On 3 October 2017, the Irish government published the general scheme of the Communications (Retention of Data) Bill 2017 (the “Bill”). The Bill is a response to recent judgments of the Court of Justice of the European Union (the “CJEU”), specifically the 2014 Digital Rights Ireland case and the 2016 Tele2/Watson case.
The Bill concerns the retention of metadata by communications service providers. Metadata includes IP addresses, time stamps, call durations, and the size of communications.
The Bill does not cover the retention of the actual content of communications. Nevertheless, the content of communications is likely to be captured by data protection legislation.
In 2014, the Digital Rights Ireland case was referred from the Irish High Court to the CJEU for a preliminary ruling on the validity of the EU Data Retention Directive 2006/24/EC (the “Directive”). In Ireland, the Directive was transposed into law by the Communications (Retention of Data) Act 2011 (the “2011 Act”).
The Directive introduced laws compelling the storage of telecommunications data. It required the collection and retention of traffic and location data by companies such as mobile and broadband providers for a period of up to two years.
In Digital Rights Ireland, the CJEU acknowledged that the Directive had a legitimate objective in seeking to fight serious crime. However, it ultimately held the Directive breached EU law for allowing indiscriminate surveillance of EU citizens. The broad and far-reaching Directive breached fundamental European rights. The Directive did not limit the:
- categories of individuals
- method of communications, or
- types of traffic data that were collected on foot of the Directive.
Further, the Directive was silent as to the retention period for this type of data. While fundamental rights can be limited in circumstances where the limitation is necessary and proportionate to the objectives sought, the Directive did not comply with this principle.
The judgment left the 2011 Act, which had largely mirrored the Directive, with questionable legal standing. The CJEU had declared the Directive invalid, but no domestic repeal of the 2011 Act followed.
In 2015, the European Parliament’s Legal Services published an opinion setting out specific guidance for legislating in the wake of the Digital Rights Ireland decision. The European Commission subsequently confirmed that “the decision of whether or not to introduce national data retention laws is a national decision”.
In late 2016, the CJEU delivered a ruling in the Tele2/Watson case, again holding that Member States cannot implement laws that require communications service providers to carry out general and indiscriminate retention of relevant data. The CJEU also held that any retained data can only be accessed by law enforcement agencies in specific limited circumstances. This judgment has significant implications for the UK Investigatory Powers Act 2016.
The Irish Bill
The Bill will replace the 2011 Act. It will set down limitations on the retention of, and access to, data by law enforcement agencies. The Minister for Justice and Equality (the “Minister”) has acknowledged that the Bill takes account of the evolving case law of the CJEU and of the shortcomings identified in Digital Rights Ireland. The Bill is yet to be fully fleshed out and is currently set out under ‘Heads’ in draft form. It is likely to undergo amendments before it becomes law.
The highlights of the Bill are set out below:
- Head 5 of the Bill provides that the law enforcement agency must apply for an order from the Minister. This order is required to authorise service providers to retain traffic and location data for the purpose of the prevention, detection, investigation, or prosecution of serious crime or safeguarding the security of the State. The traffic and location data retained must relate to a specific category or else a specific person. Subsequent Heads provide that the ministerial order may be granted where the order would be “proportionate” and “there are no less intrusive means” which may achieve the same objective.
- Head 8 of the Bill requires judicial authorisation before the data retained by the communications service provider can be released to the law enforcement agency. This Head sets out objective criteria that the law enforcement agencies must use when they are seeking judicial authorisation for the disclosure of retained data.
- The Bill also provides that the retention period for relevant data shall be 12 months. Further, the service provider or law enforcement agency (depending on who is in possession of the data) must destroy the data within one month of the expiry of the 12-month period. Service providers should be wary of possible breaches of the law where they are holding metadata that is older than 13 months.
The Bill remedies many of the shortcomings of the 2011 Act, taking account of the Tele2/Watson and Digital Rights Ireland judgments. Any limitations on fundamental rights of privacy and personal data contained in the Bill are justified on the basis that they only go as far as is necessary and proportionate, unlike under the Directive and the 2011 Act.
Communications service providers should keep up to date with developments on the Bill. Once the Bill becomes law, it will be crucial for service providers who are subject to the updated rules to analyse their internal processes and implement compliant policies and procedures. With the GDPR allowing for significant fines for failure to comply with data retention and deletion obligations, these providers should ensure strict compliance with the new retention rules once published.