ONLINE PRIVACY: Rules to be implemented on April 1st will make significant alterations to the 1988 Data Protection Act, writes Denis Kelleher.
Europe's data protection laws are supposed to protect the privacy of individuals when data relating to them is processed. If privacy is not protected the effects can be costly: last year, the EU suggested that unsolicited e-mails or "spams" cost internet users around €10 billion (£7.9 billion) a year.
The EU has responded to concerns about such activities by enacting the Data Protection Directive. Last month, the Minister for Justice, Mr O'Donoghue, took the first steps in enacting this within Irish law by signing the European Communities (Data Protection) Regulations, 2001.
These regulations implement some of the directive's provisions, but full implementation of the directive will require more extensive Irish legislation. The regulations come into effect on April 1st, and will make two significant alterations to the Data Protection Act 1988.
Firstly, the 1988 Act puts controllers of data such as banks, Government agencies and other institutions under a duty to provide appropriate security measures to ensure personal data is not accessed without authorisation or altered, disclosed, lost or destroyed.
Securing data against threats such as computer viruses can be difficult and costly.
It has been estimated that viruses cost some $10.7 billion in the nine months up to September 2001, compared to $17.1 billion for all of 2000 and $12.1 billion in 1999.
The "Love Bug" virus alone has caused some $8.7 billion of damage.
If a data controller does not properly protect the personal data in his care he can be sued, or face enforcement proceedings from the Data Protection Commissioner.
The regulations limit exposure to this risk by stipulating that data controllers may balance the cost of security measures and the technology available to implement them with the nature of the data concerned and the harm that may result if it is accessed. This means data controllers will not have to spend thousands of euros to protect personal data that is of little value, or is publicly available.
Secondly, the regulations make it harder to object to transfers of data outside Europe. This is highly significant for the Republic, given the very large numbers of non-European multinationals that do business in the State.
In future, the ability of the Data Protection Commissioner to prohibit such transfers will be more limited than previously. He will not be able to prohibit transfers to countries that the EU believes are suitable, or where the controller has agreed a contract to protect the privacy of the data in a format that is sanctioned by the EU.
Where the Data Protection Commissioner can prohibit a transfer, before doing so he must examine whether the transfer would cause damage or distress to any person, balancing this with the desirability of facilitating international transfers of data and a range of other criteria - such as the nature of the data concerned and the suitability of the destination country.
These changes in the law reflect changes in technology and the global economy. The 1988 Act is based upon the Strasbourg Convention of 1981, when the internet and international data transfers were limited and easily controlled.
The problem for Ireland and Europe's data protection laws is that the threat to the privacy of individuals is also changing.
New laws such as Europe's Cybercrime Convention may require the State to monitor the online activities of citizens, as may new anti-terrorism laws, and concerns about global terrorism may force a dilution of the EU's data protection laws themselves.
This may put pressure on the Republic's e-commerce laws, which have been built around the concept of strongly protecting the privacy of individuals online.
Denis Kelleher is a practising barrister and co-author with Karen Murray BL of Information Technology Law in Ireland, published by Butterworths; http://www.ictlaw.com.