Oireachtas Joint and Select Committees
Wednesday, 8 November 2017
Joint Oireachtas Committee on Justice, Defence and Equality
General Scheme of the Communications (Retention of Data) Bill 2017: Discussion
As we have a quorum, we will now commence the meeting in public session. I thank Senator Frank Feighan for his attendance to facilitate the commencement of our meeting. I have received apologies from Senator Frances Black. The purpose of today's meeting is to commence pre-legislative scrutiny of the general scheme of the communications (retention of data) Bill 2017. I welcome from the Department of Justice and Equality, Ms Geraldine Moore, principal officer, Mr. Dermot Woods, principal officer, and Ms Layla de Cogan Chin, assistant principal officer. On behalf of the committee, I thank the witnesses for their attendance to discuss this important legislation. The format of the meeting is that the witnesses will be invited to make an opening statement which will be followed by a question-and-answer session with the members.
Before we begin, I draw the attention of our witnesses to the situation on privilege. The witnesses are protected by absolute privilege in respect of their evidence to the committee. However, if they are directed by the committee to cease giving evidence on a particular matter and they continue to so do, they are entitled thereafter only to a qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and they are asked to respect the parliamentary practice to the effect that, where possible, they should not criticise or make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable.
Members of the committee should be aware that under the salient rulings of the Chair, they should not comment on, criticise or make charges against a person outside the House or an official either by name or in such a way as to make him or her identifiable.
I now invite Ms Moore to make her opening statement.
Ms Geraldine Moore:
I thank the Chairman and the committee for this opportunity to participate in the pre-legislative scrutiny of the general scheme of the communications (retention of data) Bill which was published in October. The purpose of the Bill is to update data retention law in Ireland to take account of evolving European Court of Justice jurisprudence in the area.
By way of background to the general scheme, the Communications (Retention of Data) Act 2011 provides the legal basis for the retention and subsequent disclosure of both telephone and Internet data for the purpose of the prevention, detection, investigation and prosecution of serious offences and safeguarding the security of the State. The data in question are subscriber data, which are the identity of the subscriber, and traffic and location data such as the location of a mobile phone and the numbers of other mobile phones it has communicated with. Access to such data is very important in the context of both combating serious crime and safeguarding the security of the State.
In its judgement of April 2014 in the Digital Rights Ireland case, the European Court of Justice found the EU data retention directive to be incompatible with Articles 7 and 8 of the Charter of Fundamental Rights. The judgement was the consequence of the referral of a number of questions concerning the compliance of the EU data retention directive with the EU Charter of Fundamental Rights to the European Court of Justice by the Irish High Court. The court found the directive went beyond what is necessary in that by requiring subscriber, traffic and location data to be held by service providers, it entailed an interference with the lives of almost all citizens in Europe and not just those linked to serious crime. It also held that the directive did not expressly provide that access to and subsequent use of the data should be restricted to the purpose of preventing serious offences. The directive did not provide for prior review by a court or independent administrative body when law enforcement agencies sought access to metadata. There was no clear basis in the directive for the length of time that service providers were obliged to retain data.
In light of the ruling, the Government approved the drafting of a revised data retention Bill which would take cognisance of the findings of the court. In December 2016, the European Court of Justice considered the issue of data retention again, and in its ruling in Tele2, which related to data retention law in Sweden and the UK, the court adopted a strict interpretation of its previous ruling in the Digital Rights Ireland case. The court found that national legislation providing for general and indiscriminate retention of traffic and location data for the purpose of fighting crime was in breach of the Charter of Fundamental Rights. It did not, however, preclude member states from adopting legislation permitting the targeted retention of such data.
It also found that EU law precluded national legislation from providing for data retention and disclosure which was not restricted to fighting serious crime, where access was not subject to prior review by a court or independent administrative authority, and where there was no legal requirement for the data concerned to be retained within the European Union.
The 2011 Act already provides for a number of the requirements identified by the court. The current Act provides that data can only be accessed by specific agencies where the data are required for the prevention, detection, investigation or prosecution of a serious offence, the safeguarding of the security of the State or the saving of human life. Additional safeguards provided for in the legislation to protect the data in question include data security provisions, data destruction provisions and restriction on access to retained data. The legislation also provides for oversight of its operation by a High Court judge who reports to the Taoiseach at least annually and for a complaints referee, who is a Circuit Court judge, to deal with the concerns of any persons who believe that their data may have been unlawfully accessed in breach of the Act. These safeguards have been retained in the revised Bill.
The existing legislation requires service providers to retain Internet data for one year and telephone and mobile data for two years, and allows An Garda Síochána and other State agencies to make direct requests to service providers for retained data for investigative purposes, and as such, the legislation needs to reflect those elements of the European Court of Justice rulings. While in strict legal terms the Tele2 judgment does not have direct effect in Irish law, it sets down clear parameters on what member states may provide for in national legislation relating to data retention, and as we are obliged to ensure that our law is in compliance with EU law, we have revised the original heads of the Bill approved by Government in 2015 to take account of the ruling in the Tele2 judgment as well.
The revised general scheme which members have before them responds to both EU Court of Justice rulings by providing for ministerial authorisation for the retention by service providers of targeted categories of traffic and location data for the purpose of the prevention, detection, investigation or prosecution of serious crime or safeguarding the security of the State; by requiring judicial authorisation for disclosure of retained data to the Garda Síochána and other agencies; by providing for notification of persons whose data have been disclosed when such notification is unlikely to jeopardise the investigation of an offence or to undermine the security of the State; and by providing for the data concerned to be held for a 12 month period and for that data to be held in the EU. Overall oversight of the new legislation will continue to be vested in a High Court judge, with a judge of the Circuit Court independently investigating complaints.
It has to be said that the Tele2 judgment is challenging from a law enforcement point of view. It limits national legislation to requiring the targeted retention of data based on objective evidence. While the Bill reflects this requirement and provides for the making by the Minister of orders for the retention of specified categories of data, the actual making of such orders will require careful consideration. No final decisions have been made on what specific categories of data might be the subject of ministerial orders for targeted retention.
In January 2016, following reports alleging inappropriate accessing of the telephone records of certain journalists, the Government commissioned a review of the law in this area. In his review of the law on the retention of and access to communications data, Mr. Justice Murray took account of the Tele2judgment. Most of the review is taken up with an analysis of the 2011 data retention Act with recommendations on how the Act might be amended in light of the judgment. This report has been hugely helpful to us in preparing these proposals. The vast majority of its recommendations have been taken into account in the general scheme, with a small number of issues to be resolved in finalising the Bill.
There are relatively few recommendations specific to accessing the data of journalists contained in the review, the key one of which is that access to journalists’ retained data for the specific purpose of identifying their journalistic sources should be authorised by a judge of the High Court. The approach advocated by the Minister is to apply the protection of judicial authorisation to every citizen in all cases and not just to a particular class of citizen in particular cases. The revised heads of the Bill propose that any application for authorisation to access any person’s data, except in cases of urgency, must be approved by one of a number of designated District Court judges. This is the strictest form of compliance with the ruling of the European Court of Justice which requires authorisation either by a judge or an independent body. The hierarchy of a complaints procedure administered by a Circuit Court judge and oversight of operation of the Act by a High Court judge has been maintained. Given the proposals in the Bill, making additional provisions for High Court authorisation for accessing journalists’ data in certain cases could give rise to complexities. Such an authorisation would only apply to requests for access to journalistic sources, so District Court authorisations would be required for all other access requests. The result would be that other categories of persons who may have sources, for example, Members of these Houses, would be treated differently. Search warrants, which could result in more intrusive content data being discovered, are issued by the District Court. For these reasons, the Minister believes that there are strong arguments for a clear and consistent level of judicial protection for everyone’s data, but of course he would welcome the committee’s views on this. The Minister forwarded a copy of Mr. Justice Murray’s review together with the revised heads of the Bill in order that the committee could examine the proposed legislation and the review together in considering the Minister’s proposal for a balanced and proportionate data retention regime providing a high level of protection for all citizens.
Committee members will have read through the heads of the Bill. There are numerous key new provisions, including in heads 3 and 4 which place an obligation on service providers to retain subscriber data for a period of 12 months from the date on which the data were first processed and allow the competent authorities to make direct requests to service providers for that data. Heads 5 and 6 provide for applications to be made by the competent authorities for ministerial orders for the targeted retention of categories of traffic and location data or traffic and location data in respect of specified persons for the purpose of the prevention, detection, investigation or prosecution of serious crime or safeguarding the security of the State and for the making of ministerial orders to retain such data. Head 8 allows a competent authority to apply to an authorising judge for an authorisation to make a disclosure request. Head 15 provides for the notification of a person who has been the subject of a disclosure request or other persons whose interests have been materially affected by the disclosure request. Most of the other provisions of the Bill relating to data security, data destruction arrangements, restrictions on access to retained data, the complaints procedure and oversight of the operation of the Act by a High Court judge have been taken from the existing 2011 Act.
I hope that I have provided the committee with an understanding of the background to and content of the Bill and I am happy to respond to any questions that members may have.
I thank the officials for attending this morning. It is important, in the first instance, to remember the background and context for this, and having read the Murray report, I am not certain that the Bill as currently proposed would meet the threshold that is laid out in that report. One of the recommendations of the Murray report was that consideration should be given to the inclusion in any amending legislation governing access to retained communications data of a provision expressly prohibiting access for the purpose of identifying a journalist's sources, except in accordance with the circumstance and conditions laid down in that legislation. Those conditions should be the suspected commission of a serious criminal offence or unlawful activity. It appears that the threshold as outlined here is lower because the Minister can, for example, intervene in circumstances where there is only a suspicion of such activity. There is a mismatch between the recommendations of the Murray report and the heads of this Bill. I know that the National Union of Journalists, NUJ, and others have expressed concern that this does not meet the threshold and does not implement the recommendations of the Murray report. I invite Ms Moore to comment on that.
Ms Geraldine Moore:
We have not provided for a separate regime for journalists. The Act applies to everyone, to all citizens. Head 8, which is probably one of the most important heads, sets out what has to be considered by a member of An Garda Síochána or the other State agencies in making an application for an authorisation. They have to be satisfied that the data would relate to a person who is suspected of having committed a serious offence or would have implications for State security. The provisions of head 8 apply equally to journalists.
Would Ms Moore not accept that it is important in the interests of the media that we have protection for journalists, particularly in the context of what the Garda Síochána Ombudsman Commission, GSOC, was doing? Does she not think that there is a need to include that within the general scheme of the Bill?
Ms Geraldine Moore:
I think it is provided for already but the protection is for all persons. We did not think it would be appropriate to provide for particular categories of persons. We would have had to draw up a list of particular categories and we would end up with a two-tier regime. We have provided for the one data retention regime and all the protections apply to everyone equally.
The Murray review recommended that amending legislation covering the access to retain communications data should expressly prohibit access for the purpose of identifying a journalist's sources except in accordance with the circumstances laid down in legislation and that they should require prior authorising to access a journalist's information from a judge of the High Court. The draft scheme does not seem to have met that threshold.
Ms Geraldine Moore:
We did consider that. We had been working on the draft scheme before Mr. Justice Murray's report and had decided in favour of a District Court authorisation procedure for everyone. When we received Mr. Justice Murray's report, we considered the proposal in regard to the High Court but journalists are not the only ones who would have sources to protect. As I said in my statement, Members of the Houses or teachers or doctors could have sources. It would be very difficult to legislate in this way for a particular category.
In terms of the standard, it is not a strict necessity - this was mentioned in other submissions - that the standard in terms of accessing the data is again lower. Would Ms Moore accept that the standard in terms of accessing sources or data is lower than what the report has and other EU judgments have recommended?
It is a proportionality test rather than a test of strict necessity. The level of intrusiveness is potentially increased by lowering the threshold. By generalising the scheme of the Bill and not specifically mentioning those who are threatened by the potential intrusiveness of data, does Ms Moore not consider there is a potential increased risk of data usage with the lowering the threshold?
The Tele2 judgment requires that "the national legislation must be based on objective evidence which makes it possible to identify a public whose data is likely to reveal a link, a least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or preventing a serious risk to public security". It does not appear that this requirement is laid out in the general scheme. Again, it seems that the threshold or requirement is more vague and is not specifically defined within the general scheme. Has Ms Moore tried to match this against that judgment or from what has she tried to set the threshold?
Ms Geraldine Moore:
We are taking account of the Tele2 judgment. Head 8 is the important one. It provides that in applying for an authorisation, a garda or any of the State agencies must be satisfied that the data is required in regard to the investigation of a serious offence or a threat to the security of the State.
The Minister said previously that he was not in position to detail who or which journalists' data had been accessed by bodies since 2011. He said previously that the legislation will clearly define what the circumstances are in which sources could potentially be accessed. With the threshold that has been laid out and by failing to specifically define what the circumstances are, by generalising it and not incorporating a particular field of people, the Department is neutralising the potential protection it is trying to achieve within the context of the Bill.
Ms Geraldine Moore:
I think it does. The important element is that it relates to the investigation of a serious offence or a threat to the security of the State and that it must also be the least intrusive means available, it must be proportionate and of a scale that is reasonably required to achieve the objectives for which it is being sought. We were quite careful in drafting head 8 and in providing for the criteria. We were greatly helped by Mr. Justice Murray's report in that regard.
In a submission made by the Irish Council for Civil Liberties and Digital Rights Ireland, they have said that not only does the general scheme fail to comply with EU law, but the general scheme leaves a fragmented system of oversight in place that does not include key recommendations from the Murray review of data retention and does not adequately reflect the European Convention on Human Rights. Does Ms Moore want to respond to those concerns?
Ms Geraldine Moore:
We have provided for a system of oversight. We have a complaints procedure which would be administered by a Circuit Court judge and we have the oversight by a High Court Judge. I think the section is called a review of the operation of the Act but "review" in that sense is probably a weak term in that the High Court judge has extensive powers in regard to the Act. He can investigate any case. He has powers of investigation, powers to request information and powers to compel people to provide him with information. He can make recommendations, including revoking an authorisation, and he can communicate with the Minister, with the Data Protection Commissioner and the Taoiseach in this regard. The oversight provisions are quite strong. We have the layer of the authorisation by a District Court judge, a complaints procedure to a Circuit Court judge-----
The Murray report dealt specifically with journalists and the complaints around the 2011 Act. Does Ms Moore accept that by not explicitly providing a defined threshold and by failing to create a higher standard of action for journalists' sources, the legislation, as outlined, is not being held to a high standard?
The Tele2 judgment states that "access can, as a general rule, be granted, in relation to the objective of fighting crime, only to the data of individuals suspected of planning, committing or having committed a serious crime or of being implicated in one way or another in such a crime". That direct nexus does not seem to be set out in heads 8 and 9.
There is a contradiction of opinion in that there is significant criticism of those heads, that they do not meet the Tele2 judgment threshold.
There is a general concern that, in the drafting of this provision, it has failed to reach the appropriate threshold of protection that underpins the Murray report. While people welcome the drafting and the changes to the legislation, there is still concern that the threshold has not been matched. Has Ms Moore received or incorporated submissions or discussed this with various organisations and have the witness responded to their concerns?
I thank the witness very much for attending. Can I clarify how the process applies? Under head 4, a request for subscriber data can be made by a member of An Garda Síochána, the Defence Forces or the other bodies. Is there a formal process under the Act whereby the data holder responds to that request?
That is set out in head 4. Does the Act deal with the response from the service provider? If a service provider states that the data can be provided, is that dependent on an application being made to court?
Throughout the draft heads of the Bill, there are references to persons who are suspected of having been involved in the commission of a serious offence. There is also information in respect of those who are not involved in it, but may have information. The second heading relates to State security and a person who is suspected of posing an existing and serious threat to the security of the State. Can Ms Moore give me an example of where a person may pose a threat to the security of the State, but he or she would not be involved in the commission of an offence?
Mr. Dermot Woods:
It might be helpful if I respond to that. I would assess that in the vast of cases those people who pose a threat to the security of the State are likely committing a serious offence. Essentially, these powers are targeted at terrorist organisations or people who would be providing support or other services to terrorist organisations and, largely speaking, they would be doing so in committing a serious offence. There may be circumstances where persons would be providing legitimate financial services but for a terrorist purpose. It may be difficult immediately in terms of the evidence available to the authorities to identify the criminal offence but they would have intelligence information perhaps from other agencies or from other sources or investigations that support or succour would be in the course of being provided. Those actions would of themselves be a threat to the security of the State. However, the Deputy is quite right that in the vast majority of cases, they would already be committing a criminal offence, such as a firearms or explosive offence.
To use Mr. Woods' example and a financial institution which is involved, perhaps unwittingly, in providing information or providing a service, I would have thought that would be covered by head 4(1)(a) and (b) where it states "while not directly related to a person who is suspected of being or having been involved in the commission of the offence, are nevertheless likely to assist in the prevention, detection, investigation or prosecution of that offence". Does Mr. Woods envisage the issue about the threat to the security of the State being used against people in the political sphere?
Mr. Dermot Woods:
The long and the short of it is "No". Part of what guards against that now in the framework of thresholds that has been put in place in the proposal here is that there is in effect a two stage process by which access to traffic and location data will be governed. The first is an application to the Minister in which a reasoned case which satisfies the thresholds must be made. The second is then to access the actual data that has been instructed to be retained in front of a judge and again the thresholds have to be reached to the satisfaction of a judge. The requirements that are set out in the Act in each occasion that the data is to be accessed have to be satisfied and the judge can only then authorise access to it. Subsequent to that, after the fact, there are two layers of further oversight. One is the complaints referee in an individual application and the second is the designated judge who has a general oversight of the Act, including access to individual applications and authorisations.
Coming back to the point of pitching at the threshold of the District Court, that also fits into the Minister's decision to retain the existing oversight arrangements but also to manage the new process of authorisation for access within the current hierarchy that exists between the various judicial levels in the courts.
Going back to a point raised by Deputy Chambers earlier, I would have thought that people who are involved in crime journalism would be individuals who come within some of these categories because although they are not involved in the commission of the offence, they may have data which may assist in it. Deputy Chambers was asking whether there should be a new head or a provision within one of the heads recognising what is referred to as journalistic privilege. The response was that everyone is covered by this and why should journalists be given a particular heading. However, in our law there is some recognition of the principle of journalistic privilege which does not really apply to many others. Was that given consideration or is it something that the Minister intends to give consideration to, particularly in light of the Murray report?
Mr. Dermot Woods:
It was given consideration. I think the Minister's view partly, on the one hand, is that if one identifies journalists as a group who have a particular position, and indeed they do and that is recognised in law and would therefore have to be taken into account by the District Court judge who is considering granting an authorisation, there is also particular recognition in law of the privileged position of medical practitioners or legal practitioners or sacerdotal privilege. Members of the Oireachtas have a particular position and that is recognised in law also. One ends up then with a potential schedule of individuals in respect of whom applications might have to be made in a different way and who would then attract a greater protection for the same rights than other citizens. The Minister's view was that his preference was to accord protection across the board. That does not mean that journalists are in any way less protected than other citizens. It means that they have an equivalent protection. In respect of the arrangements that are in place in law already, the specific position in law of the protection of journalistic sources, those arrangements have to be taken into consideration by the judge in assessing whether he will grant access of not.
When the judge is considering the issue, who is advocating on behalf of the doctor and medical confidentiality or the journalist in respect of journalistic privilege? Is there somebody in the court forum who is advocating that or is the judge assumed to take that into account?
Mr. Dermot Woods:
It is not a joined application in which the individual for obvious reasons would have representation. One can see the obvious difficulties if a member of a criminal organisation were to be able to have representation before a judge in deciding whether his data should be accessed. There is a practical issue there.
I am thinking of the other type of individual, such as a doctor, and Mr. Woods is right that a doctor could have data that could be relevant to an individual that is involved in the commission of an offence, or a journalist. However, when it comes to the application, it is a matter for the district judge to consider the privilege, if any exists, that applies to those individuals.
Mr. Dermot Woods:
-----rather than have a random application, for want of a better description, made to a district judge in any location in the country who would not deal with them routinely. At least there is the possibility for judges to develop an expertise in it, but also to share experience among themselves in the standards which that they apply and the arrangements that they have in place for dealing with the applications.
Go raibh maith agat.
Many of the questions I was going to ask have been extensively pursued by Deputies Chambers and O'Callaghan in respect of heads 4 and 8. The evidential threshold for access under the former is presumably high as opposed to merely being a request. The witnesses have expanded on some of the process but, aside from the process and mechanics, what would be required in an application as opposed to merely a request?
I hope the witnesses will forgive me if this seems like a silly question, although I am told that there is no such thing. Head 2 states: "This Act does not apply to the content of communications transmitted by means of fixed network telephony, mobile telephony, Internet access, internet e-mail or Internet telephony." Why is that the case?
Mr. Dermot Woods:
I will let Ms Moore address the first part of the Deputy's question, but the latter part relates to making it explicit in the legislation that this does not involve the interception of the content of communications. There are no circumstances in using the provisions of this legislation where the content of communications can be accessed.
I thank the witnesses for attending. I admit to still having plenty to learn about all of this. I have not read the full Bill, only bits and pieces.
The European Court of Justice, ECJ, rejected the EU data retention directive in April 2014. Its decision was based on a case brought by Digital Rights Ireland, which specifically questioned the constitutionality of Ireland's data retention law that implemented the directive in question. Is there an admission from the Department of its failing in this regard, given that judgment?
According to the ECJ, the Department was wrong in how it behaved. Is that not true? Although the witnesses mentioned Digital Rights Ireland, the impression being given is that these changes are coming about as if they have little or nothing to do with the Digital Rights Ireland judgment. I am mystified by why the Department has not said that, given the judgment, it must have been wrong. Is there any acknowledgement?
Mr. Dermot Woods:
If it is helpful for the Deputy, I will follow up on that. In a way, there is an oddly complex interaction between the two judgments. In the 2014 Digital Rights Ireland judgment, the ECJ set out a number of features of what would constitute a proper data retention regime. According to subsequent analysis and interpretation of it, it set out not quite a checklist of all of the factors that must be satisfied in order for a regime to be complaint, but that there could be a pattern of arrangements, elements of which would, if drawn together, satisfy a threshold set by the court. Many features of the existing Irish regime satisfy those requirements.
The Tele2 and Watson joint case and judgment built on the Digital Rights Ireland judgment but took a significant step further. The court set out a number of features that were required, including a mandatory checklist. That has led us to putting in place legislation that satisfies those ECJ requirements. Given that the requirements of EU law have changed, we must satisfy them. Even though some of the existing features of the Act satisfy requirements of the Tele2 judgment, in overall terms they are not satisfied, so we have to put in place additional measures, for example, independent prior authorisation, judicial authorisation and an explicit requirement for the data to be retained in the EU. Such elements must be put in place, which is why the Act is being revised.
Mr. Dermot Woods:
No, it is not. However, the ECJ has found that a number of features are required of any given data retention scheme in a member state. We must satisfy those in so far as they are not currently satisfied.
It is important to note that the ECJ does not pronounce on the validity of national law. It cannot. It pronounces on the validity of European law, as it did with the 2006 directive, or it sets out the requirements of European law, in this case in respect of the charter, that have to be satisfied by national systems of legislation in order to be compliant with EU law. That is what we must do now. It is a position that faces all of the EU member states. I will not say "as a matter of routine", but almost as a matter of routine, the ECJ will evolve and develop European law and member states have to respond to that. That is what we are doing in this case.
Let us consider the proposed arrangement. The Murray report highlights the importance of an objective standard of data security and that achieving objective standards in respect of EU law would require a robust form of monitoring and supervision of service providers by an independent authority with a clearly defined role and expressly associated powers and duties. Mr. Justice Murray suggested the Data Protection Commissioner for this role. Why has the Department not accepted his recommendation?
Ms Geraldine Moore:
The Data Protection Commissioner's role is not one of monitoring, but enforcement. We decided to opt for what we had previously and which worked well, namely, the review of the operation of the Act by a designated High Court judge who has overview of all aspects of the legislation and who can investigate any case in respect of which authorisations or approvals were granted. The judge would have extensive powers to access documentation or compel people to provide him or her with information and could make recommendations in that regard. That is the system that we have put in place. There is also a complaints procedure for people who are concerned that their data have been disclosed in breach of the legislation.
Even if the Department does not find the Data Protection Commissioner to be ideal for the role of an independent authority, and notwithstanding what it has come up with, does it have a strong reason for not introducing an independent authority of some form in line with the Murray report's recommendation?
Mr. Dermot Woods:
I might add something that could be helpful to note. I am not particularly involved in the development of the legislative proposals on the GDPR and the directive but, as a matter of course, the Data Protection Commissioner will have a role in respect of, for example, a given service provider in terms of the latter's general compliance with the GDPR. The arrangements that will be put in place in that regard, reflecting in more detail what is in the current data protection Acts, require service providers and other private corporations to have in place arrangements of a particular standard for the protection of personal data. In that regard, the Data Protection Commissioner will have a power of enforcement and investigation in respect of that for telephony service providers as she will for any other private corporation.
In addition, there are the layers of judicial supervision at District, Circuit and High Court levels. It is due to the specific nature of the data that are held and processed, for example, in respect of members of a criminal gang or people who carry out criminal offences, that we think it is important to retain the independent scrutiny at a judicial level. All of that is in addition to the general scrutiny that would be available in law anyway to the Data Protection Commissioner. The general data protection regulation, GDPR, will not take away that role from her in respect of the investigation and oversight of data controllers' management of personal data.
Mr. Dermot Woods:
I hate to say it but there is a great story about the talks process in Northern Ireland. At one point, when Tony Blair came into the room and was about to say something to the assembled people about the talks, the fire alarm went off. Peter Robinson responded by saying, "There goes the BS detector."
People are leaving. Let us wait until we hear what the clerk has to say. Is it a fire alarm? It is, so we must vacate. I propose that we suspend until it is safe to return, which I hope will only be for a maximum of ten minutes. Is that agreed? Agreed.
The witness referred to the EU directive and how the EU recommended that the data be stored in the EU. The Murray report recommends that persons whose rights have been affected by wrongful access to retained data should have an appropriate judicial remedy, which is a principle supported by EU legislation and the European Court of Human Rights. I understand that the general scheme does not provide for such a judicial remedy and instead proposes a complaint procedure using the referee mechanism of the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993. Why has the Department taken that position?
Ms Geraldine Moore:
We are examining this in the context of the Bill and we are taking advice on the matter. We will be taking account of it. We are also looking at the remedies available under the new data protection legislation and what needs to be provided in the legislation. That is one of the issues that we are looking at.
According to the general scheme a ministerial order would be required to retain the data and then judicial authorisation would be required for it to be released to the relevant statutory body. While the Minister would order the retention of data, judicial authorisation would be required for access to this data. Does the witness think that these steps offer adequate safeguards against the possible abuse of the process?
Ms Geraldine Moore:
Yes, because the data the Minister will order to be retained will be targeted data and consist of certain sub-sets of data. The Minister will give great consideration to making the order on the data, and will only do so if he considers it to be proportionate. On the judicial authorisation, the judge making the authorisation will have to be satisfied that the authorisation is for valid purposes, including for the investigation of an offence. The criteria for such considerations is set out in the legislation. We believe that the targeted retention and judicial authorisation will work well together as a process.
I thank the witness.
I sought some information from the telephone operator 3. I spent months trying to find out if anybody had sought access to my mobile phone data, but it was not obliged to tell me. I do not know if the legislation is relevant to this point. Under the new legislation, if a State body accesses a person's mobile data through an operator such as 3, will the individual concerned be entitled to the knowledge that that has happened?
Ms Geraldine Moore:
Under the search procedure a person would be able to apply to a Circuit Court judge if he or she believes that their data has been breached and that the data has been disclosed in breach of the Act. The Circuit Court judge would investigate it on behalf of the person and can make recommendations.
I am sorry to interrupt, but how would a person know that the information had been sought in the first instance to make a complaint? The Deputy is raising a very serious matter. Are we not, as citizens, entitled to be informed in the first instance that such information has been sought?
Mr. Dermot Woods:
At head 15 the post factonotification arrangement is set out. This follows directly from the Tele2 judgement. An arrangement will be put in place whereby people who have been the subject of a request will be informed once certain requirements are satisfied.
However, if an individual was the subject of an access request and nothing came from the process and there was nothing further to be engaged in, arrangements would be put in place. The Minister will make regulations providing for information to be given to such individuals.
Rather than characterise it as the State hiding behind security interests, can Mr. Woods appreciate that the concept of State security can be so all-embracing that it is ripe for abuse? For example, there is great potential for a person in the Government of the day to take advantage of something potentially being in the interest of the security of the State in order to withhold information.
Mr. Dermot Woods:
It is not necessarily ripe for abuse. We should not forget that there are post factojudicial and independent control mechanisms. The designated judge who examines the use of the powers under legislation such as this each year in a detailed way would very quickly identify if there was a problem in that regard or some abuse of the process. No such abuse has been identified. There may be individuals engaged in paramilitary organisations on an ongoing basis who would not necessarily at a given point be convicted of an offence but would still be engaged in activities giving rise to State security issues, such as, for example, a paramilitary or serious criminal organisation There would be a difficulty in maintaining the value of the investigatory power of the Garda in counteracting those activities if at a certain point in the process it had to reveal information to the individual that let him or her know they were under investigation or the subject of interest for those paramilitary activities. However, because there are three layers of potential judicial examination of each application, which is a process independent of the Minister, there is not much scope for widespread abuse.Although a detailed case will have to be made to the Minister to make an order for retention, the key point in our view and that of several other member states, as highlighted in the Digital Rights Ireland and the Tele2 Sverige AB cases at the ECJ, is that controls need to be at the point of access rather than retention. Although the Minister may issue an order to a service provider to retain a subset of data for an individual, the data is not released to anybody outside the company until a judge has decided that it can be accessed by, for example, the Garda Síochána. That is one layer of judicial control. At that point it must satisfy all the requirements set out in the Act and the judge would also take into account the general principles of law that go beyond what is explicitly set out in the Act. Subsequent to that, there is a potential level of control by a Circuit Court judge, Judge Hannan, who is the complaints referee, and then a further level of routine control by Ms Justice Baker, who is the designated judge. They have very significant powers of access and compulsion in respect of records and persons involved and can recommend remedies. For example, the complaints referee can recommend a remedy in terms of a sum of compensation which must be given effect to by the Minister. There is no choice in law about that. In that sense, there is a strong pattern of independent judicial oversight that guards against abuse and that is independent of the Minister in respect of both the use of the retained data powers for criminal offences and in respect of the security of the State,.
We are in the early stages of many aspects of the issue but any retention of data entails a lot of scope for violation of human rights, privacy rights and so on. In that context, we have to proceed with caution and be very attentive to the opinions of human rights bodies in the State and across Europe. As the witnesses said, journalists are afforded a certain amount of privilege and protection in any case in terms of their employment and, therefore, I do not believe it necessary that they be singled out for special protection. There is a certain irony in the uproar that occurred when GSOC went looking for journalists' phone records not to investigate the journalists but in order to look into gardaí illegally invading the privacy of other citizens. When the journalists' records were sought in order to investigate those illegal acts, the journalists complained their privacy was being violated but they had no problem using the information to illegally violate other people's privacy. Sadly, the days of a free press crusading against the State are long gone, as is evidenced by Denis O'Brien owning 60% of the Irish media and those in RTÉ behaving like lackeys. A crusading press does not exist and journalists do not deserve any special privilege, although I wish there were some worthy of it. I do not think there is anything less or special there because the protections are the same. The big question is whether the protections are adequate for anybody and I have concerns in that regard.
The witnesses have said that not every District Court judge will be involved. I am thankful for that because the carry-on of some is well documented and people would be really scared if it were envisaged that every District Court judge would be responsible. That is particularly so as we do not have a judicial council to have oversight of judicial conduct in the performance of their duties. Although the witnesses have said there will be a panel rather than every District Court judge being involved, that is not enough and I would be uncomfortable with it. It should at least be at Circuit Court level. I presume the witnesses do not envisage requests coming in every day of the week and, therefore, it should not be a particularly onerous function whereby one would have to give up one's day job to deal with all of this. I do not see how a Circuit Court judge or a panel of Circuit Court judges would not be better in that regard.
The difficulty for most people is that expertise is not there. Who would select the panel? How is that decided? Who appoints them? Where is the input on that issue? I appreciate the witnesses have half dealt with the issue. It will be a problematic area.
As regards judicial oversight and adopting the model of some of the procedures under the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, we have repeatedly highlighted the deficiencies in that legislation in terms of people not being able to access a complaints procedure because they did not know their communication was intercepted unless they learned of it by accident. There are particular deficiencies in judicial oversight and we gave an example of the judge overseeing the procedure going in and spending half a day covering the Garda, the Defence Forces and the other areas that needed to be checked in terms of whether the legislation was complied with. That is not effective judicial oversight and I am concerned by it.
The officials have said that they are considering reviewing that model and I hope they do so because that will be a problem.
The last issue is the option of being allowed to do it without any judicial oversight at all if the urgency of the situation dictates it. Again, how is urgency being defined here? Where is that quantified? Who determines that the situation does not require judicial oversight? I note that a superior officer has to prepare a report within seven days to explain why it was done without judicial oversight but there needs to be more meat on defining that in its entirety.
In terms of the points made by Deputy Wallace about threats to the State, the argument could be made that individuals are involved in a paramilitary organisation or in criminality and therefore they cannot know that their data is being retained. Surely the point is that gardaí only believe the person is involved in criminality or paramilitary activity but do not know that to be the case. They do not have the evidence to prove it because if they did, they would have brought them before the courts. There is a danger there, in the context of the Special Criminal Court, non-jury courts and so forth of this being done under the auspices of dealing with terrorism but then being used by everyone else. I would still have questions around that.
Ms Geraldine Moore:
The urgency provision will be used mostly in relation to missing persons. An Garda Síochána has told us that in the year up to October 2016, there were 1,027 missing persons. Approximately 500 to 600 of those went missing late at night. In those circumstances, An Garda Síochána would ask the service providers to tell them the last known location of the person's mobile phone. That is where they would envisage using the urgency provision without judicial authorisation.
Mr. Dermot Woods:
It is one of those complex parts of the Tele2 judgment. If one reads it strictly, it would not allow one to access retained data in order to locate somebody who has disappeared and who may have mental health issues and whose family knows that there is a risk of suicide. This is one of the routine uses for An Garda Síochána, in trying to locate people at short notice. One often comes across cases of elderly people who have Alzheimer's disease or dementia who have left their care home or their home and there is an urgent requirement to locate them. We have taken the view that it simply could not be understood that one could not put in place, where a person's life might be in imminent danger, an arrangement or mechanism to try to support locating that person. That is the key, if not the overwhelming use of the urgency procedure in respect of communications data by An Garda Síochána. It is used in efforts to locate people at short notice. It can also happen in cases where, for example, in a domestic violence situation a woman has been removed from the house by her husband who is abusing her. There have been cases of women who have been taken out of their homes being located in the boot of a car. The locating of such people is achieved by using location data from the last use of the phone. It is in those circumstances that there is an identified and justifiable need for an urgency procedure in order to make sure that data gardaí need in order to try to locate people can be accessed.
The witnesses have heard the views of members. They have outlined the areas of concern and interest. It is still early days and I hope that all of that will be taken into account. Without any further ado, on behalf of the committee I thank Ms Moore, Mr. Woods and Ms De Cogan Chin for their attendance and engagement with committee members this morning. We will suspend for one minute to facilitate the arrival of our next set of witnesses.
The purpose of this part of the meeting is to continue our scrutiny of the general scheme of the communications data retention Bill, 2017. I welcome Mr. TJ McIntyre, law lecturer in UCD and chairman of Digital Rights Ireland, DRI and Mr. Simon McGarr, solicitor. Both witnesses are welcome. They will be invited to make a brief opening statement to be followed by a questions and answers session. Before we begin, I am obliged to advise the witnesses of the situation with regard to privilege. Witnesses are protected by absolute privilege in respect of the evidence they are to give to the committee. However, if they are directed by the committee to cease giving evidence on a particular matter and continue to so do, they are entitled thereafter only to qualified privilege in respect of their evidence. They are directed that only evidence connected with the subject matter of these proceedings is to be given and asked to respect the parliamentary practice to the effect that, where possible, they should not criticise nor make charges against any person, persons or entity by name or in such a way as to make him, her or it identifiable. Members of the committee know the rules already.
I will now proceed speedily and invite Mr. McIntyre to address the committee.
Dr. T.J. McIntyre:
Thank you, Chairman. I should just say that the order in which we propose to speak is that Mr. McGarr will make a few remarks regarding the general position in respect of data retention in Ireland and then I will address some of the particular points that were made in our written submissions, as well as responding to some of the points made by the departmental officials earlier. Hopefully, we will have plenty of time at the end for questions and discussion with the members.
Mr. Simon McGarr:
The question of data retention has been a hotly contested one since the regime was introduced by way of a secret ministerial order by the then Minister for Communications, Marine and Natural Resources to the telecommunications companies to retain data. That order came to light when the then Data Protection Commissioner, Mr. Joe Meade, said that in the event that the aforementioned order remained the sole basis on which data was retained, he would challenge it in the absence of any further legislative basis.
Mr. Simon McGarr:
Subsequently, the Government of the day brought in a provision under the Criminal Justice (Terrorist Offences) Act, namely, a subsection of that Act specifically dealing with data retention.
The provision was a subsection of that Act specifically dealing with data retention. That was the basis on which Digital Rights Ireland launched its legal challenge to the data retention regime and that was commenced on 11 August 2006. It was evident to Digital Rights Ireland that the data retention regime in Ireland was not compatible with European law or the Constitution. I am somewhat constrained in respect of discussing the matter because it remains a live action to this day.
Anyway, it was interesting to hear the comments from departmental officials in respect of the position on the Tele2 judgment. The departmental position has been that the current Act is not satisfied by the Tele2 judgment. In other words, it is not in compliance. However, the Department's position in terms of its defence before the courts remains a full defence on all heads of the action. The defence continues to rely upon the now struck-down data retention directive, among other things.
It is difficult to address these two tracks plainly. I propose to simply address some of the principles that are being restated by way of the Communications (Data Retention) Bill 2017 and to demonstrate why the problems that have always been present in this legislative format continue in this latest incarnation.
Primarily, the problems lie in Ireland's duty to ensure that European law is upheld. The State has a duty to ensure that the requirements of European law are not breached. Several areas of the general scheme are specifically in breach of the provisions laid out in the Digital Rights Ireland case. That case set out the principles on which a data retention scheme could be brought in. It stated the general principle that unless a scheme met those principles, it was illegal. The reason the directive fell was that it did not meet those principles. Our original legislative provisions were based on that directive and continue to be based on that directive.
The new scheme requires that there continues to be a shortfall between the checklist in the Tele2 and Digital Rights Ireland cases and what is proposed to be brought in now. In consequence, the new legislation, like all previous legislation on this topic, will still be in breach of European law. This is bad, obviously, because Ireland is required to be in compliance with European law. Moreover, it will have specific consequences in respect of the use of the evidence gathered and the significance of how that evidence can be relied upon in court.
If it is the case, as has been decided by the Supreme Court, that data collected in good faith by the Garda by a means which is believed to be fair and reasonable but which subsequently turns out not to be, then it is possible for the courts to such data collected in that manner into account.
It is held by the State that data currently being collected and accessed is protected by that decision of the Supreme Court. However, there is no doubt – it was acknowledged at the committee today - that since the Tele2 and Digital Rights Ireland cases it is clear the State system of collecting data is not in compliance with the law, and the State knows this.
This is a crisis. In his report, Mr. Justice Murray recognises the level of crisis this represents. He makes a strong call for the current regime to be suspended. That is not simply from the position of human rights and civil rights, although these are absolutely critical. It is also because there will be instances, if this goes forward, of the occurrence of risk that prosecutions that would otherwise be successful could face challenge. This could arise on foot of evidence produced being challenged on the ground that the State knew or ought to have known that it was not properly collected.
What we have is a system of mass surveillance. It has been going on for little over a decade, longer if we take the pre-legislative position. It has been under-challenged since 2006. The European law underpinnings have been found to be incompatible with the EU Charter of Fundamental Rights and, therefore, incompatible with European law.
Contrary to the statement committee members heard earlier, European law is directly effective on Ireland. Unlike the European Court of Human Rights, judgments of the Court of Justice of the European Union are directly effective in Ireland. Decisions in respect of legality are directly effective. They can be appealed to and are superior to Irish law. What we have is a system whereby those laws have been allowed to continue. I am not going to suggest this is as a result of a state of denial, but we have seen no evidence of recognition of the urgency for this matter to be addressed. We can see now the means by which it is proposed to address this. It appears that the actual problem, which is what the State wishes, has been expressed clearly. The State wishes that the collection of data in itself was not a breach of data protection rights, but it is, and that is what the court has found. The State wishes that the relevant question was when data was accessed rather than when it was collected. The Court of Justice in Europe has found that this is not the case. The court made this finding in 2013 in the Digital Rights Ireland case. The State wishes the question was merely that it could take account of court cases without having to apply them directly. In fact, those court cases are binding on the State. The decisions of the court in Luxembourg are binding on the State. They can be appealed to directly in courts and the courts must apply them directly in Ireland. The argument that European courts do not make decisions on domestic law is a distinction without a difference. If there is a finding that a domestic law is in contravention of European law, and European law is defined by the courts, then the domestic law in question falls.
That is the scene-setting I have sought to put in place. We have a potentially critical issue involving the mass surveillance of the entire population of Ireland. It is not limited to journalists, but it should be noted that European law specifically recognises certain classes of communications that are particularly sensitive. These classes include communications between: trade unionists and union members; journalists and their sources; and lawyers and their clients. These are recognised as specific communications that are specifically sensitive. That is not to say these are the only communications that ought to be given protection, as was correctly pointed out by the departmental officials at the committee earlier. The correct role is to ensure that the floor of protection for all citizens meets the requirement of the most vulnerable and sensitive data communications.
I will hand over to Dr. McIntyre, who will take the committee through some of the details in respect of the heads of the Bill. I hope we will have time for questions. I am mindful that some of the members need to be elsewhere.
Dr. T.J. McIntyre:
I was somewhat surprised by the posture taken by the Department today. I did not recognise many of the points departmental officials made as accurate statements of the law. The overall posture of the Department was that this was a new issue that had crept up on us and taken all of us by surprise in December last year, when the Tele2 judgment came out.
I am surprised by that because I feel like I have been talking about this issue for decades. In fact, I have been, because we commenced our constitutional challenge in 2006. At that stage, we highlighted the exact issues that we are talking about today. The Department has known for many years that these are live issues. In fact, prior to this matter getting to the European Court of Justice in Luxembourg, national data retention laws were struck down by national constitutional courts in quick succession in 2008, 2009 and 2010 before the German Federal Constitutional Court and the constitutional courts in Bulgaria and Romania. At this stage we have had literally a decade to address the issue. It is remarkable that it is only being done now.
It is also remarkable that the Department continues to fight our case. The Department is in the remarkable position of having commissioned a report from the retired Chief Justice that describes the existing scheme under the 2011 Act as a form of mass surveillance that is in breach of European Union standards, while, at the same time, maintaining the position in the High Court that the matter must go to full trial because the allegations against the State are denied in every regard.
If only from the perspective of the hard-pressed taxpayer, it is remarkable that the Department will continue to subsidise the legal profession in this regard. As a lawyer, I suppose I am grateful for that to some extent. It is, nevertheless, undesirable.
This summer the Department fought our application to have a preliminary hearing that would expedite the resolution by the courts of these matters. We sought a preliminary hearing on purely the European law issues. In other words, to save time and expense we sought to have these European law points determined separately before we got into the constitutional issues that arose. While the Murray review was on its desk, which made these points which determined that, as a matter of European law, the scheme was illegal, the Department, nevertheless, opposed our application claiming it was a matter where it would be inappropriate to determine the European points separately and that the European constitutional points should all be folded into one much longer and much wider hearing.
Obviously, we cannot do justice to the 170-odd pages of the Murray report nor even the 16 pages in our written submissions. I am happy to answer any questions committee members might have, however.
I want to address the points that were relied on by departmental officials who attended the committee earlier on. Mr. Dermot Woods, in particular, laid great emphasis on the three layers of judicial protection, which he described as involved in the new scheme. I would like to take issue with one of his characterisations. He said the complaints referee system to be established under the new scheme will include provision for compensation to be awarded to people whose communications have been wrongfully accessed. That is not in fact the case. If one looks at our submission and head 22 of the Bill, one will see that the existing power to award compensation has been expressly taken away. In fact, it no longer appears in the powers of the complaints referee under head 22. It has been taken away without any explanation or justification.
The role of the designated judge was stressed at great length. Some committee members have already heard me making the point in respect of the designated judge that the oversight system, as it currently exists, is inadequate. It is worth repeating that the designated judge has to date issued annual reports, consisting of a single page in most cases containing two or three paragraphs with no substantive detail of any sort on the actions he or she has taken to oversee surveillance in Ireland. It is worth bearing in mind that the designated judge does not just oversee data retention but also interception of the content of communications. This is all done on a part-time basis, on top of their day jobs, which are enough in themselves to keep them quite busy in the Four Courts. They do this on the basis of one day or one or two mornings or afternoons, attending the various offices in the Department of Justice and Equality and in the Defence Forces, and so on.
This is inadequate. It is entirely insufficient to provide an adequate and transparent system of oversight. In fairness, the new designated judge in the area, Ms Justice Marie Baker, has taken a more expansive approach and she has already issued one ad hocreport in response to a particular allegation of wrongful interception which contained considerable more detail than any prior reports. It may be that she intends to issue annual reports which are more detailed in future. We do not know, however. The problem is there is no requirement on the designated judge to do so. It is left up to them to decide how they are going to fulfil their statutory responsibility. To date, they have done so in this entirely opaque way.
Why is this inadequate? Is it because it is entirely lacking in transparency? Fortunately, we can evaluate how effective the designated judge has been because we can look to some issues exposed elsewhere. The Data Protection Commissioner carried out a review in 2014 of the handling of communications data by An Garda Síochána. The Murray review updated that to a limited extent. We can identify from these several areas where the designated judge has missed fundamental breaches of the existing schemes.
The 2014 report revealed a systematic practice in An Garda Síochána of retrospectively rubber-stamping requests. The theory was that requests had to be approved in advance by a senior member, namely, a chief superintendent or above. In practice, requests for communications data were being made by individual gardaí without any prior authorisation and were being delivered in batches to the chief superintendent after the fact to be rubber-stamped. The statutory criteria were being entirely ignored. We discovered from the 2014 audit that the Communications (Retention of Data) Act 2011 had been misapplied. Gardaí had been citing it in applications to access data held by firms which were not subject to the legislation. It was being used entirely beyond its scope. Again, the designated judge failed to pick up on this.
We also know, courtesy of the Murray review, that requests for retained data were made in cases other than serious offences. They were made in respect of criminal offences which did not meet the statutory threshold that the offence be punishable by five years or more imprisonment. This is remarkably significant because successive justice Ministers have told the Houses that retained data is only used for the purposes of investigating serious crime and is not used in respect of more trivial matters. It emerged from the Murray review that, to this day, retained data is being accessed for this purpose on the basis of what is essentially voluntary disclosure by the communications providers, which is entirely outside the remit of the 2011 Act. Again, the designated judge for many years failed to pick up on this effective evasion of the requirements of the 2005 and 2011 Acts.
While there is no reason to think that the designated judges are not individuals of the highest probity who are committed to carrying out the functions in this area as best they can, our position is that the designated judge system is inadequate and has been shown to be so. One cannot expect a part-time, busy, High Court judge, with no expertise in the area and no secretarial or technical expert support, no guidance as to how to carry out their functions, to do so on an ad hocbasis and point to it as sufficient for oversight.
Mr. Dermot Woods also mentioned the role the Data Protection Commissioner has in this regard. What he did not mention was that the Data Protection Commissioner is in effect gagged in what it can do and say. The commissioner is limited in what she can do in that there are significant carve-outs from the remit of the Data Protection Commissioner. As we stated in our written submissions, the Data Protection Commissioner is precluded from investigating certain matters relating to national security which covers a great deal of surveillance. On top of that, the Data Protection Commissioner is precluded from publishing reports of what they discover in carrying out their investigations.
In 2016, at around the same time as the GSOC revelations were emerging, the Data Protection Commissioner indicated she was going to audit the handling of communications data by the relevant State bodies, in particular the Defence Forces and An Garda Síochána. She was going to evaluate how they carried out their obligations and functions under the 2011 Act, how they handled the data they accessed and so on. We have since asked, by means of requests from journalists and freedom of information requests, for these reports. The Data Protection Commissioner has taken the view that she is not entitled to give us copies of these reports. The bodies which were audited have refused to release these reports. The role of the Data Protection Commissioner in ensuring transparency is a limited one. Again, in the current state of legislation, the Data Protection Commissioner cannot act as a sufficient oversight body.
Broadly speaking, we can identify the legislation as having three areas where we have to think about the safeguards that will be put in place. What are the safeguards for making a ministerial retention order? What are the safeguards in respect of accessing retained data? What are the safeguards in respect of notifying people that data have been accessed and then a remedy being available to them? The starting point is the retention order by the Minister. There is no provision for these retention orders to be made public. There is no provision for any review of the proportionality or necessity of detention orders. The departmental officials indicated the retention orders would be targeted. The Tele2 case requires that they be targeted.
However, that was not included in the legislation. There is no provision in the relevant head that retention orders must be targeted or specifically limited in this way.
The Tele2 case also sets a very high standard. A retention order, because it is so invasive, can only be made if it is strictly necessary. This is a point that Deputy Jack Chambers made earlier. Again, that is not something that appears in the legislation. The test here is essentially one of whether it would be proportionate to retain the data, not whether it is strictly necessary, that is, that any other means of achieving the same goal can be completely excluded.
Accessing the data, the second area in which we expect to see safeguards, also does not meet the requirements set out in Tele2. Tele2 focuses on the investigation of crime. It pertains to accessing data of people who are in some way implicated in crime and, again, this is a point that Deputies raised earlier. However, the heads of Bill do not reflect it. They allow for accessing - indeed they explicitly allow for accessing - of data of people who are not in any way implicated in crime, and that would include journalists. The point was made earlier, again primarily by Deputy Jack Chambers, that there is no journalistic protection in the legislation. We say that this is not just in breach of the recommendations made by Mr. Justice Murray, it is in clear breach of European Convention on Human Rights, ECHR, case law. The latter stresses that journalistic data has to be carved out as a special entity requiring special protections. It also requires that in all cases - even in cases of urgency - there should be a prior judicial authorisation process before journalistic data is handed over. The reasoning here is very simple; one cannot unring the bell. One cannot restore the confidentiality to a source once that source has been identified. In the case law we cited in the submissions, the European Court of Human Rights has said that even in cases of urgency, it might be possible to devise situations where, for example, it is required that data be stripped out to eliminate any information that would identify a source before any remaining information was handed over. Mechanisms must be put in place in national law to allow it. However, the Bill that is in front of the committee does not do that.
Finally, in respect of the third category, those situations in which we have access and we look at the notification and the remedies available for access, we have a number of concerns that again, the standards set out in Tele2 are not met. Here we say that we have a failure to meet the core standard in respect of notification. The problem here is that the legislation contains a very vague exemption. People may be refused notification of the fact of access if notification would be incompatible with the purposes for which the data was retained. That appears to be a very wide carve-out. It is not entirely clear what is meant by it. I do not think it is the world's greatest example of drafting. On the face of it, however, it appears to allow a very wide exclusion, particularly because it refers to investigations which may take place in future. For example, it might allow for an exclusion of notification in situations where there is a desire not to give away the use of this data as an investigative technique in unrelated cases involving other people. It is not the case that it is limited to the possibility that further investigations will be carried out against an individual or other individuals who are affiliated with those involved in some way.
Second, as already stated, the role of the complaints referee is limited and the power to award compensation is taken away. In addition, the complaints referee is gagged in what he or she can say where no violation of the legislation has been found. One might ask why that matters. Surely it is enough that the complaints referee says there is no violation. It matters because the complaints referee, in finding that there is no violation, might be exposing, for example, a very wide and possibly questionable interpretation of the legislation being relied upon, which individuals might wish to challenge. It matters because the complaints referee, by being precluded from giving reasons, will not be in a position to satisfy individuals as to why a particular authorisation to access data might have been justified. It matters because, fundamentally, there is no reason for this blanket gag to be placed on the complaints referee. This is a holdover from the Communications (Retention of Data) Act 2011 and, before that, the Criminal Justice (Terrorist Offences) Act 2005. There, the thinking was that there had to be a blanket secrecy provision, otherwise the complaints referee could be used for what the computer scientists term an "oracle attack". If an individual thinks they have been under surveillance, they could go to the complaints referee. If he or she gets a full decision, fine. If he or she gets a decision which simply says, essentially, that the complaints referee is unable to confirm or deny, then he or she will realise that he or she has been placed under surveillance and that his or her data has been accessed. In other words, the secrecy provision was a mechanism to prevent people from determining whether their data had been accessed.
This is not appropriate any more because the 2017 Bill provides a presumption that one should be notified. The general rule, by default, is that notification should be made, except in certain narrow circumstances. It is possible, therefore, to say that the complaints referee should be able to discuss the facts of the matter and should be able to give reasons, if an individual already knows that his or her data has been accessed, having already received a notification. There is no good reason for saying that someone has been notified that his or her data has been accessed but that the complaints referee will still be precluded from explaining the circumstances in which that took place.
There are obviously a lot more points contained in the written submissions. At this stage, I would be happy to help committee members any further if I can.
I thank the witnesses very much for their contributions. The more that we hear, the more alarm bells are starting to go off. We have lots of reasons to be concerned. We in Ireland certainly have a lot of work to do in order to try to make this legislation fit for purpose. I have already raised this question with the officials who came before the committee. Do the witnesses think that an independent authority should be appointed to monitor standards of data security and also compliance with security standards? If so, what kind of powers would be required for that independent authority to do its job properly?
Dr. T.J. McIntyre:
I agree with the recommendations of Mr. Justice Murray. In fact, I think that has to be folded into a wider look at surveillance oversight in Ireland generally. The designated judge here is dealing with just one of three statutory regimes. We have data retention, that is, access to communications data; we have interception, access to the content of communications; and we have the Criminal Justice (Surveillance) Act 2009, which pertains to the planting of bugs or tracking devices on cars. We have a separate designated judge who deals with the 2009 Act. We also have the designated judge under this legislation who will deal with data retention and interception. If we are going to professionalise the role, I think it would be desirable to fold them into a single oversight body to look at the oversight of surveillance generally and avoid situations where matters might fall through the cracks between the two different sets of judges. Within that, we could have the security and monitoring function that Deputy Wallace mentions.
Do the witnesses think that the number of designated officers in each statutory body should be limited? It is recommended in the Murray report that only a limited number of designated officers in statutory authorities should have authority to request disclosure of retained data, particularly as training in privacy and proportionality should be required in order for someone to act as a designated officer. Also, should this training in privacy and proportionality for designated officers, or anyone who might access retained data, be stated in the legislation?
Mr. Simon McGarr:
Unquestionably, it is necessary to have a limited number of officers. If there is going to be a system where certain designated people can seek to have access to information, they must be given the necessary training to allow them to do that, otherwise they are not in a position to perform their duty sufficiently. What would be valuable is not so much to set out the training they should get, but rather to clearly set out what the duties are and ensure that the training gives them the information they need in order to perform those duties. Putting descriptions of training into legislation is probably a way of building in obsolescence where a fast-moving topic like data retention is concerned.
Mr. Simon McGarr:
It would be important that there be a recognised system and that certain tasks be performed and certain assessments be done internally before a request is made externally to a telecommunications provider. This is important for the telecommunications provider. Under GDPR, it will be liable if information is released improperly. It is as much for the provider's protection as it is for the protection of the individual whose data has been given out that the provider at least require some sort of written record so that it can say that all necessary legislative provisions had been adhered to before it issued the information. In terms of leaving telecommunications providers open to criticism and, potentially, substantial fines under the GDPR, it is critical that there be a set form of request with a certain number of protections built into it.
I put a question to the previous delegation. The Murray report recommends that persons whose rights have been affected by wrongful access to retained data should have an appropriate judicial remedy, which has been backed up by EU legislation and the European Court of Human Rights. The general scheme of the Bill does not provide for this. The Department stated that it was examining this issue and had not made up its mind yet. What do the witnesses have to say on this matter?
Dr. T.J. McIntyre:
To be honest, I am bemused by the decision to drop the provision for compensation by the complaints referee. I wonder whether this was done by accident. I would prefer to believe that it was done by accident rather than by stealth. It would be desirable that the complaints referee have that power. One cannot expect individuals to take on the expense and risk of a High Court action in every case where there has been an abuse.
I must stop Dr. McIntyre at this point. I am afraid that the Final Stage vote on the Water Services Bill is being signalled on the screen. From Deputy Daly's contribution, my understanding is that a justice and equality Bill will commence immediately on the conclusion of this vote. That will require the attendance of the greater number of our Deputies. It becomes impossible for us to continue.
At the start of it. There will be some heavy parts. For the first couple of amendments, Deputy Wallace can stay here and I can handle them. I do not know whether any of the other Deputies will be there. They would not need to be. It would be remiss of us not to conclude this meeting.
It would be good to be able to conclude our business. There are a number of important matters, not just relating to what Mr. McGarr and Dr. McIntyre are outlining, but even in our private session.
It is eight minutes from the bell. I suppose that 15 minutes would be the most reasonable position to allow for a coffee. We will suspend for 15 minutes. I thank Deputy Daly for her intervention.
I raised some points with the previous delegation but did not get much satisfaction on the following point: according to the general scheme a ministerial order would be required to retain the data. Then judicial authorisation would be required for it to be released to the relevant statutory body. While the Minister would order the retention of data, judicial authorisation would be required for access to data. Do the witnesses think these steps offer adequate safeguards against possible abuse of the process?
Dr. T.J. McIntyre:
One point about access is that the urgency provision, which the Deputy has mentioned already, does not meet the Murray recommendations. Mr. Justice Murray recommended that if an access is made under the urgency provisions there should be retrospective judicial oversight. The access might be made but the judge should then be required to evaluate whether access had been appropriately granted. The intention is obviously to avoid abuse.
The Deputy also mentioned the problem of the national security provision, that notification of the fact that access is not granted can be refused on national security grounds. That is a problem that is compounded by the fact that this Bill does not define national security so it leaves open the grounds on which notification might be refused.
Mr. Simon McGarr:
If I might follow up on the question of the urgency. There is no one in the country who would not recognise the value of being able to find a lost person, missing person, a person at risk by way of an inquiry from cellphone masts, etc. It should be recognised that the data retention scheme is intended to retain data beyond the point that it would normally be retained by telecommunications providers. After all, they do retain this data for up to six months for operational purposes. It is simply to give a legislative basis beyond that point. As a result, there would be very few missing persons cases, for example, where a child goes missing, where it would be necessary to rely upon retention of data legislation to access that data. The person would have to have been missing for up to six months before the access was sought under this legislation. While the Garda may have given the Department some figures in respect of the purposes for urgent requests I am not sure those urgent requests are made for data that would be retained anyway in respect of people's locations and which did not require the implementation of the retention of data regime.
On the issue of state security, even protests could be deemed a threat to state security at times. When Deputy Clare Daly and I got over a fence in Shannon Airport to search a military plane the authorities probably would have felt we were endangering state security whereas we would have had a very different idea about that. I have never thought about this before but have other states defined what state security means to them?
Dr. T.J. McIntyre:
I could not tell the Deputy the position in other states generally. However, when the Policing Authority was established the Act which created it was the first Irish Act to define national security because it creates a carve-out: the Policing Authority oversees Garda functions only in the area of the criminal justice system, not national security functions. There is a definition that could be imported here which contains exclusions aimed at protecting freedom of expression and protest, for example, from national security exclusions.
The Deputy makes a very good point about how elastic that term is. It is a concern because the notion of serious crime is also very elastic. A serious crime under the heads of this Bill is one that is punishable by five years' imprisonment or more. That includes stealing a Mars bar or painting graffiti because theft and criminal damage each carry possible prison sentences of up to ten years. Mr. Justice Murray in his review was very critical of this and said by definition these types of offences, which could be tried either summarily or on indictment, when tried summarily are not serious offences and should not be included in this regime. There is a risk that this could be used as a pretext for a wider investigation, for example, if, as part of a political protest, graffiti, even chalk marks, were placed on a wall, that would be a serious offence sufficient to trigger the application of this legislation.
I thank the witnesses for their contribution and submission. They mentioned that under EU law and in general jurisprudence, provision is made for certain people in society to have particular privileges around data. Should there be a separate pillar within the scheme and who would they include in that additional protection? The Department tried to provide a generalised scheme without specifying anybody. How would the witnesses codify that or are there examples in other countries?
Mr. Simon McGarr:
We have an analogy from the data protection regime for Europe. There are two classes of data: personal and sensitive personal data.
Sensitive personal data is given additional protections over and above personal data. What has happened is that the EU has also recognised that there are communications that are particularly sensitive and require particular protections. Those communications have been set out in jurisprudence. I think they have been set out in legislation at EU level. If my memory serves me, in terms of the full list, the EU recognises communications between trade union officials and their members, communications between lawyers and their clients and communications between journalists and their sources. I feel there is a fourth one but it does not spring to mind.
Mr. Simon McGarr:
No, I do not feel it has even done enough to protect the lower level in this heads of Bill. However, the question arises as to whether it would be desirable to protect everyone's data to the highest level. In other words, we would say this is the level we should apply to those special conditions and we will move everybody's protections up to that level. In principle, that would be attractive and sensible given that we would then lose the problems, which the Department recognises are very valid, of creating a two-tier process where we argue over whether or not the communication on a particular instance of a person who falls inside a class falls inside the protected communications sub-class. An example would be where a trade unionist talks to a member who is also a friend. We do not want queries about whether or not the legislative provisions apply to-----
Mr. Simon McGarr:
The Murray report takes the view that there are particular protections that should be given to certain people, including journalists. I think those protections are valuable and should be provided for here. I would also say that one way of dealing with this, which would address the Department officials' concern, would be to have those same protections apply to all other citizens. Then we will have met the requirements under the Murray report and addressed the questions of creating a single easy-to-define system of protection.
Mr. Simon McGarr:
I would go further. I would say it falls short of both the Murray recommendations, the requirements of European law in the form of the Tele2 judgment and the European Convention on Human Rights. There is no doubt in my mind that the provisions as they stand individually and collectively would not meet those requirements. We do not want to be in the position where we are going to have to buy frequent flyer tickets to Luxembourg but if it is the case that we have to go back to the European Court of Justice in respect of these matters then-----
Mr. Simon McGarr:
Given that the incentives to a person sitting in jail to seek to challenge his or her conviction are quite substantial and the legal pathway by which such a conviction could be challenged if this evidence had been used in those circumstances is quite clear to any practitioner, I cannot imagine circumstances where there would not be a challenge, even apart from a challenge from an NGO.
I again record our appreciation. This is not the first time the witnesses have come before us. Their contributions today, opening addresses and responses have been hugely informative not only for the committee members but also, I hope, for others who may be listening. It was important that the witnesses had the opportunity to hear the earlier session. I would have liked for our guests to have stayed on and heard the second session. It might have been equally instructive but these are early stages. I hope many of the points reflected on by Mr. McGarr and Mr. McIntyre will be taken on board as this Bill presents further.