Page 1

Wiretaps and Data Retention in Ireland

Mchel O'Dowd. O`Hanlon & O`Dowd Solicitors - October 2011
www.odowd.ie

The Communications (Retention oI Data) Act 2011 was passed on the 26
th
January 2011 beIore the dissolution oI the
30
th
Dail. Broadly speaking the Act transposes Directive 2006/24/EC (The Data Retention Directive).

Historv of Data Retention and Wiretaps in Ireland
reland has had something oI a chequered past when it comes to the privacy oI Communications. Historically the area
was governed by the Postal & Telecommunications Services Act 1983. Section 98 oI the 1983 Act made it an OIIence
Ior a person who

(a) intercepts or attempts to intercept. or
(b) authorises. suffers or permits another person to intercept. or
(c) does anvthing that will enable him or another person to intercept.

telecommunications messages being transmitted bv the companv or who discloses the existence. substance or
purport of anv such message which has been intercepted or uses for anv purpose anv information obtained
from anv such message.

The company in this case would have been Telecom Eireann. Amending legislation however has broadened the
deIinition Irom 'the company to all 'authorised undertakings. Kelleher in his book notes that s.98 applies both to the
content and the inIormation derived Irom the intercepted messages.
1
n the wake oI Kennedy v. reland which involved
wiretaps being illegally installed on Journalist`s telephones
2
the government introduced the Postal Packets and
Telecommunications Messages (Regulation) Act 1993. Section 2 oI the act provided that a Minister Ior Justice could
give an authorisation Ior a wiretap, subiect to the conditions in speciIied in sections 4 (iustiIying a criminal
investigation), 5(iustiIying an investigation in the interests oI the security oI the state) and 6(applications Ior
authorization) being complied with, but only Ior the purpose oI criminal investigation or in the interests oI the security
oI the State.
Section 13 oI the 1993 Act also inserted into section 98 a new subsection (2A). This provided that a person employed
by a company who disclosed, to any person, any inIormation concerning the use made oI telecommunications services
provided Ior any other person by the company was guilty oI an oIIence. As always there were exceptions, and these
were:
(a) at the request or with the consent of that other person.
(b) for the prevention or detection of crime or for the purpose of anv criminal proceedings.
(c) in the interests of the securitv of the State.
(d) in pursuance of an order of a court.
(e) for the purpose of civil proceedings in anv court. or

1
Kelleher, Privacv and Data Protection Law in Ireland. (Tottell, 2006) p 448
2
|1987| R 587
Page 2
(f) to another person to whom he is required. in the course of his dutv as such emplovee. to make such
disclosure.
3


t was also required that a request by a member oI the Garda Siochana to a person employed by the company to make a
disclosure was to be signed by a member oI the Garda Siochana not below the rank oI chieI superintendent, and Iurther
that a request by an oIIicer oI the DeIence Forces to a person employed by the company to make a disclosure shall be in
writing and be signed by an oIIicer oI the Permanent DeIence Force who holds an army rank not below that oI colonel.
Practice in the telecommunications industry was to retain all data Ior the period oI the statute oI limitations, i.e. 6
years.
4

The Department oI Justice, Equality and Law ReIorm and the then Department oI Public Enterprise came to an
agreement that telephony data should be retained by the operators Ior three years, and directions issued by the Minister
Ior Public Enterprise to the main telephony operators made under section 110(1) oI the Postal and Telecommunications
Services Act 1983 in April 2002.
Section 110 provides as Iollows, and like S98, its application is broadened to include the companies existing in a post
deregulation era.
The Minister mav issue directions in writing to either companv requiring the companv
(a) to complv with policv decisions of a general kind made bv the Government concerning the development of
the postal or telecommunications services of which he mav advise the companv from time to time.

The Data Protection Commissioner was unhappy with this solution, and he noted:

'Due to the lack of progress at national and EU level on the unsatisfactorv legislative basis for the retention of
communications traffic data this was the subiect of comment bv me in mv previous reports-I had no option but
to issue enforcement notices in earlv Januarv 2005 to three telecommunications companies requiring them with
effect from 1 Mav 2005 to hold such data for national securitv purposes for a maximum period of twelve
months. Two of the companies appealed the notices to the Circuit Court while the other did not. I noted that the
legislative lacuna was being regularised in that amendments to the Criminal Justice (Terrorist Offences) Bill
2002 were introduced on 3 Februarv 2005-and subsequentlv passed- in Seanad Eireann bv the Minister for
Justice. Equalitv and Law Reform. As I did not want unnecessarv legal costs to be incurred bv me or indeed the
companies. I cancelled the Enforcement Notices on 7 Februarv in the expectation that this Bill would be
enacted before 1 Mav 2005. Though a three vear retention period has been provided in the legislation. I remain
of the view that this is an excessive period.`
5


The view oI the Data Protection Commissioner was not unreasonable. Directive 2002/58/EC provided in Article 15 that
the retention oI data would be permissible 'when such restriction constitutes a necessarv. appropriate and
proportionate measure within a democratic societv to safeguard national securitv (i.e. State securitv). defence. public

3
Postal Packets and Telecommunications Messages (Regulation) Act 1993, S 13.
4
Note however Artilce 29 Working Party document on Telco Billing periods, Opinion 1/2003 on the storage of traffic
data for billing purposes, where it is suggested 3-6 months is more reasonable
http://ec.europa.eu/iustice/policies/privacy/docs/wpdocs/2003/wp69en.pdI
5
Annual Report 2004 p.
Page 3
securitv. and the prevention. investigation. detection and prosecution of criminal offences or of unauthorised use of the
electronic communication svstem. Regarding an appropriate period Ior retention the directive suggested 'Member States
mav. inter alia. adopt legislative measures providing for the retention of data for a limited period iustified on the
grounds laid down in this paragraph`. The Commissioner Ielt that a balance had to be struck, but three years was in
excess oI the 'limited period allowed Ior.
6



The result oI the Data Protection Commissioners enIorcement notice was the hurried introduction oI Part 7 oI the
Criminal Justice (Terrorist OIIences) Act 2005. This legislation provided Ior the retention oI traIIic and location data
regarding 'communications transmitted bv means of a fixed line or mobile telephone.` but not 'to the content of such
communications`.
7
Ior a period oI three years. Section 63 provided:

(1) Subiect to subsections (2) and (4). the Garda Commissioner mav request a service provider to retain. for a
period of 3 vears. traffic data or location data or both for the purposes of
(a) the prevention. detection. investigation or prosecution of crime (including but not limited to terrorist
offences). or
(b) the safeguarding of the securitv of the State.
(2) The data retention request must be made in writing.
(3) Traffic data and location data that are in the possession of a service provider on the passing of this Act and
that were retained bv the service provider for the purposes specified in subsection (1) are deemed to have been
the subiect of a data retention request. but onlv if the 3 vear retention period for the data has not elapsed
before the passing of this Act.
(4) For the purposes of this Part. the 3 vear retention period begins
(a) in the case of traffic data or location data referred to in subsection (3). on the date before the passing of
this Act on which the data were first processed bv the service provider. or
(b) in the case of anv other traffic data or location data. on the date on or after the passing of this Act on which
the data were first so processed.
(5) Notwithstanding anv other enactment or instrument. a service provider shall retain. for the purposes and
the period specified in subsection (1). the data specified in a data retention request made to the provider.
(6) Nothing in this section shall be taken as requiring a service provider to retain aggregated data or data that
have been made anonvmous.

%e Data Retention Directive: Callenge bv Ireland
The Data Retention Directive's ostensible Iunction is
to harmonise Member States provisions concerning the obligations of the providers of publiclv available

6
See Press release oI DPC, 24/2/03: http://bit.ly/hcU5qd
7
Section 62
Page 4
electronic communications services or of public communications networks with respect to the retention of
certain data which are generated or processed bv them. in order to ensure that the data are available for the
purpose of the investigation. detection and prosecution of serious crime. as defined bv each Member State in
its national law.
8


n case C301-06 it was argued that 'the choice of Article 95 of the Treatv establishing the European Communitv
(TEC) as the legal basis for Directive 2006/24/EC (the Directive) is fundamentallv flawed.` Article 95 has now
been renumbered Article 114 in the post Lisbon consolidation.
9
Michael McDowell, the rish Minister Ior Justice at the
time Ielt it was a matter which was not internal market measure which could be agreed (by qualiIied maiority voting),
and was instead a criminal matter (requiring unanimity). reland voted against the Directive.

Article 114(ex 95) provides that the EU Parliament and Council have competence Ior internal market measures:
'The European Parliament and the Council shall. acting in accordance with the ordinarv legislative
procedure and after consulting the Economic and Social Committee. adopt the measures for the
approximation of the provisions laid down bv law. regulation or administrative action in Member States
which have as their obiect the establishment and functioning of the internal market.

reland however argued that

'...neither Article 95 TEC nor anv other provision of the TEC can provide a proper legal basis for the
Directive. It is primarilv Irelands case that the sole or. alternativelv. the main or predominant purpose of the
Directive is to facilitate the investigation. detection and prosecution of serious crime. including terrorism. In
those circumstances. it is Irelands contention that the onlv permissible legal base for the measures contained
in the Directive is Title JI of the Treatv on European Union (TEU). in particular Articles 30. 31(1)(c) and
34(2)(b).

In support of its submissions. Ireland has indicated that a consideration of the recitals to and the
fundamental provisions of the Directive unquestionablv demonstrates that reliance upon Article 95 TEC
as the legal basis for the Directive is whollv inappropriate and unsustainable. In that regard. it has pointed
out that the Directive is clearlv and unambiguouslv directed towards the fight against serious crime.
Accordinglv. Ireland submits that this constitutes the main or predominant purpose of the Directive and. indeed.
its sole obiective.
10


Advocate General Bot noted that 'an act adopted on the basis of Article 95 EC must be intended to improve the
conditions for the establishment and functioning of the internal market. In that regard. he notes that several Member
States had legislated on data retention bv service providersand that those national provisions varied substantiallv.
particularlv in regard to the retention period required and the tvpes of data to be retained. Such disparities
could therefore make it necessarv to harmonise national provisions.`


8
Article 1
9
Link to Consolidated TEU: http://bit.ly/biYRC5
10
reland v Parliament and Council Case 301/06 Feb 10 2009
Page 5
He also took the view that 'the retention of data bv the providers of electronic communications services represents a
significant financial burden on them which is proportionate to the amount of data to be retained and the retention
period. It follows that. in the absence of harmonisation. a provider of electronic communications services would be
faced with costs related to the retention of data which differ according to the Member State in which he wishes to
provide those services. Such
differences mav constitute barriers to the free movement of electronic communications services
and mav create obstacles to the establishment and functioning of the internal market in electronic
communications.`

As such he took the the view that the adoption oI the directive on the basis oI Article 114(95) EC was iustiIied.

While reland argued that the sole or main purpose oI the directive was the investigation,
detection and prosecution oI serious crime, the Advocate General took the view that there is no doubt that the rationale
oI the obligation to retain data lies in the Iact that it Iacilitates that obiective, the mere Iact that the directive reIers to
such an obiective is not suIIicient Ior a Iinding that it is an act Ialling within the area covered by police and
iudicial cooperation in criminal matters.
11


The European Court oI Justice upheld the view oI the Advocate General.


Data Retention Directive: Provisions
Article 4 oI the Directive provides that:
Member States shall adopt measures to ensure that data retained in accordance with this Directive are
provided onlv to the competent national authorities in specific cases and in accordance with national law. The
procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in
accordance with necessitv and proportionalitv requirements shall be defined bv each Member State in its
national law. subiect to the relevant provisions of European Union law or public international law. and in
particular the ECHR as interpreted bv the European Court of Human Rights.

For the purposes oI the ECHR The European Court oI Human Rights established in Klass
12
that telephone
communications Iall under both 'correspondence and 'private liIe and as such the protections oI Article 8 apply.
t was held in Malone
13
that not iust the contents oI telephone communications but also the telephone numbers
dialed (i.e. traIIic data) are protected under Art 8 ECHR. n Copland the court held that this principle also applies to
e-mail.
14


The directive divides into 6 conceptual categories the data it requires to be retained as Iollows. Within this it outlines
exactly the inIormation it wants to to be retained.

Article 5(1) oI the directive provides that the Iollowing categories should be retained:

11
http://curia.europa.eu/en/actu/communiques/cp08/aII/cp080070en.pdI
12
Klass and Others v. Germanv. ECHR 6.9.1978.
13
Malone v. The United Kingdom. ECHR. 2.8.1984.
14
Copland v. The United Kingdom.ECHR 3.4.2007.
Page 6
(a) data necessary to trace and identiIy the source oI a communication:
(1) concerning fixed network teleponv and mobile teleponv:
(i) the calling telephone number,
(ii) the name and address of the subscriber or registered user,
(2) concerning Internet access, Internet e-mail and Internet teleponv:
(i) the user ID(s) allocated,
(ii) the user ID and telephone number allocated to anv communication entering the public
telephone network,
(iii) the name and address of the subscriber or registered user to whom an Internet Protocol
(IP) address. user ID or telephone number was allocated at the time of the communication,

(b) data necessarv to identifv the destination of a communication.
(1) concerning fixed network teleponv and mobile teleponv:
(i) the number(s) dialled (the telephone number(s) called). and. in cases involving
supplementarv services such as call forwarding or call transfer. the number or numbers to
which the call is routed,
(ii) the name(s) and address(es) of the subscriber(s) or registered user(s),
(2) concerning Internet e-mail and Internet teleponv:
(i) the user ID or telephone number of the intended recipient(s) of an Internet telephonv call,
(ii) the name(s) and address(es) of the subscriber(s) or registered user(s) and user ID of the
intended recipient of the communication,
(c) data necessarv to identifv the date. time and duration of a communication.
(1) concerning fixed network teleponv and mobile teleponv, te date and time of te start and
end of te communication;
(2) concerning Internet access, Internet e-mail and Internet teleponv:
(i) the date and time of the log-in and log-off of the Internet access service. based on a
certain time zone. together with the IP address. whether dvnamic or static. allocated bv the
Internet access service provider to a communication. and the user ID of the subscriber or
registered user,
(ii) the date and time of the log-in and log-off of the Internet e-mail service or Internet
telephonv service. based on a certain time zone,
(d) data necessarv to identifv the tvpe of communication.
(1) concerning fixed network teleponv and mobile teleponv: te telepone service used;
(2) concerning Internet e-mail and Internet teleponv: te Internet service used;
(e) data necessarv to identifv users communication equipment or what purports to be their equipment.
(1) concerning fixed network teleponv, te calling and called telepone numbers;
(2) concerning mobile teleponv:
(i) the calling and called telephone numbers,
(ii) the International Mobile Subscriber Identitv (IMSI) of the calling partv,
(iii) the International Mobile Equipment Identitv (IMEI) of the calling partv,
(iv) the IMSI of the called partv,
(v) the IMEI of the called partv,
(vi) in the case of pre-paid anonvmous services. the date and time of the initial activation of
the service and the location label (Cell ID) from which the service was activated,
(3) concerning Internet access, Internet e-mail and Internet teleponv:
Page 7
(i) the calling telephone number for dial-up access,
(ii) the digital subscriber line (DSL) or other end point of the originator of the
communication,
(f) data necessarv to identifv the location of mobile communication equipment.
(1) te location label (Cell ID) at te start of te communication;
(2) data identifving te geograpic location of cells bv reference to teir location labels (Cell ID)
during te period for wic communications data are retained.

Article 5(2) provides explicitly that no data revealing the content oI the communication may be retained pursuant to this
Directive. Article 6 provides that Member States shall ensure that the categories oI data speciIied in Article 5 are
retained Ior a minimum oI 6 months and a maximum oI two years.

Article 7 provides that without preiudice to the Data Protection Directive (95/46/EC) and ePrivacy Directive
(2002/58/EC) member states are under an obligation to ensure that data retained must comply with a number oI
minimum 'data security principles. These are:
(a) the retained data shall be of the same qualitv and subiect to the same securitv and protection as those data
on the network,
(b) the data shall be subiect to appropriate technical and organisational measures to protect the data against
accidental or unlawful destruction. accidental loss or alteration. or unauthorised or unlawful storage.
processing. access or disclosure,
(c) the data shall be subiect to appropriate technical and organisational measures to ensure that thev can be
accessed bv speciallv authorised personnel onlv,

Article 11 amends Article 15 oI Directive 2002/58. ClariIying unambiguously the issues which conIronted the rish
Data Protection Commissioner in 2003. t provides that 'Paragraph 1 shall not applv to data specificallv required bv
Directive 2006/24/EC`.

Article 12 oI the Directive allows Ior a Member state to extend the periods allowed Ior in article 6. The method Ior
extending the retention period is as Iollows:
1) A Member State 'facing particular circumstances that notifv an extension` may extend the retention period
unilaterally.
15

2) The Member State shall immediately notiIy the Commission and the other member states and outline the
grounds Ior introducing them.
3) The commission shall within 6 months oI the above happening either approve or reiect the measures. n doing
so they shall examine whether the extension is 'a means of arbitrarv discrimination or a disguised restriction of trade
between Member States and whether thev constitute an obstacle to the functioning of the internal market`.
16


15
Article 12(1)
16
Article 12(2)
Page 8
4) naction on the part oI the commission will be an automatic approval.
5) I there is an approval in line with the above, the commission may consider whether to propose an amendment
to the directive.
There is no analogous provision in the directive however Ior reducing the period below 6 months.

Article 14 oI the Directive Provides Ior an Evaluation Report to be completed by the 15
th
September 2010. This was to
consider inter alia technological developments and as to whether the list oI data and periods oI retention should be
amended. This report was assisted by the views oI the Article 29 Working Party. The Working party called Ior the
deIinition oI minimum standards Ior the security measures to be taken by providers, and noted that 'Under directives
2006/24/EC and 2002/58/EC. the securitv of personal data must be proportionate to the risks arising from the
processing of such data and the features of the data.(.) It is unquestionable that the implementation of the D.R.
Directive carries specific risks to data subiects on account of the nature of traffic data.17 t also noted that security
issues abounded the storage oI retained data, with only 45 oI companies having external audits or third party security
accreditations. t suggested the Iollowing would assist in security retained data:
strong access control to the retained data:
, deIinition oI user responsibilities;
, proIiles with diIIerent user privileges
- strong authentication for system access:
, dual authentication mechanisms, (i.e. password biometrics, or password token)
- detailed tracking of accesses and processing operations:
, log retention
- log integrity:
, encryption technology or equivalent measures
- logical separation from other systems processing traffic data for commercial purposes
- additional necessary measures:
, detailing roles and Iunctions oI system administrators dealing with systems where traIIic data are stored
Ior law enIorcement authority related purposes
, ad-hoc policy documents
The Article 29WP also suggested that the maximum retention period should be reduced, and all EU providers should
comply with a single shorter term having Iound that that data is retained in Member States Ior 12 months (48), Ior
more than 12 months (30), and Ior 6 to 12 months (22). The actual Evaluation report oI the Commission is overdue.



17
Report, Page 6
Page 9

Communications (Retention of Data) Act 2011

Section 3 oI the Act is the principle section, and it provides that a service provider shall retain the data in the categories
as set out in Schedule 2 oI a period oI 2 years in respect oI 'Iixed network telephony and mobile telephony, and one
year in respect oI 'internet access, internet e-mail and internet telephony data. t also provides that the periods oI
retention commence Irom the passing oI the Criminal Justice (Terrorist OIIences) Act in the case oI data which was
retained under that act (i.e data relating to voice communications), or Irom the date oI the passing oI the 2011 act in
every other case (i.e. internet metadata).

The Act requires the Iollowing Data to be retained under section 3 in the case oI ~fixed network telephony and mobile
telephony:

1. Data necessary to trace and identiIy the source oI a communication:
(a) the calling telephone number;
(b) the name and address oI the subscriber or registered user.

2. Data necessary to identiIy the destination oI a communication:
(a) the number dialled (the telephone number called) and, in cases involving supplementary services such as call Ior
warding or call transIer, the number or numbers to which
the call is routed;
(b) the name and address oI the subscriber or registered user.

3. Data necessary to identiIy the date and time oI the start and end oI a communication.

4. Data necessary to identiIy the type oI communication:
the telephone service used.

5. Data necessary to identiIy users` communications equipment or what purports to be their equipment:
(a) the calling and called telephone number;
(b) the nternational Mobile Subscriber dentiIier (MS) oI the called and calling parties (mobile telephony only);
(c) the nternational Mobile Equipment dentity (ME) oI the called and calling parties (mobile telephony only);
(d) in the case oI pre-paid anonymous services, the date and time oI the initial activation oI the service and the cell D
Irom which the service was activated (mobile telephony only).

6. Data necessary (mobile telephony only) to identiIy the location oI mobile communication equipment:
(a) the cell D at the start oI the communication;
(b) data identiIying the geographical location oI cells by reIerence to their cell D during the period Ior which
communication data are retained.
18


18
Schedule 2, Part 1
Page 10

The Act requires the Iollowing Data to be retained under section 3 in the case oI ~internet access. internet email and
internet telephony data:

1. Data necessary to trace and identiIy the source oI a communication:
(a) the user D allocated;
(b) the user D and telephone number allocated to any communication entering the public telephone network;
(c) the name and address oI the subscriber or registered user to whom an nternet Protocol (P) address, user D or
telephone number was allocated at the time oI the communication.

2. Data necessary to identiIy the destination oI a communication:
(a) the user D or telephone number oI the intended recipient oI an nternet telephony call;
(b) the name and address oI the subscriber or registered user and user D oI the intended recipient oI the
communication.
3. Data necessary to identiIy the date, time and duration oI a communication:
(a) the date and time oI the log-in and log-oII oI the nternet access service, based on a certain time zone, together with
the P address, whether dynamic or static, allocated by the nternet access service provider to a communication, and the
user D oI the subscriber or registered user;
(b) the date and time oI the log-in and log-oII oI the nternet e-mail service or nternet telephony service, based on a
certain time zone.

4. Data necessary to identiIy the type oI communication:
the nternet service used.

5. Data necessary to identiIy users` communication equipment or what purports to be their equipment:
(a) the calling telephone number Ior dial-up access;
(b) the digital subscriber line (DSL) or other end point oI the originator oI the communication.
19


Section 4 oI the Act implements Article 7 oI the directive IaithIully with regard to Data Security.

Section 5 oI the Act provides that a service provider shall not access the retained data save as:
(a) at the request and with the consent oI a person to whom the data relate,
(b) Ior the purpose oI complying with a disclosure request,
(c) in accordance with a court order, or
(d) as may be authorised by the Data Protection Commissioner.

n light oI Section 5(c) it is noteworthy that this appears to put on a Iirm Iooting the availability oI a Norwich
Pharmacal Order to disclose all inIormation held by the Data Retention Act. n light oI the decision in EMI v. Eircom (I),
this appears to broaden exponentially the purposes Ior which retained data can be put. This issue is also the subiect oI a
preliminary reIerence to the European Court oI Justice
20
Given the Iact Article 1(1) oI the Directive explicitly states that

19
Schedule 2, Part 2
20
ReIerence Ior a preliminary ruling Irom the Hgsta domstolen (Sweden) lodged on 20 September 2010
Page 11
the purpose Ior which data is retained is Ior the 'investigation, detection and prosecution oI serious crime, as deIined by
each Member State in its national law this seems to be a step too Iar.

A disclosure request is made in accordance with section 6. t outlines three authorities who may make a request; the
Garda Siochana, the DeIence Forces and the Revenue Commissioners. A member oI an Garda Siochana not below the
rank oI chieI superintendent may request the disclosure oI data retained Ior the purposes oI:
(a) the prevention, detection, investigation or prosecution oI a serious oIIence. n this case a serious oIIence
means an oIIence punishable by imprisonment Ior a term oI 5 years or more, and an oIIence listed in
Schedule 1.
21

(b) the saIeguarding oI the security oI the State,
(c) the saving oI human liIe.

A Colonel oI the DeIence Forces may request a disclosure where that oIIice is satisIied that disclosure is required Ior the
purposes oI saIeguarding the security oI the state.
22
.

A Principal oIIice oI the Revenue Commissioners may request data retained Ior the purpose oI 'the prevention,
detection, investigation or prosecution oI a revenue oIIence. The deIinition oI a 'Revenue OIIence is deIined in
section 1, and essentially includes tax Iraud; oil smuggling; non payment oI excise duties; and smuggling oI tobacco or
alcohol. The CCL in their submission on the Bill noted that giving powers oI disclosure to Revenue OIIicials was a
step too Iar, and that the Gardai could iust as easily request the data in the course oI prosecuting a revenue oIIence. They
also recommend requests should be subiect to Judicial Approval.

A disclosure request must generally be made in writing under section 6(4), but in cases oI extreme urgency the request
may be made orally and Iollowed up by written conIirmation within 2 working days.
23
Service providers are obliged to
comply with the disclosure request due to section 7, and section 3(3) obliges a service provider to retain the data in a
way that they may be disclosed without undue delay.

Section 9 oI the Act provides that the Gardai, DeIence Forces and Revenue Commissioners shall submit reports to their
relevant ministers (i.e. Justice, DeIence and Finance as applicable). The reports shall include:
(a) the number oI times when data had been disclosed in response to a disclosure request,
(b) the number oI times when a disclosure request could not be met,
(c) the average period oI time between the date on which the retained data were Iirst processed and the
disclosure request.

Having been reviewed by the relevant ministers, the reports are to be Iorwarded to the Minister Ior Justice, who shall
prepare a report on the operation oI the act Ior the European Commission. There is no mechanism Ior the publication oI

Bonnier Audio AB, Earbooks AB, Norstedts Frlagsgrupp AB, PiratIrlaget Aktiebolag, Storyside AB v PerIect
Communication Sweden AB (Case C-461/10) http://bit.ly/IhiJC1
21
These are: An oIIence under sections 11 and 12 oI the Criminal Assets Bureau Act 1996; An oIIence under section 6 oI
the Criminal Evidence Act 1992; An oIIence under section 12 oI the Non-Fatal OIIences against the Person Act
1997; An oIIence under section 1 oI the Prevention oI Corruption Acts 1889 to 1995; An oIIence under section 5 oI
the Protections Ior Persons Reporting Child Abuse Act 1998.
22
Section 6(2)
23
Section 6(5)
Page 12
a public report.

Section 10 oI the Act provides Ior a complaints procedure. Section 10(1) provides that:

A contravention of section 6 in relation to a disclosure request shall not of itself render that disclosure request
invalid or constitute a cause of action at the suit of a person affected bv the disclosure request. but anv such
contravention shall be subiect to investigation in accordance with the subsequent provisions of this
section and nothing in this subsection shall affect a cause of action for the infringement of a constitutional
right.

n light oI this it is hard to disagree with the CCL's view that the 'monitoring mechanisms proposed are
lightweight`. Not unlike the system provided Ior in the nterception oI Postal Packets and Telecommunications
Messages (Regulation) Act 1993 a person who Ieels hard done by shall make a complaint to a 'reIeree, who is one and
the same person nominated under the 1993 Act. The reIeree may decide
(a) whether a disclosure request was made as alleged in the application, and
(b) iI so, whether any provision oI section 6 has been contravened in relation to the disclosure request.
I, aIter investigating the matter, the ReIeree concludes that a provision oI section 6 has been contravened, the ReIeree
shall
(a) notiIy the applicant in writing oI that conclusion, and
(b) make a report oI the ReIeree`s Iindings to the Taoiseach.

At the reIeree's discretion, he may:
(a) direct the Garda Siochana, the DeIence Force or the Revenue Commissioners to destroy the relevant data
and any copies oI the data,
(b) make a recommendation Ior the payment to the applicant oI such sum by way oI compensation as may be
speciIied.

The Decision oI the ReIeree is Iinal.

Again similar to the 1993 Act, a designated Judge shall
(a) keep the operation oI the provisions oI this Act under review,
(b) ascertain whether the Garda Siochana, the DeIence Force and the Revenue Commissioners are
complying with its provisions, and
(c) include, in the report to the Taoiseach under section 8(2) oI the Act oI 1993, such matters relating to this
Act that the designated iudge considers appropriate.

Section 8 oI the 1993 Act obliges the Taoiseach to lay the report beIore the Oireachtas. Given the propensity Ior this
report to date not to exceed a number oI lines and to be uncritical, it is suggested that this is not the most eIIective
method oI iudicial oversight. However, Ior the Iirst time in 2010, Judge arIlaith O`Neill noted that he investigated a
number oI alleged breaches oI Section 64(2) oI the Criminal Justice (Terrorist OIIences) Act 2005 which had been
Page 13
committed by a member oI An Garda Siochana.
24
t appears happed is that a Garda was access the phone records oI an
ex-boyIriend who became suspicious when she knew oI the calls he had made since they parted company. t appears
that the Garda in question did not Iace any criminal sanctions.
25



SI 336 of 2011

Section 5 oI S 336 oI 2011 implements Directive 2009/136/EC and replaces S 535 oI 2003 and appears to put a
Iurther gloss on the protections Ior the protection oI the privacy oI electronic communications by prohibiting the
listening. tapping. storage or other kinds of interception or surveillance of communications and the related traffic data
bv persons other than users. without the consent of the users concerned. This however is expressly without preiudice to
Section 98 oI the 1983 act and Section 2 oI the 1993 act that we have discussed already. n what can only be considered
poor draIting more akin to copying and pasting, the instrument also excepts a measure 'legally authorised under Article
15(1) oI the directive, where rights may be restricted where 'necessarv. appropriate and proportionate measure within
a democratic societv to safeguard national securitv (i.e. State securitv). defence. public securitv. and the prevention.
investigation. detection and prosecution of criminal offences or of unauthorised use of the electronic communication
svstem`.

Exceptions are also allowed Ior communications systems to work by not preventing 'the technical storage of
communications and the related traffic data which is necessarv for the convevance of a communication with out
preiudice to the principle of confidentialitv`.

Also excepted is 'anv legallv authorised recording of communications and the related traffic data when carried out
in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of anv
other business communication` The best example that comes to mind oI this is recordings oI calls Ior 'training and
quality purposes but where an oral contract is made, Ior instance Ior insurance, a television package or mobile phone
tariII.

Article 6 oI S 336 oI 2011 deals with the residual data leIt over Irom the Communications (Retention oI Data) Act 2011.
t is provided that subiect to the provisions oI the instrument and the 2011 Act traIIic data relating to subscribers
and users processed and stored Ior the purpose oI the transmission oI a communication shall be erased or made
anonymous when it is no longer needed Ior that purpose.

Furthermore, it is expressly noted that telecommunications company may only process traIIic data necessary Ior the
purpose oI subscriber billing and interconnection payments only up to the end oI the period in which the bill may be
lawIully challenged and payment pursued or where such proceedings are brought during that period until those
proceedings are Iinally determined. The company must inIorm its subscribers oI the types oI traIIic data that are
processed and oI the duration oI such processing.


24
http://www.scribd.com/doc/49538701/nterception-and-Data-Retention-in-reland-Judicial-Report
25
'Garda accused oI bugging her ex-boyIriend, The Sunday Times, (20.02.2011) 'Garda who spied on her boyIriend
will keep iob, The Sunday Times, (14.08.2011)
Page 14
t should also be noted that Ior some reason the deIinition oI 'undertaking has been removed Irom S 336 oI 2011. n
its predecessor an undertaking was deIined as ' a person engaged or intending to engage in the provision oI electronic
communications networks or services or associated Iacilities
26
. Article 4 oI S 336 oI 2011 repeats this deIinition, in a
diIIerent context. Undoubtedly the deIinition has not changed, but the wisdom oI removing a perIectly clear deIinition
must be questioned.


In Conclusion
The next interesting instalment in rish Law Regarding Data Retention will no doubt be the decision oI the European
Court oI Justice in Digital Rights reland Ltd v. Minister Ior Communication & Ors. Digital Rights reland was granted
permission to make a reIerence to the European Court oI Justice regarding whether Directive 2006/24/EC is invalid
having regard to the Iundamental rights enioyed by the citizens oI the EU. DR were granted leave to bring a
preliminary reIerence by the High Court oI the 5
th
May 2010, and this matter is still outstanding.
27






26
Regulation 2 oI S 535 oI 2003
27
http://www.bailii.org/ie/cases/EHC/2010/H221.html