Irish law needs urgent update for digital age to give worldwide users protection over data
THE Irish Government does not normally involve itself in litigation battles in the United States. Nor does the US government normally seek to take part in litigation in Ireland. Yet, in the past two years, both of these things have happened in a way which shows how significant Ireland has become to the global internet.
In 2014, the Government applied for permission to take part in a case brought by the US against Microsoft in New York that sought to force the firm to disclose customer data held in Dublin. The Government argued that it would be improper for a US court to make an order affecting data held in Dublin, and said US investigators should instead make a request to the Irish Department of Justice for access to the data under an existing treaty.
This application reflected the importance of technology firms to the Irish economy — as well as the fears of those firms that European customers might abandon them if the US government can assert control over data held in Ireland.
In June this year, the traffic was in the opposite direction, with the US government coming to the High Court in Dublin to seek permission to take part in litigation brought by the Data Protection Commissioner against Facebook.
The Facebook litigation follows on from a case brought by Austrian lawyer Max Schrems challenging the transfer of personal data to the US. A central part of that case was the finding that US law provided almost no protection to European users against state surveillance. By taking part in the Facebook litigation, the US government sought the opportunity to claim before the Irish court that its law has been misrepresented.
The US government made the argument that European concerns were addressed by reforms following the Snowden revelations, particularly by providing new remedies for “non-US persons”. Commercial motives are again at the core — the profitability of Silicon Valley is threatened by rules that require data to be stored within Europe.
Neither of these cases is yet concluded but between them they neatly encapsulate the challenges of applying principles of privacy and territoriality to a borderless internet which is largely run by multinational corporations.
These cases also highlight how Ireland — quite by accident — has become a central, if reluctant, participant in the global debate on online privacy and surveillance. The data at stake goes far beyond Microsoft and Facebook: Ireland is home to headquarters of almost all the internet giants and Irish law affects the privacy of users worldwide.
Our legal system has stepped up to this challenge to a limited extent. Prompted in large part by the Schrems case, the Government has given adequate resources to the Data Protection Commissioner following years of underfunding. Steps have been taken to adopt a national cybersecurity strategy and to establish a cybersecurity centre. A Cyber Crime Bureau has finally been established.
Despite this, many fundamental areas of cybersecurity and privacy law are still neglected.
Ireland signed the 2001 Convention on Cybercrime but there is no sign of legislation that would allow it to be ratified. And Ireland has failed to implement multiple EU laws on cybercrime, putting us in breach of our international duties.
Irish law on the interception of communications has not been updated since 1993 — and proposals from the Department of Justice would extend this Act to the web without reform. If these proposals go ahead, the internet communications of millions of people would be exposed to surveillance based only on the signature of the Minister for Justice, with no judicial authorisation required and no effective oversight after the fact.
The extent of user data based in Ireland makes Dublin an appropriate venue for the 2016 Info Sec conference. But it should prompt us to ask if Irish law is up to the job of protecting those users. Currently, the answer is no. The failure to update cybercrime law has left firms and users exposed and a failure to update surveillance laws means user data stored here does not have adequate protection against State surveillance. Reform is needed if Irish law is to be worthy of trust.