Data Retention Ireland

The Minister for Justice in Ireland published the Communications (Retention of Data) Bill last week: it was made available on the Oireachtas website (and brought to my attention by the ever-helpful Darius Whelan), although curiously, some reputable (and normally reliable) newspapers wrote on Monday morning about the legislation being due to be published! It will presumably be debated in the Oireachtas (parliament) when its honourable members return after the summer. Data retention legislation requires service providers to keep certain types of data on the activities of their subscribers and users, and to disclose it to relevant authorities on request. I hope that this post is of interest to Irish and non-Irish audiences, though, as the issues are arising in many jurisdictions, whether through the EU’s data retention directive of 2006 or independently. I also point to this extremely helpful status report on transposition as of January 2009: it shows very clearly that many states have included both judicial authorisation and cost recovery, which are absent from the Irish proposals.

The publication of the Bill isn’t a major surprise. A draft had been leaked, and of course this is but the Irish implementation of the 2006 Directive – so we cannot blame the Irish government alone for bringing forward these proposals. The underlying Directive remains an unconvincing one. I am not opposed to all attempts to use new forms of communication in conjunction with crime prevention, detection and prosecution. Nor am I unsympathetic to the way that some in law enforcement will feel that they are falling behind those whom they pursue in terms of the use of technology. But data retention carries with it a financial burden, an administrative nightmare and, most importantly, a shift in the balance between the citizen and the state that may be presumed to be irreversible: surveillance powers, once granted, are rarely rolled back. These are broad powers, requiring retention of everyone’s data even if those having data disclosed are a subset of this (rather than the alternative of notifying a service provider to retain data on a given subject for a limited, specific purpose). As is so often the case, specific information from law enforcement on the problems with existing legislation has not been forthcoming, and public statements focus on the most extreme of cases (the Irish Minister for Justice gave us international terrorism and child pornography in his public comments today). Anyway, to ten questions that occur to me after giving the Bill some consideration. (Edit: Ronan Lupton has responded to the questions with some very useful points, including his knowledge of how the Bill is less extensive than the versions previously proposed – a fair point, but read his full comments here).

(1) We are reassured that the legislation, as with the Directive, doesn’t apply to ‘content’, but getting information on who you are communicating with and (particularly in the case of mobile telephony) where you have been over the course of two years is more than trivial – it is a very intrusive way of finding out what a person (unconvicted of any crime) has been doing in their private life. How is this acceptable?

(2) The proposals follow in the disreputable tradition of sidelining the judicial branch – making the powers in essence a general authority for digital search and surveillance operations without a warrant. Nothing in EU law requires that the powers of accessing data be exercisable by senior Gardai (not to mention principal officers in the Revenue Commissioners, a new addition to the Bill that was not part of the earlier draft) – although it does appear tighter than the UK version, which appears to let anyone with a tabard or a lanyard make a request. There are some safeguards supposedly in place (annual statistical reporting, a judge with the job of monitoring the system), but we’ve seen that they are quite weak: see for example TJ McIntyre’s recent discussion of the current judicial ‘oversight’ of phone intercept and data retention legislation. Furthermore, the officer authorising the access to data merely has to be satisfied that it is required for preventing, detecting, investigating or prosecuting a serious offence – which, for example, carries no need for reasonable suspicion of criminal behaviour on the part of the person whose data is being disclosed. It’s a dragnet-style provision that gives powers to police, Army and revenue officials and enables them to carry out large-scale investigations without any disclosure of such to the affected individuals nor any effective right of appeal or transparency. Why could this system not be restricted to cases approved by an independent judge after specific evidence of necessity is presented by the requesting officer?

(3) Data retention remains doubtful in terms of fundamental rights compliance: in the ECHR, S & Marper v UK questions mass monitoring of the unconvicted, Copland v UK reiterates that traffic data is covered by Article 8 (as I argue here); the German courts are considering various challenges (summarised by Digital Rights Ireland: 1 | 2), and DRI itself is engaged in a challenge to the Directive. The prior case brought by Ireland against the Directive related purely to legal basis and did not address fundamental rights at any stage. Does this legislation comply with the high standards of the protection of fundamental rights that Ireland aspires to meet?

(4) Under the Directive, retention is required for between six months and two years. The UK provisions (SI 2009/859) require a standard 12 month period. The Irish proposals would require it for a year for Internet and two years for telephone. Supporters of the legislation are spinning this as a reduction from the existing (and supposedly stopgap) three year period under 2005 legislation, conveniently neglecting the requirement under EU law to reduce it to a maximum of 2 years in any event. Why is a 2-year period necessary, particularly where other implementing States are able to adopt shorter periods?

(5) No information is provided in the Bill, explanatory memorandum or press release on who will bear the costs of retention. Compare this with, for example, the UK regulations which at least empower the Home Secretary to reimburse ‘any expenses incurred’ (which are well into the millions) in complying with the regulations. Bear in mind, too, that while some providers will keep billing data for obvious reasons, this is not the case for all providers. Who will pick up the bill and why has it not been ‘costed’ in a published impact assessment?

(6) The Bill applies without more to all providers of publicly available electronic communications networks and publicly available electronic communications services. These are wide (and imprecise) definitions that, given that specific statutory obligations are created (‘a service provider shall retain’), cause doubt for many (webmail? webmail-like? open wifi? voice IM?). This will cause panic and confusion across the sector and will have seriously damaging consequences for Ireland’s ability to promote itself as a destination for high-tech industries. Compare with s 10 of the UK regulations, which provide that the obligation is only activated when the Home Secretary notifies the provider (although the Secretary does have a statutory duty to notify all relevant providers!). Why does the Government wish to create new duties without precision on who the duties will affect?

(7) There is a ‘redundancy’ provision in the UK regulations (again s 10), which states that the Home Secretary doesn’t have to notify providers where the data is retained by another provider. Presumably, this protects downstream ISPs and similarly situated others. There is no such provision in the Irish legislation and the clear terms would require the same data to be collected at multiple locations. Why are the supporters of data retention so generous with the time, money and effort of others?

(8) The detailed instructions (Sch 2, Part 1, 5(d)) require retention of the date, time and (cell ID) location of the activation of a ‘pre-paid anonymous (mobile telephony) service’. Is this the end of pay-as-you-go anonymity through the back door?

(9) The definition of ‘serious offences’ is broad (although it is an improvement on the draft, which would have allowed the powers to be used for any offence with a 12-month sentence attached to it). Any offence carrying a five-year sentence along with selected other offences (from poisoning to the false reporting of child abuse) count. How were these offences selected and what is the basis for their inclusion?

(10) The complaints procedure under s 10 of the Irish bill is bizarre – you can find out if a disclosure request has been made about you by making a request (if you believe that your data has been disclosed!!), but you will only be told if it has been made if it turns out that the rules have been contravened. Translation: meaningless. And there’s a broad barring of legal action other than the required constitutional right of action. And ‘a decision of the (referee who deals with complaints) … is final’. And evidence obtained in violation of the statute is not automatically excluded, as it should be. Given the argument that those with nothing to fear have nothing to hide, why does the Government fear challenges so much as to bar them?

Read more, from Cearta (Dr. Eoin O’Dell, who also spoke on the subject on RTE news), and of course Digital Rights Ireland. I’m sure there will be more.

7 comments

  1. Ronan says:

    Daithi – I am lobbying on this for almost 8 years now. I of course get the various incompatibilities and know the cases and law you cite in relation to same.

    In some way, this Directive has been problematic in other EU states, e.g., Italy and Germany, in re. Constitutional and Civil Law compatibility.

    I put some quick answers in below:

    How is this acceptable? EU legislation which has been knocking about since 9/11 forced on by Madrid bombings etc.

    Why could this system not be restricted to cases approved by an independent judge after specific evidence of necessity is presented by the requesting officer? Too slow.

    Does this legislation comply with the high standards of the protection of fundamental rights that Ireland aspires to meet? Does Ireland really aspire?! I am not convinced. The 2003 ECHR Act requires judicial notice, nothing more.

    Why is a 2-year period necessary, particularly where other implementing States are able to adopt shorter periods? That is the upper max allowed in the Directive. Note: Ireland used to have six year retention. Telco traffic retention is now 3 years. So there is a net reduction.

    Who will pick up the bill and why has it not been ‘costed’ in a published impact assessment? Indeed, and there was a weak RIA. TIF and ALTO tried to do this, but it’s almost impossible to assess the costs. The UK regime is costed and has been put forward as a good model to stop the police and other allowed organs of state from sending over frivolous data requests to telcos, and to allow same to recover some cost.

    Why does the Government wish to create new duties without precision on who the duties will affect? I tend to agree, but in general terms the duties are wholly on telcos and ISPs.

    Why are the supporters of data retention so generous with the time, money and effort of others? Not sure what you mean as this was EU legislation. I’m yet to find an overt supporter, but then again in the context of a bombing or terror attack a proportionality argument must stand and indeed be made.

    Is this the end of pay-as-you-go anonymity through the back door? Probably.

    How were these offences selected and what is the basis for their inclusion? – Let me tell you that this was 6 months and included regulatory offences in advance of Minister Ryan’s intervention. I am also interested to point out that this was to come in via SI and was moved to a Bill due to various AG considerations. This was a major one, and frankly may exclude or inhibit phone harassment prosecution under the NFOAPA 1997, S 10 is a 12 month toll summarily, 7 years on indictment.

    Given the argument that those with nothing to fear have nothing to hide, why does the Government fear challenges so much as to bar them? The government listened to some degree.

    Just some of my quick and dirty replies.

    Ronan

  2. Oisín says:

    Thanks for the summary Daithí! Three other “quick” points that occurred to me reading this bill and re-reading this directive.

    1. Although it’s very old-hat at this point, the legal basis under which the directive was adopted (now, according to the ECJ, appropriately) is really worrying and calls for more concern. Article 95EC was purportedly designed to deal with barriers to trade emerging from things like different national health standards, by harmonizing the relevant law. However, it now seems that it can be used for what is primarily a law enforcement purpose, where that purpose leads to some cost being imposed on a commercial undertaking.

    Essentially, the Commission’s reasoning was that where one or more member states are ‘likely’ to adopt an illiberal measure, and that measure imposes an economic cost, the same measure can be imposed on the rest of the EU (without the protection of national vetoes as Article 95 works on QMV) under Article 95. This is quite a worrying development, particularly where you bear in mind that EU law has to be applied, even if it is inconsistent with national human rights guarantees.

    2. A related issue, in light of German developments, is what is going to happen if the Directive is declared to be in breach of the ECHR. This would put all member states in technical default of their ECHR obligations (as this being an EU law measure is no defence here) and, if Lisbon is ever passed, would put the EU in breach of the ECHR too. This could be an interesting one to watch.

    3. S5 of the Bill setting out when an ISP/telco is allowed to ‘access’ the data is poorly drafted and unclear, and this gives rise to two major problems.

    First, the bill prevents the ISP/telco from accessing the data set out in Schedule 2 (i.e. all the various categories of retained data) unless the conditions in the bill are met. However, it imposes no time limit on this restriction. Thus, it would seem that if an ISP/telco was to offer services such as listing the numbers called on a phone bill (a not uncommon practice), they would be ‘accessing’ the relevant data and would be in breach of the act.

    Second, the exceptions to the ‘no access’ rule (consent, court order, DPC permission) are also vague. Could a telco/ISP be obliged to hand over the relevant data using one of these channels instead of going through this disclosure request approach set out in s6? Much of this retained data would be ‘personal’ data under the Data Protection Acts so a person may be able to insist on seeing it. However, if this section is read as allowing the retained data to be accessed (for law enforcement purposes) at the discretion of the DPC (with no guiding principles) this is going to cause no end of administrative law problems, and essentially circumvents most of the Bill. Moreover, it’s worth considering how this massive store of retained data is going to play out in civil litigation, if it can become a target of a discovery order. I’m not up on my Irish civil procedure, but if you could get this retained data handed over in civil proceedings it could be a vitally useful weapon in commercial proceedings (a record of every communication into and out of your opponent’s business!) or family law proceedings (where online browsing habits could become a factor).

  3. [...] MacSithigh has put together a summary of problems with the Bill – cross posted here with his [...]

  4. Ronan: Ireland never had six years of mandated data retention. Phone companies were *illegally* retaining data which should only have been held for 6 *months* under EU data protection legislation at that time. I discovered this, wrote about it, and the data protection commissioner then demanded they comply and also noted gardai had no legal right to data in absence of any legislation or access framework. A ‘reduction’ to three years was actually an increase from 6 months to three years! Lowering that to two — the EU limit for call data — is not a net reduction reflecting thoughtful lawmaking. It is grabbing as much as possible under the circumstances.

  5. Ronan says:

    Karlin:

    What is said above was:

    “… Note: Ireland used to have six year retention. Telco traffic retention is now 3 years. So there is a net reduction.”

    I never once said it was properly legally mandated or mandated at all.

    While there is an incompatibility with DP Regulations there is a method of working which has been within the temporal limits I suggest: 6 years, 3 years and now 2 years (Legally or not).

    As you well know it was retained at 3 years in the 2005 CJ (Counter Terrorism) Act, now reduced to 2 years under DRED.

    I accept but with reservation, the practical application of 6 month retention.

    Have you looked into the EU Privacy and ECommerce Directive at all? It makes interesting reading when linked to the DP Directives in the main. For example offering wide Traffic Data exemptions etc.

    Oisin – Interesting points. I guess SI 93 of 2009 might be of relevance in addition to Dome Telecom v eircom! It is wider than we would have liked.

    Ronan

  6. [...] Irish ISPs / telecommunications providers have been in negotiations for some time now as to how the Data Retention Bill will be applied once passed. The first draft of an agreement between them was leaked in September [...]

  7. […] of the most-read posts on this site is a 2009 set of ten questions about data retention legislation in Ireland. It was written with a mixture of anger and detail. Today’s post contains neither. […]
