I was somewhat surprised by the posture taken by the Department today. I did not recognise many of the points departmental officials made as accurate statements of the law. The overall posture of the Department was that this was a new issue that had crept up on us and taken all of us by surprise in December last year, when the Tele2 judgment came out.
I am surprised by that because I feel like I have been talking about this issue for decades. In fact, I have been, because we commenced our constitutional challenge in 2006. At that stage, we highlighted the exact issues that we are talking about today. The Department has known for many years that these are live issues. In fact, prior to this matter getting to the European Court of Justice in Luxembourg, national data retention laws were struck down by national constitutional courts in quick succession in 2008, 2009 and 2010 before the German Federal Constitutional Court and the constitutional courts in Bulgaria and Romania. At this stage we have had literally a decade to address the issue. It is remarkable that it is only being done now.
It is also remarkable that the Department continues to fight our case. The Department is in the remarkable position of having commissioned a report from the retired Chief Justice that describes the existing scheme under the 2011 Act as a form of mass surveillance that is in breach of European Union standards, while, at the same time, maintaining the position in the High Court that the matter must go to full trial because the allegations against the State are denied in every regard.
If only from the perspective of the hard-pressed taxpayer, it is remarkable that the Department will continue to subsidise the legal profession in this regard. As a lawyer, I suppose I am grateful for that to some extent. It is, nevertheless, undesirable.
This summer the Department fought our application to have a preliminary hearing that would expedite the resolution by the courts of these matters. We sought a preliminary hearing on purely the European law issues. In other words, to save time and expense we sought to have these European law points determined separately before we got into the constitutional issues that arose. While the Murray review was on its desk, which made these points which determined that, as a matter of European law, the scheme was illegal, the Department, nevertheless, opposed our application claiming it was a matter where it would be inappropriate to determine the European points separately and that the European constitutional points should all be folded into one much longer and much wider hearing.
Obviously, we cannot do justice to the 170-odd pages of the Murray report nor even the 16 pages in our written submissions. I am happy to answer any questions committee members might have, however.
I want to address the points that were relied on by departmental officials who attended the committee earlier on. Mr. Dermot Woods, in particular, laid great emphasis on the three layers of judicial protection, which he described as involved in the new scheme. I would like to take issue with one of his characterisations. He said the complaints referee system to be established under the new scheme will include provision for compensation to be awarded to people whose communications have been wrongfully accessed. That is not in fact the case. If one looks at our submission and head 22 of the Bill, one will see that the existing power to award compensation has been expressly taken away. In fact, it no longer appears in the powers of the complaints referee under head 22. It has been taken away without any explanation or justification.
The role of the designated judge was stressed at great length. Some committee members have already heard me making the point in respect of the designated judge that the oversight system, as it currently exists, is inadequate. It is worth repeating that the designated judge has to date issued annual reports, consisting of a single page in most cases containing two or three paragraphs with no substantive detail of any sort on the actions he or she has taken to oversee surveillance in Ireland. It is worth bearing in mind that the designated judge does not just oversee data retention but also interception of the content of communications. This is all done on a part-time basis, on top of their day jobs, which are enough in themselves to keep them quite busy in the Four Courts. They do this on the basis of one day or one or two mornings or afternoons, attending the various offices in the Department of Justice and Equality and in the Defence Forces, and so on.
This is inadequate. It is entirely insufficient to provide an adequate and transparent system of oversight. In fairness, the new designated judge in the area, Ms Justice Marie Baker, has taken a more expansive approach and she has already issued one ad hoc report in response to a particular allegation of wrongful interception which contained considerably more detail than any prior reports. It may be that she intends to issue annual reports which are more detailed in future. We do not know, however. The problem is there is no requirement on the designated judge to do so. It is left up to them to decide how they are going to fulfil their statutory responsibility. To date, they have done so in this entirely opaque way.
Why is this inadequate? Is it because it is entirely lacking in transparency? Fortunately, we can evaluate how effective the designated judge has been because we can look to some issues exposed elsewhere. The Data Protection Commissioner carried out a review in 2014 of the handling of communications data by An Garda Síochána. The Murray review updated that to a limited extent. We can identify from these several areas where the designated judge has missed fundamental breaches of the existing schemes.
The 2014 report revealed a systematic practice in An Garda Síochána of retrospectively rubber-stamping requests. The theory was that requests had to be approved in advance by a senior member, namely, a chief superintendent or above. In practice, requests for communications data were being made by individual gardaí without any prior authorisation and were being delivered in batches to the chief superintendent after the fact to be rubber-stamped. The statutory criteria were being entirely ignored. We discovered from the 2014 audit that the Communications (Retention of Data) Act 2011 had been misapplied. Gardaí had been citing it in applications to access data held by firms which were not subject to the legislation. It was being used entirely beyond its scope. Again, the designated judge failed to pick up on this.
We also know, courtesy of the Murray review, that requests for retained data were made in cases other than serious offences. They were made in respect of criminal offences which did not meet the statutory threshold that the offence be punishable by five years or more imprisonment. This is remarkably significant because successive justice Ministers have told the Houses that retained data is only used for the purposes of investigating serious crime and is not used in respect of more trivial matters. It emerged from the Murray review that, to this day, retained data is being accessed for this purpose on the basis of what is essentially voluntary disclosure by the communications providers, which is entirely outside the remit of the 2011 Act. Again, the designated judge for many years failed to pick up on this effective evasion of the requirements of the 2005 and 2011 Acts.
While there is no reason to think that the designated judges are not individuals of the highest probity who are committed to carrying out the functions in this area as best they can, our position is that the designated judge system is inadequate and has been shown to be so. One cannot expect a part-time, busy, High Court judge, with no expertise in the area and no secretarial or technical expert support, no guidance as to how to carry out their functions, to do so on an ad hoc basis and point to it as sufficient for oversight.
Mr. Dermot Woods also mentioned the role the Data Protection Commissioner has in this regard. What he did not mention was that the Data Protection Commissioner is in effect gagged in what it can do and say. The commissioner is limited in what she can do in that there are significant carve-outs from the remit of the Data Protection Commissioner. As we stated in our written submissions, the Data Protection Commissioner is precluded from investigating certain matters relating to national security which covers a great deal of surveillance. On top of that, the Data Protection Commissioner is precluded from publishing reports of what they discover in carrying out their investigations.
In 2016, at around the same time as the GSOC revelations were emerging, the Data Protection Commissioner indicated she was going to audit the handling of communications data by the relevant State bodies, in particular the Defence Forces and An Garda Síochána. She was going to evaluate how they carried out their obligations and functions under the 2011 Act, how they handled the data they accessed and so on. We have since asked, by means of requests from journalists and freedom of information requests, for these reports. The Data Protection Commissioner has taken the view that she is not entitled to give us copies of these reports. The bodies which were audited have refused to release these reports. The role of the Data Protection Commissioner in ensuring transparency is a limited one. Again, in the current state of legislation, the Data Protection Commissioner cannot act as a sufficient oversight body.
Broadly speaking, we can identify the legislation as having three areas where we have to think about the safeguards that will be put in place. What are the safeguards for making a ministerial retention order? What are the safeguards in respect of accessing retained data? What are the safeguards in respect of notifying people that data have been accessed and then a remedy being available to them? The starting point is the retention order by the Minister. There is no provision for these retention orders to be made public. There is no provision for any review of the proportionality or necessity of detention orders. The departmental officials indicated the retention orders would be targeted. The Tele2 case requires that they be targeted.
However, that was not included in the legislation. There is no provision in the relevant head that retention orders must be targeted or specifically limited in this way.
The Tele2 case also sets a very high standard. A retention order, because it is so invasive, can only be made if it is strictly necessary. This is a point that Deputy Jack Chambers made earlier. Again, that is not something that appears in the legislation. The test here is essentially one of whether it would be proportionate to retain the data, not whether it is strictly necessary, that is, that any other means of achieving the same goal can be completely excluded.
Accessing the data, the second area in which we expect to see safeguards, also does not meet the requirements set out in Tele2. Tele2 focuses on the investigation of crime. It pertains to accessing data of people who are in some way implicated in crime and, again, this is a point that Deputies raised earlier. However, the heads of Bill do not reflect it. They allow for accessing - indeed they explicitly allow for accessing - of data of people who are not in any way implicated in crime, and that would include journalists. The point was made earlier, again primarily by Deputy Jack Chambers, that there is no journalistic protection in the legislation. We say that this is not just in breach of the recommendations made by Mr. Justice Murray, it is in clear breach of European Convention on Human Rights, ECHR, case law. The latter stresses that journalistic data has to be carved out as a special entity requiring special protections. It also requires that in all cases - even in cases of urgency - there should be a prior judicial authorisation process before journalistic data is handed over. The reasoning here is very simple; one cannot unring the bell. One cannot restore the confidentiality to a source once that source has been identified. In the case law we cited in the submissions, the European Court of Human Rights has said that even in cases of urgency, it might be possible to devise situations where, for example, it is required that data be stripped out to eliminate any information that would identify a source before any remaining information was handed over. Mechanisms must be put in place in national law to allow it. However, the Bill that is in front of the committee does not do that.
Finally, in respect of the third category, those situations in which we have access and we look at the notification and the remedies available for access, we have a number of concerns that again, the standards set out in Tele2 are not met. Here we say that we have a failure to meet the core standard in respect of notification. The problem here is that the legislation contains a very vague exemption. People may be refused notification of the fact of access if notification would be incompatible with the purposes for which the data was retained. That appears to be a very wide carve-out. It is not entirely clear what is meant by it. I do not think it is the world's greatest example of drafting. On the face of it, however, it appears to allow a very wide exclusion, particularly because it refers to investigations which may take place in future. For example, it might allow for an exclusion of notification in situations where there is a desire not to give away the use of this data as an investigative technique in unrelated cases involving other people. It is not the case that it is limited to the possibility that further investigations will be carried out against an individual or other individuals who are affiliated with those involved in some way.
Second, as already stated, the role of the complaints referee is limited and the power to award compensation is taken away. In addition, the complaints referee is gagged in what he or she can say where no violation of the legislation has been found. One might ask why that matters. Surely it is enough that the complaints referee says there is no violation. It matters because the complaints referee, in finding that there is no violation, might be exposing, for example, a very wide and possibly questionable interpretation of the legislation being relied upon, which individuals might wish to challenge. It matters because the complaints referee, by being precluded from giving reasons, will not be in a position to satisfy individuals as to why a particular authorisation to access data might have been justified. It matters because, fundamentally, there is no reason for this blanket gag to be placed on the complaints referee. This is a holdover from the Communications (Retention of Data) Act 2011 and, before that, the Criminal Justice (Terrorist Offences) Act 2005. There, the thinking was that there had to be a blanket secrecy provision, otherwise the complaints referee could be used for what the computer scientists term an "oracle attack". If an individual thinks they have been under surveillance, they could go to the complaints referee. If he or she gets a full decision, fine. If he or she gets a decision which simply says, essentially, that the complaints referee is unable to confirm or deny, then he or she will realise that he or she has been placed under surveillance and that his or her data has been accessed. In other words, the secrecy provision was a mechanism to prevent people from determining whether their data had been accessed.
This is not appropriate any more because the 2017 Bill provides a presumption that one should be notified. The general rule, by default, is that notification should be made, except in certain narrow circumstances. It is possible, therefore, to say that the complaints referee should be able to discuss the facts of the matter and should be able to give reasons, if an individual already knows that his or her data has been accessed, having already received a notification. There is no good reason for saying that someone has been notified that his or her data has been accessed but that the complaints referee will still be precluded from explaining the circumstances in which that took place.
There are obviously a lot more points contained in the written submissions. At this stage, I would be happy to help committee members any further if I can.