Seanad debates

Thursday, 29 April 2010

Communications (Retention of Data) Bill 2009: Second Stage

 

10:30 am

Michael Finneran (Roscommon-South Leitrim, Fianna Fail)

-----under cover of bogus invoices, alcohol fraud using bogus documentation, cross-Border VAT fraud and other forms of serious tax evasion often include contact phone numbers which need to be traced. The identity of the subscriber must be established along with the usage of the phone if the investigation is to be progressed.

I find the case for access compelling and Revenue Commissioners have given categorical assurance that requests for such information will be confined to investigations involving serious indictable revenue offences. I might add that the Revenue case for access has been supported in the past by the Attorney General, the DPP and An Garda Síochána. It was also one of the recommendations made in the report of the revenue powers group to the Minister for Finance as long ago as November 2003.

Article 3 of the directive establishes the obligation to retain data. It is given effect in section 3 of the Bill, which obliges service providers to retain telephony data for two years and Internet data for 12 months. Why were these periods chosen when the directive states the period should be between six months and two years? At present, telephony data must be retained for three years under Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 and it was traditionally retained for six years.

There are at present no statutory requirements to retain Internet data. Following a re-evaluation by the law enforcement authorities as to their requirements for the investigation of serious crime and safeguarding the security of the State, it was considered that a two-year retention period for telephony data would be sufficient. Similarly, the 12 months retention period for Internet data is deemed to be the minimum necessary in respect of that data. Most retained data that is the subject of a disclosure request was generated or processed in the previous six months but the quality of information held for longer makes the retention periods provided for in the Bill necessary for efficient law enforcement and State security.

I readily recognise that we are among a small minority of member states that have opted for the maximum period of two years for the retention of telephony data. That period is in accordance with our traditional methods of gaining evidence in criminal investigations. Other countries may have developed other methods of investigation that render recourse to telephony data less important. Within the parameters of the directive, we are legislating for the requirements of the Irish law enforcement authorities and not those of other member states. Our retention period for Internet data is in line with the majority of other member states as the Internet is a relatively new development and most countries have no tradition of gathering evidence from this source.

Section 4 ensures that the same level of security will attach to data retained under this Act as is retained for other purposes. It gives effect to Article 7 of the directive and the providers must destroy the data as soon as the retention periods have expired. However, one month's grace is given to enable the data to be actually destroyed. This section also provides that the data protection commissioner will be the supervisory authority in Ireland for the purpose of both the Act and the directive. The appointment of a supervisory authority is required by Article 9 of the directive.

I accept that, in the light of some significant breaches of data security in recent times, such as the theft of laptops with unencrypted material, there is some concern about the security of retained data. There is an increasing appreciation of the need to ensure the highest level possible of security on data that are in the possession of service providers for use for their own purposes and the legislation can do no more than apply that heightened level of security to the data retained for the purposes of compliance with this Bill. In doing so, the legislation complies with the security requirements of the directive.

Following breaches of security, a data protection review group was established which sent its report to the Minister for Justice, Equality and Law Reform at the end of March. Issues around it, including its publication, are being considered in the context of the recent announcement of the transfer of functions, which includes data protection.

Section 5 repeats section 64(1) of the Criminal Justice (Terrorist Offences) Act 2005. It sets out the circumstances in which the service providers can access data retained under the Act.

Article 6 of the directive requires member states to adopt measures to ensure that data retained in accordance with the directive are provided only to the competent authorities in accordance with national law. This requirement is given effect in the Bill at section 6, which establishes who can make a disclosure request and for what purposes. Unlike some other countries, the ability to make a disclosure request is confined to just three law enforcement agencies, namely, the Garda Síochána, the Permanent Defence Force and the Revenue Commissioners.

A member of the Garda Síochána not below the rank of chief superintendent will be entitled to make a disclosure request for the purpose of the prevention, detection, investigation and prosecution of serious crime, safeguarding the security of the State and saving human life. There are three differences between the powers of the Garda under section 6 and the analogous provisions in the 2005 Act. Under that Act, the Garda could make a disclosure request in respect of any offence, not just a serious offence, and could not make a request in respect of the saving of human life. In addition, the 2005 Act did not provide for disclosure requests in respect of Internet data. These are three very desirable differences.

A colonel in the Permanent Defence Force will be able to make a disclosure request for the purpose of safeguarding the security of the State. This repeats the analogous provision in the 2005 Act, but with the addition of the relevant Internet data. I have already mentioned that this provision could not have been included in a statutory instrument transposing the directive, as safeguarding the security of the State is outside the scope of the directive because of the legal base used for the directive.

The Bill gives the Revenue Commissioners power for the first time to make a disclosure request in respect of six named revenue offences. These all come within the definition of serious crime, in that they are all triable on indictment with a penalty of imprisonment of five years. As with requests from the Garda Síochána and the Permanent Defence Force, requests will be made by one person, in this case a Revenue officer of at least principal officer rank. This is a highly desirable initiative. Senators will recall a recent statement by the Revenue Commissioners of the likelihood of increased tax evasion in these economically difficult times.

In one way or another, sections 9 to 12, inclusive, provide safeguards to ensure that the data retention scheme is not misused. Section 9 gives effect to Article 10 of the directive under which member states are obliged to forward to the Commission statistics of the use of data retention during the previous year. Since so few Irish authorities have the right to make a disclosure request and because such requests are centralised, the compilation of statistics is relatively straightforward. In 2009, we were one of the first countries to return telephony statistics even though the legislation transposing the directive was not in force. The statistics will be compiled by the three law enforcement authorities with the right to make disclosure requests. The Garda Commissioner will forward Garda statistics to the Minister for Justice, Equality and Law Reform, the Chief of Staff of the Permanent Defence Force will forward statistics to the Minister for Defence and the Revenue Commissioners will forward statistics to the Minister for Finance. The Ministers for Defence and Finance will review the statistics submitted to them respectively before forwarding them to the Minister for Justice, Equality and Law Reform for transmission to the European Commission. In this way, the Commission will be in a position to monitor the operation of the data retention provisions throughout the EU.

Under Article 14 of the directive, the Commission will submit to the European Parliament and the Council an evaluation of the application of the directive and its impact on the service providers and consumers, taking into account further developments in electronic communications technology and the statistics provided under Article 10. The evaluation will inform a view as to whether it will be necessary to amend the directive, in particular with regard to the list of data and the periods of retention. The evaluation is well under way and the results will be made public.

The safeguards provided at sections 10 to 12, inclusive, are essential for the proper operation of the legislation. They are of the utmost importance in ensuring public confidence that the legislation is not being misused and will also reassure the service providers that it is only used for the stated purposes. Section 10 provides for the independent complaints procedure. Under this section, where a person believes that data relating to him or her are in the possession of a service provider and have been accessed following a disclosure request, that person may apply to the complaints referee for an investigation into the matter. Section 11 provides for an invitation by the President of the High Court to a serving judge of the High Court to undertake the duties of keeping the operation of the Act under review and section 12 sets out those duties. These safeguards already operate satisfactorily for the retention of telephony data under the 2005 Act, so there is no need at this stage for me to explain them in further detail except to emphasise that, in our case, only three law enforcement agencies have the right to request data.

There are two Schedules to the Bill. The first I have already mentioned. The Second Schedule gives effect to Article 5 of the directive. It lists the categories of data to be retained by the service providers. There can be argument and, indeed, disagreement as to the extent of the data mentioned in Article 5. This is especially so in the context of rapid advances in technology. For that reason, a committee of experts has been established by the European Commission to interpret and explain the directive in light of prevailing circumstances and to give a guide as to what data need to be retained and, equally important, what does not need to be retained. Ireland is represented on that committee. It would not be possible in the legislation to set out exactly what each provision means, for example, when some requirements may be open to more than one meaning in light of further advances in technology. The service providers and the Garda Síochána, the Permanent Defence Force and the Office of the Revenue Commissioners have been in discussions for some time on drawing up a memorandum of understanding in which each can agree on what is required to be retained. I understand that work on the memorandum is virtually complete and is awaiting the enactment of the Bill.

In this introductory speech on the background, content and implications of the Communications (Retention of Data) Bill 2009, I have attempted to place the Bill in its proper context. Nothing new is created in the Bill. It does no more than extend, with some changes, existing obligations relating to telephony data to Internet data. I again emphasise the importance of data in the investigation of serious crime and safeguarding the security of the State. One regularly reads in newspaper reports of telephony data given in evidence in some of the most notorious trials in recent years. We cannot expect the Garda Síochána to solve complex crimes if we do not give it the means to do so. We must provide safeguards to ensure that those means are not misused and this Bill provides the same safeguards as are available under the interception of communications provisions, this despite the fact that the intrusion into persons' privacy under the Bill is minimal.

I would reiterate that the content of communications cannot be retained or disclosed under the Bill. This means, for example, that the law enforcement agencies cannot obtain information on the social networking sites that persons access. This may be regarded in some quarters as lessening its impact but, in the context of preserving privacy and compliance with international human rights instruments, it is one of the Bill's strengths.

In 2005, the House welcomed the legislation that placed the retention of telephony data on a full statutory basis. This Bill extends the provisions of the 2005 Act to Internet data and the saving of human life. It also restricts the type of data that can be requested to the investigation of mainly serious offences and reduces the period of retention for telephony from three years to two years. Despite misgivings about the legislation and the retention of data generally by a small number of persons, I am confident that Senators will again welcome legislation that is so important to our law enforcement authorities in their constant battle to bring serious criminals, including terrorists, to justice.

For various reasons, the preparation of this Bill has been delayed. The present situation is that the European Commission undertook infringement proceedings against Ireland before the European Court of Justice and the court found that Ireland had failed to comply with its compliance obligations. Therefore, it is in all our interests, if only to avoid a large fine, that the Bill pass speedily through the Oireachtas and become law as soon as possible. While I look forward to a full debate on the Bill, I also look forward to its early enactment. I commend it to the House.
