Ireland's Minister for Justice, Equality and Law Reform recently announced that a Data Protection Review Group would be reviewing Irish data protection legislation following a series of high-profile data breaches. Deirdre Kilroy, Head of Intellectual Property and Technology at LK Shields Solicitors, examines the reasons for the review and difficulties concerning transposition of the Data Retention Directive.

Like a number of jurisdictions, Ireland has had its fair share of high profile data security and data protection breaches of late [1]. The Irish Data Protection Commissioner's comments and decisions - and the concerns of members of the public - have been well aired in the media. Reports of events such as the loss of a number of laptops and a USB key by Bank of Ireland, the discovery of hospital records in a landfill in Cork and unauthorised record access by staff at the Department of Social and Family Affairs have caused public criticism. The public have also gained a heightened awareness of data protection laws and of their consequent rights. In early October 2008, the Minister for Justice, Equality and Law Reform announced that he was considering introducing a regime of mandatory reporting to the Data Protection Commissioner where the security of personal data is compromised by the loss or theft of electronic devices [2]. He indicated that this regime would extend to both private and public bodies and that he was also considering compelling disclosure to the public in 'major cases'. Later that month, the Minister established a review process to examine the data protection laws dealing with data breaches [3]. On 28 November 2008, the Minister revealed the membership of the Data Protection Review Group, which is charged with a 'review of Data Protection legislation following recent data breaches in Ireland and elsewhere'.

The Group is led by former Secretary General at the Department of Finance, Eddie Sullivan. It is heartening to see that membership of the group includes the Data Protection Commissioner, a former Head of Comreg (the body responsible for, amongst other things, the regulation of telecommunications in Ireland), a respected professor of law as well as representatives from various interested government departments. However, there are no private industry representatives participating in the group. The Minister's press release announcing the composition of the group advised that it had already held its first meeting and that it is making arrangements for a public consultation exercise. The terms of reference of the Data Protection Review Group have yet to be published, but no doubt these will become clearer once the public consultation process begins.

In addition to dealing with the work of the Data Protection Review Group, the Irish Data Protection Commissioner is also dealing with the possibility that his Office may be amalgamated with the Irish Human Rights Commission, the National Disability Authority, the Equality Authority and the Equality Tribunal. The amalgamation was mooted as a cost-saving measure by the Irish government prior to the budget in October, and the Office of the Data Protection Commissioner is participating in a consultation process with the government. Billy Hawkes, the current Data Protection Commissioner, has made representations expressing his concerns to the government regarding the possible negative consequences of the proposal [4].

Retention of Telecoms and Internet Data

2008 has been a busy year for those dealing with the subject of data retention in the electronic communications services sector. This is particularly the case for those in the telecoms industry who are required to deal with the EU's requirements to retain certain phone and Internet records for between six and 24 months, with Ireland's approach to implementation and with existing Irish legal requirements.

In spring this year, the Irish Department of Justice, Equality and Law Reform published the draft European Communities (Retention of Data) Regulations 2008 under the heading: 'Proposed Criminal Legislation'. On their face, these draft regulations purport to give effect, if enacted, to Directive 2006/24/EC [5] (the 'Data Retention Directive'). Ireland already has extensive data retention requirements under laws introduced prior to the date for transposition of the Data Retention Directive. Irish law currently requires certain extensive data to be retained for a three year period, which is in excess of the Data Retention Directive's permitted maximum. The requirements are prescribed by Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 [6].

When published, the draft regulations caused some concern to those to whom they would apply. The proposed retention periods in the draft statutory instrument are for the maximum duration laid down by the Data Retention Directive, and the definition of the data to be retained is very broad. It is well known that the Office of the Data Protection Commissioner raised objections in a letter to the Department pertaining to the draft regulations.

As a separate process, Ireland challenged the legal basis for the introduction of this Directive before the European Court of Justice. That challenge suffered a non-fatal blow in October 2008, when Advocate General Bot issued an opinion [7] finding against the Irish. He rejected Ireland's argument that the Data Retention Directive requirements to collect and retain telecommunications data ought to have been dealt with by way of an intergovernmental agreement. Ireland contends that the provisions of the Data Retention Directive are intended to facilitate the investigation, detection and prosecution of serious crime, including terrorism. For this reason it asserts that the manner in which the Data Retention Directive rules have been introduced by the EU Commission is procedurally flawed.

Advocate General Bot disagreed. It is interesting to note the emphasis placed on the financial burden of data retention borne by the providers of electronic communications services in his opinion. In his view, the Data Retention Directive restrictions introduce proportionality in terms of the categories of data required to be retained and the retention periods. These standards help manage the risk of disparities arising between Member States' requirements in the field of data retention and help reduce the risk of consequential differences in costs to competing service providers. Imposing a methodology through standard retention requirements, he contends, helps to harmonise the telecoms services market throughout the EU. He found against Ireland's request that the Data Retention Directive be annulled on procedural grounds.

The European Court of Justice has yet to give its view on the case. The Data Retention Directive was due to be transposed into Irish law by 17 September 2007, but the draft regulations have yet to be introduced.

In November 2008, there was a new development in the Irish story. In early November, the Irish Times reported that the Gardai (the Irish police force) had written to Vodafone requesting it to retain 'real-time web-browsing information - the content or the web address (URL) of every web page browsed by users of mobile handsets, palmtop devices or 3G modems'. Deputy Data Protection Commissioner Gary Davis was reported to have responded to the scope of the Gardai's request to Vodafone with a statement that: '[t]he directive does not pertain to the retention of content, and this would be very concerning' [8]. Other operators also expressed concern.

When faced with requests from Gardai for data or to retain content, entities such as Vodafone must grapple with compliance with a number of Irish laws. These include the provisions of the Data Retention Directive having direct effect, the Criminal Justice (Terrorist Offences) Act 2005, the Data Protection Acts 1988 to 2003, Irish constitutional rights, the European Convention on Human Rights Act 2003 and their contractual obligations to the data subjects. These issues arise for consideration despite the media report that the Gardai's request to Vodafone was based on an appeal to telecommunications operators to act as 'good citizens' and to aid criminal investigations if asked to do so.

Separate reports [9] highlight the ongoing tension between the mobile operators, the Office of the Data Protection Commissioner and the Irish government regarding the draft regulations. Operators complain of the cost of implementing the draft statutory instrument and of the fact that (unlike the majority of Member States) the Irish Government refuses to meet any cost. The Office of the Data Protection Commissioner is reported as stating that the Data Retention Directive only allows for the retention of data that operators and Internet service providers currently retain for business and billing purposes. The data covered by the draft statutory instrument extends to a wider category of data.

Separately, an Irish lobby group - Digital Rights Ireland - is taking an action in the Irish High Court requesting that it refer the issue of the validity of the Data Retention Directive to the European Court of Justice on the basis that it breaches fundamental principles of human rights. Judgment has been reserved by the High Court on a request to deny Digital Rights Ireland's locus standi to take the case and, in the alternative, a request for security of costs.

On the date of writing, in early December 2008, the website of the Department of Justice, Equality and Law Reform still reads that '[n]otwithstanding and without prejudice to … proceedings, this Directive will be transposed in 2008…It is anticipated that the Minister will be in a position to sign this Statutory Instrument by the end of the year.' One thing is certain: 2009 will see further Irish developments which could have broader implications for operators across the EU.

This article was originally published in Data Protection Law & Policy, December 2008.