Ms Geraldine Moore:

I thank the Chairman and the committee for this opportunity to participate in the pre-legislative scrutiny of the general scheme of the communications (retention of data) Bill which was published in October. The purpose of the Bill is to update data retention law in Ireland to take account of evolving European Court of Justice jurisprudence in the area.

By way of background to the general scheme, the Communications (Retention of Data) Act 2011 provides the legal basis for the retention and subsequent disclosure of both telephone and Internet data for the purpose of the prevention, detection, investigation and prosecution of serious offences and safeguarding the security of the State. The data in question are subscriber data, which are the identity of the subscriber, and traffic and location data such as the location of a mobile phone and the numbers of other mobile phones it has communicated with. Access to such data is very important in the context of both combating serious crime and safeguarding the security of the State.

In its judgement of April 2014 in the Digital Rights Ireland case, the European Court of Justice found the EU data retention directive to be incompatible with Articles 7 and 8 of the Charter of Fundamental Rights. The judgement was the consequence of the referral of a number of questions concerning the compliance of the EU data retention directive with the EU Charter of Fundamental Rights to the European Court of Justice by the Irish High Court. The court found the directive went beyond what is necessary in that by requiring subscriber, traffic and location data to be held by service providers, it entailed an interference with the lives of almost all citizens in Europe and not just those linked to serious crime. It also held that the directive did not expressly provide that access to and subsequent use of the data should be restricted to the purpose of preventing serious offences. The directive did not provide for prior review by a court or independent administrative body when law enforcement agencies sought access to metadata. There was no clear basis in the directive for the length of time that service providers were obliged to retain data.

In light of the ruling, the Government approved the drafting of a revised data retention Bill which would take cognisance of the findings of the court. In December 2016, the European Court of Justice considered the issue of data retention again, and in its ruling in Tele2, which related to data retention law in Sweden and the UK, the court adopted a strict interpretation of its previous ruling in the Digital Rights Ireland case. The court found that national legislation providing for general and indiscriminate retention of traffic and location data for the purpose of fighting crime was in breach of the Charter of Fundamental Rights. It did not, however, preclude member states from adopting legislation permitting the targeted retention of such data.

It also found that EU law precluded national legislation from providing for data retention and disclosure which was not restricted to fighting serious crime, where access was not subject to prior review by a court or independent administrative authority, and where there was no legal requirement for the data concerned to be retained within the European Union.

The 2011 Act already provides for a number of the requirements identified by the court. The current Act provides that data can only be accessed by specific agencies where the data are required for the prevention, detection, investigation or prosecution of a serious offence, the safeguarding of the security of the State or the saving of human life. Additional safeguards provided for in the legislation to protect the data in question include data security provisions, data destruction provisions and restriction on access to retained data. The legislation also provides for oversight of its operation by a High Court judge who reports to the Taoiseach at least annually and for a complaints referee, who is a Circuit Court judge, to deal with the concerns of any persons who believe that their data may have been unlawfully accessed in breach of the Act. These safeguards have been retained in the revised Bill.

The existing legislation requires service providers to retain Internet data for one year and telephone and mobile data for two years, and allows An Garda Síochána and other State agencies to make direct requests to service providers for retained data for investigative purposes, and as such, the legislation needs to reflect those elements of the European Court of Justice rulings. While in strict legal terms the Tele2 judgment does not have direct effect in Irish law, it sets down clear parameters on what member states may provide for in national legislation relating to data retention, and as we are obliged to ensure that our law is in compliance with EU law, we have revised the original heads of the Bill approved by Government in 2015 to take account of the ruling in the Tele2 judgment as well.

The revised general scheme which members have before them responds to both EU Court of Justice rulings by providing for ministerial authorisation for the retention by service providers of targeted categories of traffic and location data for the purpose of the prevention, detection, investigation or prosecution of serious crime or safeguarding the security of the State; by requiring judicial authorisation for disclosure of retained data to the Garda Síochána and other agencies; by providing for notification of persons whose data have been disclosed when such notification is unlikely to jeopardise the investigation of an offence or to undermine the security of the State; and by providing for the data concerned to be held for a 12 month period and for that data to be held in the EU. Overall oversight of the new legislation will continue to be vested in a High Court judge, with a judge of the Circuit Court independently investigating complaints.

It has to be said that the Tele2 judgment is challenging from a law enforcement point of view. It limits national legislation to requiring the targeted retention of data based on objective evidence. While the Bill reflects this requirement and provides for the making by the Minister of orders for the retention of specified categories of data, the actual making of such orders will require careful consideration. No final decisions have been made on what specific categories of data might be the subject of ministerial orders for targeted retention.

In January 2016, following reports alleging inappropriate accessing of the telephone records of certain journalists, the Government commissioned a review of the law in this area. In his review of the law on the retention of and access to communications data, Mr. Justice Murray took account of the Tele2judgment. Most of the review is taken up with an analysis of the 2011 data retention Act with recommendations on how the Act might be amended in light of the judgment. This report has been hugely helpful to us in preparing these proposals. The vast majority of its recommendations have been taken into account in the general scheme, with a small number of issues to be resolved in finalising the Bill.

There are relatively few recommendations specific to accessing the data of journalists contained in the review, the key one of which is that access to journalists’ retained data for the specific purpose of identifying their journalistic sources should be authorised by a judge of the High Court. The approach advocated by the Minister is to apply the protection of judicial authorisation to every citizen in all cases and not just to a particular class of citizen in particular cases. The revised heads of the Bill propose that any application for authorisation to access any person’s data, except in cases of urgency, must be approved by one of a number of designated District Court judges. This is the strictest form of compliance with the ruling of the European Court of Justice which requires authorisation either by a judge or an independent body. The hierarchy of a complaints procedure administered by a Circuit Court judge and oversight of operation of the Act by a High Court judge has been maintained. Given the proposals in the Bill, making additional provisions for High Court authorisation for accessing journalists’ data in certain cases could give rise to complexities. Such an authorisation would only apply to requests for access to journalistic sources, so District Court authorisations would be required for all other access requests. The result would be that other categories of persons who may have sources, for example, Members of these Houses, would be treated differently. Search warrants, which could result in more intrusive content data being discovered, are issued by the District Court. For these reasons, the Minister believes that there are strong arguments for a clear and consistent level of judicial protection for everyone’s data, but of course he would welcome the committee’s views on this. The Minister forwarded a copy of Mr. Justice Murray’s review together with the revised heads of the Bill in order that the committee could examine the proposed legislation and the review together in considering the Minister’s proposal for a balanced and proportionate data retention regime providing a high level of protection for all citizens.

Committee members will have read through the heads of the Bill. There are numerous key new provisions, including in heads 3 and 4 which place an obligation on service providers to retain subscriber data for a period of 12 months from the date on which the data were first processed and allow the competent authorities to make direct requests to service providers for that data. Heads 5 and 6 provide for applications to be made by the competent authorities for ministerial orders for the targeted retention of categories of traffic and location data or traffic and location data in respect of specified persons for the purpose of the prevention, detection, investigation or prosecution of serious crime or safeguarding the security of the State and for the making of ministerial orders to retain such data. Head 8 allows a competent authority to apply to an authorising judge for an authorisation to make a disclosure request. Head 15 provides for the notification of a person who has been the subject of a disclosure request or other persons whose interests have been materially affected by the disclosure request. Most of the other provisions of the Bill relating to data security, data destruction arrangements, restrictions on access to retained data, the complaints procedure and oversight of the operation of the Act by a High Court judge have been taken from the existing 2011 Act.

I hope that I have provided the committee with an understanding of the background to and content of the Bill and I am happy to respond to any questions that members may have.