ICCL Submission to Oireachtas Justice Committee on the Data Retention Bill 2017


On 16 November 2017 the Irish Council for Civil Liberties, together with Digital Rights Ireland, submitted a report to the Joint Oireachtas Committee for Justice and Equality on the Data Retention Bill. Here is the full text of our submission:

DRI ICCL DR submission 13.11.17

Here are the key recommendations:

Digital Rights Ireland (DRI) and the Irish Council for Civil Liberties (ICCL) thank the Committee for the opportunity to make submissions on the General Scheme of the Bill. We welcome the fact that some of the issues initially raised by Digital Rights Ireland in its constitutional challenge – commenced in 2005 – are being addressed by legislation.

That said, the General Scheme of the Bill fails to:

  1. Meet the requirements of European Union (EU) Law set by the European Court of Justice (CJEU) in its judgments in Digital Rights Ireland and Tele2;
  2. Adequately reflect European Convention on Human Rights (ECHR) norms; and
  3. Include key recommendations from the Murray Review of data retention.

We therefore recommend:

Explicit protection of journalist sources. Per the Murray Review, expressly prohibit communications data access except in accordance with specific circumstances; allow prior authorisation only from a judge of the High Court or an independent judicial or administrative body; and permit data access only when a journalist – and not someone else – is the object of investigation for suspected commission of a serious criminal offence or for unlawful activity which poses a serious threat to the security of the State.[2]

Strict Necessity. Per Tele2, a Ministerial order for data retention should only be made where strictly necessary, i.e. where ‘the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary’.[3]

Targeted Data retention. Per Tele2, a Ministerial Order for data retention must be targeted. There must be an established connection between the data to be retained and the objective pursued, including ‘objective evidence which makes it possible to identify a public whose data is likely to reveal a link, at least an indirect one, with serious criminal offences, and to contribute in one way or another to fighting serious crime or to preventing a serious risk to public security’.[4]

A Limited Retention Period. Uphold the requirements of Tele2 that a Ministerial Order for Data Retention must be limited to what is strictly necessary[5] and in any event no more than 3 months.

Limited Third Party Access. Uphold the requirements of Tele2 that the person whose information is demanded must be in some way implicated in the crime before access to their data can be granted.[6]

Precise Definitions of data being collected. Amend the definition of ‘traffic and location data’ to set out precise categories of data in order to preclude revealing content, as Schedule 2 of the Communications (Retention of Data) Act 2011 did previously.

In cases of urgency, mandate retrospective authorisation. Uphold the recommendations of the Murray Review that urgency exceptions to disclosure authorisation requirements must require retrospective authorisation in the form of objective evidence of a need for urgent and immediate disclosure.[7]

In cases of urgency, require a Judge or Oversight body. Uphold the requirements of Sanoma that even urgent situations require independent review by a judge or similar body before information capable of identifying sources is handed over or accessed.[8]

Notification. Uphold the requirements of Tele2 that those whose communications data is retained must be notified as soon as notification is not liable to jeopardise the investigations undertaken.

Compensation. Retain the current power under the 2011 Act[9] of the Complaints Referee to award compensation to individuals whose data has been accessed in contravention of the legislation.

Complaint notification reasons. The Complaints Referee should give their reasons to the person who has applied for an investigation into data retention in the event of their decision that there was no contravention of the Act.

Complaint Reporting. Require the Complaints Referee to collate statistics as to the number of complaints made, including details as to the number of complaints upheld and amount of compensation awards made in respect of each state agency.

Establish an independent supervisory body. In keeping with the trend of European Union member states, replace the designated judge with a unified independent supervisory agency. This agency should include parliamentary accountability, be chaired by a judge in a nearly full time position, and be supported by a secretariat with sufficient technical expertise and financial resources to provide detailed support including formalised public reports.

Judicial Remedy. Per the Murray Review, ‘bearing in mind the coercive nature character of a data retention system, and the concomitant risk to fundamental rights associated with it, that a statute should expressly provide for an appropriate judicial remedy and associated procedures for breaches of rights, including fundamental rights, occasioned by its operation’.[10]