Memorandum of Understanding
(signed [Insert date of final signing])

Memorandum of Understanding (MoU) between the Communications Industry [1] and the following state agencies [2]: The Commissioner of An Garda Síochána, The Permanent Defence Forces and The Revenue Commissioners, in relation to Section 5 of the Communications (Retention of Data) Act 2009.

Roles of the Communications Industry and state agencies relating to the Communications (Retention of Data) Act 2009, to include provisions of the Data Retention Enforcement Directive 2006/24/EC.

Purpose of the MoU

1. The purpose of the MoU is to promote efficient and effective standards of co-operation between the state and the Communications Industry:
   a. in dealing specifically with Section 5 of the Communications (Retention of Data) Act 2009 (hereinafter “the Act”);
   b. clarifying of the operating procedures to be utilised by parties to this MoU;
   c. detailing clearly the data to be retained by undertakings;
   d. protecting the rights of users; and
   e. assisting in the prevention of serious offences, the safeguarding of the security of the state and the saving of human life.

2. This MOU is only a non-binding statement of understanding or agreement and creates no legal obligations or commitments on the signing parties.

Background
3. This MoU operates on foot of the Act which gives effect to Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 [3] on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC [4], to provide for the retention and access to certain data for the purposes of the prevention of serious offences, the safeguarding of the security of the state and the saving of human life. The Act repeals the Criminal Justice (Terrorist Offences) Act 2005, part 7, and amends the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993.

[1] Represented by: ALTO, TIF and ISPAI. These groups are all industry associations, without prejudice to, or excluding any unrepresented communications undertaking in the state. The expression ‘undertaking’ shall be used to mean: Authorised operator, service provider or legal undertaking
[2] At the time of signing
[3] O.J. No. L105, 13.04.2006 p. 54
[4] O.J. No. L201, 31.07.2002 p. 37

4. This MoU sets out an understanding by the parties regarding implementation of the Act and in particular the details of data to be retained by members of the signatory industry associations. This MoU shall be considered to foster best industry practice.

5. This MoU does not operate to counter or contradict the legislative intent of the European Institutions or the Houses of the Oireachtas.

6. This MoU takes effect subject but not limited to, other legislative instruments [5] mentioned in the Act.

7. This MoU seeks to minimise the costs, time delay and audit requirements of complying with data access requests under the Act and to promote efficient administration of its requirements within the Communications Industry working with agencies of the state.

8. This MoU is intended to make formulation, transmission, verification and servicing of applications for data disclosure requests as efficient as possible and to ensure that an audit trail exists which is acceptable to the state, Courts and demonstrates compliance with Data Protection legislation.

Applicability
 
9. This MoU specifically mentions undertakings. In some limited instances, entities subject to the Act may not be authorised under the European Communities (Electronic Communications Networks and Services) Authorisation Regulations 2003 S.I. 306 of 2003 transposing Directive 2002/20/EC, but may be subject to the Act.

10. This MoU is applicable regardless of the requirement or preference to be Authorised under the Electronic Communications Networks and Services. In most cases undertakings will be subject to Authorisation requirements.

[5] Criminal Assets Bureau Act 1996 – 1996, No. 31
    Criminal Evidence Act 1992 – 1992, No. 12
    Criminal Justice (Terrorist Offences) Act 2005 – 2005, No. 2
    Customers Consolidation Act 1876, 39 & 40, Vict. Ch. 36
    Data Protection Act 1988 – 1988, No. 25
    Data Protection Acts 1988 and 2003
    Finance Act 1999 – 1999, No. 2
    Finance Act 2001 – 2001, No. 7
    Finance Act 2003 – 2003, No. 3
    Finance Act 2005 – 2005, No. 5
    Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 – 1993, No. 10
    Non-Fatal Offence Against the Person Act 1997 – 1997, No. 26
    Prevention of Corruption Acts 1889 to 1995
    Protections for Persons Reporting Child Abuse Act 1998 – 1998, No. 49
    Taxes Consolidation Act 1997 – 1997, No. 39
 
11. This applicability statement in no way fetters the discretion or powers of state agencies in the lawful conduct of criminal investigations. It should be noted that this MoU in no way applies to entities or undertakings with no publicly available or commercial connection to the communications industry [6] or entities who may record information for valid business purposes.

12. This MoU applies across the mobile network operator, fixed line network operator and Internet Service Provider – ISP, markets [7].

13. Fixed and mobile undertakings will already be operating in compliance with existing laws in the area of data retention and interception. Modifications brought about as a result of the Act should be read in line with the annexes and schedules to this MoU.

14. This MoU and the Act now includes legal requirements on ISPs or the ISP divisions of undertakings, the following points are noted and agreed:
   - An undertaking [8] shall retain data only in relation to a service that is provided directly by the provider and which is under the provider’s operational control;
   - Services provided using the providers network, datacentre, servers or other facilities by a third party, where the provider does not have operational control of the service, shall not be subject to retention by the provider; in this case, retention shall be responsibility of the 3rd party;
   - All events will be provided with a timestamp containing a time zone. This will not necessarily be the local time zone; and
   - While retained data may identify IP addresses, endpoint information and/or subscriber information presented by a user, providers do not seek to independently verify this information. In addition, providers cannot in general identify the individual actually using a device at a particular time.

15. This MoU contains three detailed schedules which have been agreed by the parties. These schedules are:
   - Schedule 1: Data to be retained relating to fixed and mobile network telephony – Retention period: 24 months;
   - Schedule 2: Data to be retained relating to Internet Service Providers (Internet Access, Internet email and Internet Telephony – VoIP) – Retention period: 12 months; and
   - Schedule 3: Procedures for making and servicing a data request.

Process steps

[6] Certain issues have been raised about the application of the Act to customers or end users. The Act does not apply to same e.g., banks, call centres etc.
[7] In some cases, Irish undertakings may be providing services in all three markets e.g., Mobile, Fixed and ISP.
[8] Specifically, in this section meaning either an Authorised Operator with an ISP division, or a standalone ISP.
