Speaking on the Last Word with Matt Cooper earlier today FF TD Niall Collins trotted out that old canard – “if you’ve nothing to hide, you’ve nothing to fear” – in relation to the new data retention bill. Curiously, when asked if he’d be happy to provide us with his mobile phone bills for the last two years and details of his emails for the last year he claimed not to understand the question and refused to do so.
Just so there’s no confusion we’re repeating the request here – if he genuinely has nothing to hide then surely he’ll be happy to provide us with details of his (taxpayer funded!) mobile phone bills for the last two years and we’ll be happy to put them online. A request has been sent to him by email and by voicemail to his constituency office asking if he will make that information available to us and if not why not. Any reply will be posted to this blog. Though perhaps you shouldn’t hold your breath.
Update (14.07.09): The chutzpah of FF TDs knows no bounds. According to today’s Independent, at a recent FF meeting backbenchers opposed being required to use a swipe card to track attendance:
The TDs also resented the idea of a swipe card that would keep track of their comings and goings at Leinster House and prevent claims for expenses from absent members…
TDs and senators believe that a pilot scheme for civil servants where their attendance and hours in work would be monitored by a swipe card system will be used to check up on them. And while most privately acknowledge that a few may abuse their expenses and allowance privileges, they resent the idea of a “Big Brother system of electronic supervision”.
Good news from our friends in the German Working Group against Data Retention:
As the first German court, the Administrative Court of Wiesbaden has found the blanket recording of the entire population’s telephone, mobile phone, e-mail and Internet usage (known as data retention) disproportionate.
The decision published today by the Working Group on Data Retention (decision of 27.02.2009, file 6 K 1045/08.WI) reads: “The court is of the opinion that data retention violates the fundamental right to privacy. It is not necessary in a democratic society. The individual does not provoke the interference but can be intimidated by the risks of abuse and the feeling of being under surveillance [...] The directive [on data retention] does not respect the principle of proportionality guaranteed in Article 8 ECHR, which is why it is invalid.”
The Working Group on Data Retention which has initiated a class action of over 34,000 citizens against the total logging of the entire population’s communications and movements welcomes the court decision very much. It calls on social democrats and christian democrats to reject the latest government project to allow Internet service providers to record everybody’s Internet surfing habits.
“We call on all citizens to contact their MPs now in order to protest against the proposed retention of web surfing habits,” says Werner Hülsmann, member of the board of the forum of computer scientists for peace and social responsibility and actively working in the Working Group on Data Retention. To stop the project, which the Bundestag will debate on Thursday in the first reading, the Working Group on Data Retention has set up a campaign page on the Internet. In early March, the Federal Council of Germany (Bundesrat) also warned that the proposed “storage of all Internet usage data without a specific cause or with blanket coverage [...] violates” the Constitution.
“The recent criticism by Federal Minister of the Interior Wolfgang Schäuble (CDU) of the Constitutional Court’s preliminary decision on data retention proves that his surveillance mania is limitless”, criticizes Patrick Breyer of the Working Group on Data Retention. “It is not ‘a matter for the legislature’ to keep eroding our constitutional guarantees protecting us from errors and abuses by the authorities. We urgently need to establish a Fundamental Rights Agency to have all existing powers and programs of the security authorities systematically and scientifically reviewed as to their effectiveness, cost, adverse effects, alternatives and compatibility with our fundamental rights.”
Granted, this isn’t the end of the matter in Germany. It’s a decision of one court but may be appealed, while the highest court in Germany (the Constitutional Court) has yet to make a final ruling. It is, however, a very encouraging sign – particularly as the Constitutional Court has already indicated a provisional view that data retention may be invalid. It’s also very helpful for our own case with its finding that data retention is disproportionate and unnecessary.
You might have noticed Karlin Lillington’s story in the Irish Times today about the Department of Justice’s new proposals on data retention. To make a long story short, it turns out that the Attorney General was not impressed with its remarkable plans to change the law to extend surveillance on every citizen in Ireland via a ministerial order – sidestepping the need for the Oireachtas to review these changes. Having been rebuffed on this issue, the Department of Justice has now decided to proceed (as it should have done to begin with) via primary legislation.
An improvement for transparency? It would be, if Justice lived up to their past promises to hold an open consultation process. But they haven’t. Their website still claims that the Directive will be transposed via a statutory instrument – notwithstanding the fact that they have prepared a draft Bill which they have been circulating to industry groups. Nor are they willing to show the draft Bill to the public – consultation for Justice appears to mean a secret process controlled by them and excluding citizens.
We’ve contacted Justice for their comments. In the meantime, we think that the public should have the same right to see the draft Bill as industry insiders, so here’s a copy of what we understand is the latest draft: COMMUNICATIONS (RETENTION OF DATA) BILL 2009
The European Court of Justice has given its decision today in the Irish Government challenge to the Data Retention Directive - Ireland v. Parliament and Council (Press Release | Judgment). Unsurprisingly (in light of the Advocate General’s Opinion) it has held that the directive was properly adopted as an internal market measure (by qualified majority voting) rather than as a criminal matter (requiring unanimity). Where does this leave us and our case?
While it’s a pity to see the Directive upheld, the Government’s challenge was a very narrow one, dealing only with the essentially technical matter of the legal basis for the Directive. The Government didn’t raise and the ECJ wasn’t asked to decide on the fundamental rights issues. Indeed it expressly stated:
The Court notes at the outset that the action brought by Ireland relates solely to the choice of legal basis and not to any possible infringement by the directive of fundamental rights resulting from interference with the exercise of the right to privacy.
Consequently, the decision doesn’t affect the core of our challenge to the Directive, which will still go ahead on the basis that it infringes the rights to privacy and freedom of expression. At the moment we’re waiting on a decision from the High Court on our application to refer these issues to the ECJ – we’re confident that when these issues reach the ECJ that they will decide in our favour.
Karlin Lillington has an interesting story in today’s Irish Times on recent UK developments in surveillance and what they might mean for Ireland. Here’s an excerpt:
NET RESULTS: When it comes to abuse of privacy, where Britain goes, Ireland tends to follow. That’s why we should be worried – very worried – about developments across the Irish Sea that emerged as the year rolled over into 2009, writes Karlin Lillington.
First came a New Year’s Eve story in the Guardian that home secretary Jacqui Smith will propose the creation of a single giant communications database and the option of outsourcing the storage of all the personal details held under the UK’s data retention regime to a private firm.
That means potentially that a single repository – a massive, national communications database – would hold all the details about, though not the content of, everyone’s e-mails, phone calls, faxes, text messages and internet use.
The same array of data is retained in Ireland as well, though at the moment, as is the case in Britain, data is retained by the communications providers, not in a central database.
Gathering such a spread of private information into a single database would create a “hellhouse” of personal private data that would not only be vulnerable to security breaches on a massive scale but would prove too great a temptation for law enforcement, according to Britain’s former director of public prosecutions, Sir Ken McDonald.
McDonald was scathing in his criticism of the idea. “Authorisations for access might be written into statute,” he told the Guardian. “But none of this means anything. All history tells us that assurances like these are worthless in the long run. In the first security crisis, the locks would loosen.”
While “security” would be cited as the main impetus for such a database, “the notion of total security is a paranoid fantasy that would destroy everything that makes living worthwhile” and bring an “ugly future”, he said.
One of the areas she points out – remote searches or the ability of the police to remotely hack into your computer to find evidence or monitor your activity – will certainly be one of the big issues of 2009. While Irish law doesn’t currently deal with this issue, there are moves at EU level to encourage (and possibly eventually require) all member states to allow remote searches. This becomes more worrying when combined with a growing law enforcement desire to be able to conduct “remote cross border searches” – that is, for the police in country A to be able to hack into a computer in country B. This strategy – also known as “chasing bits across borders” presents its own problems for privacy and especially accountability.
Last week the Cabinet approved the heads of a Surveillance Bill which, if enacted, will allow Gardaí to break into private property to place covert video cameras and audio bugs, and to use evidence gathered in that way in criminal prosecutions. The Bill – which was already on the legislative programme but was rushed forward after the murder in Limerick of Shane Geoghegan – is intended to place existing Garda practices on a statutory basis in line with Ireland’s obligations under the European Convention on Human Rights.
At the moment, due to the lack of statutory controls, material gathered in this way (such as transcripts of conversations) can be used for intelligence purposes but would not be admissible in criminal trials. The Bill aims to remedy this by providing that Gardaí will have to obtain authorisation from a District Court judge before this type of surveillance can be carried out (except in cases of exceptional urgency) and that a designated judge of the High Court will keep the overall operation of the system under review. In addition, these methods can only be used in respect of crimes carrying a possible sentence of at least five years imprisonment and where the surveillance is, in all the circumstances, proportionate.
The Bill promises to regularise the law in this area and to that extent must be welcomed. It is unfortunate, however, that it took a high profile and tragic murder before this was given priority. As far back as 1996 the Law Reform Commission in a Consultation Paper identified a need for reform and in a 1998 Report it recommended that there should be a legal basis for Garda surveillance of this type. Successive Ministers for Justice have, however, largely ignored this recommendation. (The most remarkable example being in 2006 when the Privacy Bill introduced by then Minister for Justice Michael McDowell targeted surveillance by the media – but entirely excluded Garda surveillance from its scope.) In light of over a decade of government inactivity, the Bill is long overdue.
The timing of the Bill aside, its provisions generally represent a substantial step forward. It has clearly been influenced by the constitutional guarantee of the inviolability of the dwelling and the safeguards which it provides are more robust than those recommended by the Law Reform Commission. It introduces for the first time in Irish law the principle that judicial approval should be required before surveillance is carried out. Unlike other forms of surveillance such as data retention – which currently can be used in respect of even the most minor crimes – the Bill is limited to genuinely serious offences and also introduces a requirement that the surveillance must be proportionate having regard to the impact on the rights of innocent third parties.
There are of course some aspects of the Bill which could be improved. For example, the procedure to deal with cases of exceptional urgency is too lax. Under the Bill as it stands those cases would bypass the judicial process entirely, so that surveillance could take place for up to 14 days without any authorisation. There must be a question mark as to whether this provision would be constitutional if it was used to break into and bug a dwelling. Instead, it would be preferable to deal with cases of urgency by permitting Gardaí to commence surveillance without a judicial authorisation but then requiring that an application be made to the District Court for permission to continue the surveillance.
However, while the Bill is generally good as far as it goes, there is a strong argument to be made that it doesn’t go nearly far enough.
Despite its broad title, it addresses only one very narrow area – the covert surveillance of locations by devices which are physically planted in those locations. Many other forms of surveillance – such as the use of GPS devices to track the position of cars, the use of long range cameras and microphones to monitor locations from a distance and live monitoring of internet activity – will still be entirely unregulated. As a result there will continue to be doubt as to whether Gardaí have the power to use these types of surveillance and as to whether the resulting evidence can be used in criminal prosecutions.
Meanwhile, although there is some legislation regulating other forms of surveillance such as the interception of communications, data retention and Garda use of CCTV, that legislation has developed on an ad hoc and reactive basis with few consistent principles applying to its use or oversight. Much of it is also out of date, most notably the 1993 interception of communications legislation which due to technological changes no longer adequately protects email and other internet communications.
Considered as a whole, therefore, the wider Irish law is inadequate. Given that many of these issues were flagged by the Law Reform Commission in 1998, it is hard to see any justification for the failure to address them to date. Although this Bill does provide for some improvements, it is at best a piecemeal response which will not address similar problems with other forms of surveillance. It is clear that the time has come for comprehensive reform of the overall law relating to surveillance. This Bill is a good first step towards that reform. But it is only a first step, and it would be regrettable if the government were to continue to ignore this area until forced to act by another highly visible crime.
The Irish Times is reporting that the Joint Committee on European Scrutiny (a cross party committee which examines proposed EU legislation) has published a report which is highly critical of European proposals on passenger records.
The draft Framework Decision on the Use of Passenger Name Record (PNR) for Law Enforcement is an astonishing proposal which, if passed, would establish giant databases tracking the travel of every individual, logging details of every flight they make and keeping that information for 13 years. That information could then be accessed and shared with other countries without any individual suspicion, much less any form of warrant or prior permission. The proposal envisages using this information for “profiling” of all passengers. As originally proposed, the database would apply only to international flights (entering or leaving the EU) but some states are now pushing to extend this to include all flights within the EU while the UK is taking this further still and is seeking to create a database of all ferry and rail traffic within the EU.
We all support reasonable and proportionate measures to counter violence perpetrated against innocent people, but such measures should represent a proper balance between the need to combat such illegality and the rights of the innocent majority to go about their daily lives without undue interference by the State. In my opinion, and that of my EU colleagues, the Commission proposal fails this test. The proposal involves an obligation on air carriers to transmit to a state authority, called a “passenger information unit”, the PNR information that the passenger has provided to the air carrier in respect of any journey by air into or out of the European Union. The information typically includes contact details, such as address, phone number and e-mail, as well as payment information, such as credit card details. Under the proposal, the information has to be retained by the passenger information unit for a total of 13 years.
Such information is given by a passenger for the purpose of the provision of a service, namely air travel. The Commission proposal is that this information should be transmitted to state authorities for a totally different purpose, the combating of what is described as terrorism and organised crime. It is a basic data protection principle that information collected for one purpose should not be used for another purpose and should be deleted when no longer required for the purpose for which it was collected. The Commission proposal offends against this basic principle. Under the proposal, air carriers will have no choice but to hand over a complete record of an individual’s movements in and out of the European Union to a state entity that will retain it for 13 years, and not only a record of travel, but also of contact and payment information.
Many regular travellers would have difficulty recalling where they had travelled to, even in the past year. With this proposal, the state will have a detailed record of all such travel in and out of the European Union, and for a period going back 13 years. Therefore, whether it is a business trip to Singapore, a shopping trip to New York or a holiday in Morocco, the state will have full details. Can this invasion of individual privacy be considered a proportionate response to threats from the small number who may be tempted to engage in terrorism or organised crime?
One must also have concern for the ability of the state to protect the confidentiality of such information. Recent cases investigated by my office have, unfortunately, demonstrated that deliberate or inadvertent leaking or misuse of such information is a significant risk. Experience in other EU countries is no different…
There is little hard evidence of the actual usefulness of PNR passenger data in combating terrorism or organised crime. All we are presented with is general comments that such information is useful, with a small number of examples. There is even less evidence of the additional utility of PNR data over the more reliable API data that is already being collected. The result is that a key test under European law — that of proportionality — does not seem to be met. Even if one were to accept the case presented for this proposal — I do not — the protection provided for the innocent majority who have nothing to do with terrorism or organised crime is vague and inadequate. These deficiencies are spelled out in the written opinion my EU colleagues have already delivered and which has been provided to the committee.
If this proposal is implemented, we will have taken a further step to what has been called the surveillance society, where our day-to-day activities are constantly monitored and our private space is more and more restricted. We already have a situation, under data retention law, where the details of who we communicate with electronically is compulsorily stored, in case it would be useful for the investigation of crime. With this proposal, our international travel movements will be monitored by the State for the same reason. Can it only be a matter of time before this is extended to all of our movements? (Emphasis added)
The Joint Committee has now accepted these points (and also pointed out that – incredibly – neither Ryanair nor EasyJet were consulted in relation to the proposal).
What can you do about this? The responsible Irish official is the Minister for Justice. You might like to let him know that your privacy is important, and that the proposals (which Ireland has supported) are unacceptable. Ask him why he has ignored the concerns raised by the Data Protection Commissioner and proceeded with a measure based on “little evidence” with “vague and inadequate protections” for your personal information. Ask him whether he plans to ignore the concerns raised by our democratic representatives in the Joint Oireachtas Committee. Contact details? Email: minister@justice.ie, Phone: 01 602-8202 (ask for the Minister’s Office), Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2. And of course you should cc your local TDs (details here) and let them know that this issue is important to you in deciding how you will vote.
As I near my conclusion, let me, in my final public speech as DPP, repeat my call for level headedness and for legislative restraint in an age of dangerous movements.
We need to take very great care not to fall into a way of life in which freedom’s back is broken by the relentless pressure of a security State.
Over the last thirty years technology has given each of us, as individual citizens, enormous gifts of access to information and knowledge. Sometimes it seems as if everything is at our fingertips and this has made our lives immeasurably richer.
But technology also gives the State enormous powers of access to knowledge and information about each one of us. And the ability to collect and store it at will. Every second of every day, in everything we do.
Of course modern technology is of critical importance to the struggle against serious crime.
Used wisely, it can protect us.
But we need to understand that it is in the nature of State power that decisions taken in the next few months and years about how the State may use these powers, and to what extent, are likely to be irreversible. They will be with us forever. And they in turn will be built upon.
So we should take very great care to imagine the world we are creating before we build it. We might end up living with something we can’t bear.
The Advocate General of the European Court of Justice has just given his Opinion (summary, PDF) on the Irish Government’s challenge and has recommended to the Court that the challenge should be rejected, holding that the Data Retention Directive was correctly dealt with as an internal market measure rather than a criminal justice measure (which would have required unanimity to pass). Opinions of the Advocate General aren’t binding but are generally followed by the Court, making it more likely that the Government’s challenge will now fail.
It’s important to point out, though, that this ruling only relates to the procedural way in which the Directive was passed. It doesn’t affect our case that the Directive breaches fundamental principles of human rights, and we still await a decision from the High Court referring these issues to the European Court of Justice.
Full text of the Advocate General’s opinion available here.
The German Working Group against Data Retention (Arbeitskreis Vorratsdatenspeicherung) is also bringing a legal challenge to data retention and has put out a press release on the Opinion.
What’s the significance of the State’s challenge? Here’s what we said about it before:
On the plus side, the challenge will certainly delay implementation of the Directive, and stands a very good chance of striking it down in its entirety. There is a very strong case that the passing of the Directive was flawed.
On the minus side, the challenge is purely procedural. The Government agrees with the principle of spying on every citizen – it merely alleges that the wrong legal mechanism was chosen. According to the Government, the measure should have been passed by unanimous agreement of all the member states – not by a majority voting procedure. We agree – the directive is clearly an attempt to deal with matters of criminal law that are reserved to the member states, and the fundamental rights of Irish citizens should not be set aside by the majority vote of other EU states. But we’re disappointed that the Government shows no interest in asserting the right to privacy of Irish citizens. The result is that the European Court of Justice, when it eventually deals with the case, will only be hearing about procedure – not privacy.
Obviously we hope that the Government’s challenge will succeed in invalidating the Directive. Whatever the outcome of their case, however, our own challenge to data retention – where we raise these privacy issues about Irish law as well as the Directive – will continue.
(Thanks to Joris van Hoboken for pointing out that the Opinion had been timetabled.)