Tomorrow the European Court of Justice will give judgment in our case challenging mass surveillance under the Data Retention Directive. Here’s a summary of the background.
What is the case about?
It’s a challenge to data retention – i.e. laws which require ISPs and mobile phone companies to spy on you by logging details about your location, your text messages, your emails, your internet use and to store that information on you for up to two years. We say that this type of mass surveillance on the entire population – without any suspicion of any sort – is a breach of the right to privacy under the Constitution, the European Convention on Human Rights and the Charter of Fundamental Rights.
What sort of information is kept under Irish and EU data retention laws?
Almost everything bar the actual content of a particular phone call, email or text message. Who called who when and for how long; where you were at any given time (via your mobile); who you emailed or texted and when – all of this information is stored and open to abuse.
Is this information sensitive?
Very much so. For example, the fact that a person phoned the Samaritans, a cancer support helpline or an addiction counsellor is obviously sensitive in itself and a German study has shown that people will be deterred from contacting these types of services if they know their calls are being logged. US research on phone records has shown that they reveal matters as personal as the decision to have an abortion.
This is a particular issue for journalists as data retention laws allow states and even private companies to track down whistleblowers and other confidential sources in order to retaliate against them. In a recent article in the Guardian a number of Irish journalists expressed concern that the data retention system was being used to do just that.
Has this information been abused?
By definition it is difficult to know exactly how secret surveillance systems are being abused, particularly where Irish oversight is so weak. However what we do know already reveals that abuse can take place with no accountability.
The best example is that of Detective Sergeant Eve Doherty who abused the data retention system to spy on an ex-boyfriend. This was discovered after the former boyfriend became suspicious, not as the result of any internal oversight. However no criminal prosecution was brought against her for this abuse nor was she even demoted – incredibly, despite this fundamental breach of the law she was simply moved sideways to the Special Branch.
This case showed that the system was wide open to abuse, and the revelations of a later Data Protection Commissioner audit were just as worrying. In theory, this type of information should only be given to gardaí on the request of a Chief Superintendent. In practice, however, such requests were routinely made by gardaí without the knowledge of the Chief Superintendent and simply rubber stamped retrospectively (PDF, p.64). In an astonishing indictment of garda practices this procedure continued even after the Eve Doherty case and was changed only after the involvement of the Data Protection Commissioner.
When was the case started?
Hasn’t it taken a long time to get this far?
Yes. The delay is down to a number of factors – the aggressive approach taken by the Irish government which tried every procedural mechanism to try to prevent the case from proceeding, the need to refer the case from the High Court in Dublin to the European Court of Justice in Luxembourg, and the fact that our judge in the High Court was promoted to the Supreme Court in the middle of the proceedings.
At the same time, the delay may have been helpful. The political and legal debate around privacy is very different following the Snowden revelations.
What happens after tomorrow’s judgment?
That depends on the judgment, but whatever the outcome the case will return to the High Court in Dublin so that the court can apply the ECJ decision to the Irish data retention laws.
Hang on – didn’t you already get a ruling in this case in December?
Yes - but that was a non-binding opinion only, which the court can choose to follow or not. Tomorrow’s decision is the final decision of the full court.
What can I do to help promote privacy online?
Obviously we’d love to see you donate to DRI to help us with this and future cases! Apart from that, the most pressing issue at the moment is to ensure that the next European Parliament is friendly towards privacy and other online issues. Please consider signing up at WePromise.eu and contacting your candidates in the European elections to ask them to support digital rights.
Where can I find out about tomorrow’s decision once it’s announced?
We’ll put up a summary and the full text of the judgment once we have it. The judgment is announced in Luxembourg at 9.30am local time (8.30am Dublin time) and we should have a copy soon after. Keep an eye on @DRIalerts and @tjmcintyre for updates.