Posts filed under 'Data Retention'

Data Retention – Advocate General recommends Irish Government challenge should be rejected

The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.

It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice.

Full text of the Advocate General’s opinion available here.

The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) is also bringing a legal challenge to data retention and has put out a press release on the Opinion.

October 14th, 2008

Data Retention – Advocate General will give opinion on Irish Challenge in two weeks

The agenda of the European Court of Justice has just listed Tuesday, October 14 for the Advocate General’s opinion on the State’s challenge to the Data Retention Directive. This won’t be a final decision – the Advocate General gives an opinion which is merely advisory and the court is not bound by it. In most cases, however, the court will follow the broad approach of the Advocate General.

What’s the significance of the State’s challenge? Here’s what we said about it before:

On the plus side, the challenge will certainly delay implementation of the Directive, and stands a very good chance of striking it down in its entirety. There is a very strong case that the passing of the Directive was flawed.

On the minus side, the challenge is purely procedural. The Government agrees with the principle of spying on every citizen – it merely alleges that the wrong legal mechanism was chosen. According to the Government, the measure should have been passed by unanimous agreement of all the member states – not by a majority voting procedure. We agree – the directive is clearly an attempt to deal with matters of criminal law that are reserved to the member states, and the fundamental rights of Irish citizens should not be set aside by the majority vote of other EU states. But we’re disappointed that the Government shows no interest in asserting the right to privacy of Irish citizens. The result is that the European Court of Justice, when it eventually deals with the case, will only be hearing about procedure – not privacy.

Obviously we hope that the Government’s challenge will succeed in invalidating the Directive. Whatever the outcome of their case, however, our own challenge to data retention – where we raise these privacy issues about Irish law as well as the Directive – will continue.

(Thanks to Joris van Hoboken for pointing out that the Opinion had been timetabled.)

October 3rd, 2008

Irish Times opinion piece on data retention

The Irish Times published an opinion piece today from us on data retention. A subscription is required to read it at that link, so here’s the full text:

Violations only made worse by new plans for data retention

The Government is planning an alarming expansion of its surveillance of citizens, writes TJ McIntyre.

SUPPOSE THAT someone was monitoring you every day, writing down your movements, making a note of everyone you talked to, copying the name and address on every letter you posted, and then storing that information for three years. Now suppose that every person in the country was under similar surveillance.

While this might seem like science fiction, since a secret ministerial order of 2002 the Government has required telephone companies to do just that. They are required to track the whereabouts of all users via their mobile phones, to log details (but not the content) of every telephone call made and every text message sent and to store that information for three years.

The Department of Justice now proposes to extend this to the internet, by requiring internet service providers to monitor the internet use of every person in Ireland, recording names, details of every e-mail or instant message sent and every time a user logs on, and to store that information for 12 months.

Moreover, they plan to do this in a way which will limit democratic scrutiny, by using a statutory instrument and not a Bill which would be examined by the Dáil and Seanad.

(Ironically, these proposals were revealed on the same day that thousands of Bank of Ireland customers learned that their confidential data had been stolen.)

This system has been given the bureaucratic and innocuous-sounding name “data retention”. A more apt term, however, is “dataveillance” – surveillance through the use of databases. Unlike traditional targeted surveillance, it involves the gathering of information on all citizens – judge, journalist and jailbird alike – creating a digital dossier of their movements and communications, without any requirement for judicial authorisation or even police suspicion.

What protections are in place to limit the use of this information? The former minister for justice, Michael McDowell, promised that access to these databases would be an extraordinary measure, used to deal with serious crime and terrorism.

However, such safeguards were never implemented. Under current law gardaí can access these databases without a warrant, in respect of any crime (or even possible future crime), however trivial, and in respect of any person (not merely suspects). The result, according to the Data Protection Commissioner, is that more than 10,000 requests are made for this information every year – more than 300 per day.

European law should have changed this, by restricting access to cases of serious crime only. Generally under Irish law a serious offence is one which carries a possible prison sentence of five years or more. However, the current Department of Justice proposals cynically negate this safeguard by redefining serious offences for the purpose of data retention to mean offences which have a possible sentence of six months’ imprisonment.

This will include such crimes as failure to move on when asked to do so by a garda.

There is also a likelihood that others will abuse or simply lose these records. In Germany it was revealed recently that Deutsche Telekom had been using telephone databases to spy on journalists who wrote unfavourably about the company. In the United Kingdom government departments have allowed confidential data on many millions of individuals to be compromised.

Here in Ireland officials in the Department of Social Welfare have been found by the Data Protection Commissioner to be engaged in the systematic leaking and selling of personal information from government databases. There is no reason to think that this information will be treated any differently.

Information gained from telephone and internet records can be valuable in the investigation and prosecution of crime – but there are other ways of ensuring that police can have access to this data without jeopardising the right to privacy.

In 2001 Ireland signed the Council of Europe Convention on Cybercrime, which achieved international agreement on a more proportionate “data preservation” system, which would enable police to mount surveillance and preserve evidence but would avoid blanket surveillance of all citizens at all times.

This system would still have provided for the use of this information in, for example, investigating the Omagh bombing.

But without any explanation, the Government has failed to implement the convention, jumping straight to the more intrusive option of data retention without first testing data preservation.

Privacy is a fundamental right, guaranteed under Irish, European and international law. Being able to go about our everyday business without systematic state scrutiny is an essential part of a democratic society. Data retention is something entirely new – it provides for pre-emptive surveillance of the entire population on the basis that some of them might at some stage commit some crime and that this information might then be of assistance.

In effect, it treats everyone as potentially guilty and as such reverses the presumption of innocence. Such ongoing monitoring of the entire population is remarkable in a democracy and is so excessive and disproportionate as to violate the right to privacy. No evidence has been put forward to show that it is necessary or that less intrusive alternatives would not suffice.

Digital Rights Ireland has brought a High Court challenge to Irish and European data retention laws, which will ultimately determine whether surveillance of all citizens can be compatible with the Constitution and the European Convention on Human Rights.

In the meantime, the Department of Justice proposals to extend data retention to the internet should at the very least be the subject of primary legislation, allowing for a full public discussion of these issues and democratic scrutiny by the Oireachtas.

TJ McIntyre is a solicitor, lecturer in law in UCD and chairman of Digital Rights Ireland

3 comments June 4th, 2008

Implementing data retention – where’s the consultation?

Letter from Justice re data retention consultation

This is a letter which the Department of Justice wrote in July 2006 indicating that they would consult us before drafting any measures implementing the Data Retention Directive. 18 months later we still haven’t heard anything concrete from them, despite reports that they plan to put laws in place within the next month. Equally in the dark are the ISPs and others in the internet industry who will face the technical challenges and cost of implementation:

Given the short timeframe for putting this legislation into action, the industry – ie ISPs – should know the score. They are charged with the responsibility of storing this vast bank of data on the Irish citizen, but frustratingly they are still not quite sure of their role in the process.

“We, as ISPs, do not have any difficulty with the objective of fighting serious crime but what we need are clear instructions on the expectations of governments across Europe as to what exactly it is we have to retain and when,” says Durrant.

Shane Deasy, managing director for wireless internet provider BitBuzz, while willing and able to comply with the new legislation, echoes Durrant’s sentiment: “There is a grey area – details we have yet to get answers to.

“The industry has met with the Department of Justice and has had several discussions on this forthcoming legislation but to my knowledge the industry has not yet been given information on exactly what data they are required to store and for how long.

“It may require a lot more storage on the part of the ISPs but at the moment we simply don’t know exactly what we are going to be asked to retain.”

Such is the confusion that Google has recently voiced its concerns on its Public Policy blog, stating that the approach taken by Justice may have the effect of damaging the Irish internet industry:

Ireland looks set to be amongst the first countries to transpose the directive. Concerns have been expressed that sufficient time may not be available for a full debate to discuss the very complex issues involved. There is also a real risk that a rushed transposition process could produce legislation which negatively impacts on consumer privacy and is harmful to the internet and telecomms sector. Our view is that it is vital that the reasonable concerns of privacy advocates and industry are taken into account. Google is going to take advantage of the current window of opportunity to get our views across, and we hope that other interested parties will do likewise.

So what will it take before the Department of Justice is prepared to engage in real consultation?

3 comments February 28th, 2008

Today is European Data Protection Day – What can you do to safeguard your privacy?

Today, Monday 28th, is European Data Protection Day. Last year we marked this with a post giving some practical ways in which you could protect your privacy.

This year, the single most important thing you could do is to help stop data retention in Ireland. What exactly is data retention? TJ wrote this explanation of the issues for the Irish Examiner:

How would you feel if someone followed you every day, writing down your movements, making a note of everyone you talked to, jotting down the address of every letter you post, and then storing that information for three years? What would you think if that system of surveillance was extended to every single person in the country? While this might sound like the stuff of science fiction, since 2002 the Government has required telephone companies to track the movements of all their users, to log details of every telephone call made and every text message sent and to store that information for three years. The Department of Justice now proposes to extend this further, to require ISPs to monitor everyone’s internet use, including details of every email or instant message we send, and every time we log on or off, and to store that information for up to two years. What’s more, it intends to do this by the stroke of a ministerial pen, with no debate before the Dáil or the Seanad.

The rather dull name for this surveillance is “data retention”. But it might be more informative to talk of “digital footprints”. As technology comes to be more and more part of our everyday lives, we leave a trail of digital footprints recording almost everything we do. Activities which once would have been private (posting a letter) may now leave a record (sending an email). Data retention laws – by storing these digital footprints – mean that the rights to privacy and freedom of expression we take for granted in the offline world might be lost in the digital age.

Since the Department of Justice admitted these plans there has been a surge of interest. The primary question has been what can individuals do to stop this.

The most potent assistance anyone can give is to write a letter to the Ministers responsible, as well as to their local TDs.

If they’re in government, ask them why Ireland is introducing data retention so urgently. And don’t accept “Because European law requires it” as an answer. There is an EU Directive requiring data retention. But it is being challenged by multiple court cases. One is being taken by the Irish State itself at the European Court of Justice. One is being taken by DRI in the High Court. And one is being taken by 30,000 signatories objecting to the German Government’s implementation of the Directive. There is no reason why our Government should implement the Directive before these court cases have been heard – especially given that the Government itself agrees that the Directive is invalid.

Ask them why the Oireachtas is being sidelined. A law such as this should be subject to democratic scrutiny.

Member states of the EU had the right to seek an 18 month derogation from having to transpose this law. Ask the Ministers and your public representatives why Ireland did not avail of this breathing period.

In addition, you might ask the Minister for Communications to put a figure on how much the additional costs of collecting, storing and accessing this data will add to the price of broadband for the average consumer.

Brian Lenihan TD is the Minister for Justice. It is the Department of Justice who have responsibility for the introduction of data retention in Ireland. His email is: info@justice.ie.

Eamon Ryan TD is the Minister for Communications. The Minister for Communications is responsible for the regulation of Internet Service Providers who will need to implement Government policy in this area. His email is: minister.ryan@dcmnr.gov.ie.

Your local TD (if they use email) will usually have the address: firstname.surname@oireachtas.ie. You can find full contact details for your local TD here.

2 comments January 28th, 2008

DRI condemns backdoor implementation of surveillance laws

Government proposals to introduce surveillance of all internet users are unacceptable. The proposed law will require Internet Service Providers (ISPs) to log details of every email, every instant message or chat message, and every time users log on or log off, and to store that information for up to 18 months. This information will then be available without any court order or warrant. These proposals, implementing European law, are being drafted without public consultation and would be implemented by a statutory instrument. There will be no scrutiny by the Oireachtas.

It is incredible that the Government proposes to introduce a law which would require every Internet user to be monitored without any warrant or prior judicial approval, without any public consultation and without any debate or vote in the Oireachtas. A law of this gravity should not be made by stealth.

The Department of Justice appears to be relying on the “urgency” of the matter to justify bypassing the Dáil and Seanad. But the European law being implemented was passed in February 2006. The Department has had two years to introduce a Bill and it cannot rely on its own delay to justify sidelining democratic scrutiny.

In any case, it is inappropriate to implement this law whilst it is under court challenge. The Irish government itself has challenged the validity of the law before the European Court of Justice. Digital Rights Ireland has also brought a High Court action challenging the European law. These proposals will effectively pre-empt the judgment of the courts.

27 comments January 19th, 2008

UK security breach shows why data retention must be stopped

From the Irish Times:

Britain’s prime minister Gordon Brown and chancellor Alistair Darling were left reeling last night after the astonishing disclosure that the personal data of 25 million people and 7.25 million families across the UK has been lost.

The Metropolitan Police are now leading the search for two disks containing details of the UK’s entire child benefits database. The data was downloaded in breach of all standing procedures by junior officials at HM Revenue and Customs (HMRC) and then sent to the National Audit Office via an internal postal system that was not recorded or registered….

The data contains names and addresses of parents and children, national insurance and child benefit numbers and, in some cases, bank or building society details.

How long will it be before the giant databases created by data retention laws are compromised? Governments worldwide, and the Irish Government in particular, have shown that they cannot be trusted with the information they already have. Now is not the time to create even more databases.

This case also highlights the importance of our call for a right to be warned when your personal data is exposed. Under Irish law as it stands there is no obligation on the State – or anybody else – to warn you when they have allowed your personal information to be compromised. The first you may know about it is when you feel the effects of identity theft. But by then it will be too late.

November 21st, 2007

Say no to a mobile phone register

DRI opposes Government proposals to introduce mandatory registration of mobile phones. These proposals will infringe on the privacy of every mobile phone user, as well as being expensive, impracticable and ineffective. But you don’t have to take our word for it. Here’s what the Department of Communications, Marine and Natural Resources had to say in January:

The idea for a Register of mobile phones was extensively reviewed by officials in the Department. There were many complex legal, technical, data protection and practical issues to be considered. In theory, a Register of mobile phones might seem like a good idea. However, having looked at the situation in other administrations, considered the ease with which an unregistered foreign or stolen SIM card can be used and the difficulties that would be posed in verifying identity in the absence of a national identification card system, and having consulted with the Office of the Attorney General and other interested parties, it was concluded that the proposal would be of limited benefit, in that it would not solve the illegal and inappropriate use of pre-paid mobile phones and was not practical.

As the earlier Communications comments suggest, the current proposals don’t appear to have given any thought to some fundamental issues:

    What’s to stop purchasers giving false details?
    What’s to stop drug dealers from using phones belonging to others?
    What about phones bought before the register comes into effect?
    Stolen phones?
    Foreign SIM cards?

Not to mention the most important question: how can a failed drug policy justify treating the entire population as suspects?

Let the government know what you think of these proposals. You can contact Pat Carey (the responsible junior minister) here and the Minister for Communications Eamon Ryan here.

17 comments July 23rd, 2007

RTÉ’s This Week on Mobile Phone Tracking

The Rachel O’Reilly murder trial has focused attention on the use of mobile phone tracking. RTÉ’s This Week programme has a segment on the risks of tracking and data retention with contributions from the Data Protection Commissioner and DRI.

1 comment July 16th, 2007

A helpful ECHR decision for our data retention case – Copland v. UK

The European Court of Human Rights gave a decision earlier this month in Copland v. UK which will be very helpful to us in arguing our data retention case. Ms. Copland worked in a Welsh college as a personal assistant, and discovered that the college was secretly monitoring her telephone, email and internet use. She claimed that this amounted to a breach of her right to privacy under Article 8 of the European Convention on Human Rights. The UK government admitted that monitoring took place, but claimed (using the same arguments trotted out in the data retention context) that this did not amount to an interference where there was no actual listening in on telephone calls or reading of emails:

Although there had been some monitoring of the applicant’s telephone calls, e-mails and internet usage … this did not extend to the interception of telephone calls or the analysis of the content of websites visited by her. The monitoring thus amounted to nothing more than the analysis of automatically generated information … which, of itself, did not constitute a failure to respect private life or correspondence.

The Court disagreed, holding that this monitoring and storage of details of telephone and internet use was itself an interference under Article 8:

43. The Court recalls that the use of information relating to the date and length of telephone conversations and in particular the numbers dialled can give rise to an issue under Article 8 as such information constitutes an “integral element of the communications made by telephone” (see Malone v. the United Kingdom, judgment of 2 August 1984, Series A no. 82, § 84). The mere fact that these data may have been legitimately obtained by the College, in the form of telephone bills, is no bar to finding an interference with rights guaranteed under Article 8 (ibid). Moreover, storing of personal data relating to the private life of an individual also falls within the application of Article 8 § 1 (see Amann, cited above, § 65). Thus, it is irrelevant that the data held by the college were not disclosed or used against the applicant in disciplinary or other proceedings.

44. Accordingly, the Court considers that the collection and storage of personal information relating to the applicant’s telephone, as well as to her e-mail and internet usage, without her knowledge, amounted to an interference with her right to respect for her private life and correspondence within the meaning of Article 8. (emphasis added)

Although these principles aren’t new, it’s still useful to have them so clearly restated in a way which is directly applicable to data retention under both Irish and European law.

(Many thanks to Daithí for bringing this to our attention.)

April 16th, 2007
