The Communications (Retention oI Data) act 2011 was passed on the 26 th January 2011 beIore the dissolution oI the 30 th Dail. Historically the area was governed by the Postal and Telecommunications Services Act 1983. S. Applies both to the content and the inIormation derived Irom the intercepted messages.
Original Description:
Original Title
A review of the Communications (Retention of Data) Act 2011
The Communications (Retention oI Data) act 2011 was passed on the 26 th January 2011 beIore the dissolution oI the 30 th Dail. Historically the area was governed by the Postal and Telecommunications Services Act 1983. S. Applies both to the content and the inIormation derived Irom the intercepted messages.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOCX, PDF, TXT or read online from Scribd
The Communications (Retention oI Data) act 2011 was passed on the 26 th January 2011 beIore the dissolution oI the 30 th Dail. Historically the area was governed by the Postal and Telecommunications Services Act 1983. S. Applies both to the content and the inIormation derived Irom the intercepted messages.
Copyright:
Attribution Non-Commercial (BY-NC)
Available Formats
Download as DOCX, PDF, TXT or read online from Scribd
Mchel O'Dowd. O`Hanlon & O`Dowd Solicitors - October 2011 www.odowd.ie
The Communications (Retention oI Data) Act 2011 was passed on the 26 th January 2011 beIore the dissolution oI the 30 th Dail. Broadly speaking the Act transposes Directive 2006/24/EC (The Data Retention Directive).
Historv of Data Retention and Wiretaps in Ireland reland has had something oI a chequered past when it comes to the privacy oI Communications. Historically the area was governed by the Postal & Telecommunications Services Act 1983. Section 98 oI the 1983 Act made it an OIIence Ior a person who
(a) intercepts or attempts to intercept. or (b) authorises. suffers or permits another person to intercept. or (c) does anvthing that will enable him or another person to intercept.
telecommunications messages being transmitted bv the companv or who discloses the existence. substance or purport of anv such message which has been intercepted or uses for anv purpose anv information obtained from anv such message.
The company in this case would have been Telecom Eireann. Amending legislation however has broadened the deIinition Irom 'the company to all 'authorised undertakings. Kelleher in his book notes that s.98 applies both to the content and the inIormation derived Irom the intercepted messages. 1 n the wake oI Kennedy v. reland which involved wiretaps being illegally installed on Journalist`s telephones 2 the government introduced the Postal Packets and Telecommunications Messages (Regulation) Act 1993. Section 2 oI the act provided that a Minister Ior Justice could give an authorisation Ior a wiretap, subiect to the conditions in speciIied in sections 4 (iustiIying a criminal investigation), 5(iustiIying an investigation in the interests oI the security oI the state) and 6(applications Ior authorization) being complied with, but only Ior the purpose oI criminal investigation or in the interests oI the security oI the State. Section 13 oI the 1993 Act also inserted into section 98 a new subsection (2A). This provided that a person employed by a company who disclosed, to any person, any inIormation concerning the use made oI telecommunications services provided Ior any other person by the company was guilty oI an oIIence. As always there were exceptions, and these were: (a) at the request or with the consent of that other person. (b) for the prevention or detection of crime or for the purpose of anv criminal proceedings. (c) in the interests of the securitv of the State. (d) in pursuance of an order of a court. (e) for the purpose of civil proceedings in anv court. or
1 Kelleher, Privacv and Data Protection Law in Ireland. (Tottell, 2006) p 448 2 |1987| R 587 Page 2 (f) to another person to whom he is required. in the course of his dutv as such emplovee. to make such disclosure. 3
t was also required that a request by a member oI the Garda Siochana to a person employed by the company to make a disclosure was to be signed by a member oI the Garda Siochana not below the rank oI chieI superintendent, and Iurther that a request by an oIIicer oI the DeIence Forces to a person employed by the company to make a disclosure shall be in writing and be signed by an oIIicer oI the Permanent DeIence Force who holds an army rank not below that oI colonel. Practice in the telecommunications industry was to retain all data Ior the period oI the statute oI limitations, i.e. 6 years. 4
The Department oI Justice, Equality and Law ReIorm and the then Department oI Public Enterprise came to an agreement that telephony data should be retained by the operators Ior three years, and directions issued by the Minister Ior Public Enterprise to the main telephony operators made under section 110(1) oI the Postal and Telecommunications Services Act 1983 in April 2002. Section 110 provides as Iollows, and like S98, its application is broadened to include the companies existing in a post deregulation era. The Minister mav issue directions in writing to either companv requiring the companv (a) to complv with policv decisions of a general kind made bv the Government concerning the development of the postal or telecommunications services of which he mav advise the companv from time to time.
The Data Protection Commissioner was unhappy with this solution, and he noted:
'Due to the lack of progress at national and EU level on the unsatisfactorv legislative basis for the retention of communications traffic data this was the subiect of comment bv me in mv previous reports-I had no option but to issue enforcement notices in earlv Januarv 2005 to three telecommunications companies requiring them with effect from 1 Mav 2005 to hold such data for national securitv purposes for a maximum period of twelve months. Two of the companies appealed the notices to the Circuit Court while the other did not. I noted that the legislative lacuna was being regularised in that amendments to the Criminal Justice (Terrorist Offences) Bill 2002 were introduced on 3 Februarv 2005-and subsequentlv passed- in Seanad Eireann bv the Minister for Justice. Equalitv and Law Reform. As I did not want unnecessarv legal costs to be incurred bv me or indeed the companies. I cancelled the Enforcement Notices on 7 Februarv in the expectation that this Bill would be enacted before 1 Mav 2005. Though a three vear retention period has been provided in the legislation. I remain of the view that this is an excessive period.` 5
The view oI the Data Protection Commissioner was not unreasonable. Directive 2002/58/EC provided in Article 15 that the retention oI data would be permissible 'when such restriction constitutes a necessarv. appropriate and proportionate measure within a democratic societv to safeguard national securitv (i.e. State securitv). defence. public
3 Postal Packets and Telecommunications Messages (Regulation) Act 1993, S 13. 4 Note however Artilce 29 Working Party document on Telco Billing periods, Opinion 1/2003 on the storage of traffic data for billing purposes, where it is suggested 3-6 months is more reasonable http://ec.europa.eu/iustice/policies/privacy/docs/wpdocs/2003/wp69en.pdI 5 Annual Report 2004 p. Page 3 securitv. and the prevention. investigation. detection and prosecution of criminal offences or of unauthorised use of the electronic communication svstem. Regarding an appropriate period Ior retention the directive suggested 'Member States mav. inter alia. adopt legislative measures providing for the retention of data for a limited period iustified on the grounds laid down in this paragraph`. The Commissioner Ielt that a balance had to be struck, but three years was in excess oI the 'limited period allowed Ior. 6
The result oI the Data Protection Commissioners enIorcement notice was the hurried introduction oI Part 7 oI the Criminal Justice (Terrorist OIIences) Act 2005. This legislation provided Ior the retention oI traIIic and location data regarding 'communications transmitted bv means of a fixed line or mobile telephone.` but not 'to the content of such communications`. 7 Ior a period oI three years. Section 63 provided:
(1) Subiect to subsections (2) and (4). the Garda Commissioner mav request a service provider to retain. for a period of 3 vears. traffic data or location data or both for the purposes of (a) the prevention. detection. investigation or prosecution of crime (including but not limited to terrorist offences). or (b) the safeguarding of the securitv of the State. (2) The data retention request must be made in writing. (3) Traffic data and location data that are in the possession of a service provider on the passing of this Act and that were retained bv the service provider for the purposes specified in subsection (1) are deemed to have been the subiect of a data retention request. but onlv if the 3 vear retention period for the data has not elapsed before the passing of this Act. (4) For the purposes of this Part. the 3 vear retention period begins (a) in the case of traffic data or location data referred to in subsection (3). on the date before the passing of this Act on which the data were first processed bv the service provider. or (b) in the case of anv other traffic data or location data. on the date on or after the passing of this Act on which the data were first so processed. (5) Notwithstanding anv other enactment or instrument. a service provider shall retain. for the purposes and the period specified in subsection (1). the data specified in a data retention request made to the provider. (6) Nothing in this section shall be taken as requiring a service provider to retain aggregated data or data that have been made anonvmous.
%e Data Retention Directive: Callenge bv Ireland The Data Retention Directive's ostensible Iunction is to harmonise Member States provisions concerning the obligations of the providers of publiclv available
6 See Press release oI DPC, 24/2/03: http://bit.ly/hcU5qd 7 Section 62 Page 4 electronic communications services or of public communications networks with respect to the retention of certain data which are generated or processed bv them. in order to ensure that the data are available for the purpose of the investigation. detection and prosecution of serious crime. as defined bv each Member State in its national law. 8
n case C301-06 it was argued that 'the choice of Article 95 of the Treatv establishing the European Communitv (TEC) as the legal basis for Directive 2006/24/EC (the Directive) is fundamentallv flawed.` Article 95 has now been renumbered Article 114 in the post Lisbon consolidation. 9 Michael McDowell, the rish Minister Ior Justice at the time Ielt it was a matter which was not internal market measure which could be agreed (by qualiIied maiority voting), and was instead a criminal matter (requiring unanimity). reland voted against the Directive.
Article 114(ex 95) provides that the EU Parliament and Council have competence Ior internal market measures: 'The European Parliament and the Council shall. acting in accordance with the ordinarv legislative procedure and after consulting the Economic and Social Committee. adopt the measures for the approximation of the provisions laid down bv law. regulation or administrative action in Member States which have as their obiect the establishment and functioning of the internal market.
reland however argued that
'...neither Article 95 TEC nor anv other provision of the TEC can provide a proper legal basis for the Directive. It is primarilv Irelands case that the sole or. alternativelv. the main or predominant purpose of the Directive is to facilitate the investigation. detection and prosecution of serious crime. including terrorism. In those circumstances. it is Irelands contention that the onlv permissible legal base for the measures contained in the Directive is Title JI of the Treatv on European Union (TEU). in particular Articles 30. 31(1)(c) and 34(2)(b).
In support of its submissions. Ireland has indicated that a consideration of the recitals to and the fundamental provisions of the Directive unquestionablv demonstrates that reliance upon Article 95 TEC as the legal basis for the Directive is whollv inappropriate and unsustainable. In that regard. it has pointed out that the Directive is clearlv and unambiguouslv directed towards the fight against serious crime. Accordinglv. Ireland submits that this constitutes the main or predominant purpose of the Directive and. indeed. its sole obiective. 10
Advocate General Bot noted that 'an act adopted on the basis of Article 95 EC must be intended to improve the conditions for the establishment and functioning of the internal market. In that regard. he notes that several Member States had legislated on data retention bv service providersand that those national provisions varied substantiallv. particularlv in regard to the retention period required and the tvpes of data to be retained. Such disparities could therefore make it necessarv to harmonise national provisions.`
8 Article 1 9 Link to Consolidated TEU: http://bit.ly/biYRC5 10 reland v Parliament and Council Case 301/06 Feb 10 2009 Page 5 He also took the view that 'the retention of data bv the providers of electronic communications services represents a significant financial burden on them which is proportionate to the amount of data to be retained and the retention period. It follows that. in the absence of harmonisation. a provider of electronic communications services would be faced with costs related to the retention of data which differ according to the Member State in which he wishes to provide those services. Such differences mav constitute barriers to the free movement of electronic communications services and mav create obstacles to the establishment and functioning of the internal market in electronic communications.`
As such he took the the view that the adoption oI the directive on the basis oI Article 114(95) EC was iustiIied.
While reland argued that the sole or main purpose oI the directive was the investigation, detection and prosecution oI serious crime, the Advocate General took the view that there is no doubt that the rationale oI the obligation to retain data lies in the Iact that it Iacilitates that obiective, the mere Iact that the directive reIers to such an obiective is not suIIicient Ior a Iinding that it is an act Ialling within the area covered by police and iudicial cooperation in criminal matters. 11
The European Court oI Justice upheld the view oI the Advocate General.
Data Retention Directive: Provisions Article 4 oI the Directive provides that: Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided onlv to the competent national authorities in specific cases and in accordance with national law. The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessitv and proportionalitv requirements shall be defined bv each Member State in its national law. subiect to the relevant provisions of European Union law or public international law. and in particular the ECHR as interpreted bv the European Court of Human Rights.
For the purposes oI the ECHR The European Court oI Human Rights established in Klass 12 that telephone communications Iall under both 'correspondence and 'private liIe and as such the protections oI Article 8 apply. t was held in Malone 13 that not iust the contents oI telephone communications but also the telephone numbers dialed (i.e. traIIic data) are protected under Art 8 ECHR. n Copland the court held that this principle also applies to e-mail. 14
The directive divides into 6 conceptual categories the data it requires to be retained as Iollows. Within this it outlines exactly the inIormation it wants to to be retained.
Article 5(1) oI the directive provides that the Iollowing categories should be retained:
11 http://curia.europa.eu/en/actu/communiques/cp08/aII/cp080070en.pdI 12 Klass and Others v. Germanv. ECHR 6.9.1978. 13 Malone v. The United Kingdom. ECHR. 2.8.1984. 14 Copland v. The United Kingdom.ECHR 3.4.2007. Page 6 (a) data necessary to trace and identiIy the source oI a communication: (1) concerning fixed network teleponv and mobile teleponv: (i) the calling telephone number, (ii) the name and address of the subscriber or registered user, (2) concerning Internet access, Internet e-mail and Internet teleponv: (i) the user ID(s) allocated, (ii) the user ID and telephone number allocated to anv communication entering the public telephone network, (iii) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address. user ID or telephone number was allocated at the time of the communication,
(b) data necessarv to identifv the destination of a communication. (1) concerning fixed network teleponv and mobile teleponv: (i) the number(s) dialled (the telephone number(s) called). and. in cases involving supplementarv services such as call forwarding or call transfer. the number or numbers to which the call is routed, (ii) the name(s) and address(es) of the subscriber(s) or registered user(s), (2) concerning Internet e-mail and Internet teleponv: (i) the user ID or telephone number of the intended recipient(s) of an Internet telephonv call, (ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the intended recipient of the communication, (c) data necessarv to identifv the date. time and duration of a communication. (1) concerning fixed network teleponv and mobile teleponv, te date and time of te start and end of te communication; (2) concerning Internet access, Internet e-mail and Internet teleponv: (i) the date and time of the log-in and log-off of the Internet access service. based on a certain time zone. together with the IP address. whether dvnamic or static. allocated bv the Internet access service provider to a communication. and the user ID of the subscriber or registered user, (ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephonv service. based on a certain time zone, (d) data necessarv to identifv the tvpe of communication. (1) concerning fixed network teleponv and mobile teleponv: te telepone service used; (2) concerning Internet e-mail and Internet teleponv: te Internet service used; (e) data necessarv to identifv users communication equipment or what purports to be their equipment. (1) concerning fixed network teleponv, te calling and called telepone numbers; (2) concerning mobile teleponv: (i) the calling and called telephone numbers, (ii) the International Mobile Subscriber Identitv (IMSI) of the calling partv, (iii) the International Mobile Equipment Identitv (IMEI) of the calling partv, (iv) the IMSI of the called partv, (v) the IMEI of the called partv, (vi) in the case of pre-paid anonvmous services. the date and time of the initial activation of the service and the location label (Cell ID) from which the service was activated, (3) concerning Internet access, Internet e-mail and Internet teleponv: Page 7 (i) the calling telephone number for dial-up access, (ii) the digital subscriber line (DSL) or other end point of the originator of the communication, (f) data necessarv to identifv the location of mobile communication equipment. (1) te location label (Cell ID) at te start of te communication; (2) data identifving te geograpic location of cells bv reference to teir location labels (Cell ID) during te period for wic communications data are retained.
Article 5(2) provides explicitly that no data revealing the content oI the communication may be retained pursuant to this Directive. Article 6 provides that Member States shall ensure that the categories oI data speciIied in Article 5 are retained Ior a minimum oI 6 months and a maximum oI two years.
Article 7 provides that without preiudice to the Data Protection Directive (95/46/EC) and ePrivacy Directive (2002/58/EC) member states are under an obligation to ensure that data retained must comply with a number oI minimum 'data security principles. These are: (a) the retained data shall be of the same qualitv and subiect to the same securitv and protection as those data on the network, (b) the data shall be subiect to appropriate technical and organisational measures to protect the data against accidental or unlawful destruction. accidental loss or alteration. or unauthorised or unlawful storage. processing. access or disclosure, (c) the data shall be subiect to appropriate technical and organisational measures to ensure that thev can be accessed bv speciallv authorised personnel onlv,
Article 11 amends Article 15 oI Directive 2002/58. ClariIying unambiguously the issues which conIronted the rish Data Protection Commissioner in 2003. t provides that 'Paragraph 1 shall not applv to data specificallv required bv Directive 2006/24/EC`.
Article 12 oI the Directive allows Ior a Member state to extend the periods allowed Ior in article 6. The method Ior extending the retention period is as Iollows: 1) A Member State 'facing particular circumstances that notifv an extension` may extend the retention period unilaterally. 15
2) The Member State shall immediately notiIy the Commission and the other member states and outline the grounds Ior introducing them. 3) The commission shall within 6 months oI the above happening either approve or reiect the measures. n doing so they shall examine whether the extension is 'a means of arbitrarv discrimination or a disguised restriction of trade between Member States and whether thev constitute an obstacle to the functioning of the internal market`. 16
15 Article 12(1) 16 Article 12(2) Page 8 4) naction on the part oI the commission will be an automatic approval. 5) I there is an approval in line with the above, the commission may consider whether to propose an amendment to the directive. There is no analogous provision in the directive however Ior reducing the period below 6 months.
Article 14 oI the Directive Provides Ior an Evaluation Report to be completed by the 15 th September 2010. This was to consider inter alia technological developments and as to whether the list oI data and periods oI retention should be amended. This report was assisted by the views oI the Article 29 Working Party. The Working party called Ior the deIinition oI minimum standards Ior the security measures to be taken by providers, and noted that 'Under directives 2006/24/EC and 2002/58/EC. the securitv of personal data must be proportionate to the risks arising from the processing of such data and the features of the data.(.) It is unquestionable that the implementation of the D.R. Directive carries specific risks to data subiects on account of the nature of traffic data.17 t also noted that security issues abounded the storage oI retained data, with only 45 oI companies having external audits or third party security accreditations. t suggested the Iollowing would assist in security retained data: strong access control to the retained data: , deIinition oI user responsibilities; , proIiles with diIIerent user privileges - strong authentication for system access: , dual authentication mechanisms, (i.e. password biometrics, or password token) - detailed tracking of accesses and processing operations: , log retention - log integrity: , encryption technology or equivalent measures - logical separation from other systems processing traffic data for commercial purposes - additional necessary measures: , detailing roles and Iunctions oI system administrators dealing with systems where traIIic data are stored Ior law enIorcement authority related purposes , ad-hoc policy documents The Article 29WP also suggested that the maximum retention period should be reduced, and all EU providers should comply with a single shorter term having Iound that that data is retained in Member States Ior 12 months (48), Ior more than 12 months (30), and Ior 6 to 12 months (22). The actual Evaluation report oI the Commission is overdue.
17 Report, Page 6 Page 9
Communications (Retention of Data) Act 2011
Section 3 oI the Act is the principle section, and it provides that a service provider shall retain the data in the categories as set out in Schedule 2 oI a period oI 2 years in respect oI 'Iixed network telephony and mobile telephony, and one year in respect oI 'internet access, internet e-mail and internet telephony data. t also provides that the periods oI retention commence Irom the passing oI the Criminal Justice (Terrorist OIIences) Act in the case oI data which was retained under that act (i.e data relating to voice communications), or Irom the date oI the passing oI the 2011 act in every other case (i.e. internet metadata).
The Act requires the Iollowing Data to be retained under section 3 in the case oI ~fixed network telephony and mobile telephony:
1. Data necessary to trace and identiIy the source oI a communication: (a) the calling telephone number; (b) the name and address oI the subscriber or registered user.
2. Data necessary to identiIy the destination oI a communication: (a) the number dialled (the telephone number called) and, in cases involving supplementary services such as call Ior warding or call transIer, the number or numbers to which the call is routed; (b) the name and address oI the subscriber or registered user.
3. Data necessary to identiIy the date and time oI the start and end oI a communication.
4. Data necessary to identiIy the type oI communication: the telephone service used.
5. Data necessary to identiIy users` communications equipment or what purports to be their equipment: (a) the calling and called telephone number; (b) the nternational Mobile Subscriber dentiIier (MS) oI the called and calling parties (mobile telephony only); (c) the nternational Mobile Equipment dentity (ME) oI the called and calling parties (mobile telephony only); (d) in the case oI pre-paid anonymous services, the date and time oI the initial activation oI the service and the cell D Irom which the service was activated (mobile telephony only).
6. Data necessary (mobile telephony only) to identiIy the location oI mobile communication equipment: (a) the cell D at the start oI the communication; (b) data identiIying the geographical location oI cells by reIerence to their cell D during the period Ior which communication data are retained. 18
18 Schedule 2, Part 1 Page 10
The Act requires the Iollowing Data to be retained under section 3 in the case oI ~internet access. internet email and internet telephony data:
1. Data necessary to trace and identiIy the source oI a communication: (a) the user D allocated; (b) the user D and telephone number allocated to any communication entering the public telephone network; (c) the name and address oI the subscriber or registered user to whom an nternet Protocol (P) address, user D or telephone number was allocated at the time oI the communication.
2. Data necessary to identiIy the destination oI a communication: (a) the user D or telephone number oI the intended recipient oI an nternet telephony call; (b) the name and address oI the subscriber or registered user and user D oI the intended recipient oI the communication. 3. Data necessary to identiIy the date, time and duration oI a communication: (a) the date and time oI the log-in and log-oII oI the nternet access service, based on a certain time zone, together with the P address, whether dynamic or static, allocated by the nternet access service provider to a communication, and the user D oI the subscriber or registered user; (b) the date and time oI the log-in and log-oII oI the nternet e-mail service or nternet telephony service, based on a certain time zone.
4. Data necessary to identiIy the type oI communication: the nternet service used.
5. Data necessary to identiIy users` communication equipment or what purports to be their equipment: (a) the calling telephone number Ior dial-up access; (b) the digital subscriber line (DSL) or other end point oI the originator oI the communication. 19
Section 4 oI the Act implements Article 7 oI the directive IaithIully with regard to Data Security.
Section 5 oI the Act provides that a service provider shall not access the retained data save as: (a) at the request and with the consent oI a person to whom the data relate, (b) Ior the purpose oI complying with a disclosure request, (c) in accordance with a court order, or (d) as may be authorised by the Data Protection Commissioner.
n light oI Section 5(c) it is noteworthy that this appears to put on a Iirm Iooting the availability oI a Norwich Pharmacal Order to disclose all inIormation held by the Data Retention Act. n light oI the decision in EMI v. Eircom (I), this appears to broaden exponentially the purposes Ior which retained data can be put. This issue is also the subiect oI a preliminary reIerence to the European Court oI Justice 20 Given the Iact Article 1(1) oI the Directive explicitly states that
19 Schedule 2, Part 2 20 ReIerence Ior a preliminary ruling Irom the Hgsta domstolen (Sweden) lodged on 20 September 2010 Page 11 the purpose Ior which data is retained is Ior the 'investigation, detection and prosecution oI serious crime, as deIined by each Member State in its national law this seems to be a step too Iar.
A disclosure request is made in accordance with section 6. t outlines three authorities who may make a request; the Garda Siochana, the DeIence Forces and the Revenue Commissioners. A member oI an Garda Siochana not below the rank oI chieI superintendent may request the disclosure oI data retained Ior the purposes oI: (a) the prevention, detection, investigation or prosecution oI a serious oIIence. n this case a serious oIIence means an oIIence punishable by imprisonment Ior a term oI 5 years or more, and an oIIence listed in Schedule 1. 21
(b) the saIeguarding oI the security oI the State, (c) the saving oI human liIe.
A Colonel oI the DeIence Forces may request a disclosure where that oIIice is satisIied that disclosure is required Ior the purposes oI saIeguarding the security oI the state. 22 .
A Principal oIIice oI the Revenue Commissioners may request data retained Ior the purpose oI 'the prevention, detection, investigation or prosecution oI a revenue oIIence. The deIinition oI a 'Revenue OIIence is deIined in section 1, and essentially includes tax Iraud; oil smuggling; non payment oI excise duties; and smuggling oI tobacco or alcohol. The CCL in their submission on the Bill noted that giving powers oI disclosure to Revenue OIIicials was a step too Iar, and that the Gardai could iust as easily request the data in the course oI prosecuting a revenue oIIence. They also recommend requests should be subiect to Judicial Approval.
A disclosure request must generally be made in writing under section 6(4), but in cases oI extreme urgency the request may be made orally and Iollowed up by written conIirmation within 2 working days. 23 Service providers are obliged to comply with the disclosure request due to section 7, and section 3(3) obliges a service provider to retain the data in a way that they may be disclosed without undue delay.
Section 9 oI the Act provides that the Gardai, DeIence Forces and Revenue Commissioners shall submit reports to their relevant ministers (i.e. Justice, DeIence and Finance as applicable). The reports shall include: (a) the number oI times when data had been disclosed in response to a disclosure request, (b) the number oI times when a disclosure request could not be met, (c) the average period oI time between the date on which the retained data were Iirst processed and the disclosure request.
Having been reviewed by the relevant ministers, the reports are to be Iorwarded to the Minister Ior Justice, who shall prepare a report on the operation oI the act Ior the European Commission. There is no mechanism Ior the publication oI
Bonnier Audio AB, Earbooks AB, Norstedts Frlagsgrupp AB, PiratIrlaget Aktiebolag, Storyside AB v PerIect Communication Sweden AB (Case C-461/10) http://bit.ly/IhiJC1 21 These are: An oIIence under sections 11 and 12 oI the Criminal Assets Bureau Act 1996; An oIIence under section 6 oI the Criminal Evidence Act 1992; An oIIence under section 12 oI the Non-Fatal OIIences against the Person Act 1997; An oIIence under section 1 oI the Prevention oI Corruption Acts 1889 to 1995; An oIIence under section 5 oI the Protections Ior Persons Reporting Child Abuse Act 1998. 22 Section 6(2) 23 Section 6(5) Page 12 a public report.
Section 10 oI the Act provides Ior a complaints procedure. Section 10(1) provides that:
A contravention of section 6 in relation to a disclosure request shall not of itself render that disclosure request invalid or constitute a cause of action at the suit of a person affected bv the disclosure request. but anv such contravention shall be subiect to investigation in accordance with the subsequent provisions of this section and nothing in this subsection shall affect a cause of action for the infringement of a constitutional right.
n light oI this it is hard to disagree with the CCL's view that the 'monitoring mechanisms proposed are lightweight`. Not unlike the system provided Ior in the nterception oI Postal Packets and Telecommunications Messages (Regulation) Act 1993 a person who Ieels hard done by shall make a complaint to a 'reIeree, who is one and the same person nominated under the 1993 Act. The reIeree may decide (a) whether a disclosure request was made as alleged in the application, and (b) iI so, whether any provision oI section 6 has been contravened in relation to the disclosure request. I, aIter investigating the matter, the ReIeree concludes that a provision oI section 6 has been contravened, the ReIeree shall (a) notiIy the applicant in writing oI that conclusion, and (b) make a report oI the ReIeree`s Iindings to the Taoiseach.
At the reIeree's discretion, he may: (a) direct the Garda Siochana, the DeIence Force or the Revenue Commissioners to destroy the relevant data and any copies oI the data, (b) make a recommendation Ior the payment to the applicant oI such sum by way oI compensation as may be speciIied.
The Decision oI the ReIeree is Iinal.
Again similar to the 1993 Act, a designated Judge shall (a) keep the operation oI the provisions oI this Act under review, (b) ascertain whether the Garda Siochana, the DeIence Force and the Revenue Commissioners are complying with its provisions, and (c) include, in the report to the Taoiseach under section 8(2) oI the Act oI 1993, such matters relating to this Act that the designated iudge considers appropriate.
Section 8 oI the 1993 Act obliges the Taoiseach to lay the report beIore the Oireachtas. Given the propensity Ior this report to date not to exceed a number oI lines and to be uncritical, it is suggested that this is not the most eIIective method oI iudicial oversight. However, Ior the Iirst time in 2010, Judge arIlaith O`Neill noted that he investigated a number oI alleged breaches oI Section 64(2) oI the Criminal Justice (Terrorist OIIences) Act 2005 which had been Page 13 committed by a member oI An Garda Siochana. 24 t appears happed is that a Garda was access the phone records oI an ex-boyIriend who became suspicious when she knew oI the calls he had made since they parted company. t appears that the Garda in question did not Iace any criminal sanctions. 25
SI 336 of 2011
Section 5 oI S 336 oI 2011 implements Directive 2009/136/EC and replaces S 535 oI 2003 and appears to put a Iurther gloss on the protections Ior the protection oI the privacy oI electronic communications by prohibiting the listening. tapping. storage or other kinds of interception or surveillance of communications and the related traffic data bv persons other than users. without the consent of the users concerned. This however is expressly without preiudice to Section 98 oI the 1983 act and Section 2 oI the 1993 act that we have discussed already. n what can only be considered poor draIting more akin to copying and pasting, the instrument also excepts a measure 'legally authorised under Article 15(1) oI the directive, where rights may be restricted where 'necessarv. appropriate and proportionate measure within a democratic societv to safeguard national securitv (i.e. State securitv). defence. public securitv. and the prevention. investigation. detection and prosecution of criminal offences or of unauthorised use of the electronic communication svstem`.
Exceptions are also allowed Ior communications systems to work by not preventing 'the technical storage of communications and the related traffic data which is necessarv for the convevance of a communication with out preiudice to the principle of confidentialitv`.
Also excepted is 'anv legallv authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of anv other business communication` The best example that comes to mind oI this is recordings oI calls Ior 'training and quality purposes but where an oral contract is made, Ior instance Ior insurance, a television package or mobile phone tariII.
Article 6 oI S 336 oI 2011 deals with the residual data leIt over Irom the Communications (Retention oI Data) Act 2011. t is provided that subiect to the provisions oI the instrument and the 2011 Act traIIic data relating to subscribers and users processed and stored Ior the purpose oI the transmission oI a communication shall be erased or made anonymous when it is no longer needed Ior that purpose.
Furthermore, it is expressly noted that telecommunications company may only process traIIic data necessary Ior the purpose oI subscriber billing and interconnection payments only up to the end oI the period in which the bill may be lawIully challenged and payment pursued or where such proceedings are brought during that period until those proceedings are Iinally determined. The company must inIorm its subscribers oI the types oI traIIic data that are processed and oI the duration oI such processing.
24 http://www.scribd.com/doc/49538701/nterception-and-Data-Retention-in-reland-Judicial-Report 25 'Garda accused oI bugging her ex-boyIriend, The Sunday Times, (20.02.2011) 'Garda who spied on her boyIriend will keep iob, The Sunday Times, (14.08.2011) Page 14 t should also be noted that Ior some reason the deIinition oI 'undertaking has been removed Irom S 336 oI 2011. n its predecessor an undertaking was deIined as ' a person engaged or intending to engage in the provision oI electronic communications networks or services or associated Iacilities 26 . Article 4 oI S 336 oI 2011 repeats this deIinition, in a diIIerent context. Undoubtedly the deIinition has not changed, but the wisdom oI removing a perIectly clear deIinition must be questioned.
In Conclusion The next interesting instalment in rish Law Regarding Data Retention will no doubt be the decision oI the European Court oI Justice in Digital Rights reland Ltd v. Minister Ior Communication & Ors. Digital Rights reland was granted permission to make a reIerence to the European Court oI Justice regarding whether Directive 2006/24/EC is invalid having regard to the Iundamental rights enioyed by the citizens oI the EU. DR were granted leave to bring a preliminary reIerence by the High Court oI the 5 th May 2010, and this matter is still outstanding. 27
26 Regulation 2 oI S 535 oI 2003 27 http://www.bailii.org/ie/cases/EHC/2010/H221.html