Privacy storm: Respect the power of data in dangerous times

13 Feb 2017

Ireland’s High Court: the battleground for the biggest privacy issues of our age. Image: Patryk Michalski/Shutterstock

Ireland is receiving harsh but necessary lessons in data privacy and the responsibilities that come with it, writes John Kennedy.

In the past fortnight alone, I received two emails that were sent to me in error.

One was, on the face of it, a reasonably harmless email between a PR rep and a journalist. Nevertheless, it could have given me an insight into the inner workings of a rival news business – dangerous!

The other was a highly sensitive email that if I even hinted at what it was about, it would be explosive. And no one would come out well from it. Not one bit.

So I did the right thing and informed the various parties of their errors.

But these are just tiny examples of what can go awry in a world where the machines have never been more sophisticated and the weakest link of them all is still human.

It is Data Week here at and the overriding theme is the sophisticated data infrastructure industry that has emerged in Ireland. I liken it to a sophisticated tapestry that grows in complexity and detail all the time.

It is a growing industry that connects everyone from software workers to telecoms professionals, data centre operators, mobile phone companies, ISPs – you name it. It is a multibillion-dollar industry and the fabric is expensive and complex.

Think about it: whether you send an email, post a Facebook message, put an image on Instagram or conduct a Skype call in real time with friends or relatives in Australia, the magic that is happening would have been unthinkable to previous generations.

I won’t bore you with the details, but just imagine thousands (if not millions) of bytes or packets of data instantaneously zapping from the device in your hand, bouncing off mobile masts, hurtling down fibre lines, smacking off servers in data centres, buzzing over transatlantic cables, flying through social networks, communicating with artificially intelligent ad bots – and all of this happening faster than the beating of your heart. Soon, if not already, this data will buzz between internet of things machines in your car, your home and business – with or without you.

But in the midst of all this science are human beings. And to err is human. Or is it?

Will Privacy Shield actually shield the little guy?

Whether we realise it or not, we are all being gifted a front row seat to two of the most expensive lessons in data privacy. One concerns what internet companies can do with our data, while the other relates to what governments can do with it.

These are expensive and valuable lessons, because they concern every single person.

About four or five years ago, an Austrian law student called Max Schrems was in the US doing what students do, attending a lecture.

He witnessed executives from a prominent US internet company laugh and joke about how they could do what they wanted with the private data of EU citizens. “They were saying, ‘F*** the European rules, nothing is ever going to happen if you break them’,” Schrems told me last year.

Remember, this was before Edward Snowden made his revelations about PRISM and collusion between US and UK spy agencies in tapping the private data of European citizens.

Outraged, Schrems decided to take legal action. He took a David v Goliath case that was dubbed the largest ever class action privacy suit, and quintessentially destroyed the long-standing Safe Harbour rules, bringing about a new regime called the EU-US Privacy Shield.

While the merits of the Privacy Shield have yet to be truly tested, Schrems actually did Ireland a favour by kick-starting a chain of events that saw the Data Protection Commissioner’s office get the correct resources it needed to handle the responsibilities of having the world’s biggest data companies based in Ireland.

It also saw Ireland become one of the first countries in Europe to appoint a Minister for Data Protection (Dara Murphy, TD).

Since last week, Schrems and the Data Protection Commissioner have been back in the High Court in Dublin in a related case over the validity of standard contractual clauses (SCCs), which companies such as Facebook are using to send data from Europe to the US.

The case is pivotal because it could affect the privacy of hundreds of millions of European citizens. It is so pivotal that the US government is part of the case, along with Facebook.

Behind the legal jargon and confusing rhetoric is one real question that stands out in my mind: if a European citizen had to seek redress over a breach of their privacy, just how far would they get in a US court?

The case actually shows that the Data Protection Commissioner, Helen Dixon, and Max Schrems aligned on the issue. It raises practical questions over the real power of Privacy Shield.

At the heart of all data privacy matters is the individual.

We are all still learning how to behave online; not to reveal too much information, not to fall victim to scammers via email phishing attacks or mobile attacks (smishing), and so on.

And we are all lambs to the slaughter.

Citizens and State: Who protects whom?

Ireland is creating a new role with the introduction of a social media watchdog, or Digital Safety Commissioner, as he or she will be known. The idea is to accelerate the protection of individuals in digital matters such as bullying or defamation of character.

A key aspect of this will be teaching younger generations how to behave online, how not to be a bully, how not to defame etc.

But if you become a victim, what can you do? The big social network companies such as Twitter and Facebook make their revenues from a raw ingredient called people. You are the product.

They exude a warm, friendly appearance and encourage you to use their products. And that is fine – until something goes wrong.

Look closely at these companies and the doors to their fancy, shiny buildings that are bristling with security. An urgent matter such as a post of a video or image that defames you or your business suddenly gets mired in emails or notifications. There is no phone number you can ring, no other human you can talk to – just a process that could take days or weeks to resolve, or could even end up in court.

The big corporate machine that makes revenues from you being a human, posting human things and experiences, becomes a faceless machine that rarely shows empathy.

But what if your data privacy was eroded, not by a corporate entity, but instead by the very country that you are a citizen of?

There is a curious juxtaposition between what the Data Protection Commissioner and campaigners such as Schrems are currently fighting for in terms of people’s rights, and one of the most grotesque cases ever to emerge in Irish legal history. This latter case concerns Garda whistleblower Sgt Maurice McCabe.

On the one hand, you have people fighting to clarify rules over what people can do when their privacy is eroded.

But on the other, you have a glaring example of how lives can be destroyed when data or information is mishandled by those who are supposed to protect you.

Current revelations are gripping the Irish nation over how McCabe became the victim of false allegations.

Unbeknownst to McCabe and his family, false and horrendous allegations were put on the system of child protection agency Tusla, but it has been claimed that the whole situation was down to a supposedly honest cut-and-paste mistake. The error was compounded when an apology from the HSE meant for McCabe was delivered in error to a neighbour.

The case is causing chaos among the highest echelons of the Irish political establishment and for this reason, we should pay very close attention.

It calls to mind how up to 70 officials at the Department of Social and Family Affairs were reprimanded in 2006 for breaching the confidentiality of Dolores McNamara, for snooping on her files just days after she won €115m in the EuroMillions lottery. Officials were alerted to the situation when information that could only have existed in McNamara’s files were published in a newspaper.

The McCabe case is only beginning, and it raises all kinds of questions about people in positions of power and how they handle information responsibly and safely.

We are in an age where a multibillion-dollar business with the most sophisticated cyber defences against hackers could become a highly publicised data breach victim, if just one employee clicks on a phishing email by mistake.

Before Christmas, Meath County Council almost lost €4m to hackers when it became the victim of identity theft by hackers.

It proves that no matter how sophisticated technology is, the human link is still the most dangerous weakness of them all.

Everyone needs an education on data and we are being gifted expensive lessons, whether we want them or not.

In 2018, the EU’s General Data Protection Regulation will come into effect and it will require every business to have someone with the role of data protection officer – with hefty fines for failures.

The lessons of 2017 are harsh and they are still being doled out. So pay attention.

All information is data.

And with data comes great responsibility.

This will be the lesson of our lives.

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years