An epic fail for Ireland’s data protection laws
Gsoc’s demand for call records was carried out in direct opposition to the European Court of Justice
Bodies such as Gsoc apparently can gain access, outside the constraints intended in the original legislation, by sloppy back-door means that enable third-party investigations.
Today is European Data Protection Day. A good day, then, to grade the Government on its performance in this area.
Unfortunately, Ireland earns a depressingly consistent fail.
Let’s start with data retention, the gathering and long-term storage of calls (as well as some internet and email records) made by everyone in the State, children included, on the basis that a person might, at some future point, commit a crime. Over the past 15 years, Ireland has pioneered this sneaking, pervasive form of mass surveillance of a national population. Fail.
“Mass surveillance” is not hyperbole. The highest court in Europe, the European Court of Justice (ECJ), termed it so in 2014, in relation to a case that specifically referenced Irish data retention laws. But back to that in a moment.
First, it is important to understand that, for years, the State effectively required such data to be retained for seven years – well outside the stipulations of European data protection law at the time – with no access restrictions at all, and no oversight.
I discovered and wrote about this in 2001. It took two successive Irish data protection commissioners and nearly half a decade of threatening the State to eventually push the Government into bringing in data retention legislation.
But such an important law came not as the standalone piece of legislation that had been pledged. Instead, it was introduced in a near-empty Dáil chamber as an amendment to another piece of legislation.
The promised extensive public consultation and discussion, and open Dáil debate, also never happened. Instead, in the amendment of 2005, we got one of the longest retention periods in the world, with a laughable degree of semi-oversight and mild restrictions on access.
Gardaí made more than 10,000 data requests in the first 18 months of the new law’s existence.
DirectiveThe law was amended slightly when the EU brought in its own Data Retention Directive in 2006, a directive hugely influenced by Ireland, always to the forefront in cheerleading for data retention (another data protection fail). The new directive fixed two years as the maximum retention period.
Our national legislation formed a primary consideration for the ECJ when Digital Rights Ireland quickly challenged the constitutionality of Irish retention law in a case referred to the top court. In a monumental 2014 decision, the ECJ threw out the EU directive, the basis for Irish law, on the grounds that it was effectively “mass surveillance” – the court’s language – and a violation of the rights guaranteed to EU citizens under the EU Charter of Fundamental Rights.
Fast forward to 2016, and the Government here has still done nothing, nada, zilch, to address existing Irish data retention and access laws that are now clearly unlawful. Epic fail.
The implications of this have played out in the Gsoc case.
Gsoc is not named in Irish legislation as one of the supposedly carefully restricted bodies (the Garda Síochána, the Revenue, the Defence Forces) that may have access to retained data. But – making a further, shameful mockery of our law – bodies such as Gsoc apparently can gain access, outside the constraints intended in the original legislation, by sloppy back-door means that enable third-party investigations. A grotesque fail.
Pointless reviewThe State’s response has been to initiate a pointless review of the specific situation involving journalists’ records. This seems little more than a time-wasting attempt to divert attention from the real issue: that Irish data retention and access law in its repellent entirety – now, thanks to the Gsoc case, shown to be a paper-thin privacy and data protection garment – is unlawful. Fail.
So, inconvenient truth that it is, Gsoc’s demand for call records in 2015 was a manoeuvre carried out in direct opposition to the rule of that supreme arbiter of justice, the ECJ.
The sole area in which the State can be seen as a laudable defender of privacy and lawful data access is in the ongoing case in the United States, in which Microsoft is refusing direct access by the US government to emails held in Microsoft’s Irish data centre. These are wanted for a trial in New York State.
In a case with huge potential impact for businesses and, especially, the booming, multibillion-euro cloud-computing sector, Microsoft is arguing that the US government should use existing legal channels, such as established international treaties, to request digital evidence, just as it would do if the evidence were in paper form.
Microsoft’s case also features an opinion written by former minister for justice Michael McDowell – notably, and ironically, the minister who drove our approach to data retention for years, and brought in the initial 2005 Act.
In the Microsoft case, the Government’s stance is right. But it is also staggeringly duplicitous. It shows that the State will defend critical data protection and privacy rights when they are directly interwoven with corporate interests. But it will not do so when the fundamental rights of its own citizens are at stake.