As reported in the Irish Times by Elaine Edwards on Monday, the Irish Central Statistics Office has spent the best part of the last decade attempting to get its hands on mobile telephone data from visitors to the state and Irish travellers abroad, despite being told, essentially, to please stop by the office of the Data Protection Commissioner.
Communications between the Data Protection Commissioner (DPC) and the statistics office over a period of almost nine years up to late last year reveal the statistics body wanted to compel mobile operators to transfer to it on an ongoing basis the details of phones or users roaming on the networks, as well as the dates and times of their calls.
As a result of Elaine’s tenacity in getting hold of these exchanges between the offices of the CSO and the DPC one doesn’t have to be highly adept at reading between the lines to make a stab at what the current Data Protection Commissioner might have been referring to at last month’s Data Summit.
I posted this tale from the Data Summit: the Irish Data Protection Commissioner on the State's approach to data-grab projects. pic.twitter.com/gIizTEi4vK
— Simon McGarr (@Tupp_Ed) July 18, 2017
Picture The Headlines
Why did nobody stop and think how exceptionally bad this would look? Come to Ireland, the lush green island where, for some vague reason, the statistics authority wants to track you wherever you go.
If this madcap plan had been implemented and there had subsequently been coverage of it internationally – in the media outlets where prospective visitors to Ireland get their news – it would likely have had a detrimental impact on tourist numbers. People don’t like being tracked and surveilled with no reasonable justification at any time. They are likely to be especially displeased with blanket state surveillance when they’re on their holidays.
✈ So there’s one chunk of entirely unnecessary reputational damage suffered by Tourism Brand Ireland abroad.
The Central Statistics Office relies on a large amount of public trust to do its job properly. Trust is a strange currency. Once you squander it it’s pretty difficult to get it back.
The failed Care.data project in the UK is a good example of a large data project heavily reliant on public trust which went very wrong. A notable difference between the care.data project and what the CSO has been attempting for the last number of years is that the NHS at least made efforts to inform citizens that their data was being collected. Unfortunately they did this very badly. There is no evidence that the CSO planned to do this for visitors to Ireland or Irish tourists travelling abroad. People really do get angry with this sort of approach.
✈ So there’s a potential chunk of entirely unnecessary reputational damage suffered by the CSO.
If you’re interested in what happens when a state statistics body loses public trust I recommend reading this on last year’s Australian census debacle.
Joining The Dots
It doesn’t matter how you get there if what you end up with is all the architecture of a surveillance state, neatly bundled up and ready to be used by any subsequent government for less than benign purposes. One of the main reasons we have data protection authorities and laws is to prevent this happening. In correspondence with the CSO a representative of the Data Protection Commissioner describes this project as “disproportionate”, “extraordinary”, and that should the tracking of visitors to Ireland go ahead despite all advice to the contrary the then Commissioner would be noting in his annual report that he strongly objected to it “because of the interference in the privacy rights of visitors to this country”.
That was in 2013. Despite this the CSO has persisted, is persisting and apparently plans to persist into the future.
In a press statement published simultaneously with the release of the records to The Irish Times last week, the CSO indicated it was continuing the project and was in the process of developing “an innovative technical solution” to anonymise the phone information.
This determination to ignore the advice of the data watchdog over a period of close to a decade is both baffling and concerning, especially when considered alongside other large state data projects that rumble on with next to no transparency.
Data protection consultant Daragh O’Brien posted a thread about this on Twitter, which I’ve paraphrased below in order to add in a bit of commentary and a few more links for context. My additions in italics.
- The CSO wants mobile roaming data.
- The Department of Social Protection wants your mobile number as part of the registration process for the voluntary-but-needed-if-you-want-to-do-anything Public Services Card.
- The State also wants omnibus Data Sharing legislation despite four years of being told by the Data Protection Commissioner and experts that it’s a bad idea and despite the Bara ruling.
- Here’s Daragh’s most recent submission to pre-legislative scrutiny of the Data Sharing and Governance Bill in May of this year – ‘Opening Remarks to Oireachtas Joint Committee Meeting, Daragh O’Brien’ [PDF]
- So, the State wants to know who owns your phone, be able to link that knowledge to the tax and social welfare system and potentially link that to travel.
- This will apply to all citizens and residents without any basis in legislation and without an independently conducted Privacy Impact Assessment.
- ‘Privacy Impact Assessment’ [Wikipedia]
- The state proposes exempting itself from administrative sanctions under the Draft Data Protection Bill.
- The Data Protection Commissioner has advised against this. A succession of data protection experts have advised against this. ‘Digital Rights Ireland submissions at the Justice Committee on the Data Protection Bill’, [YouTube video, 6 minutes]
- All of these things are happening in isolation and may be unconnected. But the overall impression for the state is not good.
- Transparency is essential. As is a well resourced and empowered independent Regulator who actually uses those powers against the civil service.
The story attracted quite a bit of disbelief in international data protection circles.
Beyond belief! What's the matter with this CSO? https://t.co/69eFx1Wbh4
— Ann Cavoukian (@AnnCavoukian) July 17, 2017
Say No! Irish Data Protection Commissioners have consistently advised against taking this path. https://t.co/9y1dXCjk5M
— Ann Cavoukian (@AnnCavoukian) July 17, 2017
Many levels of wrong…..
— Paul Bernal (@PaulbernalUK) July 17, 2017
From official Ireland so far, not even the sound of crickets chirping.
[Image credit: Brian Gaid on Unsplash]