Data privacy will remain a talking point in 2015

Privacy will be a big issue in 2015. In Ireland as well as internationally, three big "Ps" are aligning around the topic, building on developments in 2014: politics, policy and populism.

That is significant, as for years data and online privacy concerns were viewed primarily as backseat issues, of relevance mostly to businesses (for their governance and reputational aspects).

But much has shifted. To the forefront has been the drip-drip of revelations from National Security Agency (NSA) whistleblower Edward Snowden that began in the summer of 2013. Because of his leaks, governments, businesses and citizens truly began to understand the scope of what was possible in large-scale surveillance and secret data access.

Those eye-opening disclosures, which have forced national leaders to open a public dialogue on privacy and surveillance with citizens, businesses and with other countries, look set to continue into 2015. Journalists familiar with Snowden’s hoard of documents said last year that much earth-shaking information had yet to be revealed. If that is true, those leaks will influence the twists and turns of key political and policy decisions in 2015.

To the forefront for Europe and Ireland are ongoing discussions on two major pieces of legislation. The first is the former EU Data Retention Directive, on which most European countries, including Ireland, have based laws requiring that a vast swathe of citizen and business communications data be retained for varying periods of time.

In 2014, that directive was thrown out by the European Court of Justice (ECJ), following the referral of a case brought by privacy advocates Digital Rights Ireland (DRI), that questioned the legality of Ireland’s data retention law. The ECJ ruled the entire EU directive was grossly invasive on privacy and human rights grounds.

The ruling creates a limbo that must be addressed, as the scrapping of the directive means uncertainty for investigations and court cases. Law enforcement needs clear provision to gather data, albeit for shorter periods, with firm oversight.

Presumably, that means a new retention directive in 2015, or fresh legislation in Ireland. Meanwhile, the DRI case that prompted the European court’s decision is ongoing and comes back to the High Court here, so action could be forced more quickly on the Government.

Legislative juggernaut

Ireland also has a connection to another EU legislative juggernaut, a new data protection regulation proposed by former commissioner Viviane Reding, which began a long process of consideration under the last Irish EU presidency. The intention of the regulation is to remove the multiple and varied EU jurisdictions for data protection law, which make business difficult.

But Reding’s intention was even broader – to greatly strengthen data protection for European citizens by imposing significant penalties on companies for data breaches; to allow for easier data portability between, say, social media sites; and, most controversially, to enact a “right to be forgotten” that would allow people to have personal data removed from databases, including social media and search engines as well as company databases.

Ardent argument

That’s thrown the proposed regulation into the centre of ardent argument and international lobbying. It had seemed likely that many of these controversial elements would be removed, but then along came Snowden, highlighting exactly why citizens might want more protections and personal control over data.

The regulation will be the subject of further debate this year. Whatever version wins out could come into law at the very tail end of 2015, unless it is bounced into the early part of 2016. But it is coming.

Ireland also has a connection to another key international piece of privacy politics and policy – the forthcoming ruling on Microsoft’s US court case appealing the direct demand to the company by another US court for emails held on the company’s Irish data centre servers.

Many of the technology industry's heavyweight companies have rowed in to support Microsoft – as has the Government, in a rare legal move – because the principle at stake is enormous.

If the appeals court agrees with the original demand, the nascent cloud computing industry will be dealt a serious blow. That effectively means ecommerce in its broadest sense, because theoretically companies will be unable to block national governments and courts from demanding data. In other words, no company could say any longer that client data is truly kept private, raising the spectre of widescale surveillance as well as easy industrial espionage by governments.

Microsoft has highlighted that existing treaties between the US and Ireland enable courts and law enforcement to seek data lawfully, with due respect to national and international laws. The case will be closely watched internationally.

Finally, 2015 may be the year in which data privacy becomes a popular, populist issue for Irish citizens, thanks to troubled Irish Water’s demands last year for citizens to disclose PPS numbers.

That requirement seems to have crystallised some complex abstract privacy concerns. People understand that their PPS number is the door into highly sensitive personal data. A general rebellion against Irish Water over this demand seems to be prompting wider discussion on how PPS numbers are used across departments and agencies, who should have access to to them, and why.

All of which is good. Privacy advocates struggle at times to make such important issues tangible to citizens and governments. More discussion leads to more informed decision-making, to the benefit of democracy.