Mary White (Carlow-Kilkenny, Green Party)

I thank all Senators who contributed to this debate. I hope the importance of data information in the investigation of serious crime, including gangland and transnational crime, and in safeguarding our country against terrorist activity, has been conveyed. I also hope the importance of the balance between this use of data retention to fight serious crime and the right of every citizen to privacy has been clearly shown.

Data retention is a tried and tested valuable tool in the investigation of crime and in safeguarding the security of the State and it has not received as much attention as some of the more recent initiatives for fighting crime, in particular gangland crime. These include the Criminal Justice (Amendment) Act and the Criminal Justice (Surveillance) Act, which were passed into law as recently as last July.

I wish to refer to the memorandum of understanding that is being negotiated between the Garda Síochána, the Permanent Defence Forces, the Revenue Commissioners and the representative associations of the vast majority of telephony operators and Internet service providers in the State. It is a work in progress and, while virtually complete, can not be finalised until the Bill is enacted. As the legislation will come into operation on the day it is signed into law, it is important the providers are in a position to comply with their duties under it. The only way that can be achieved is for advance discussions to take place with the law enforcement authorities that are entitled to make disclosure requests under the legislation.

The negotiations in Brussels on the directive took place at a time of very rapid developments in technology. This was recognised by the Commission and the member states. It was clear that the directive could soon become out of date, and less useful as an investigatory tool for law enforcement agencies, if it tried to over-interpret the data which it was intended should be retained and disclosed. For that reason, the Commission established two committees for the purpose of identifying problems in implementing the directive.

One of the committees consists of national experts from a selected group of member states, including Ireland. The types of problems that committee addresses are related to matters such as the obligation to retain data, who should retain it, and the type of data that need not be retained, such as spam. These issues feed into the other committee consisting of representatives of all member states. The latter committee reports on the implementation of the directive in member states, and hears from experts from the technology companies on relevant issues. In our case, they also feed into the discussions on the memorandum of understanding.

All sides involved in the discussions on the memorandum of understanding recognise that it is to the benefit of all of them, and ultimately to the benefit of law enforcement in this country, if the Garda Síochána, Revenue Commissioners and the Defence Forces know what providers can reasonably retain, within the parameters established in the directive, and that the providers know what is required of them under the directive by the law enforcement authorities.

The purpose of the memorandum is simply to ensure the directive operates as intended. I greatly welcome the initiative of all concerned in its negotiations. It does what would not be feasible in the Bill - that is, it sets out in more detail what is required to be retained under the directive. For example, there has been some comment on which provider should retain a particular piece of data. Recital 13 of the directive states that data should be retained in such a way as to avoid being retained more than once. Accordingly, if more than one service provider is in possession of particular data, only one need retain it for the purposes of the directive. The detail on which provider retains duplicated data can only be agreed in discussions between the service providers and the law enforcement authorities.

The question of human rights and privacy arises when legislation such as this Bill is proposed. It is recognised that all personal information is important to the individual and that is why the intrusion into a person's privacy is kept to a minimum and is only used in serious instances. No content is retained or disclosed under the directive or the legislation, for example, the content of a telephone call or e-mail or web sites visited. What is retained could be compared to an envelope with a note inside where what is required to be retained is the address on the envelope with the note inside being destroyed. The directive addresses the human rights implications in recital 9. It refers to Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, under which everyone has the right to respect for his or her private life and correspondence. It states:

Public authorities may interfere with the exercise of that right only in accordance with the law and where necessary in a democratic society, inter alia, in the interests of national security or public safety, for the prevention of disorder or crime, or for the protection of the rights and freedoms of others. Because retention of data has proved to be such a necessary and effective investigative tool for law enforcement in several Member States, and in particular concerning serious matters such as organised crime and terrorism, it is necessary to ensure retained data are made available to law enforcement authorities for a certain period, subject to the conditions provided for in the Directive. The adoption of an instrument on data retention that complies with the requirements of Article 8 of the ECHR is therefore a necessary measure.

It can be deduced from this that the directive has been fully examined and cleared from a human rights perspective.

Like approximately half of the member states, we do not reimburse the costs associated with the retention of data. It is recognised that this is a burden on the providers and that, naturally, they would prefer if the State did reimburse the costs. They have argued strongly in discussions with officials from the Department of Justice, Equality and Law Reform for the costs to be reimbursed but, ultimately, they have accepted that the money, which would have to come from the Garda Vote, is not available. The willingness of the providers to bear the cost of implementation is appreciated. It is an example of civic mindedness at its best, where companies with information at their disposal make it available in accordance with strict statutory guidelines to the law enforcement authorities. In order that there would be a full understanding of the costs of implementing the legislation, the service providers were asked to provide their best estimate of those costs. The composite figure we received, which represents the total costs of the nine biggest players in the industry, was a once-off amount of €2.9 million on capital expenditure and annual running costs of approximately €1.6 million.

Reference has been made to the recent decision of the German Constitutional Court which struck down the German legislation transposing the directive. Two important points should be borne in mind when discussing that decision. The court did not find that data retention was unconstitutional in Germany, but simply the way the directive was transposed. Second, this was a German court examining German legislation in the context of the German Constitution. The issue was with transposition, which apparently went beyond what was required, not the directive. This does not affect the way we transpose the directive or our timescale for transposition. As matters stand, any further delay in our transposition process could entail a substantial fine being levied on Ireland.

I would like to respond to some of points raised in the course of the debate. Senator Regan criticised the delay in publishing the Bill. There were two reasons for the delay. The consultation process with the service providers took longer than expected and the original plan to transpose the directive by means of secondary legislation had to be abandoned, resulting in a delay in publishing the Bill.

Senator O'Donovan asked why it was necessary to give the Revenue Commissioners power to make disclosure requests and if they could not make them through the Garda. The Revenue Commissioners received legal advice some time ago that a law enforcement authority could only make a disclosure request for its own purposes. That ruled out any question of the Revenue Commissioners making their requests through the Garda. The Customs Service, in particular, is involved in the investigation of serious crimes, such as the importation of illegal goods such as drugs, which have international crime implications. It would be illogical to deprive it of the investigating tool provided for in the Bill.

Senator O'Donovan also asked why it was necessary to retain data for two years when most other countries can make do with 12 or six months. He referred to standard retention practices in the European Union. The directive allows data to be retained for between six months and two years. The Department of Justice, Equality and Law Reform has been advised by our law enforcement authorities that the minimum period required for the retention of telephony data is two years and for Internet data, 12 months. It was explained in the opening remarks that the two-year period for telephony data is a reduction of one year from the present law and a four-year reduction from past practice. The vast majority of data are requested within the first six months of being generated. However, the quality and potential of data that is older makes the retaining of data for a longer period essential. For example, when a gangland criminal is charged with an offence, it may be necessary to request data that is up to two years old in the case of telephony data that might help to identify other members of the gang. Similarly, if a person is arrested in the State on suspicion of being a member of an international terrorist organisation, telephony data going back for two years may help in identifying a gang preparing a major terrorist outrage.

The two-year retention period for telephony data is among the highest retention periods provided by other member states. Most have legislated for 12 months, with two or three opting for six months. It is understandable that some member states legislating for data retention for the first time might wish to steer a middle course. The 12-month retention period for Internet data seems to be in the mainstream of how other member states have implemented that aspect. The European Commission is reviewing the operation of the directive and issues such as the retention periods are likely to be addressed in that review.

Senator Norris asked what was the technical reason the directive could not be transposed by way of secondary legislation. In the normal course, directives are implemented by way of secondary legislation. The European Communities Act 1972, as amended, so provides and given the volume of directives, that is the only practical way of implementing the majority of directives. However, primary legislation is required under Article 29 of the Constitution where the State exercises an option or discretion in the transposition procedure. In the Data Retention Directive, there is a provision in Article 1 requiring each member state to ensure data are available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law. Advice was received in the Department of Justice, Equality and Law Reform that defining serious crime for the purpose of transposing the directive could be interpreted as exercising a discretion and it would be safer to proceed by way of primary legislation. Accordingly, in order to ensure that the implementation would not be held up through a court challenge, it was decided to cease work on the statutory instrument that had been prepared and to proceed by way of a Bill. Another reason it was originally decided to transpose by way of secondary legislation was to meet the implementation deadline. It was always intended after that to prepare the type of legislation now proposed in order to fill in some gaps in the directive, such as requiring data for the purpose of saving human life and safeguarding the security of the State.

Senator Bacik asked about the six Revenue offences. These are named in section 1 of the Bill under the definition of "Revenue offence". In response to Senator Walsh, all the Revenue offences have a maximum prison sentence of five years.

I reiterate that I hope the importance of the balance between this use of data retention to fight serious crime and the right of every citizen to privacy has been clearly shown.