I welcome the Minister for Justice, Deputy McEntee, back to the House. Amendments Nos. 1 to 3, inclusive, are related. Amendment No. 3 is a logical alternative to amendment No. 2. Amendments Nos. 1 to 3, inclusive, may be discussed together, by agreement. Is that agreed? Agreed.
Communications (Retention of Data) (Amendment) Bill 2022: Committee and Remaining Stages
I move amendment No. 1:
In page 4, between lines 38 and 39, to insert the following:
" 'security of the State’ means the territorial integrity and independence of the State from subversive activities by hostile states and from hostile groups within the State, and the safe and ongoing functioning of sovereign authority and the constitutional system of the State, and the security of its citizens (including the rights and freedoms of citizens);".
I welcome the Minister. Amendments Nos. 1 to 3, inclusive, attempt to provide clear definitions for the phrases "security of the State" and "threat to the security of the State". These definitions are essential to provide a clear legal threshold, which can form the basis of a decision about data retention. One of the core principles we need to follow as legislators is that the provisions we put into law must be clear and unambiguous and easily understood by all. It is not clear that this legislation currently meets that standard.
The Minister is given the responsibility in this Bill to determine whether there is a threat to the security of the State and to make a proposal to an authorising judge in respect of the retention of data in response to that threat. This responsibility is burdensome and a serious one for a Minister, and yet no clear definition is provided on which the Minister can base a decision. No criteria are provided in the legislation to distinguish between ordinary crime, organised crime or potential acts of terrorism. These are essential distinctions we need to make not just because it is good legislative practice but because the Court of Justice of the European Union, CJEU, ruling requires it.
The CJEU ruling has highlighted that in order to meet the data protection principles of necessity and proportionality, this legislation needs to provide clear criteria on which a data retention decision is based. This means we need a clear definition of national security. The CJEU ruling states:
In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measure ... and must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary.
As it is not clear in the legislation what "security of the State" actually means, we currently do not have "clear and precise rules governing the application" of this law. This emergency legislation may therefore still be in breach of EU law.
Our amendments propose a number of definitions which might help to create the necessary clarity in the Bill. Amendment No. 1 proposes that "security of the State" means safety and security from hostile actors that might threaten the independence or integrity of the State, the ongoing function of our democracy or the rights and security of our citizens. Amendment No. 2 proposes that a threat to that security would be a threat that is "greater than that posed by common criminal behaviour". This is an attempt to create a clear distinction between ordinary or organised crime and actual terrorism or threats to the State and therefore create a clear basis for a data retention decision. This clarity is essential to vindicate the data protection principles I have discussed.
Amendment No. 3 proposes alternatively that a threat to the security of the State might be defined as "one which cannot be eliminated by ordinary means". Again, this attempts to create that clear distinction between crime which can be dealt with ordinary powers of the State and those terrorist threats that may require additional powers in respect of data retention.
I hope the Minister will engage on this legislation, given it is an emergency response to a ruling that our current law is illegal. It would be very short-sighted to pass an emergency law open to legal challenge and which would also be ruled illegal if referred to the CJEU again. I am genuinely concerned this Bill would still be illegal under EU law due to its failure to establish clear criteria for data retention.
I will be very brief because Senator Ruane has outlined our concerns in this regard. There are specific amendments and specific approaches outlined but although we make suggestions for specific definitions, the crucial question is one of there being a definition. In an ideal scenario the Government would bring its own definition and make it clear in legislation. In its absence I urge that the Minister considers taking on one of the three definitions. If a different approach is sought, perhaps that definition could in future be amended.
We are really concerned about the Bill progressing with no definition at all. There are three cases of suggested language but I hope the Minister does not reply specifically to those suggestions but the really crucial issue of the absence of a definition, with the consequent absence of the necessary clarity around proportionality in line with the CJEU ruling.
I have some sympathy with the notion that clarity is required and I agree that CJEU jurisprudence indicates that. There is a difference between saying there must be clear criteria, which is what the court has said, and the requirement for a clear definition. I do not believe there is any ambiguity.
The difficulty is that nowhere in any of our legislation is the term "security of the State" defined. What the Senators suggest is a reasonable expectation of what that would mean, and it has a common meaning for all of us as we speak about this. Amendment No. 1, for example, mentions "subversive activities by hostile states and from hostile groups within the State" but what happens if an individual is the relevant actor? The point I am trying to make is not that there is a problem with this definition but that there is a problem with any definition. As soon as an exact meaning is put down on paper, people like me would try to pick it apart.
That is where one creates so-called loopholes that we build into the law, specifically, as protections for people. The danger is that if one gives a very specific worded definition as to what that means, one is also creating the possibility for somebody to place a given accused person outside that definition. That is why I would be much more comfortable that the courts get to interpret what that term, "security of the State", means, as they have in the past in different and nuanced cases. I would be much happier to leave that role to the courts than to take it upon ourselves as the Legislature to put in place an all-encompassing term that might leave something out or might have an unforeseen consequence on what might happen in the future. I would have difficult with these amendments for that reason.
I thank Senator Ward. The Senator made many of my responses and clarified them.
From the outset, we have not defined either "security of the State" or "threat to the security of the State" anywhere. If one thinks of the most recent legislation, the Offences against the State (Amendment) Act, which we re-enacted only in the past few weeks, in that there is no clear definition of "security of the State" or "threat to the security of the State". We have a situation where the courts interpret it. I would be of the view of Senator Ward that if one were to define something, the minute something arises that does not fit within that definition one finds oneself in a difficult situation.
If I could, to be helpful, I will give an indication of the type of issues that I would view as linked to the concepts of "threat to the security of the State". They may include: the terrorist threat level in the jurisdiction and on the island, bearing in mind the operational focus on preventing or disrupting attacks in Northern Ireland; the terrorist threat level in the wider neighbourhood - Britain and the EU - which is informed by assessments carried out by either the UK agencies or Europol; hostile state activity; cyberthreats to the State; the threat that might be posed by right-wing extremist groups; and the potentially destabilising effect on society of organised crime. These are all the types of potential definitions that one might have or that have been ruled on previously in a court by a judge but, as has been said previously by Senator Ward, to define it one leaves oneself open to excluding something from the overall definition.
Given the fact that we have not defined it in any legislation, I am not sure I would be comfortable with defining "security of the State" in an emergency Bill, particularly when I suppose the intention here is to respond to the court ruling. To assure the Senators, I have been given clear advice from the Attorney General on this. The Attorney General is absolutely satisfied with what we have included and that this replicates how we have not defined it, so to speak, but have referred to it in other legislation. If we were to go beyond that, an emergency Bill is not really the place to do it.
While I fully understand where both Senators are coming from, I will not be able to accept this amendment for those reasons.
To clarify, to be honest, much of that makes sense.
For my own understanding, in terms of the decision-making process, is it accurate to say that the Minister of the day would not be making a decision on what the security threat is? The Minister makes the decision on whether the application goes to court for the court to decide.
It would have to be decided by a judge in order to be able to retain those particular data, namely, the Schedule 2 data. A judge would have to decide on that.
I am happy with those responses.
I accept the Minister's point in terms of emergency legislation in general. That is why we endeavour to have clarity. It is emergency legislation, but emergency legislation that is responding to that lack of clarity. That is why we were seeking to be constructive in trying to nail down that clarity.
I accept the point in terms of case law. It is important for the Minister to give that clear signal that it should, and I understand will, be in the power of courts to decline a request from the Minister if they do not believe it to be necessary and proportionate. I suppose it is an area where we need to keep watch to ensure that the case law is built in an appropriate way. Given the Minister's point, I am satisfied, as well as my colleague is, in terms of waiting to see how that unfolds.
The Minister might reaffirm for those listening that it is the case that that necessity and proportionality test, which we tried to apply here in the legislation, will be applied by the courts in relation to the Minister's requests.
It will. I stress that what we have proposed here in terms of this emergency legislation reduces the amount of data that can be retained and puts additional safeguards in place that do not exist in the principal Act. There are more safeguards here. Specifically, when it comes to a threat or security, the type of data that now we are able to retain is still on a very restricted basis with that oversight. There is an extra layer that does not exist now.
Of course, my preference is that this would be the base that we work off and that we would be able to ensure An Garda Síochána is able to access the information that it needs, be it for security purposes or in fighting criminal offences, but the purpose of today is to respond to the ruling and to make sure that we are compliant. In anything after that, be it in terms or work at a European level or in terms of a more general wider Bill, which I hope to bring, as I said, by the end of the year where I will engage fully with all colleagues here, we will work on this and see where we can go from here.
I am happy to withdraw amendment No. 1.
Amendments Nos. 4 to 7, inclusive are related and may be discussed together, by agreement. Is that agreed? Agreed.
I move amendment No. 4:
In page 5, line 35, to delete "a period of one year, or".
Amendments Nos. 4 to 7, inclusive, seek to address the retention periods and safeguards in respect of data retention. Currently, the mechanism in the Bill provides for an automatic period of data retention of one year, which may be varied by the Minister or an authorising judge, depending on the type of data.
We need to be clear on this. The European Court of Justice ruling was clear that the duration of each data retention measure must be limited in time to what is strictly necessary and that such measures, while they can be renewed, cannot be systematic in nature. As the Irish Council for Civil Liberties, ICCL and others have highlighted, the current draft of the Bill is not in keeping with the spirit of this ruling, and the legislation may well be deemed illegal on these grounds if it is referred to the Court of Justice of the European Union, CJEU, again.
Each case must be individually assessed and the period of data retention should be prescribed specifically for the necessities of each case. While I acknowledge the Bill goes some way towards acknowledging these requirements, and grants power to the Minister and the judges in respect of varying the period of retention, there is still a question mark over the legality of the automatic period of one year in the absence of other instruction by the Minister or a judge. This implies that the majority of cases would automatically get a period of one-year retention unless otherwise specified, and this goes directly against the CJEU ruling that these periods cannot be systematic in nature. I urge the Minister to engage on this and be cautious about it because it is pointless to pass emergency legislation that would potentially also be illegal. Why replace one illegal Act with another?
Amendments Nos. 4, 6 and 7 all attempt to remove references to the automatic retention period of one year. These three amendments would delete the one-year period, and would require that a specific data retention period must be decided by the Minister or a judge in every case. If accepted, our amendments would remove the automatic one-year retention period, and thus ensure the Bill is in line with the CJEU's ruling. Amendment No. 5 is similar in that it reiterates that a judge must specify the data retention period in every case, not simply assign an automatic one-year period.
These amendments may be the difference between this House passing a legal or an illegal Bill. If the Minister still believes this automatic one-year retention period is legal or necessary, I hope she can clarify why that is.
I am also concerned by the different powers granted in the Bill in respect of "user data" versus "Schedule 2 data". From my reading of the Bill, it seems that these types of data are similar, and that both relate to names, addresses and Internet protocol, IP, addresses of users. Could the Minister clarify how these categories of data are substantively different, and whether we should be concerned about the wider powers granted in respect of "user data"?
When I first read this amendment, I did not understand where the Senator was coming from. Having heard what the Senator said, I understand much better.
I do not know whether the proposal is that there should be no default period once the law passes, for example, before the Minister had a chance to make regulations. I would have thought there should be provision. The Senator may feel that a year is arbitrary, but a year is one of those terms that exists since Roman civil law. "For a year and a day" is often the term that is used as a default period in law generally.
That makes sense to me. When I read the Act, it made sense to me that there would be a default period. I understand what is being said about the CJEU and will be delighted to hear what the Minister has to say about this, but it seems that in the absence of the default period, a much more dangerous lacuna is created. If, for example, the Minister declined to make regulations, would it mean there would be no retention period? Would it mean the retention period would be open-ended? I would have thought the purpose outlined in the Bill would get us around that. I presume that is the intention. I understand where the Senator is coming from but believe there is probably a basis for it.
Let me get into some of the detail. First, on amendment No. 4, the recent ruling and the 2020 ruling essentially state user data were not classified as serious in that they do not show the traffic or location details. Retention and access to these data can be justified by the objective of dealing with criminal offences in general. There is no requirement for a specific time-limited arrangement in these circumstances, particularly given that there will no longer be scope for the general retention of the Schedule 2 data, which relate to the traffic and location details. I do not believe it is unreasonable or disproportionate to set a period of 12 months for the retention of these types of data, and the Court of Justice of the European Union accepts this given that the information involves somebody’s name and information willingly given. Obviously, looking at traffic location and where you are is seen as a much greater invasion of somebody’s rights and privacy.
Essentially, the 12 months represents a 50% reduction on the default period of 24 months, which entails the retention of all Schedule 2 data relating to telecommunications, as in the principal Act of a number of years ago. I am future-proofing section 3A of the legislation. This allows for a shorter period up to a maximum of 24 months. It is prescribed by ministerial order. This is proposed given that there are further pending CJEU rulings that may impact on retention periods for user data. It is for that reason specifically that I cannot accept amendment No. 4.
With regard to amendments Nos. 5 and 6, the most significant aspect of the rulings is the requirement on the general retention of Schedule 2 data. This area is seen as more significant in terms of the impeding of individuals’ rights, so it is believed the arrangement must be limited to what is strictly necessary. Again, I believe that is what we are doing here. We are proposing a 50% reduction on the default period of 24 months, and this meets the requirement to have what is strictly necessary. When the platforms and providers contacted us after the most recent clarification and crystallising of the rulings over previous years, their concern was that they would immediately have to remove and get rid of all data, which is obviously not what we want to happen. We are trying to put in place a number of provisions, while the intention is obviously to try to work with our colleagues at European level to ensure data, be they Schedule 2 data or more general, can be used by our law enforcement agencies to deal with criminal offences and serious crime, not just security threats.
This has been fully proofed by the Attorney General. We have taken significant legal advice on this. The response is that we have set out what is strictly necessary. The CJEU has accepted this as well.
To facilitate my understanding, the Minister should correct me if I misrepresent what was said. She said the period of 12 months meets the requirement regarding what is necessary. Does what is necessary entail only an amount of time and not the individual reasons for the holding of the data?
Yes. It is in relation to time and not the actual data or case. It is the time itself overall for the data. The provision will apply to all general data irrespective of whether they are for a specific case or reason. It is the timeline we are referring to here.
So the CJEU ruling relates not to specific reasons or the potential crime but to necessity in terms of time?
It depends on which the Senator is referring to. The general data are not viewed as impeding on somebody’s rights in the same way as Schedule 2 data. When talking about what is strictly necessary, we are referring to the time limit, not the potential crime or the reason for it.
I thank the Minister.
While we acknowledge the case for the previous amendments was really strongly made, I still have concerns. I am thinking of amendment No. 4 in particular. It was asked what would happen if the Minister did not make regulations. That would be an issue for the Government, including the Minister, in that it would have failed to make them, but the point is that we are being asked to give the power to make regulations, with the usual caveats attached, and also a blanket provision. The scope of the regulations may be wide, but when we talk about necessity it is not just a matter of the time period but also of proportionality. Proportionality means being proportional in respect of a purpose. The regulations may provide for the retention of a large category of the Schedule 2 data by a certain kind of service provider because there is a relevant purpose but I am concerned about a blanket provision regarding retention. I am specifically concerned about when we move beyond the security of the State and some of the specific criminal provisions. The Minister mentioned potential future uses. It would be absolutely inappropriate to have information retained because of potential future uses. Information being retained needs to be retained because there is a purpose in mind, not because we might be able to think of a future purpose. While I have agreed with the Minister on the points on the security of the State, criminal investigation and so forth, I am concerned about overreach regarding the use of such data.
I am conscious of an equivalent example, which we flagged as a data-protection concern at the time in question. The Minister might recall the issue of the public service card and the fact that data were being retained on the movement across the State of those with free travel. That was an example of a blanket provision and blanket retention, which again was a matter of concern.
The purpose should be clear. Positing a potential future purpose is not adequate in itself without it being named. It is sufficient that the Minister would have the power to regulate in this area, and a blanket provision is too much. We might just disagree on that one.
Could I have a brief clarification? Does the user-data category also include the likes of a person’s – the acronym has gone out of my head-----
Geolocation or GPS?
Internet protocol, IP, addresses. Does it not include a person’s IP addresses and international mobile equipment identity, IMEI, which obviously involve much more data than a vehicle registration and location? The data are more related to a person’s phone-----
It does, but it does not give where a person is at a particular time or where he or she might have been. As with a given name and address, it does not necessarily tell anything more than one’s IP address. It is no different from having knowledge of a person’s name. In the case that brought a lot of this about, it was the location data that made the significant difference.
We should note that the courts themselves have ruled that general data do not really impede on somebody’s privacy because the information is voluntarily given in many instances. It is not information that gives away anything about a particular person; it is simply information about him or her. The regulations may allow for a shorter period, of 12 months, or longer; however, considering that the period is half of what would be allowed for the Schedule 2 data and that the courts themselves do not seem to have an issue with putting this type of timeframe in place, this is really why we are putting the measure in place. Again, I stress that even this in itself is less than what we currently have and is more of a safeguard than what we currently have. We are really just trying to respond to the overall ruling and ensure we are fully compliant. I appreciate that there have been several rulings in recent years but it is a question of the most recent one. It is on the basis that we do not expect the Supreme Court to change anything that we are now implementing this measure.
I am sorry for teasing this out on the floor. I am trying to understand stuff as it is happening. In relation to the idea-----
One still has to set out the reason-----
One has to meet that standard or bar.
-----one was looking for it. It is there, but one cannot just access it for no reason. The 12 months is because it is not seen as being as significant as accessing someone’s location.
For example, in relation to IP addresses or anything that one associates with one’s phone, etc., the idea is that it is given voluntarily to phone companies rather than State bodies such as Revenue or the Garda. Even though it is voluntarily given, where it is voluntarily given is differentiated a little in terms of it just being general user data that the Garda or Revenue would have access to anyway.
The court said that it does not feel this infringes in the same way so it included all user data, which includes what the Senator outlined, as not being as significant in terms of impeding. All of this is about whether retaining this type of data, Schedule 2 data or Internet data would create a greater impediment on someone’s privacy or right to privacy. However, the court ruled both in 2020 and more recently in April, and obviously the Supreme Court ruled the same way, that it is not as much of an infringement on somebody’s personal privacy rights.
Amendment Nos. 8 and 11 are related and may be discussed together by agreement. Is that agreed? Agreed.
I move amendment No. 8:
In page 8, line 7, to delete “an” and substitute “a serious”.
Amendments Nos. 8 and 11 seek to clarify that data retention powers should only be exercised in respect of serious offences or serious revenue offences. It is important we do not see situations where data privacy rights are being trampled over to tackle minor offences. Once again, powers of data retention are exceptional powers which stand down people’s data privacy rights. I am concerned by the perceived weakness of some of the provisions in respect of user data. It seems that Garda and Revenue officers currently have the scope to use these powers whenever they see fit in respect of user data. Notwithstanding the previous clarification of user data, it seems very similar to the Schedule 2 data that is more protected insofar as they both relate to names, addresses and IP addresses of users. We had that conversation previously in terms out teasing out a little bit around personal data.
The only amendments in this grouping are amendments Nos. 8 and 11. Is that correct?
Yes. Amendments Nos. 9, 10, 12 and 13 are the next grouping. We are not dealing with them just yet.
I apologise. We got the groupings quite late and we pre-empted them.
No problem. The Senators had their own groupings.
We have pre-empted fake groupings here. I will leave it at that, because the rest of what I have to say applies to the next grouping.
As I understand it, amendment No. 11, which seeks to amend the proposed substituted section 6(3)(a), proposes to replace “committed a revenue offence” with “committed a serious revenue offence”. However, the term “revenue offence” is defined in section 1(1) of the principal Act, which sets out exactly what sections apply. I think adding “serious” in there contradicts that definition in the first instance. In addition, it is unnecessary because section 1(1) of the principal Act defines a “revenue offence” as "an offence under any of the following provisions that is a serious offence", and it then lists out the various different Acts - various Finance Acts and the Customs Consolidation Act, etc. - under which offences are committed. That is very clear. I certainly think that amendment No. 11 creates more confusion than it solves.
While it is useful to reference the principal Act in respect of amendment No. 11, in terms of a "revenue offence", I feel quite strongly about amendment No. 8 and, indeed, the principles in amendments Nos. 9 and 10. An offence as constituted in that section is potentially extremely wide. We do not want a situation where there is a suspicion that a minor offence will become a justification or reason for a member of An Garda Síochána to be accessing user data. I will be frank; we know we have had situations in the past where access to data has been abused. Far too often, we see on television programmes the idea that you can just run a number and get some information. Again, that is actually inappropriate and it is not the case.
This comes to the other amendments, which are important to Members. Amendments Nos. 9 and 10-----
We are not dealing with those amendments yet.
Are we not on amendments Nos. 8 to 11?
No, we are on amendments Nos. 8 and 11.
I apologise. I will come to them in a moment.
The Senator will get her chance. For now, it is just amendments Nos. 8 and 11.
I accept the argument that there is a clarification to a degree on what constitutes a “revenue offence” in other legislation. However, in terms of the powers of An Garda Síochána in this section, I think that including the word "serious" as a parameter when describing an offence is an important safeguard in accessing data. I would not want a situation whereby a very generic offence can be used. I will just reference amendments Nos. 9 and 10 again because it comes to that. I am looking at the question of an offence alongside the provision, which is the idea of prevention in detecting in the widest sense. For example, there might be an excuse whereby someone is screening or checking for past traffic offences or some very minor offence, and that becomes a justification for accessing this data. Again, I am worried that it is too wide as a provision. I say that in the context of the need to be very careful about the overuse of surveillance, the targeting of certain communities and an imbalance in how policing is applied in the State. Having just gone through the whistleblower legislation and other Bills, I can say we have had situations in the past where individuals have been, sadly, targeted and intimated by members of An Garda Síochána. Therefore, it is important to have the parameter of “serious” attached to the word “offence”, as outlined in amendment No. 8. Such a measure, along with amendments Nos. 9 and 10, is important in addressing the question of these provisions being used in a preventative or speculative way.
It is a similar argument to the previous one. It is a question of what the court has ruled and what categories it has deemed general data to fall under. Specifically, the court concluded that the interference entailed by the retention of user data cannot be classified as "serious". That is what it set out in the ruling. It went on to state that legislative measures concerning the processing of user data are capable of being justified by the objective of preventing, investigating, detecting and prosecuting criminal offences in general and not just serious criminal offences. To stress, it has to be a criminal offence. A road traffic offence is not a criminal offence. It has to be a criminal offence, not just a minor misdemeanour that is not a criminal offence.
Based on the pre-legislative scrutiny that we engaged in, albeit in a short period of time, we changed the requirement for an inspector to be able to seek to access this information to the level of superintendent, which is an acknowledgement that not everybody should be able to access it. It must be someone at the level of superintendent who can actually seek to access this data or information.
It cannot be applied retrospectively or used to scan for previous cases. It is specific to a particular case involving a criminal offence rather than any other type of situation. That is clear from the ruling. The retention of user data cannot be classified as serious. There is also the fact that what has been outlined includes preventing, investigating, detecting and prosecuting criminal offences in general; not just serious criminal offences. We have tried to stick to the letter of the law as set down not just in 2020 but also in April.
As regards the second amendment in the grouping, what we are trying to do, insofar as is possible, is to replicate existing powers assigned to the Garda Síochána, the Defence Forces, the Revenue Commissioners and the Competition and Consumer Protection Commission to access user data retained by service providers. As Senator Ward outlined, we are replicating what is there already. It is on this basis that I cannot accept the amendments. We are very much sticking in line with what was set out in the court ruling in terms of what is deemed serious and what is not but we are trying to add in even more safeguards, such as that it must be a superintendent who seeks this information. I reassure Senators that this is not something that can be used to just access a database and generally scan information in order to use that against an individual or, potentially, to look at previous cases. It has to be specific to the criminal offence that is being investigated.
I might be missing something elsewhere in the legislation, but section 5 states:
A member of the Garda Síochána not below the rank of superintendent may require a service provider to disclose to that member user data in the possession or control of the service provider—
(a) where the member believes that the data relate to a person whom the member suspects, on reasonable grounds of—
(i) having committed an offence
It just refers to an offence; not a serious offence.
For general data, it can be just a criminal offence. It does not have to be a serious offence. That is on the basis that the court has ruled that, for the purposes of the detection, prevention or prosecution of crime, general data is not seen in the same way as Schedule 2 data, which is a person's location information. The latter is seen as impinging much more on a person's right to privacy. It is only for security issues that a person can retain or seek access to Schedule 2 data, whereas for a criminal offence or serious criminal offence access to the general data can be sought. In the case of a criminal offence, that is because the court has deemed it does not impinge on a person's privacy as much. Again, the safeguards are that it must be a superintendent who seeks access and it must be specific to what is being investigated; it cannot go beyond that.
It may be down to how I am interpreting it, but I am concerned that there is an element of pre-emption in the powers being granted under the Bill, even in the case of minor offences. The section refers to suspicion. It is not even a court order. It seems pre-emptive and that it could be used in respect of minor offences. My fear is that it dips over into the idea of powers of surveillance in terms of the Revenue Commissioners and the Garda having access to user data on suspicion of an offence having been committed, rather than an offence actually having been committed.
At present, a member of the Garda Síochána, the Revenue Commissioners or others can access this data without going through much of this process. We are reducing the amount of data that will be available in the longer term. It is about how it can be accessed. We have included an additional safeguard by inserting the words "reasonable grounds". It will be necessary to make a case. In the case of a suspicion or view that a person may have committed a crime, the garda or other person investigating will have to provide evidence and show reasonable grounds for the request. It then has to be approved. It is not a matter of saying there is a suspicion that a particular person might have done something, without any proof or evidence. There have to be reasonable grounds for the request. This is an extra layer on top of what we currently have. As I stated, it strips back the type of information that is kept and how it can be accessed. It adds additional layers to what we currently have. In terms of how these data are accessed now, I am not aware of widespread misuse. I do not think this type of data is being accessed by people who should not be accessing it or for unjustified reasons. To the best of our knowledge, it has not been misused to date. The section adds extra safeguards and makes it more difficult for the Revenue Commissioner, An Garda or whoever else to access the information.
It does not have to go before a court, however. Basically, a superintendent can make the decision. There is no court hearing. A superintendent can decide to give access to the data, potentially with reasonable grounds and evidence, but there is no court involved. A superintendent can make that decision.
There is no court hearing required in this instance. The court, in its ruling, did not ask for such a provision because it did not deem general data as being as serious as location data and the other information it specifically singled out. I should not get into it but, obviously, all present area aware that can have a greater impact in terms of cases. The court has deemed that more general data is not really in the same serious category. At the moment, it can be accessed. That is being changed to an extent because it can only be maintained for a certain amount of time when it comes to dealing with criminal offences or serious criminal offences. We are actually raising the bar in terms of who will be able to access that information. It must be at superintendent level and grounds must be given to show why the information is needed. It is a higher bar. Under the Bill, there are more safeguards and less information, or less time for which information will be retained.
I know Senator Higgins is waiting to come in, but it is easier to stay on this thread and jump back to her. I understand the point in respect of Schedule 2 data and the seriousness of the threat in terms of a threat to security or the State and all those things. Obviously, that needs to go before a court as that is where the bar needs to be set in that regard. It seems less harmful when we talk about minor offences or the presumption of minor offence or the general user data and that not being so harmful in terms of an individual, say. My fear is that access to general user data in the context of minor offences or presumed minor offences does not seem harmful in terms of the State, the status quo and the threat to the nation as a whole, but it feels like it could be a really big threat to poorer communities or communities where there are higher crime rates. Even though it is only user data that would potentially be used to prosecute minor offences, if that were accumulated in the collective sense of social class, it would feel like a threat. I know that is not the same kind of threat as those relating to the case that brought us here today and those high-profile matters, but, in terms of the potential for surveillance and access to that user data for minor offences, when all those instances are accumulated in the context of particular communities, that could be a threat to those communities specifically.
There is a disjoint. I understand that the Minister is addressing the court ruling, but we are also addressing what we believe to be good and best practice. I still have concerns in respect of this issue. I am especially concerned in the context of surveillance in the State, as was mentioned. There have previously been some very bad ideas floated in terms of what might be done in that regard. I note that the policy intent the Minister is describing and what is written down in the Bill are slightly different. I do not doubt the sincerity of the intent of the Minister but the Bill refers to suspicion, on reasonable grounds, of a person having committed an offence. Amendment No. 8 would insert the word "serious". That is not specified in the context of it being criminal. Maybe an offence means that it is criminal in that context.
The Minister stated that it is not retrospective but I do not see that safeguard in the Bill either. As I read the Bill, a superintendent who suspects that a person has committed an offence is able to access the data of that person. There is reference in a separate section to detecting or preventing future offences.
There is a danger of this becoming a situation. As we said, a superintendent must make a case using reasonable grounds but does not actually have to make that case unless challenged. The only person that he or she makes a case to and, indeed, he or she is not even required to write down that case, is to the service provider whom he or she asks for information. Of course, the onus is on the service provider, and there is a natural inclination by the service provider, which is being requested by a superintendent who says that the Garda is doing so on reasonable grounds, will be to say, "Yes, you can access that data".
I understand the provision is better than what we had but what we had was really bad and a draconian interpretation of the laws. I recall that some of the provisions, as they were brought in, were queried by a former Minister, and perhaps the then Minister was our Seanad colleague, Senator Michael McDowell. Concerns remain even though the provision is better than what we had and I believe that the provision is just a little too wide in terms of usage.
In response to one of the Senator's last comments, I wish to say that this is an emergency Bill and we are addressing the courts. That is specifically what we are doing in the provision. Everybody has expressed a view on the really short time that it has taken us to bring this legislation to the committee and bring it to Cabinet. Everything has been done at a much faster pace than I would have liked and I believe that such speed does not give us the time to tease through wider issues. That is why I have given a very clear commitment that we will have a general scheme by the end of the year. We will go through quite a lengthy process with Senators and we will engage with everybody from our different agencies, the communications platforms, the Data Protection Commission and others. We really are focused on what the ruling is here.
In response to the comment made by Senator Ruane, there are greater safeguards in this Bill than currently exist. At the moment this information can be accessed for a criminal offence. As far as I am aware, the technology is not being misused or mistreated. There has not been general access for any individual or targeting of groups of people, particular areas or anything like that. We had an extra layer in the form of reasonable grounds. If one has to show reasonable grounds then that must be reported on yearly so it is not that these cases are never seen by anybody. This has to be reported on and will be reviewed. If somebody has not given reasonable grounds, or has abused their position or their access to this information then that will be shown very clearly in the reports. There are safeguards at another level and this matter must be reported on.
I will now give my personal view and say that I think law enforcement agencies should be able to access information where there is a criminal offence, a serious offence. Where there is a threat or risk to my life, the lives of Senators or anybody's life then access should be allowed. I regret that I must bring forward some of these elements of the Bill because I think that gardaí should be able to access information if somebody's life is at risk. I do not think somebody's personal privacy should overrule a person's right to feel safe and protected, particularly where a serious crime has been committed. I appreciate that we are not talking about serious crimes but criminal offences in general, which is slightly different. The very fact that the courts have ruled that general data is not seen in the same way as Schedule 2 data is why we are applying this provision.
On the use of different terminology, there is prevention, detection, prosecution but also investigation. So if a person suspects someone to be guilty of a crime or is investigating that crime then, to me, that scenario fits in the provision. Again, that is part of the ruling and what the court stated when it ruled on this matter.
It is important to be clear that our amendment specifically states that we want to add the word "serious". Our amendments are not in respect of whether serious offences would be a basis. Our amendment specifies that it would be "serious" offences.
I note that the word "criminal" is not referenced in the Bill but the term "an offence" is. So we think that "a serious" offence is a reasonable piece. I also note that Bill shows section 6(1)(a) or (b). Therefore, (1)(a) is not contingent on (1)(b) and is, in itself, a basis for the information being accessed even without the caveats in (1)(b), which we will discuss later.
Amendments Nos. 9, 10, 12 and 13 are related and may be discussed together by agreement. Is that agreed? Agreed.
I move amendment No. 9:
In page 8, line 13, to delete “preventing,”.
Similar content has been covered in the last group of amendment but I will repeat for clarity. Amendments Nos. 9, 10, 12, and 13 would again limit the scope of Garda and Revenue officer powers in respect of “user data”. The Bill currently states that “user data” can be retained in order to prevent or detect crime, and this does not have to be for national security concerns nor does it have to be for serious crime.
I want to repeat the following for clarity. It seems to us that the Bill states that Garda and Revenue officers can retain user data in order to pre-emptively detect even minor crimes. I do not fully understand and do not accept the justification for this. Where do the Garda derive authority to pre-emptively check people's data for potential crimes? I ask that question as I think that this legislation, as currently drafted, allows for that. To me, that sounds like surveillance or there is a potential for surveillance, which violates the principles of a democratic society. Innocent until proven guilty is a core principle of the Irish justice system so nobody should be subjected to surveillance or violations of their data privacy rights unless there is reasonable evidence against them, unless they undergo due process, and the crime reaches a higher bar than just a minor offence.
I share the same concerns as my colleague. We have raised our concerns when discussing other matters like the use of CCTV cameras. It is that idea of "preventing, detecting, investigating or prosecuting offences". We have tabled two amendments regarding "preventing". Perhaps the Minister might clarify what is meant by "detecting". Amendment No. 9 seeks to delete the word “preventing,” and amendment No. 10 seeks to delete “preventing, detecting,”. We feel that "investigating" should cover the matter where there is a specific concern. It is important that the word "detecting" is deleted in terms of fishing for information.
Prevention is a concern as well because using the word "preventing" allows for the idea that, potentially, categories of persons may be identified as persons who might commit a crime, and using this information goes towards the very dangerous idea whereby persons are identified as persons who might commit a crime. I remember the outrageous situation where the name of a baby or a child from a minority community in this country was placed on the PULSE for monitoring purposes. Let us bear in mind the kinds of things that have happened in the past in terms of policing and discriminatory practices. I am not talking hypothetically because, sadly, there are plenty of examples of these cases around the world, and there are cases and examples in Ireland.
I am concerned about the use of certain words, in particular the word "preventing". For example, the idea of saying we need to have information on these persons without there being reasonable grounds and a proper case. Again, serious offences are not mentioned in the legislation just "offences" in terms of criminal offences.
It is important to remember that this Bill reacts to the jurisprudential framework that has been put in place. In fact, it puts in place greater safeguards for the citizens. I am very much in favour of a framework that is put in place to prevent the mass surveillance of citizenry. I do not hold with that at all. As I said during our Second Stage debate, this country has a very reasonable approach to data protection albeit it one that comes from Europe but we have taken it on board and I think that we behave very well with it. The notion that we would now turnaround and remove the word "preventing", in the context of preventing crime, from the legislation, to my mind, is a totally unwarranted tying of Garda hands or at least the tying of one hand behind the back, which is unnecessary. The safeguards the Minister has already spoken about, in terms of applications having to be made, are already in the Bill. I am concerned about the tenor of these amendments and I hope the Senators understand what I mean.
The starting point is an attitude that we must stop any action by the Garda in respect of data to prevent crime. If it can use data to prevent crime, so be it; that does not necessarily mean that the Garda is offending against the presumption of innocence. If the presumption of innocence was taken to its logical conclusion, the Garda would never robustly question or arrest a suspect or apply to deny that person bail because that offends against the presumption of innocence. There are other areas of law, particularly the Bail Act 1997, which allow the courts or An Garda Síochána in certain circumstances to take a particular view in respect of someone but it must be evidence-based. Even in respect of the proposed substituted section 6(1)(b), it does not mean the Garda can just pick someone, decide it does not like them and therefore anticipate that this person is going to commit a crime and, in a preventative fashion, gather data on that person. In all the circumstances of what is provided for in the Bill, that would be totally illegal. In fairness to An Garda Síochána, it does not have unlimited resources any more than any aspect of the State. It is not going to spend time gathering data in a preventative fashion on somebody when there is no basis to suspect that he or she might be likely to commit an offence.
It is entirely proportionate, in my view, that An Garda Síochána would be empowered to take steps it can take to prevent crime. To do otherwise, would be madness. We would be tying the garda's hands behind his or her back and doing society in general a disservice, all in the name of potentially cutting off possible breaches of the general data protection regulation, GDPR, when that is already there and built into the Act. I would not want to go too far in suggesting that we should not be trying to prevent crime, for example. We should of course be doing that. Insofar as the Bill can be used in that regard, it should be.
In one sense what we are proposing here, to comply with the European Court of Justice ruling, is tying members of the Garda's hands behind their backs because it limits what they can do. It limits their access in respect of national security grounds and the time for which the data can be kept. It absolutely limits what they can do when it comes to fighting crime, including serious crime.
The terms "preventing" and "preventing or detecting" are already in the principal Act. They are absolutely appropriate in the context of how An Garda Síochána or other agencies carry out their work and what they do. They are all captured together with investigating and prosecuting. I think in paragraph 158 of the 2020 ruling, which has not changed since the April 2022 ruling, the court itself outlines and discusses the four terms, namely, preventing, detecting, investigating or prosecuting. They are specifically used in this. I really would not see a reason for departing from the court's ruling when this specifically is what we are trying to do. We are trying to make sure we are in line with the European Court of Justice ruling. I do not see why we would detract from it, nor how this gives less of a right to people than they currently have. I would really see the opposite, in that there are more safeguards, less data can be retained and there are fewer ways in which they can be accessed.
We have not sought to remove the phrases pertaining to investigating or prosecuting offences. Where an offence is being investigated, of course it is appropriate that the data can be accessed. What we have addressed is the question of prevention and detection. It needs to be seen alongside the wide definition of "offences" that is given here. The Irish Human Rights and Equality Commission has highlighted to the UN the questions and dangers in respect of profiling in policing. That has been raised at UN level. Ireland cannot be complacent about its records in that regard. Despite there being limited resources, we often see that quite a lot of resources tend to be directed towards the prosecution of even very minor crimes in some communities yet there is not the same level of prosecution of equivalent or even more serious crimes in other communities. That has been the experience. It is part of a wider reform of policing culture. I am aware that a process is under way through the Commission on the Future of Policing and other initiatives. However, we certainly cannot be complacent. I will not be comfortable until we start seeing reports about the brilliant changes that have happened in policing, hearing how all of the great things in the Commission on the Future of Policing report have happened and until we have UN committees saying it is all going great. Then I will certainly be a little bit happier about widening the powers.
The proposed provision is narrower than what we have at the moment but what we have at the moment is not good. We are not arguing in favour of what we have at the moment. We are arguing in favour of going a little bit further in clarifying and narrowing the remit. I think we and the Minister will just have to disagree on this one. I am concerned that we will be on a watching brief as to how those powers of prevention of offences are being used.
The Minister mentioned that there is going to be work on legislation in the autumn. We need to start disaggregating data in terms of who uses these powers, where they are used and around what kinds of offences. This is the problem of the superintendent not having to go to anybody to seek this permission. Not now, but perhaps on some of our later amendments, the Minister might discuss how we track the patterns that are emerging and ensure we do not have inadvertent overuse of these powers in respect of minor offences or particular communities. We will need a watching brief on that.
I move amendment No. 11:
In page 8, line 33, after “a” to insert “serious”.
I second the amendment.
I move amendment No. 12
In page 8, line 36, to delete “preventing,”.
I second the amendment.
I move amendment No. 14:
In page 37, between lines 5 and 6, to insert the following:
“Protection of journalistic sources
7E. (1) Sections 6B, 6D, 6E, 7B, and 7D shall not apply in the case of data belonging to a journalist, and no powers may be exercised in respect of the retention, preservation or disclosure of data of a journalist as a matter of urgency, without relevant authorisation issued by an authorising judge.
(2) All sections of this Act, other than those listed under subsection (1),shall only apply in the case of data belonging to a journalist and orders may only be issued in respect of data belonging to a journalist, where the applicant convincingly establishes that there is an overriding requirement in the public interest that justifies such an order.”.”.
Is there a seconder?
We are on Committee Stage. I do not think we need a seconder, just for efficiency and time.
We are all in favour of that.
I will be delighted to anyway.
Amendment No. 14 seeks to insert a new section into the Bill which would provide additional protection in respect of data journalists. It would provide for the non-application of certain sections of the Bill in respect of journalists' data, specifically the sections which provide for the use of emergency powers in respect of data retention. Certain sections of the Bill, for example, the proposed sections 6B, 6D, 6E, 7B and 7D, provide for emergency powers to retain data in situations of urgency whereby members of the Garda or other relevant persons can bypass judicial approval. They can retain data and then get retrospective approval from a judge later . While I understand the need for these emergency powers in certain cases, such as scenarios where there may be an imminent threat of an act of terror, these powers need to be clearly limited and constrained. They are very serious powers which allow a person's data privacy rights be stood down without judicial approval. It is important that they would not apply, for example, to journalists. This is essential under Article 10 of the European Convention on Human Rights relating to freedom of expression. That convention clearly lays out that the protection of journalistic sources is one of the basic conditions for press freedom.
European Court of Human Rights case law has made it clear that the protection of journalistic sources must be given precedence in almost all matters relating to data sharing, disclosure or retention. To quote one piece of case law, "Without such protection, sources may be deterred from assisting the press in informing the public on matters of public interest". Thus, the lack of protection for journalistic sources in this Bill is not in line with the requirements of the ECHR. Case law clearly rules that surveillance aimed at identifying journalistic sources should go through a heightened screening process, including prior independent judicial approval. Any form of data retention in respect of a journalist simply cannot bypass judicial approval. Therefore, it is essential that the sections granting emergency powers to bypass judicial approval should not apply to the data of journalists. This is what amendment No. 14 would achieve.
I am sympathetic to what is being discussed in the amendment. Perhaps I have missed it but the words "journalist" and "journalism" are not defined. Am I correct in this? Does this not leave it wide open to interpretation in a way that was never intended?
I understand the concerns in the amendment. We have to be very sensitive to anything relating to data that journalists have collected. The Murray report published in 2017 made a number of recommendations on data retention issues specifically relating to journalists. There are two elements. One of these is what is being maintained from what was in the principal Act. The intention is to bring forward a general scheme later this year in which we will look at outstanding issues, including some of the issues relating to journalistic data set out in the Murray report. This will include consideration of whether the term "journalist" would need to be defined. As has been pointed out, the scope of people who would claim to be engaging in journalism, particularly online, would be much broader than previously. It is something we would need to look at.
The proposed section 7E(1) states data belonging to a journalist would not be covered by the power to seek disclosure of Schedule 2 data, Internet source data or cell site location data on an urgency basis. It would also be excluded from the application of the temporary preservation order and the temporary protection order. However, they would apply where there is an overriding public interest grounds. There must be necessity. There has to be a proportionality test. There are safeguards whereby we must have judicial authorisation for disclosure except for where it is user data. This goes back to the fact that it is not seen as being serious. This is very much where it is in the public interest. There has to be proportionality. There has to be necessity. It has to go through judicial authorisation. More generally the grounds will apply with regard to Schedule 2 data or data that would look at someone's source data or cell site location data on an urgent basis. This is something we will need to come back to in the general scheme, acknowledging there is a little bit more work to be done. It is very sensitive. We are responding to the court ruling. It is an emergency Bill. We look forward to working with the Senator and getting into more detail when we work through the general Bill.
I thank Senator Ward and the Minister. They have made a valid point on how to define the online space. This is where it stings us as Opposition Senators that we are doing all Stages together. We recognise there is an issue and if there was time in between the Stages we would have been able to work together to ensure that perhaps we could look at and sensitively handle what the definition of journalism would be and how to approach it.
It has been said many times that we are responding to a court ruling and this is emergency legislation. Even though I do not dispute this, it is still legislation that will apply more widely. It is still legislation that will be in existence. What also concerns me is that, unfortunately, an amendment was ruled out of order. It was a funny one to be ruled out of order because all it proposed was introducing a sunset clause. I do not know how a sunset clause in legislation would impose a cost on the State. It is another one for the book of weird rulings by the Seanad.
We would be a lot more comfortable if the sunset clause had been put in. At least then we would know that the arrival of the legislation to which the Minister referred will have urgency. In that Bill we will be able to define journalism and who is a journalist and deal with some of the other issues that have been raised today. I do not underestimate the Minister's ability in any shape or form to get it done but funny things can happen in politics in a year or two. We are a bit nervous about waiting for the legislation to come. It would be great to have a clearer idea from the Minister as to when she sees legislation being tabled to address some of the wider issues that have come from the need to put this legislation through the Houses.
With regard to the question on the definition of "journalist", the Minister is aware that as recently as last year Opposition Members in the other House have proposed legislation on the protection of journalists and clarifying exactly the definition of a journalist in law. They asked whether we should look to the National Union of Journalists for a definition or look at international definitions. These are discussions that Opposition Members have tried to lead. They are increasingly important at a time when we are acting and speaking about the rights of journalists internationally. They are under pressure. We have had statements in the House in respect of journalists who have been persecuted internationally. It is something on which we need to be clear. The fact there is ambiguity is not on us. It is something we can certainly work together to address.
The sunset clause is a serious concern. It is a concern we have noticed in general. When a Minister comes to us to ask for powers it is appropriate the House says we will give the powers but with certain constraints on the reach of such powers and the time and duration of such powers. The Minister has acknowledged that time is a relevant factor in terms of the extent and scope of powers. Sunset clauses are fundamental. I note we have had inconsistency. They should always be allowed. We have been told they can only be allowed in emergency legislation. We have also been told this Bill is emergency legislation but sunset clauses are not being allowed. This is not a point for the Minister but it is a debate we need to have as a House. If we go into a situation where the House is not able to set suitable amendments in our determination of the transfer of power to a Minister it is damaging to the legislative process. We will return to this. I know the Minister did not make the ruling but it needs to be noted.
The definition of "journalist" is something we will look at. It is a recommendation in the Murray report. The general scheme will be introduced by the end of this year. There will not be any time limits put on how we will debate it. I regret the timeline in which this Bill has been brought forward. It is based on the timeline of the 2020 ruling, the April ruling and getting clarity that it would not change in the Supreme Court. The legislation was brought to Cabinet the following week and we have moved as quickly as we can. The end of term has not helped us in this instance.
I stress again that what is in the Bill limits the data we can retain more than what already exists and adds additional safeguards. This includes even when we refer to journalists accessing certain information. We have to show it is in the overriding public interest. We have to make sure there is necessity and it is proportional. We must also have judicial authorisation. There are quite a number of safeguards. I appreciate it is something we need to come back to and discuss further with regard to the wider Bill.
I am not sure why the sunset clause was ruled out of order. Perhaps it was a technicality. This amendment was put forward and discussed in the Dáil. Perhaps that may have been the case. I did not accept it in the Dáil. I will not go through the discussion there. I am not sure what happened in this regard. I thank all Senators for their time on this. I appreciate the manner in which it has gone through. I must stress this is really a response to make sure we are compliant and do not find ourselves in a situation over the summer where the Supreme Court makes a ruling and suddenly data companies are potentially deleting data or information that could be retained for very important purposes.
Amendment No. 15 in the names of Senators Higgins and Ruane has been ruled out of order as it is in conflict with the principle of the Bill.
When is it proposed to take the next Stage?
Is that agreed? Agreed.
When is it proposed to take the next Stage?
Is that agreed? Agreed.