Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Interception of the content of communications is a criminal offence under section 98 of the Postal and Telecommunications Services Act 1993,1 while the lawful interception of communications by state authorities is regulated under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.2 The latter Act followed a 1987 decision of the Supreme Court ruling that wiretaps of journalists violated the Constitution.3 In October 2001, the Taoiseach (Prime Minister) publicly apologised on behalf of the State to three journalists whose phones were tapped during the 1980s as part of an effort to control leaks from the government. The Taoiseach apologised for "the inappropriate invasion of their privacy and interference by the State with their role as journalists."4

Under the 1993 Act interception of postal packets or telecommunications may be authorised by the Minister for Justice and Law Reform on foot of an application by either the Commissioner of the Garda Síochána or Chief of Staff of the Defence Forces. Authorisations may be granted for criminal investigations in relation to serious offences or in relation to the security of the State, subject to a balancing exercise where the Minister must be satisfied that other investigations are inadequate, and that the importance of obtaining the evidence or information is sufficient to justify the interception.

Oversight of this system is provided by a Designated Judge of the High Court, who keeps the general operation of the Act under review, and by a complaints procedure whereby a Complaints Referee is empowered to hear complaints of interceptions other than in accordance with the Act.5 It should be noted that the oversight regime has been criticised for a lack of transparency. While the Designated Judge is obliged to produce an annual report, since the start of the system that report has consisted of no more than a single page containing essentially no substantive content. In particular, and unlike the practice in other jurisdictions, the annual report provides no details as to the internal procedures which were followed to ensure compliance, the number of intercepts carried out, or the steps which were taken to guard against and remedy mistaken intercepts.6

State surveillance – other than the interception of communications and data retention – has until recently been largely unregulated in Irish law.7 For example, the use of audio bugging devices, car tracking devices, and long lenses to look inside buildings were all without any statutory basis. Indeed, in 1996 the Law Reform Commission described the result as being surveillance in a "legal vacuum" which was incompatible with Ireland's obligations under the ECHR.8 In 1998 therefore the Law Reform Commission recommended substantial reform to include systems of authorisation of surveillance and judicial oversight.9

Reform did not, however, come about until 2009, prompted by two events: a high profile "gangland" murder and a judicial investigation into police misconduct, which found that police had been "recording persons, including their colleagues and senior officers, at will, or contemplating or carrying out covert surveillance using electronic devices without any statutory guidance or regulation and without any internal…guidelines".10

The result was the Criminal Justice (Surveillance) Act 2009, which introduced for the first time a statutory basis for covert surveillance. However, it should be noted that it is limited in its scope. The bill allows for the Gardaí to carry out surveillance of suspected criminals with the District Court's permission, or in certain emergency situations without any permission. The Act also extends the admissibility of information obtained in surveillance operations. It has been pointed out that the approach taken by the Act applies only to a relatively narrow class of surveillance: i.e., surveillance by the Garda Síochána, Revenue, or Defence Forces, which make use of (restrictively defined) surveillance devices. As such it does not apply to covert following or observation without such devices, which will continue to be essentially unregulated, subject only to the judicial guidance given in Kane v. Governor of Mountjoy Prison.11Nor will it apply to covert surveillance by other state agencies with investigative functions, nor to the use of informants."12

This narrow scope therefore still leaves many forms of surveillance without a statutory basis, and it has been argued by a legal scholar that those other types of surveillance may still be vulnerable to challenge under the ECHR.13

Under the 2009 Act the general rule is that covert surveillance devices may only be planted and used on the basis of of an authorisation from a judge of the District Court.14

The oversight mechanism under the 2009 Act mirrors the one established for interception and data retention by establishing two levels of review: a Complaints Referee to hear individual complaints of wrongful surveillance and a Designated Judge of the High Court tasked with keeping the operation of the Act under review.

National security legislation

The Offences Against the State Act 1939 is the primary piece of anti-terrorist legislation in Ireland. Part 2 of the Act defines certain offences that are considered to be offences against the state. Part 3 introduced the concept of an illegal organisation, a provision that has seen much use though the years in securing the conviction of members of the provisional IRA and other organisations involved in the conflict in Northern Ireland.

Section 52 of the Offences Against the State Act 1939 has also been subjected to additional judicial scrutiny in recent years. It provides that a person suspected of an offence under the Offences Against the State Act must account for his movements or actions during any specified period and divulge all information relating to the commission or intended commission of an offence. Although the section was found to be constitutional in Heaney v. Ireland,15 the European Court of Human Rights found the defendants, who received six-month sentences for failing to account for their movements, had been denied the right to a fair trial (Section 6.1 of the Convention) and the presumption of innocence (Section 6.2 of the Convention). In Quinn v. O’Leary & Ors,16 a case with similar facts, it was held by a judge that the plaintiff was entitled to have his conviction set aside on the basis of the European Convention of Human Rights, although the government was not obliged to repeal the offending legislation. The issue has not been yet been considered in light of the implementation of the European Convention on Human Rights Act 2003.

While privacy groups, such as Digital Rights Ireland17 and the Irish Council for Civil Liberties,18 raised questions over the constitutionality of the emergency surveillance provision, which effectively avoids the judicial approval process, they generally favoured the Act. The bill is widely perceived as a warranted invasion of privacy as it provides the Gardaí with the necessary tools to disrupt organised crime, yet is confined by the requirement of judicial authorisation as well as strict limitations.

Data retention

Data retention – the storage by communications providers of traffic data about the telephone calls, text messages, emails, location, etc. of their customers – has been a controversial issue in Ireland since 2001. In that year it was revealed by the journalist Karlin Lillington that Irish mobile phone operators were holding customer records (including locator records tracking their movements) for six years, without any legal basis. This prompted intervention by the DPC which would have required that information to be deleted. However, in 2002 the government responded by imposing a requirement for telecommunications service providers to retain customers' communications data, using a secret Ministerial order that received no parliamentary consideration.19 In January 2003, the DPC, which itself operates under the auspices of the Department of Justice, Equality and Law Reform, initiated proceedings for judicial review on the basis that the government was "using an 'invalid' Ministerial Directive to unconstitutionally store citizens' phone, fax, and mobile phone data."20 The DPC agreed to delay instituting proceedings on the basis of a government commitment that stand-alone legislation would be introduced to regulate the storage of this data.

Three years later, however, no legislation had appeared. In response, the DPC issued enforcement notices in January 2005 which would have required telecoms companies to delete this data after 12 months. This finally brought about government action, and shortly afterwards the Criminal Justice (Terrorist Offences) Act 2005 introduced a three-year period of data retention for telephone traffic and location details.

The Criminal Justice (Terrorist Offences) Act 2005 largely has its origins in the European Union Framework Decision on Combating Terrorism. As a result they share an overly broad and vague definition of "terrorist activity."21

In the course of debate the previous Minister for Justice, Michael McDowell, stated: "The Bill is largely to do with the introduction of provisions into Irish law to extend our law in an adequate way to deal with international terrorism, as is required by various international instruments to which we are party." Such language is unfortunate as no international instruments as yet require data retention for a period of 36 months, and proposals put forward for such during the Irish Presidency of the EU were rejected. Given the length of time the government had to publish legislation on the issue, and despite repeated promises of dedicated legislation, they chose nevertheless to insert the provisions as a last-minute amendment into a largely unrelated bill.22

Current Irish data retention law is, therefore, contained in Part 7 of the 2005 Act. Under that Part the Commissioner of the Garda Síochána may require telecommunication providers to retain traffic and location data for a period of three years.

Access to this data is based entirely on internal approval procedures within the Garda Síochána or Defence Forces – a member of the police force or army officer of a sufficient rank can make an access request to a telecommunication provider without any need for external approval. Data can be accessed for the purposes of the "prevention, detection, investigation or prosecution of crime" or "the safeguarding of the security of the State".23 There is no proportionality requirement – data can be accessed in respect of any crime, or indeed possible future crime, not merely serious crime, and it is not required that access to data be necessary or proportionate in the context of the particular case. In addition, under section 64, data can be accessed by a court order in the context of civil proceedings.

An oversight mechanism is established in sections 65 and 66, which extends the Designated Judge and Complaints Referee system established for the interception of communications to cover data retention also.

Although the Irish government initially supported data retention legislation at a European level, the 2006 Data Retention Directive,24 which was eventually adopted, was opposed by the government, which alleged that it had been passed using the wrong legal basis. Consequently Ireland brought a challenge to the validity of the directive – though only in relation to the procedure used to adopt the law, not the fundamental rights issues which it presented.25

In June 2008, the European Court of Justice (ECJ) heard Ireland's action against the EC and Parliament for the annulment of the directive. The Advocate General published his opinion in October 2008 stating that Ireland's case challenging the directive should be rejected.26 Subsequent to this opinion the ECJ rejected Ireland's challenge in February 2009.27

In 2009, it emerged that a range of State agencies and the communications industry had adopted a private agreement on data retention, pending full implementation of the Data Retention Directive.28 The agreement reportedly provides for the retention and sharing of data in excess of what is likely to be required by the Irish law, which will implement the Directive and was adopted without reference to the Oireachtas. The agreement is of particular concern to privacy advocates in light of revelations that Irish State agencies make very frequent requests for access to personal data.29

It should be noted that the manner of passage into law of the the Criminal Justice (Terrorist Offences) Act 2005, which introduced, as said earlier, a three-year period of data retention for telephone traffic and location details, was heavily criticised by civil rights groups. In particular, despite the length of time the government had to publish legislation on the issue and despite repeated promises of dedicated legislation, the provisions were inserted as a last-minute amendment into a largely unrelated bill.30

The Irish online civil rights group Digital Rights Ireland (DRI) commenced a High Court action against the Irish Government in 2006, challenging the Criminal Justice (Terrorist Offences) Act 2005 on the basis of Irish and European Law.31 DRI believes that the type of data retention envisaged constitutes an infringement of the constitutional right to privacy as well as the right to respect for private life and correspondence under Article 8 of the European Convention on Human Rights, as it requires that the telephone and online communications of all individuals in the State be logged. DRI argues that domestic case law,32 as well as case law from the European Court of Human Rights,33 have made it clear that telephone conversations are protected by these concepts. The European Court of Human Rights has also held that the keeping of logs of such communications (such as records of numbers dialled) falls within the scope of Article 8.34

In July 2008, the Irish Human Rights Commission was accepted as an amicus curiae (friend of the court) in this litigation. The Human Rights Commission has stated that: "This case raises important issues about the extent to which laws and measures governing the monitoring of one's private life by the State in pursuit of tackling crime possess sufficient human rights safeguards".35

In May 2010, the High Court decided that the DRI challenge be referred to the European Court of Justice (ECJ) under Article 267 of the Treaty on the Functioning of the European Union.36 As of the end of July 2010, the High Court has not published the questions to be referred to the ECJ.

At the time of writing Ireland has not yet transposed the Data Retention Directive. Initially the government had expressed an intention to transpose the Directive by Ministerial order and without primary legislation.37 However, following advice from the Attorney General it was accepted that primary legislation was necessary.38 The Communications (Retention of Data) Bill 2009 is currently before the Oireachtas and proposes to transpose the directive by introducing a two-year retention period for telephony data and a one-year period for Internet data.

National databases for law enforcement and security purposes

In 2009, the DPC agreed a policy document with An Garda Síochána to govern the use of the automated number plate recognition (ANPR) system introduced by the Gardaí. The system involves the use of an in-car camera which recognises the vehicle registration number (VRN) of other road users. These VRNs are checked against a watch list of vehicles maintained by the Gardaí and, if the vehicle is on the list, details are provided to the Gardaí. The DPC noted that any large-scale recording of personal data must be proportionate and acceptable safeguards must be in place. The ANPR policy agreed with the Gardaí's aims to balance the effective use of the system with respect for the rights and privacy of individuals.

National and international data disclosure agreements

Nothing to report.

Territorial privacy

Video surveillance

Nothing to report.

Location privacy (GPS, mobile phones, location based services, etc.)

It is a criminal offence to harass another person. Pursuant to section 10 of the Non-Fatal Offences Against the Person Act 1997, the offence includes harassment by use of a telephone, by persistently following, watching, pestering, besetting, or communicating with the victim. Harassment occurs where a person seriously interferes with the other person's peace and privacy or causes alarm, distress, or harm to the other, and these acts are such that a reasonable person would realise that the acts would seriously interfere with the other's peace and privacy or cause alarm, distress or harm to the other.

In 2009, the DPC agreed a policy document with An Garda Síochána to govern the use of the automated number plate recognition (ANPR) system introduced by the Gardaí. The system involves the use of an in-car camera which recognises the vehicle registration number (VRN) of other road users. These VRNs are checked against a watch list of vehicles maintained by the Gardaí and, if the vehicle is on the list, details are provided to the Gardaí. The DPC noted that any large-scale recording of personal data must be proportionate and acceptable safeguards must be in place. The ANPR policy agreed with the Gardaí's aims to balance the effective use of the system with respect for the rights and privacy of individuals.

Irish law has since 2006 made provision for the electronic tagging of certain convicts and, since 2007, for the electronic tagging of certain persons released on bail pending trial.39 At the time of writing, however, these systems have yet to be deployed. The implementation of electronic tagging is currently being considered by a Project Board appointed by the Minister for Justice and Law Reform in January 2009.40

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

The Irish government had previously chosen to comply with the US requirement of a biometric passport for visa waiver countries by providing a "secure printed digital photograph" without encoding any information electronically on the card. At the time it was the only European government to take this minimalist approach.41 Since then, however, the Irish government has introduced ePassports which are described by the Department of Foreign Affairs as follows: "While the new biometric passport will look much the same as its predecessor, it will have a microchip embedded in it which contains the digitised facial image and personal details of the passport holder as they appear on the data page. The microchip can be read electronically at border controls. The Government has no plans, at this stage, to include a citizen's fingerprints."42

National ID and smart cards

In 1998 a unique personal identification number system for use in dealing with public agencies was established. The Personal Public Service Number (PPSN) replaced the "Revenue and Social Insurance" (RSI) number that, for years, was used only for social welfare and tax purposes. The use of the PPSN has expanded considerably since 1998 and it is arguably becoming a national identity system "by stealth".43 The PPSN is used as a unique personal identifier in communications between the individual and specified state agencies, such as government departments, hospitals, local authorities, and educational institutions. Employers may also use the PPSN for interaction with state bodies (most notably the Revenue Commissioners), while some state agencies have used the PPSN as a unique identification number for their own employees.44 Most recently, landlords have been permitted to seek tenants' PPSNs for the purposes of registering with the Private Residential Tenancies Board, although there is no obligation on tenants to provide it.45

The Act allows for the exchange of personal data between prescribed bodies in certain circumstances, and its provisions in this respect are expressly exempt from the Data Protection Act. However, it is clear from the Social Welfare Acts and the PPSN Code of Practice published by the Department of Social Protection46 that a PPSN can be requested or used only by specified public bodies or persons authorised by those bodies to act on their behalf. It is a criminal offence to request or hold a PPSN without the requisite legal authority.

The Register of users of the PPSN maintained by the Department of Social Protection bears testament to the zeal with which various state agencies have engaged in data matching and exchange exercises.47 The DPC criticised this scheme while it was debated, stating that "the proposed sharing of personal data, obtained and kept by legally separate entities, for such diverse purposes is fundamentally incompatible with…the basic tenets of data protection law."48 In February 2004, the Department of Social Protection issued a Code of Practice on the use of the PPSN, and recognises its potency and its status as personal data under the Data Protection Acts, but does not attempt to unduly constrain its use.

The DPC has repeatedly pointed out his concerns about the PPSN system, noting the increased use of the PPSN as an identifier in his 2009 report. The DPC "availed of every opportunity during 2009 to highlight [its] serious concerns as to the suitability of the PPSN as a national Unique Health Identifier (UHI)" and a 2009 report by the Health Information and Quality Authority on UHIs reached the conclusion that the PPSN is not fit for purpose as a UHI.49 The Department of Health is due to publish a Health Information Bill which will provide a legal basis for the use of health information and which should address privacy concerns. It is expected that the bill would provide further responsibilities to the DPC in relation to health information.

The Gardaí and armed forces, at present, are prohibited from collecting and using the PPSN for matters other than those related to their own members. The Immigration Act 2003, however, gives power to An Garda Síochána to use the PPSN in relation to non-EU nationals.50

Although at present the system does not incorporate an ID card per se, a public services card (PSC) has been under development for a number of years. The PSC would use the PPSN as a unique identifier and would include a photograph and signature as identification mechanisms.

In 2009, the Oireachtas Joint Committee on Social & Family Affairs published a report on social welfare fraud, recommending that the development of an integrated services card be fast-tracked.51

"To this end, the Committee believes that biometric information should be incorporated into the public services card in order to eliminate the possibility of fraud and to facilitate this card becoming a national identity card. The Committee supports the introduction of a national identity card and believes that it is fundamental that the public services card which is currently in development be designed in such a way that it will later be able to incorporate data from other government departments and agencies."

The report shows no evidence of having considered the human rights or data protection implications of introducing such a system of national ID cards, not to mention the desirability of such a system and the possibility of further function creep.52

RFID tags

Nothing to report.

Bodily privacy

The Criminal Justice (Forensic Evidence and DNA Database System) Bill 2010, before the Houses of the Oireachtas at the time of writing, is a bill that will authorise the taking of bodily samples from those suspected of certain criminal offences and those who volunteer to have such samples taken from them for the purpose of the investigation of offences, or incidents that may have involved the commission of offences. If enacted, it will establish a statutory system for the collection of DNA samples, the creation of DNA profiles and the establishment of a DNA database against which profiles can be matched. (See more details under the "Genetic privacy" section.)