State agencies target Irish phone and internet records

Irish authorities made 27 times as many requests for people's stored phone and internet use data compared to law enforcement agencies in comparably sized Austria, according to submissions to the European Court of Justice (ECJ) in Luxembourg.

The information was supplied in a day-long hearing on July 9th by parties to an ECJ case which is considering the legality of the European Data Retention Directive (2006/24/ EC), which allows member states to store data on daily call and internet activity for the EU’s 500 million residents.

The case originates in a challenge to the constitutionality of Ireland's data-retention laws, taken by privacy advocates Digital Rights Ireland. The case was referred by the Irish High Court to the ECJ.

Ireland, which stores Irish residents’ landline and mobile call access data, as well as some data related to internet usage, for two years, told a panel of ECJ judges that “6,000 to 10,000” requests were made annually under Irish law.

The directive limits the use of such data to combating serious crime and terrorism.

Retention statistics
Counsel representing Austria said authorities there had made 326 requests for data in a recent one-year period.

The UK refused to disclose figures at the hearing.

It is not clear to what the figure of “6,000 to 10,000” requests presented by Irish counsel to the ECJ refers.

According to statistics released in a 2012 European Commission report by member states on data requests made in 2010, and cited at the hearing as evidence in support of the directive's implementation, Irish authorities – comprising the Garda, Revenue Commissioners or Defence Forces – made 14,928 data orders.

The Department of Justice released 2011 figures last week, confirming 12,675 data requests.

Asked this week by The Irish Times to clarify whether the figures presented were an average or if they referred to as yet unreleased 2012 data request figures, a spokesman for the Department of Justice said: "The communications data retention statistics for Ireland for 2012 are in the order of 9,000 requests."

The spokesman declined to offer further detail on the nature of the requests, stating: “It is not the practice nor would it be in the public interest to go into further detail of the provision of the data to the relevant authorities.”

Asked whether Ireland had a much higher rate of serious crime than Austria, the department responded: “The operation of data retention regimes in other EU member states is a matter for the authorities of those states.”

The European Court of Justice is focused on whether the European Union’s Data Retention Directive, which allows states to choose a retention period of six months to two years, represents a proportional approach to ensuring that some call and internet data are available for law enforcement and security needs.

Data requests
Unusual for the ECJ, the hearing concentrated on human rights aspects of data retention, in particular how the directive fits with articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

According to the European Commission’s 2010 study, for those countries that supplied (often incomplete) information, the vast majority of data requests were made within the first three months of the data being created, and most of the remainder in the first six months.

For example, Ireland stated that of 14,928 data requests granted in 2010, 10,962 related to data under three months old and a further 1,612 requests related to data less than six months old.

In that report, member states varied widely in the number of data requests made.

Eastern and Baltic European countries generally made the largest number of requests, including 130,000 for Hungary, 38,861 for Bulgaria, 289,169 for the Czech Republic, 105,108 for Lithuania, and 34,467 for Latvia.

Denmark noted 4,235 requests, Finland, 5,558 and Portugal, 23. Fourteen states, including the UK, failed to provide any information.

At the hearing, the Irish State argued that Irish data retention laws were proportionate and that opposition to them is centred on fears of abuse and data breaches.

However the laws had been important in the prosecution of serious crime, the Irish representative said, and struck the right balance between security needs and human rights.

The Irish Human Rights Commission told judges that it felt the ECJ was unusually and exceptionally reliant on local courts to determine whether countries, in their enactment of data-retention legislation, were in compliance with the charter.

It also argued that there must be serious doubt as to whether the directive made a significant difference in the prosecution of serious crime.

Breach of rights
Digital Rights Ireland contended that the directive was in breach of human rights guaranteed in the charter and was disproportionate in its implementation in Ireland. It also argued there was no clear evidence that the directive had improved crime detention and prosecution rates.

Judges at the hearing asked parties about the status of data outsourced to third parties, particularly countries (such as the United States and Canada) that had signed up to Safe Harbor agreements to handle European data with regard to greater EU protections.

According to a summary of the hearing from the European Digital Rights Institute (EDRi): “Thirty-six per cent of the retained data is subject to outsourcing and the third largest provider is based in a third country operating on the basis of the Safe Harbor agreement.”

Whether European citizen data held outside of Europe could come under surveillance under the US's own laws has been a subject of contention between the EU and US following the revelations about the Prism surveillance programme by whistleblower Edward Snowden.

The representative for the EU Commission was unable to provide an answer to this issue to judges at the hearing.

The Irish State representative noted that all the Irish phone operators stored data within the EU and one within the UK, subject to Safe Harbor.

An opinion on the case will be provided by the European Union’s advocate general on November 7th. Regardless of the outcome, the original case will return to the High Court in Ireland to determine if Ireland’s implementation is constitutional.