Ireland must be a firm data protection advocate or risk losing global trust

As one of the top locations for the tech sector, we need a clearer stance on data obligations

A case before the US Supreme Court, involving a US attempt to force Microsoft to divulge emails held in its Irish data centre, has exposed a worrying level of Irish indifference to Ireland’s wider European data protection obligations

Through a mix of adept national policy-making, an appealing location and a bit of good fortune, Ireland has a globally-envied position as one of the best international locations for the technology sector, a sector that has now become an important pillar for the national economy.

But the Government risks undermining those achievements by backing an uncertain data protection environment that could push companies to seek safer jurisdictions for managing and storing data.

A case before the US Supreme Court, involving a US attempt to force Microsoft to divulge emails held in its Irish data centre, but without using established legal channels, has exposed a worrying level of Irish indifference to the tech sector here, and to Ireland's wider European data protection obligations.

The Irish position has come to light in correspondence sent from the American Chamber of Commerce in Ireland to the Taoiseach, and seen by The Irish Times. The letter was also cc'd to the attorney general and three other Ministers, including Minister for Justice Charlie Flanagan.


The three-page letter from the 400-member organisation explains the importance of the Microsoft case to the global data sector, and the serious damage a finding against Microsoft would inflict on cloud computing and data-handling businesses.

It argues that the state needs to support lawful access using existing treaties, or the negotiation of privacy-respectful new international agreements.

"The American Chamber once again encourages the Irish Government to express its interests in this matter by filing an amicus [friend of the court] brief in the Supreme Court. It is even more important for the Irish Government to confirm, at this stage of the litigation, that data stored in Ireland is governed by Irish law," the letter states.

The Department of Justice responded to the October 27th letter a month later, curiously without copying any of the other recipients or the Taoiseach’s office. The department seems to have been the only respondent to the chamber.

International protocols

Its response hearkens back to long-held defensive positions, without addressing the key points in the chamber’s letter.

It states in part: “[A]ccess to data of the nature sought by US authorities… is vital in the combating of serious crime. While it is essential that the privacy of ordinary law-abiding citizens be protected, the same cannot apply to individuals who use modern technologies to aid their illegal activities. These individuals are a danger to society and pose a threat to the safety of our citizens.”

However, Microsoft is not refusing to produce the emails; it is, rightly, refusing to produce them outside of established international protocols (a stance backed by former minister for justice Michael McDowell in a brief supporting Microsoft during the case).

The department’s statement supposes that guilt may be determined in advance and, therefore, that data and privacy protections may be selectively applied.

When the Government was pressed on Sunday by The Irish Times to indicate whether it intended to file a supporting amicus brief – as it had in a previous hearing of the case – it responded with similar prevarication.

A spokesman noted the case was “a complex one” … “Access to such data is increasingly becoming an indispensable part of the criminal investigation process, particularly in light of the increasingly transnational nature of organised criminal gangs. Indeed it has played a crucial part in the solving of a number of cases in this jurisdiction, including murder.”

And so what? Microsoft doesn’t dispute such points, but specifically addresses whether a nation should be able to demand data held in another country – in essence, conduct a digital raid – without having to gain the permission of that country.

Wishy-washy position

The statement concludes that “it is essential that the means by which law enforcement agencies may access such data be at all times lawful and proportionate, and fundamentally respectful of the privacy of the individual.”

But again, this ignores that – whatever the position of the US – the direct grab advocated by the US government in this case violates EU legislation and guaranteed fundamental rights in Europe, and goes against EU case law, in particular as handed down by the European Court of Justice.

Europe’s Article 29 group of national data protection commissioners has specifically stated the US stance in this case is “an interference with the territorial sovereignty of an EU member state.”

Yet the Irish Government is taking the unacceptably wishy-washy position that the case is “complex” and, bizarrely, that such interference in its sovereignty is, possibly, just fine.

Where does this leave the huge, Irish-based, economically-critical sector that will be thrown into crisis if any country is able to demand data held in another country? What about Ireland’s large data centre industry? The tech companies being courted to come here? EU citizens whose data is handled by Irish-based companies, who will be relying on Ireland’s specific data protection environment and our Data Protection Commissioner to safeguard their data?

Ireland must be a firm data protection advocate or risk losing global trust – and companies and inward investment.

We urgently need leadership from the top on this issue, not more dithering. Taoiseach, please take note.