Friday, November 30, 2012

Of hyperbole and credulous journalism

According to an uncritical report in the Irish Times today a court case will have "significant ramifications for Irish society". SiliconRepublic agrees that the case is "significant" and will "send shivers down the spine" of internet users. So what was this latter day Donoghue v. Stevenson of such great importance?

It turns out that it was a run of the mill application to the High Court to identify internet users. These are reasonably common in the Irish courts. The first came in 2005 when the music industry sought to identify filesharers. Since then there have been multiple such applications including several other filesharing cases, a very high profile action by the Red Cross against a whistleblower and one by Ryanair against pilots. This year alone applications were brought to identify internet users by a student wrongly accused of dodging a taxi fare and by solicitor Damien Tansey against the operators of the Rate Your Solicitor website.

This is far from being a full list - these are just the most high profile examples - and this is certainly not any sort of new area of law.

So why the hyperbole in the current stories? Both pieces quote the solicitor responsible for the action, and it's entirely understandable that he might seek to talk up the significance of the case. But journalists should know better than to accept self-serving claims at face value.

Monday, November 26, 2012

High Court confirms standard of review in data protection appeals

The recent decision in Nowak v. Data Protection Commissioner will be essential reading for all data protection practitioners as in it the High Court finally confirms the test to be used in hearing appeals against decisions of the Data Protection Commissioner, along with providing some interesting observations regarding examination scripts as personal data and the meaning of "frivolous and vexatious" complaints to the DPC.

Under s.26 of the Data Protection Acts 1988 and 2003 there is a general right of appeal to the Circuit Court against decisions of the DPC - that section does not, however, specify the standard which the court should take in hearing appeals. In particular, it left open the question of whether an appeal should be treated as a full rehearing of the matter, an appeal on the merits, an appeal limited to a point of law, or some other approach falling short of a hearing de novo. In practice, the Circuit Court has generally followed the decision in Ulster Bank v. Financial Services Ombudsman which is deferential towards the decision maker and requires the appellant to show a serious and significant error in the decision. However, given the scarcity of written judgments at Circuit Court level and the lack of any High Court precedent the matter remained open until now.

In this case, Mr. Nowak was an unsuccessful student with Chartered Accountants Ireland (CAI) and sought access to information held by CAI including a copy of his examination script. While other information was provided to him, the examination script was withheld on the basis that it did not constitute personal data. Mr. Nowak complained to the DPC, who ultimately declined to investigate his complaint on the basis that the complaint was frivolous or vexatious.

Mr. Nowak then brought an appeal to the Circuit Court under s.26, where Judge Linnane held that the court had no jurisdiction to hear the appeal where the DPC had declined to investigate the complaint on this basis. On subsequent appeal the High Court (Birmingham J.) agreed, ruling that:

I find myself in respectful agreement with Judge Linnane that the jurisdiction of the Circuit Court is to hear an appeal against a decision that has been arrived at after there has been an investigation. I share her view that absent investigation of the complaint and a decision in relation to the investigation, that the Circuit Court has no jurisdiction. The entitlement of an aggrieved party in the first place to submit an appeal and then of the Court to hear and determine an appeal arises only where there has been a decision of the Commissioner in relation to a complaint under section 10(1)(a). However, the Commissioner reaches a decision in relation to a complaint only if, not having decided that the matter is frivolous and vexatious, he proceeds to investigate the complaint and reaches a decision in relation thereto.

More importantly, however, Birmingham J. nevertheless went on to consider the substantive issue raised by the appellant and held that:
15. Had an appeal been possible, it would then have been necessary to consider how a court should approach the hearing of an appeal from a body such as the Data Protection Commissioner. How a court should approach an appeal from a statutory body was addressed by Finnegan P. in the case of Ulster Bank v. Financial Services Ombudsman [2006] IEHC 323 (Unreported, High Court, Finnegan P., 1st November, 2006). In the course of his judgment he commented:

"To succeed on this appeal the Plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In applying the test the Court will have regard to the degree of expertise and specialist knowledge of the Defendant. The deferential standard is that applied by Keane C.J. in Orange v The Director of Telecommunications Regulation & Anor and not that in The State (Keegan) v Stardust Compensation Tribunal."...

17. I am satisfied that the approach identified by Finnegan P. is the one that would have been appropriate to apply had an appeal been available. In particular, it seems to me that it would have been appropriate for the court to have regard to what Finnegan P. referred to as the deferential standard, when deciding whether to substitute its own view for that of the Data Protection Commissioner on the issue of whether an examination script constituted personal data. The Data Protection Commissioner is concerned with issues involving data protection on a daily basis. He is required to be in regular contact with his colleagues in other EU member states and is likely to be fully au fait with developments internationally. Pointing to the expertise of the Data Protection Commissioner does not mean that a court will abdicate its responsibilities and there may be cases where decisions of the Commissioner will be set aside, but if that happens, the decision to set aside the decision of the Commissioner will have been taken by a court that is conscious of the experience and expertise of the Commissioner. [Emphasis added.]
Applying this standard, Birmingham J. went on to hold that examination scripts did not, per se, amount to personal data and that the DPC was entitled to find that the examination scripts in this case did not contain personal information. He also held that the DPC was entitled to find the complaint frivolous or vexatious on the basis that:
Th[e] section refers to complaints that are frivolous or vexatious. However, I do not understand these terms to be necessarily pejorative. Frivolous, in this context does not mean only foolish or silly, but rather a complaint that was futile, or misconceived or hopeless in the sense that it was incapable of achieving the desired outcome...
The decision of the Circuit Court was therefore affirmed.

While the points raised regarding examination scripts and frivolous and vexatious complaints are significant in their own right, for me the most important part of the decision is its clear statement that the courts should be slow to set aside decisions of the DPC. The standard applied - that of a serious and significant error - sets the bar quite high for any challenges.

Monday, November 12, 2012

Scenes from the history of the IEDR

The .ie Domain Registry (the IEDR) has been in the news lately following a compromise which left Google.ie and Yahoo.ie redirected to an Indonesian server controlled by hackers. This reminded me to scan and upload some documents from a 2003 Freedom of Information Act request to the Department of Communications about the IEDR - while of little contemporary relevance, they are very informative indeed for anyone with an interest in the history of the .ie space and hopefully will be a useful follow on to the massive set of documents Michele Neylon obtained under FOI relating to the formation of the IEDR.

ENN has some background about the precarious state of the IEDR in 2003.

Apologies for the poor formatting - the documents are as received from the department: FOI re IEDR, 2003

Saturday, November 10, 2012

High Court orders Quinns to reveal passwords to receiver

Time to reset your password

In an interesting decision the High Court (Kelly J.) yesterday ordered that members of the Quinn family must provide passwords to personal email accounts and other information to a receiver appointed over their assets. The order was made in support of the injunctions already granted aimed at recovering assets following a "mesmerisingly complex" asset-stripping scheme in breach of court orders.

This is significant and may well be the first time an Irish court has made an order requiring a party to civil litigation to reveal their passwords to the other side - while there's extensive caselaw in the related area of electronic discovery, none of the reported cases seem to have required the production of passwords. [Update - the ever knowledgeable Andy Harbison tells me that this isn't in fact the first case where an Irish court has made an order requiring that passwords be disclosed - this has been done in at least one Anton Piller order, though unfortunately there's no reported judgment.]

Given the invasiveness of the procedure - especially the fact that personal emails would be involved - the court built in protections into the order, so that:
[T]he information must only be seen by the receiver and a named solicitor..

The judge approved a protocol proposed by the receiver for obtaining and categorising information from the phones and computers. It involves material being downloaded in the presence of the Quinn defendants by a representative of a company hired by the receiver.
That material will then be categorised by the receiver into three categories -- relevant and not privileged, irrelevant, and apparently privileged. Disputes over privilege issues will be decided by the court.
More details in the Irish Times|Irish Independent.

For the related issue as to whether password disclosure can be compelled in criminal matters see this post from 2010.)

Friday, November 09, 2012

Irish newspapers have some curious views about search engines

The Irish newspaper industry seems to have chosen today for a bout of collective hyperbole about search engines. Here's what the Examiner had to say:
Work generated through effort, skill, imagination, professionalism, and usually considerable capital investment, is pirated by businesses with no connection to the creative process as a means to win revenue without risk or outlay. This process is hardly different to what we more commonly describe as theft. The scale of the piracy is astounding. In 2010, while every media company in the country shed jobs and cut costs to the bone, a single search engine operating in Ireland offered around 150,000 newspaper articles that cost publishers an estimated €46.5m to generate. Last year that site offered more than 350,000 articles at a cost equivalent to more than €110m. And all without paying one cent to those who created those articles.
There's more in the same vein from the Irish Times and the Independent.

Incredible, isn't it, that the newspapers are powerless to defend themselves against this "theft" and "piracy". Oh, wait - they're not. Instead, they've deliberately chosen to allow in search engines and to profit from the traffic which they generate.

Here's a non-technical explanation. You don't have to allow your site to be indexed by search engines. If you don't want your site to appear on Google you can use a simple file, known as robots.txt, which tells search engines what they can and can't do. The Examiner has one, as does the Irish Times and the Independent. So do they tell these "pirates" and "thieves" to keep out? Absolutely not. In fact, all three provide sitemaps for search engines which summarise their sites and make them easier to index, while both the Irish Times and the Independent provide specific instructions for the "Mediapartners-Google" searcher. Why do they do this? Because of a business decision that they benefit from the readership which added visibility in search engines generates.

The tone of the piece in the Examiner is entirely deceptive: far from being the helpless victim of "theft" and "piracy", the newspaper has chosen, for its own commercial advantage, to allow its site to be indexed and to benefit from the resulting visitors. Should the newspaper object, it is free to opt-out at any point. But it is shoddy work to misrepresent the position to its readers in this way.