Michael Finneran (Roscommon-South Leitrim, Fianna Fail)

): I am pleased to be in the Seanad to present the Communications (Retention of Data) Bill 2009. The primary purpose of the Bill is to transpose Directive 2006/24/EC of the European Parliament and of the Council into Irish law. The directive requires service providers to retain data generated or processed in connection with the provision of publicly available electronic communications or of public communications networks and to make it available, on request, for the detection, investigation and prosecution of serious crime.

This is a short and relatively straightforward Bill but it places on a sound statutory footing, with strong safeguards, a procedure that is essential for the proper and effective investigation of serious crime and for the safeguarding of the security of the State. It has been in the news at regular intervals for various reasons over recent years and some misconceptions may have arisen as to its scope and purpose. At the outset, it is important to bear in mind that data retention is not new but has been an essential feature of crime investigation in Ireland and safeguarding State security for many years. Also to be borne in mind, and something I would like to emphasise, is that data information is not concerned with content. It is about the who, where and when of a communication. The intrusion into persons' privacy is minimal.

I would like to place data retention in this country in a historical perspective by saying that its origins go back to the days of the Department of Posts and Telegraphs, when communications were by and large restricted to fixed line phones and the postal system. There was one provider of those fixed line phones and the postal system: the State. Typically, telephony operators, even after the market was opened up, retained data for six years for their own purposes, such as billing and marketing. This made sense as the Statute of Limitations, during which a telephone bill could be challenged or payment pursued, was six years. The operators made the data information available to the Garda Síochána or Defence Forces, on request, when required for investigating crime and safeguarding the security of the State. In those circumstances, relations between the operators and the law enforcement authorities developed so that the voluntary scheme, which was based on goodwill and common sense on both sides, worked to the satisfaction of all concerned. Any member of the Garda Síochána could request data in respect of a crime he or she was investigating. The system was not regulated by statute and for that reason at a particular point, statutory intervention was regarded as desirable.

The first significant statutory intervention came in the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993. Section 13 of that Act inserted new subsections into section 98 of the Postal Packets and Telecommunications Services Act 1983. Under the inserted subsection (2A), a person employed by a company who disclosed, to any person,any information concerning the use made of telecommunications services provided for any other person by the company was guilty of an offence. There were exceptions which included disclosures made for the prevention or detection of crime or for the purpose of any criminal proceedings or in the interests of the security of the State. A request by a member of the Garda Síochána for a disclosure had to be in writing and be signed by a member not below the rank of chief superintendent. In practice, this meant that all disclosure requests were channelled through one specified chief superintendent, an effective and appropriate procedure that continues to this day. A parallel inserted provision ensured that any request from the Permanent Defence Force for data required in the interests of safeguarding the security of the State had to be made through an officer not below the rank of colonel.

That remained the situation until the adoption of Directive 2002/58/EC of the European Parliament and of the Council in July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector. As interpreted for data protection purposes, that directive provided that traffic data could only be retained for six months. That left this country with a dilemma, as clearly the law enforcement authorities required data to be retained for longer than six months if they were not to be severely handicapped in their ability to fight crime and safeguard State security. In practice, most retained data that is required is requested by those authorities within six months of it being generated or processed. However, the quality of data retained for longer periods can be equally important in fighting crime, including terrorist crime. The Department of Justice, Equality and Law Reform and the then Department of Public Enterprise came to an agreement that telephony data should be retained by the operators for three years, that is, half the period for which the operators previously voluntarily retained telephony data. That agreement was given statutory effect in directions issued by the Minister for Public Enterprise to the main telephony operators made under section 110(1) of the Postal and Telecommunications Services Act 1983.

It was intended to follow up quickly the directions with primary legislation. However in 2003, Ireland received an invitation from some of our colleagues in the EU to co-sponsor a framework decision on data retention. Agreement was reached on Ireland's participation in the preparation of the instrument. Obviously, further work on the legislation had to be deferred until the text of a framework decision was agreed and adopted.

The negotiations on the framework decision proved difficult and complex. They had effectively reached stalemate when the Madrid bombings during the Irish Presidency of the EU in 2004 highlighted the necessity and urgency of obtaining agreement on the retention of data. Negotiations recommenced in earnest but had not been concluded by January 2005 when the then Data Protection Commissioner issued notices to the main telephony operators directing that they retain data for no longer than six months. Rather than hamper the Garda Síochána and the Defence Forces in their vital work in investigating crime and safeguarding our security, a decision was taken to include provisions in the Criminal Justice (Terrorist Offences) Bill, which was then being debated in this House, on the retention of telephony data. Some Members will doubtless recall the generally positive response expressed during the debate in this House to the inclusion of the data retention provisions in the terrorist offences Bill. It was also decided to leave the more complex internet provisions until an EU instrument had been agreed. The urgency of ensuring that the law enforcement authorities could gain access to retained data, in a controlled and supervised manner, was acknowledged.

I have given this short background to the law and procedures relating to data retention in this country to put the record straight and also to place the Bill in its proper context. Agreement could not be reached on the framework decision and it was replaced by a directive of the European Parliament and of the Council. It is that directive that is being transposed in the Bill. It is normal practice, as provided for in the European Communities legislation, to transpose such directives by means of secondary legislation. Our legal advice suggested that there would be no problem in using secondary legislation as our transposition vehicle. However, on the basis of later advice, it was decided, for a technical reason, to proceed by way of primary legislation. This partially explains the delay in publishing the Bill.

The preparation of the Bill was also delayed by the prolonged consultations with the service providers and, in particular, their representative associations and other interested parties. At this point it is right that I put on the record my appreciation of the constructive way the service providers entered into the consultative process. The negotiations were long and, at times, complex and are still continuing between the Garda Síochána and the representative associations on the implementation of the legislation.

The directive must be transposed into national law and the legislation in Ireland is now well overdue. The European Commission initiated infringement proceedings against Ireland in the European Court of Justice and in a judgment on 26 November 2009 the court found that Ireland, by failing to adopt the directive within the prescribed period, had failed to fulfil its obligations under the directive. Progressing this Bill to the point where it can be enacted has now gained even greater urgency.

I will outline the provisions of the Bill. It is relatively short and largely remains within the parameters established by the directive. It has two main objectives. The first, at section 3,obliges service providers to retain data. The second, at sections 6 and 7, gives the relevant law enforcement agencies power to make a disclosure request for retained data and obliges the service providers to comply with such a request. I will explain those important elements of the Bill but first I emphasise the importance of section 2.

Section 2 gives effect to Article 1.2 of the directive by providing that the Act does not apply to the content of communications. It does not, for example, apply to the content of a telephone conversation or an e-mail. It does not apply to web browsing or web sites visited but simply allows law enforcement agencies in Ireland to seek information about the who, where and when of a communication. In the case of the Internet, it obliges service providers to retain the Internet equivalent of the type of telephony data that has been retained for many years.

Article 1.1 of the directive obliges member states to ensure that retained data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law. We are defining "serious offence" as an offence punishable by imprisonment for a term of five years or more. The First Schedule lists five further indictable offences as serious offences for the purposes of the Bill that have maximum penalties of less than five years but which the Garda Síochána have asked to be included. They deal with important matters such as reporting child abuse, corruption in public bodies and administration of substances capable of inducing unconsciousness or sleep, such as the date rape drug.

No matter how "serious offence" is defined, it will not affect the amount of data retained. It cannot be known in advance for what the data may be required. Of course, the vast majority of data will not be required and will be destroyed after the appropriate time. However, by defining "serious offence" the amount of telephony data for which a disclosure request can be made will be less than under the present law where data can be disclosed for the investigation of anyoffence.

It would have been possible under the terms of the directive to give every law enforcement agency in the country authority to make a disclosure request. This has not been done but in addition to the traditional role of An Garda Síochána and the Permanent Defence Force, the Bill gives the Revenue Commissioners power to make disclosure requests in respect of six specific serious revenue offences. The primary reason for the inclusion of the Revenue Commissioners in this Bill is to provide their investigating officers with access to communication data in order to assist them in tackling various forms of serious tax evasion that are undermining the collection of tax revenues of the State. Tackling tax evasion has always been a top priority for the Revenue Commissioners.