It looks like 2014 will be a good year for data protection

Two important initiatives to improve data protection and data privacy look set to be decided this year

Edward Snowden: most of us have a much better sense of why we all should value adequate data protection and privacy due in part to the drip-drip revelations of surreptitious surveillance coming from the whistleblower. Photograph: AP Photo
Edward Snowden: most of us have a much better sense of why we all should value adequate data protection and privacy due in part to the drip-drip revelations of surreptitious surveillance coming from the whistleblower. Photograph: AP Photo

Tuesday was International Data Protection Day, recognised around Ireland with events to raise awareness among businesses and consumers on an issue that has an increasingly high profile.

(No) thanks to highly-publicised data breaches affecting consumer data, as well as the drip-drip revelations of surreptitious surveillance coming from whistleblower Edward Snowden, most of us have a much better sense of why we all should value, and fight for, adequate data protection and privacy.

It is appropriate, then, that two important initiatives to improve data protection and data privacy look set to be decided this year, each with significant Irish input.

There is an ongoing effort to bring in more specific and consistent European data protection regulation.

READ MORE

This would replace the outdated EU data protection directive (95/46/EC), which underlies national data protection legislation across the EU.

The directive is long overdue for a revamp, given that it was drafted in 1995. This was before widespread use of the internet, before the gathering, storage and sharing of electronically stored data, and long before the issue of the privacy – or not – of photos and posts on social networks.

Draft legislation moved forward significantly under the Irish EU presidency term, but the indications at that point were that many of its more stringent elements might be watered down in a concession to business and US government lobbies.

However, then came Snowden.

Widespread European political frustration at the level of data gathering that has been revealed led to many of the stricter
provisions being reintroduced.

There is now a far stronger sense of intent to effectively protect personal data from snooping government agencies (inside or outside Europe) and lackadaisical corporate attitudes.

The indication is that fresh data protection legislation will be passed before the year ends. It will also be implemented in a regulation that will require consistent compliance across Europe, removing the piecemeal implementation that occurred with the directive.

That is good news for consumers and businesses, even though ensuring compliance is likely to remain a challenge, as it has been with the current directive.


Call data
The other significant development on the privacy front is the likelihood that Europe will need to extensively rethink its data retention programme –the gathering and storage of large amounts of call data, including location information produced by mobile phones and some internet data.

Such data is collected primarily on behalf of law enforcement agencies, on the basis that citizens might at some future point commit a crime, when these
details could be useful evidence.

However, data privacy advocacy organisation Digital Rights Ireland challenged this legislation at European level.

At the European Court of Justice, Digital Rights Ireland argued that it amounted to mass surveillance of citizens not accused of any crime, and that holding data for all individuals for long periods – two years in the case of Irish call data – is disproportionate to the needs of law enforcement.

An initial legal analysis for the judges of the court, released publicly in December by the court’s advocate general, advised throwing out the EU’s data retention legislation.

The advocate general wrote that the directive constituted a serious interference with the fundamental right of citizens to privacy and was incompatible with the EU Charter of Fundamental Rights.

He said it should be overturned and carefully rebuilt with greater controls and protections.


First case of its kind
The European Court of Justice usually follows the guidance of its advocate general. For various political reasons – including the fact that this is the first case of its type, with human rights implications, to come before this court rather than the European Court of Human Rights – some insiders feel the court of justice could take an even tougher position.


Final decision
The final decision of the European Court of Justice – which has surely been influenced by the Snowden leaks – is due within weeks. Given the already strong opinion of the advocate general, it seems unlikely that the court will opt for the status quo.

It is important to note that Digital Rights Ireland’s challenge has not been about whether law enforcement should have managed access to call and other data records for use as evidence.

The complaint, largely upheld in the opinion of the advocate general, regards the sheer amount and breadth of data collected, the length of storage time, the management of that data, and the oversight and governance of access requests.

On foot of these significant developments, it is hard to imagine that either the data protection or data retention regimes will remain the same, much less be weakened.

If both are overhauled – as each needs to be – to give greater regard to the protection and privacy of personal data, Europeans will be celebrating an international data protection year, rather than just one day, in 2014.