Subscriber OnlyTechnology

Where did Sinn Féin’s nuanced understanding of data protection issues go?

Party’s history of being well informed over privacy issues makes database saga baffling

As numerous General Data Protection Regulation experts have pointed out, this database seems far from compliant with Irish or EU data laws, on numerous points. File photograph: Getty
As numerous General Data Protection Regulation experts have pointed out, this database seems far from compliant with Irish or EU data laws, on numerous points. File photograph: Getty

Ever since the start of the Sinn Féin Abú electoral database saga, I’ve watched and listened in a synchronous state of dropjaw disbelief.

What? How? Why? And again, just . . . what!

For some context, let me tell you a story.

In 2005, I was in California visiting my parents when the phone rang one day. It was a Sinn Féin politician.

READ MORE

“The government has just passed a Bill allowing data retention,” the person said. I was incredulous. “Are you sure?” The person was sure.

For years, the Irish Data Protection Commissioner (DPC) of the time had been demanding the State address a gaping legal and ethical hole, and bring in legislation to establish a legal framework that could allow communications data – for calls, faxes, and some internet usage – to be lawfully retained.

Ireland had no such legislation, meaning non-compliance with EU data protection laws. There were none of the mandated protections for this sensitive data, nor any legal structure to permit data to be accessed for investigations or for use as evidence. This meant any data obtained during an investigation might not be admissible in court, putting investigations and convictions at risk.

I knew that no formal Bill had been presented to cover such an important area of data protection, much less been subject to the full and open Dáil debate that legal experts told me was required under the Constitution, because retention impacts the data rights of the entire population.

The Sinn Féin representative told me that a last-minute amendment allowing data retention had been introduced on another Bill that evening by then minister for justice Michael McDowell, in a sparsely populated Dáil chamber. It passed. We now had data retention, by stealth.

Every aspect of this was alarming. I started working on a story, contacting the DPC, digital rights advocates, and others. I found myself in the bizarre position of having to persuade them – experts who were closely following this legal and digital rights issue – that we now had data retention.

EU challenge

Years later, this would become part of the evidence placed before the European Court of Justice in a landmark case brought by Digital Rights Ireland, challenging Ireland's and the EU's data retention framework. On April 8th, 2014, in a scathing opinion, the ECJ dramatically invalidated the EU Data Retention Directive (https://www.eff.org/node/81899) on the grounds that although some data may to be collected for reasons that included some law enforcement investigations, the directive fundamentally interfered with private life and was disproportionate in allowing for the compilation of enormous databases of personal data and effectively imposing mass surveillance on national populations.

Without that critical Sinn Féin phonecall in 2005, weeks might have passed before anyone realised what had happened with the amendment. We might never have known the context of its dubious introduction.

Sinn Féin’s most disappointing defence is its feeble riposte that ‘all the others are at it, too’. File photograph: Niall Carson/AP
Sinn Féin’s most disappointing defence is its feeble riposte that ‘all the others are at it, too’. File photograph: Niall Carson/AP

During the decades that I have been writing on data protection and privacy issues, the political party that has taken substantive, long term interest in data protection and digital rights in Ireland is Sinn Féin. Its representatives have raised concerns over many years, as Dáil records demonstrate.

And that’s why I’ve been utterly baffled at how this party could have stumbled into the current fiasco over the Abú database.

As numerous General Data Protection Regulation (GDPR) experts have pointed out, this database seems far from compliant with Irish or EU data laws, on numerous points. Yes, parties and politicians can make some limited use of information available in the electoral register, but it's another thing entirely in GDPR, data protection and privacy terms to then start collecting, recording, and adding in additional data on individuals from other sources such as doorstep comments or from social media. Profiling people – apparently without their informed consent – using political opinion data, is considered particularly sensitive under GDPR and requires additional protections.

No wonder the database has raised the concern of data protection officials here and in the UK.

For me, it’s inexplicable that a party that could get its collective head around the complexities of data retention, nonetheless created and defends the Abú database. Which could, possibly, be technically compliant. But not in a way that includes the kind of transparency Sinn Féin has often demanded of others. The slow trickle of minimal responses given by its politicians to questions about the database is also exasperating.

Sinn Féin’s most disappointing defence is its feeble riposte that “all the others are at it, too”. There’s no evidence that this is true. But even if it were, it’s a preposterous justification. Sinn Féin would be savagely shredding such an excuse had it come from any other party in a similar context, or had it been used by the government to condone national data retention back in the day.

What happened? What in the world was Sinn Féin thinking when it decided that just because something could be done, it should and would be done? Did no alarm bells ever go off? Where did its once nuanced, informed understanding of data protection issues go?