Net Results: Balance must be struck between security and privacy

Evidence shows data gathering does not increase security or convictions

In a current appeal of a high-profile murder conviction, lawyers are arguing that evidence based on the accessing of old phone records should theoretically be inadmissible, because the European Court of Justice (ECJ) threw out the 2006 data retention directive last year.

The directive had mandated the collection and storage, for nationally variable periods of six months to two years, of all mobile, fixed-line, fax, email and some web metadata (the details about the communications, but not the content). Data are lawfully held for up to six months by service providers for business purposes.

The validity of the appeal has yet to be decided.

However, the situation has spurred some to ask whether data retention for multiple-year periods is needed in cases where it is necessary for a conviction.

READ MORE

But this is a false argument.

To understand why, let's go back to the original judgment of the ECJ in this important case, in which the core arguments were made by McGarr Solicitors on behalf of its client, privacy advocate Digital Rights Ireland (DRI).

The ECJ solicited input from a wide range of parties, including national governments and law enforcement agencies, in advance of a full-day hearing set aside to consider the case in 2013.

Having considered all evidence, the court agreed with arguments made by DRI and found that no government or law enforcement agency had put forward any convincing argument as to why data need to be retained for periods longer than six months.

DRI, the Office of the Irish Data Protection Commissioner and other Irish privacy advocates had made a similar counter-argument to scaremongering by the Department of Justice and An Garda Síochána here that long periods of data retention were needed to get convictions such as those in the Veronica Guerin murder case and that of the Omagh bombing.

Conviction

Yet – as more than one Irish data protection commissioner has argued over the years – the call data used in both those cases were gathered within days of the events and proved adequate to obtain a conviction.

Clearly, no other state or police force offered the court convincing evidence, either.

The court’s ruling stated that although the EU directive – which forms the basis of still-standing Irish data retention laws – mandates data be retained for a period of between six months and two years, no adequate reason was given for using such varied periods.

Furthermore, “it is not stated that the determination of the period of retention must be based on objective criteria in order to ensure that it is limited to what is strictly necessary”.

Nor did the directive provide for adequate limitations on how data might be used, who might have access to them or how they would be safeguarded.

The most critical finding of the ECJ was that the directive was not “proportionate”. In other words, gathering and storing all the call and email metadata for every single person in the EU solely on the basis that, at some point in the future, some small number of them might commit a crime that was not investigated in a timely way were not reasonable approaches to law enforcement or national security.

Proportionality is not a hasty notion introduced on a whim for this case, but the basis on which all laws in any democracy are made. Proportionality seeks a balance between competing rights and freedoms.

Security’s price

As the ECJ justices note, as well as a right to privacy, every EU citizen also has the right to security. But security cannot come with privacy as its price. Nor can absolute privacy be promised, at the sacrifice of security. The balancing point is proportionality.

The justices found it was not proportionate that nearly one billion Europeans be placed under what it termed effective daily surveillance without any specific reason nor any evidence that doing so yielded any greater security for EU citizens collectively.

Now, bring that back to Ireland. First, set aside the pertinent fact that before the ECJ in 2013, the State could not give a single example of a case that would have been lost if it could not access data more than six months old.

But even were such a case to present itself in the future, it is simply not proportionate to privilege a single conviction over the ongoing, data-gathering surveillance of millions of perfectly innocent people, especially when evidence consistently shows that such data-gathering does not increase security or convictions.

Balance

And there is actually a useful, proportionate, targeted tool law enforcement can use called data preservation. Gardaí can ask communications providers to preserve and hold call data for individuals going back six months, and on into the future, for the duration of a specific investigation.

So, in the case of a missing person, gardaí could ask that their call metadata be preserved if they had cause to believe there might be a suspicious cause for the disappearance.

Cases may well come to light some day where a conviction for a serious crime failed because it could only have been achieved with call metadata greater than six months old or gathered in an unlawful way.

But evidence cannot be gathered at any expense. Such an unfortunate rarity is an acceptable and necessary risk in democratic societies with proportionate laws that balance the safety of communities with an equal right to privacy.