In one of its last acts in office, the Irish government has finalized legislation that will require ISPs to keep logs of their subscribers’ use of the Web for one year. The information will be available to the police and other government authorities upon request. Ireland’s adoption of the storage requirement is significant as Ireland is home to many Internet hosting businesses and company data centers and the Irish authorities have argued for a broad application of the law to Internet-based businesses with activities in Ireland.

IP addresses, destination of e-mails and recipients of VoIP calls to be kept for a year

The new law—the Communications (Retention of Data) Act 2011—was signed into law on Jan. 26, 2011. It requires both telephone companies and ISPs to keep records of communications traffic and location data on their networks—the “who”, “when” and “where” information about telephone calls, Internet access, and e-mail.

ISPs must retain a range of specific information about Internet communications traffic and subscribers’ identities, including the following:

  • Subscribers’ names and addresses;
  • The IP addresses assigned to users;
  • Their log-on and log-off times;
  • The email addresses to which they send e-mails; and
  • Identifying information about who they call using VoIP telephony services.

While Ireland has adopted a one-year retention period for Internet data, other European countries have opted for reasons of privacy to require a shorter retention period of 6 months.

Unlike many other EU countries, Ireland will not help pay for the costs incurred by companies in storing and providing access to data upon police request. All Irish communications providers are expected to have traffic data available—not just those ISPs that have been notified by the government as in the case in the UK.

The one-year retention period applies only to traffic-related information as the body of e-mail messages and the content of VoIP calls are specifically excluded from the retention requirements.

EU’s controversial Data Retention Directive

The new legislation completes the long-delayed transposition into Irish law of the EU’s Data Retention Directive (Directive 2006/24/EC), a controversial measure that has spawned several legal challenges and is currently the subject of a comprehensive policy review by the European Commission.

While fixed-line and mobile telephony providers and ISPs are clearly covered by the law, web-based email services, Internet VoIP applications and social media communications should be exempt, even if they locate their servers in Ireland, as they fall outside the definition of public communications services under European telecommunications law, which generally does not cover purely Internet-based services and applications. Nevertheless, law enforcement authorities in Europe have argued for a broader application of the data retention requirements.