The Communications (Retention of Data) Act 2011 (the Act) was signed into law by the President on 26 January 2011. The Act has not yet been published, but there appear to have been no amendments to the Bill after the Committee Stage in the Dáil.
The Act transposes the Data Retention Directive (the Directive) (2006/24/EC). The Directive requires telephone and internet service providers to retain details of internet and call data for not less than 6 months and not more than 2 years, in order to ensure that the data is available for the purpose of the investigation, detection and prosecution of serious crime.
The Act requires telephone service providers to retain telephone data for two years, and internet data to be retained by internet service providers for 12 months. Telephone data was previously retained for three years pursuant to Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 (which the Act repeals). Internet data was not previously required by law to be monitored or retained.
Data concerning the content of calls or emails does not need to be retained; however the identity of the senders and receivers of the communication must be retained as well as the date and time the communication was sent, and in the case of mobile phones, the location of the phones.
Service providers retaining such data are required to take certain security measures in relation to the retained data. For example, data (with the exception of data accessed and preserved as a result of a disclosure request) must be destroyed by the service providers at the end of the specified retention periods, however a grace period of one month after the retention period has expired is provided for, in order to facilitate any last minute requests.
The Act enables the Garda Síochána, members of the Defence Forces, and Revenue Officials to make a disclosure request to access retained data. Disclosure requests can only be made in limited circumstances, including the prevention, detection, investigation or prosecution of a serious offence, the safeguarding of the security of the State, and the saving of human life, as well as the prevention, detection and investigation of Revenue offences. Disclosure requests are required to be made in writing, but in cases of exceptional urgency, (such as a terrorist threat), requests may be made orally, provided that the oral request is confirmed in writing to the service provider within 2 working days of the request being made.
Service providers cannot access the data retained except where they have the consent of the person to whom the data relates; in order to comply with a disclosure request from the Garda Síochána, Defence Forces or Revenue Commissioners; to comply with a court order, or as authorised by the Data Protection Commissioner.
The Act contains some safeguards for the retained data. A High Court judge will be designated to review the operation of the Act; to ascertain whether the Garda Síochána, Defence Forces and the Revenue Commissioners are complying with its provisions and will be responsible for reporting to the Taoiseach (at least every 12 months) in relation to the general operation of the Act. The designated judge has the power to investigate any case in which a disclosure request is made, and may access and inspect any official documents relating to that request. It is hoped that these provisions will serve to protect service providers, so as to ensure that they are not subject to unreasonable disclosure requests which would place an undue burden on them.
The Act requires the Minister for Justice, Equality and Law Reform to submit a State Report to the European Commission every 12 months. The State Report must contain certain statistics, including the number of times when data was disclosed in response to a disclosure request, the number of times when a disclosure request could not be met, and the average period of time between the date on which the retained data were first processed and the disclosure request. The compilation of these statistics should clarify the actual use being made of the powers provided under the Act, and ensure the Act is not being abused.
The Act also provides for a complaints procedure which allows a person, who believes that data relating to him or her has been accessed following a disclosure request, to apply to the Complaints Referee for an investigation into the matter. However there is no requirement to notify a person to inform them that a disclosure request has been made, as it was believed that to do so would severely compromise the actions of the Garda Síochána, the Defence Forces and the Revenue Commissioners in dealing with serious crime.
To conclude, the primary purpose of this Act is to transpose the Directive and to aid the State's fight against crime. The Directive was required to be transposed into national law by 15 September 2007, so implementation of the Directive in Ireland is well overdue. The Act reduces the retention period for telephone data (from three to two years) and introduces an obligation to retain internet data (for 12 months). It is not concerned with content of transmitted data, rather it is about the who, where, and when of a communication, and should therefore not cause any further intrusion into a data subject's personal privacy.
A memorandum of understanding is being drawn up between the Garda Síochána, the Defence Forces, the Revenue Commissioners and service providers to ensure that both sides are clear on how the system in respect of disclosure of retained data will operate.
1 The latest draft of the Bill contains no commencement provisions, and if none were contained in the Bill as passed by both Houses of the Oireachtas, then the Bill came into operation on the day it was signed by the President, pursuant to Article 25(4) of the Constitution of Ireland.
2 'Serious offence' is defined in the Act as an offence punishable by imprisonment for a term of five years or more. In addition, the First Schedule to the Act lists five further indictable offences as serious offences for the purposes of this Act, including corruption in public bodies.