Dáil debates

Thursday, 8 October 2009

Communications (Retention of Data) Bill 2009: Second Stage

 

12:00 pm

Aengus Ó Snodaigh (Dublin South Central, Sinn Fein)

This is a very important Bill relating to the retention of data. Since I was first elected to the House in 2002 I have argued that while I accept there is a requirement to retain some level of data, we should not go down this road unless there is legislation to protect that data, give power to the Data Commissioner to investigate and have full access to what is being retained and provide for protections and safeguards to ensure nothing untoward can happen with the data that is retained.

People have argued that the reasons for data retention are mainly to help law enforcement agencies and make it easier for those agencies to secure convictions quickly. There is some logic to that argument. However, consider the rapidly changing nature of the data we are discussing - we are talking about telecommunications and, in particular, the significant use of the Internet - and the rapid turnaround of mobile telephone numbers and mobile telephones. Two-year-old data would be obsolete and, in fact, might end up hampering criminal investigations by causing the diversion of time and resources to chasing up culs-de-sac. The connection between information retained two years ago and somebody who had access to a mobile telephone two years ago might not lead to the expected results.

The proliferation of telecommunications and other forms of digital media has made data retention a great deal easier. Now, one can retain data by pressing a button whereas back when Sherlock Holmes and others were investigating crimes everything had to be written in longhand and duplicated. They did not have access to technology. By pressing a button one can retain all the bills for mobile telephones and all the connections made between one mobile telephone and another. The same applies to computers. A very significant amount, probably too much data, will be stored. It then becomes a difficulty when one must interrogate the database to glean some type of information which might offer a lead, only for that lead to end up in a cul-de-sac. Obviously, the Garda and other law enforcement agencies are accustomed to chasing leads that bring them down culs-de-sac, but given the potential scale of the data we will be retaining the potential for many culs-de-sac is overwhelming. Also, given the fact that the Garda Síochána is hampered by not having the best equipment or the required number of gardaí dedicated to tackling crime, because many of them are stuck behind desks where they should not be, it means their valuable time could be wasted. There are major problems in that regard.

A six month data retention regime would probably be far more efficient and help law enforcement agencies across the European Union. This Bill was triggered by our failure to transpose properly into Irish law what was required under a European Union directive. I believe it was in 2002 that the former Minister, former Deputy Síle de Valera, in the last item of business of that Dáil, rushed through the data retention legislation with little scrutiny or thought. It provided for retaining data for over three years, rather than for a maximum of two years as the European Union had requested.

Obviously, the Garda Síochána, with the additional powers it has been given and with the ability to seek judicial power to retain certain data, could identify the key targets it has rather than have the wholesale trawling exercise for which this type of legislation provides. Every last item of telecommunication or correspondence will be retained. I might pick up my telephone and dial a number inadvertently which reaches somebody who, in two years, might be the subject of an investigation. What if I dial that number and then sit on the telephone and it rings the number ten times again? That has happened. The first name in the telephone book in my mobile telephone is my wife's. If I sit on the telephone, it might ring that number ten times. However, what if the wrong telephone number is the last number dialled? I could become the subject of a criminal investigation two years hence, with all that it entails, if that number happened to belong to somebody who warranted a criminal investigation. This applies to hundreds of thousands, if not millions, of mobile telephone numbers and mobile telephone users across the European Union.

There is major concern about this data and the failure of the European Union, particularly of some member states, to put in place proper data retention safeguards. A 2007 report, the Privacy and Human Rights Report, ranked different countries in the European Union in this regard. It refers to the endemic surveillance society - the "Big Brother" concept. The report found that the 12 member states, including Ireland, which it examined were involved in a systematic failure to uphold safeguards. Nine member states were held in the report to have some safeguards but weakened protections. Only one member state, Greece, was described as having adequate safeguards against abuse. There is a potential for abuse and one could have inadvertent incidents, of which I could cite many more examples, or miscarriages of justice.

In respect of data retention, Ireland and ten other member states were awarded the lowest grading of "extensive surveillance/leading in bad practice". Under the directive, retention is required for between six months and two years. In Britain, the standard retention period is 12 months, whereas under these proposals data will be retained for one year in the case of Internet records and two years in the case of telephone records. Those who propose the reduced periods claim it is a great decision but they fail to mention that we are in breach of European law. As I and others have pointed out since 2002 and, in particular, since the introduction of the 2005 legislation, Ireland is in contravention of European Union rules. Despite this, it has taken until now to reduce retention periods and rather than reducing them to below the maximum permitted by the EU, they have been set at the maximum levels.

Digital Rights Ireland has raised major concerns about data retention by State agencies, such as the Garda Síochána and Revenue Commissioners, under existing rules. The industry has also raised concerns about who will manage and pay for the system and the potential for abuse. What will happen if laptop computers containing stored data are lost, as has occurred regularly? It is easy to store this data and just as easy to leak, lose or sell it. What will happen if this occurs?

As far as I can determine from the text, there is no compulsion on the service provider or the State to inform people whose personal data is lost or inadvertently or intentionally leaked. The data to be stored is not a couple of names or addresses but includes details of a person's Internet use for one year, including all sites visited. There is no guarantee that the owner of a computer is the person who visited the sites in question or that the owner of a mobile telephone made a particular call. The potential for leaks of information is significant.

Some people argue that those who have nothing to hide have nothing to fear. After 15 years in jail, members of the Birmingham Six and Guildford Four and others who have been falsely imprisoned in this State and in other jurisdictions will say that argument does not hold in every circumstance. Deputy Niall Collins of the Fianna Fáil Party used a similar argument in July during an interview on Matt Cooper's radio programme, "The Last Word". When he was asked whether he would publish his telephone bills, including his telephone records for the previous year, he answered to the effect that he did not understand what was meant by the question.

Under this legislation, information will be retained on every single call one has made on one's mobile phone. This data could be leaked or inadvertently or maliciously used against individuals. No one can argue there are not those in the Department of Justice, Equality and Law Reform and Garda Síochána who have not engaged in malicious leaking of data against republicans and others. I have seen photographs which were taken in Garda stations published in newspapers in this State. The only people who have access to this information are gardaí. Similarly, a previous Minister for Justice, Equality and Law Reform would not even admit to me in the House how many Deputies were having their telephones monitored. I have not yet asked the same question of the current Minister. How many current Deputies have their telephones monitored by the State? Despite the fact that this type of activity, which is unacceptable in a democracy, is taking place, the Minister expects us to sign away access to all information about our telecommunications in order that it can be analysed, interrogated and, possibly, leaked.

Laptop computers containing significant amounts of data have been lost in this State and overseas. The Health Service Executive, for instance, recently lost a laptop containing a substantial quantity of data. The information people provide when filling in application forms for the HSE, FÁS and other organisations could be useful to journalists and the private sector. Marketing companies want access to names, addresses and information on who one calls and so forth. Providers of Internet and mobile telephone services could use information on an individual's mobile phone and Internet usage to try to sell him or her their products. For example, a mobile telephone company which retains information on my telephone usage for two years will be able to determine that I mainly use numbers with the 085 prefix and make most of my calls at night. It could then try to encourage me to buy into a programme or scheme which makes it more money and costs me more money. That is a potential outcome of this legislation. While I accept that the data will be retained for a specific purpose, questions remain as to who will manage it. Will the Minister provide an assurance that nothing untoward will happen?

I recognise the additional safeguards in the Bill, including a provision on judicial supervision, but they do not go far enough. Under this provision, I must submit an application to find out what data has been retained and whether it has been leaked, rather than the other way around. Data protection should have been strengthened before the legislation was introduced.

Data retention will create significant costs, even in terms of physical storage, although I accept that technological devices are becoming smaller. For example, a small, 500 GB external hard drive I recently installed in my office would have taken up a full office ten years ago. Nevertheless, given the scale of the data to be retained and the periods for which it must be held, large-scale systems will be necessary. These will also have to be secured and monitored and a backup provided in case the system shuts down or something happens to the storage facility. Providing these systems and the necessary safeguards will generate a cost. Is it a cost to the State or to the Internet service providers or telecommunications providers? There is a cost - it might be outlined in the Bill; I may have overlooked that part. In Finland the Ministry of the Interior, when the original proposal by the EU was put to it, worked out that if the measure was adopted at the full scale as intended at the time it would cost €5.5 billion to operate it properly and efficiently in line with what was expected of it. That is a huge cost. Finland would have a similar cost to here. What is the cost? Who will pay for it? The taxpayer always ends up paying for it - are people aware of what is intended? They are some of the concerns. I will enjoy the opportunity to tease out some aspects of this if I get a chance to do so on Committee Stage.

When I first started to research the retention of data I came across a story - I do not know if it is true - that when the European Union first started discussing the retention of data by all of the member states it explained the concept to the various Ministers. One Minister or official at the meeting said his or her country - it was Britain - had a system in place for the previous five years. It had what was called the ECHELON programme in place well ahead of the European Union whereby it, along with the US, tracked every single item of telecommunications traffic between Ireland, the European Union and America through the Cheltenham and Capenhurst facility. Everything went across the ocean. The system was retained for the benefit of MI5. It was not in place just to look at terrorism. There were financial implications. It was tracking businesses and everything else, which had nothing to do with anything. It was planning the future of its economy and was using the data to facilitate it. That was when the European Union discovered the extent of surveillance by the British on it, not just on Ireland. There are significant dangers, in terms of the "Big Brother" society or potential for that when one starts to retain data at the scale we are discussing. That is why I urge, once again, that we bring in proper data protection legislation which allows the consumer - those whom the surveillance is geared at - access to the information which is being stored so it is not wrongly stored or abused.
