Mr. Dale Sunderland:

Thank you Chairman and good morning to you and the committee members. I am very pleased to be able to assist the committee today in is pre-legislative scrutiny of the proposed Bill.

The timing of our contribution today is somewhat unusual given that the general scheme was published just eight days ago and the formal invite to appear before the committee issued only yesterday. These timescales pose some challenges for the Data Protection Commission, DPC, in our role in assisting this committee in the pre-legislative scrutiny and also in our role in being mandatorily consulted by the Minister for Justice under the Data Protection Act 2018.

On foot of the Court of Justice of the European Union, CJEU, judgment in April, the DPC was informed by the Department of Justice in June that a general scheme was in preparation as an interim amendment to the 2011 Data Retention Act, pending fuller scale reform. The Department indicated that the DPC would be consulted and, in fact, the DPC received the general scheme just eight days ago. We have not yet returned our detailed observations to the Department on the general scheme as we were advised last week by the Department that significant data protection-relevant updates to the scheme were being made, which would be reflected in the revised final version of the Bill. The DPC has only received a copy of that updated Bill in the past 24 hours and we are now working diligently to prepare our detailed observations for the Department of Justice.

In the meantime, the DPC is very happy to share our preliminary observations on the general scheme, while acknowledging that some of what we comment on may already have been addressed in an updated version of the proposed Bill. The DPC’s remit relates to data protection-related rights and freedoms of individuals and our observations on the proposed Bill reflect the binding requirements in this regard set out by the CJEU.

Under the current 2011 Act, the main oversight and monitoring functions are reserved for the “designated judge” as set out in section 12 of that Act, namely to ascertain whether the agencies prescribed to make disclosure requests are complying with the Act. However, the Act also provides that these judicial supervisory powers do not affect the functions of the Data Protection Commission. In addition, the Act assigns a specific role to the DPC where it is designated as the national supervisory authority. With these provisions in mind, some years ago the DPC conducted a number of audits to examine the designated bodies concerned and the telecommunications service providers. The summary findings of those audits are available in the DPC annual reports of 2016 and 2017.

The general scheme clearly sets out to address the CJEU finding that mass and indiscriminate retention of electronic location and traffic data is not permitted for the purposes of combatting serious crime. In making this finding, the CJEU set out a number of more permissible targeted retention measures that could be deployed, subject to specific safeguards and limitations by member states, for the purpose of fighting serious crime.

In that respect, head 5 provides for, subject to judicial authorisation and a transparency requirement to publish any order, the retention of Schedule 2 data, where an existing or foreseeable national security issue is in play. It is the DPC's preliminary view that the arbitrary period of 12 months for retention is at odds with the CJEU's requirement for an assessment, in each case, of the period of time for which retention is actually necessary.

The CJEU has made it clear that derogations to the prohibition of storage of traffic and location data may only be granted for a period of time that is strictly necessary to achieve the objective pursued. We also note the provisions that will allow bypassing of the advanced judicial authorisation in the context of requiring disclosure of such Schedule 2 data, as set out under head 9. However, it is not clear how such purportedly urgent exceptions would, in the event, be justified. Likewise, the means by which it will be clear a national security issue exists, or is foreseen, is not clear from the general scheme and further detail in this regard, would be of assistance to the DPC in our assessment of the measures.

Heads 12 to 15 give rise to some concerns, given the court has said that the limited and targeted retention it sees as permissible for serious crime investigation must not be turned into mass and indiscriminate retention. In this regard, in respect of the specified bodies, themselves quite broad in range, which may access preservation or production orders for Schedule 2 data, the means by which objective targeting and limiting criteria will be established are not clear from the scheme. With regard to justified urgent cases in heads 14 and 15, the apparent lack of judicial oversight after the event is also of concern.

In light of the high risks to the rights and freedoms of data subjects inherent in the processing envisaged in the general scheme, the DPC is of the view that the Department should now conduct a data-protection impact assessment with regard to the processing and the provisions proposed. The DPC also notes that there is no provision in the general scheme for the restriction of data subject rights. Such rights include access rectification and erasure. If restrictions are intended, we recommend that these should be provided for in the Bill, with a justification for why the restrictions are necessary and in what circumstances.

I hope to be of assistance to the committee and I am very happy to answer any questions members may have.