Mr. T.J. McIntyre:

There are two issues here. The first issue is the standard in Irish law under which surveillance can be carried out. The standard in Irish law at the moment is that surveillance can be carried out on someone by ministerial warrant in the case of listening to his or her phone calls, and by individual internal Garda authorisation and signature in the case of accessing his or her phone records. Following the recent judgment of the European Court of Justice in the Tele2-Watson case, I think it is reasonably clear that this is inadequate. The judgment in question makes it clear that there must be judicial authorisation of surveillance in the case of accessing phone records and - all the more so, it seems to me - in the case of listening to phone calls. The second issue is important as well. In the Tele2-Watson case, the court went on to say that in addition to having prior judicial authorisation before phone records can be accessed, there must also be some form of after-the-fact notification. In other words, the person whose phone records were accessed must be notified of that at a later stage - after the investigation has been concluded - as long as he or she can be notified without undermining a law enforcement purpose. His or her phone records may have been accessed innocently or accidentally, or because he or she was incidentally involved in an investigation targeting somebody else, but nevertheless he or she should be notified of the fact that those records were accessed so that he or she can challenge them, if necessary, and say "No, my phone records were wrongfully accessed, I was put under surveillance for an improper purpose and I want to take this matter further". As Deputy Wallace has pointed out, at the moment Irish mobile phone companies appear to be unwilling to respect this right. At the moment, Irish law does not provide for this right. It seems to me that because this is a requirement of the European Charter of Fundamental Rights, it is not just an obligation that is binding on the Irish State - it is an obligation that would be directly effective in the Irish courts. It seems to me that in an appropriate case, this would be binding on the Irish courts and indeed on the Data Protection Commissioner in assisting individuals to exercise their rights under the charter and under the GDPR.