Helen McEntee (Meath East, Fine Gael) | Oireachtas source

Let me get into some of the detail. First, on amendment No. 4, the recent ruling and the 2020 ruling essentially state user data were not classified as serious in that they do not show the traffic or location details. Retention and access to these data can be justified by the objective of dealing with criminal offences in general. There is no requirement for a specific time-limited arrangement in these circumstances, particularly given that there will no longer be scope for the general retention of the Schedule 2 data, which relate to the traffic and location details. I do not believe it is unreasonable or disproportionate to set a period of 12 months for the retention of these types of data, and the Court of Justice of the European Union accepts this given that the information involves somebody’s name and information willingly given. Obviously, looking at traffic location and where you are is seen as a much greater invasion of somebody’s rights and privacy.

Essentially, the 12 months represents a 50% reduction on the default period of 24 months, which entails the retention of all Schedule 2 data relating to telecommunications, as in the principal Act of a number of years ago. I am future-proofing section 3A of the legislation. This allows for a shorter period up to a maximum of 24 months. It is prescribed by ministerial order. This is proposed given that there are further pending CJEU rulings that may impact on retention periods for user data. It is for that reason specifically that I cannot accept amendment No. 4.

With regard to amendments Nos. 5 and 6, the most significant aspect of the rulings is the requirement on the general retention of Schedule 2 data. This area is seen as more significant in terms of the impeding of individuals’ rights, so it is believed the arrangement must be limited to what is strictly necessary. Again, I believe that is what we are doing here. We are proposing a 50% reduction on the default period of 24 months, and this meets the requirement to have what is strictly necessary. When the platforms and providers contacted us after the most recent clarification and crystallising of the rulings over previous years, their concern was that they would immediately have to remove and get rid of all data, which is obviously not what we want to happen. We are trying to put in place a number of provisions, while the intention is obviously to try to work with our colleagues at European level to ensure data, be they Schedule 2 data or more general, can be used by our law enforcement agencies to deal with criminal offences and serious crime, not just security threats.

This has been fully proofed by the Attorney General. We have taken significant legal advice on this. The response is that we have set out what is strictly necessary. The CJEU has accepted this as well.