Unbelievable. That is the only word to describe the loophole that the new Retention of Data bill has created.
For those who missed it, the bill seeks to compel telephone and internet operators to retain details of emails, text messages and phone calls for up to two years. This is to help fight crime. But what are the most popular e-mail services for Irish users?
That’s right: Hotmail, Yahoo Mail and Gmail. Will any of these e-mail services be covered by the bill? Nope. Will messages or instant chat on Facebook, Bebo and Twitter be covered under the bill? No again.
And it gets worse. The bill is supposed to track telephone calls to identify who called who at what time. But will it cover calls made on Skype, Blueface or any of the dozens of VOIP services that Irish people use in their thousands? Nope. Will it cover Skype calls made on mobile phones (like the iPhone or 3’s Inq phone)? No again.
The state’s view of criminals’ communications habits is quite clear. They use a contract mobile phone to make and receive calls and texts. They use a Microsoft Exchange e-mail account hosted with a recognised Irish internet service provider.
And they have an Eircom phone line, on which they organise gang meetings with key lieutenants.
I would really like to know who drafted this bill. What age are they? Have they ever heard of social networking sites? Have they ever heard of Skype? Or do they simply think that organised criminals are complete idiots who openly converse with each other on server-hosted Microsoft Exchange e-mail accounts?
More from yesterday’s Sunday Business Post: 1, 2, 3.
In essence, the Bill requires telecommunications companies, internet service providers, and the like, to retain data about communications (though not the content of the communications); phone and mobile traffic data have to be retained for 2 years; internet communications have to be retained for one year. This is better than it could have been, in that the Directive would have allowed 2 years for all traffic data; but it is a lot worse than the minimum of 6 months allowed by the Directive. This will impose significant costs on those obliged to retain and secure the data, and those costs will be passed on to their already hard-pressed customers. And it is likely to drive international telecommunications and internet companies to European states which have introduced far less demanding regimes.
Traffic data retention (like any example of pre-emptive and widespread surveillance) is simply a bad idea; it is a massive invasion of privacy; it is founded on the illiberal and anti-democratic suspicion that someone somewhere might be doing something; and it is not good enough to reply that if you have nothing to hide, you have nothing to fear from surveillance. As the prolific and challenging AC Grayling argues in his new book Liberty in the Age of Terror: A Defence of Civil Society and Enlightenment Values (Bloomsbury, 2009; reviewed by The Economisthere), this perniciousassertion is “one of the most seductive betrayals of liberty” imaginable; it assumes that
the authorities will always be benign; will always reliably identify and interfere with genuinely bad people only; will never find themselves engaging in ‘mission creep’, with more and more uses to put their new powers and capabilities to; will not redefine crimes, nor redefine various behaviours or views now regarded as acceptable, to extend the range of things for which people can be placed under suspicion—and so considerably on.
The concerns might be met by strong protections coupled with meaningful oversight, but the Bill is worryingly bereft on this score. Although it imposes obligations to retain data, and to maintain it secure, and to prevent unauthorised access to data, it does not provide any redress to someone whose data is retained insecurely or accessed without authorisation; and the Data Protection Acts, 1988 (also here) and 2003 (also here) are inadequate to cope (for example, they would provide no criminal sanction for the News of the World’s recently-disclosed shenanigans). Worse than that, large-scale databases are peculiarly vulnerable to attack – an investigation by More4 News for Channel 4 reported last week (in a story that should give some pause to those planning a system to trace patients for Ireland) that more than 8,000 dangerous viruses have infected NHS computers in the last year, overloading networks, and massively compromising large amounts of personal data.
It is appropriate to restrict individual privacy provided that there is a good reason to do so, and the restrictions do not good too far. In the context of this Bill, the prevention of crime is a good reason, but the restrictions seem to go very far indeed, especially in the absence of proper protections and oversight. In S and Marper v UK 30562/04 [2008] ECHR 1581 (4 December 2008) one of the reasons given by the European Court of Human Rights for holding that the UK’s retention of innocent people’s DNA records on a criminal register infringed their right to privacy was the lack of sufficiently strong safeguards. I am a Director of Digital Rights Ireland; this is one aspect of our ongoing challenge to Ireland’s data retention regime; and this flawed Bill does nothing to alleviate these concerns.
Speaking on the Last Word with Matt Cooper earlier today FF TD Niall Collins trotted out that old canard – “if you’ve nothing to hide, you’ve nothing to fear” – in relation to the new data retention bill. Curiously, when asked if he’d be happy to provide us with his mobile phone bills for the last two years and details of his emails for the last year he claimed not to understand the question and refused to do so.
Just so there’s no confusion we’re repeating the request here – if he genuinely has nothing to hide then surely he’ll be happy to provide us with details of his (taxpayer funded!) mobile phone bills for the last two years and we’ll be happy to put them online. A request has been sent to him by email and by voicemail to his constituency office asking if he will make that information available to us and if not why not. Any reply will be posted to this blog. Though perhaps you shouldn’t hold your breath.
Update (14.07.09): The chutzpah of FF TDs knows no bounds. According to today’s Independent, at a recent FF meeting backbenchers opposed being required to use a swipe card to track attendance:
The TDs also resented the idea of a swipe card that would keep track of their comings and goings at Leinster House and prevent claims for expenses from absent members…
TDs and senators believe that a pilot scheme for civil servants where their attendance and hours in work would be monitored by a swipe card system will be used to check up on them. And while most privately acknowledge that a few may abuse their expenses and allowance privileges, they resent the idea of a “Big Brother system of electronic supervision”.
This piece appeared in the Sunday Business Post recently summarising why we think it’s time you had a right to be told if your personal information is lost or stolen. Here’s an excerpt:
In the last year alone, multiple cases have come to light: notably Bank of Ireland, which lost personal data on more than 30,000 life assurance customers; the Office of the Comptroller and Auditor General, which lost information on 380,000 social welfare recipients; and Airtricity which posted the financial details of 1,200 customers on its website for six weeks.
Why have Irish organisations been so slipshod with the information we have entrusted to them? One problem is that the bodies that hold the data suffer little direct damage if the data is lost – it is the individual, not the company, who suffers the harm. Consequently, there is little financial incentive for them to take adequate measures to protect our data.
This is compounded by a lack of transparency. Under Irish law, there is no express obligation for a company that has lost customer data to notify anyone – neither the customer nor the Data Protection Commissioner.
The result is that organisations try to cover up data breaches to save face. Consequently, if your details are leaked, it is entirely possible that the first you will know of it is when you discover that your fraudulent alter ego has enjoyed a spending spree on your credit card or run up huge debts in your name. By then, it’s too late.
Several Irish sources are reporting (Irish Times | Examiner) that the Data Retention Bill will be published today and will seek to establish a two year retention period for phone records, with one year for email and internet traffic. More details as they emerge.
You might have noticed that we think that Irish data retention laws are an invasion of our privacy. Unfortunately Irish law on interception of communications also fails to protect our privacy – and for that reason we’ve lodged a formal complaint with the European Commission, pointing out that Irish law doesn’t meet European standards and asking that they require the Irish government to introduce adequate protections. Read on for more details and to see what you can do to help.
What’s the difference between data retention and interception? While data retention focuses on traffic data – who called whom, when, where the mobile phone was, etc. – interception deals with attempts by the state or private parties to monitor the contents of communications – to listen in on telephone calls, read emails, and so on.
Interception is controlled to a limited extent by Irish law – under legislation from 1983 and a 1993 Act introduced after a scandal involving the Taoiseach and Minister for Justice illegally tapping journalists’ phones – but that law is now well out of date, and doesn’t meet the standards set out by European law in the 2002 e-Privacy Directive.
What’s wrong with the existing Irish law? There are two major limitations. First, it was introduced at a time when there were a limited number of players in the telecommunications market. As such, it applied initially to Telecom Éireann, and was extended to certain telecoms businesses operating under a licence or a general authorisation. It does not, however, apply to other businesses which don’t need an authorisation – which includes most online only businesses. Webmail, instant messaging or voice over IP, for example, would not be protected by the 1993 Act. Secondly, it applies only to messages which are “being transmitted” – something which appears to mean that e.g. the contents of a webmail inbox would not be protected.
As a result of these limitations, the protections of the 1983 and 1993 Acts – which make interception a criminal offence, require a warrant from the Minister for Justice before interception can be carried out by the police, and provide for judicial oversight – simply do not apply to a wide range of online communications. This lack of legislative control appears to be a relatively clear breach of the e-Privacy Directive, which requires states to “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so … [by] legislative measures [which are] necessary, appropriate and proportionate within a democratic society”.
In short, we think that Irish law doesn’t adequately protect the privacy of your online communications – and hopefully the European Commission will require the Government to introduce adequate protections. If you agree, you can support the complaint by contacting the Minister for Justice (Email: minister@justice.ie, Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2) and asking him to extend Irish interception law to adequately protect online communications and meet our European obligations. You can also email the Commission at InfsoB2@ec.europa.eu, referring to our complaint and indicating that you are also making a formal complaint that Irish law on the interception of communications is not in compliance with Art. 5 of the ePrivacy Directive.
(Update: 16.06.09 – The European Commission has now replied, indicating that it is now investigating this matter under reference 2009/4368, SG(2009) A/4871. You might include this reference if writing to support us.)
For those of you who can’t get enough legalese, the full text of our complaint is below:
Dear Mr. …
The purpose of this letter is to outline how Ireland has failed to implement Article 5 of Directive 2002/58/EC.
As you know, Article 5.1 provides that:
“Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.”
Between them, these pieces of domestic legislation do partially cover the requirements of Article 5. However, the scope of this legislation is limited and there are several situations which appear to fall within Article 5 but which would not be covered by Irish law. Three points in particular stand out:
* Section 98 applies only to messages being transmitted by persons who hold a general authorisation. Messages transmitted by other persons are not protected. Thus, it would appear that email sent via a webmail service such as Gmail would not be covered; nor would calls on VOIP services such as Skype.
* Section 98 applies only to messages “in the course of transmission”. Again using the example of a webmail service, it would appear that the stored contents of a person’s inbox would not be in transmission and thus would not be covered (perhaps depending on whether they had been read by the recipient).
* The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 regulates police interceptions of telecommunications messages, but again only where those messages are being transmitted by persons who hold a general authorisation. Consequently, the safeguards created by that Act (including judicial oversight) do not apply to other police interceptions.
I propose to outline briefly the Irish legal framework and to consider in more detail the places where Irish law falls short of the requirements of Article 5.
Persons to whom Irish interception law applies
Irish law on interception of telecommunications messages is contained in section 98 of the Postal and Telecommunications Services Act 1983 which prohibits interception and disclosure of telecommunications messages. That section, as originally enacted, applied only to the interception of messages being transmitted by the then state monopoly, Telecom Éireann.
However, this limitation of section 98 to messages being transmitted by persons operating under a general authorisation would appear to present a problem. There may be situations where telecommunications messages are being transmitted by means of a public communications network or through a publicly available telecommunications service, where that network or service is not being operated under a general authorisation. Webmail and VOIP services would appear to fall into this category. Accordingly, messages transmitted by such services do not appear to be protected against interception under Irish law.
In particular, there is no offence to address the situation where a private individual intercepts messages being transmitted by such a service, or where the proprietor of such a service improperly discloses such messages.
Restriction to messages in the course of transmission
Section 98(1) (as extended) provides:
“A person who-
(a) intercepts or attempts to intercept, or
(b) authorises, suffers or permits another person to intercept, or
(c) does anything that will enable him or another person to intercept,
telecommunications messages being transmitted by [a person deemed to be authorised under the Authorisation Regulations] or who discloses the existence, substance or purport of any such message which has been intercepted or uses for any purpose any information obtained from any such message shall be guilty of an offence.” (emphasis added and text changed to reflect extension of s.98 to other operators)
The reference to telecommunications messages being transmitted suggests that stored messages, such as voicemail messages, or a webmail inbox, would not be protected by section 98. (It might be said that such messages are “being transmitted” until the point at which they are initially accessed – however, once accessed it would seem more difficult to argue that they are still being transmitted.) This limitation appears to be incompatible with Art. 5 of Directive 2002/58/EC which applies to “communications” (as defined in Art. 2) generally. Indeed, Art. 5 would be significantly undermined if messages in storage were excluded.
Regulation of police interception of telecommunications messages
The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 sets out the Irish law on police interception of telecommunications. Under section 2, an authorisation to intercept the contents of communications can only be given by the Minister for Justice. Sections 4 and 5 set out conditions which must be satisfied before an authorisation can be granted. For example, section 4 provides (in respect of the investigation of crime) that:
“The conditions referred to in section 2 of this Act in relation to an interception for the purpose of criminal investigation are-
( a ) (i) that-
(I) investigations are being carried out by the Garda Síochána, or another public authority charged with the investigation of offences of the kind in question, concerning a serious offence or a suspected serious offence,
(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, either or, as the case may be, both of the following, that is to say:
(A) information such as to show whether the offence has been committed or as to the facts relating to it,
(B) evidence for the purpose of criminal proceedings in relation to the offence,
and
(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information or evidence) in providing information, or evidence, such as aforesaid,
or
(ii) that-
(I) in the case of a serious offence that is apprehended but has not been committed, investigations are being carried out, for the purpose of preventing the commission of the offence or of enabling it to be detected, if it is committed, by the Garda Síochána or another public authority charged with the prevention or investigation of offences of the kind in question,
(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, information as to the perpetrators, the time, the place, and the other circumstances, of the offence that would enable the offence to be prevented or detected, as the case may be, and
(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information) in preventing or detecting the offence, as the case may be,
and
(b) that the importance of obtaining the information or evidence concerned is, having regard to all the circumstances and notwithstanding the importance of preserving the privacy of postal packets and telecommunications messages, sufficient to justify the interception.”
This section provides important safeguards: interception is restricted to serious offences, investigation other than interception must be inadequate, interception is restricted to messages sent to or from a particular address, thus ruling out indiscriminate monitoring of traffic and “fishing expeditions”, and interception must, in the circumstances, be proportionate.
Section 8 of the Act then creates a judicial power of oversight over the interception system, while section 9 creates a complaints procedure for persons who allege that interceptions have been improperly carried out.
The 1993 Act is, however, limited to “interceptions” which would (if not authorised) amount to an offence under section 98. (See the definition of “interception” in section 1.) Consequently, the 1993 Act has no application to interceptions falling outside section 98. It follows that any interception by the police of, for example, emails transmitted by a webmail service will not be regulated by the provisions of section 98 and will escape regulation by Irish law – the section 98 safeguards, including proportionality, judicial oversight and the complaints procedure, will not be available.
This would appear to breach Article 15.1 of Directive 2002/58/EC. Article 15.1 specifies that any restriction by Member States of the rights and obligations provided for in Article 5 must be by way of “legislative measures” which are “necessary, appropriate and proportionate within a democratic society”. However, interception of emails in the circumstances I have outlined would appear not to be governed by any legislative measure, much less one which can be assessed as necessary, appropriate or proportionate. The unfettered discretion which this would appear to confer on the police would therefore appear to be incompatible with the Directive.
In summary, it appears that Irish law has not been properly updated to take account of the requirements of Article 5 of Directive 2002/58/EC, and I would respectfully ask that the Commission investigate whether Ireland has failed properly to implement this Directive.
Looks like we got it wrong. When we wrote about the deal between Eircom and the music industry we believed (as the early reports seemed to say) that it only involved a “three strikes” system and that the daft notion of internet filtering was off the table. But the nastygrams sent to the other ISPs have now been leaked (thanks Michele) so that we can now see just what was agreed with Eircom and what the music industry is demanding that other ISPs do – and filtering is still on the table:
Leave aside for a moment the nonsense of sending this letter to a business – Blacknight - which doesn’t in fact provide internet access. The key words are these:
Eircom has agreed that it will not oppose any application our client may make seeking the blocking of access from their network to the Pirate Bay or similar websites …
Please confirm that Blacknight will also work with the record industry to end the abuse of the internet by peer to peer infringers … in the event of a positive response to this letter it is proposed to make practical arrangements with Blacknight of a like nature to those made with eircom.
Irma is drawing up a list of websites it doesn’t like and Eircom will block them to all of its customers. And Irma is demanding that other ISPs do likewise, on pain of being sued.
Eircom says that it will only block a website if a court order requests it to. But it has undertaken not to oppose any application to a court… Our judicial system is an adversarial one: it depends on someone opposing the action for a judge to come to a conclusion. If the opposing party enters no opposition, a basic standard of proof will be enough to satisfy the court.
The net effect of this scheme, if it is allowed to go into effect, will be to impose an internet death penalty on two groups. On users, who will be cut off on the allegation of a private body, with no court involvement, and on websites, which could be blocked to Irish users based on a court hearing where only one side is heard. Damien Mulley makes the point well as usual:
So first they’ll start with the Pirate Bay. Then comes Mininova, IsoHunt, then comes YouTube (they have dodgy stuff, right?), how long before we have Boards.ie because someone quoted a newspaper article or a section of a book? And don’t think they’ll stop there too, any site that links to The Pirate Bay and the others on the hate list will probably be added to the list too…
I’m sure the business case for eircom was they didn’t want any more costly High Court actions with McDowell biting at their legs on the command of the music industry but this is going to open up a can of worms with IRMA demanding more and more attacks on how people surf the net, this is what it is in my view an attack on our freedom to read, our freedom to write, our freedom to move around the web. All so a very rich but rapidly becoming poor group of luddites can feel better for seeing the future and trying to fight it.
And of course the costs of communications with IRMA and of the filtering is going to be passed on to the consumer. The cost of blocking a single site will be almost nothing I suppose but as more sites get added and as the arms race between the pirates and the ISPs escalates, then it’ll become complicated and complicated costs more. So again the majority get to pay…
So what can you do about this? The first step is the most urgent. The other ISPs are at this very moment considering what steps to take. Although some (such as Bitbuzz) have been vocal in their opposition, caving in is the path of least resistance unless you show that this is an issue which matters to you and which determines where you’ll take your business. Contact your ISP – mark your email for the attention of their regulatory department – and let them know what you think. Contact emails for most ISPs are on the ISPAI website. Do it now – the decision on what to do will be made soon.
The next thing to do is to get involved with a group which will fight this. We’re currently working on a few ideas and will let you know soon. But in the meantime you should go to Blackout Ireland who have been quick off the mark with a plan to black out the Irish internet for a week from March 5th. The Digital Rights forum on Boards.ie has also been abuzz with this issue, as has this thread on their Broadband forum.
Having done that, let the Minister for Communications – Eamon Ryan – know the damage that this is likely to cause. Don’t just rely on the civil rights arguments – business impact is more likely to get attention. Point out that if ISPs are forced to become the (unpaid!) copyright cops of the music industry, it will drive up their costs and set a dangerous precedent for other Irish internet businesses. Would you choose to establish an internet start up in Ireland if you thought you’d be made responsible for policing what your users do? Ask him to intervene to prevent irreparable damage to the Irish internet. Eamon Ryan’s email addresses are eamon.ryan@oireachtas.ie and minister@dcenr.gov.ie but a paper letter (Department of Communications, Energy and Natural Resources, 29-31 Adelaide Road, Dublin 2) or fax ((01) 678 2029 or 2039) are more likely to get attention. You can also ring the Minister’s office on (01) 678 9807 – if you do, be polite and succinct. If you’re a constituent of his (in Dublin South) be sure to mention that fact and that this issue will influence how you vote in the next election.
The European Court of Justice has given its decision today in the Irish Government challenge to the Data Retention Directive - Ireland v. Parliament and Council (Press Release | Judgment). Unsurprisingly (in light of the Advocate General’s Opinion) it has held that the directive was properly adopted as an internal market measure (by qualified majority voting) rather than as a criminal matter (requiring unanimity). Where does this leave us and our case?
While it’s a pity to see the Directive upheld, the Government’s challenge was a very narrow one, dealing only with the essentially technical matter of the legal basis for the Directive. The Government didn’t raise and the ECJ wasn’t asked to decide on the fundamental rights issues. Indeed it expressly stated:
The Court notes at the outset that the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement by the directive of fundamental rights resulting from interference with the exercise of the right to privacy.
Consequently, the decision doesn’t affect the core of our challenge to the Directive, which will still go ahead on the basis that it infringes the rights to privacy and freedom of expression. At the moment we’re waiting on a decision from the High Court on our application to refer these issues to the ECJ – we’re confident that when these issues reach the ECJ that they will decide in our favour.
The internet is abuzz (Irish Times | EFF | ars technica | Boing Boing) with the news that Eircom and the record labels have reached an out of court settlement in which Eircom has agreed to implement a “three strikes” regime for disconnecting people accused of filesharing. In return, the music industry has dropped its demand that Eircom apply a filtering system to its network.
It’s undoubtedly a good thing that the idea of filtering has (at least for the time being) been dropped – and in case you’ve forgotten, here’s why it’s a bad idea. But this new three strikes system has the potential to be just as bad. Why?
It’s unreliable. The company which the Irish music industry used in previous cases to identify filesharers – MediaSentry – has a track record of false accusations and in fact was recently found to be operating illegally in several US states. As a result the music industry has now dumped MediaSentry and has turned to Danish firm Dtecnet – but the inherent unreliability of this process remains.
It’s secret. We normally expect rules to be made in public, to be accessible to citizens and to be applied publicly. In this case, though, the settlement is private to the parties and we don’t know how it will be implemented by Eircom. Do you expect the right to challenge evidence in court? Perhaps a right to appeal? Tough. On the face of it the music industry and Eircom will between them act as judge, jury and executioner.
It’s undemocratic. The European Parliament has already rejected a similar plan to disconnect individuals based on mere accusations. In other countries where three strikes has been discussed there has been public input via legislatures and public consultation. (And in the UK the democratic process led to three strikes being shelved.) Here, however, the music industry is trying to foist the system onto ISPs while sidelining the Oireachtas and the democratic process.
It’s disproportionate. Daithi makes this point well:
The present-day Internet includes communication (email), socialising (IM, social networking etc), media consumption (websites, blog, streaming, etc), media creation (ditto), access to Government services, online commerce, etc. Now imagine that the sanction for a, let’s face it, relatively minor crime (copyright infringement, while economically significant, is hardly manslaughter), includes no use of the postal services, highly limited access to shops, no permission to read a newspaper, reduced ability to use public services or get public information, and more. That’s no minor sanction. Indeed, most prisoners can get things like reading material and send and receive letters! Not to mention that a Net disconnection has an impact on family members and others.
It will affect innocent third parties. Internet connections are not generally unique to an individual. Instead they’re shared – amongst families, flatmates, etc. But this system will mean that others will suffer based on the alleged wrongdoing of another. As the Open Rights Group points out:
if Dad gets the connection cut off … suddenly Mum can’t run her business from home, and the kids can’t get access to the Web to do their homework.
Last week the Cabinet approved the heads of a Surveillance Bill which, if enacted, will allow Gardaí to break into private property to place covert video cameras and audio bugs, and to use evidence gathered in that way in criminal prosecutions. The Bill – which was already on the legislative programme but was rushed forward after the murder in Limerick of Shane Geoghegan – is intended to place existing Garda practices on a statutory basis in line with Ireland’s obligations under the European Convention on Human Rights.
At the moment, due to the lack of statutory controls, material gathered in this way (such as transcripts of conversations) can be used for intelligence purposes but would not be admissible in criminal trials. The Bill aims to remedy this by providing that Gardaí will have to obtain authorisation from a District Court judge before this type of surveillance can be carried out (except in cases of exceptional urgency) and that a designated judge of the High Court will keep the overall operation of the system under review. In addition, these methods can only be used in respect of crimes carrying a possible sentence of at least five years imprisonment and where the surveillance is, in all the circumstances, proportionate.
The Bill promises to regularise the law in this area and to that extent must be welcomed. It is unfortunate, however, that it took a high profile and tragic murder before this was given priority. As far back as 1996 the Law Reform Commission in a Consultation Paper identified a need for reform and in a 1998 Report it recommended that there should be a legal basis for Garda surveillance of this type. Successive Ministers for Justice have, however, largely ignored this recommendation. (The most remarkable example being in 2006 when the Privacy Bill introduced by then Minister for Justice Michael McDowell targeted surveillance by the media – but entirely excluded Garda surveillance from its scope.) In light of over a decade of government inactivity, the Bill is long overdue.
The timing of the Bill aside, its provisions generally represent a substantial step forward. It has clearly been influenced by the constitutional guarantee of the inviolability of the dwelling and the safeguards which it provides are more robust than those recommended by the Law Reform Commission. It introduces for the first time in Irish law the principle that judicial approval should be required before surveillance is carried out. Unlike other forms of surveillance such as data retention – which currently can be used in respect of even the most minor crimes – the Bill is limited to genuinely serious offences and also introduces a requirement that the surveillance must be proportionate having regard to the impact on the rights of innocent third parties.
There are of course some aspects of the Bill which could be improved. For example, the procedure to deal with cases of exceptional urgency is too lax. Under the Bill as it stands those cases would bypass the judicial process entirely, so that surveillance could take place for up to 14 days without any authorisation. There must be a question mark as to whether this provision would be constitutional if it was used to break into and bug a dwelling. Instead, it would be preferable to deal with cases of urgency by permitting Gardaí to commence surveillance without a judicial authorisation but then requiring that an application be made to the District Court for permission to continue the surveillance.
However, while the Bill is generally good as far as it goes, there is a strong argument to be made that it doesn’t go nearly far enough.
Despite its broad title, it addresses only one very narrow area – the covert surveillance of locations by devices which are physically planted in those locations. Many other forms of surveillance – such as the use of GPS devices to track the position of cars, the use of long range cameras and microphones to monitor locations from a distance and live monitoring of internet activity – will still be entirely unregulated. As a result there will continue to be doubt as to whether Gardaí have the power to use these types of surveillance and as to whether the resulting evidence can be used in criminal prosecutions.
Meanwhile, although there is some legislation regulating other forms of surveillance such as the interception of communications, data retention and Garda use of CCTV, that legislation has developed on an ad hoc and reactive basis with few consistent principles applying to its use or oversight. Much of it is also out of date, most notably the 1993 interception of communications legislation which due to technological changes no longer adequately protects email and other internet communications.
Considered as a whole, therefore, the wider Irish law is inadequate. Given that many of these issues were flagged by the Law Reform Commission in 1998, it is hard to see any justification for the failure to address them to date. Although this Bill does provide for some improvements, it is at best a piecemeal response which will not address similar problems with other forms of surveillance. It is clear that the time has come for comprehensive reform of the overall law relating to surveillance. This Bill is a good first step towards that reform. But it is only a first step, and it would be regrettable if the government were to continue to ignore this area until forced to act by another highly visible crime.