
Data Retention: Irish Times

  • 19-01-2008 3:39pm
    #1
    Legal Moderators, Society & Culture Moderators Posts: 4,338 Mod ✭✭✭✭


    I note from today's front page of the Irish Times that the government are to go ahead with plans to transpose the DRED - Data Retention Enforcement Directive.

    There's a lot of interest in this for Internet and Communications companies and in addition questions from www.digitalrights.ie in respect of privacy concerns. Currently data is retained under the 2005 Counter Terrorism Act, for a period of 3 years, see section 44, 45, 46.

    Recent trials in the criminal sphere of law have made this a most interesting topic e.g., O'Reilly trial.

    Tom


Comments

  • Legal Moderators, Society & Culture Moderators Posts: 4,338 Mod ✭✭✭✭Tom Young


    http://www.digitalrights.ie/2008/01/19/dri-condemns-backdoor-implementation-of-surveillance-laws/
    DRI condemns backdoor implementation of surveillance laws
    January 19th, 2008

    Government proposals to introduce surveillance of all internet users are unacceptable. The proposed law will require Internet Service Providers (ISPs) to keep records of every email, every instant message or chat message, and every time users log on or log off, and to store that information for up to 18 months. This information will then be available without any court order or warrant. These proposals, implementing European law, are being drafted without public consultation and would be implemented by a statutory instrument. There will be no scrutiny by the Oireachtas.

    It is incredible that the Government proposes to introduce a law which would require every Internet user to be monitored without any warrant or prior judicial approval, without any public consultation and without any debate or vote in the Oireachtas. A law of this gravity should not be made by stealth.

    The Department of Justice appears to be relying on the “urgency” of the matter to justify bypassing the Dail and Seanad. But the European law being implemented was passed in February 2006. The Department has had two years to introduce a Bill and it cannot rely on its own delay to justify sidelining democratic scrutiny.

    In any case, it is inappropriate to implement this law whilst it is under court challenge. The Irish government itself has challenged the validity of the law before the European Court of Justice. Digital Rights Ireland has also brought a High Court action challenging the European law. These proposals will effectively pre-empt the judgment of the courts.

    Government missed a critical extension period as McDowell and the lads decided to litigate (and rightly) the pillar placement of the Council's vote on the Directive. Ah well.


  • Moderators, Entertainment Moderators, Politics Moderators Posts: 14,535 Mod ✭✭✭✭johnnyskeleton


    Is it "DIRECTIVE 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC" link?

    If so:
    1) Article 1 refers to "the obligations of the providers of publicly available electronic communications services or of public communications networks". But there is no definition of "publicly available".

    It seems to me that this would include bebo, facebook etc, which you can access without being a member, but would not include email services such as gmail, eircom etc, where you have to be a member/customer to access and use the services. The article 2 definition of "user" is a person using a publicly available electronic communications service, "for private or business purposes, without necessarily having subscribed to that service", and I think this is consistent with the interpretation of the service being public as opposed to subscription only. So it would apply to www.boards.ie, but not to, for example, a private, subscription only, chatroom.

    2) Article 1.2 states that:

    "This Directive shall apply to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered user. It shall not apply to the content of electronic communications, including information consulted using an electronic communications network."

    This is reiterated in art 5.2. So the retention applies only to information on access to the internet or to certain sites, and not to the content of communications. Therefore, they are obliged to retain info that a person logged onto the internet in X location and accessed www.boards.ie, but they are not obliged to record that johnnyskeleton logged on and posted subversive, borderline seditious, criticisms of the state.

    3) However, article 5 refers to telephones, mobile devices and email services. I can't see how they are compatible with the ordinary meaning of publicly available, and it would seem to me that it is probably intended (but by no means clear) that they intended publicly available to include commercially or widely available services that any member of the public can avail of, provided they comply with certain conditions, which may include the payment of a fee.

    4) Article 4 provides that:

    "Member States shall adopt measures to ensure that data retained in accordance with this Directive are provided only to the competent national authorities in specific cases and in accordance with national law. The procedures to be followed and the conditions to be fulfilled in order to gain access to retained data in accordance with necessity and proportionality requirements shall be defined by each Member State in its national law, subject to the relevant provisions of European Union law or public international law, and in particular the ECHR as interpreted by the European Court of Human Rights."

    To transpose this into Irish law, it would seem to me that before seeking such information, there must be some safeguards, either the necessity to first obtain a warrant, or else some other statutory regulation. The phrase "in specific cases" would suggest to me that a warrant procedure would be a more proportionate protection of the right to privacy than an internal garda procedure, as internal garda safeguards (e.g. detention under s.4, custody records etc) are appropriate when they are generally available for the investigation of offences. Where a garda power is only used where it is specifically necessary (e.g. search warrant), it should only be allowed after judicial approval.

    As for bringing it in by statutory instrument, I don't think the Directive is specific enough to have any real direct effect, and it would seem appropriate that the procedures are set out in statute rather than simply introduced by SI.


  • Legal Moderators, Society & Culture Moderators Posts: 4,338 Mod ✭✭✭✭Tom Young


    Correct, however ..

    My reading is that the margins are as follows:

    1. Time limits for retention at between 6 months and 36 months (3 years);
    2. Specific data types, whether server logs, sms messages, telephone records etc.; and
    3. Cost recovery allocations to operators effective in member states.

    So no issue with the S.I.

    An adjunct to this is criminal sanctions against entities who do not comply. Effect in Ireland is barred by the constitutional provisions under Art 29.

    Some really beautiful aspects of this legislation are:

    1. Widening of the remits provided to the state in the 2005 CT Act and the 1983/1993 P&T acts in respect of telephone records;
    2. The complete disjoin between Data Protection legislation and the Data Retention Directive; and
    3. (although defined) the fact that records of illegal downloads and copyright infringements may also be retained.

    Tom


  • Legal Moderators, Society & Culture Moderators Posts: 4,338 Mod ✭✭✭✭Tom Young


    'Publicly Available' needs to be cross referenced to EU Communications Regulatory Framework - 2003 to be amended.

    This is effectively also known as PATS - Publicly Available Telephony Services, anything with a bi-directional element in communications capable of facilitating consumers.


  • Moderators, Entertainment Moderators, Politics Moderators Posts: 14,535 Mod ✭✭✭✭johnnyskeleton


    Tom Young wrote: »
    1. Widening of the remits provided to the state in the 2005 CT Act and the 1983/1993 P&T acts in respect of telephone records;

    I don't think these things really play well with juries. Fair enough the triangulation of Joe O'Reilly's mobile could well have been the critical piece of evidence in that case, but call and text records usually seem a bit irrelevant.

    Also, the directive specifies that the contents of the communications shall not be recorded pursuant to the Directive (Art 5.2), which for text messages, is less than they have at the moment.
    Tom Young wrote: »
    2. The complete disjoin between Data Protection legislation and the Data Retention Directive;

    There's stuff in the directive about data protection, but that seems to be more about data security rather than the dissemination of data.

    But it seems to me that data protection legislation would still apply under Irish domestic law, to anyone in charge of said material; and all the talk about giving the information to competent national authorities for the investigation of specific cases would be the specified purpose under the Data Protection Act.
    Tom Young wrote: »
    3. (although defined) the fact that records of illegal downloads and copyright infringements may also be retained.

    Would the fact that they were illegal downloads or copyright infringements not be evidence of the contents of the communication rather than traffic and location data? It seems to me that it could be used to show that a person accessed a certain site, but not what they did on that site.


  • Legal Moderators, Society & Culture Moderators Posts: 4,338 Mod ✭✭✭✭Tom Young


    More on this from TJ McIntyre's blog.
    The case against data retention

    I've written a piece for today's Irish Examiner on the Government's data retention proposals, which it published under the headline (not chosen by me!) "Big brother will be watching... everyone".

    Full text:

    How would you feel if someone followed you every day, writing down your movements, making a note of everyone you talked to, jotting down the address of every letter you post, and then storing that information for three years? What would you think if that system of surveillance was extended to every single person in the country? While this might sound like the stuff of science fiction, since 2002 the Government has required telephone companies to track the movements of all their users, to log details of every telephone call made and every text message sent and to store that information for three years. The Department of Justice now proposes to extend this further, to require ISPs to monitor everyone’s internet use, including details of every email or instant message we send, and every time we log on or off, and to store that information for up to two years. What’s more, it intends to do this by the stroke of a ministerial pen, with no debate before the Dáil or the Seanad.

    The rather dull name for this surveillance is “data retention”. But it might be more informative to talk of “digital footprints”. As technology comes to be more and more part of our everyday lives, we leave a trail of digital footprints recording almost everything we do. Activities which once would have been private (posting a letter) may now leave a record (sending an email). Data retention laws – by storing these digital footprints – mean that the rights to privacy and freedom of expression we take for granted in the offline world might be lost in the digital age.

    Of course, it is legitimate that police should have access to some call or internet data. This information can help in investigations and prosecutions. But the information stored and access to that information must be reasonable and proportionate. In particular, information should not be stored on everyone, but only on a targeted basis. Access should be granted only on the basis of a warrant, and only in respect of terrorism or serious crime. And the information should be stored for as short a period as possible, and certainly for no more than six months except in exceptional circumstances.

    Indeed, in 2001 the Government accepted the need for safeguards by signing up to the Convention on Cybercrime, which achieved international agreement on a far less intrusive “data preservation” system, which would preserve evidence in individual cases without the blanket storage of information on all citizens. But the Government has since ignored that system and instead put in place laws which contain almost none of these safeguards.

    Laws requiring monitoring of the entire population are astonishing in a democracy. Yet so far there has been very little public debate. One reason might be that this surveillance happens invisibly in the background. But compared to traditional surveillance it is potentially far more intrusive, and carries much greater risks of abuse. In the United Kingdom we have seen the loss of data on many millions of individuals. Here officials in the Department of Social Welfare have been found to be engaged in the systematic leaking and selling of personal information from government databases. There is no reason to think that this information will be treated any differently.

    Public awareness has also been stifled by the tactics adopted by the Government. In 2002 data retention was initially brought in by a secret ministerial order, which the telephone companies were forbidden to reveal. Only after pressure from the Data Protection Commissioner was it made public. In 2005, the Minister for Justice again avoided public scrutiny by changing the law using a last minute amendment to an unrelated Bill – breaking a promise that there would be full consultation and a separate Bill for the Oireachtas to debate. Now the Department of Justice is proposing to implement a European Directive on data retention using a statutory instrument – again excluding the Dáil and the Seanad. They claim that the matter is urgent and that there is no time for legislation. But that Directive was passed in February 2006. The Department has had nearly two years to prepare a Bill and cannot now rely on its own delay to justify sidelining democratic scrutiny.

    Digital Rights Ireland has brought a High Court challenge to these Irish and European data retention laws, which will ultimately decide whether surveillance of the entire population can be compatible with the rights to privacy and freedom of expression under our Constitution and the European Convention on Human Rights. Until then, however, there should at a minimum be full public awareness and discussion. And in the case of the Department of Justice proposals, at the very least any extension of these laws to the Internet should be by primary legislation and following a debate in the Oireachtas.

    http://www.tjmcintyre.com/2008/01/case-against-data-retention.html

