Ireland's Parliament 'approves' communications data retention
In an effort to reconcile its policy laundering tendencies with the lack of a national law on retention, the Government has succeeded in quietly implementing data retention into its Criminal Justice (Terrorist Offences) bill (now an Act).
This Bill itself was first introduced in December 2002, and made slow progress. It was introduced to the Seanad in February 2005, and in Committee stage, retention was introduced. The bill was passed shortly aftewards.
The amendments call for data retention at all fixed line and mobile phone service providers for 3 years.
The purpose behind the amendments was to, according to the Minister for Justice, Malcolm McDowell, "give a solid basis in Irish law to the retention of communication data and to protect people in a way that is not done at the moment." He argued that this information "is an essential aid .. in the fight against crime and in combating terrorism and, ... the protection and security of the State."
The Minister argued that this information is generated by phone companies for charging purposes.
Although there are laws that permit access to this information by law enforcement agencies, there was previously no legal requirement to retain it.
In April 2002, the Minister for Public Enterprise issued directions at the request of the Minister of Justice to oblige service providers to retain data for at least three years. The Government argued that this was a necessary temporary bridging of the gap between the transposition of the EU Directive on privacy and electronic communications into Irish law. This is misleading because the 2002 Directive did not require data retention.
The transposition into law was approved in March 2002, and providers were not required to retain the data for the full three years. The legislation was never published, however, as they were subject to a "gagging order" requiring that the service providers not disclose the fact of the directions were made. Eventually the details were leaked, and the documentation accessed under the Freedom of Information.
In fact, the results from the FOI request by Karlin Lillington of the Irish Times finds that the Government has long been aware of the legal standing of retention in Ireland, and so should have rectified it at an earlier date. Instead, they waited for a strategic moment in 2005.
In January 2005 the Irish Data Protection Commissioner, Joseph Meade, issued an order to service providers to erase data that is more than six months old, as of May of 2005. The Commissioner argued that the temporary directions were in force for too long without legal mandate. The Government interpreted this as a requirement to move forward with primary legislation calling for retention. The Minister of Justice argued
Without some contrary action being taken, the initiative by the Data Protection Commissioner would, if the telecommunications companies accepted its validity, seriously undermine the ability of the Garda Sý´ocha´na to investigate criminal activity, including terrorism and to protect the security of the State.
According to the Minister of Justice, the Attorney General also advised that the Data Protection Commissioner may have been acting outside of his powers.
Shortly afterwards, in response to the case of Director of Public Prosecutions v. Murphy on January 21 2005 the Attorney General argued that in order to ensure the admissibility of telecommunications data as evidence, retention should be placed on legal standing through primary legislation with safeguards against the possible misuse of the data.
The Government contends that service providers need this legislation because of a current conflict of obligations. The Government believes that service providers are compelled to retain data for 36 months under section 110 of the Postal and Telecommunications Act 1983; but the Data Protection Commissioner's notice required them to delete this data after six months.
On January 27 2005 the Minister of Justice announced his intent to comply with 'international obligations' and to help fight terrorism through introducing a policy on data retention.
I indicated that one of the things I propose to do with regard to Committee Stage amendments is to deal with the question of data retention in so far as it is necessary to underpin the fight against international terrorism. It is desirable that our law on this matter should be beyond debate. It should never be a question of differing interpretations, let us say, for example, between the Data Commissioner and the Minister for Communications, Marine and Natural Resources, as to what is or is not a legitimate use of the power to require telecommunications companies to keep records of communications so that they can afterwards be examined in the context of criminal investigations. The Bill is largely to do with the introduction of provisions into Irish law to extend our law in an adequate way to deal with international terrorism, as is required by various international instruments to which we are party.
Such international obligations do not exist, however, despite the great attempts by the Irish Government to create these international obligations in the first instnace.
Laundering Strategy and the Rush to Legislate
With the court decision and the decision by the Data Protection Commissioner, the Government felt compelled to act. It also felt it should act swiftly, because of the Parliamentary timetable. With the May deadline imposed by the Data Protection Commissioner, and with St. Patrick's Day and the Easter Holidays, the Minister for Justice argued that
If I were to provide for all of this in a separate Bill it would be doubtful if I could meet the 5 May deadline. I can say for a certainty that it is cognate to this Bill in that any effort to monitor international terrorism or to counter it would fall flat on its face if on 5 May, telecommunications data was to become erased automatically after six months. Any effort to look back over a reasonable period, which is 36 months in the Government’s view, would become impossible if the telecommunications companies accepted the validity of the directive they have now received from the Information Commissioner.
So it was decided, apparently 'after long consideration' that the Government should "take advantage of this legislative vehicle to insert these new provisions into our law."
The Government accepted that its strategy to launder this policy through the EU was facing some challenges. As the Minister of Justice admitted,
I had hoped to avail of the European basis for making rules in this area but it did not materialise.
When it held the presidency of the EU the government pushed the 'framework decision' that would compel all service providers of all types (telephone, mobile, internet, etc.) to retain data for up to three years. This initiative was also pushed by the French, Swedish, and British governments. In the summer of 2004, however, the European Commission decided to intervene in this Council process arguing that it was a first pillar issue, and thus internal market considerations were required.
The Minister of Justice found this to be a frustrating situation, however.
The framework decision ran into difficulties with the European Commission. It is difficult to understand exactly what has happened to the framework decision but it appears that the commissioner is of the strong view that data retention should be dealt with in the first pillar of the European Union treaties, that is the same pillar as data protection and communications. While it is probably safe to assume that the framework decision in its present form is moribund, we do not know what proposal will take its place. The Commission has apparently promised a first pillar on data retention but, whatever the outcome, it seems that any EU initiative will not now take place in a time frame that would allow me to meet the May deadline set by the Data Protection Commissioner. Faced with that I must act now before 5 May. There is no EU cavalry coming down the hill to help me. I must sort out this conflict.
The 'EU cavalry' is facing increased trouble, so having failed at the strategy of policy laundering the Minister of Justice relied on obscuring the policy to minimize debate.
When the debate had moved back to the lower House, the Justice Minister lamented this situation.
Deputies may be aware that an EU framework decision on data retention was published last year following the terrorist bombings in Madrid. The decision, which arose from a declaration on combating terrorism, instructed the European Council to adopt an instrument on data retention by June 2005. The framework decision, which was a response to the declaration, encountered some technical difficulties during the negotiations on it. It is doubtful, regardless of whether the framework decision or an alternative instrument is eventually agreed, that it will be possible to adopt any instrument by June of this year. It is normal to await agreement on such international instruments before preparing implementing legislation. If the Data Protection Commissioner had not acted as he did and if the EU had not encountered the difficulties I have mentioned, different options would have been open to me.
Instead, they concealed the policy in an old bill just before it was to be passed, with practically no debate.
In the last minutes before the amendments were approved in the lower house, one dissenting voice raised concerns regarding the lack of debate. According to Sinn Fein TD, Aengus O'Snodaigh:
I particularly oppose the new section which the Minister has introduced concerning traffic data retention. This is not only because it infringes the right to privacy, has fundamental and significant human rights implications and the Human Rights Commission has not had an opportunity to give its opinion on this and other amendments, but also because it is another instance of the Government making an illegal practice legal retrospectively, similar to the Health (Amendment) (No.2) Bill. I oppose it because of the manner in which the Minister is inserting these sections into this legislation by stealth at a late stage, which is anti-democratic.
My office never received the amendments and on inquiry was initially told that they would be published only this morning. That was misinformation. They were not available electronically. They were not in the internal mail this morning and the General Office informed me they were not circulated at all. They had got stuck in that office whose staff did not seem to be aware they had them. I cannot speak for other Deputies but I had only two hours in which to peruse these proposals. Human error or not, this is not acceptable. The debate should at the very least have been postponed on that basis as well as on the basis of my other points. ...
The Minister also said that the legislation would be subject to the normal rigours of passage through the Oireachtas, including Committee Stage scrutiny. The Minister misled the Dáil and possibly also the Seanad and the public in this regard. I do not accept his reason for introducing these amendments at this stage. The safeguards in which he places great faith are not adequate.
Shortly thereafter, the amendments were passed.
Authorization and Safeguards
Amendment 9 allows the Garda to have access to the data for the purpose of prevention, detection, investigation, or prosecuting of crime, or for the safeguarding of the state.
In Ireland, the Minister of Justice authorises wiretaps. When asked whether the minister would also authorise access to this data, the Minister of Justice responded that
Clearly it is impractical to have ministerial intervention in every request for who telephoned who. As a matter of practicality in the investigation of, say, a kidnapping, a bank robbery or whatever, that work would involve looking at a suspect and seeing who did the suspect telephone during the relevant period. It might also involve looking at the suspect’s contacts. I would spend all my life writing further warrants and I would have to move into Garda headquarters because one could not have the same degree of ministerial control and accountability in an issue that is going to change from hour to hour. I do not want to speak about current cases but Members are aware this kind of material is important and that it could not possibly involve the Minister having an intervening role as he does in relation to interception of the content of communications.
Individuals may also apply to a 'judicial figure' to find out if their information has been 'improperly' accessed.
Defining Traffic Data
The Government argues that retention occurs anyways, because phone companies need to this data.
If there was no retention of this type everybody could say they never made, say, 5,000 telephone calls during that month. The telecos have to be in a position to say that one did made the calls and these are the telephone transactions one made at a particular time. They have to amass the data even from a defensive point of view, otherwise every bill would be disputed. People would say their bill looked steep and that they did not use their phone often and challenge the telecos to prove the contrary. The telecos have to be in a position to say that one’s telephone was used X number of times for international calls and X number of times for local locals and to show the times and dates.
As such, all that is considered in these debates are the logs of the phone calls, not the more problematic information such as location data, even though it is implicated within the law.
This is yet another case of a law on communications data retention being passed without careful consideration of the nature of the data being retained. Without understanding the nature of the data, which could include our general movements over a span of three years, it is harder to understand how invasive this practice is.
Period of Retention
The Government does not accept that 6 months is sufficient, as decreed by the Data Protection Commissioner. According to the Minister of Justice,
The issue is first, whether that kind of material can be stored indefinitely and if there is an increased cost and, second, if the Data Protection Commissioner arrives at a view regarding, say, a six-month period but without a statutory authority, what would be the implications for the investigation of serious crime from my perspective? I must ask myself that question. The Commissioner is entitled to his view but I have to take a different view into account. All in all, I believe that 36 months is an appropriate period. I do not believe there is much difference between six months and 36 months. If my privacy is in some way infringed by having the information on file or on a hard disk for six months, I do not regard it as a great reassurance to me to know that it is erased after six months rather than 36 months. It would not change my sense of wellbeing to know that an additional period of time had not elapsed before the data was destroyed.
He later continues,
In my view whether the period is six months or 36 months makes very little difference. I do not think that with these safeguards in particular it is a matter of great importance. I have always been unimpressed by the arguments that material deleted after a period of time increases one’s dignity and rights as a human being. This notion that if, for instance, I gave a fingerprint which is destroyed after some specified period of time does not really worry me. I am aware of a contrary opinion which worries about a big brother state amassing information indefinitely about everybody. The 36-month period is what the Government favours.
This regime will certainly be questioned as to its compliance with the European Convention on Human Rights.