Dermot Ahern (Louth, Fianna Fail)

I move: "That the Bill be now read a Second Time."

I am pleased to be in the House today to present the Communications (Retention of Data) Bill 2009. The primary purpose of the Bill is to transpose Directive 2006/24/EC of the European Parliament and Council into law. The directive requires service providers to retain data generated or processed in connection with the provision of publicly available electronic communications or public communications networks and to make it available on request for the detection, investigation and prosecution of serious crime.

Before I explain the provisions of the Bill and its background, I would like to speak more generally about data retention and its important role in the investigation of serious crime and in safeguarding the security of the State. It has been in the news at regular intervals over the past few years and some misconceptions may have arisen as to its scope and purpose. It is important to bear in mind that data retention is not new; it has been an essential feature of crime investigation and the safeguarding of State security for many years. Also to be borne in mind is that data information is not concerned with the content of a communication; it is about who, where and when. The intrusion into a person's privacy is minimal.

The retention of data in this country began in the days of the Department of Posts and Telegraphs, when communications were by means of fixed-line telephones and the postal system, of which the State was the only provider. Typically, telephony operators, even after the market was opened up, retained data for six years for their own purposes, such as billing and marketing. This made sense because the statute of limitations during which a telephone bill could be challenged or payment pursued was six years. The operators made the data information available to the Garda on request when required for fighting crime and safeguarding the security of the State. In those circumstances, relations between the operators and Garda developed so that the voluntary scheme was based on goodwill and common sense on both sides. Any Garda could request data in respect of a crime he or she was investigating. The system was not regulated by statute.

The first significant statutory intervention came in the form of the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, of which section 13 inserted new subsections into section 98 of the Postal and Telecommunications Services Act 1983. Under the inserted subsection (2A), a person employed by a company who disclosed to any person any information concerning the use made of telecommunications services provided for any other person by the company was guilty of an offence. There were exceptions, including disclosures made for the prevention or detection of crime or for the purpose of any criminal proceedings or in the interests of the security of the State. A request by a member of the Garda Síochána to make a disclosure had to be in writing and be signed by a member not below the rank of chief superintendent. In practice, this meant that all disclosure requests were made through one specified chief superintendent, a practice that continues to this day. A parallel inserted provision ensured that any request from the Permanent Defence Force for data required in the interests of safeguarding the security of the State must be made through an officer not below the rank of colonel.

This remained the case until the adoption of Directive 2002/58/EC of the European Parliament and Council in July 2002, which concerned the processing of personal data and the protection of privacy in the electronic communications sector. As interpreted for data protection purposes, the directive provided that traffic data could only be retained for six months. This posed a problem for Ireland, as the Garda required data to be retained for longer than six months if it was not to be severely handicapped in its ability to fight crime and safeguard State security. In practice, most retained data that is required is requested by the Garda or Permanent Defence Force within six months of its being generated or processed. However, the quality of data retained for longer periods can be equally important in fighting crime, including terrorist crime.

The Department of Justice, Equality and Law Reform and the then Department of Public Enterprise came to an agreement that telephony data should be retained by operators for three years; that is, half the period for which the operators voluntarily retained telephony data previously. That agreement was given statutory effect in directions issued by the Minister for Public Enterprise to the main telephony operators under section 110(1) of the Postal and Telecommunications Services Act 1983. It was intended to follow up the directions with primary legislation. However, in 2003 Ireland received an invitation from some of our colleagues in the EU to co-sponsor a framework decision on data retention. Agreement was reached on Ireland's participation in the preparation of the instrument, and further work on the legislation had to be deferred until the text of the framework decision was agreed and adopted.

The negotiations on the framework decision proved difficult and complex. They had effectively reached stalemate when the Madrid bombings during the Irish Presidency of the EU in 2004 highlighted the necessity and urgency of obtaining agreement on the retention of data. Negotiations recommenced in earnest but had not been concluded by January 2005 when the then Data Protection Commissioner issued notices to the main telephony operators directing that they retain data for no longer than six months. Rather than hamper the Garda Síochána and the Defence Forces in their vital work in investigating crime and safeguarding our security, a decision was taken to include provisions in the Criminal Justice (Terrorist Offences) Bill, which was then being debated in the Seanad, on the retention of telephony data. It was also decided not to deal with the more complex Internet provisions until an EU instrument had been agreed. I am glad to say the data retention proposals included in the Bill received a generally warm welcome. The urgency of ensuring that the Garda and Defence Forces could gain access to retained data in a controlled and supervised manner was acknowledged.

I have given this short background to the law and procedures relating to data retention in this country to put the record straight and also to place the Bill in its proper context. As we are all probably aware, agreement was never reached on the framework decision, and it was replaced by a directive of the European Parliament and Council, which is now being transposed in the Bill. It is normal practice, as provided for in the European Communities legislation, to transpose such directives by means of secondary legislation. Our legal advice suggested there would be no problem in using secondary legislation as our transposition vehicle. However, on the basis of later advice, it was decided for a technical reason to proceed by way of primary legislation. This partially explains the delay in publishing the Bill.

The preparation of the Bill was also delayed by prolonged consultations with service providers and, in particular, their representative associations and other interested parties. I express my appreciation of the constructive way in which the service providers entered into the consultative process. The process was long and, at times, complex, and negotiations are still continuing between the Garda Síochána and the representative associations on the implementation of the legislation.

The directive was adopted under Article 95 of the Treaty establishing the European Community, which provides for the adoption of measures for the approximation of provisions laid down by law, regulation or administrative action in member states which have as their object the establishment and functioning of the Internal Market. Ireland, supported by Slovakia, applied to the European Court of Justice to have the directive annulled on the basis that the choice of legal basis for the directive was fundamentally flawed. The Irish case was that neither Article 95 of the European Community treaty, nor any other provision of that treaty, could provide a proper legal base for the directive. Ireland submitted that the sole or at least main or predominant purpose of the directive was the investigation, detection and prosecution of serious crime. In those circumstances, Ireland submitted that the only permissible legal basis for the measures contained in the directive was Title VI of the Treaty on European Union, being the provisions on police and judicial co-operation in criminal matters. Articles 30, 31 and 34, in particular, were relevant. In a judgment last February, the court found against Ireland's application. The directive must now be transposed into national law and the legislation in Ireland is now well overdue. The European Commission has initiated infringement proceedings against Ireland in the European Court of Justice adding greater urgency to have the legislation enacted without delay.

I will now outline the provisions of the Bill which is relatively short and largely remains within the parameters established by the directive. The Bill has two main objectives. The first, at section 3, obliges service providers to retain data. The second, at sections 6 and 7, gives the relevant law enforcement agencies power to make a disclosure request for retained data and obliges the service providers to comply with such a request. I will explain these important elements in a moment but will first emphasise the importance of section 2.

Section 2 gives effect to Article 1.2 of the directive by providing that the Act does not apply to the content of communications. It does not, for example, apply to the content of a telephone conversation or an e-mail or to web browsing or websites visited. It simply allows law enforcement agencies in Ireland to seek information in regard to the who, where and when of a communication. In the case of the Internet, it obliges service providers to retain data equivalent to the type of telephony data that has been retained for many years. I would like, at this stage, to dispel another myth. Neither the Garda Síochana nor the Department of Justice, Equality and Law Reform will retain a vast database of information relating to the use of communications by our citizens. The fact is that the Garda Síochana, Permanent Defence Force and the Revenue Commissioners will be, under this legislation, able to request data information for the purposes established in the Bill and subject to the safeguards therein. It is the telephony operators and Internet service providers who will retain the data for the periods set out in the Bill.

Article 1.1 of the directive obliges member states to ensure that retained data is available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law. This raises some important questions. I mentioned earlier that the intention was to transpose the directive by means of secondary legislation. This would have ensured that we could have avoided infringement proceedings. However, it was always intended to follow such secondary legislation with primary legislation. That legislation would have consolidated the data retention schemes for telephony and Internet data retention. More important, it would have allowed us to add to the list of purposes for which data could be sought. These are data necessary for safeguarding the security of the State and the saving of human life. They do not form part of the directive. The Bill consolidates the data retention schemes and includes provisions on State security and the saving of human life which means further legislation will not be required.

There has been much discussion on what constitutes a "serious offence". There are two basic points to bear in mind in any debate on what should be a serious offence for the purpose of the Bill. Currently, telephony data can be sought for the investigation of any offence. Any credible definition of "serious offence" used in the Bill will, therefore, restrict the offences for which data can be sought. There is no universal definition of "serious offence" in this country. The expression is described in some Acts as an offence punishable by a term of imprisonment of five years or more. However, such definitions are solely for specific purposes or Acts. Any offence that can be charged on indictment is, under our Constitution, a serious offence. This means it would have been feasible to define "serious offence" as any offence that carries a penalty of more than 12 months imprisonment. Following much thought and consultation with the Garda Síochana, I accepted a suggestion first made by the service providers that for the purposes of a disclosure request a penalty of imprisonment of five years or more would be appropriate. In addition, the First Schedule contains a handful of other serious offences, triable on indictment but with a maximum penalty of less than five years imprisonment, for which data can also be sought. This list was suggested by the Garda Síochana and represents its opinion on the offences for which it is essential it retains the ability to make a disclosure request, namely, offences carrying a penalty of up to five years imprisonment.

Regardless of how "serious offence" is defined, it will not affect the amount of data that is retained. It cannot be known in advance for what data may be required. The vast majority of data will not be required and will be destroyed after the appropriate time. However, by defining "serious offence" the amount of telephony data for which a disclosure request can be made will be less than under current law where data can be disclosed for the investigation of any offence.

It would have been possible under the terms of the directive to give every law enforcement agency in the country authority to make a disclosure request but this has not been done. In addition to the traditional role of the Garda Síochana and the Permanent Defence Force, I have given power to the Revenue Commissioners to make disclosure requests in respect of six specific revenue offences. The primary reason for the inclusion of the Revenue Commissioners in this Bill is to provide its investigating officers with access to communication data to assist them in tackling various forms of serious tax evasion that are undermining the collection of tax revenues in the State. Tackling tax evasion has always been a top priority for Revenue.

The Bill recognises the role of the Revenue Commissioners as a criminal law enforcement agency whose task it is to protect the Exchequer from fraud. Experience has shown that the lack of such access has been a hindrance in detecting certain cases of serious tax fraud and gathering the necessary evidence for the purposes of prosecution. This need is clearly justified and access to such information should improve the level of detection of serious tax evasion and the gathering of evidence necessary for criminal prosecution and will assist in depriving criminals of funds.

Modern telecommunications and the Internet are invariably utilised by those engaged in the type of illicit activities investigated by Revenue. For instance, documents encountered by Revenue officers in the course of investigating cigarette smuggling in maritime freight where bogus Bills of Lading are used, oil laundering and the distribution of laundered oil under cover of bogus invoices, alcohol fraud using bogus documentation, cross-border VAT fraud and other forms of serious tax evasion often include contact phone numbers which need to be traced and the identity of the subscriber established along with the usage of the phone if the investigation is to be progressed.

I find the case for access compelling and Revenue has given categorical assurance that requests for such information will be confined to investigations involving serious indictable revenue offences. I might add that the Revenue case for access has been supported in the past by the Attorney General, the DPP and An Garda Síochana and was one of the recommendations made by the Revenue powers group in its report to the Minister for Finance in November 2003.

Article 3 of the directive establishes the obligation to retain data and is given effect in section 3 of the Bill. It obliges service providers to retain telephony data for two years and Internet data for 12 months. Members may ask why two years and 12 months when the directive states between two years and six months? Under Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 telephony data must be retained for three years. There are currently no statutory requirements in relation to the retention of Internet data. Some commentators have suggested that I am reducing the retention period for telephony data from three to two years to comply with the terms of the directive. This is not the case. Article 95(4) of the TEC states that if after the adoption of a harmonisation measure a member state deems it necessary to maintain national measures it can notify the Commission of those provisions and the grounds for maintaining them. The Commission has the power to approve or reject the national provisions involved. Following a re-evaluation by the Garda Síochana as to its requirements for the investigation of serious crime and safeguarding the security of the State, it was considered that a two year retention period for telephony data would be sufficient. Similarly, the 12 months retention period for Internet data is deemed to be the minimum necessary in respect of that data. Most retained data that is the subject of a disclosure request was generated or processed in the previous six months but the quality of longer held information makes retention periods provided for in the Bill necessary for efficient law enforcement and State security. I would suggest there is never a good time to deprive our law enforcement agencies of a vital weapon in the constant battle against criminals and terrorists who themselves are adept at using modern technology and now is certainly not a good time.

Section 4 ensures that the same level of security will attach to data retained under this Act as is retained for other purposes. It gives effect to Article 7 of the directive. The providers must destroy the data as soon as the retention periods have expired. However, one month's grace is given to enable the data to be actually destroyed. Apparently there is more to destroying the data than simply pressing a button. This section also provides that the Data Protection Commissioner will be the supervisory authority in Ireland for the purpose of both the Act and the directive. The appointment of a supervisory authority is required by Article 9 of the directive.

I accept that in the light of some significant breaches of data security in recent times, such as the theft of laptops with unencrypted material, there is some concern about the security of retained data. There is an increasing appreciation of the need to ensure the highest level possible of security on data that are in the possession of service providers for use for their own purposes and the legislation can do no more than apply that heightened level of security to the data retained for the purposes of compliance with this Bill. In doing so, the legislation complies with the security requirements of the directive. Following the recent breaches of security, I established a data protection review group which I understand is almost ready to publish a consultative document describing the issues from a legal, technical and regulatory perspective. I hope that interested parties will contribute their views on the consultative document so that it will be in a position to begin writing its report without delay.

Section 5 repeats section 64(1) of the Criminal Justice (Terrorist Offences) Act 2005. It sets out the circumstances in which the service providers can access data retained under the Act.

Article 6 of the directive requires member states to adopt measures to ensure that data retained in accordance with the directive are provided only to the competent authorities in accordance with national law. This requirement is given effect in the Bill at section 6.

Section 6 establishes who can make a disclosure request and for what purposes. Unlike some other countries, the ability to make a disclosure request is confined to just three law enforcement agencies: the Garda Síochána, the Permanent Defence Force and the Revenue Commissioners. A member of the Garda Síochána not below the rank of chief superintendent will be entitled to make a disclosure request for the purpose of the prevention, detection, investigation and the prosecution of serious crime, safeguarding the security of the State and saving human life.

There are three differences between the powers of the gardaí under section 6 and the analogous provisions in the 2005 Act. Under the 2005 Act, the gardaí could make a disclosure request in respect of any offence, and not just a serious offence, and they could not make a request in respect of the saving of human life. Also, the 2005 Act did not provide for disclosure requests in respect of Internet data. These are three very desirable differences.

A colonel in the Permanent Defence Force will be able to make a disclosure request for the purpose of safeguarding the security of the State. This repeats the analogous provision in the 2005 Act but with the addition of the relevant Internet data. I have already mentioned that this provision could not have been included in a statutory instrument transposing the directive as safeguarding the security of the State is outside the scope of the directive. That is because of the legal base used for the directive.

For the first time, the Bill gives the Revenue Commissioners power to make a disclosure request in respect of six named revenue offences. These all come within the definition of serious offence in that they are all triable on indictment with a penalty of imprisonment of five years. As with requests from the Garda Síochána and Permanent Defence Force, requests will made by one person, in this case a revenue officer of at least principal officer rank. This is a highly desirable initiative. Deputies will recall a recent statement by the Revenue Commissioners of the likelihood of increased tax evasion in these economically difficult times.

Sections 9 to 12 in one way or the other provide safeguards to ensure that the data retention scheme is not misused. Section 9 gives effect to Article 10 of the directive under which member states are obliged to forward to the Commission statistics of the use of data retention during the previous year. Because so few Irish authorities have the right to make a disclosure request and because such requests are centralised, the compilation of statistics in Ireland is relatively straightforward. This year, we were one of the first countries to return telephony statistics, even though the legislation transposing the directive was not in force. The statistics will be compiled by the three law enforcement authorities with the right to make disclosure requests. The Garda Commissioner will forward Garda statistics to the Minister for Justice, Equality and Law Reform, the Chief of Staff of the Permanent Defence Force will forward statistics to the Minister for Defence and the Revenue Commissioners to the Minister for Finance. The Ministers for Defence and Finance will review the statistics submitted to them respectively before forwarding them to the Minister for Justice, Equality and Law Reform for transmission to the European Commission. In this way the Commission will be in a position to monitor the operation of the data retention provisions throughout the EU.

Under Article 14 of the directive, the Commission will submit to the European Parliament and the Council an evaluation of the application of the directive and its impact on the service providers and consumers, taking into account further developments in electronic communications technology and the statistics provided under Article 10. The evaluation will inform a view as to whether it will be necessary to amend the directive, in particular with regard to the list of data and the periods of retention. The results of the evaluation will be made public.

The safeguards provided at sections 10 to 12 are essential for the proper operation of the legislation. They are of the utmost importance in ensuring public confidence that the legislation is not being misused and will also reassure the service providers that it is only used for the stated purposes. Section 10 provides for the independent complaints procedure. It provides that where a person believes that data relating to him or her and are in the possession of a service provider have been accessed following a disclosure request, that person may apply to the complaints referee for an investigation into the matter. Section 11 provides for an invitation by the President of the High Court to a serving judge of the High Court to undertake the duties of keeping the operation of the Act under review. Section 12 sets out those duties. These safeguards already operate satisfactorily for the retention of telephony data under the 2005 Act so there is no need at this stage for me to explain them in further detail.

There are two Schedules to the Bill. The first lists the indictable offences that have a maximum prison sentence of less than five years for which the chief superintendent of the Garda Síochána will be enabled to make a disclosure request. The offences include identifying an officer of the Criminal Assets Bureau, administering substances capable of inducing unconsciousness or sleep, reporting child abuse knowing it to be false and corruption of public officials.

The second Schedule gives effect to Article 5 of the directive. It lists the categories of data to be retained by the service providers. There can be argument and indeed disagreement as to the extent of the data mentioned in Article 5. This is especially so in the context of rapid advances in technology. For that reason, a committee of experts has been established by the European Commission to interpret and explain the directive in the light of prevailing circumstances and to give a guide as to what data need to be retained and, equally important, what does not need to be retained. Ireland is represented on that committee. Also, it would not be possible in legislation to set out exactly what each provision means, in particular, as I mentioned, when some requirements may be open to more than one meaning in the light of further advances in technology. The service providers and the Garda Síochána, Permanent Defence Force and the Office of the Revenue Commissioners have been in discussions for some time on drawing up a memorandum of understanding in which each can agree on what is required to be retained. Work on the memorandum is advanced and will be completed when the legislation becomes law.

In this introductory speech on the background, content and implications of the Communications (Retention of Data) Bill 2009, I have attempted to place the Bill in its proper context. Nothing new is created in the Bill; it does no more than extend, with some changes, existing obligations relating to telephony data to internet data. I would again emphasise the importance of data in the investigation of serious crime and safeguarding the security of the State. On a regular basis, one reads in the newspapers reports of telephony data given in evidence in some of the most notorious trials in recent years. We cannot expect the Garda Síochána to solve complex crimes if we do not give them the means to do so. Of course, we have to provide safeguards to ensure those means are not misused and this Bill provides the same safeguards as are available under the interception of communications provisions. This despite the fact that the intrusion into persons' privacy under this Bill is minimal.

I reiterate that the content of communications cannot be retained or disclosed under the Bill. This means, for example, that the law enforcement agencies cannot obtain information on the social networking sites that persons access. This may be regarded in some quarters as lessening its impact but, in the context of preserving privacy and compliance with international human rights instruments, I see it as one of its strengths.

I mentioned earlier that, for various reasons, the preparation of this Bill has been delayed. The present situation is that the European Commission has commenced infringement proceedings against Ireland before the European Court of Justice. Therefore, it is in all our interests that the Bill pass speedily through the Oireachtas and become law as soon as possible. While I look forward to a full debate on the Bill, I also look forward to its early enactment.

See this speech in context