Recent developments with traffic data retention – variously updated

EyePhoneIn my post on the Communications (Retention of Data) (Amendment) Act 2022: ignore the warnings, legislate in haste, repent at leisure, I sketched how the Government came to enact Communications (Retention of Data) (Amendment) Act 2022 (also here) last Summer.

Since then, there have been several developments.

First, the 2022 Act was intended to buy the government some time to complete a thorough overhaul of the Communications (Retention of Data) Act 2011 (also here). A Bill to that effect has been listed in every Legislation Programme since 2018. So, it is unsurprising that, on 19 April 2023, a Communications (Data, Retention and Disclosure) Bill, to consolidate and replace the 2011 Act, was listed in the Government’s Legislation Programme for the Summer Session 2023 (pdf). However, not only is that Bill not listed as a priority, but we are told simply that the Heads are still “in preparation” (p21).

Still? Still?? Since 2018??? (Indeed, even 2018 was slow, because the underlying Directive was struck down by the CJEU in 2014). Give me a break. Better still, give us all a break by publishing the Bill already!

Second, earlier this month, on 6 June 2023, Minister McEntee signed the Communications (Retention of Data) (Amendment) Act 2022 (Commencement) Order 2023 (SI No 287 of 2023) (also here) to bring most of the Act into effect on 26 June 2023.

Third, last Friday, the Irish Times reported:

McEntee to seek private hearing of court application under law dealing with Dwyer data challenge, digital rights group claims

Department of Justice has ‘no comment’ on allegation by Digital Rights Ireland

by Mary Carolan

The Minister for Justice will ask the High Court on Monday to hear an application in camera concerning a controversial new law rushed in to deal with the fallout from a legal challenge by convicted murderer Graham Dwyer, Digital Rights Ireland has claimed.

Asked by The Irish Times on Friday about the claim made by Dr TJ McIntyre, chairman of Digital Rights Ireland (DRI), a Department of Justice spokesman said it had no comment to make. …

DRI wrote to the Minister outlining their concerns; and, with their permission, I am happy to make the letter available here (.pdf). In particular, it enquires whether the Department had conducted a data protection impact assessment pursuant to Article 35 GDPR, whether it had consulted with the Data Protection Commission pursuant to Article 36 GDPR, and whether the State’s correspondence with the EU Commission about compliance with the obligation in Directive (EU) 2015/1535 to notify the Bill to the Commission will be brought to the attention of the Court. There does not seem to have been a response by the Minister to this letter.

Fourth, once the 2022 Act had come into effect yesterday, an application was duly made in the High Court pursuant to section 3A of the 2011 Act, as inserted by section 4 of the 2022 Act (also here); and, pursuant to section 3A(5), the High Court duly made the order. It really doesn’t look as if any lessons have been learnt. The Minister for Justice has thus gambled with all future prosecutions of serious crimes which rely on the evidence gathered using this order. Litigation against it, and the 2002 Act, is inevitable.

Update (28 June 2023): section 3A(6) of the 2011 Act (as inserted by section 4 of the 2022 Act) provides that:

Where a relevant judge makes an order under subsection (5), the Minister shall, without delay arrange for—
(a) the order to be publicised in the national media,
(b) the order to be notified, in so far as practicable, to service providers, and
(c) a notice of the making of the order to be published in Iris Oifigiúil.

(2023) 52 Iris Oifigiuil 772On foot of that obligation, the Minister published a press release that she had obtained the order requiring the retention of data for State security. The Minister makes no mention of a data protection impact assessment, of consultation with the DPC, or of correspondence with the EU Commission. She does, however, say she consulted with the Garda Commissioner prior to making the application, which demonstrates her priorities.

Update (30 June 2023): it is in Iris Oifigiúil for 30 June 2023 (issue 52, page 772; pdf) (pictured right).

As a consequence of that application, DRI have published 20 questions for the Minister [expanding on the letter mentioned above] and 2 for the Data Protection Commission. Prof McIntyre told the Irish Examiner that “people recognise that this is very sensitive and how it can be abused … the amount of data left behind us is far greater than ever. It’s very misleading for gardaí to say they need this extra data”. And he told Irish Legal News that the legislation

… is certain to be challenged in the European courts … the government’s failure to properly notify the European Commission during the legislative process represents a “fatal flaw” in the 2022 Act. … It’s grossly irresponsible to [enact legislation with such an uncertain legal foundation] … The 2022 Act needs to be repealed and proper legislation put in place that actually complies with the law.

I could not agree more.

Update (29 June 2023): Mary Carolan has another excellent article about all of this in today’s Irish Times. The whole article is well worth a read; here are some extracts:

New law on phone data retention likely to be challenged in court

Data privacy campaigner concerned law permits Minister to get ‘mass surveillance’ orders after private court hearing

A legal challenge appears likely to a controversial law under which the Minister for Justice received High Court orders this week, after a private hearing, requiring the retention of mobile phone metadata and internet source data on State security grounds. … According to civil liberties and data privacy lawyers and campaigners, the 2022 Act does not meet the requirements of EU law concerning data privacy. The Oireachtas justice committee is also among those to warn it may be vulnerable to legal challenge.

Solicitor Simon McGarr, a data rights specialist, has suggested the Act may also risk the validity of criminal prosecutions that rely on data gathered under it. … Among several concerns of Dr TJ McIntyre … is that … [a] legal challenge [to the 2022 Act] is very likely. … The uncertainty about the legal position is a growing source of concern for telecoms companies, an informed source said. “To say they are frustrated is an understatement.”

In the same edition, Karlin Lillington, who has been covering the State’s shambolic data retention policies for over twenty years, characterises this develoopment as a dark day for Irish democracy.

Update (30 June 2023): Mary Carolan has yet another excellent article about this in today’s Irish Times. Again, the whole article is well worth a read; here are some extracts:

Court order obtained by Minister does not equate to ‘mass surveillance’ of citizens, says Department of Justice

Order requires telecoms firms to retain mobile phone metadata for State security reasons for one year

The Department of Justice has rejected a claim that a court order requiring telecoms firms to retain mobile phone metadata for State security reasons for one year equates to “mass surveillance” of all citizens. …

In a statement on Monday, the Minister confirmed the order was obtained … on Monday, … In a written response on Thursday evening to further media queries about Monday’s application, the department said the order was granted by Mr Justice Alexander Owens … The application, heard over one hour and 40 minutes, was grounded on information sworn by a senior official concerning the Minister’s assessment the order was necessary to safeguard the security of the State. …

The Thursday statement does not seem to be on the Department’s website, but it is described quite fully in this article, and it seems to engages with many of the issues raised by DRI in their letter and blogpost. Their response will, no doubt, be interesting.

Update (02 July 2023): Cianan Brennan has an excellent summary of all of this in the Irish Examiner. The whole article is well worth a read; here are some extracts:

Minister creates a de facto mass surveillance system of entire population

Justice Minister Helen McEntee has made an attempt to address issues in the State’s flawed data retention laws, but they’re open to legal challenges

… Ms McEntee said, in announcing the move, that having assessed a threat to that security she had “satisfied myself that there exists a serious and genuine, present or foreseeable threat to the security of the State and that such threat is likely to continue for at least the next 12 months”.

What that threat is, no one has been told. … the State’s relationship with data retention law … [is] a long one, and little of it is positive. …

Asked why the Department had commenced the law despite the European Commission saying it may be inapplicable due to it missing the TRIS window, a spokesperson said that given the notification period for TRIS had expired in March “without comment or opinion from either the EC or other member states … accordingly, Ireland was free to commence the 2022 Act”.

This would seem to ignore the fact the EC had told the Department of Justice in January that they had applied for TRIS long after the horse had bolted. … If the law is flawed from a European perspective, then surely it is vulnerable to appeal.

“This will jeopardise hundreds of convictions, despite countless warnings from legal experts,” said Dr TJ McIntyre …

I’ll leave the last word to Karlin:

It is to Ireland’s continuing shame and international embarrassment that the State remains so inept in implementing and enforcing data protection laws, especially when Ireland carries regulatory responsibility for the world’s most powerful data-gathering multinationals.