TechnologyOpinion

Government inaction leaves our data retention laws in limbo

Ireland still relying on outdated 2011 legislation

Despite having had years to rectify the situation, Ireland remains suspended in a strange limbo on an urgent piece of policing legislation, a data retention law to lawfully define when and how communications data may be gathered and used as evidence.

Ireland is still relying on its outdated 2011 data retention law, even though in 2014 the Court of Justice of the European Union (CJEU) invalidated the EU’s 2006 Data Retention Directive on which it is based. Incredibly, even though that decision had an Irish context, involving a case brought by digital privacy advocates Digital Rights Ireland (DRI) against the Irish State, the Irish law still has not been updated, eight years on.

Consequences include the ongoing case brought by convicted murderer Graham Dwyer against the State for using communications data evidence gathered under an outdated law.

Another CJEU decision going against the State, on the admissibility of that evidence last spring, at last prompted a response. The Department of Justice rushed through amending legislation to the 2011 law. Little discussion or consultation could take place, we were told, because the need to amend the law was so urgent (yet somehow, not urgent enough to be rectified for eight years).

READ MORE

This saga has not yet played itself out. Now it appears that we are still reliant on, yes, the 2011 law because the amending legislation was never “commenced” – officially greenlighted, as required, by ministerial order. Why? No explanation was forthcoming from the Department of Justice, but Irish Examiner journalist Cianan Brennan revealed on Monday that the legislation pushed through months ago is possibly null and void because the Government didn’t comply with an obligation to notify the European Commission about aspects of the proposed law, under the Single Market Transparency Directive’s Technical Regulation Information System (TRIS) procedure.

This is a long-standing directive, revised in 2015, intended to prevent member states from enacting rules that feature “technical regulations” that could fragment the single market by erecting barriers to the free movement of goods and – note! – “information society services”.

Using the TRIS procedure EU states must upload to a public database any draft legislation that might pose a concern. The commission, member states and the other participating regional countries can issue comments, or if there’s special concern, a “detailed opinion”. A dialogue can be opened and any problematical elements addressed.

Two important details: if a law is passed that should have been, but wasn’t, notified to TRIS, the commission can declare it void, a power reaffirmed in past cases by the CJEU, according to solicitor Simon McGarr’s newsletter the Gist. (McGarr’s firm represented DRI in the 2014 CJEU case.) And, if an EU proposal covering the same is in the pipeline – and we have several such proposals, for example, for online safety and for using facial recognition – the commission can block and postpone adoption of the national measure.

Ireland has not once, in five years, submitted a single comment or detailed opinion on any other EU state’s notified legislation... Are we so disengaged as an EU member state?

When DRI chairman TJ McIntyre informed the commission that the data retention amendment had been passed, the commission responded that the directive requires the commission be notified by the Government so reactions could have been issued during draft stage. In other words, the Government missed the TRIS process. So the commission could nullify the law. Is this why it hasn’t been commenced?

Perhaps the Government didn’t feel the legislation needed notifying. However, as McGarr says, the State did feel obliged to notify with the draft Online Safety and Media Regulation Bill in 2020. Yet data retention surely would have much wider potential impact on companies, as it allows law enforcement to reach into company databases to obtain sensitive data about EU citizens.

Data retention laws are of significant concern to citizens, companies and other organisations. Given the presence of so many technology companies here, including dozens of data centres and multinationals holding information on EU citizens that comes from many third-party companies, the Government needs to explain why the 2022 data retention amendment wouldn’t require notification.

But it gets odder. Ireland has not once, in the five years of 2016-2020, submitted a single comment or detailed opinion on any other EU state’s notified legislation. An EU report put Ireland at the bottom of the participation list with zero activity, alongside Cyprus and Luxembourg. Is the State that indifferent to laws passed elsewhere, which could impact the operation of technology companies based here, and Irish companies generally? Are we so disengaged as an EU member state?

Ireland also only gave 37 notifications on its own proposed legislation in that same five-year period, a paltry 1.04 per cent of the EU total. By contrast, Austria gave 258, Denmark 190, Lithuania 57.

Do we really do so little that might impact the single market, given Ireland’s position as home to some of the globe’s providers of “information society services”? Might we have previous laws that should have been notified, and which are now possibly in breach of the Single Market Transparency Directive?