Bill to give guidelines on data has bizarre features

Attempts to regulate data retention have a long and tortuous history, writes KARLIN LILLINGTON

Attempts to regulate data retention have a long and tortuous history, writes KARLIN LILLINGTON

THE LEAKING of the Government’s draft Bill on data retention this week has revealed the State’s latest policy approach to this troublesome and controversial topic. It is just the latest stage in a saga that began in 2001. How did we get from there to here?

What is data retention, anyway?

Data retention originally referred to the storage of call data records for mobile and landline phone calls (numbers, time, length, origin and termination of a call, and name and address of the user and recipient of the call as well as the equipment used for the call, and location data).

READ MORE

However, a 2006 EU directive requires states also to store information about internet and email usage, with Ireland proposing to record data on internet telephony as well.

How long is that data kept, and who keeps it?

Storage times differ by country. The EU directive allows data to be stored for six to 24 months. Countries can select different storage periods for different types of information (many choose to hold internet and email data for a shorter period than call data).

Under existing Irish data retention legislation from 2005, only call data are kept, and for three years (one of the longest periods internationally). Data are held by the service provider.

Why did we have data retention before the EU issued a directive requiring it?

Because The Irish Timesrevealed in 2001 that the telecommunications providers were holding call data for six years, in violation of data protection laws. Then data protection commissioner Joe Meade demanded the telcos comply with EU and Irish data protection law – allowing six months' storage – or cease operation.

The Garda and Department of Justice were alarmed, and the Cabinet issued a secret directive in 2002 requiring telcos hold call data for a year.

When Meade learned of this, he threatened the government with a High Court action on the constitutionality of secretly retaining citizen call data. Eventually, three-year data retention was introduced via a last-minute amendment to a 2005 Bill on terrorism, by then minister for justice Michael McDowell. Little debate occurred in an almost empty Dáil and the amendment was passed.

Why does anyone want this stuff?

Because sometimes this information is useful in prosecuting crimes – from now on, what the EU directive terms “serious crimes”. However, therein lies the rub for Ireland.

Under the 2005 legislation, data could be accessed for just about any crime.

Though the Department of Justice originally promised data would only ever be used for prosecuting serious crimes such as terrorist offences, in reality it can be accessed for cycling through the Phoenix Park without a bike light.

Now, under the EU directive, data can only be accessed for fighting “serious crime”. Rather than lose the ability to access data for all sorts of other cases, the Department of Justice has decided to redefine “serious crime” from a crime with a minimum five-year sentence to one with a minimum 12-month sentence.

At one point, in a statutory instrument enacting the directive, drafted last spring, they were aiming to pitch the level at crimes carrying a maximum six-month sentences – which would have included crimes like loitering.

It is understood that the Attorney General advised that using a statutory instrument, which does not require Oireachtas debate, could raise constitutional problems. Hence the need for primary legislation and the new draft Bill.

But didn’t the Government challenge the data retention directive in the European Court of Justice?

Yes and no. This week, it lost a challenge which related only to how the directive was approved – by a simple majority of ministers rather than a unanimous vote. The Government was concerned that smaller countries could be steamrolled by a simple vote on directives.

That the subject of the directive was data retention is merely an ironic twist, as the State has been an early and long-time champion of data retention at EU level.

The constitutionality of Irish data retention legislation is being challenged, though, by privacy advocates Digital Rights Ireland (DRI) in a High Court case that will likely be referred to Europe.

So what’s in the current Irish Bill?

You can see for yourself, as DRI has uploaded it in full at www.digitalrights.ie. In general, the Bill is supposed to give clear guidelines on storing and accessing data.

But it has several bizarre provisions, including a clause that allows data to be used even when procedures for legally obtaining it were not followed, and another that allows the Minister for Justice to order certain offences to be removed from the remit of the Bill.

The Bill also lays out for service providers a range of requirements for securing, managing and destroying data – all of which will carry large costs and greater liability for the providers.

And is that going to be what we are stuck with?

Unlikely. It is hard to see how the State could possibly implement the Bill in its current form and still call itself a democracy.