The government has published the long-awaited Communications (Retention of Data) Bill 2009. The Bill will transpose EU Data Retention Directive 2006/24/EC. In essence it requires telephone and internet service providers to keep certain types of data on the activities of their subscribers and users, and to disclose it to relevant authorities on request.
The Bill requires telephone service providers to retain telephone data for two years, and internet service providers to retain internet data for one year. Telephone data is currently retained for three years pursuant to the Criminal Justice (Terrorist Offences) Act 2005 (which the Bill repeals). Under the Directive, telephone and internet data is required to be retained for not less than six months and not more than two years. Other EU states have introduced less demanding retention periods than Ireland; for example, the equivalent UK Regulations (S.I. 2009/859) require retention of telephone and internet data for one year.
Telephone and internet data relating to unsuccessful call attempts (but not unconnected calls) must also be retained, for two years and one year respectively. Data concerning the content of calls or emails is not required to be retained; however, the identity of the senders and receivers of the communication must be retained, as well as the date and time the communication was sent and, in the case of mobile phones, the location of the phones.
The Bill also requires service providers retaining such data to take certain security measures in relation to the retained data. It makes no provision as to who will bear the costs of retaining the data, with the likelihood that they will be borne by the service providers, and ultimately by businesses and individual subscribers. In contrast, the UK Regulations provide that the government 'may reimburse any expenses incurred' in complying with the Regulations.
It is proposed that a service provider shall not access the data retained except: (a) at the request and with the consent of the data subject; (b) for the purpose of complying with a disclosure request; (c) in accordance with a court order; or (d) as may be authorised by the Data Protection Commissioner.
The Bill requires service providers to disclose the data retained, upon request, to:
- A senior Garda, where the data are required for: (a) the prevention, detection, investigation or prosecution of a 'serious offence' (an offence punishable by imprisonment for 5 years or more, or an offence listed in a schedule attached to the Bill, which includes offences relating to criminal assets, offences against the person, corruption and child abuse); (b) the safeguarding of the security of the State; or (c) the saving of human life.
- A senior army officer where the data are required for the purpose of safeguarding the security of the State.
- A senior officer of the Revenue Commissioners, where the data are required for the prevention, detection, investigation or prosecution of a revenue offence.
The disclosure request should be made in writing, but in cases of exceptional urgency may be made orally, provided that the oral request is confirmed in writing to the service provider within 2 working days of the request being made.
The Bill contains some safeguards for the retained data, including the submission of an annual report by the Garda Commissioner, the Chief of Staff of the Permanent Defence Forces, and the Revenue Commissioners, to the relevant Minister, of data that were the subject of disclosure requests, and oversight of the operation of the Act by a High Court judge.
The Bill also provides for a complaints procedure which allows a person who believes that data relating to him or her has been accessed following a disclosure request to apply to the Complaints Referee for an investigation into the matter. If the data has been requested and disclosed in contravention of the Act, then the Referee must notify the data subject in writing and make a report of the Referee's findings to the Taoiseach. The Referee may also order the relevant data to be destroyed and compensation to be paid to the data subject. However, as the Bill does not require people to be told their data has been requested and disclosed, it is questionable how practical or effective this complaints procedure will be.
A further example of the weaknesses of the Bill in safeguarding retained data is the provision which states that the fact that a disclosure request has been granted in contravention of the Act will not of itself render that disclosure request invalid nor constitute a cause of action at the suit of a person affected by the disclosure request.