Search News & Insights
The Communications (Retention of Data) Bill 2009
The Communications (Retention of Data) Bill, 2009 (the “Bill”) was published on 9 July 2009. The Bill is the draft legislation which implements the Irish Government’s obligations under European Directive 2006/24/EC (the “Directive”).
Requirement to retain data
As drafted, the Bill will require telecommunications companies, internet service providers and those who provide “publicly available electronic communications services” (“Service Providers”) to retain data in relation to phone calls (fixed line and mobile) for a period of two years and data in relation to internet communications for a period of one year, from the date of such communications.
The two year period for fixed network and mobile telephone data is a reduction on the current requirement under the Criminal Justice (Terrorist Offences) Act 2005 to retain call data for three years. The one year retention period for internet related data is an entirely new requirement. The Directive requires EU Member States to introduce a minimum retention period of six months, and several Member States have implemented retention periods shorter than those proposed by the Irish Government. In the United Kingdom for instance, the proposed retention period is twelve months regardless of the type of data concerned.
Type of data to be retained
The Bill makes it clear that its provisions do not apply to the content of the communications. Instead, details about communications, including as duration (for calls), size (for e-mails), the sender, the recipient, location, time and date made/sent, must be retained by Service Providers.
While this type of data can play a role in the prosecution of serious crimes (for instance, it was crucial in the prosecution of those accused of involvement in the Omagh bombings), it can also give an intimate portrait of a person’s or a business’ activities and contacts. Such data is more detailed than, say, a regular phone bill and could contain sensitive competitive information.
Data disclosure requests
The retained data must be disclosed in certain circumstances on the request of a senior member of an Garda Síochána (the Irish police force), the Permanent Defence Force, or the Revenue Commissioners. These include, for instance, circumstances where a senior Garda is satisfied that the data is required for the prevention, detection, investigation or prosecution of serious criminal offences.
The cost of retaining data
The Bill does not outline who will pay for the storage and maintenance of data of the quantity and type required by the Bill, and the cost of retaining such data is not insignificant. The Telecommunications and Internet Foundation has estimated this cost to run to millions of euro. Given the Bill’s silence on the issue, it must be assumed that the Service Providers will bear this cost. It is not inconceivable that the cost will be passed onto businesses and individual subscribers. Other Member States, such as the United Kingdom, have indicated that they will reimburse Service Providers the cost of the data storage. Accordingly, the Bill, if enacted in its current draft, could have a knock-on effect of making Ireland a more expensive place to do business when compared to other Member States.
Securing the data
The Bill states that the data shall be subject to appropriate technical and organisational measures to protect it and designates the Data Protection Commissioner as the supervisory authority in this regard. However, the Data Protection Commissioner is not given any powers to examine data security measures adopted by service providers or to compel them to comply with the provisions of the Bill in relation to data security. This contrasts with the Data Protection Acts 1988 and 2003, which empower the Data Commissioner to compel data controllers to comply with provisions in relation to data security. Failure to comply with the Data Protection Commissioner’s orders in relation to the Data Protection Acts is a criminal offence.
There is a real possibility of commercially sensitive data being leaked due to inadequate security measures, due both to the potential costs involved (of both secure processing and of storage of the data which the Bill would oblige Service Providers to retain) and to the lack of a supervisory function with powers. The vulnerability of Service Providers in this regard is highlighted by recent well publicised data leaks from a number of high profile businesses and government departments, both in Ireland and overseas.
Recourse for abuse of the data
The Bill fails to provide meaningful recourse for those whose data has been improperly accessed or leaked. The Bill does not require that a person be notified of any leaks of data relating to them and, where data has been disclosed properly under the Bill, a person has no right to be informed of this disclosure. In other Member States, persons are informed of both the disclosure of data relating to them and the reason for such disclosure. This only occurs after sufficient time has elapsed so as not to “tip-off” criminal suspects.
The Bill does provide a complaints procedure whereby a person, who believes data relating to them has been the subject of a disclosure request can request, that such disclosure be investigated. If the provisions of the Bill have been breached, the relevant data and any copies can be destroyed and the person may receive compensation. Given, however, that a person has no way of knowing when data relating to them is the subject of a data request, the provisions in the Bill in relation to this procedure may prove to be of little comfort to persons whose communications data has been disclosed. The procedure also fails to address the question of data leaks, such as theft or misplacement of data.
The industry has and will continue to lobby the Government heavily in order to effect some positive changes with regard to the above issues. The Bill is currently in first stage of the legislative process and it must pass through several more stages in both the Dáil and the Seanad (lower and upper houses of parliament, respectively). It is of course subject to change during this process. Given that Ireland is legally obliged to enact the Bill in some form, and indeed that the deadline for this enactment has already passed, the Bill’s passage through the remaining stages of the process can probably be measured in months rather than years.