Steps finally being taken to change shameful data retention law
Indiscriminate surveillance trampled on privacy rights of ordinary citizens for years
Former chief justice John Murray: produced a damning report which draws pretty much the same conclusions about Irish law that the ECJ did about the EU directive. Photograph: Frank Miller
It’s taken quite a while for the Irish Government to properly notice that, in April 2014, the European Court of Justice (ECJ) resoundingly rejected the validity of the EU Data Retention Directive (Directive 2006/24/EC).
That landmark ECJ decision had a direct relationship to Ireland’s data retention laws. The case forwarded to the court, on which the decision hinged, was brought by Digital Rights Ireland (DRI). It questioned the constitutionality of Ireland’s data retention law, the Communications (Retention of Data) Act 2011, which implemented the EU directive. The ECJ was asked to assess the validity of the EU directive, the substantive basis of Ireland’s law.
The view of Europe’s highest court was that the directive amounted to indiscriminate surveillance on the entire population of the EU, could leave people with the sense that they had little personal privacy, and conflicted at numerous points with the European Charter of Fundamental Rights, “entail[ing] an interference with the fundamental rights of practically the entire European population.”
Data retention involves the mandatory storing of all telecommunications metadata for calls, texts, emails and, in some cases, other internet browsing activity for anywhere from months to years. Metadata is pretty much everything except the content of a communication – the date and time sent or received, who sent and received the item, the duration of a call, the size of an email, the location of a mobile and IP addresses.
For a long time, metadata was often referred to by those who wished to collect it as ‘just metadata’, as if merely trivial technical bits and bobs of minor privacy concern. But, reflecting the findings of many studies and experiments, the ECJ found otherwise.
“Those data, taken as a whole, may provide very precise information on the private lives of the persons whose data are retained, such as the habits of everyday life, permanent or temporary places of residence, daily or other movements, activities carried out, social relationships and the social environments frequented,” the court noted in a statement.
The judgment declared the directive invalid on a number of points including the indiscriminate collection of such data for long, arbitrary periods, and the failure to provide adequate security protections or oversight.
The judgment has since been followed by several more complementary decisions regarding data gathering, including that of Schrems v Facebook.
After the DRI judgment, years passed, but Irish law did not change. On the contrary, the Government continued to defend its position that Irish data retention legislation was not unconstitutional, despite the ECJ ruling.
Yet, on those key points noted by the ECJ in its DRI decision, little to nothing of import distinguished the Irish implementation of the EU directive from the EU directive, indicating that Irish data retention law surely must also violate fundamental rights guaranteed to European citizens.
Still, inconceivably, the domestic DRI case remained live. And the Government made no move to bring in replacement legislation.
Until now. Last week, the Department of Justice finally published proposals for a Communications (Retention of Data) Bill 2017. Not coincidentally, the announcement came alongside the department’s release, after nearly six months, of retired chief justice John Murray’s report to Government (at former minister for justice Frances Fitzgerald’s request), in which he reviewed Ireland’s existing data retention law.
But his review took place not because of an ECJ judgment made in relation to an Irish challenge to that legislation. Instead, the review came in the wake of questions about the legal basis by which Gsoc obtained access to several journalists’ call records, as revealed in January 2016.
As DRI chairman TJ McIntyre pointed out here last week (https://www.irishtimes.com/opinion/state-s-approach-to-data-privacy-is-a-national-scandal-1.3246055http://iti.ms/2y9ljbF), Mr Justice Murray chose to interpret the review request broadly and included a review of the data retention legislation.
He produced a damning report which draws pretty much the same conclusions about Irish law that the ECJ did about the EU directive. As McIntyre notes in his analysis of the report and the proposals, Mr Justice Murray left no doubt that the existing law stank, and the Government clearly moved swiftly, finally, to prepare new legislation following receipt of the report.
That’s what was announced last week. Yet not once does the Department of Justice’s official media release refer to the DRI case, the obvious reason why new legislation must be introduced. Instead, the need for change is credited to “evolving jurisprudence coming from the ECJ”.
Well, OK, but it evolved pretty definitively back in April 2014. The DRI decision on its own mandated the need to change the law here. We didn’t need further evolution.
Still at least – and at last – real steps are finally being taken to change this shameful legislation to something more balanced and proportionate.
But consider that neither the State nor the media seriously scrutinised a law so deleterious to human rights and the privacy of all Irish citizens, even after the ECJ decision, until journalists found it affected them, too, and made an almighty fuss.
The rights of ordinary citizens? Oh, them. They didn’t seem to matter that much.