Dodgy-box moves ‘must comply with data law’
The data-protection watchdog said last week that it was engaging with Sky on the company’s efforts to clamp down on the use of so-called ‘dodgy boxes’.
These are devices that are illegally used to stream content such as sport and films from television channels.
The Irish Independent last week quoted Sky Ireland’s chief executive JD Buckley as warning of “consequences” for those operating and watching illegal services, saying that the firm continued to “evolve our investigative strategies”.
Sharing of data
The chair of the Data Protection Commission (DPC) Dr Des Hogan told RTÉ that there were legitimate reasons why companies might decide that they want to take action against fraud.
"However, the use of personal data would be the question for us, and whether that has been done in an appropriate, ethical manner.
"Any sharing of personal data, or processing of that personal data outside a company, has to be done in a lawful manner under the GDPR," Dr Hogan said.
‘Social listening’
Elaine Morrissey (chair of the Law Society’s IP and Data Protection Law Committee), notes that any processing of personal data by Sky needs to comply with the GDPR and Ireland’s Data Protection Act 2018.
“This includes having a legal basis to process the data (article 6 GDPR), complying with the article 5 GDPR principles, which include lawful, fair, and transparent processing, ‘purpose limitation’, ‘data minimisation’, ‘accuracy’, and ensuring security of the data,” she states.
It has been reported that Sky may use investigators to gather information about ‘dodgy boxes’ from WhatsApp groups.
Morrissey notes that, while does not make any reference to data collected via WhatsApp groups, it does state that Sky carries out ‘social listening’ on social-media posts and forums.
She adds that the notice states that Sky uses personal data “to prevent and detect fraud and protect or enforce our or any third party’s rights” and “to prevent and detect crime”.
“There is also a reference to sharing personal data with the police or law-enforcement agencies and fraud and crime-prevention agencies,” she adds.
‘Notice updates likely’
“Any third-party engaged by Sky that processes personal data will also need to comply with the applicable data-protection obligations. Sky is responsible for its data processors,” the committee chair says.
“Subject to the outcome of Sky’s engagement with the DPC, we can likely expect to see further updates to Sky’s privacy notice,” she adds.
“While we have limited confirmed information, what is important for the public is that Sky is engaging with the DPC. Given the public commentary and interest in this topic, this is an area where people will be very conscious and protective of their data-protection rights,” says Morrissey.
“When considering compliance with the applicable legislation, consideration needs to be given as to whether civil actions are being taken, versus actions by law enforcement,” she adds.