Oireachtas Joint and Select Committees
Wednesday, 15 November 2017
Joint Oireachtas Committee on Justice, Defence and Equality
General Scheme of the Communications (Retention of Data) Bill 2017: Discussion (Resumed)
9:00 am
Ms Elizabeth Farries:
I would like to thank the committee for giving me an opportunity to speak today. To that end, and in response to our discussions last week, I have summarised some key recommendations drawing from our written submissions, which the committee received and we discussed last week. There is a lot to cover. At the core of this discussion is the explicit protection of journalistic sources. I will leave that to the words of Mr. Seamus Dooley when he speaks, but I note at the outset that we absolutely advocate implementing the Murray review recommendations in that regard.
Moving to the issue of strict necessity, Ms Geraldine Moore said last week that the system of data retention and access, as laid out in the Bill, is most balanced, proportionate and fair. However, as Deputy Jack Chambers noted, and as per the decision in Tele2, proportionality in this instance is insufficient. As per Tele2, a ministerial order for data retention should only be made where strictly necessary. Under the scheme of the Bill, heads 5 and 6, detailing these ministerial orders, fail to meet that strict standard. They instead apply the weaker standard of proportionality, and that is incompatible with the standard laid out in Tele2.
The next subject is targeted data retention. It was noted last week that the finding in Tele2 limits legislation to require that data retention be based on targeted and objective evidence. This limitation does not appear to be implemented under the heads of Bill. Heads 5 and 6, for example, give a largely unfettered power to make rules requiring general traffic and controlled data retention. The language in the Bill allows access to data that is "likely to assist", as opposed to requiring objective evidence that "reveals a link" with serious criminal offences. As a result, it falls significantly short of the standard set in Tele2.
Now we have the issue of limited third-party access. Last week, Deputy Jim O'Callaghan posited that provision for safeguarding the security of the State might be used against people in the political sphere, or people not directly connected to a crime, for example financial officers. Mr. Dermot Woods said that this would not be the case. However, it could be a problem for third-party access. Head 8 permits access to data of entirely unconnected third parties, again on the more permissive grounds that the data is "likely to assist" in protecting the State. This permissive stance clashes with EU law. To uphold the requirements of Tele2, the person whose information is demanded must in some way, again, be implicated in a crime. They cannot simply be a third party.
That leads to the larger discussion about the precision of how we define data. Ms Moore said last week that there were no final decisions made about what specific categories of data might be the subject of ministerial orders. That said, it was clarified for Senator Ó Donnghaile that, as per head 3, the Bill does not apply to the content of communications. It is only meant to apply to the data around it. However, under head 1, as the scheme of the Bill is written currently, "traffic and location data" is given an exceptionally wide and substantially more permissive definition that might inadvertently include the content that the Bill is supposed to be setting aside. It includes any "data processed for the purpose of sending, receiving or storing communications". This definition is so permissive that it could conceivably permit ministerial orders to require Internet Service Providers, ISPs, to log Uniform Resource Locators, URLs. A URL is not in and of itself "content", but it often reveals the content of a web page, for example a news article that someone is reading. That goes beyond the remit of the Bill as defined.
There is also the issue of notification. Last week, the need for proper notification was raised. The Chair commented that surely people in Ireland must be entitled to know when our data is being accessed. The response last week was that a person would automatically be informed if their data was disclosed. We respectfully submit that this is not the case. Under head 15 of the Bill there are a range of exemptions for notification, including a vague catch-all at subhead 2(a), where notification would not be "consistent with the purposes for which the authorisation or approval concerned was issued or granted". This is very vague. It creates a lot of leeway around who gets to know their data is being looked at and who does not. We therefore urge that notification in this context means fully upholding the requirements of Tele2, that those whose data is retained must be notified as soon as possible, that is, as soon as it is not liable to jeopardise an investigation.
There is also the issue of judicial remedies. Deputy Mick Wallace posed a question that we had not addressed in our submissions, but one which is very important, and that is why the Bill does not have a judicial remedy. The Murray review recommends one, and this is a principle supported by EU legislation and the European Court of Human Rights. We understand that the Minister is getting advice on this matter, and to this advice we add our recommendation that a judicial remedy should absolutely be implemented. As former Chief Justice Murray wrote, it is necessary "bearing in mind the coercive character of a data retention system, and the concomitant risk to fundamental rights associated with it".
Last week, Deputy Wallace also queried why the Bill has not, as per the Murray review, instituted a robust independent supervisory authority. In response, we heard that the Bill went with what was previously in place, which was said to be working quite well. That is to say a designated judge of the High Court was charged with oversight and all was well. We also heard that each year the judge examines the use of powers under the legislation in a detailed way, and so could very quickly identify if there was a problem, including any acts of abuse. We respectfully submit that this has not been the case, and that the overview system has not worked very well at all. In fact, as a Deputy recalled for us, there are not detailed examinations each year.
Instead there have been annual reports, which have exclusively consisted of a few formulaic paragraphs which are put together very quickly, without any formal processes in place. It is our submission that this is not a sufficiently detailed examination. We further argue that a judge alone does not have sufficient resources, or even competence, to exercise comprehensive control over State surveillance. The oversight role at this stage is described as "ad hoc, after the fact, part-time function of a busy judge with no staff, specialist training or technical advisors" in Privacy International and Digital Rights Ireland's report, entitled The Right to Privacy in Ireland - Stakeholder Report Universal Periodic Review 25th Session – Ireland. The judge, therefore, is at risk of becoming over-reliant on the feedback from the agencies that they are supposed to be overseeing. They need the agencies to tell them everything is all right so they can sign off on it.
Generalist judges cannot on their own be expected to have the sort of specialist knowledge necessary to assess the technological complexities in a surveillance system. As surveillance becomes rapidly more technologically complex, it changes, year-to-year and month-to-month. Judges increasingly lack the specialist knowledge needed to provide adequate oversight. We want Ireland to keep up with the trend of EU member states, and to do that we recommend replacing the designated judge with a unified independent supervisory agency. We recommend that this independent agency should include parliamentary accountability. According to the European Union Agency for Fundamental Rights, which put a 2017 report out following its 2015 report, Ireland and Malta are currently the only two countries in the EU that do not provide for parliamentary oversight of intelligence agencies.
We also recommend that the independent body be chaired by a judge in a nearly full-time position, and be supported by a secretariat with the sufficiently technical expertise needed to make the decisions required in these instances. They need the resources to provide detailed support, including formalised reports available to the public. There are examples in the EU where these more fulsome aspects of intelligence agency oversights are included. We address this need at length in pages ten to 14 of our written submission to the committee.
We thank the committee for giving the Irish Council for Civil Liberties, ICCL, the opportunity to speak with it today. We have other recommendations itemised in the written submission, and summarised in a list that may be before the members. If it is not then I will circulate it to members after the meeting. We hope to have the opportunity to speak with the committee more generally about the Bill.