Category: Data Protection

Closing off the Warren of Negligence Claims for Data Breaches

| No Comments
| Cyberlaw, Cyberlaw, Data Protection, Digital Rights, Privacy, Privacy, Tort

Data and Private Law bookcoverI have just published “Closing off the Warren of Negligence Claims for Data Breaches” in Damian Clifford, Kwan Ho Lau & Jeannie Marie Paterson (editors) Data and Private Law (Hart Studies in Private Law, Bloomsbury, 2023) chapter 10; pp161-174 (available via SSRN). Here is the abstract:

Large databases of personal data are increasingly vulnerable to hacks. Arising out of the biggest data breach in the United Kingdom’s history, the claimant in Warren v DSG Retail Ltd [2021] EWHC 2168 (QB) (30 July 2021) sought damages for distress for breach of data protection legislation, misuse of private information, and breach of a duty of care in negligence. Saini J dismissed the negligence claim because there is neither need nor warrant to impose such a duty of care where there exists a bespoke statutory regime. But this is an incoherent policy, inconsistently applied. Moreover, it ought not to operate at all in cases where the defendant has voluntarily assumed responsibility towards the claimant. Nevertheless, after Warren, the tort of negligence provides no incentive for the controllers of large databases to protect them.

The cover of the book is above, right. It is very elegant. And this is one time where you really can judge the book by its cover.…

Read More »

Recent developments with traffic data retention – variously updated

| No Comments
| Data Protection, data retention, ECJ

EyePhoneIn my post on the Communications (Retention of Data) (Amendment) Act 2022: ignore the warnings, legislate in haste, repent at leisure, I sketched how the Government came to enact Communications (Retention of Data) (Amendment) Act 2022 (also here) last Summer.

Since then, there have been several developments.

First, the 2022 Act was intended to buy the government some time to complete a thorough overhaul of the Communications (Retention of Data) Act 2011 (also here). A Bill to that effect has been listed in every Legislation Programme since 2018. So, it is unsurprising that, on 19 April 2023, a Communications (Data, Retention and Disclosure) Bill, to consolidate and replace the 2011 Act, was listed in the Government’s Legislation Programme for the Summer Session 2023 (pdf). However, not only is that Bill not listed as a priority, but we are told simply that the Heads are still “in preparation” (p21).

Still? Still?? Since 2018??? (Indeed, even 2018 was slow, because the underlying Directive was struck down by the CJEU in 2014). Give me a break. Better still, give us all a break by publishing the Bill already!

Second, earlier this month, on 6 June 2023, Minister McEntee signed the Communications (Retention of Data) (Amendment) Act 2022 (Commencement) Order 2023 (SI No 287 of 2023) (also here) to bring most of the Act into effect on 26 June 2023.…

Read More »

The Communications (Retention of Data) (Amendment) Act 2022: ignore the warnings, legislate in haste, repent at leisure – variously updated

| 1 Comment
| Data Protection, data retention, ECJ

Data Retention; via Dall-E 2; modifiedThe headline in the Irish Examiner is stark: “European Commission says Ireland’s new data law may be ‘inapplicable’.” Cianan Brennan reports that the European Commission “has dismissed Ireland’s new controversial data retention law as possibly ‘inapplicable and unenforceable’, as it was not submitted to the Commission before its enactment”. The legislation in question is the Communications (Retention of Data) (Amendment) Act 2022 (also here); and it was, as Brennan says, rushed through the Oireachtas last summer with minimal scrutiny.

It is worth pausing for a moment to see where the Act came from, and to consider why it was so rushed. The Department of Justice repeatedly failed to take the right path, even as it has had plenty of opportunity to do so. When it finally did something, it acted hastily; and it now seems that the hasty solution hasn’t worked.

The legal story starts on 27 March 2015, when Graham Dwyer was convicted of murdering Elaine O’Hara in 2012. Much of the evidence had been gathered pursuant to Section 6(1) of the Communications (Retention of Data) Act 2011 (also here), which provides:

A member of the Garda Síochána not below the rank of chief superintendent may request a service provider to disclose to that member data retained by the service provider in accordance with section 3 where that member is satisfied that the data are required for—

(a) the prevention, detection, investigation or prosecution of a serious offence, …

That Act had been introduced to implement the Data Retention Directive (Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC (OJ 2006 L 105, 13.4.2006, p.

Read More »

It’s good to TalkTalk – Part 2: negligence claims for data breaches

| No Comments
| Data Protection, Privacy, Privacy, Tort

It's still good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In my previous post, I looked at the limits of claims for misuse of private information for both breaches in Smith. In this post, I want to look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.

2. Negligence claims in Smith

The main problem in Smith is that TalkTalk did not take steps to secure the data involved in the 2014 breach and the 2015 hack. This sounds like a failure to take reasonable care. But a negligence claim in such circumstances was not pleaded, as it was probably precluded by authority.

In Swinney v Chief Constable of Northumbria Police Force [1997] QB 464, [1996] EWCA Civ 1322 (22 March 1996), the plaintiff saw a car which had hit and killed a police officer, and provided that information to the police.…

Read More »

It’s good to TalkTalk – Part 1: misuse of private information claims for data breaches

| 6 Comments
| Data Protection, Privacy, Privacy

It's good to TalkTalk

1. Introduction

Two recent cases demonstrate two very different privacy issues arising out data breaches suffered by the telecommunications company TalkTalk in 2014 and 2015. Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) concerned claims for damages for both breaches; whilst Sterritt v Telegraph Media Group Ltd [2022] NIQB 43 (09 June 2022) concerned the privacy of one of the hackers involved in the second breach. In this post, I want to look at the limits of claims for misuse of private information for both breaches in Smith. In the next post, I will look at Smith (again) and at Sterritt, to consider the limits of a claim in negligence in such cases.


2. Smith and the 2014 TalkTalk breach: no misuse of private information

In Smith v TalkTalk Telecom Group plc [2022] EWHC 1311 (QB) (27 May 2022) (noted on Panopticon), in September 2014, TalkTalk customers began to receive scam calls purporting to be from TalkTalk, which were ultimately traced to data obtained by users of Wipro, a third party providing network services to TalkTalk. However, Wipro put no adequate controls in place to prevent unauthorised access by its users to the data supplied by TalkTalk.…

Read More »

Seán Quinn, the Streisand Effect, and improving the operation of the right to be forgotten – updated

| 5 Comments
| GDPR, Right to be Forgotten

Google search RtbF notice

I have just conducted a search on a popular search engine for “Seán Quinn”, and the above message – that Some results may have been removed under data protection law in Europe – appears at the bottom of each page of results. Over the past weekend, there was widespread media coverage of attempts by Seán Quinn to rely on the EU’s right to be forgotten to remove newspaper articles from search listings that highlighted significant aspects of his bankruptcy and of his family’s lavish pre-bankruptcy lifestyle. This attempt at reputation management backfired spectacularly on him, and stands as an example of the Streisand effect, which is:

… a phenomenon that occurs when an attempt to hide, remove, or censor information has the unintended consequence of increasing awareness of that information, often via the Internet. It is named after American singer Barbra Streisand, whose attempt to suppress the California Coastal Records Project photograph of her residence in Malibu, California, taken to document California coastal erosion, inadvertently drew greater attention to it in 2003.

On Saturday, in the Irish Independent, Shane Phelan published the following story:

Revealed: Quinn family succeeds in campaign to erase press coverage of lavish lifestyle

Google delists dozens of articles on court battles and even €100,000 wedding cake

Members of ex-billionaire Seán Quinn’s family have mounted a successful campaign to have press coverage about their past ‘forgotten’ by Google.

Read More »

Neither a pretty face nor a beautiful game — of football pitches, data protection impact assessments, artificial intelligence, facial recognition, and closed-circuit television surveillance

| No Comments
| Data Protection

CCTV at a chinese playing pitchI read this morning that, in a wide-ranging letter to Congress on racial justice reform, IBM CEO Arvind Krishna wrote that IBM will no longer offer “general purpose facial recognition or analysis software”. Of course, “general purpose” is doing a lot of work in that sentence. But let’s see where it goes. [Update]: two days later, Amazon followed with a one-year moratorium on police use of their facial recognition technology, to give Congress enough time to implement appropriate rules. Again, let’s see where this goes.[End update]

These developments reminded me of a recent local story about Dublin City Council. Not content with seeking to post freeze-frame closed-circuit television (CCTV) images of people dumping their rubbish in litter black-spots, in the hope of shaming them or others into desisting from doing so in the future, now they want CCTV cameras with facial-recognition capabilities. Nearly three months ago (in the world just before lockdown) Sean Finnan reported in the Dublin Inquirer [with added links]:

Council Installed Cameras with Facial Recognition on Football Pitch

Before the refurbishment of the football pitch at Bluebell Road in the west of the city, it was an anti-social blackspot, says Michael O’Shea, chairman of Inchicore Athletic FC.

Read More »

© cearta.ie 2024. Powered by WordPress