Who’s got your number?

28 Nov 2002

Revelations and illumination on contentious issues are most often guaranteed to come from the most unexpected places.

Hence, it was no surprise when Ireland’s two mobile providers, O2 and Vodafone, recently unveiled their multimedia messaging-enabled camera phones that the issue of privacy and technology intertwining reared its ugly head.

Fitness instructor to the stars, Pat Henry, imposed a strict ban on camera phones in his Pembroke Street gym in order to save clients the embarrassment of being secretly photographed and images ending up flashing from phone to phone or over the internet.

It was just one new issue amongst a myriad of developments that Ireland’s third data protection commissioner, Joe Meade, has to add to his list of objectives in protecting privacy and ensuring that Ireland’s e-society is a progressive and fair place to do business.

Ireland’s Data Protection Commission only came into being in 1998 following the passing of existing data protection laws in the same year. Meade has been exemplary in insisting that firms that fail to respect the privacy of consumers and safeguard confidential information with which they have been entrusted could face having their databases destroyed, websites shut down as well as a hefty fine of €63,000.

However, Meade wants to be perceived as a fair man and has made it clear that he understands that many firms tend to offend inadvertently, through lack of awareness of existing laws on data protection. His belief is that complying with privacy protection rules is an “enabler, not a hinderer, of e-commerce”.

With a growing number of firms engaging in e-commerce, whether through simply marketing via electronic means to full-blown credit card transactions, such indifference to existing legislation could prove fatal to Irish firms.

With data protection laws becoming more specific with the Data Protection (Amendment) Bill, 2002 due to be passed as well as the recent Directive 2002/58/EC from the European Commission concerning the processing of personal data and the protection of privacy in the electronic communications sector, the rules of engagement are harsher. All EU countries currently comply with the EU directive, with Ireland and Luxembourg due to pass the legislation before the end of this year.

Already, Meade’s office has come under flak because of the stricter regulations that face firms involved in e-commerce and, indeed, any firm that has a database containing personal and confidential information on customers. In recent weeks, solicitor firm A&L Goodbody called on the Government to amend the forthcoming Data Protection Bill, because it believes the laws to be excessive and potentially confusing for Irish firms, describing the wording as “complicated” and requiring “explicit consent” for the processing of all personal information.

But there are other issues that technology in Irish society is bringing to the fore, apart from digital camera phones in gyms and intrusive email and SMS (short service messaging) marketing. Among these, for example, is the proliferation of CCTV cameras in Ireland, from sophisticated systems operated by the Gardaí to the more basic cameras that are perched on the walls of banks, petrol station, shops and schools. The Data Protection (Amendment) Bill, 2002 and EU Data Protection Directive currently before the Dáil may subject these systems to the law of data protection.

If a tape is made and the content of that tape may constitute legal evidence it could be called up in court. As well as this, if a recording was made in a washroom or restaurant, where people expect privacy, consequences may flow from unfairness and illegality. Under all the new legislation, contents of such a tape would have to be acquired fairly and lawfully.

Another potential storm over data protection may erupt as a result of the implementation of a €15m computer system by the Gardaí capable of tracking the movement of criminals, illegal immigrants and drug dealers across Europe as part of a pan-European initiative. The Schengen Information System, due to be implemented this month, will hold personal data on suspects, including their names, sex, date of birth, nationality and other information and will be based in Strasbourg.

Some 13 European states have joined the system, as part of a European aim to set up a common police force, raising the ire of civil rights groups. It is understood that Meade’s commission is currently engaged in an independent supervision of the national section of the system and will ensure that the processing and use of the data does not violate the privacy rights of individuals concerned.

In recent weeks, Meade addressed PricewaterhouseCoopers’ Operational Risk 2002 conference in Monaghan, where he insisted Irish firms adhere to privacy rights of individuals if they want to be successful in e-commerce. “There are obligations posed on anyone who processes data that it has been obtained fairly and legally and that information is not disclosed to anyone other than the purpose for which it has been collected,” he said. “Individuals have also the right to get a copy of personal information held by firms, correct that information if it is wrong, opt out of direct marketing and complain to me if their rights are infringed.

“Firms must also ensure that the data they hold on an individual is kept safe and secure, be accurate and up to date, and be relevant, not excessive. It’s about common sense and striking a balance,” Meade added.

In looking at the challenges data protection poses for Irish business and the overall good of Ireland’s e-society, Meade says that the increasing pervasion of IT as a routine factor in everyday life poses inherent risks to privacy. “Individuals risk firms building a profile of them that they aren’t aware of. For example, if someone gets turned down for a bank loan for which they believe they may have been entitled to, they have a right to find out what factor influenced the bank’s decision to decline them a loan. A mismatch in information could have happened and people are not aware of what’s happening to their data. The rules are specific and firms that want the good will of their customers should pay attention.

“I’m all for e-commerce. I’m not a Luddite holding back e-commerce. The success for e-commerce would be public credibility,” Meade adds.

He said that e-commerce is increasingly being held back by fear of personal information being sold or published and the risks to credit card numbers. “Privacy and human rights, and assurance that safeguards are in place are vital. There are practical implications for firms, but companies ought to be transparent so that customers can make clear and informed choices.”

Meade points to a new website privacy template drawn up by his office in conjunction with the Irish Internet Association in recent weeks that firms can use to help them draft their own policies and reassure the buying public about how their data will be protected.

“Data protection is not a barrier to anything. Once the information is collected in an open, transparent, unambiguous manner, it makes business sense because it empowers a customer to know what’s being done with their data and that inspires trust,” he explains.

The enforcement powers that Meade enjoys are straightforward and pragmatic. “If I receive a complaint, I can issue a notice requiring information to be furnished and can issue an order requiring a firm to stop processing the data. I make formal decisions on complaints I receive and investigate. Any decision of mine can be appealed to the circuit court. It is a criminal offence to disobey the orders I issue and carry such penalties as the destruction of a database and a maximum fine of €63,000,” he warns.

In determining the success of the Data Protection Commission’s efforts so far, Meade believes that businesses have become more conscious of their responsibilities. “Many offend unintentionally due to misadministration or inexperienced staff and are very quick to correct matters. Firms are free to come to us and discuss their concerns. My view is that data protection is a competitive advantage; embrace it!” he enthuses.

On the issue of intrusive SMS marketing and the proliferation of camera phones, Meade says that the issue has yet to become a formal matter and referred to the new communications directive from the EU in July, which strongly advocated allowing individuals to opt out of campaigns. He also pointed to a forthcoming directive due from the European Parliament in October 2003 that will deal with whole area of SMS and multimedia messaging.

“Any piece of technology can pose an issue if it is abused. I have a great regard for companies that are honest, upright and adhere to data protection and privacy. There are cowboys everywhere, but companies will find that ultimately it is not in their interest going forward,” Meade concludes.

By John Kennedy