Data Retention Bill needs major reconsideration

NET RESULTS: The new Bill is worrying in that it provides little framework for safeguarding our data, writes KARLIN LILLINGTON…

FINALLY, THE Government has published its proposed, often-postponed, but still overly-surveillant Data Retention Bill requiring the mandatory storage of people’s phone call data and e-mail details, the former for two years, the latter for one.

Content will not be retained, but the details about the calls or e-mails will, such as size (for e-mails), duration (for calls), time and date made or sent, the sender, the recipient, location.

One or two years of such information gives a quite intimate portrait of a person’s activities and contacts – which can also be easily misinterpreted if viewed in isolation.

In the case of businesses, such detail – similar to viewing a phone bill – can contain extremely sensitive competitive information.

All of this information is to be held and managed by telecommunications operators and internet service providers – the same people who have brought you various hacking incidents and accidental data breaches.

Only this week Eircom was enduring a hacking attack.

The Bill is being presented as an improvement over the existing (2005) legislation’s three-year period for call data storage, while conveniently ignoring that many EU states have opted for the minimum period of six months allowed in the EU directive. And retention of e-mail details is a new element.

Oddly, given our serious economic problems, business concerns still don’t seem to worry the Government or agencies such as IDA Ireland and Enterprise Ireland. Indeed, they seem rather out of touch with how alarmed businesses, especially in the desired technology sector, find our data-retention proposals.

I understand that business leaders sent letters to the Minister for Justice expressing their alarm, so perhaps that helped tone down the published Bill.

But as those business leaders would note: not enough.

For example, the Bill still fails to outline who will pay for storage and management of the data – presumably the providers, a cost one can only assume will be passed on to businesses and individual subscribers. So much for encouraging the climate for a “knowledge economy”.

The UK and many other countries vying for business with us, meanwhile, have indicated the government will cover such costs.

There’s a definite improvement in the Department of Justice’s backing off its intention to actually redefine serious crime for the purposes of this Bill. Yes, you read that right.

Originally, the intention was to redefine serious crimes from those punishable by a five-year sentence to just a paltry one-year sentence, which would have meant loitering would be on the serious crimes list.

Instead, no doubt due to some concerns about the constitutionality of going down that road, the Bill applies to serious crimes under the standing definition and some specifically defined other instances.

Yet most “serious crimes” do not come close to terrorism and child pornography, the only type of serious crime the 2005 legislation was supposed to target (as promised by then minister for justice Michael McDowell) and which current Minister for Justice Dermot Ahern yet again referred to in defence of the Bill this week.

Funny how we are consistently told these are the only crimes for which the State would need to hold our personal data. Yet the State blithely brought in legislation giving virtually open access to this sensitive information for the past four years.

I’d like to call the Minister’s bluff on this issue. If data retention is needed for fighting terrorism, child pornography and similarly horrendous crimes, and this is regularly used to defend the need for this level of long-term surveillance of the entire population, why weren’t these properly defined as the relevant crimes in the current Bill?

Why should anyone believe there won’t be the “mission creep” seen over and over again once data are retained?

Having a pool of information inevitably becomes useful for the prosecution of even the most petty misdemeanours. Hence, UK residents have found data and mandated surveillance used to target the evil crime of failing to clean up after one’s dog.

The published Bill is most worrying though in that it still provides little framework for safeguarding our data – neither any meaningful recourse for people who feel their data have been improperly accessed nor a regime for safeguarding it generally if there is a data breach.

This is not to suggest that people under surveillance be told their data are being accessed, but that – as in several other countries – after a period of time people would be entitled to know their data were obtained and for what ostensible purpose.

The Bill allows people to file a complaint if they discover misuse of their data, but given they have no way of finding this out, the Bill’s current “safeguard” is nonsensical.

Likewise, Ireland is long overdue for a data disclosure law that would mandate that any individual be notified of any breach of personal data. Such a law in California led to the revelation of major national data thefts and losses; now this type of law is in place in most states, with proposals at a federal level.

With all of our recent cases of lost, hacked and missing data, we need such a law urgently, but we also need major reconsideration of the published Data Retention Bill.

Let’s hope it receives vigorous scrutiny when the Dáil returns.

klillington@irishtmes.com; podcasts and blog: www.techno-culture.com; Twitter: www.twitter.com/klillington