Seán Sherlock (Cork East, Labour)

That we are only now transposing a directive which was agreed in 2006 is typical of the manner in which the Government has been remiss in its obligations vis-À-vis the transposition of EU directives in general. Ireland is behind the curve again because our European counterparts, in some instances, are already preparing to undertake a review of the directive that we have yet to transpose.

This House, for the first time, will bring about legislation specifically charged with the retention of communications data. This legislation is so flawed that it will have to be completely rewritten if the Labour Party is to support it. It is bad for business, too costly to implement, undemocratic and the oversight provisions are too weak. I hope it will be significantly amended to make it a more realistic and not the sham we have before us.

The reason for Ireland's delay in following our EU counterparts in introducing such a Bill are well documented. An attempt by previous Administrations to exclude the European Parliament and the European Court of Justice delayed the adoption of the directive here. Thankfully, with the exception of Slovakia, the overzealous and restrictive measures favoured by the former Minister for Justice, Equality and Law Reform, Deputy Michael McDowell, curried little favour in Europe. This directive was seen as the lesser of two evils by the Party of European Socialists in the European Parliament, in 2004-05. This is where we differ with the Minister's interpretation in terms of the historical perspective of the directive.

Following the Madrid bombing in 2005 the Irish, British and two other governments came forward with proposals for a third pillar intergovernmental decision on data retention. Such a measure would have been adopted by the Justice Council with consultation rights only for the European Parliament and no oversight role for the European Court of Justice afterwards. This course of action was opposed by the Commission and the European Parliament, largely on the grounds that such a measure should be approved by the European Parliament. The Commission then issued a proposal for a draft directive in September 2005 and the socialist group negotiated amendments in the European Parliament and adopted it December.

One of those amendments concerned a full review of the measure in September 2010. My colleague in the European Parliament, Mr. Proinsias de Rossa, MEP, voted in favour of the compromise and the four Fianna Fáil MEPs at that time abstained. The directive was approved by the Council in 2006 and was to have been transposed into Irish law by September 2007. However, the then Minister, Deputy McDowell, took a case to the European Court of Justice, arguing that the Council had no authority to adopt the directive and that only a third pillar initiative was permitted. The Government refused to transpose the directive while this case was ongoing. In response the European Commission began legal proceedings over Ireland's failure to transpose. Last February the European Court of Justice rejected the Government's argument and upheld the directive.

My understanding is that civil liberties groups did not have an opinion about the four countries' initiative in 2005, but had written in opposition to the draft directive. If there were no directive, it could be argued, it is likely that the four countries' initiative would have been adopted. In that context there are two views that can be taken on the directive, and consequently this Bill. One is that we transpose and thereby pass the Bill into law without question and accept it as a fait accompli. The second is that we seek to amend the Bill and ground it in reality by addressing the cost of its implementation for businesses and the issue of oversight. The Labour Party takes the view that there are circumstances in which data retention is needed and useful. However, there are some many flaws in the proposed legislation that it would have to be considerably amended before we could be satisfied with its passing into law. If we take the historical perspective and the context in the which the directive was fashioned, then we must speak of the Madrid bombings and the Omagh atrocity, which occurred prior to the instigation of the directive. However, much water has passed under the bridge and the need to transpose and legislate remains. We have an obligation in that respect.

It could be argued that this legislation has been superseded in some respects by the surveillance Bill in its use as a crime prevention measure. Whether this Bill is a complement to recently adopted legislation is open to question. Generally speaking, the provisions within the Bill must be such that they are only allowed in clearly prescribed circumstances and we must guard against any nefarious use of the Act when it comes into force. The provisions must be subject to democratic review. They must also be subject to proper judicial review.

A criticism of the Bill relates to its timing. I have already stated that we are behind the curve and Ireland should now be preparing for the 2010 review of the directive. It should also be pointed out that the European Court of Justice will now be bound by the data protection article of the Charter of Fundamental Rights because of Lisbon. If there are claims from any quarter that this represents excessive interference from Brussels, it would be my view that Mr. McDowell's alternative was far more draconian and that the Fianna Fáil-Progressive Democrats arrangement originally sought to extend this measure to the entire EU. If one argues this Bill from the civil libertarian perspective, then I respectfully suggest that the only alternative was Fianna Fáil's original proposal. It is better that, rather than having "an intergovernmental measure", we have a "Community measure" that gives a voice to the European parliament, and gives the European Court of Justice a meaningful role.

Concerns have previously arisen as to the nature and specifically the volume of requests made for retained data. Previously, Deputy Brendan Howlin highlighted how, in 2006, there were 10,000 Garda requests for access to personal telephone records under powers arising from the amendment to the Criminal Justice (Terrorist Offences) Act. This amounts to almost 30 requests for every day in 2006, and it is evident that a review of the practice has been long required. That we are finally to address this directive with a Bill is positive but it is not without its perils.

The Labour Party fully supports data retention but only for specific circumstances. With these powers, there is a responsibility, and it is our hope that through the legislative process we will address some of the ambiguities and issues arising from what has been presented in the Bill. I am concerned with the provisions in the Bill in regard to the timeframe within which data will be retained by service providers. There are concerns also in regard to costs undertaken by those service providers to adhere to such a provision. It is our considered view that the minimum period of six months may be sufficient. However, we will take this under advisement and speak about this on Committee Stage. I fear that if the maximum allowable retention period will be two years, then we will open this process to an abuse and the cost to business will reduce competitiveness and will ultimately affect the consumer.

I fail to see how 10,000 requests per annum could possibly be pertinent to a serious crime investigation. Further, the lack of a role for the Garda Ombudsman is of itself a cause for concern. Where an officer of the Garda Síochána Ombudsman Commission is investigating a complaint against a Garda that may involve a criminal offence, the officer of the commission has all the powers, immunities and privileges of a member of the Garda Síochána. This includes common law powers and powers under any Act, whether passed before or after the Garda Síochána Act 2005. So, it seems that officers of the Garda Síochána Ombudsman Commission will have the powers vested in the Garda under this Bill. While this is reasonable, it raises the question as to why the Garda Síochána Ombudsman Commission and its officers have been specifically excluded from exercising the powers to be vested in gardaí under the Criminal Justice (Surveillance) Bill. Consistency in application would require that the ombudsman commission should have investigative powers equivalent to those of gardaí under both these pieces of legislation. What is the reason for excluding the ombudsman commission under one Bill and including it in the other? I hope the Minister will address this point.

On the issue of oversight, I must ask whether the Minister is seriously asking this Legislature to accept section 11 as it is worded at present. If we speak specifically to the issue of oversight, section 11 would have to be modified to give a more structured role for judicial oversight other than that which is proposed. The wording in sections 11 and 12 is as weak as water and pays lip service to the notion of oversight. There is no provision for redress for a person who has been investigated inappropriately under this provision. There is no provision for a Revenue officer, member of the Garda Síochána or member of the Permanent Defence Force to be brought to book where a misuse or abuse of the process is proven. The oversight process must investigate an adequate number of files and this must be on a random basis.

The question again arises as to what real powers a judge has in regard to any abuse of process. There is none that I can see in the Bill. I refer the Leas-Cheann Comhairle to the Bills Digest produced by the Oireachtas Library, which produced an excellent paper on this matter, and I acknowledge its invaluable service in this respect. On the matter of judicial supervision, the paper states: "In carrying out his-her duties the judge may investigate any case in which a disclosure request is made, communicate with the Taoiseach or the Minister concerning disclosure requests, and the Data Protection Commissioner in connection with the Commissioner's functions under the Data Protection Acts 1988 and 2003." While this oversight broadly echoes similar approaches used in, for example, the Criminal Justice (Surveillance) Bill 2009, Mr. Tom McIntyre, speaking in the context of the Criminal Justice (Terrorist Offences) Act 2005, raised concerns about the effectiveness of this form of supervision scheme. He stated:

...this oversight system has been almost entirely opaque from the outset. The annual reports of the Designated Judge - since the position was created in 1993 - have consisted every year of no more than a single line stating that the operation of the Act has been kept under review and its provisions have been complied with. There has been for example no discussion of what steps have been taken to keep the operation of the Act under review; whether the individual files were reviewed; the volume of surveillance being carried out; and whether mistakes were made in carrying out surveillance (such as targeting of the wrong individual or number) and, if so, what steps were taken to safeguard against such mistakes in future. There is similarly no publicly available report of the Complaints Referee indicating what complaints, if any, have been made and-or upheld. This may be contrasted with the most recent Annual Report of the UK Chief Surveillance Commissioner which reveals, amongst other things, that 23,628 authorisations for directed surveillance were granted to law enforcement agencies; and 60 different law enforcement agencies were inspected during the year...

The reports of the designated judge are not exactly what one would call models of transparency. There is no reason that we should not have a provision in the Bill which would guarantee that statistical data is made available. There is an irony in that because, if one examines section 9 of the Bill, one will see there is provision for an annual statistical report to the European Commission, as required by the directive, but not to the Oireachtas or to Irish citizens. At least this report should be laid before the Oireachtas.

The opaque nature of the Irish oversight system also becomes obvious when compared with the equivalent report in the United Kingdom. The relevant official in the UK is the Interception of Communications Commissioner. That individual is a retired judge who has similar functions to our designated judge. However, his most recent annual report runs to 24 pages in total, nine of which are devoted to data retention issues. Granted, the UK system is on a much larger scale, but one key difference is that the UK commissioner does not see his role as limited to the narrow question of legality - instead his report goes into detail about mistakes which were made and explains what is being done to prevent further mistakes. It would be desirable to establish a greater role for the designated judge along these lines. I hope we can address those issues on Committee Stage.

The functions of the designated judge and complaints referee are too limited. One of the problems with the role of the designated judge under section 12 is that it envisages him or her as being engaged in a largely paper-based exercise. Section 12 gives the designated judge "the power to investigate any case in which a disclosure request is made". Let us suppose however that a junior garda informally pressurises an Internet service provider, ISP, employee to hand over information - perhaps for some private purpose. In that case no "disclosure request", as defined in section 6, would have been made, thus leaving a question mark as to whether the judge has any power to investigate. It might be possible to read section 12 widely to find such a power - but it would be desirable for it to be made clear.

The judge's role under section 12 is also limited to "ascertain[ing] whether the Garda Síochána, the Permanent Defence Force and the Revenue Commissioners are complying with" the Act. As such, the judge does not appear to enjoy any power to, for example, make sure that ISPs and telcos are storing this information securely or are responding appropriately to requests.

Similarly, the role of the complaints referee under section 10 hinges on there being a "disclosure request". As such, he or she would have no power to investigate if, for example, a newspaper were to bribe a telecoms employee for access to information. I refer to a recent case where a red top, which I will not name, was recently implicated in a similar phone tapping scandal. Those problems are to some extent mitigated by the fact that the Data Protection Commissioner might investigate those situations but the Data Protection Commissioner will not have the same oversight powers. The Act should clarify the functions of the designated judge and complaints referee and make clear what is to happen in borderline cases.

There is uncertainty about to whom the Bill will apply. The Bill takes, essentially verbatim, the loose language of the directive and in section 1 defines a service provider as "a person who is engaged in the provision of a publicly available electronic communications service or a public communications network by means of fixed line or mobile telephones or the Internet". Those are wide, and imprecise definitions and given that specific statutory obligations are created an element of doubt can arise. There are many various applications and we do not know how the provisions would apply to or affect those who use webmail, webmail-like applications, open WiFi, and voice Internet messaging. The list is endless. There is such a broad scope and range of technologies that it is our view that the definitions need to be clearer. That will cause panic and confusion across the sector and will have seriously damaging consequences for Ireland's ability to promote itself as a destination for high-tech industries.

I wish to read into the record a copy of a letter received by the Minister from the ICT Division of Engineers which speaks further to the concerns they have about the Bill:

We first observe that electronic data is diverse, and increasing in its diversity. Telephone, mobile phone and text messaging are well established, along with electronic email messaging. However, in many communities it is now more common to use social networking sites - such as Facebook, Bebo, and LinkedIn - for direct person to person, and person to group communication. Such communications use a different technology than email, and cannot necessarily be detected by software which specifically tracks email. Further, direct internet messaging - such as AIM, MSN, Yahoo Messenger and Skype messaging - are also extremely common. Finally of course Twitter is also now perhaps the most prevalent of them all, and can be used both for instant person to person communication, as well as person to group communication. No doubt next year, there will be another new communication technology..

Our concern is that as criminals become aware of the legislation pertaining in Ireland, they may well be able to displace their electronic communication modes to new ones for which legislation has yet to be passed. [That issue needs to be raised as well.]

On a different track, we would note that in today's world, much electronic communication is international in nature. Correspondents (of instant messaging, email, social networking, twitter and so) may not always be within the Irish jurisdiction, and not even within the EU. We gently draw this to your attention, and assume your legal advisors are considering the consequences of capturing information relating to citizens and companies from outside the EU who may not be covered by Irish legislation. [That point must be addressed by the Minister in response to this debate.]

With today's falling costs of storage, there is no particular great concern over the cost of the physical hardware. However, safely and securely storing and then retrieving (perhaps after several years) increasing quantities of information does have implications on the business processes of the service providers concerned.

There is the aspect of capturing the information in the first instance, based on the number of modes of communication. That will run into billions if one takes the two year retention period into account. That issue will have to be addressed. Following that, there is a significant cost implication for businesses as a result of that. In this country we are talking about the possibility of a smart economy. What the legislation does is incurs a further cost on businesses by virtue of the data retention period. Wider issues arise in terms of the jurisdiction of the legislation vis-À-vis the fact that we trade internationally and messages pass internationally. That is something that must be addressed by the legislation.

No justification has been given for a two-year retention period for phone data. Under the directive, member states are free to choose a data retention period between six months and two years. The UK adopted a standard 12 month period. I am not aware of any justification as to why the Bill opts for the maximum two years for telephone data. The European Commission's own research on police requests for data has shown that the overwhelming majority of requests are for data which is less than three months old. If the Garda experience is different then some evidence to that effect would be desirable.

As to the budgetary implications of this legislation, I have serious reservations about the undue cost that would be borne by businesses as a result of that measure.

Again, I refer to the Oireachtas research service that focused on the budgetary implications. It stated the Bill is silent on the likely costs to be involved in implementing and complying with the provisions of the directive. According to the status report on the transposition of the directive by EU member states and EFTA and the regulatory impact assessment prepared by the Department of Justice, Equality and Law Reform, the State will not reimburse service providers the costs involved in complying with the obligations under the Bill, even though "service providers have complained that management of data would impose heavy costs that they would in turn have to pass on to businesses and consumers". The net effect of the legislation, arguably, is that we will retain all sorts of data, 99.9% of which will be superfluous messages that pass between ordinary citizens. This will be stored by the service providers. There will be a cost for that storage and the consumer will end up paying that cost.

I accept the principle that there must be data retention. However, there must be balance in terms of how long it is retained and whether it is necessary to retain data for two years. I believe it is unnecessary. It is impractical and in the context of crime prevention measures, I am not convinced that retaining data, particularly Internet data, for a period of two years will catch more criminals or undo a terrorist organisation. We must exercise a little common sense in our approach to the legislation. With that in mind, we will seek to amend the legislation significantly to reflect our views.

See this speech in context