Ireland sneaks data retention into law

By EDRi · March 10, 2005

After pushing a framework decision on data retention at the EU, Ireland’s Government has decided to focus on its national parliament and to pass a law on data retention there. Data retention was snuck into the Criminal Justice (Terrorist Offences) Act, first introduced in 2002, in the final hours before the Bill became law in February 2005.

The law now calls for three years of data retention at all phone companies that provide fixed line and mobile services. The obligation does not extend to more complex information such as location data.

In April 2002, the Minister for Public Enterprise issued directions at the request of the Minister of Justice to oblige service providers to retain data for at least three years. The Government argued that this was a necessary temporary bridging of the gap between the transposition of the EU Directive on privacy and electronic communications into Irish law. This is misleading because the 2002 Directive did not require data retention.

The transposition into law was approved in March 2002, and providers were not required to retain the data for the full three years. The legislation was never published, however, as they were subject to a “gagging order” requiring that the service providers not disclose the fact that the directions were made. Eventually the details were leaked, and the documentation accessed under Freedom of Information.

In January 2005 the Irish Data Protection Commissioner, Joseph Meade, issued an order to service providers to erase data that is more than six months old, as of May of 2005. The Commissioner argued that the temporary directions were in force for too long without legal mandate. The Government interpreted this as a requirement to move forward with primary legislation calling for retention. The Minister of Justice argued “Without some contrary action being taken, the initiative by the Data Protection Commissioner would, if the telecommunications companies accepted its validity, seriously undermine the ability of the Garda Síochána to investigate criminal activity, including terrorism and to protect the security of the State.”

The Government contends that service providers need this legislation because of a current conflict of obligations. The Government believes that service providers are compelled to retain data for 36 months under section 110 of the Postal and Telecommunications Act 1983; but the Data Protection Commissioner’s notice required them to delete this data after six months.

On 27 January 2005 the Minister of Justice announced his intent to comply with ‘international obligations’ and to help fight terrorism through introducing a policy on data retention. Such international obligations do not exist, however, despite the great attempts by the Irish Government to create these international obligations in the first instance.

The Government accepted that its strategy to launder this policy through the EU was facing some challenges. As the Minister of Justice admitted, “I had hoped to avail of the European basis for making rules in this area but it did not materialise.” When it held the presidency of the EU the government pushed the ‘framework decision’ that would compel all service providers of all types (telephone, mobile, internet, etc.) to retain data for up to three years. This initiative was also pushed by the French, Swedish, and British governments. In the summer of 2004, however, the European Commission decided to intervene in this Council process arguing that it was a first pillar issue, and thus internal market considerations were required.

The Minister of Justice found this to be a frustrating situation, however. “The framework decision ran into difficulties with the European Commission. It is difficult to understand exactly what has happened to the framework decision but it appears that the commissioner is of the strong view that data retention should be dealt with in the first pillar of the European Union treaties, that is the same pillar as data protection and communications. While it is probably safe to assume that the framework decision in its present form is moribund, we do not know what proposal will take its place. The Commission has apparently promised a first pillar on data retention but, whatever the outcome, it seems that any EU initiative will not now take place in a time frame that would allow me to meet the May deadline set by the Data Protection Commissioner. Faced with that I must act now before 5 May. There is no EU cavalry coming down the hill to help me. I must sort out this conflict.”

The ‘EU cavalry’ is facing increased trouble, so having failed at the strategy of policy laundering the Minister of Justice relied on obscuring the policy to minimise debate.

Full article: Ireland begins communications data retention (15.02.2005)
http://tinyurl.com/5ug7h

(Contribution by Gus Hosein, Privacy International)