Seanad debates

Thursday, 29 April 2010

Communications (Retention of Data) Bill 2009: Second Stage

 

10:30 am

Ivana Bacik (Independent)

I welcome the Minister of State. The Labour Party broadly welcomes the purpose of the Bill. Ireland is obliged to pass legislation on foot of the 2006 directive. It is unfortunate, however, that the European Court of Justice has found Ireland to be in breach of our obligations due to the delay in transposing the directive. The Minister of State indicated one of the reasons for the delay was a desire to implement the directive through primary legislation. While I appreciate it is preferable to enact primary legislation to implement the directive, it was perfectly possible to draft and pass primary legislation in both Houses with much greater speed than has been the case with the Bill before us. This desire for primary legislation alone is not sufficient reason for the delay.

I note that on Tuesday last, the European Commission published a Green Paper outlining its initiatives in the area of freedom, security and justice for the years 2010 to 2014. One of the initiatives outlined on data retention is the need to evaluate and, if necessary, amend the data retention directive. The Commission states it will adopt an evaluation report in autumn 2010 and make it public. It is unfortunate that while a review and evaluation of how the directive has been operating in practice in domestic systems throughout the European Union is under way, Ireland is still transposing the directive into primary law.

While the Labour Party acknowledges that data retention is a useful and important principle and requires, as the Minister of State noted, a sound statutory framework, we and others have concerns about the extent of the safeguards in the Bill given the encroachments it makes on individual rights to privacy. I accept the Minister of State's point that the Bill does not relate to the content of communications which is not covered by its terms. Nonetheless, it permits the retention of data for a much longer period than that permitted in other member states.

While the timeframe for data retention is one issue, as others have highlighted, it is unfortunate that Ireland is among the small minority of member states to opt for the maximum period of two years for retention of telephone data, as provided for in Part 1 of Schedule 2. This decision is unfortunate and unnecessary. It would have been more appropriate to limit the retention period to a maximum of one year, which is the standard term in use in other member states. Some states use the minimum period of six months. I believe such a period would have been sufficient for the Internet data provided for in Part 2 of Schedule 2. Rather than having this data retained, as envisaged, for one year, it should be retained for six months.

The Data Protection Commissioner recommended that a one year retention period for telephone traffic data and a six month period for Internet data would have been sufficient. The commissioner pointed out that the Garda Síochána rarely requests data that is more than one year old. The two year retention period is, therefore, unnecessary and unduly onerous.

A good deal of representation has been made to the Minister on behalf of service providers. The Internet Service Providers Association of Ireland, for example, has been in consultation with the Minister and Department and has written to Members arguing that whereas Ireland will require a one year retention period for Internet data, countries such as Germany, the Netherlands, Slovakia, Luxembourg and Lithuania apply a six month retention period. The association argues that the extra costs and resources required to meet the one year requirement for Internet data will put many Irish Internet service providers at a distinct disadvantage.

In addition to the argument made from the business side, an argument is also made from the perspective of privacy rights and civil liberties. We should use the minimum period necessary to make the legislation effective. Given what the Data Protection Commissioner has advised, it is not necessary to use the two year maximum for telephone data and one year maximum for Internet data. Timeframes of one year for telephone data and six months for Internet data would have been more appropriate.

Deputy Sherlock raised concerns in the Dáil about whether the Bill has been superseded in some senses as a crime prevention measure by the Criminal Justice (Surveillance) Bill. He also referred to the volume of requests for retained data submitted by the Garda. For example, in 2006 Deputy Howlin noted in the Dáil that 10,000 requests were made by the Garda for access to personal telephone records under the powers contained in the Criminal Justice (Terrorist Offences) Act. With approximately 30 requests per day being made in 2006, it begs the question as to whether all these requests were necessary to investigate serious crime. Such requests must be subject to scrutiny and oversight.

One of the reasons a sound statutory framework is important is that it would provide a legislative basis for oversight and scrutiny. While I am pleased the Bill includes provisions on oversight and scrutiny, they are not sufficient to ensure adequate protections. The Data Protection Commissioner, in a forthright briefing provided in November 2009, stated that the safeguards provided for in the Bill and the 2005 Act were far from adequate.

A number of the oversight and safeguard mechanisms provided for in the legislation are flawed. A concern has arisen regarding section 12, which deals with the duties of the designated judge, that until now the annual reports of the designated judge have been rather cursory, consisting of one line stating that legislative provisions have been complied with. We need to ensure that under section 12 more detail is provided by the designated judge on the operation of the provisions of the legislation.

Further, provision is not made in section 12 or elsewhere for the officer of the Garda Síochána, Revenue Commissioners or Defence Forces who seeks disclosure to be held to account if there is an abuse of process, for example, if the officer abuses the facility to seek disclosure. The corollary of this flaw is the flaw in section 10. It provides in subsection (1) that a contravention of section 6, which provides for the process of requesting disclosure, does not of itself render the disclosure request invalid. This is unfortunate as it means a disclosure request made in breach of section 6 and in a manner that amounts to an abuse of power by an officer of the Garda, Revenue or Defence Forces may still be valid and will not constitute a cause of action according to section 10(1). This is unfortunate as it means the safeguards lack teeth.

When the Bill was first mooted I publicly highlighted a further point regarding safeguards. In February 2009 - this shows how long the Bill has been in gestation - in an article in The Irish Times, Karlin Lillington referred to a concern I had expressed regarding the comeback, if one likes, for an individual who believes a request for disclosure of data relating to him or her was made in breach of the Act or was an abuse of power. While an individual in such circumstances may apply to the referee under section 10(2) for an investigation into the matter, this is somewhat meaningless as a means of securing redress because the legislation does not include a mechanism whereby a person whose data has been disclosed would be informed or notified of such disclosure. I argued that section 10 should be amended to provide for a duty of notification of a person in respect of whom data had been requested. My criticism of the legislation in this regard was itself criticised. It is important to note, however, that in many other countries such a notification is in place. Clearly, notification would have to be made some time after the disclosure request is made because no one is suggesting a Garda, Revenue or Army investigation should be jeopardised in any way. It is not about notifying a person when a disclosure request is being made or shortly thereafter. There is a duty of notification in Germany, the US and Canada after a period of time has passed following the request for disclosure. There is no reason for not amending the Bill to provide for this.

The Internet service providers have certainly raised issues about budgetary implications and the effect the lengthy timeframe in the Bill will have on their competitiveness within the EU, which is a very valid concern. The Data Protection Commissioner has also suggested that oversight provisions need to be significantly strengthened and has expressed doubt about the inclusion of the Revenue Commissioners. I accept that the Minister of State has stated there are important reasons for that and that the Revenue Commissioners' powers will only be exercised in respect of six named revenue offences. Those offences should be named in the Bill, because they are not currently. If the Revenue Commissioners are to be included, they should then be made subject to some external oversight mechanism beyond this Bill, as occurs with the Garda Síochána Ombudsman Commission which has an oversight duty over any abuse of power by gardaí.

There are a number of flaws in this Bill. We will be tabling amendments on Committee Stage and I look forward to a more detailed debate.
