Mr. Jimmy Martin:

The primary purpose of the general scheme is to give effect to the outstanding provisions of the 2001 Council of Europe Budapest Convention on Cybercrime, known as the Budapest Convention, other than articles relating to the real-time collection and recording of data which are being looked at in the context of separate legislation by the Department.

The Budapest Convention is the main international instrument on cybercrime and has been given effect in almost 70 states, including all of the member states of the European Union other than Ireland. The majority of articles of the Budapest Convention have already been given effect in Irish law, mainly by the Criminal Justice (Offences Relating to Information Systems) Act 2017. The main new provisions of substance introduced by the scheme relate to preservation orders and production orders required by the Budapest Convention. They are addressed in heads 5 and 6 of the scheme. There are already statutory provisions to provide for access to records held on paper or computers. These existing procedures include search warrants and other court orders to make material available or orders to produce documents or provide information. These mechanisms are not comprehensive and were introduced at a time when most data was held either in paper form or on a particular computer in a known physical location and under the control of a person.

Data is still held in this way and these provisions are still required. However, most data, whether personal or business, is now held in the cloud under the control of multinational Internet service providers. Records held in this way may be temporarily broken up into multiple segments or shards and stored in different servers in different jurisdictions or moved to different servers in different geographic areas, depending on the availability at particular times of the day. This means that it is not viable to establish the physical location of the data as far as establishing jurisdiction is concerned. This has implications for some of the existing legal provisions. Furthermore, the role of multinational Internet service providers also complicates issues. The purpose of heads 5 and 6 is to provide a modern, comprehensive procedure to protect and access such data via preservation and production orders, which can be served directly to Internet service providers for the purpose of criminal investigations and prosecutions but subject to appropriate safeguards. Accompanying these measures are provisions to deal with admissibility of evidence and situations where information might be privileged, such as legal advice or journalist sources. The heads follow the requirements of the 2001 Budapest Convention, and the procedures set out also follow the most up-to-date template provided by the European Union regulation on European production and preservation orders for electronic evidence in criminal proceedings. This was adopted in July 2023 and will come into effect from 18 August 2026. I will come back to this regulation later.

The purpose of a preservation order is to preserve targeted data for a temporary period with a view to giving effect to a subsequent production order. It is temporary and does not allow any access to the data itself. To avoid confusion, I will explain the difference between the concept of data retention and a preservation order. The European Court of Justice has held that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating crime. In this context, data relates to the mass-storage of data that will be collected in the future. This scheme only relates to data already being stored as part of the services of an internet services provider on the date the court order is served on a service provider. It does not require the future storage of data yet to be generated. The preservation order provided for in head 5 requires temporary preservation of targeted data being held by the service provider on the date the order was served. It is normally for a period not exceeding 90 days.

Jurisdiction, as set out in head 6(2) for both preservation and reduction orders, is based primarily on where the person who has control or lawful access to the data is based, regardless of where the data itself is held. The term "person" includes a company.

I mentioned that the procedure is subject to appropriate safeguards. The Budapest Convention itself contains a number of safeguards that must be met and we sought and obtained legal advice that these are complied with. In addition, the scheme is intended to comply with EU data protection law and the Data Protection Act 2018. Also, we have initiated a formal consultation process with the Data Protection Commission to ensure that it has no issues. All orders under this scheme must be considered and determined upon by an independent judge. For example, in the case of a production order seeking traffic or content data, the judge must be satisfied that it relates to a serious criminal offence and that the issuing of the order is necessary and proportionate.

There are a number of other technical provisions outstanding from the Budapest Convention and these have been given effect by heads 4, 7A and 7B, and head 8 and 8A, which are all technical. In head 12, we refer to the EU evidence regulation on European production and preservation orders that I mentioned earlier. This EU evidence regulation forms part of the EU e-evidence package, which is a directive and regulation aimed at making it easier and faster for law enforcement and judicial authorities to obtain the electronic evidence they need to investigate and prosecute criminals. It will have direct effect in Irish law from August 2026. The regulation provides for an EU cross-border regime whereby law enforcement authorities in a given member state can request an order for data controlled by an Internet service provider based in another EU member state in the form of an European production and preservation order. It is a cross-border measure. While the EU regulation will have direct effect in Ireland, Ireland must designate an Irish authority competent to issue European production orders. To ensure consistency for both practitioners and Internet service providers based in Ireland, it was decided that the procedures to be followed for obtaining a domestic production order should mirror those required for a European order.

Head 12 identifies the Irish authority, namely, designated District Court judges, that will issue European production and preservation orders sought by Irish competent authorities, such as An Garda Síochána, in respect of data held by Internet service providers based elsewhere in the European Union. It is also worth noting that there are other measures to be implemented to give full effect to the e-evidence package, particularly the designation of an enforcing authority that can raise grounds for refusing a European production order from another member state, as well as a designation of a central authority. This will be addressed by legislation in due course.

Finally, head 13 relates to measures under the European Union regulation on addressing the dissemination of terrorist content online. This regulation provides a mechanism for the issuing of EU-wide orders requiring service providers that host online content to remove terrorist content within a short timeframe. The regulation came into effect on 7 June 2022 and as an EU regulation, it has direct effect in Irish law. An Garda Síochána has been designated as the competent authority to issue removal orders. The regulation also requires the designation of a national body to oversee the imposition of sanctions for non-compliance and the Attorney General has advised that primary legislation is required to give the necessary powers to a national body to issue such financial penalties. The Government has decided that Coimisiún na Meán should be designated as a national body for Ireland. The scheme proposes to amend the Online Safety and Media Regulation Act 2022, which amends the Broadcasting Act 2009, to provide us with the necessary powers after which formal designation will take place. Until the necessary amendment is made, Ireland will not be in full compliance with our EU obligations.