Startling memo on retaining data

KARLIN LILLINGTON: A ‘private’ data-retention agreement is based on sweeping assumptions, not articles of law

KARLIN LILLINGTON:A 'private' data-retention agreement is based on sweeping assumptions, not articles of law

A secret memorandum of understanding between State agencies and the communications industry on how to implement the as-yet non-existent Government data retention legislation, confirms longstanding concerns about who is managing the data retention agenda and to what end.

With data retention, it appears that the tail is wagging the dog, in blatant disregard for proper democratic legislative process. The agencies that want access to our call and internet data are bypassing the Oireachtas, which at least theoretically, is the body that draws up and implements legislation.

As one alarmed privacy advocate told me: “This is legislation by decree.”

READ MORE

The “Memorandum of Understanding (MoU)”, seen by The Irish Times, is dated August 17th and was drawn up “between the Communications Industry and the following State agencies: the Commissioner of An Garda Síochána, the Permanent Defence Forces and the Revenue Commissioners”, as stated in the opening paragraph of the memorandum.

The memorandum defines the “Communications Industry” as “the industry represented by: ALTO, TIF and ISPAI” – the main industry representative bodies, namely the Association of Licensed Telecommunications Operators, Ibec’s Telecommunications and Internet Forum, and the Internet Service Providers Association of Ireland.

Data retention legislation will require the storage of call data information for phone and mobile calls and faxes for two years, and, in the case of e-mails, for one year, for everyone in Ireland, including children. It does not require the retention of content, but of sensitive location and duration information.

Best practice should be to retain such data for a maximum of six months, according to Europe’s Data Protection Commissioners.

No doubt, the argument will be made – and indeed is, within the body of the 13 page memorandum – that the document exists to help streamline the process by which our data are requested and handed over to various bodies that will now be allowed to look at it. Or as the memorandum states: “to promote efficient and effective standards of co-operation between the State and the Communications Industry.”

But it is not the business of the agencies to arrange any such matters privately with the communications industry, especially in the absence of actual legislation, or any public discussion or input, or any significant Oireachtas debate on a Bill that has only recently been published and not yet debated.

A data retention bill has not been passed by the Oireachtas yet, so this extraordinary “agreement” is based on sweeping assumptions, not articles of law.

More startling is the fact that agencies and industry are making such secretive plans for co-operation at all. It is the job of the Oireachtas and, ultimately, the courts to determine how legislation will be interpreted and implemented, not the Garda Commissioner, the Revenue Commissioners or the Defence Forces by private agreement.

This is the equivalent of the Financial Regulator securing a private understanding with Irish companies and banks as to how they will be supervised and how evidence will be obtained from them for investigations.

Another concern is that the memorandum, as it stands, indicates an agreement to obtain data that goes beyond what has been proposed so far in the published data retention bill.

The memorandum arranges for communications companies to hand over ''any available personal details" of an IP address user, e-mail sender or VoIP user, even though the draft Bill (as seen by The Irish Timesearlier this year) only requires name and address.

The memorandum also contains an agreement to hand over the MAC address associated with a computer user – the numerical “address” of a physical piece of hardware, such as a laptop, that enables it to connect to a network – though not required by the Bill.

The memorandum concludes with supreme arrogance: a detailed schedule pertaining to what will be handed over and how, matched to the text from the “Act” – again, simply the proposed Bill the Oireachtas has not yet approved. The schedule has a column for the “mutual agreement of retained data” and another for “issues addressed and agreed”.

Excuse me? Since when do agencies and industry get to “mutually agree” how they will privately interpret and comply with publicly mandated legislation (setting aside the glaring absence of any such legislation on which to base their ‘mutual agreement’)?

The memorandum notes in conclusion that it should be disseminated within Government “where necessary” and copies of the signed agreement be filed with legal representatives and stored internally in company files.

So, we have a private deal arranged in advance, in disregard of the role of the democratically elected Oireachtas and with no public input or scrutiny, between State agencies and the communications industry on how they will interpret and act on one of the most controversial pieces of legislation proposed for the State and European Union.

Legislation that has massive privacy and security implications for citizens and for businesses, and which already has been criticised by several leading business figures from indigenous and multinational companies as a threat to Ireland’s business environment.

Such arrangements have no place in a democracy and will surely alarm businesses that have chosen to base themselves in Ireland. Revelations that they exist will not instill confidence that privacy safeguards will be respected for citizens or businesses, nor dispel concerns that other murky off the record arrangements will be made along the way.

Blog and podcasts: www.techno-culture. com Twitter: twitter.com/klillington