:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/EKERXUQKF5BDFH4LL2A4UQFVGI.jpg)
The Department of Justice has rejected a claim that a court order requiring telecoms firms to retain mobile phone metadata for State security reasons for one year equates to “mass surveillance” of all citizens.
The claim was made by Dr TJ McIntyre, of Digital Rights Ireland (DRI), when he informed a lawyers’ conference last Friday that the Minster for Justice, Helen McEntee, intended to seek the order on Monday. DRI had written to the Minister raising a number of concerns, he outlined.
In a statement on Monday, the Minister confirmed the order was obtained under section 3A of the Communications (Retention of Data) (Amendment) Act 2022 on Monday, the same day that Act came into operation.
The 2022 Act is a workaround response by the legislature to the successful legal challenge by convicted murderer Graham Dwyer to provisions of a 2011 data retention Act under which mobile phone metadata relied on by the prosecution at his trial for the murder of childcare worker Elaine O’Hara was retained and accessed. The 2022 Act amends provisions of the 2011 Act.
:quality(70):focal(1875x674:1885x684)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/OJKVKLPINVAJLHPD6IEZWV2VXM.jpg)
:quality(70):focal(1770x1675:1780x1685)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/4BVNTHXHSZE7VEU3UAZW3WDPZQ.jpg)
:quality(70)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/UCM7WQSYCBDIBM43Z2EVXNLYDE.jpg)
:quality(70):focal(1175x575:1185x585)/cloudfront-eu-central-1.images.arcpublishing.com/irishtimes/2AR4O3HUWNBDNETG6PFNP4NN4A.jpg)
In a written response on Thursday evening to further media queries about Monday’s application, the department said the order was granted by Mr Justice Alexander Owens under section 3A, which provides such applications shall be made ex parte (one side only represented) and shall be heard “otherwise than in public”.
The application, heard over one hour and 40 minutes, was grounded on information sworn by a senior official concerning the Minister’s assessment the order was necessary to safeguard the security of the State.
The Minister, as provided for under the 2022 Act, had written to the President of the High Court on July 21st, 2022, who had on July 29th, 2022, designated Mr Justice David Keane and Mr Justice Owens as relevant judges to hear applications under section 3A, the department outlined.
Digital Rights Ireland, in its letter to the Minister last Friday, asked whether the Minister had carried out a data protection impact assessment regarding the retention of the mobile phone data in advance of any such application.
The group also asked, inter alia, why the 2022 Act was commenced when the European Commission had raised concerns about the draft legislation not having been submitted to the commission which, DRI said, is required under EU law. It asked that its concerns be outlined to the High Court.
In its response, the department said the amended legislation specifically states an application for a section 3A order shall be made ex parte. Notwithstanding this, counsel for the Minister nonetheless brought the correspondence from DRI to the attention of the judge, it said.
The department said Section 84 of the Data Protection Act 2018 sets out the circumstances in which a data controller is required to conduct a data impact assessment.
In the case of the 2022 Act, the conduct of such an assessment is not a matter for the Minister and is rather a matter for each data controller concerned, it said.
As regards access to data (as distinct from retention of the data), where data is disclosed to, and processed by, a member of An Garda Síochána or the Defence Forces, such processing must take place in compliance with data protection law and is subject to supervision and audit by the Data Protection Commission, the department added.
The department said it notified the 2022 Act to the European Commission’s TRIS process in December 2022, on a ‘without prejudice’ basis, as Ireland was of the view this was not legally required.
The notification period “elapsed in March without comment or opinion from either the EU Commission or other Member States on the Act”, it said. “Accordingly, Ireland was free to commence the 2022 Act.”
The department disagreed with claims by DRI the general and indiscriminate retention of communications data in accordance with the High Court order equates to “mass surveillance”.
The provisions of the 2022 Act were enacted in light of the case law of the Court of Justice of the EU (CJEU), it said.
In circumstances where there is a serious, genuine and present or foreseeable threat to national security, the case law of the CJEU “makes it clear that Members States are not precluded from making provision for the preventive retention of traffic and location data, subject to such provision being subject to effective review, being limited in time to what is strictly necessary and being circumscribed by strict safeguards to protect effectively against abuse”.
The data concerned is metadata, does not include the content of any communications and, in the vast majority of cases, nobody will ever access this data, it said.
“It is only where data are required for the purposes of safeguarding the security of the State, or in cases where an individual poses a threat to the security of the State, that data may be accessed.”
That access is subject to very strict controls including prior review of applications at a senior level in An Garda Síochána or the Defence Forces and a requirement for judicial authorisation, it said.
:quality(70)/s3.amazonaws.com/arc-authors/irishtimes/7d6f4bef-80c2-4932-9cb4-a7164db31957.png)