Communications (Retention of Data) Bill 2009: Second Stage.

I move: "That the Bill be now read a Second Time."

I am pleased to be in the House today to present the Communications (Retention of Data) Bill 2009. The primary purpose of the Bill is to transpose Directive 2006/24/EC of the European Parliament and Council into law. The directive requires service providers to retain data generated or processed in connection with the provision of publicly available electronic communications or public communications networks and to make it available on request for the detection, investigation and prosecution of serious crime.

Before I explain the provisions of the Bill and its background, I would like to speak more generally about data retention and its important role in the investigation of serious crime and in safeguarding the security of the State. It has been in the news at regular intervals over the past few years and some misconceptions may have arisen as to its scope and purpose. It is important to bear in mind that data retention is not new; it has been an essential feature of crime investigation and the safeguarding of State security for many years. Also to be borne in mind is that data information is not concerned with the content of a communication; it is about who, where and when. The intrusion into a person's privacy is minimal.

The retention of data in this country began in the days of the Department of Posts and Telegraphs, when communications were by means of fixed-line telephones and the postal system, of which the State was the only provider. Typically, telephony operators, even after the market was opened up, retained data for six years for their own purposes, such as billing and marketing. This made sense because the statute of limitations during which a telephone bill could be challenged or payment pursued was six years. The operators made the data information available to the Garda on request when required for fighting crime and safeguarding the security of the State. In those circumstances, relations between the operators and Garda developed so that the voluntary scheme was based on goodwill and common sense on both sides. Any Garda could request data in respect of a crime he or she was investigating. The system was not regulated by statute.

The first significant statutory intervention came in the form of the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, of which section 13 inserted new subsections into section 98 of the Postal and Telecommunications Services Act 1983. Under the inserted subsection (2A), a person employed by a company who disclosed to any person any information concerning the use made of telecommunications services provided for any other person by the company was guilty of an offence. There were exceptions, including disclosures made for the prevention or detection of crime or for the purpose of any criminal proceedings or in the interests of the security of the State. A request by a member of the Garda Síochána to make a disclosure had to be in writing and be signed by a member not below the rank of chief superintendent. In practice, this meant that all disclosure requests were made through one specified chief superintendent, a practice that continues to this day. A parallel inserted provision ensured that any request from the Permanent Defence Force for data required in the interests of safeguarding the security of the State must be made through an officer not below the rank of colonel.

This remained the case until the adoption of Directive 2002/58/EC of the European Parliament and Council in July 2002, which concerned the processing of personal data and the protection of privacy in the electronic communications sector. As interpreted for data protection purposes, the directive provided that traffic data could only be retained for six months. This posed a problem for Ireland, as the Garda required data to be retained for longer than six months if it was not to be severely handicapped in its ability to fight crime and safeguard State security. In practice, most retained data that is required is requested by the Garda or Permanent Defence Force within six months of its being generated or processed. However, the quality of data retained for longer periods can be equally important in fighting crime, including terrorist crime.

The Department of Justice, Equality and Law Reform and the then Department of Public Enterprise came to an agreement that telephony data should be retained by operators for three years; that is, half the period for which the operators voluntarily retained telephony data previously. That agreement was given statutory effect in directions issued by the Minister for Public Enterprise to the main telephony operators under section 110(1) of the Postal and Telecommunications Services Act 1983. It was intended to follow up the directions with primary legislation. However, in 2003 Ireland received an invitation from some of our colleagues in the EU to co-sponsor a framework decision on data retention. Agreement was reached on Ireland's participation in the preparation of the instrument, and further work on the legislation had to be deferred until the text of the framework decision was agreed and adopted.

The negotiations on the framework decision proved difficult and complex. They had effectively reached stalemate when the Madrid bombings during the Irish Presidency of the EU in 2004 highlighted the necessity and urgency of obtaining agreement on the retention of data. Negotiations recommenced in earnest but had not been concluded by January 2005 when the then Data Protection Commissioner issued notices to the main telephony operators directing that they retain data for no longer than six months. Rather than hamper the Garda Síochána and the Defence Forces in their vital work in investigating crime and safeguarding our security, a decision was taken to include provisions in the Criminal Justice (Terrorist Offences) Bill, which was then being debated in the Seanad, on the retention of telephony data. It was also decided not to deal with the more complex Internet provisions until an EU instrument had been agreed. I am glad to say the data retention proposals included in the Bill received a generally warm welcome. The urgency of ensuring that the Garda and Defence Forces could gain access to retained data in a controlled and supervised manner was acknowledged.

I have given this short background to the law and procedures relating to data retention in this country to put the record straight and also to place the Bill in its proper context. As we are all probably aware, agreement was never reached on the framework decision, and it was replaced by a directive of the European Parliament and Council, which is now being transposed in the Bill. It is normal practice, as provided for in the European Communities legislation, to transpose such directives by means of secondary legislation. Our legal advice suggested there would be no problem in using secondary legislation as our transposition vehicle. However, on the basis of later advice, it was decided for a technical reason to proceed by way of primary legislation. This partially explains the delay in publishing the Bill.

The preparation of the Bill was also delayed by prolonged consultations with service providers and, in particular, their representative associations and other interested parties. I express my appreciation of the constructive way in which the service providers entered into the consultative process. The process was long and, at times, complex, and negotiations are still continuing between the Garda Síochána and the representative associations on the implementation of the legislation.

The directive was adopted under Article 95 of the Treaty establishing the European Community, which provides for the adoption of measures for the approximation of provisions laid down by law, regulation or administrative action in member states which have as their object the establishment and functioning of the Internal Market. Ireland, supported by Slovakia, applied to the European Court of Justice to have the directive annulled on the basis that the choice of legal basis for the directive was fundamentally flawed. The Irish case was that neither Article 95 of the European Community treaty, nor any other provision of that treaty, could provide a proper legal base for the directive. Ireland submitted that the sole or at least main or predominant purpose of the directive was the investigation, detection and prosecution of serious crime. In those circumstances, Ireland submitted that the only permissible legal basis for the measures contained in the directive was Title VI of the Treaty on European Union, being the provisions on police and judicial co-operation in criminal matters. Articles 30, 31 and 34, in particular, were relevant. In a judgment last February, the court found against Ireland's application. The directive must now be transposed into national law and the legislation in Ireland is now well overdue. The European Commission has initiated infringement proceedings against Ireland in the European Court of Justice adding greater urgency to have the legislation enacted without delay.

I will now outline the provisions of the Bill which is relatively short and largely remains within the parameters established by the directive. The Bill has two main objectives. The first, at section 3, obliges service providers to retain data. The second, at sections 6 and 7, gives the relevant law enforcement agencies power to make a disclosure request for retained data and obliges the service providers to comply with such a request. I will explain these important elements in a moment but will first emphasise the importance of section 2.

Section 2 gives effect to Article 1.2 of the directive by providing that the Act does not apply to the content of communications. It does not, for example, apply to the content of a telephone conversation or an e-mail or to web browsing or websites visited. It simply allows law enforcement agencies in Ireland to seek information in regard to the who, where and when of a communication. In the case of the Internet, it obliges service providers to retain data equivalent to the type of telephony data that has been retained for many years. I would like, at this stage, to dispel another myth. Neither the Garda Síochana nor the Department of Justice, Equality and Law Reform will retain a vast database of information relating to the use of communications by our citizens. The fact is that the Garda Síochana, Permanent Defence Force and the Revenue Commissioners will be, under this legislation, able to request data information for the purposes established in the Bill and subject to the safeguards therein. It is the telephony operators and Internet service providers who will retain the data for the periods set out in the Bill.

Article 1.1 of the directive obliges member states to ensure that retained data is available for the purpose of the investigation, detection and prosecution of serious crime, as defined by each member state in its national law. This raises some important questions. I mentioned earlier that the intention was to transpose the directive by means of secondary legislation. This would have ensured that we could have avoided infringement proceedings. However, it was always intended to follow such secondary legislation with primary legislation. That legislation would have consolidated the data retention schemes for telephony and Internet data retention. More important, it would have allowed us to add to the list of purposes for which data could be sought. These are data necessary for safeguarding the security of the State and the saving of human life. They do not form part of the directive. The Bill consolidates the data retention schemes and includes provisions on State security and the saving of human life which means further legislation will not be required.

There has been much discussion on what constitutes a "serious offence". There are two basic points to bear in mind in any debate on what should be a serious offence for the purpose of the Bill. Currently, telephony data can be sought for the investigation of any offence. Any credible definition of "serious offence" used in the Bill will, therefore, restrict the offences for which data can be sought. There is no universal definition of "serious offence" in this country. The expression is described in some Acts as an offence punishable by a term of imprisonment of five years or more. However, such definitions are solely for specific purposes or Acts. Any offence that can be charged on indictment is, under our Constitution, a serious offence. This means it would have been feasible to define "serious offence" as any offence that carries a penalty of more than 12 months imprisonment. Following much thought and consultation with the Garda Síochana, I accepted a suggestion first made by the service providers that for the purposes of a disclosure request a penalty of imprisonment of five years or more would be appropriate. In addition, the First Schedule contains a handful of other serious offences, triable on indictment but with a maximum penalty of less than five years imprisonment, for which data can also be sought. This list was suggested by the Garda Síochana and represents its opinion on the offences for which it is essential it retains the ability to make a disclosure request, namely, offences carrying a penalty of up to five years imprisonment.

Regardless of how "serious offence" is defined, it will not affect the amount of data that is retained. It cannot be known in advance for what data may be required. The vast majority of data will not be required and will be destroyed after the appropriate time. However, by defining "serious offence" the amount of telephony data for which a disclosure request can be made will be less than under current law where data can be disclosed for the investigation of any offence.

It would have been possible under the terms of the directive to give every law enforcement agency in the country authority to make a disclosure request but this has not been done. In addition to the traditional role of the Garda Síochana and the Permanent Defence Force, I have given power to the Revenue Commissioners to make disclosure requests in respect of six specific revenue offences. The primary reason for the inclusion of the Revenue Commissioners in this Bill is to provide its investigating officers with access to communication data to assist them in tackling various forms of serious tax evasion that are undermining the collection of tax revenues in the State. Tackling tax evasion has always been a top priority for Revenue.

The Bill recognises the role of the Revenue Commissioners as a criminal law enforcement agency whose task it is to protect the Exchequer from fraud. Experience has shown that the lack of such access has been a hindrance in detecting certain cases of serious tax fraud and gathering the necessary evidence for the purposes of prosecution. This need is clearly justified and access to such information should improve the level of detection of serious tax evasion and the gathering of evidence necessary for criminal prosecution and will assist in depriving criminals of funds.

Modern telecommunications and the Internet are invariably utilised by those engaged in the type of illicit activities investigated by Revenue. For instance, documents encountered by Revenue officers in the course of investigating cigarette smuggling in maritime freight where bogus Bills of Lading are used, oil laundering and the distribution of laundered oil under cover of bogus invoices, alcohol fraud using bogus documentation, cross-border VAT fraud and other forms of serious tax evasion often include contact phone numbers which need to be traced and the identity of the subscriber established along with the usage of the phone if the investigation is to be progressed.

I find the case for access compelling and Revenue has given categorical assurance that requests for such information will be confined to investigations involving serious indictable revenue offences. I might add that the Revenue case for access has been supported in the past by the Attorney General, the DPP and An Garda Síochana and was one of the recommendations made by the Revenue powers group in its report to the Minister for Finance in November 2003.

Article 3 of the directive establishes the obligation to retain data and is given effect in section 3 of the Bill. It obliges service providers to retain telephony data for two years and Internet data for 12 months. Members may ask why two years and 12 months when the directive states between two years and six months? Under Part 7 of the Criminal Justice (Terrorist Offences) Act 2005 telephony data must be retained for three years. There are currently no statutory requirements in relation to the retention of Internet data. Some commentators have suggested that I am reducing the retention period for telephony data from three to two years to comply with the terms of the directive. This is not the case. Article 95(4) of the TEC states that if after the adoption of a harmonisation measure a member state deems it necessary to maintain national measures it can notify the Commission of those provisions and the grounds for maintaining them. The Commission has the power to approve or reject the national provisions involved. Following a re-evaluation by the Garda Síochana as to its requirements for the investigation of serious crime and safeguarding the security of the State, it was considered that a two year retention period for telephony data would be sufficient. Similarly, the 12 months retention period for Internet data is deemed to be the minimum necessary in respect of that data. Most retained data that is the subject of a disclosure request was generated or processed in the previous six months but the quality of longer held information makes retention periods provided for in the Bill necessary for efficient law enforcement and State security. I would suggest there is never a good time to deprive our law enforcement agencies of a vital weapon in the constant battle against criminals and terrorists who themselves are adept at using modern technology and now is certainly not a good time.

Section 4 ensures that the same level of security will attach to data retained under this Act as is retained for other purposes. It gives effect to Article 7 of the directive. The providers must destroy the data as soon as the retention periods have expired. However, one month’s grace is given to enable the data to be actually destroyed. Apparently there is more to destroying the data than simply pressing a button. This section also provides that the Data Protection Commissioner will be the supervisory authority in Ireland for the purpose of both the Act and the directive. The appointment of a supervisory authority is required by Article 9 of the directive.

I accept that in the light of some significant breaches of data security in recent times, such as the theft of laptops with unencrypted material, there is some concern about the security of retained data. There is an increasing appreciation of the need to ensure the highest level possible of security on data that are in the possession of service providers for use for their own purposes and the legislation can do no more than apply that heightened level of security to the data retained for the purposes of compliance with this Bill. In doing so, the legislation complies with the security requirements of the directive. Following the recent breaches of security, I established a data protection review group which I understand is almost ready to publish a consultative document describing the issues from a legal, technical and regulatory perspective. I hope that interested parties will contribute their views on the consultative document so that it will be in a position to begin writing its report without delay.

Section 5 repeats section 64(1) of the Criminal Justice (Terrorist Offences) Act 2005. It sets out the circumstances in which the service providers can access data retained under the Act.

Article 6 of the directive requires member states to adopt measures to ensure that data retained in accordance with the directive are provided only to the competent authorities in accordance with national law. This requirement is given effect in the Bill at section 6.

Section 6 establishes who can make a disclosure request and for what purposes. Unlike some other countries, the ability to make a disclosure request is confined to just three law enforcement agencies: the Garda Síochána, the Permanent Defence Force and the Revenue Commissioners. A member of the Garda Síochána not below the rank of chief superintendent will be entitled to make a disclosure request for the purpose of the prevention, detection, investigation and the prosecution of serious crime, safeguarding the security of the State and saving human life.

There are three differences between the powers of the gardaí under section 6 and the analogous provisions in the 2005 Act. Under the 2005 Act, the gardaí could make a disclosure request in respect of any offence, and not just a serious offence, and they could not make a request in respect of the saving of human life. Also, the 2005 Act did not provide for disclosure requests in respect of Internet data. These are three very desirable differences.

A colonel in the Permanent Defence Force will be able to make a disclosure request for the purpose of safeguarding the security of the State. This repeats the analogous provision in the 2005 Act but with the addition of the relevant Internet data. I have already mentioned that this provision could not have been included in a statutory instrument transposing the directive as safeguarding the security of the State is outside the scope of the directive. That is because of the legal base used for the directive.

For the first time, the Bill gives the Revenue Commissioners power to make a disclosure request in respect of six named revenue offences. These all come within the definition of serious offence in that they are all triable on indictment with a penalty of imprisonment of five years. As with requests from the Garda Síochána and Permanent Defence Force, requests will made by one person, in this case a revenue officer of at least principal officer rank. This is a highly desirable initiative. Deputies will recall a recent statement by the Revenue Commissioners of the likelihood of increased tax evasion in these economically difficult times.

Sections 9 to 12 in one way or the other provide safeguards to ensure that the data retention scheme is not misused. Section 9 gives effect to Article 10 of the directive under which member states are obliged to forward to the Commission statistics of the use of data retention during the previous year. Because so few Irish authorities have the right to make a disclosure request and because such requests are centralised, the compilation of statistics in Ireland is relatively straightforward. This year, we were one of the first countries to return telephony statistics, even though the legislation transposing the directive was not in force. The statistics will be compiled by the three law enforcement authorities with the right to make disclosure requests. The Garda Commissioner will forward Garda statistics to the Minister for Justice, Equality and Law Reform, the Chief of Staff of the Permanent Defence Force will forward statistics to the Minister for Defence and the Revenue Commissioners to the Minister for Finance. The Ministers for Defence and Finance will review the statistics submitted to them respectively before forwarding them to the Minister for Justice, Equality and Law Reform for transmission to the European Commission. In this way the Commission will be in a position to monitor the operation of the data retention provisions throughout the EU.

Under Article 14 of the directive, the Commission will submit to the European Parliament and the Council an evaluation of the application of the directive and its impact on the service providers and consumers, taking into account further developments in electronic communications technology and the statistics provided under Article 10. The evaluation will inform a view as to whether it will be necessary to amend the directive, in particular with regard to the list of data and the periods of retention. The results of the evaluation will be made public.

The safeguards provided at sections 10 to 12 are essential for the proper operation of the legislation. They are of the utmost importance in ensuring public confidence that the legislation is not being misused and will also reassure the service providers that it is only used for the stated purposes. Section 10 provides for the independent complaints procedure. It provides that where a person believes that data relating to him or her and in the possession of a service provider have been accessed following a disclosure request, that person may apply to the complaints referee for an investigation into the matter. Section 11 provides for an invitation by the President of the High Court to a serving judge of the High Court to undertake the duties of keeping the operation of the Act under review. Section 12 sets out those duties. These safeguards already operate satisfactorily for the retention of telephony data under the 2005 Act so there is no need at this stage for me to explain them in further detail.

There are two Schedules to the Bill. The first lists the indictable offences that have a maximum prison sentence of less than five years for which the chief superintendent of the Garda Síochána will be enabled to make a disclosure request. The offences include identifying an officer of the Criminal Assets Bureau, administering substances capable of inducing unconsciousness or sleep, reporting child abuse knowing it to be false and corruption of public officials.

The second Schedule gives effect to Article 5 of the directive. It lists the categories of data to be retained by the service providers. There can be argument and indeed disagreement as to the extent of the data mentioned in Article 5. This is especially so in the context of rapid advances in technology. For that reason, a committee of experts has been established by the European Commission to interpret and explain the directive in the light of prevailing circumstances and to give a guide as to what data need to be retained and, equally important, what does not need to be retained. Ireland is represented on that committee. Also, it would not be possible in legislation to set out exactly what each provision means, in particular, as I mentioned, when some requirements may be open to more than one meaning in the light of further advances in technology. The service providers and the Garda Síochána, Permanent Defence Force and the Office of the Revenue Commissioners have been in discussions for some time on drawing up a memorandum of understanding in which each can agree on what is required to be retained. Work on the memorandum is advanced and will be completed when the legislation becomes law.

In this introductory speech on the background, content and implications of the Communications (Retention of Data) Bill 2009, I have attempted to place the Bill in its proper context. Nothing new is created in the Bill; it does no more than extend, with some changes, existing obligations relating to telephony data to internet data. I would again emphasise the importance of data in the investigation of serious crime and safeguarding the security of the State. On a regular basis, one reads in the newspapers reports of telephony data given in evidence in some of the most notorious trials in recent years. We cannot expect the Garda Síochána to solve complex crimes if we do not give it the means to do so. Of course, we have to provide safeguards to ensure those means are not misused and this Bill provides the same safeguards as are available under the interception of communications provisions. This despite the fact that the intrusion into persons' privacy under this Bill is minimal.

I reiterate that the content of communications cannot be retained or disclosed under the Bill. This means, for example, that the law enforcement agencies cannot obtain information on the social networking sites that persons access. This may be regarded in some quarters as lessening its impact but, in the context of preserving privacy and compliance with international human rights instruments, I see it as one of its strengths.

I mentioned earlier that, for various reasons, the preparation of this Bill has been delayed. The present situation is that the European Commission has commenced infringement proceedings against Ireland before the European Court of Justice. Therefore, it is in all our interests that the Bill pass speedily through the Oireachtas and become law as soon as possible. While I look forward to a full debate on the Bill, I also look forward to its early enactment.

I welcome this Bill before the House. Fine Gael will be supporting it. Some issues of detail will be addressed on Committee Stage and I hope the Minister will be able to allay these concerns. Data retention has become a hugely important issue over the past decade. A range of factors including the proliferation of communications technology, the re-emergence of the threat of global terrorism and the insatiable demands of the marketing fraternity have put data retention issues at the forefront of national and international agendas.

Accordingly, I am somewhat surprised that it has taken three years to draft a Bill to facilitate the transposition of the EU data retention directive into Irish law, particularly as the Bill itself is so short. I listened with interest to what the Minister said regarding the delay on the matter of the preparation of the Bill. In the context of the recent debate on the Lisbon treaty and our relationship with the European Union, it is important that scrutiny committees in this House on matters European gain more attention. Some of the House committees might be reorganised to take these matters into account.

I note that Ireland has opted for a maximal retention scheme within the margin permitted by the directive. This has caused concern among some civil liberty advocacy groups, who are concerned about protecting the privacy rights of citizens. I understand their concerns and the Bill must have strong safeguards to ensure that the new system of data retention is not vulnerable to abuse. Moreover, should abuses be detected, there must be a commitment to immediately address any shortcomings. The Government is committed to compile a statistical report for the European Commission to show how many requests have been made by each State body covered by the Bill, and that telephone and Internet monitoring will be overseen by a High Court judge.

It is important that we look at what other jurisdictions have done under the directive. The UK system requires a surveillance commissioner to produce a substantial report every year to include statistics on problems that have emerged and what is being done to address them. Perhaps the Minister envisages a similar reporting style for the designated High Court judge who will be appointed under this Bill, or perhaps this will come under the remit of the Data Protection Commissioner , whose own office is under threat following the McCarthy report and other Government proposals on quangos and agencies. It is important that these particular provisions under this Bill be subject to annual reports, but also to annual reviews. A committee of the House should have the opportunity to deal with that review and report in some detail.

Section 12 of the Bill requires the designated judge to "include, in the report to the Taoiseach ... such matters relating to this Act that the designated judge deems appropriate". Will the judge's report include a list of problems with the legislation and solutions to those problems, as per the model in the United Kingdom? Will the President of the High Court consult the Government in the selection of the designated judge? Does the Minister believe it necessary to appoint a judge who has experience ruling on matters concerning data retention and privacy issues? We often include nothing more than aspirations that judges be designated to deal with certain issues and do no more than comply with a directive or what might be regarded as a safeguard. There is very little else done to ensure a positive, active role and function for that designated officer. What resources have been identified to allow the designated judge to fulfil his role? Will the judge appointed have his own office, including personnel? How will this impact on the day to day to work of that particular High Court judge, as such judges are very busy people in their own right? The designated judge will have an important role to play, so it is essential that he or she is supported by the Government in carrying out this work. Too often in the past, the Government has appointed good people to important jobs monitoring State activity and then starved them of resources or ignored their recommendations. We can get back to this on Committee Stage, but perhaps the Minister might deal with them at the end of this debate.

In respect of the provision to introduce a referee to scrutinise how data retention is implemented following complaints by members of the public, some critics have argued that this safeguard is undercut by leaving it up to an individual to determine whether his or her data has been accessed for an investigation. The lack of transparency about this process has been highlighted. I would like the Minister to give his views on this matter.

This Bill requires Internet service providers to retain, for a period of 12 months: the telephone number, the user ID and the registered address of the user or subscriber; the same information for the destination of the communication; the date and time of log-in and log-off, together with IP addresses; and data necessary to identify the equipment of the user. In the same manner, telephone providers are obliged to retain for two years: the calling phone number, and the address of that subscriber or registered user, dialled numbers, and the address to which that number is registered; the time at the start and the end of that communication; subscriber information for mobile phone users; and geographical information as to the location from which the call is made.

As we have seen in a number of recent high profile cases, records of mobile phone signals being detected and of e-mail correspondence have contributed enormously to the assemblage of circumstantial evidence in criminal trials. I welcome that development. Building a comprehensive body of evidence is essential to reach the high standard of proof in criminal trials. The EU data retention directive takes cognisance of that fact. Naturally, such information can help to prove innocence as well as guilt. Neither the directive nor the Bill allows the State to intrude into the content of phone calls, letters or e-mails. Section 2 of the Bill is worth stating, as there have been some misleading comments on data retention. It reads, "This Act does not apply to the content of communications transmitted by means of fixed network telephony, mobile telephony, Internet access, Internet email or Internet telephony." Given the history of gross invasion of journalists' privacy carried out by a Fianna Fáil Administration in the 1980s for political gain, this is an important provision. I am pleased the Minister has made specific reference to it.

When other jurisdictions speak about data retention and terrorism, they are generally referring to international terrorism. However, in Ireland we have a dual problem. We must play our part in the fight against international terrorism while combating particular terrorism within our jurisdiction and that of our neighbour. I recently received a telephone call at my office from a concerned citizen informing me that dissident republicans are using the Internet to recruit members. I was directed to a website used by the 32 county sovereignty movement to recruit members and spread bile and hatred in this jurisdiction and beyond. This group has, reportedly, been recently engaged in vigilante activity in Cavan, Fermanagh and Cork. The use by this group and its fellow travellers of the Internet is not surprising, given that since its creation the Internet has been used on the one hand for great good and, on the other, sadly, to evil effect. It is a straightforward, if covert, way for dissident republicans and terrorists to get their message out and recruit members. Therefore, in the context of this Bill, we can see how the retention of Internet data for a period of 12 months is significant.

It is regrettable that there has been an upsurge in dissident republican violence this year. In Northern Ireland a large number of bombs have been planted, members of the police attacked and in some tragic cases lives have been lost. There seems to be a determination on the part of some murderers to attack innocent people going about their jobs protecting both communities in Northern Ireland. It has been acknowledged by the Garda Commissioner that while these groups are a greater threat to life in the North than in the South, nevertheless they are active in the South and their movements are being monitored by the Garda Síochána. I welcome this and urge the Minister to keep in close contact with the Garda authorities on the matter.

I hope data retention measures will help to combat the scourge of renewed paramilitary activity by facilitating intelligence and evidence gathering and bringing these criminals to justice before they inflict further carnage on this island. The lines are often blurred between dissident republicans and gangland criminals. While many dissident republicans have made a fortune from drug smuggling, using routes formerly exploited for the importation of arms, drug gangs without paramilitary links have recruited terrorists from time to time as mercenaries to carry out attacks on rivals. Last year, there was a fourfold increase in the number of grenade and pipe-bomb attacks in Dublin. Gardaí believe these devices to have been the work of dissident mercenaries helping drug gangs. The INLA, in particular, is thought to be playing a key role in this development.

Figures show that in 2008 there were more than 100 separate bomb attacks involving crime gangs and dissident republicans in the Dublin region, compared to 24 the previous year. This extraordinary and disturbing increase requires attention. We are fighting terrorism on three fronts currently, dissidents involved in gangland crime, dissidents involved in terrorism in the Border area and international terrorism. Therefore, the ability of the Garda to access certain types of communication data will undoubtedly assist in the struggle to keep communities safe from gangland criminals.

At a more local level, the Bill will be of assistance to agencies such as the Criminal Assets Bureau, which comprises both gardaí and Revenue officials as well as representatives of the Department of Social and Family Affairs. Computer analysis is already an important tool used by the CAB in building a case against alleged criminals. This Bill will assist in that regard when enacted.

A number of concerns have been expressed by advocacy groups and business interests. I understand the Irish Human Rights Commission has expressed concern about the broad provisions of the Bill and is currently joined, as an amicus curiae, to a High Court action being taken by Digital Rights Ireland against the State on grounds relating to data retention. I am not aware whether the Minister consulted with the Human Rights Commission when considering appropriate safeguards in the Bill, but I believe consultation with civil liberty and human rights groups is important. It is essential we strike a balance between introducing measures to protect people’s safety and security and the infringement of citizens’ right to privacy. We do not want this legislation to be incompatible with or to adversely affect the European Convention on Human Rights.

The Telecommunications and Internet Federation, TIF, expressed concern some time ago about the costs this Bill will place on operators. As well as the TIF, numerous business leaders, including the past chief executives of Oracle Ireland, Microsoft Ireland and lona Technologies, have expressed concern that Ireland's data retention policies are a potential deterrent to business, especially to inward investment. Will the Minister clarify whether he or his officials have met with the TIF and other concerned parties and will he outline what measures, if any, he has taken to meet their concerns?

Fine Gael members have been concerned about the matter of data retention for some time. We are aware there is concern in the public domain about privacy matters, a concern that has grown due to the careless loss of personal data by a range of institutions, companies and State departments in recent years. Last October, my colleague, Deputy Simon Coveney, introduced a Private Members' Bill proposing a new disclosure law which would create a legal obligation on organisations to disclose within a certain period of time any breaches of data security. Deputy Coveney argued that such an obligation would create a strong incentive for all organisations to ensure that their data protection procedures were adequate, in order to avoid the potential negative publicity that would come with having to disclose a breach of customers' sensitive personal data.

Fine Gael takes the view that people have a right to know if their personal data are used. They must also have a right to know when organisations mishandle their personal information. We should look at the possibility of ensuring that no financial or sensitive data will be held on laptops. I recognise this might cause difficulty, but it would be a way of dealing with a huge problem, one that is treated with carelessness, particularly on the part of banks and financial institutions. The State has also been culpable in the manner in which laptops containing sensitive information have been left in places where they should not have been. To compound matters by failure to disclose is unacceptable. Disclosure laws are essential to alert people to the fact they may be potential victims of identity fraud or theft. People must take the precautions necessary to minimise the risk of such fraud occurring.

Disclosure laws are essential to alert people to the fact that they may be potential victims of identity fraud. People will have to take the precautions necessary to minimise the risk of such fraud taking place. Furthermore, the existence of a disclosure law would guarantee the presence of a catalogue of information regarding identity theft which helps law enforcement organisations. This would help research organisations, too, and inform us as policy makers and legislators.

It was a pity that the Government failed to engage on these proposals earlier this year. We can come back to that, perhaps, on Committee Stage and see whether we can incorporate the type of safeguards that were envisaged by Deputy Coveney in his legislation. Looking at the Fine Gael Bill on disclosure and the current Bill we can see that the Government's viewpoint is from the perspective of the State institutions and how to increase their rights. The rights of the Revenue Commissioners and the powers of the Garda Síochána and the Defence Forces are being enhanced and further developed in this legislation. The Government is granting power to State institutions whereas what we were doing in the matter of disclosure was to look at it from the viewpoint of the citizen, advancing or indeed protecting people's rights. It is important, therefore, that we should have a balance. It is a pity that there was not appropriate engagement on the part of Government earlier in the year because I believe that any debate on the retention of data such as we are having would be far more balanced if the State took the rights of the citizen into account alongside the need of certain State institutions to combat serious crime and fraud.

I support the Bill. There are some concerns which can be addressed on Committee Stage. More than anything else, when considering this legislation we must bear in mind the need to strike a balance between fighting crime on the one hand, and protecting privacy and citizen rights on the other. The introduction of robust safeguards to ensure that we can strike such a balance is important.

That we are only now transposing a directive which was agreed in 2006 is typical of the manner in which the Government has been remiss in its obligations vis-à-vis the transposition of EU directives in general. Ireland is behind the curve again because our European counterparts, in some instances, are already preparing to undertake a review of the directive that we have yet to transpose.

This House, for the first time, will bring about legislation specifically charged with the retention of communications data. This legislation is so flawed that it will have to be completely rewritten if the Labour Party is to support it. It is bad for business, too costly to implement, undemocratic and the oversight provisions are too weak. I hope it will be significantly amended to make it more realistic and not the sham we have before us.

The reason for Ireland's delay in following our EU counterparts in introducing such a Bill is well documented. An attempt by previous Administrations to exclude the European Parliament and the European Court of Justice delayed the adoption of the directive here. Thankfully, with the exception of Slovakia, the overzealous and restrictive measures favoured by the former Minister for Justice, Equality and Law Reform, Michael McDowell, curried little favour in Europe. This directive was seen as the lesser of two evils by the Party of European Socialists in the European Parliament, in 2004-05. This is where we differ with the Minister's interpretation in terms of the historical perspective of the directive.

Following the Madrid bombing in 2005 the Irish, British and two other governments came forward with proposals for a third pillar intergovernmental decision on data retention. Such a measure would have been adopted by the Justice Council with consultation rights only for the European Parliament and no oversight role for the European Court of Justice afterwards. This course of action was opposed by the Commission and the European Parliament, largely on the grounds that such a measure should be approved by the European Parliament. The Commission then issued a proposal for a draft directive in September 2005 and the socialist group negotiated amendments in the European Parliament and adopted it December.

One of those amendments concerned a full review of the measure in September 2010. My colleague in the European Parliament, Mr. Proinsias de Rossa, MEP, voted in favour of the compromise and the four Fianna Fáil MEPs at that time abstained. The directive was approved by the Council in 2006 and was to have been transposed into Irish law by September 2007. However, the then Minister, Mr. McDowell, took a case to the European Court of Justice, arguing that the Council had no authority to adopt the directive and that only a third pillar initiative was permitted. The Government refused to transpose the directive while this case was ongoing. In response the European Commission began legal proceedings over Ireland's failure to transpose. Last February the European Court of Justice rejected the Government's argument and upheld the directive.

My understanding is that civil liberties groups did not have an opinion about the four countries' initiative in 2005, but had written in opposition to the draft directive. If there were no directive, it could be argued, it is likely that the four countries' initiative would have been adopted. In that context there are two views that can be taken on the directive, and consequently this Bill. One is that we transpose and thereby pass the Bill into law without question and accept it as a fait accompli. The second is that we seek to amend the Bill and ground it in reality by addressing the cost of its implementation for businesses and the issue of oversight. The Labour Party takes the view that there are circumstances in which data retention is needed and useful. However, there are some many flaws in the proposed legislation that it would have to be considerably amended before we could be satisfied with its passing into law. If we take the historical perspective and the context in the which the directive was fashioned, then we must speak of the Madrid bombings and the Omagh atrocity, which occurred prior to the instigation of the directive. However, much water has passed under the bridge and the need to transpose and legislate remains. We have an obligation in that respect.

It could be argued that this legislation has been superseded in some respects by the surveillance Bill in its use as a crime prevention measure. Whether this Bill is a complement to recently adopted legislation is open to question. Generally speaking, the provisions within the Bill must be such that they are only allowed in clearly prescribed circumstances and we must guard against any nefarious use of the Act when it comes into force. The provisions must be subject to democratic review. They must also be subject to proper judicial review.

A criticism of the Bill relates to its timing. I have already stated that we are behind the curve and Ireland should now be preparing for the 2010 review of the directive. It should also be pointed out that the European Court of Justice will now be bound by the data protection article of the Charter of Fundamental Rights because of Lisbon. If there are claims from any quarter that this represents excessive interference from Brussels, it would be my view that Mr. McDowell's alternative was far more draconian and that the Fianna Fáil-Progressive Democrats arrangement originally sought to extend this measure to the entire EU. If one argues this Bill from the civil libertarian perspective, then I respectfully suggest that the only alternative was Fianna Fáil's original proposal. It is better that, rather than having "an intergovernmental measure", we have a "Community measure" that gives a voice to the European parliament, and gives the European Court of Justice a meaningful role.

Concerns have previously arisen as to the nature and specifically the volume of requests made for retained data. Previously, Deputy Brendan Howlin highlighted how, in 2006, there were 10,000 Garda requests for access to personal telephone records under powers arising from the amendment to the Criminal Justice (Terrorist Offences) Act. This amounts to almost 30 requests for every day in 2006, and it is evident that a review of the practice has been long required. That we are finally to address this directive with a Bill is positive but it is not without its perils.

The Labour Party fully supports data retention but only for specific circumstances. With these powers, there is a responsibility, and it is our hope that through the legislative process we will address some of the ambiguities and issues arising from what has been presented in the Bill. I am concerned with the provisions in the Bill in regard to the timeframe within which data will be retained by service providers. There are concerns also in regard to costs undertaken by those service providers to adhere to such a provision. It is our considered view that the minimum period of six months may be sufficient. However, we will take this under advisement and speak about this on Committee Stage. I fear that if the maximum allowable retention period will be two years, then we will open this process to an abuse and the cost to business will reduce competitiveness and will ultimately affect the consumer.

I fail to see how 10,000 requests per annum could possibly be pertinent to a serious crime investigation. Further, the lack of a role for the Garda Ombudsman is of itself a cause for concern. Where an officer of the Garda Síochána Ombudsman Commission is investigating a complaint against a Garda that may involve a criminal offence, the officer of the commission has all the powers, immunities and privileges of a member of the Garda Síochána. This includes common law powers and powers under any Act, whether passed before or after the Garda Síochána Act 2005. So, it seems that officers of the Garda Síochána Ombudsman Commission will have the powers vested in the Garda under this Bill. While this is reasonable, it raises the question as to why the Garda Síochána Ombudsman Commission and its officers have been specifically excluded from exercising the powers to be vested in gardaí under the Criminal Justice (Surveillance) Bill. Consistency in application would require that the ombudsman commission should have investigative powers equivalent to those of gardaí under both these pieces of legislation. What is the reason for excluding the ombudsman commission under one Bill and including it in the other? I hope the Minister will address this point.

On the issue of oversight, I must ask whether the Minister is seriously asking this Legislature to accept section 11 as it is worded at present. If we speak specifically to the issue of oversight, section 11 would have to be modified to give a more structured role for judicial oversight other than that which is proposed. The wording in sections 11 and 12 is as weak as water and pays lip service to the notion of oversight. There is no provision for redress for a person who has been investigated inappropriately under this provision. There is no provision for a Revenue officer, member of the Garda Síochána or member of the Permanent Defence Force to be brought to book where a misuse or abuse of the process is proven. The oversight process must investigate an adequate number of files and this must be on a random basis.

The question again arises as to what real powers a judge has in regard to any abuse of process. There is none that I can see in the Bill. I refer the Leas-Cheann Comhairle to the Bills Digest produced by the Oireachtas Library, which produced an excellent paper on this matter, and I acknowledge its invaluable service in this respect. On the matter of judicial supervision, the paper states: "In carrying out his-her duties the judge may investigate any case in which a disclosure request is made, communicate with the Taoiseach or the Minister concerning disclosure requests, and the Data Protection Commissioner in connection with the Commissioner's functions under the Data Protection Acts 1988 and 2003." While this oversight broadly echoes similar approaches used in, for example, the Criminal Justice (Surveillance) Bill 2009, Mr. Tom McIntyre, speaking in the context of the Criminal Justice (Terrorist Offences) Act 2005, raised concerns about the effectiveness of this form of supervision scheme. He stated:

. . . this oversight system has been almost entirely opaque from the outset. The annual reports of the Designated Judge — since the position was created in 1993 — have consisted every year of no more than a single line stating that the operation of the Act has been kept under review and its provisions have been complied with. There has been for example no discussion of what steps have been taken to keep the operation of the Act under review; whether the individual files were reviewed; the volume of surveillance being carried out; and whether mistakes were made in carrying out surveillance (such as targeting of the wrong individual or number) and, if so, what steps were taken to safeguard against such mistakes in future. There is similarly no publicly available report of the Complaints Referee indicating what complaints, if any, have been made and-or upheld. This may be contrasted with the most recent Annual Report of the UK Chief Surveillance Commissioner which reveals, amongst other things, that 23,628 authorisations for directed surveillance were granted to law enforcement agencies; and 60 different law enforcement agencies were inspected during the year. . .

The reports of the designated judge are not exactly what one would call models of transparency. There is no reason that we should not have a provision in the Bill which would guarantee that statistical data is made available. There is an irony in that because, if one examines section 9 of the Bill, one will see there is provision for an annual statistical report to the European Commission, as required by the directive, but not to the Oireachtas or to Irish citizens. At least this report should be laid before the Oireachtas.

The opaque nature of the Irish oversight system also becomes obvious when compared with the equivalent report in the United Kingdom. The relevant official in the UK is the Interception of Communications Commissioner. That individual is a retired judge who has similar functions to our designated judge. However, his most recent annual report runs to 24 pages in total, nine of which are devoted to data retention issues. Granted, the UK system is on a much larger scale, but one key difference is that the UK commissioner does not see his role as limited to the narrow question of legality — instead his report goes into detail about mistakes which were made and explains what is being done to prevent further mistakes. It would be desirable to establish a greater role for the designated judge along these lines. I hope we can address those issues on Committee Stage.

The functions of the designated judge and complaints referee are too limited. One of the problems with the role of the designated judge under section 12 is that it envisages him or her as being engaged in a largely paper-based exercise. Section 12 gives the designated judge "the power to investigate any case in which a disclosure request is made". Let us suppose however that a junior garda informally pressurises an Internet service provider, ISP, employee to hand over information — perhaps for some private purpose. In that case no "disclosure request", as defined in section 6, would have been made, thus leaving a question mark as to whether the judge has any power to investigate. It might be possible to read section 12 widely to find such a power — but it would be desirable for it to be made clear.

The judge's role under section 12 is also limited to "ascertain[ing] whether the Garda Síochána, the Permanent Defence Force and the Revenue Commissioners are complying with" the Act. As such, the judge does not appear to enjoy any power to, for example, make sure that ISPs and telcos are storing this information securely or are responding appropriately to requests.

Similarly, the role of the complaints referee under section 10 hinges on there being a "disclosure request". As such, he or she would have no power to investigate if, for example, a newspaper were to bribe a telecoms employee for access to information. I refer to a recent case where a red top, which I will not name, was recently implicated in a similar phone tapping scandal. Those problems are to some extent mitigated by the fact that the Data Protection Commissioner might investigate those situations but the Data Protection Commissioner will not have the same oversight powers. The Act should clarify the functions of the designated judge and complaints referee and make clear what is to happen in borderline cases.

There is uncertainty about to whom the Bill will apply. The Bill takes, essentially verbatim, the loose language of the directive and in section 1 defines a service provider as "a person who is engaged in the provision of a publicly available electronic communications service or a public communications network by means of fixed line or mobile telephones or the Internet". Those are wide, and imprecise definitions and given that specific statutory obligations are created an element of doubt can arise. There are many various applications and we do not know how the provisions would apply to or affect those who use webmail, webmail-like applications, open WiFi, and voice Internet messaging. The list is endless. There is such a broad scope and range of technologies that it is our view that the definitions need to be clearer. That will cause panic and confusion across the sector and will have seriously damaging consequences for Ireland's ability to promote itself as a destination for high-tech industries.

I wish to read into the record a copy of a letter received by the Minister from the ICT Division of Engineers which speaks further to the concerns they have about the Bill:

We first observe that electronic data is diverse, and increasing in its diversity. Telephone, mobile phone and text messaging are well established, along with electronic email messaging. However, in many communities it is now more common to use social networking sites — such as Facebook, Bebo, and LinkedIn — for direct person to person, and person to group communication. Such communications use a different technology than email, and cannot necessarily be detected by software which specifically tracks email. Further, direct internet messaging — such as AIM, MSN, Yahoo Messenger and Skype messaging — are also extremely common. Finally of course Twitter is also now perhaps the most prevalent of them all, and can be used both for instant person to person communication, as well as person to group communication. No doubt next year, there will be another new communication technology..

Our concern is that as criminals become aware of the legislation pertaining in Ireland, they may well be able to displace their electronic communication modes to new ones for which legislation has yet to be passed. [That issue needs to be raised as well.]

On a different track, we would note that in today's world, much electronic communication is international in nature. Correspondents (of instant messaging, email, social networking, twitter and so) may not always be within the Irish jurisdiction, and not even within the EU. We gently draw this to your attention, and assume your legal advisors are considering the consequences of capturing information relating to citizens and companies from outside the EU who may not be covered by Irish legislation. [That point must be addressed by the Minister in response to this debate.]

With today's falling costs of storage, there is no particular great concern over the cost of the physical hardware. However, safely and securely storing and then retrieving (perhaps after several years) increasing quantities of information does have implications on the business processes of the service providers concerned.

There is the aspect of capturing the information in the first instance, based on the number of modes of communication. That will run into billions if one takes the two year retention period into account. That issue will have to be addressed. Following that, there is a significant cost implication for businesses as a result of that. In this country we are talking about the possibility of a smart economy. What the legislation does is incur a further cost on businesses by virtue of the data retention period. Wider issues arise in terms of the jurisdiction of the legislation vis-à-vis the fact that we trade internationally and messages pass internationally. That is something that must be addressed by the legislation.

No justification has been given for a two-year retention period for phone data. Under the directive, member states are free to choose a data retention period between six months and two years. The UK adopted a standard 12 month period. I am not aware of any justification as to why the Bill opts for the maximum two years for telephone data. The European Commission's own research on police requests for data has shown that the overwhelming majority of requests are for data which are less than three months old. If the Garda experience is different then some evidence to that effect would be desirable.

As to the budgetary implications of this legislation, I have serious reservations about the undue cost that would be borne by businesses as a result of that measure.

Again, I refer to the Oireachtas research service that focused on the budgetary implications. It stated the Bill is silent on the likely costs to be involved in implementing and complying with the provisions of the directive. According to the status report on the transposition of the directive by EU member states and EFTA and the regulatory impact assessment prepared by the Department of Justice, Equality and Law Reform, the State will not reimburse service providers the costs involved in complying with the obligations under the Bill, even though "service providers have complained that management of data would impose heavy costs that they would in turn have to pass on to businesses and consumers". The net effect of the legislation, arguably, is that we will retain all sorts of data, 99.9% of which will be superfluous messages that pass between ordinary citizens. This will be stored by the service providers. There will be a cost for that storage and the consumer will end up paying that cost.

I accept the principle that there must be data retention. However, there must be balance in terms of how long it is retained and whether it is necessary to retain data for two years. I believe it is unnecessary. It is impractical and in the context of crime prevention measures, I am not convinced that retaining data, particularly Internet data, for a period of two years will catch more criminals or undo a terrorist organisation. We must exercise a little common sense in our approach to the legislation. With that in mind, we will seek to amend the legislation significantly to reflect our views.

This is a very important Bill relating to the retention of data. Since I was first elected to the House in 2002 I have argued that while I accept there is a requirement to retain some level of data, we should not go down this road unless there is legislation to protect that data, give power to the Data Commissioner to investigate and have full access to what is being retained and provide for protections and safeguards to ensure nothing untoward can happen with the data that is retained.

People have argued that the reasons for data retention are mainly to help law enforcement agencies and make it easier for those agencies to secure convictions quickly. There is some logic to that argument. However, consider the rapidly changing nature of the data we are discussing — we are talking about telecommunications and, in particular, the significant use of the Internet — and the rapid turnaround of mobile telephone numbers and mobile telephones. Two year old data would be obsolete and, in fact, might end up hampering criminal investigations by causing the diversion of time and resources to chasing up culs-de-sac. The connection between information retained two years ago and somebody who had access to a mobile telephone two years ago might not lead to the expected results.

The proliferation of telecommunications and other forms of digital media has made data retention a great deal easier. Now, one can retain data by pressing a button whereas back when Sherlock Holmes and others were investigating crimes everything had to be written in longhand and duplicated. They did not have access to technology. By pressing a button one can retain all the bills for mobile telephones and all the connections made between one mobile telephone and another. The same applies to computers. A very significant amount, probably too much data, will be stored. It then becomes a difficulty when one must interrogate the database to glean some type of information which might offer a lead, only for that lead to end up in a cul-de-sac. Obviously, the Garda and other law enforcement agencies are accustomed to chasing leads that bring them down culs-de-sac, but given the potential scale of the data we will be retaining the potential for many culs-de-sac is overwhelming. Also, given the fact that the Garda Síochána is hampered by not having the best equipment or the required number of gardaí dedicated to tackling crime, because many of them are stuck behind desks where they should not be, it means valuable time could be wasted. There are major problems in thatregard.

A six month data retention regime would probably be far more efficient and help law enforcement agencies across the European Union. This Bill was triggered by our failure to transpose properly into Irish law what was required under a European Union directive. I believe it was in 2002 that the former Minister, former Deputy Síle de Valera, in the last item of business of that Dáil, rushed through the data retention legislation with little scrutiny or thought. It provided for retaining data for over three years, rather than for a maximum of two years as the European Union had requested.

Obviously, the Garda Síochána, with the additional powers it has been given and with the ability to seek judicial power to retain certain data, could identify the key targets it has rather than have the wholesale trawling exercise for which this type of legislation provides. Every last item of telecommunication or correspondence will be retained. I might pick up my telephone and dial a number inadvertently which reaches somebody who, in two years, might be the subject of an investigation. What if I dial that number and then sit on the telephone and it rings the number ten times again? That has happened. The first name in the telephone book in my mobile telephone is my wife's. If I sit on the telephone, it might ring that number ten times. However, what if the wrong telephone number is the last number dialled? I could become the subject of a criminal investigation two years hence, with all that it entails, if that number happened to belong to somebody who warranted a criminal investigation. This applies to hundreds of thousands, if not millions, of mobile telephone numbers and mobile telephone users across the European Union.

There is major concern about this data and the failure of the European Union, particularly of some member states, to put in place proper data retention safeguards. A 2007 report, the Privacy and Human Rights Report, ranked different countries in the European Union in this regard. It refers to the endemic surveillance society — the "Big Brother" concept. The report found that the 12 member states, including Ireland, which it examined were involved in a systematic failure to uphold safeguards. Nine member states were held in the report to have some safeguards but weakened protections. Only one member state, Greece, was described as having adequate safeguards against abuse. There is a potential for abuse and one could have inadvertent incidents, of which I could cite many more examples, or miscarriages of justice.

In respect of data retention, Ireland and ten other member states were awarded the lowest grading of "extensive surveillance/leading in bad practice". Under the directive, retention is required for between six months and two years. In Britain, the standard retention period is 12 months, whereas under these proposals data will be retained for one year in the case of Internet records and two years in the case of telephone records. Those who propose the reduced periods claim it is a great decision but they fail to mention that we are in breach of European law. As I and others have pointed out since 2002 and, in particular, since the introduction of the 2005 legislation, Ireland is in contravention of European Union rules. Despite this, it has taken until now to reduce retention periods and rather than reducing them to below the maximum permitted by the EU, they have been set at the maximum levels.

Digital Rights Ireland has raised major concerns about data retention by State agencies, such as the Garda Síochána and Revenue Commissioners, under existing rules. The industry has also raised concerns about who will manage and pay for the system and the potential for abuse. What will happen if laptop computers containing stored data are lost, as has occurred regularly? It is easy to store this data and just as easy to leak, lose or sell it. What will happen if this occurs?

As far as I can determine from the text, there is no compulsion on the service provider or the State to inform people whose personal data is lost or inadvertently or intentionally leaked. The data to be stored is not a couple of names or addresses but includes details of a person's Internet use for one year, including all sites visited. There is no guarantee that the owner of a computer is the person who visited the sites in question or that the owner of mobile telephone made a particular call. The potential for leaks of information is significant.

Some people argue that those who have nothing to hide have nothing to fear. After 15 years in jail, members of the Birmingham Six and Guildford Four and others who have been falsely imprisoned in this State and in other jurisdictions will say that argument does not hold in every circumstance. Deputy Niall Collins of the Fianna Fáil Party used a similar argument in July during an interview on Matt Cooper's radio programme, "The Last Word". When he was asked whether he would publish his telephone bills, including his telephone records for the previous year, he answered to the effect that he did not understand what was meant by the question.

Under this legislation, information will be retained on every single call one has made on one's mobile phone. This data could be leaked or inadvertently or maliciously used against individuals. No one can argue there are not those in the Department of Justice, Equality and Law Reform and Garda Síochána who have not engaged in malicious leaking of data against republicans and others. I have seen photographs which were taken in Garda stations published in newspapers in this State. The only people who have access to this information are gardaí. Similarly, a previous Minister for Justice, Equality and Law Reform would not even admit to me in the House how many Deputies were having their telephones monitored. I have not yet asked the same question of the current Minister. How many current Deputies have their telephones monitored by the State? Despite the fact that this type of activity, which is unacceptable in a democracy, is taking place, the Minister expects us to sign away access to all information about our telecommunications in order that it can be analysed, interrogated and, possibly, leaked.

Laptop computers containing significant amounts of data have been lost in this State and overseas. The Health Service Executive, for instance, recently lost a laptop containing a substantial quantity of data. The information people provide when filling in application forms for the HSE, FÁS and other organisations could be useful to journalists and the private sector. Marketing companies want access to names, addresses and information on who one calls and so forth. Providers of Internet and mobile telephone services could use information on an individual's mobile phone and Internet usage to try to sell him or her their products. For example, a mobile telephone company which retains information on my telephone usage for two years will be able to determine that I mainly use numbers with the 085 prefix and make most of my calls at night. It could then try to encourage me to buy into a programme or scheme which makes it more money and costs me more money. That is a potential outcome of this legislation. While I accept that the data will be retained for a specific purpose, questions remain as to who will manage it. Will the Minister provide an assurance that nothing untoward will happen?

I recognise the additional safeguards in the Bill, including a provision on judicial supervision, but they do not go far enough. Under this provision, I must submit an application to find out what data has been retained and whether it has been leaked, rather than the other way around. Data protection should have been strengthened before the legislation was introduced.

Data retention will create significant costs, even in terms of physical storage, although I accept that technological devices are becoming smaller. For example, a small, 500 GB external hard drive I recently installed in my office would have taken up a full office ten years ago. Nevertheless, given the scale of the data to be retained and the periods for which it must be held, large-scale systems will be necessary. These will also have to be secured and monitored and a backup provided in case the system shuts down or something happens to the storage facility. Providing these systems and the necessary safeguards will generate a cost. Is it a cost to the State or to the Internet service providers or telecommunications providers? There is a cost — it might be outlined in the Bill; I may have overlooked that part. In Finland the Ministry of the Interior, when the original proposal by the EU was put to it, worked out that if the measure was adopted at the full scale as intended at the time it would cost €5.5 billion to operate it properly and efficiently in line with what was expected of it. That is a huge cost. Finland would have a similar cost to here. What is the cost? Who will pay for it? The taxpayer always ends up paying for it — are people aware of what is intended? They are some of the concerns. I will enjoy the opportunity to tease out some aspects of this if I get a chance to do so on Committee Stage.

When I first started to research the retention of data I came across a story — I do not know if it is true — that when the European Union first started discussing the retention of data by all of the member states it explained the concept to the various Ministers. One Minister or official at the meeting said his or her country — it was Britain — had a system in place for the previous five years. It had what was called the ECHELON programme in place well ahead of the European Union whereby it, along with the US, tracked every single item of telecommunications traffic between Ireland, the European Union and America through the Cheltenham and Capenhurst facility. Everything went across the ocean. The system was retained for the benefit of MI5. It was not in place just to look at terrorism. There were financial implications. It was tracking businesses and everything else, which had nothing to do with anything. It was planning the future of its economy and was using the data to facilitate it. That was when the European Union discovered the extent of surveillance by the British on it, not just on Ireland. There are significant dangers, in terms of the "Big Brother" society or potential for that when one starts to retain data at the scale we are discussing. That is why I urge, once again, that we bring in proper data protection legislation which allows the consumer — those whom the surveillance is geared at — access to the information which is being stored so it is not wrongly stored or abused.

I welcome the opportunity to contribute at the end of this debate and thank all Deputies who contributed to it. In his opening speech the Minister for Justice, Equality and Law Reform, Deputy Dermot Ahern, conveyed the importance of data information in the investigation of serious crime, including gangland and transnational crime, and in safeguarding our country against terrorist activity. As data retention is a tried and tested valuable tool in the investigation of crime and in safeguarding the security of the State, it has not received as much attention as some of the more recent high profile initiatives from my colleague, the Minister, Deputy Ahern, for fighting crime, in particular gangland crime. These include the Criminal Justice (Amendment) Act and the Criminal Justice (Surveillance) Act, which passed into law as recently as July. It is ironic that criticism of this legislation, indeed criticism generally of the need to retain and disclose data, even if only coming from a small number of sources, comes as we are ensuring that the practice has a firm statutory backing with real and credible safeguards which have been called for all around the House.

I would like to refer to the memorandum of understanding, mentioned in the debate, that is being negotiated between the Garda Síochána, the Permanent Defence Force, the Revenue Commissioners and the representative associations of the vast majority of telephony operators and Internet service providers in the State. There have been recent misleading references to the memorandum in the press and the media. It is neither secret nor sinister. It is a work in progress and will not be finalised until the Bill is enacted. As the legislation will come into operation on the day it is signed into law, it is very important that the providers are in a position to comply with their responsibilities under it and the only way that can be achieved is for advance discussions to take place with the law enforcement authorities that are entitled under the legislation to make disclosure requests.

The negotiations in Brussels on the directive took place at a time of very rapid developments in technology. This was recognised by the Commission and the member states. It was clear that the directive could soon become out of date and less useful as an investigatory tool for law enforcement agencies if it tried to over-interpret the data which it was intended should be retained and disclosed. For that reason, the Commission established two committees for the purpose of identifying problems in implementing the directive. One of the Committees consists of national experts from a number of member states, including Ireland. The types of problems the committees addressed were related to matters such as the obligation to retain data, who should retain it and the type of data that need not be retained, such as spam. These issues fed into the discussions on the memorandum of understanding. All sides involved in those discussions recognise that it is to the benefit of all of them, and ultimately to the benefit of law enforcement in this country, if the Garda, Revenue Commissioners and the Defence Forces know what the providers can reasonably retain, within the parameters established in the directive, and that the providers know what is required of them under the directive by the law enforcement authorities.

Far from being a sinister or arrogant development, the purpose of the memorandum is to simply ensure that the directive operates as intended and it is a very welcome initiative by all concerned in its negotiations. It does what would not be feasible in the Bill, that is, set out in more detail what is required to be retained under the directive. For example, there has been some comment on which provider should retain a particular piece of data. Recital 13 of the directive states that data should be retained in such a way as to avoid it being retained more than once. Accordingly, if more than one service provider is in possession of particular data, only one need retain it for the purposes of the directive. The detail on which provider retains duplicated data can only be agreed in discussions between the service providers and the law enforcement authorities.

The question of human rights and privacy rights always arises when legislation such as this Bill is proposed. I have already mentioned that the intrusion into persons' privacy is minimal. No content is retained or disclosed under the directive or the legislation, contrary to what might be taken from Deputy Ó Snodaigh's contribution when he referred to my fellow Limerick man, Deputy Collins. Deputy Collins was merely making the point that he, like any other person, is entitled to his privacy and should not have all his telephone data and records open for public scrutiny. That is a certainly a matter of privacy, but it is not unreasonable to expect it. This is what Deputy Collins referred to — I heard the interview to which Deputy Ó Snodaigh referred. Deputy Collins stated very clearly that if he was a suspect in a serious criminal investigation it is not unreasonable that his telephone records and the contacts he may have had with particular alleged criminals would be available to the Garda. There is a real distinction between having one's private records open to the public and one's specific telephone calls to alleged perpetrators of crime being available to the gardaí and the Bill reflects that distinction.

What is meant, for example, regarding the content of a telephone call or e-mail or websites visited is that what is retained could be compared to an envelope with a note inside. What is required to be retained is the address on the envelope with the note inside being destroyed. That is the correct analogy.

The directive itself addresses the human rights implications in recital 9. The directive states:

Public authorities may interfere with the exercise of that right only in accordance with the law and where necessary in a democratic society, inter alia, in the interests of national security or public safety, for the prevention of disorder or crime, or for the protection of the rights and freedoms of others. Because retention of data has proved to be such a necessary and effective investigative tool for law enforcement in several Member States, and in particular concerning serious matters such as organised crime and [transnational] terrorism, it is necessary to ensure retained data are made available to law enforcement authorities for a certain period, subject to the conditions provided for in the Directive [and which are obviously now enshrined in this legislation]. The adoption of an instrument on data retention that complies with the requirements of Article 8 of the ECHR is therefore a necessary measure.

It can be deduced, therefore, that the directive has been fully examined and cleared from a human rights perspective.

I would like to respond to some of the points that were made during this debate. Deputy Ó Snodaigh suggested that the accidental dialling of wrong numbers could lead to a criminal investigation. If a person is found to have made ten telephone calls to the same person, accidentally or otherwise, that could not form the basis of a criminal investigation. However, it could be used as corroborative evidence of a pattern that might lead to the building of a case. The Deputy's suggestion that such a pattern could form the basis of a criminal investigation calls into question his support for the concept underpinning the legislation. The retention of data of this nature is a real and effective investigative tool, as it can provide the sort of alibis and exculpatory evidence that can lead to people being cleared. It is ironic that the Deputy mentioned the case of the Birmingham Six because if this legislation had been in force and in effect when that case was first considered, and if the technology necessary for it had been available, it is distinctly possible that the Birmingham Six would not have been convicted.

Deputies Charles Flanagan and Sherlock questioned the need to retain data for two years, given that most other countries have provided for periods of six or 12 months. It is clear that the directive allows data to be retained for between six months and two years. The Minister has been advised by this country's law enforcement authorities that the minimum period required for the retention of telephony data is two years. Similarly, he has been advised that the minimum period in the case of Internet data should be 12 months. As the Minister explained in his opening speech, the provision of a two-year period for telephony data represents a reduction of one year on the law that pertains in this country at present. The majority of data is requested within six months of it first being generated. However, the quality and potential of older data make their retention for a longer period essential. When a gangland criminal is charged with an offence, it may be necessary to request telephony data that is up to two years old as they might help to identify other members of the gang. Similarly, if a person is arrested in this State on suspicion of being a member of an international terrorist organisation, telephony data from the previous two years may help to identify whether the organisation in question has been preparing a major terrorist outrage.

I remind Deputy Charles Flanagan that it is not very long ago since an innocent member of the public was gunned down in my home city of Limerick, a number of years after a member of his family had given evidence in a criminal case. We have introduced legislation to try to deal with such cases. I can easily foresee circumstances in which data retained for longer than 12 months might prove to be relevant when a prosecution is brought. While such examples make the case for a longer period to be provided for in this legislation, I accept that an appropriate balance needs to be struck. As Deputy Sherlock correctly pointed out, we need to retain a sense of reality in this regard. Law-abiding members of the community who are not expected to be the subject of requests by gardaí under these provisions have nothing to fear from the legislation. Instead, their rights and freedoms will be protected by effective legislation that helps to track down those criminals who are prepared to threaten the freedoms and rights of ordinary citizens. The proposed two-year retention period for telephony data would be one of the longest retention periods in the EU. Most member states have legislated for a retention period of 12 months, with two or three opting for a mere six months. It is understandable that member states which are legislating for data retention for the first time would wish to steer a middle course. The 12-month retention period for Internet data seems to be consistent with the mainstream approach taken by other member states when implementing this aspect of the directive. Issues such as the retention periods are likely to be addressed in the Commission's review of the operation of the directive, which will take place towards the end of 2010.

When Deputy Ó Snodaigh spoke about the security of retained data, he questioned whether Members of this House might be under surveillance. I hope I understood his point correctly. It would be odd if Members of this House had some form of immunity from prosecution or investigation by this country's authorities. The Italian constitutional court ruled yesterday that the idea that those in public life — members of the government, parliamentarians and legislators — might be treated differently is offensive to that country's constitutional position. I suggest that the same applies in Ireland. Deputy Ó Snodaigh's suggestion, if I understood it correctly, was an odd one. The Deputy also raised concerns about the security of retained data. I assure him that the Minister and I, like all Deputies, are concerned about recent high-profile lapses in security, many of which have been due to computers being mislaid. The directive obliges the providers of such services to attach the same security measures to retained data that they would attach to all other data. In light of recent stories about data being lost, service providers and public bodies have been reviewing and tightening their security measures, particularly those relating to encryption. In his opening speech, the Minister mentioned that he established a data protection review group about a year ago on foot of lapses in data security. The review group called for submissions from the public and various interested parties. Given his interest in the matter, I assume Deputy Ó Snodaigh made a submission to that forum. The Minister called for submissions on the website and by invitation to parties that had previously expressed an interest in this issue. The group is putting together a consultative document that will describe the various issues from legal, technical and regulatory perspectives. The options identified by the group will be outlined in the document, which is almost ready for publication. A final call for contributions will be made when that document has been published, before work commences on the review group's final report. The Deputy will have an opportunity to make comments at that stage.

I have dealt with most of the issues that were raised while I was in the Chamber. The important legislation before the House has to be examined in the overall context of recent surveillance Bills and other Bills that have been introduced to tackle gangland crime. It responds to the fact that we are living in an era of highly organised crime. It has been mentioned that we have all been familiar with organised crime over many years, but it should be stressed that the modern version of such crime is organised on a much more technically sophisticated level.

It behoves us as legislators to respond to these new technologies by introducing effective tools to deal with them while at the same time protecting the rights and freedoms enshrined in the Constitution.

Question put and agreed to.