The Gist: The Sandcastle Files

The Irish police are opening files on innocent people and their kids, unrelated to any crime, without a legal basis. This is the Gist.

This week, I was on RTÉ's Morning Ireland, beaming in from the end of my couch through my outsized Elvis microphone.

I was willing to approximate expertise at 7.20am in order to explain why the Gardaí have no legal basis for opening files on people unconnected with any crime, and keeping family photos of their children playing on the beach. (For some, cornflakes. For me, this.)

If you are like me, you will not previously have been aware that the Irish police considered it part of their job to build "reference and intelligence" files made up of personal details and copies of 100% non-suspicious and everyday family photos of kids on beaches building sandcastles, or at ballet recitals.

But, earlier this week, RTÉ broke the story that this was exactly what had been happening for years. An algorithm in the US had sent these pictures to the Irish police, to check if they were images of child sex abuse, having intercepted them from messages sent through big tech platforms like Gmail and Facebook.

About 400-500 people a year were checked in this manner and the Gardaí confirmed their images were completely innocent: what's known in the business as a False Positive.

All of which is fine. What was problematic (and unlawful) was what the Irish police did with those images then. They don't just bin them. They carefully open a file on the people who sent and received them, and keep the copies of the children doing their everyday tree-climbing or paddling etc.

Asked to explain this Extreme Scrapbooking, the police themselves couldn’t cite any applicable legal basis.

Having recited a series of legal powers which applied to the investigation of crime (which these pictures were not part of), they could only say they had a ‘rationale’ for keeping these permanent files.

In cases where no criminal offences identified following a review of material referred to An Garda Síochána for investigation, no crime incident records are created. This means that there is no impact on any person referenced in the data - and no references to them as suspects or victims.

However, there is a rationale for the continued segregated retention of the original referral data, including:

* quality assurance and accountability for the actions taken and decisions made in respect of the referral;
* Reference and intelligence material in respect of future investigations in the event that additional information concerning the data subjects (potential witnesses, suspects and victims) included in the referral; and,
* Compliance with the provisions of other legislation to which An Garda Síochána is subject, including but not limited to the provisions of the National Archives Act 1986.

Section 71(5) of the Data Protection Act 2018, provides for further processing of data, received for law enforcement purposes, for a separate law enforcement purpose by the receiving controller or a separate data controller provided that data controller is a competent authority for law enforcement, and the processing is necessary and proportionate for the purpose of the further processing

The Garda statement suggests they might have three uses for keeping a file of these snapshots of ordinary life: building sandcastles on the beach, and so on.

They also mention Section 71(5) of the Data Protection Act. We’ll get to just how misconceived that is in a moment.

Firstly, we have the suggestion that our police force are holding these holiday pics, forever, for “quality assurance and accountability…of investigating members”.

I’m afraid that is a question of internal management and discipline. Checking police work ought to happen before the investigation ends. If An Garda Síochána aren't confident in their process to decide between child sex abuse imagery and holiday snaps, they have a more serious operational problem than just data protection on their hands.

Next, and most seriously, we have the explicit proposal that the police should keep files on members of the public and their families, who are unconnected with any criminal investigation as “intelligence material”.

We have actually seen this impulse before, in other jurisdictions. The EU, having seen where this impulse led in former Soviet Eastern member states, enshrined data protection as a fundamental right in the EU Charter.

For the full intelligence material files experience, you can visit the Stasi Records Archive online, or in person in Berlin.

Finally, in their third bullet point they close their eyes, say a Hail Mary and cite some unspecified law that neither they nor we know at the moment, and also The National Archives Act.

Let’s leave the Tomb of The Unknown Legislation undisturbed and take a moment of silence, out of respect.

As for the National Archives Act, the Gardaí seem to suggest that
(a) a national law could compel indefinite retention of everything, over-ruling EU law so that
(b) some time in the future people’s holiday snaps of their children would be deposited with the National Archives.

Uh... really?

(Section 2(2) of the National Archives Act defines what are "Departmental Records", to which the act applies. It says that they have to be records "made or received, and held in the course of its business".

Once the police know there is no crime connected to these wholesome family memories, there is no reason to hold them in the course of its business and the National Archives Act doesn't apply.)

Now, let’s come back to that final confident assertion of the powers to hold data granted by S71(5) of the Data Protection Act 2018.

This is part of Ireland's transposition of the Law Enforcement Directive (LED), which is the separate data protection regime covering law enforcement actions.

It makes sense that Law Enforcement actions would need a different set of rules from the GDPR. You couldn’t have suspects able to write in and ask for their files, for example.

The police statement also helpfully quotes when the LED applies.

Law-enforcement purposes is defined under section 70 1A of the Data Protection Act 2018, as processing for the purposes of the prevention, detection, investigation or prosecution of criminal offences, including the safeguarding against, and the prevention of, threats to public safety, or the execution of criminal penalties.

Once it’s confirmed photographs are harmless and no crime occurred, the LED doesn’t apply.

So citing it here is a misleading non sequitur. The Law Enforcement Directive applies to law enforcement actions tied to actual crimes. It does not apply generally to any action taken by a law enforcement body.

Once these images and the data around them are confirmed to be false positives, they are covered by the plain old GDPR, not the LED, because there isn't a crime to investigate, prevent or detect.

And so the special LED-only powers granted under Section 71(5), which the Garda statement ends with, simply don’t apply at all.

Now, if data is being stored or otherwise processed without a legal basis, then that is a breach of the GDPR rights of all the people whose data is being processed, be they children, parents or proud Grannies who wanted to show off the pictures of their kids doing ballet.

Amongst other remedies, An Garda Síochána are obliged to assess whether the infringement meets the threshold of seriousness that requires them to notify all the people whose data rights were breached.

The Irish Council for Civil Liberties have written to the Data Protection Commission, seeking an investigation of these thousands of police files of family photos. It remains to be seen if our regulator feels like doing its job, this time at least.

Radio interview: https://www.rte.ie/radio/radio1/clips/22161088/

First RTÉ story: https://www.rte.ie/news/ireland/2022/1020/1330252-garda-data/

Follow up RTÉ story: https://www.rte.ie/news/ireland/2022/1019/1330023-garda-data/