the erratic behaviour of its eccentric founder Julian Assange. For Google to cite the Icelandic régime as some kind of poster child for the world in which they would like to do business, however, places that Wikileaks agenda (c.2010) firmly at the center of progressive legal thought.
There is a tension too between corporate interests and State interests. This has been clear in the US in the wake of the Snowden revelations, where major US corporate titans have been at odds with their Government. We must seek to understand where those State interests lie; for some, it is in placating the corporations in the interests of foreign direct investment. For others, it is in addressing privacy concerns such as the right to be forgotten. Governments must balance economic, security and political imperatives, and there are land mines in every direction. Building a new data protection régime is not, therefore, merely about data protection, but about modern media, and the future of the Digital State.