In October 2017, the Government published the General Scheme of the Communications (Retention of Data) Bill 2017 (the Bill). The draft Bill was published in response to Chief Justice Murray’s Report, which reviewed the law concerning the retention of and access to communications data held by communications service providers, and to recent decisions of the EU Court of Justice (CJEU) in the Digital Rights Ireland and Tele2 cases. Having engaged with stakeholders to hear their views on the draft Bill, the Oireachtas Joint Committee on Justice and Equality has now published its Report on pre-legislative scrutiny of the Bill.
Data Retention law in Ireland – A recap
Ireland implemented the Data Retention Directive 2006/24/EC (the Directive) by means of the Communications (Retention of Data) Act 2011 (the 2011 Act). The Directive requires communications service providers (defined as “a person engaged in the provision of a publicly available electronic communications service or public communications network by means of fixed line or mobile telephones or the internet”) to retain metadata relating to everyone’s telephone calls, text messages, e-mails and communications on the Internet, for 6 to 24 months. Metadata includes traffic, location and subscriber data, but not the content of communications. The purpose of such retention is to ensure the data are available for designated authorities, such as the police and security services, for the prevention, investigation, detection and prosecution of serious crime. In April 2014, in the Digital Rights Ireland case, the CJEU declared the Directive invalid on the basis that: the requirement for service providers to retain all communications data, even of persons not suspected of involvement in serious crime, was disproportionate; the Directive failed to set objective criteria determining how and when national authorities could access and use retained data; the Directive failed to protect individuals’ rights by means of procedural safeguards such as prior review of access requests of designated authorities by a court; and the Directive failed to stipulate that communications data be retained within the EU. Despite the CJEU declaring the Directive to be invalid, the State’s data retention regime has continued to operate under the 2011 Act.
In December 2016, in the Tele2 case, the CJEU ruled that EU law prohibited general and indiscriminate retention of traffic and location data, and that procedural safeguards, such as prior review by an independent body (for example, a court) of access requests made by designated authorities, were essential. The Murray Report, published in October 2017, further criticised many aspects of the 2011 Act, including: the lack of independent vetting and authorisation of access requests made by designated authorities; the lack of coherence (“legislative scatter”) in the statutory rules governing the retention and disclosure of data; failure of the Act to set out clear objective criteria governing data retention and disclosure; absence of clear procedures and protocols to be followed by authorities given access to retained data; failure to provide for notification of persons whose data is disclosed; a lack of remedies for wrongful access to retained data; and a failure to require communications service providers to keep data within the EU.
The Draft Bill
The General Scheme of the Communications (Retention of Data) Bill 2017 provides for:
- the repeal of the 2011 Act;
- the continuation of the 2011 Act definition of “service provider”;
- the exclusion from retention of the contents of communications, such as recordings of voice calls or the text and image contents of emails or websites;
- the designation of An Garda Síochána, the Defence Forces, the Revenue Commissioners, the Garda Síochána Ombudsman Commission (GSOC) and the Competition and Consumer Protection Commission (CCPC) as the statutory agencies having authority to request access to retained data;
- the retention by service providers of information that identifies subscribers for 12 months, and access to it by designated officers of the statutory agencies in connection with specific serious offences;
- traffic and location data to be retained only by order of the Minister for Justice and Equality on foot of an application by the head of one of the statutory agencies;
- access by designated officers to traffic and location data to be conditional on an order of an authorising judge, and to be restricted to purposes relating to certain serious offences;
- access without a judge’s order to be permitted only in cases of urgency;
- service providers to keep retained data securely in the EU, and all retained data to be destroyed when proceedings or investigations conclude;
- criminal penalties for service providers that fail to comply with obligations;
- periodic review of the Act’s operation by a designated judge;
- reports of the designated judge and of the statutory authorities to be laid before the Oireachtas; and
- persons who are the subject of or are affected by a disclosure to be notified of that fact, and to have access to the complaints procedure under the Interception of Postal Packets and Communications Messages (Regulation) Act 1993.
The Committee has made a number of recommendations, which it hopes will inform the drafting of the final Bill, to ensure that the State’s data retention legislation is fully compliant with EU law. The Committee’s recommendations include:
1) Journalists and their sources: The Committee recommends, per the Murray Report, that it should be made explicit that retaining or accessing data in order to identify journalists’ sources should be permitted only where prior judicial authorisation has been secured and there is an overriding requirement in the public interest. In principle, access should be permitted only when the journalist (and not somebody else) is the object of investigation for suspected commission of a serious criminal offence or for unlawful activity which poses a serious threat to the security of the State.
2) Rights to notification: Persons whose retained data is disclosed should be notified of the fact once doing so is unlikely to prejudice an investigation.
3) Judicial remedy: The Committee recommends, per the Murray Report, that persons whose rights have been affected by access to retained data should have an appropriate judicial remedy, expressly provided for in legislation.
4) Independent monitoring authority: The Committee believes that the current system, retained in the General Scheme, of oversight by a designated judge of the High Court, is not a sufficiently robust protection against the potential for excessive surveillance. The Committee recommends therefore the establishment of an independent authority, chaired by a senior judge. This body should be fully accountable to the Houses of the Oireachtas and furnish periodic detailed reports on its activities; and it should be provided with the necessary resources and technical expertise to perform its functions.
5) Test to be applied for retaining data: The Committee recommends that a Ministerial Order for data retention should only be made where ‘strictly necessary’. A time limit of no more than three months should also be set for the retention of such data.
6) Targeted data retention: The Committee believes that in order for the proposed legislation to be fully compliant with EU law, it must limit and clearly set out the circumstances in which data can be retained. In line with the Tele2 ruling, a Ministerial Order for data retention must be targeted. There must be an established connection between the data to be retained and the objective pursued.
7) Access to third party data: Heads 8 and 9 of the General Scheme are overly permissive in permitting access to data of entirely unconnected third parties if “likely to assist in the prevention, detection, investigation or prosecution of that offence.” The Committee recommends that this be restricted, as per the Tele2 ruling, so that a person whose information is demanded must be in some way implicated in the crime before access to his or her data can be granted.
8) Precise definitions of data: The definition of “traffic and location data” in Head 1 of the General Scheme is potentially very broad in its scope. It should be amended to ensure that the legislation cannot be used to require the logging of information about web browsing or other information which tends to reveal the content of communications. The precise categories of data that can be retained should be explicitly set out in the legislation.
9) Compensation: The Committee believes that the current power under the 2011 Act of the Complaints Referee to award compensation to individuals whose data has been accessed in contravention of the legislation should be retained.
10) Retrospective authorisation: An urgency exception should only be provided for where accompanied by a requirement that the authority seeking disclosure must subsequently provide objective evidence of the need for urgent and immediate access without prior authorisation, and must submit, as soon as possible thereafter, an application to the independent body or designated judge for retrospective authorisation.
The Bill is listed as “priority legislation for publication” in the Government’s legislative programme for Spring/Summer 2018. We will post further updates on the progress of the Bill in due course.