All is not well on the data protection front

ANALYSIS:Data retention proposals about to become law here have been declared an invasion of privacy in Germany. Government please take note

IF THE Government fails to reconsider the terms of its Data Retention Bill, currently in its final stages before the Houses of the Oireachtas, it is likely to find that costly court challenges and a forced reworking of the legislation lie ahead.

The Retention of Data Bill 2009 seeks the overdue implementation of an EU directive on data retention (storage of call data for two years and internet-use data for one year, for everyone in the country, including children). It is the tail-end of a long process in which the right to privacy has been pitted against the needs of law enforcement to have access to records for criminal investigations.

Even as the Bill passed a Dáil vote that cements in its current provisions, there are signs that all is not well on the European front for national data retention legislation.

On Tuesday, in a significant finding, the German constitutional court threw out Germany’s existing data retention laws for a range of reasons, many of which have direct application to Ireland.

The German court echoed precisely the concerns expressed by many groups and individuals here about our own legislation – worries that were given a lone voice in the Dáil debate by Labour TD Seán Sherlock.

The German court found that enacting any data retention legislation requires a regard for what it termed the exceptional intensity of the interference with human rights that result from such measures. It therefore obligates the government to have clear and transparent measures in place to ensure data safety, data use, and adequate legal remedy available to citizens for misuse of personal data.

It said retention legislation must set a very high standard for safety of all data, and this cannot be balanced against a general burden of cost, whoever that may lie with. It underlined that access to data should only be allowed in cases targeting most serious crimes and terrorist offences. It argued that individuals must be notified after the fact that their information was accessed for an inquiry.

All of these issues have been highlighted as a concern in Ireland, where the Government has tried to downgrade the level of the crimes that our legislation applies to; does not outline a quality of service that must be met to protect data; does not cover the costs of managing and protecting data, but passes them on to the internet and telecoms sector; and does not give adequate legal remedy to citizens nor adequate oversight. Irish legislation would not meet the provisions laid out by the German court.

Privacy advocacy group Digital Rights Ireland has already brought a constitutional case against the Government in the High Court on the constitutionality of Irish legislation. This is widely expected to be referred to the European Court of Human Rights and prove a test case on the issue for the EU as a whole, where the German case will signal issues likely to prove troublesome for Irish and other EU nations’ retention laws.

Data retention legislation has proven controversial in all countries. This is not, as many data retention proponents try to make out, because some feel that data should not be retained at all. The debate has been about finding a reasonable balance between privacy and trying to ensure citizen safety by giving law enforcement adequate investigative tools.

Few deny that call and internet records can be critical in prosecutions, and allowing access has provided important evidence for the Garda in several cases, including some high-profile murder trials. On the other hand, the Government and law enforcement officials have failed to make an adequate or persuasive case – or even supplied evidence from previous investigations – to show that they need to hold data for such excessive periods of time. The recommended period for retention from the EU’s data protection commissioners organisation, the Article 29 working group, is six months. Evidence given during Dáil debate was that in almost every case where call data has been used, the Garda requested data within three months of it being created.

Yet the retention time periods chosen for Ireland are among the most excessive in Europe and internationally. In the Dáil, Sherlock’s highlighting of this fact was met with a feeble response that each EU nation could pick its own retention periods, failing to address the issue that long periods of retention pose greater data breach risks.

At a time when, almost every month, we read of identity theft and privacy violations due to inadequately protected data, this must be a serious concern for every citizen, not least because all the stored data would be held by many of the same entities that have had data breaches. Reassurances of Government parties during the debate that adequate protections were in place within the current legislation go against concerns expressed by legal experts and business leaders.

It is not as if this Government has set the example of good intentions with data retention in the past. Its clumsy and inept implementation of an initial EU directive in 2005 effectively gave law enforcement carte blanche to fish around in citizens’ records for the most trivial of reasons, with almost no protections at all for citizens. Figures from the Data Protection Commissioner’s office revealed that call records were accessed over 10,000 times in the first 18 months that legislation was in place.

The Government has shown indifference in the debate to the cautions and pleas from its business community, almost none of whom were asked for input in the designing of this legislation. Such groups repeatedly have asked for shorter retention terms and greater oversight, and warned of damage to Ireland’s budding digital economy. When the nation is staking economic recovery on internet-based business, overzealous retention periods and poor oversight will downgrade Ireland’s attractiveness as a business location.

The German court decision is a timely warning shot. The time for this legislation to be reconsidered is right now, before it is signed into law.

Karlin Lillington writes about new technology and the internet in Business This Week, Friday's business supplement with The Irish Times