Thursday, 29 April 2010
Seanad Eireann Debate
Minister of State at the Department of the Environment, Heritage and Local Government (Deputy Michael Finneran): I am pleased to be in the Seanad to present the Communications (Retention of Data) Bill 2009. The primary purpose of the Bill is to transpose Directive 2006/24/EC of the European Parliament and of the Council into Irish law. The directive requires service providers to retain data generated or processed in connection with the provision of publicly available electronic communications or of public communications networks and to make it available, on request, for the detection, investigation and prosecution of serious crime.
This is a short and relatively straightforward Bill but it places on a sound statutory footing, with strong safeguards, a procedure that is essential for the proper and effective investigation of serious crime and for the safeguarding of the security of the State. It has been in the news at regular intervals for various reasons over recent years and some misconceptions may have arisen as to its scope and purpose. At the outset, it is important to bear in mind that data retention is not new but has been an essential feature of crime investigation in Ireland and safeguarding State security for many years. Also to be borne in mind, and something I would like to emphasise, is that data information is not concerned with content. It is about the who, where and when of a communication. The intrusion into persons’ privacy is minimal.
I would like to place data retention in this country in a historical perspective by saying that its origins go back to the days of the Department of Posts and Telegraphs, when communications were by and large restricted to fixed line phones and the postal system. There was one provider of those fixed line phones and the postal system: the State. Typically, telephony operators, even after the market was opened up, retained data for six years for their own purposes, such as billing and marketing. This made sense as the Statute of Limitations, during which a telephone bill could be challenged or payment pursued, was six years. The operators made the data information available to the Garda Síochána or Defence Forces, on request, when required for investigating crime and safeguarding the security of the State. In those circumstances, relations between the operators and the law enforcement authorities developed so that the voluntary scheme, which was based on goodwill and common sense on both sides, worked to the satisfaction of all concerned. Any member of the Garda Síochána could request data in respect of a crime he or she was investigating. The system was not regulated by statute and for that reason at a particular point, statutory intervention was regarded as desirable.
The first significant statutory intervention came in the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993. Section 13 of that Act inserted new subsections into section 98 of the Postal Packets and Telecommunications Services Act 1983. Under the inserted subsection (2A), a person employed by a company who disclosed, to any person,any information concerning the use made of telecommunications services provided for any other person by the company was guilty of an offence. There were exceptions which included disclosures made for the prevention or detection of crime or for the purpose of any criminal proceedings or in the interests of the security of the State. A request by a member of the Garda Síochána for a disclosure had to be in writing and be signed by a member not below the rank of chief superintendent. In practice, this meant that all disclosure requests were channelled through one specified chief superintendent, an effective and appropriate procedure that continues to this day. A parallel inserted provision ensured that any request from the Permanent Defence Force for data required in the interests of safeguarding the security of the State had to be made through an officer not below the rank of colonel.
That remained the situation until the adoption of Directive 2002/58/EC of the European Parliament and of the Council in July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector. As interpreted for data protection purposes, that directive provided that traffic data could only be retained for six months. That left this country with a dilemma, as clearly the law enforcement authorities required data to be retained for longer than six months if they were not to be severely handicapped in their ability to fight crime and safeguard State security. In practice, most retained data that is required is requested by those authorities within six months of it being generated or processed. However, the quality of data retained for longer periods can be equally important in fighting crime, including terrorist crime. The Department of Justice, Equality and Law Reform and the then Department of Public Enterprise came to an agreement that telephony data should be retained by the operators for three years, that is, half the period for which the operators previously voluntarily retained telephony data. That agreement was given statutory effect in directions issued by the Minister for Public Enterprise to the main telephony operators made under section 110(1) of the Postal and Telecommunications Services Act 1983.
It was intended to follow up quickly the directions with primary legislation. However in 2003, Ireland received an invitation from some of our colleagues in the EU to co-sponsor a framework decision on data retention. Agreement was reached on Ireland’s participation in the preparation of the instrument. Obviously, further work on the legislation had to be deferred until the text of a framework decision was agreed and adopted.
The negotiations on the framework decision proved difficult and complex. They had effectively reached stalemate when the Madrid bombings during the Irish Presidency of the EU in 2004 highlighted the necessity and urgency of obtaining agreement on the retention of data. Negotiations recommenced in earnest but had not been concluded by January 2005 when the then Data Protection Commissioner issued notices to the main telephony operators directing that they retain data for no longer than six months. Rather than hamper the Garda Síochána and the Defence Forces in their vital work in investigating crime and safeguarding our security, a decision was taken to include provisions in the Criminal Justice (Terrorist Offences) Bill, which was then being debated in this House, on the retention of telephony data. Some Members will doubtless recall the generally positive response expressed during the debate in this House to the inclusion of the data retention provisions in the terrorist offences Bill. It was also decided to leave the more complex internet provisions until an EU instrument had been agreed. The urgency of ensuring that the law enforcement authorities could gain access to retained data, in a controlled and supervised manner, was acknowledged.
I have given this short background to the law and procedures relating to data retention in this country to put the record straight and also to place the Bill in its proper context. Agreement could not be reached on the framework decision and it was replaced by a directive of the European Parliament and of the Council. It is that directive that is being transposed in the Bill. It is normal practice, as provided for in the European Communities legislation, to transpose such directives by means of secondary legislation. Our legal advice suggested that there would be no problem in using secondary legislation as our transposition vehicle. However, on the basis of later advice, it was decided, for a technical reason, to proceed by way of primary legislation. This partially explains the delay in publishing the Bill.
The preparation of the Bill was also delayed by the prolonged consultations with the service providers and, in particular, their representative associations and other interested parties. At this point it is right that I put on the record my appreciation of the constructive way the service providers entered into the consultative process. The negotiations were long and, at times, complex and are still continuing between the Garda Síochána and the representative associations on the implementation of the legislation.
The directive must be transposed into national law and the legislation in Ireland is now well overdue. The European Commission initiated infringement proceedings against Ireland in the European Court of Justice and in a judgment on 26 November 2009 the court found that Ireland, by failing to adopt the directive within the prescribed period, had failed to fulfil its obligations under the directive. Progressing this Bill to the point where it can be enacted has now gained even greater urgency.
I will outline the provisions of the Bill. It is relatively short and largely remains within the parameters established by the directive. It has two main objectives. The first, at section 3,obliges service providers to retain data. The second, at sections 6 and 7, gives the relevant law enforcement agencies power to make a disclosure request for retained data and obliges the service providers to comply with such a request. I will explain those important elements of the Bill but first I emphasise the importance of section 2.
Section 2 gives effect to Article 1.2 of the directive by providing that the Act does not apply to the content of communications. It does not, for example, apply to the content of a telephone conversation or an e-mail. It does not apply to web browsing or web sites visited but simply allows law enforcement agencies in Ireland to seek information about the who, where and when of a communication. In the case of the Internet, it obliges service providers to retain the Internet equivalent of the type of telephony data that has been retained for many years.
Article 1.1 of the directive obliges member states to ensure that retained data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law. We are defining “serious offence” as an offence punishable by imprisonment for a term of five years or more. The First Schedule lists five further indictable offences as serious offences for the purposes of the Bill that have maximum penalties of less than five years but which the Garda Síochána have asked to be included. They deal with important matters such as reporting child abuse, corruption in public bodies and administration of substances capable of inducing unconsciousness or sleep, such as the date rape drug.
No matter how “serious offence” is defined, it will not affect the amount of data retained. It cannot be known in advance for what the data may be required. Of course, the vast majority of data will not be required and will be destroyed after the appropriate time. However, by defining “serious offence” the amount of telephony data for which a disclosure request can be made will be less than under the present law where data can be disclosed for the investigation of any offence.
It would have been possible under the terms of the directive to give every law enforcement agency in the country authority to make a disclosure request. This has not been done but in addition to the traditional role of An Garda Síochána and the Permanent Defence Force, the Bill gives the Revenue Commissioners power to make disclosure requests in respect of six specific serious revenue offences. The primary reason for the inclusion of the Revenue Commissioners in this Bill is to provide their investigating officers with access to communication data in order to assist them in tackling various forms of serious tax evasion that are undermining the collection of tax revenues of the State. Tackling tax evasion has always been a top priority for the Revenue Commissioners.
Deputy Michael Finneran: The Bill recognises the Revenue Commissioners’ role as a criminal law enforcement agency whose role is to protect the Exchequer from fraud. Experience has shown that the lack of such access has been a hindrance in detecting certain cases of serious tax fraud and gathering the necessary evidence for the purposes of prosecution. This need is clearly justified and access to such information should improve the level of detection of serious tax evasion and gathering of the evidence necessary for criminal prosecution, and it will assist in depriving criminals of funds.
Modern telecommunications and the Internet are invariably utilised by those engaged in the type of illicit activities investigated by the Revenue Commissioners. For example, documents encountered by Revenue officers in the course of investigating cigarette smuggling in maritime freight where bogus bills of landing are used, oil laundering and the distribution of laundered oil——
Deputy Michael Finneran: ——under cover of bogus invoices, alcohol fraud using bogus documentation, cross-Border VAT fraud and other forms of serious tax evasion often include contact phone numbers which need to be traced. The identity of the subscriber must be established along with the usage of the phone if the investigation is to be progressed.
I find the case for access compelling and Revenue Commissioners have given categorical assurance that requests for such information will be confined to investigations involving serious indictable revenue offences. I might add that the Revenue case for access has been supported in the past by the Attorney General, the DPP and An Garda Síochána. It was also one of the recommendations made in the report of the revenue powers group to the Minister for Finance as long ago as November 2003.
Article 3 of the directive establishes the obligation to retain data. It is given effect in section 3of the Bill, which obliges service providers to retain telephony data for two years and Internet data for 12 months. Why were these periods chosen when the directive states the period should be between six months and two years? At present, telephony data must be retained for three years under Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 and it was traditionally retained for six years.
There are at present no statutory requirements to retain Internet data. Following a re-evaluation by the law enforcement authorities as to their requirements for the investigation of serious crime and safeguarding the security of the State, it was considered that a two-year retention period for telephony data would be sufficient. Similarly, the 12 months retention period for Internet data is deemed to be the minimum necessary in respect of that data. Most retained data that is the subject of a disclosure request was generated or processed in the previous six months but the quality of information held for longer makes the retention periods provided for in the Bill necessary for efficient law enforcement and State security.
I readily recognise that we are among a small minority of member states that have opted for the maximum period of two years for the retention of telephony data. That period is in accordance with our traditional methods of gaining evidence in criminal investigations. Other countries may have developed other methods of investigation that renders recourse to telephony data less important. Within the parameters of the directive, we are legislating for the requirements of the Irish law enforcement authorities and not those of other member states. Our retention period for Internet data is in line with the majority of other member states as the Internet is a relatively new development and most countries have no tradition of gathering evidence from this source.
Section 4 ensures that the same level of security will attach to data retained under this Act as is retained for other purposes. It gives effect to Article 7 of the directive and the providers must destroy the data as soon as the retention periods have expired. However, one month’s grace is given to enable the data to be actually destroyed. This section also provides that the data protection commissioner will be the supervisory authority in Ireland for the purpose of both the Act and the directive. The appointment of a supervisory authority is required by Article 9 of the directive.
I accept that, in the light of some significant breaches of data security in recent times, such as the theft of laptops with unencrypted material, there is some concern about the security of retained data. There is an increasing appreciation of the need to ensure the highest level possible of security on data that are in the possession of service providers for use for their own purposes and the legislation can do no more than apply that heightened level of security to the data retained for the purposes of compliance with this Bill. In doing so, the legislation complies with the security requirements of the directive.
Following breaches of security, a data protection review group was established which sent its report to the Minister for Justice, Equality and Law Reform at the end of March. Issues around it, including its publication, are being considered in the context of the recent announcement of the transfer of functions, which includes data protection.
Article 6 of the directive requires member states to adopt measures to ensure that data retained in accordance with the directive are provided only to the competent authorities in accordance with national law. This requirement is given effect in the Bill at section 6, which establishes who can make a disclosure request and for what purposes. Unlike some other countries, the ability to make a disclosure request is confined to just three law enforcement agencies, namely, the Garda Síochána, the Permanent Defence Force and the Revenue Commissioners.
A member of the Garda Síochána not below the rank of chief superintendent will be entitled to make a disclosure request for the purpose of the prevention, detection, investigation and prosecution of serious crime, safeguarding the security of the State and saving human life. There are three differences between the powers of the Garda under section 6 and the analogous provisions in the 2005 Act. Under that Act, the Garda could make a disclosure request in respect of any offence, not just a serious offence, and could not make a request in respect of the saving of human life. In addition, the 2005 Act did not provide for disclosure requests in respect of Internet data. These are three very desirable differences.
A colonel in the Permanent Defence Force will be able to make a disclosure request for the purpose of safeguarding the security of the State. This repeats the analogous provision in the 2005 Act, but with the addition of the relevant Internet data. I have already mentioned that this provision could not have been included in a statutory instrument transposing the directive, as safeguarding the security of the State is outside the scope of the directive because of the legal base used for the directive.
The Bill gives the Revenue Commissioners power for the first time to make a disclosure request in respect of six named revenue offences. These all come within the definition of serious crime, in that they are all triable on indictment with a penalty of imprisonment of five years. As with requests from the Garda Síochána and the Permanent Defence Force, requests will be made by one person, in this case a Revenue officer of at least principal officer rank. This is a highly desirable initiative. Senators will recall a recent statement by the Revenue Commissioners of the likelihood of increased tax evasion in these economically difficult times.
In one way or another, sections 9 to 12, inclusive, provide safeguards to ensure that the data retention scheme is not misused. Section 9 gives effect to Article 10 of the directive under which member states are obliged to forward to the Commission statistics of the use of data retention during the previous year. Since so few Irish authorities have the right to make a disclosure request and because such requests are centralised, the compilation of statistics is relatively straightforward. In 2009, we were one of the first countries to return telephony statistics even though the legislation transposing the directive was not in force. The statistics will be compiled by the three law enforcement authorities with the right to make disclosure requests. The Garda Commissioner will forward Garda statistics to the Minister for Justice, Equality and Law Reform, the Chief of Staff of the Permanent Defence Force will forward statistics to the Minister for Defence and the Revenue Commissioners will forward statistics to the Minister for Finance. The Ministers for Defence and Finance will review the statistics submitted to them respectively before forwarding them to the Minister for Justice, Equality and Law Reform for transmission to the European Commission. In this way, the Commission will be in a position to monitor the operation of the data retention provisions throughout the EU.
Under Article 14 of the directive, the Commission will submit to the European Parliament and the Council an evaluation of the application of the directive and its impact on the service providers and consumers, taking into account further developments in electronic communications technology and the statistics provided under Article 10. The evaluation will inform a view as to whether it will be necessary to amend the directive, in particular with regard to the list of data and the periods of retention. The evaluation is well under way and the results will be made public.
The safeguards provided at sections 10 to 12, inclusive, are essential for the proper operation of the legislation. They are of the utmost importance in ensuring public confidence that the legislation is not being misused and will also reassure the service providers that it is only used for the stated purposes. Section 10 provides for the independent complaints procedure. Under this section, where a person believes that data relating to him or her are in the possession of a service provider and have been accessed following a disclosure request, that person may apply to the complaints referee for an investigation into the matter. Section 11 provides for an invitation by the President of the High Court to a serving judge of the High Court to undertake the duties of keeping the operation of the Act under review and section 12 sets out those duties. These safeguards already operate satisfactorily for the retention of telephony data under the 2005 Act, so there is no need at this stage for me to explain them in further detail except to emphasise that, in our case, only three law enforcement agencies have the right to request data.
There are two Schedules to the Bill. The first I have already mentioned. The Second Schedule gives effect to Article 5 of the directive. It lists the categories of data to be retained by the service providers. There can be argument and, indeed, disagreement as to the extent of the data mentioned in Article 5. This is especially so in the context of rapid advances in technology. For that reason, a committee of experts has been established by the European Commission to interpret and explain the directive in light of prevailing circumstances and to give a guide as to what data need to be retained and, equally important, what does not need to be retained. Ireland is represented on that committee. It would not be possible in the legislation to set out exactly what each provision means, for example, when some requirements may be open to more than one meaning in light of further advances in technology. The service providers and the Garda Síochána, the Permanent Defence Force and the Office of the Revenue Commissioners have been in discussions for some time on drawing up a memorandum of understanding in which each can agree on what is required to be retained. I understand that work on the memorandum is virtually complete and is awaiting the enactment of the Bill.
In this introductory speech on the background, content and implications of the Communications (Retention of Data) Bill 2009, I have attempted to place the Bill in its proper context. Nothing new is created in the Bill. It does no more than extend, with some changes, existing obligations relating to telephony data to Internet data. I again emphasise the importance of data in the investigation of serious crime and safeguarding the security of the State. One regularly reads in newspaper reports of telephony data given in evidence in some of the most notorious trials in recent years. We cannot expect the Garda Síochána to solve complex crimes if we do not give it the means to do so. We must provide safeguards to ensure that those means are not misused and this Bill provides the same safeguards as are available under the interception of communications provisions, this despite the fact that the intrusion into persons’ privacy under the Bill is minimal.
I would reiterate that the content of communications cannot be retained or disclosed under the Bill. This means, for example, that the law enforcement agencies cannot obtain information on the social networking sites that persons access. This may be regarded in some quarters as lessening its impact but, in the context of preserving privacy and compliance with international human rights instruments, it is one of the Bill’s strengths.
In 2005, the House welcomed the legislation that placed the retention of telephony data on a full statutory basis. This Bill extends the provisions of the 2005 Act to Internet data and the saving of human life. It also restricts the type of data that can be requested to the investigation of mainly serious offences and reduces the period of retention for telephony from three years to two years. Despite misgivings about the legislation and the retention of data generally by a small number of persons, I am confident that Senators will again welcome legislation that is so important to our law enforcement authorities in their constant battle to bring serious criminals, including terrorists, to justice.
For various reasons, the preparation of this Bill has been delayed. The present situation is that the European Commission undertook infringement proceedings against Ireland before the European Court of Justice and the court found that Ireland had failed to comply with its compliance obligations. Therefore, it is in all our interests, if only to avoid a large fine, that the Bill pass speedily through the Oireachtas and become law as soon as possible. While I look forward to a full debate on the Bill, I also look forward to its early enactment. I commend it to the House.
Senator Eugene Regan: I thank the Minister of State for outlining the position in respect of the Bill. He indicated that nothing new is created in the Bill and that it does no more than extend, with some changes, existing obligations relating to telephony and Internet data. He then referred to the infringement proceedings and suggested we should get on with passing the legislation. Those proceedings came about as a result of the failure to adopt national legislation in respect of this matter. The digest relating to this Bill, which was prepared by the Oireachtas Library and Research Service, highlights the fact that the “The domestic solution which had been under preparation by the Department was dropped in favour of pursuing a Data Retention Directive at European level”. As the Minister of State indicated, the Government joined other member states in trying to adopt a framework decision. The domestic approach then failed.
Ireland was involved from the outset in the attempt to formulate a solution at European level. However, the Minister of State failed to refer to the fact that it challenged, in the European Court of Justice, the decision to draft a directive and stated that this matter should have been dealt with by way of framework decision.
I cannot understand how a European directive, which was passed in 2006 and which was required to be transposed into law by 15 September 2007, has still not been accommodated within our legislative framework. The Minister of State now suggests that this is a pressing matter and that we need to get on with tackling it. The same line was trotted out a couple of weeks ago in respect of anti-money laundering legislation. Ireland was challenged in the European Court of Justice on two occasions in respect of the latter. The Minister of State indicated that a judgment has now been handed down against us and that we run the risk of having fines imposed, which is the case with regard to non-compliance with EU law.
The explanation the Minister of State offered in respect of the delay is just not sufficient. To be in default in respect of the transposition of EU law is a serious matter. It is most unsatisfactory that the Government continually introduces Bills and states that it is in default and that judgments have been made against it in respect of delays in transposing directives. The Minister of State indicated that the retention of data is important for many reasons, including in respect of combating organised crime, terrorism, etc. However, there has been a delay of almost three years beyond the implementation date relating to the directive. The Government does not have its priorities right in this area.
The transposition of the directive into Irish law should have been easy because the work relating to the subject matter of the Bill was done at European level. Ireland participated in the adoption of the directive at that level but there has still been a delay. One of the reasons offered by the Minister of State in this regard is that the matter must be dealt with by means of primary legislation and that, therefore, the publication of the Bill was delayed. Why would that lead to a delay in the publication of the Bill? I could understand if it had given rise to protracted debate within the Houses. However, it is quite unsatisfactory for such a delay to have occurred. It is extremely embarrassing for the country that it is in default in respect of the implementation of EU legislation which, as everyone acknowledges, is important, especially in the context of combating the most serious forms of organised crime.
The directive strikes a balance and, as is normally the case, bestows on member states a certain amount of latitude and flexibility with regard to how they choose to implement it. The directive also calls for remedies and refers to: “The right of any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with national provisions adopted pursuant to Directive 95/46/EC to receive compensation”. The directive is balanced and transposing it into national law could in no way be seen as difficult. In that context and in light of the importance of the exercise of that transposition, the Bill, notwithstanding the extraordinary and inexcusable delay in this introduction, must be welcomed.
A number of issues have been raised by certain groups. These issues relate to the balancing of people’s rights, particularly in the context of Article 8 of the European Convention on Human Rights. The German Constitutional Court recently handed down a judgment on the manner in which the directive was to be implemented in Germany. An issue with regard to the principle involved arises. However, the essential difficulty arises in the context of the safeguards that are implemented in national legislation. That is the issue which arose for the German constitutional court. The issue that arises for us is whether the safeguards and supervision and oversight mechanisms contemplated in the Bill will prove adequate.
Another issue arises with regard to retention periods and the fact that Ireland has chosen to impose the maximum retention period. The case has been made that this will impose a financial cost on service providers etc. However, an exceptional situation obtains in this country in that there has been a breakdown in law and order as a result of the activities of those involved in organised crime. The most recent report of the Independent Monitoring Commission refers to the resumption of terrorist attacks in Northern Ireland — invariably, such attacks will spill over into this State — and states that the threat of terrorist activity is at its highest level for some time. The retention periods provided for in the Bill are appropriate. However, provision should be made to review them every three years to assess whether such lengthy periods are required. This would add to the proportionality of the measures that are proposed. In view of the fact that Ireland has specific problems when it comes to organised crime and terrorism, the retention periods that are envisaged are appropriate for now.
Issues arise about the adequacy of the provisions regarding oral requests for disclosure of data. While there is provision for reports to the Minister and the European Commission, a regular report should be made to the Oireachtas on the implementation of the Bill, following its introduction. In addition, those affected by the illicit disclosure of personal data should be notified of any such leaks. There should be sanctions in place, as well as adequate remedies and compensation for those affected. An issue also arises regarding the cost of data retention and to impose it simpliciter on service providers without a contribution would be draconian.
An issue has been raised regarding the competitiveness of the economy, in that the Bill proposes the imposition of a highly onerous regime. This also must be taken into account. These are a number of the issues that can be dealt with on Committee Stage.
Fine Gael welcomes the introduction of the Bill, although the delay in its introduction was inexcusable. I reserve my position in respect of tabling amendments on Committee Stage that I consider to be appropriate.
Senator Denis O’Donovan: I support the Bill and welcome the Minister of State, Deputy Mary White. I believe this is my first time to speak before her in this Chamber. I wish her luck in her new brief, in which I am sure she will be a breath of fresh air. I refer to an ongoing debate in this Chamber in which I have yet to speak, namely, the role of women in politics and so on. In that regard, it is a major plus for feminists and women, in particular, to see a new face among the ranks of Ministers of State.
While the gestation period of the Bill has been prolonged, its framework and the concept for it within legislation has been in place for at least 30 years. I note that in the historical perspective offered to the House by the Minister of State, Deputy Finneran, he went back to the first piece of legislation dating from 1983 and outlined how things had changed in the short time since. At the time there was no Skype, there were no mobile phones and the Internet had not been developed. There has been a technological revolution in respect of e-commerce and e-mailing, as well as Twitter and tweets, etc. Therefore, even if this legislation had been introduced ten years ago, because of the pace of technological advances within the last decade, in particular, it probably would have required updating and change. Consequently, I do not perceive the delay in the introduction of the Bill as a ground for major criticism of the Government.
I broadly welcome the Bill. In particular, one should note that in some of the high profile crimes solved in recent years such as those involving Wayne O’Donoghue and Joe O’Reilly, evidence intercepted by the Garda Síochána was critical in the conviction and incarceration of those guilty of serious crimes. There is no doubt but that in the war the Government and the State, irrespective of who is in power, wage against organised crime, this legislation will have a major role to play. However, in introducing such important legislation, one should caution, as my colleague, Senator Regan, has also noted, that one cannot underestimate the great significance of the test case brought in Germany. I refer to a fairly recent landmark decision in which the German constitutional court actually rejected the European Union directive.
The Minister of State should respond on the European Union-wide implications of this decision by a court in Germany. Germany is both a major player in the support of the euro and one of the strongest and most powerful countries within the European Union. However, while this decision probably does not completely overthrow the entire purpose of the European Union directive and this legislation, nevertheless it places a huge question mark against the future direction of the directive. It has caused consternation from a legal perspective in respect of the equivalent legislation in Germany. I seek to establish what the repercussions are and what ripple effect this will have on other European Union countries.
I consider the Constitution to be the most fluid and active written constitution within the European Union. Not many other countries have such a written constitution. If one considers the Australian and American systems, one finds the 1937 Constitution has been the second most amended constitution in constitutional history. The number of amendments introduced in our relatively short history is phenomenal. Therefore, from a constitutional perspective, the Minister of State should reflect on the implications, if any, of such a challenge here. There is a doubt at the back of my mind that should such a constitutional challenge take place, it might give rise to the prospect, however worrying it may be for the Government, that it might create a roadblock to the legislation under discussion. Perhaps I am acting as devil’s advocate in this regard, but one should not walk away from or dismiss lightly this matter.
On the subject of crime and criminal law, the appropriate use of this legislation in the fight against organised crime will be welcome. It is needed by the country, the Garda and the Defence Forces. It is welcome that, as far as I can discern in reading through the Bill, an attempt to intercept or gather information and keep it for the period set out therein must be sanctioned by a chief superintendent of the Garda or a colonel in the Army.
I also note the legislation will extend the powers of the Revenue Commissioners. I have some reservations about this because the Revenue Commissioners already have draconian powers. While I make this point in a balanced and non-derogatory fashion, as a young solicitor dealing with the powers of Customs and Excise back in the early 1980s, I can recall an instance in which a European lady’s car was confiscated while she was shopping in Bantry. When she emerged, she was unable to find her car and it took her a day or two to establish where it had been taken and who had taken it. In other words, through the use of such draconian powers, a sledgehammer is being used to crack a nut. The Revenue Commissioners, the Customs Service and so on have great draconian powers as matters stand and I have an uneasy feeling that such powers are being extended willy-nilly to Revenue in many areas.
Of course, I condemn organised efforts and scams to deprive Revenue of funding, whether it be VAT fraud or cross-Border dealings involving the illicit importation of diesel or cigarettes. While I understand it has a job to do, such powers should be controlled and investigated. Moreover, if mistakes are made, such powers might be curtailed, if that is the correct term to use, at ministerial level.
It is important we recognise what is happening in other European countries in this respect. My colleague referred to the Bills Digest through which I browsed to check legislative changes made and the background to what was happening in other EU member states. There are comparative data retention schemes in France. Following transposition of the data directive, France retains data on telephony and Internet usage for one year. Under our proposal, such data would be retained for three years. In Germany matters are in disarray because of a court decision. In Belgium the justice Ministry proposes to introduce a two year data retention period. Given that the directive is being transposed into law in member states, why does a standard two or three-year retention period not apply across Europe? Why will the period that will apply here be different from that which will apply in Belgium or another member state?
I wish to deal with a matter, to which the Minister of State did not refer. We have had the amazing experience of what has happened in the banking sector during the past three years, whether one would describe it as white collar fraud or gross negligence. The provisions of this legislation probably cannot be applied retrospectively, but could they be applied to oversee the way in which banks do business? They have brought the country to its knees in the past two or three years by making serious mistakes which bordered on being criminal. They over-lent funds to young people who were anxious to enter the property market. A game of Russian roulette was being played in the market, in which the sky was the limit with regard to the prices paid for plots of land which were totally over-valued. Taxpayers now have to foot the bill. I ask the Minister of State to consider whether this legislation could be used to monitor the way banks do business. Perhaps I am losing the run of myself in making this suggestion.
If information was available on the activities of criminals, it would be far more valuable than giving extra powers to the Revenue Commissioners. However, I broadly welcome the legislation. It would be good if it was of assistance in putting organised criminals behind bars. I have mentioned two recent cases, particularly that of Joe O’Reilly, where data used by the Garda enabled it to put behind bars two people who would otherwise probably have walked free. That was a very good achievement on its part. I hope the Minister of State or whoever will deal with the Bill on Committee Stage will reflect on the few points I have made.
Senator David Norris: I also welcome the Minister of State and, like my colleagues, broadly welcome the Bill, although I have some reservations about it. I have already organised the tabling of amendments to it.
The Minister of State outlined the background to the legislation, to which Senator Regan referred, namely, the European directive and the attempt by the Government to transpose it into Irish law. The problem is — this is a point to which I will return — that in the transposition of the directive there has not been homogenous application of its provisions in all European countries. I will point to certain discrepancies between this country and certain other European countries which place elements of Irish business at a disadvantage. That is my first point.
In his recital of the history of the origins of the legislation the Minister of State invoked the spectre of the Madrid bombings, terrorism and so on. Interestingly, he also indicated that the Data Protection Commissioner had intervened at a certain stage to reduce drastically, from three years to six months, the period within which data had to be retained. I find this very interesting, particularly in the light of the reservations expressed by the commissioner concerning the retention of data in criminal cases.
I join my colleagues in welcoming the fact that the Garda Síochána managed to use what the Minister of State described as a “who, what, where and when” of telephonic records to secure convictions in recent murder cases. This can only be applauded by citizens. However, concerns have been raised about the retention of data in circumstances where citizens have been acquitted. This appears to go completely against the presumption of innocence, a cardinal tenet of law. I would like the Minister of State to examine this matter because it is very serious.
Will the Minister of State explain or ask the Minister of State who introduced the legislation what he meant when he said: “. . . it was decided, for a technical reason, to proceed by way of primary legislation [having already contemplated doing so by secondary legislation]?” It is not sufficient for the information of the House to be simply told that a matter was decided for a technical reason; we need full disclosure. I would like to know exactly what was that technical reason. It may perhaps refer to the series of cases to which Senator Regan adverted.
The Minister of State also said: “Section 2 gives effect to Article 1.2 of the directive by providing that the Bill does not apply to the content of communications.” How, in the name of God, could it, unless there was routine recording of conversations? I seek an assurance that this does not happen. I can tell the House that 25 or 30 years ago my telephone was tapped. I attempted to do something about this, but I came up against a brick wall. Of course, as I was not a journalist at that stage, I did not receive any answer or compensation. However, one needs to be reassured that one’s telephone conversations will remain private. I will be calling in another context for the introduction of a law on privacy. I have a house in Cyprus and on top of the Troodos Mountains where I live there are the golf balls of the allies. I know what they are used for; they are used to listen in to every single telephone conversation. This is done electronically and recordings are triggered by the use of certain words. I frequently speak the word “al-Qaeda” into the telephone just to cause a bit of bother.
Reference was made to the Revenue Commissioners, in which respect Senator O’Donovan expressed concern. I would be delighted if some of the big boys were caught, but with regard to the idea that tackling tax evasion is always a top priority for the Revenue Commissioners, I wonder about this and the effectiveness of their operations. I have always been a compliant taxpayer, always tried to pay every single penny that I owe in tax and made my returns on time. Therefore, I was surprised to receive a bill for an extra €2,000 on the basis that I had made a late submission. Luckily, I had kept the receipt and was able to show that that was not the case, but I did not receive an apology. I received a cheque for €450, which is a little different from them trying to extract €2,000 from me. If I was a dotty old widow or widower, I probably would have paid the bill. Therefore, when the Revenue Commissioners obtain information, let us make sure they will use it appropriately and efficiently.
With regard to security and safety concerns about data kept on laptops, there is a good deal of nonsense spoken. Yesterday I was stuck in a stone corridor between two locked fire doors in the basement of Leinster House. How safe was I if there had been an explosion? In the old days one could have bought one’s old computer for €100 when one was issued with one, but now we are told we cannot do this because of security concerns. That is bizarre. If there were secrets on our computers, they would be ours. In any case I had never used my computer. I wanted to take one to Cyprus to learn how to use it and leave another one here but that was not acceptable. I said there was nothing on my computer. We can be a little daft about such matters. The point I am making is that most instances of security failure are due to human frailty, not a technical flaw.
I wish to deal with another serious point. I have been briefed by the Internet Service Providers Association of Ireland which is concerned that some of the proposals made in the Bill will seriously weaken the industry’s competitive edge, deter innovative Internet-based businesses from establishing here and hurt Ireland’s reputation as e-commerce hub. This is a development of what I said, that there is not homogenous application of the provisions of the directive throughout the European Union. My concerns come under four headings and include the timescale, which is too long and about which other Members have indicated they might have slight concerns, the cost burden to the Internet supplier, the flawed procedures, in particular, inappropriate applications, oral applications and so on, and unfair liability.
In regard to the timescale, the Minister of State said the majority of countries had this timescale or a longer one. The facts are as follows. Luxembourg, Germany, Lithuania, Slovakia and Holland apply a six-month retention period for Internet data. We can clearly see the one-year requirement stipulated in the Communications (Retention of Data) Bill puts Irish Internet service providers at a serious and distinct disadvantage. I suggest a six-month Internet data retention period. This is vital to ensure Ireland maintains its status as an e-commerce hub. It relates to competition. The cost of doing business here must not be greater than overseas. For example, Holland, with its six-month retention period, is an advanced e-commerce nation and a serious competitor to Ireland. We must retain our competitive position.
I will table an amendment to amend section 3(1), which deals with Internet data, to read “in the case of the data in the category specified in Part 2 of Schedule 2, a period of six months”. I propose this reduction and ask the Minister of State to consider it.
There is the cost burden. Most EU member states do not reimburse costs incurred by operators to retain and retrieve data, but some do. I will give some examples which are among our main competitors. France, Germany and Holland, which is one of our main competitors, provide funds to cover certain operational costs. Lithuania covers the cost of retention if public authorities request that particular data is retained for more than six months. France and Germany have lists for the different kinds of data requests and their corresponding payments. In the Czech Republic, Finland and Britain, money spent on equipment acquired to retain and retrieve data is reimbursed. Irish ISPs are placed at a disadvantage vis-à-vis those countries, including serious competitors like Holland where some form of reimbursement is provided. Other services provided to law enforcement, equipment, fuel, etc. are paid for. Why should the provision of this service be treated differently? I will suggest a subsection requiring ISPs to be reimbursed for capital expenditure and operating costs. That will probably be ruled out of order because it will be seen as imposing a cost on the Exchequer but I will at least seek to have the principle ventilated.
There is the question of flawed procedures. The provisions in regard to the complaints procedure in section 10(1) are flawed and will serve only to encourage sloppy work. For example, evidence secured by a search warrant is rendered invalid if the strict stipulations governing such a search warrant are not followed. Why should there be any difference for a disclosure request concerning electronic data? Why should the authority be bothered to follow the rules if the end results will be invalid anyway? The options for redress are unacceptably limited. The recommendation is that section 10(1) be amended so that a contravention of section 6 in regard to a disclosure request shall make the disclosure request invalid and any such contravention shall be subject to an investigation in accordance with the subsequent provisions of this section and nothing in this subsection shall affect case of action for the infringement of a constitutional right.
I refer to unfair liability and immunity. The Bill does not express immunity from liability of a service provider which, in good faith, discloses data on request which purports to be in accordance with the new regulations but which is not. Examples would be if data is not requested for the purpose of the detection, investigation or prosecution of serious offences or an error is made in the date and time or the wrong subscriber is identified. I will table an amendment in this regard.
I refer to unfair liability and the question of oral versus written requests. As Members all know, oral requests for anything can be a bit tendentious. There is a serious potential risk in section 6(5) regarding disclosure requests. There is the potential problem of documentation not arriving and no proof the request was ever made. It places Internet service providers in danger of falling into civil law traps.
Section 6(5) should be dropped. Requests should be written or a unique request numbering system should be used so that when an oral request is made, it is allocated a unique identifier in the same manner as if it were written which must then be placed on the subsequent written request. If the written request is not received, the ISP would have this reference to prove the oral request was made. We are basically talking about a paper trail and actual, clear and factual evidence. It would obviate a situation where somebody could say he or she telephoned and made a request. We would have no proof. In these serious matters, some degree of proof is needed so this unique identifier is an important element. I hope the Minister of State will consider it seriously.
Senator Dan Boyle: I welcome my colleague, the Minister of State, who has responsibility for data protection, which is an important element of this wider debate. In regard to the framing of a Bill of this type, which tries to balance the need for the State to have access to information for security purposes and the rights of the person, we badly need to get it right. Much protracted discussion took place between the Departments of Justice, Equality and Law Reform and the Department of Communications, Energy and Natural Resources on this issue. It is right it is given that consideration because we need to bear in mind what is being compromised in passing legislation of this nature.
The legislation must be put on the Statute Book to conform with an EU directive. However, that is under question following the decision of the German Constitutional Court. While we need legislation on the retention of data, the extent to which the provisions of this Bill cover our obligations under the EU directive is a subject worthy of discussion. The reason the German Constitutional Court decided to strike down the German legislation was because of what it termed the exceptional intensity of interference with human rights. The German Government was subsequently obliged to put clear and transparent measures in place to ensure data safety and adequate legal remedies for citizens in regard to the misuse of personal data. That is what a Bill of this type should try to do.
In looking at the German legislation and at this Bill as it progresses through Committee and Report Stages, I hope we will come up with the most effective legislation in this area. The difficulty in dealing with a Bill which refers to data retention is that we must also refer to data protection. I was subject to hacking in recent months. Given how loose the Internet can be and how easily information can be got from third party sources and subsequently used, we need greater legal protection, so I welcome the fact we are debating this Bill.
As several speakers said, we received representations from the Internet Service Providers Association of Ireland which made useful points. I am not sure whether all of them can be acceded to or even agreed with, but what it said about the timescale for the retention of data bears consideration given that countries such as Germany, the Netherlands and Slovakia apply a six-month retention period whereas this Bill refers to a 12-month retention period.
There are issues in regard to who bears the cost of data retention and how it should be shared between the various people involved in the process. Again, EU member states have applied different criteria. France, Germany and the Netherlands cover certain operational costs while Britain, Finland and the Czech Republic reimburse capital expenditure involved in the retention of data. As a vested interest, the Internet Service Providers Association of Ireland is right to ask these questions and to ensure the legislation is strengthened accordingly.
The area of unfair liability is a bit more nebulous and how it is defined will probably exercise greater legal minds than mine. The presence of Senators Regan and Bacik might help to clear up some of those inconsistencies as the legislation progresses.
One of our responsibilities as legislators is to look at the issue for which legislation is required and identify those affected by the introduction of the legislation. It is proper for the Internet Service Providers Association of Ireland to ask questions and to ask us, as legislator, to respond accordingly. On those grounds, I look forward to the further progress of this Bill. I hope lessons can be learned from what occurred in Germany and that we retain the minimum amount of information for the shortest period, that we limit the use of and access to this information and protect the principle of individual freedom.
Senator Ivana Bacik: I welcome the Minister of State. The Labour Party broadly welcomes the purpose of the Bill. Ireland is obliged to pass legislation on foot of the 2006 directive. It is unfortunate, however, that the European Court of Justice has found Ireland to be in breach of our obligations due to the delay in transposing the directive. The Minister of State indicated one of the reasons for the delay was a desire to implement the directive through primary legislation. While I appreciate it is preferable to enact primary legislation to implement the directive, it was perfectly possible to draft and pass primary legislation in both Houses with much greater speed than has been the case with the Bill before us. This desire for primary legislation alone is not sufficient reason for the delay.
I note that on Tuesday last, the European Commission published a Green Paper outlining its initiatives in the area of freedom, security and justice for the years 2010 to 2014. One of the initiatives outlined on data retention is the need to evaluate and, if necessary, amend the data retention directive. The Commission states it will adopt an evaluation report in autumn 2010 and make it public. It is unfortunate that while a review and evaluation of how the directive has been operating in practice in domestic systems throughout the European Union is under way, Ireland is still transposing the directive into primary law.
While the Labour Party acknowledges that data retention is a useful and important principle and requires, as the Minister of State noted, a sound statutory framework, we and others have concerns about the extent of the safeguards in the Bill given the encroachments it makes on individual rights to privacy. I accept the Minister of State’s point that the Bill does not relate to the content of communications which is not covered by its terms. Nonetheless, it permits the retention of data for a much longer period than that permitted in other member states.
While the timeframe for data retention is one issue, as others have highlighted, it is unfortunate that Ireland is among the small minority of member states to opt for the maximum period of two years for retention of telephone data, as provided for in Part 1 of Schedule 2. This decision is unfortunate and unnecessary. It would have been more appropriate to limit the retention period to a maximum of one year, which is the standard term in use in other member states. Some states use the minimum period of six months. I believe such a period would have been sufficient for the Internet data provided for in Part 2 of Schedule 2. Rather than having this data retained, as envisaged, for one year, it should be retained for six months.
The Data Protection Commissioner recommended that a one year retention period for telephone traffic data and a six month period for Internet data would have been sufficient. The commissioner pointed out that the Garda Síochána rarely requests data that is more than one year old. The two year retention period is, therefore, unnecessary and unduly onerous.
A good deal of representation has been made to the Minister on behalf of service providers. The Internet Service Providers Association of Ireland, for example, has been in consultation with the Minister and Department and has written to Members arguing that whereas Ireland will require a one year retention period for Internet data, countries such as Germany, the Netherlands, Slovakia, Luxembourg and Lithuania apply a six month retention period. The association argues that the extra costs and resources required to meet the one year requirement for Internet data will put many Irish Internet service providers at a distinct disadvantage.
In addition to the argument made from the business side, an argument is also made from the perspective of privacy rights and civil liberties. We should use the minimum period necessary to make the legislation effective. Given what the Data Protection Commissioner has advised, it is not necessary to use the two year maximum for telephone data and one year maximum for Internet data. Timeframes of one year for telephone data and six months for Internet data would have been more appropriate.
Deputy Sherlock raised concerns in the Dáil about whether the Bill has been superseded in some senses as a crime prevention measure by the Criminal Justice (Surveillance) Bill. He also referred to the volume of requests for retained data submitted by the Garda. For example, in 2006 Deputy Howlin noted in the Dáil that 10,000 requests were made by the Garda for access to personal telephone records under the powers contained in the Criminal Justice (Terrorist Offences) Act. With approximately 30 requests per day being made in 2006, it begs the question as to whether all these requests were necessary to investigate serious crime. Such requests must be subject to scrutiny and oversight.
One of the reasons a sound statutory framework is important is that it would provide a legislative basis for oversight and scrutiny. While I am pleased the Bill includes provisions on oversight and scrutiny, they are not sufficient to ensure adequate protections. The Data Protection Commissioner, in a forthright briefing provided in November 2009, stated that the safeguards provided for in the Bill and the 2005 Act were far from adequate.
A number of the oversight and safeguard mechanisms provided for in the legislation are flawed. A concern has arisen regarding section 12, which deals with the duties of the designated judge, that until now the annual reports of the designated judge have been rather cursory, consisting of one line stating that legislative provisions have been complied with. We need to ensure that under section 12 more detail is provided by the designated judge on the operation of the provisions of the legislation.
Further, provision is not made in section 12 or elsewhere for the officer of the Garda Síochána, Revenue Commissioners or Defence Forces who seeks disclosure to be held to account if there is an abuse of process, for example, if the officer abuses the facility to seek disclosure. The corollary of this flaw is the flaw in section 10. It provides in subsection (1) that a contravention of section 6, which provides for the process of requesting disclosure, does not of itself render the disclosure request invalid. This is unfortunate as it means a disclosure request made in breach of section 6 and in a manner that amounts to an abuse of power by an officer of the Garda, Revenue or Defence Forces may still be valid and will not constitute a cause of action according to section 10(1). This is unfortunate as it means the safeguards lack teeth.
When the Bill was first mooted I publicly highlighted a further point regarding safeguards. In February 2009 — this shows how long the Bill has been in gestation — in an article in The Irish Times, Karlin Lillington referred to a concern I had expressed regarding the comeback, if one likes, for an individual who believes a request for disclosure of data relating to him or her was made in breach of the Act or was an abuse of power. While an individual in such circumstances may apply to the referee under section 10(2) for an investigation into the matter, this is somewhat meaningless as a means of securing redress because the legislation does not include a mechanism whereby a person whose data has been disclosed would be informed or notified of such disclosure. I argued that section 10 should be amended to provide for a duty of notification of a person in respect of whom data had been requested. My criticism of the legislation in this regard was itself criticised. It is important to note, however, that in many other countries such a notification is in place. Clearly, notification would have to be made some time after the disclosure request is made because no one is suggesting a Garda, Revenue or Army investigation should be jeopardised in any way. It is not about notifying a person when a disclosure request is being made or shortly thereafter. There is a duty of notification in Germany, the US and Canada after a period of time has passed following the request for disclosure. There is no reason for not amending the Bill to provide for this.
The Internet service providers have certainly raised issues about budgetary implications and the effect the lengthy timeframe in the Bill will have on their competitiveness within the EU, which is a very valid concern. The Data Protection Commissioner has also suggested that oversight provisions need to be significantly strengthened and has expressed doubt about the inclusion of the Revenue Commissioners. I accept that the Minister of State has stated there are important reasons for that and that the Revenue Commissioners’ powers will only be exercised in respect of six named revenue offences. Those offences should be named in the Bill, because they are not currently. If the Revenue Commissioners are to be included, they should then be made subject to some external oversight mechanism beyond this Bill, as occurs with the Garda Síochána Ombudsman Commission which has an oversight duty over any abuse of power by gardaí.
Senator Jim Walsh: Cuirim fáilte roimh an Aire Stáit inniu chun an Bille tábhachtach seo a phlé. I welcome the Minister of State to the House. While the Bill is relatively short, it is none the less important as we are transposing EU directives into our own domestic legislation. The primary purpose of the Bill is to put an obligation on providers of publicly available electronic communications services to retain certain data.
Many of our telephone service providers would historically have retained data for up to six years for their own use. We imposed an obligation on those providers of a three-year retention under the 1983 Act. That is available to the Garda but no such legislation underpins Internet data, and given the major use people make of the Internet and other electronic communications, it is important such an area would be regulated. It can assist the various State investigative bodies that are charged with ensuring compliance with the law in this country. We are reducing the three-year requirement under the 1983 Act to two years under this Bill. The Garda Síochána is satisfied with that change.
Most of our focus will probably be directed at Internet data. There is a provision under the EU directive to work within the parameters of retention for a period between six months and two years. We have selected 12 months as the optimum period. I presume that is being done after close consultation with the Garda, but I will come back to this point later.
A disclosure request by the Garda when conducting an investigation can only be made under the provisions of the Bill where a prison sentence of five years would apply to the offence in question. I think there are five specified offences in the Schedule, and this recognises that there is an impingement on the privacy of individuals when we give powers to State bodies to use data which are personal to the individual citizen.
Senator Bacik mentioned that there is no offence for the abuse of process in this instance. Can the Minister of State clarify this? If there is such an omission in the Bill, it should be examined because we are moving from the telephony era to the Internet era. I believe that abuse of process in this area should be a serious offence. If we look at the codes of practice that companies have for dealing with the abuse of electronic information by employees, we find that it is a sackable offence in most instances. It is viewed as being serious. I would not like to think we do not have penalties commensurate with the level of abuse and which should be imposed on anybody who failed to meet the standard we expect of them.
It is right that the Data Protection Commissioner and people involved in human rights organisations would take an interest in the detail of the Bill. I noted that interest and it surprised me to an extent, especially given the manner in which serious crime is so well organised and the difficulties encountered by the authorities charged with tackling gang related activities. There are constraints on the authorities and some of those are for good reason, but if data retention is only concerned with the who, where and when of communication and the Garda cannot request information about the content of a phone call or Internet message, then I would query the wisdom of such a policy. If we are going down this road, the purpose should be to bring people to account who are guilty of serious offences. Restricting it in this way would raise questions about the benefit we would get from this.
I also have questions about the offences under the authority of the Revenue Commissioners. The Data Protection Commissioner has also raised queries about this. Can the Minister of State tell the House if all the offences mentioned in the Bill are offences that would carry a prison sentence of five years or more? Some of them appear to be offences that should not be included in the provisions of this Bill for pursuit by the Revenue Commissioners.
Senator Paschal Donohoe: I welcome the Minister of State and I welcome the opportunity to speak on this Bill. It is the first time I have addressed the Minister of State since she was appointed to her new post, so I wish her the best of luck.
I wish to focus on the cost and business implications of this Bill. Our country is rightly prioritising the smart economy as an engine that will deliver a sustainable economic recovery for Ireland. It is vital we look at legislation that has an impact on the use of technology and ensure there are no consequences to passing this Bill that would prove an unacceptable burden on our competitiveness. I use that phrase carefully. When one goes out to deliver a social objective, sometimes that objective is so important that the cost is worth bearing by the State. However, my concern is that unforeseen consequences of this legislation could impact on the viability of home-grown or international companies that depend on technology, including the Internet, for their viability. I refer to the contribution by the Internet Service Providers’ Association of Ireland in its analysis of the Bill. The association has raised a number of points that I want to put on the record. I hope that on Committee Stage the Minister will be able to respond in detail to some of those points, which appear worthy of further analysis. The thrust of the association’s argument is that the Bill has consequences that will adversely affect our ability to be an e-commerce hub. One aspect is the period of time for which Internet data would need to be retained in our own jurisdiction. The legislation proposes a period of one year, but Germany and Slovakia have retention periods of six months. The Netherlands, which is a competitor of ours in the e-commerce area, also has a six-month data retention period. Therefore, we would be asking companies here to have a data retention period which is longer than some of our competitor nations. That additional six months would place an extra cost on such companies. All these little costs add up to affect the competitiveness of a business. I would like the Minister of State to clarify this point in her response to this Second Stage debate or on Committee Stage. I want to know specifically why we will have a data retention period that is longer than that which applies in some of our competitor countries.
The second point concerns the cost burden, which we frequently discuss in this House. It is clear the State’s regulatory touch in various parts of the economy has been far too light. As we seek to increase that, it will generate costs. Those costs need to be borne in all cases because it is clear that light regulation has been to the great detriment of the entire country.
One of the consequences of this Bill will be an additional cost for data retention, as well as a cost for servicing that data over the relevant period. As other countries seek to implement equivalent legislation, I have been informed that in those jurisdictions the state bears some of the costs involved. Specifically, France, Germany and the Netherlands cover some of the costs of implementing this sort of legislation. In addition, Britain will reimburse companies for the capital expenditure involved. In the absence of such a commitment here, the cost will fall on Internet service providers. The latter companies will either absorb the cost themselves, which will affect their profitability, or the cost will be passed on those using Internet services, whether they are individual consumers or businesses. What can we do to ensure the cost is minimised and is borne in such a way that it will not affect Ireland’s viability as an e-commerce hub?
My third point concerns disclosure requests. On Committee Stage I will be seeking information on how such requests will be dealt with. What will the consequences be for businesses and individuals if these disclosure requests are not dealt with properly, and if issues arise over serving them?
A fourth point concerns the issue of liability. The Bill appears to infer that if a data or service provider provides data to the State, in good faith, on foot of a request which subsequently turns out to be flawed — in that it is not in keeping with the regulations we are discussing here — there would appear to be some uncertainty about the status of the data provider if that data turns out to be flawed.
I would welcome a response from the Minister of State to those four points, as well as an opportunity to discuss them. This Bill is both welcome and necessary, but what can we do to ensure it will not have a detrimental effect on the viability of businesses that provide such Internet services?
Minister of State at the Department of Justice, Equality and Law Reform (Deputy Mary Alexandra White): I thank all Senators who contributed to this debate. I hope the importance of data information in the investigation of serious crime, including gangland and transnational crime, and in safeguarding our country against terrorist activity, has been conveyed. I also hope the importance of the balance between this use of data retention to fight serious crime and the right of every citizen to privacy has been clearly shown.
Data retention is a tried and tested valuable tool in the investigation of crime and in safeguarding the security of the State and it has not received as much attention as some of the more recent initiatives for fighting crime, in particular gangland crime. These include the Criminal Justice (Amendment) Act and the Criminal Justice (Surveillance) Act, which were passed into law as recently as last July.
I wish to refer to the memorandum of understanding that is being negotiated between the Garda Síochána, the Permanent Defence Forces, the Revenue Commissioners and the representative associations of the vast majority of telephony operators and Internet service providers in the State. It is a work in progress and, while virtually complete, can not be finalised until the Bill is enacted. As the legislation will come into operation on the day it is signed into law, it is important the providers are in a position to comply with their duties under it. The only way that can be achieved is for advance discussions to take place with the law enforcement authorities that are entitled to make disclosure requests under the legislation.
The negotiations in Brussels on the directive took place at a time of very rapid developments in technology. This was recognised by the Commission and the member states. It was clear that the directive could soon become out of date, and less useful as an investigatory tool for law enforcement agencies, if it tried to over-interpret the data which it was intended should be retained and disclosed. For that reason, the Commission established two committees for the purpose of identifying problems in implementing the directive.
One of the committees consists of national experts from a selected group of member states, including Ireland. The types of problems that committee addresses are related to matters such as the obligation to retain data, who should retain it, and the type of data that need not be retained, such as spam. These issues feed into the other committee consisting of representatives of all member states. The latter committee reports on the implementation of the directive in member states, and hears from experts from the technology companies on relevant issues. In our case, they also feed into the discussions on the memorandum of understanding.
All sides involved in the discussions on the memorandum of understanding recognise that it is to the benefit of all of them, and ultimately to the benefit of law enforcement in this country, if the Garda Síochána, Revenue Commissioners and the Defence Forces know what providers can reasonably retain, within the parameters established in the directive, and that the providers know what is required of them under the directive by the law enforcement authorities.
The purpose of the memorandum is simply to ensure the directive operates as intended. I greatly welcome the initiative of all concerned in its negotiations. It does what would not be feasible in the Bill — that is, it sets out in more detail what is required to be retained under the directive. For example, there has been some comment on which provider should retain a particular piece of data. Recital 13 of the directive states that data should be retained in such a way as to avoid being retained more than once. Accordingly, if more than one service provider is in possession of particular data, only one need retain it for the purposes of the directive. The detail on which provider retains duplicated data can only be agreed in discussions between the service providers and the law enforcement authorities.
The question of human rights and privacy arises when legislation such as this Bill is proposed. It is recognised that all personal information is important to the individual and that is why the intrusion into a person’s privacy is kept to a minimum and is only used in serious instances. No content is retained or disclosed under the directive or the legislation, for example, the content of a telephone call or e-mail or web sites visited. What is retained could be compared to an envelope with a note inside where what is required to be retained is the address on the envelope with the note inside being destroyed. The directive addresses the human rights implications in recital 9. It refers to Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, under which everyone has the right to respect for his or her private life and correspondence. It states:
Like approximately half of the member states, we do not reimburse the costs associated with the retention of data. It is recognised that this is a burden on the providers and that, naturally, they would prefer if the State did reimburse the costs. They have argued strongly in discussions with officials from the Department of Justice, Equality and Law Reform for the costs to be reimbursed but, ultimately, they have accepted that the money, which would have to come from the Garda Vote, is not available. The willingness of the providers to bear the cost of implementation is appreciated. It is an example of civic mindedness at its best, where companies with information at their disposal make it available in accordance with strict statutory guidelines to the law enforcement authorities. In order that there would be a full understanding of the costs of implementing the legislation, the service providers were asked to provide their best estimate of those costs. The composite figure we received, which represents the total costs of the nine biggest players in the industry, was a once-off amount of €2.9 million on capital expenditure and annual running costs of approximately €1.6 million.
Reference has been made to the recent decision of the German Constitutional Court which struck down the German legislation transposing the directive. Two important points should be borne in mind when discussing that decision. The court did not find that data retention was unconstitutional in Germany, but simply the way the directive was transposed. Second, this was a German court examining German legislation in the context of the German Constitution. The issue was with transposition, which apparently went beyond what was required, not the directive. This does not affect the way we transpose the directive or our timescale for transposition. As matters stand, any further delay in our transposition process could entail a substantial fine being levied on Ireland.
I would like to respond to some of points raised in the course of the debate. Senator Regan criticised the delay in publishing the Bill. There were two reasons for the delay. The consultation process with the service providers took longer than expected and the original plan to transpose the directive by means of secondary legislation had to be abandoned, resulting in a delay in publishing the Bill.
Senator O’Donovan asked why it was necessary to give the Revenue Commissioners power to make disclosure requests and if they could not make them through the Garda. The Revenue Commissioners received legal advice some time ago that a law enforcement authority could only make a disclosure request for its own purposes. That ruled out any question of the Revenue Commissioners making their requests through the Garda. The Customs Service, in particular, is involved in the investigation of serious crimes, such as the importation of illegal goods such as drugs, which have international crime implications. It would be illogical to deprive it of the investigating tool provided for in the Bill.
Senator O’Donovan also asked why it was necessary to retain data for two years when most other countries can make do with 12 or six months. He referred to standard retention practices in the European Union. The directive allows data to be retained for between six months and two years. The Department of Justice, Equality and Law Reform has been advised by our law enforcement authorities that the minimum period required for the retention of telephony data is two years and for Internet data, 12 months. It was explained in the opening remarks that the two-year period for telephony data is a reduction of one year from the present law and a four-year reduction from past practice. The vast majority of data are requested within the first six months of being generated. However, the quality and potential of data that is older makes the retaining of data for a longer period essential. For example, when a gangland criminal is charged with an offence, it may be necessary to request data that is up to two years old in the case of telephony data that might help to identify other members of the gang. Similarly, if a person is arrested in the State on suspicion of being a member of an international terrorist organisation, telephony data going back for two years may help in identifying a gang preparing a major terrorist outrage.
The two-year retention period for telephony data is among the highest retention periods provided by other member states. Most have legislated for 12 months, with two or three opting for six months. It is understandable that some member states legislating for data retention for the first time might wish to steer a middle course. The 12-month retention period for Internet data seems to be in the mainstream of how other member states have implemented that aspect. The European Commission is reviewing the operation of the directive and issues such as the retention periods are likely to be addressed in that review.
Senator Norris asked what was the technical reason the directive could not be transposed by way of secondary legislation. In the normal course, directives are implemented by way of secondary legislation. The European Communities Act 1972, as amended, so provides and given the volume of directives, that is the only practical way of implementing the majority of directives. However, primary legislation is required under Article 29 of the Constitution where the State exercises an option or discretion in the transposition procedure. In the Data Retention Directive, there is a provision in Article 1 requiring each member state to ensure data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law. Advice was received in the Department of Justice, Equality and Law Reform that defining serious crime for the purpose of transposing the directive could be interpreted as exercising a discretion and it would be safer to proceed by way of primary legislation. Accordingly, in order to ensure that the implementation would not be held up through a court challenge, it was decided to cease work on the statutory instrument that had been prepared and to proceed by way of a Bill. Another reason it was originally decided to transpose by way of secondary legislation was to meet the implementation deadline. It was always intended after that to prepare the type of legislation now proposed in order to fill in some gaps in the directive, such as requiring data for the purpose of saving human life and safeguarding the security of the State.
Senator Bacik asked about the six Revenue offences. These are named in section 1 of the Bill under the definition of “Revenue offence”. In response to Senator Walsh, all the Revenue offences have a maximum prison sentence of five years.
|Last Updated: 15/12/2010 12:31:29||Page of 10|