This is commentary was written jointly by: Tom Hayesand Derek Mooney write: Is the purpose of the General Data Protection Regulation (GDPR) to create a legal framework to ensure that the personal data of EU citizens is properly protected or is it a mechanism to find ways to sue multinational companies, particularly US companies, for multimillion amounts of Euros?
This is a short article I wrote for the BEERG (Brussels European Employee Relations Group) weekly newsletter on some interesting recent developments on data protection, particularly the criticisms of the Irish Data Protection Commission. Though unconnected, I had a short Twitter exchange with renowned privacy advocate, Max Schrems, on a related topic, a few days later.
In early December one of the five directors at Belgium’s Data Protection Authority (APD/GBA) resigned, citing the same concerns about a “lack of independence” at the authority which the EU Commission had raised several weeks earlier.
In November VRT (public-service broadcaster for the Flemish Community of Belgium) ran a story saying that the European Commission was commencing infringement proceeding against Belgium claiming that:
some members of the APD/GBA cannot currently be considered free from outside influence, as they either report to a management committee dependent on the Belgian government, have participated in government projects for the detection of COVID-19- contacts, or are a member of the Information Security Committee.
This column which looks (eventually) at Ireland’s ongoing political/policy neglect of data protection and cyber security and why the Defence Forces have a vital role to play in defending Ireland’s vital national infrastructure from cyber attacks. This column first appeared on Broadsheet.ie on July 20th 2020
Since I wrote my last Broadsheet column, An Taoiseach Michéal Martin has sacked a cabinet minister and reassigned three junior portfolios. According to his supporters this action, a mere 17 days after his first round of appointments, is proof of An Taoiseach’s cool decisiveness and a major rebuff to those who consider him a self-interested ditherer.
They may well be right, but either way his unplanned reshuffle does afford us the chance to look again at the choices made by An Taoiseach on June 27th and July 1st when he chose his team of senior and junior ministers.
Technically, of course, An Taoiseach did not choose most of them. Martin himself only got to name 5 cabinet and 8 junior ministers. 13 out of the 32 positions to be appointed. The rest, 6 Green and 13 Fine Gael were chosen by their respective party leaders and, we are told, beyond the allocation of portfolios, there was no consultation on the identities of any of those to be named.
So let’s look at some of those decisions. Actually, let’s not.
This column appeared on Broadsheet.ie on September 24th and looks at the current government’s ongoing issues with grasping the critical importance of data and data privacy to our continuing economic growth and development. While the governments response to the Data Protection Commissioner’s findings that it broke its own laws in expanding the scope of Personal Service Cards shows a cavalier attitude to data protection, the total inadequacy of the states response to real cyber-security threats is frightening. The State must immediately given the Defence Forces a lead role in building cyber security capacity and give it the resources right now, including the ability to recruit and train the next generation of cyber security experts.
Twenty years ago (last Sunday) the first ever episode of The West Wing premiered on US TV.
Though anyone who has ever served in government can confirm that The Thick of It or Yes, Minister are more realistic portrayals of life along the corridors of power, The West Wing still represents the ideal, the way we would like to think it is.
This is due, in part, to the excellent characterisations, but it is mainly down to the quality of writing. The dialogue not only fizzed, it was informed by actual policy debates.
There were prescient. Much of it is still cogent despite all that has happened in the intervening two decades.
This is a brief overview of some data protection issues for business to watch out for in 2018. It first appeared in this week’s BEERG weekly newsletter under the heading: #GDPR – 132 Days to go… but there is a lot more ahead.
Note my GDPR countdown clock to the right (or below on Mobiles) of the screen
Derek Mooney writes: No one needs reminding that the General Data Protection Regulation, 2016/679 (GDPR) the EU’s new pan European data protection law comes into force on May 25 – in 132 days, or 94 business days, (from Jan 12) 2018 will be the year of data protection as everyone -regulatory authorities and individual organisations alike – struggles to get used to the new regime.
Will Data Protection Authorities and individual companies be able to source sufficiently experienced Data Protection Officers to oversee the new laws? And if having the GDPR come into effect in 2018 is not a sufficient strain, you can add the issue of what happens to data transfers to the UK post Brexit?
This is a piece I wrote for the March 14th issue of the BEERG global labour newsletter. It examines the consequences of the EU Parliament’s overwhelming vote on the General Data Protection Regulation and acknowledges the hard work and valid concerns raised by the Irish MEP Sean Kelly (EPP & Fine Gael)
Though it is now accepted across the EU that the Data Protection Regulation is not likely to be approved until 2015 at the earliest, the European Parliament has scheduled a debate on the legislation on Tuesday (11 March) with a full First Reading vote on it on Wednesday.
The vote comes just 10 weeks before voters across Europe go to the polls to elect the next European Parliament.
The plenary vote on Wednesday is no mere gesture, however. It is the outgoing Parliament setting out its position so that the incoming one can start negotiations with the Council of Ministers, as soon as they have adopted their position, though the timetable for the Council’s part of the process remains uncertain
It is not the European Parliament’s only debate on Data Protection this week as it is also set to approve the final report of its own inquiry into alleged mass surveillance by the US National Security Agency.
That report not only demands that the US/EU trade talks not lead to a softening of data protection standards, it also calls for the suspension of a programme to share bank transfer data with the US, and calls on member states to strengthen oversight of their intelligence services.
As mentioned earlier, the ball now lies with the member states governments via the EU’s Council of Ministers. The Justice Ministers met last week and held a policy debate on outstanding issues relating to the data protection regulation framework.
ASs the communique issued after the meeting said: “Ministers broadly supported the draft provisions as regards the territorial scope of the regulation and confirmed the understanding that international transfers of personal data to third countries should take place on the basis of key principles contained in chapter V of the draft regulation.”
It then went on to diplomatically express the ongoing delays and problems saying:
“Ministers agreed that more technical work will need to be done on important aspects of this chapter and that the question of alternative models for international data transfer will need to be studied in depth.”
“The Council confirmed that the work will continue at a technical level on the basis of the progress achieved so far on: pseudonymisation as an element of the risk-based approach, portability of personal data for the private sector and obligations of controllers and processors.”
“Whilst a majority of delegations appeared to be of the opinion that the scope of the profiling provision in the future regulation should, like the current Directive 95/46/EC, limit itself to regulating automated decision-making that has legal effects or significantly affects individuals, some other delegations pleaded in favour of specific provisions on profiling. Work at a technical level should therefore continue on that basis.”
Others involved in the process expressed their frustrations with the Council’s difficulties in reaching a consensus less delicately. Ralf Bendrath, the Green Party’s data protection expert and an adviser to the German Green MEP who is the Rapporteur who has steered the Regulation through Parliament thus far said on Twitter: “Germany again – embarrassingly – less supportive than all other member states on progress”. He went on to dismiss Germany’s observations that the issue will “need more debate” and chided them for not specifically stating their objections.
While Ministers are still a long way off reaching agreement on their draft of the Regulation, that is not to say that a great deal of technical work and progress is going on behind the scenes.
The Greek EU Presidency has been working away very assiduously in recent months with a series of DAPIX and other Data Protection officials meerting. The Greeks have also been engaging with the Italian government (it is the the next country to hold the 6 month rotating Presidency of the EU) to work out a road map for agreeing on the data protection reform swiftly.
While their original objective of agreeing on a mandate for negotiation with the European Parliament before the end of the Greek Presidency looks unlikely to be achieved, they are busily dotting all the “i”s and crossing all the “t”s they reasonably can awaiting some direction from the member states.
Meanwhile in the UK, the Liberal Democrat Junior Minister at the Justice Ministry, Simon Hughes MP, has announced a review of the criminal sanctions available for breaches of the UK’s Data Protection Act. He said the review would help the UK government “decide whether to increase the penalties as the law permits”.
Feeding into this process Pinsent Masons’ specialist in data protection law Kathryn Wynn has suggested that the government should go further than reviewing the criminal sanctions and should also consider strengthening the civil monetary penalty regime too, arguing that a previous increase in the maximum level of fine in 2010 had prompted organisations to take the issue of data protection seriously.
Using the draft EU’s General Data Protection Regulation as an example she suggests that the review take the approach envisaged there, where the level of penalty for a data breach is calculated on the basis of a percentage of their annual turnover.
So, even before it is passed, we could see the draft EU’s General Data Protection Regulation is influencing domestic legislation across Europe.
A light hearted piece, penned by a couple of us in BEERG, on the employment data aspects of data protection from the festive/end of year edition of the BEERG Newsletter
The BEERG Team write:According to usually unreliable sources in Brussels, Commissioner Reding is to ask the European Parliament to investigate allegations that the head of a global enterprise operating from an unspecified Artic territory just within EU borders has been holding and using data files on a range of individuals world-wide. There are also suspicions that the enterprise may have links to the US’s National Security Agency (NSA). The company concerned has been identified as Claws Enterprises, headed by the mysterious Sanity Claws.
Commission Reding is said to have been alerted to the operations of Claws after hearing a rhyming couplet broadcast on several EU and US radio stations in recent weeks. According to the aforementioned sources the recording said that Claws has been
“…making a list and checking it twice / he’s going to find out who’s naughty and nice…”
Leading data protection sources informed BEERG that no information commission or data protection authority anywhere in the EU can trace any records of any non-judicial or non-policing enterprise or individual registering with them for the purpose of checking who is “naughty or nice”.
The recording is causing understandable concern in the EU capital coming so soon as it does on the heels of the Snowden revelations. The suggestion that both this enterprise and Mr Snowden are based in neighbouring Polar Regions is also causing concern and raising questions of some collusion.
Commission Reding is said to be considering immediately raising this issue as part of the EU-US Trade talks given this enterprise’s seasonal global operations, particularly the suggestion that Claws (spelling of the name to be checked) is expected to be “coming to town” soon. Tea Party sources in the US refused to confirm or deny rumours that they are hosting a reception for Mr Claws when he gets to DC. A Tea Party spokesperson said: “We will be having an end-of-year get together. Come all ye faithful”.
Questions are now being asked if this Mr Sanity Claws will be visiting the NSA offices near Washington DC during his impending visit and what is the nature of his relationship with the NSA given the rumours that he has a team of elves and minions strategically placed across the planet. French officials have questioned as to whether Claws Enterprises are operating in conformity with the Posting of Elves Directive.
One official commented: “We suspect that some of the elves posted by Claws to France may be below the minimum height requirement for elves in France. Further, we have suspicions that they may also be working on Sundays”.
The CGT union has called an emergency meeting of its Elves and Safety Committee and says it will oppose any moves to downsize French elves. Meanwhile, a spokesperson for UNI Global said that while they had never heard of Claws Enterprises and had no idea what they did. Nevertheless, the spokesperson called on the company to open negotiations for an International Framework Agreement. The spokesperson added that they had commissioned a leading NGO to produce a report on “poverty pay” in Elf Land. We believe that the report is provisionally entitled: “Hi-Ho, Hi-Ho our wages are too low”.
German media sources quoted Chancellor Angela Merkel saying: “Thankfully, as part of the program for government with our SPD colleagues we have just agreed a national minimum height for elves in Germany”.
Sources totally disconnected with Commissioner Reding’s office have been expressing concerns that this Sanity Claws enterprise has been gathering personal data with neither implicit or explicit written consent – either on file or online.
“Where does this leave the right to be forgotten?” said one of the sources. “We believe that the right to be completely forgotten must be applied and that these lists being held by Mr Sanity Claws and the personal information held on them must be destroyed within the next 10 days. We know that the people of the EU and the US, especially younger people, will thank us for this before the end of the month if we have our way”, they continued.
When asked if the Commission position meant that Claws should destroy his lists and not deliver presents to children on December 25th our source responded that “austerity was for life and not just for Christmas” and the sooner that children realised this the better.
Another anonymous legal source, specialising in the area of contract law and service level agreements, has told BEERG over the phone that they do not believe the specified enterprise could legally or credibly offer a reward-based service determined solely on a subjective assessment of an individual’s niceness or naughtiness. “It sounds like madness to us lawyers” they said. “We have examined the text, the content and provisions of hundreds of contracts over the years and, based on this experience, we can state with near certainty that there is no sanity clause.”
PS… since writing this piece we are hearing reports that the Commission have also learned of another enterprise holding and using unapproved personal oral hygiene data trading under the name: The Tooth Fairy.