Tuesday, 18 February 2014
I thank the Minister of State for coming to the House. I am concerned over the personal data from individuals, who are using leaky smartphone apps, which can be gathered and used for surveillance or sold on for commercial reasons. It is becoming quite serious. I believe there has to be surveillance of some sort from a security point of view in the fight against terrorism. However, do we need to go as far as apps such as Angry Birds requesting the user's location and unique device code? This app has been downloaded more than 1 billion times. Candy Crush Saga, which is the most popular game on Facebook, Google Plus and Google Maps all ask for locations and individuals' private information which has nothing to do with the mobile phone app.
This came to light recently through documents acquired by Edward Snowden, who has hit the headlines in the past 12 months. It suggests that information from these apps is being gathered. The US Government targeting of leaky apps was disclosed in documents published by The New York Times, The Guardian and ProPublica. There have been discussions at EU level and I have raised the issue previously. It is important that people should be aware of the potential risk from using these apps. I agree that individuals must put the correct structures in place to prevent their personal information from getting into the public domain.
There is a data protection issue if information is being leaked and sold on for commercial gain. Some 25% of social networking apps request an e-mail address, 92% ask for the user's address book and 84% inquire about physical locations. The Minister for Justice and Equality has responded to me in the past 12 months on the issue and it is a matter that needs to be kept to the fore. I know the European Parliament is expected to adopt proposals in April. However, I wish to hear the Government's approach to this and how we are moving to protect personal data.
That is the entire group. They are more than welcome. I am very fond of any organisation that organises women.
I am standing in for my colleague the Minister for Justice and Equality who is unavailable at present. The reply is fairly lengthy, as one would expect from the Department of Justice and Equality.
I thank Senator Clune for raising this important issue. It is important to all of us that our personal data, including personal data on our smartphones, are safe and secure and that we do not feel that the use of apps will lead to misuse of our data, including misuse for purposes we might never have envisaged when we decided to use a particular app.
Communication networks and information systems have become an essential component of both our economic systems and social life. All of us here today have witnessed an information technology revolution in our lifetimes and the pace of change shows no sign of slackening. The development of smartphone technology and the widespread use of such phones is a good illustration of this phenomenon.
Specific safeguards for the protection of personal data are in place at European Union level. I take this opportunity to briefly set out the background. The centrepiece of existing EU legislation on personal data protection is Directive 95/46/EC which seeks to reconcile the protection of personal data with the free flow of such data within the Internal Market and to countries outside the EU. It has been transposed into Irish law in the Data Protection (Amendment) Act 2003 which supplements the Data Protection Act 1988.
This legislation requires all those handling personal data to take appropriate security measures against unauthorised access to, or unauthorised alteration or disclosure of, the data, in particular where processing operations involve the transmission of such data over a network. In determining what is appropriate in any particular case, account must be taken of the risk of harm that might result from security breaches and the state of technological development and costs of implementation. These security measures also apply where data are transferred to a destination outside the European Union.
The Data Protection Commissioner, who is independent in the performance of his duties, deals with complaints about companies and organisations established in this jurisdiction where there are allegations that they may not be meeting these security requirements. The commissioner has extensive investigative and enforcement powers, including the power to take summary proceedings for offences under the Act. The commissioner also carries out audits of organisations, which include an assessment of data security systems.
The 1995 directive has been supplemented by other more specific legislative measures, such as the e-privacy directive which applies to providers of publicly available electronic communications services, namely, telecom providers and ISPs. This directive requires such companies to take appropriate measures to safeguard security of their services and to protect the confidentiality of communications and related traffic data.
It is generally recognised that the 1995 data protection directive's standards need to be updated to take account of more recent developments such as increased usage of mobile phones, cloud computing, social networking and increasing globalisation of data transfers. In January 2012, the European Commission tabled proposals for a reform of the current data protection framework and these proposals are currently being discussed at EU level, as the Senator mentioned. The proposed regulation's enhanced data protection standards will, when agreed, apply directly in all member states without the need for transposing national legislation.
In addition to the responsibilities of those who develop and supply apps to incorporate appropriate security measures to secure data transmitted between the app and end-user, many basic steps are available to those who choose to download and use apps, including limiting the amount of data stored on the smartphone to which apps are given automatic access. Users should be also vigilant in terms of the security of the Wi-Fi networks to which they connect.
We cannot ignore the important fact that there is a recognised need to protect our citizens from terrorist threats and dealing with this requires access to certain data. However, in doing so it is necessary to ensure that the information is lawfully obtained and subject to appropriate safeguards. Any security surveillance undertaken must be balanced and appropriate. Moreover, it must take account of individual rights to privacy and ensure the respect for human rights contained in the European Convention on Human rights. For these reasons we have in place statutory provisions with judicial oversight governing police surveillance and access to these data.
I fully agree with the Minister of State in respect of the last point she made. Had she not, I would have made the point that it is important for security reasons to protect against terrorism threats. We have surveillance but it must be controlled. I also agree with the Minister of State that there is a sense of personal responsibility in all of this in terms of using free Wi-Fi and so on.
The Minister of State said there are regulations to be put in place. The obvious question is the timeframe. When will we see it? The legislation referred to by the Minister of State originally was the Data Protection (Amendment) Act 2003. Apps have only been around for the past ten years and therefore things are moving at a faster pace and they always will be. Legislators and regulators must be seen to be chasing fast on the heels.
I suppose it is unfortunate that we are considering this legislation now given the run-in to the European elections. I imagine we will see it a good deal sooner than expected as soon as that is out of the way. We should bear in mind the revolution that has taken place. I remember one election where I had a mobile telephone and I almost had to hire someone to carry it around. Nowadays, we have apps which look after our health and our banking and which control the heating and surveillance of homes and so on.