For the first time since 2011, Irish legislation governing the retention of mobile phone data such as texts, call and location data is scheduled to change. The Data Retention Bill (Communications (Retention of Data) Amendment Act 2022) will address the impact of recent EU case law, including the Graham Dwyer murder conviction. The proposed legislation, which is not yet in force, could potentially impact data retention policies across all businesses and organisations in Ireland. This article will focus on the changes to the legislation and what they mean for data retention.
The Bill will replace the Communications (Retention of Data) Act 2011 and will set down limitations on the retention of, and access to, data by law enforcement agencies, remedying many shortcomings of the 2011 Act and taking account of the Tele2/Watson and Digital Rights Ireland judgments. Limitations on fundamental rights of privacy and personal data are addressed, an advancement on the EU Data Retention Directive 2006/24/EC (the Directive) and the 2011 Act.
Data Retention Directive 2006/24/EC, which introduced laws compelling the storage of telecommunications data, was declared invalid by the Court of Justice of the European Union (CJEU) in Digital Rights Ireland in 2014. The Directive required the collection and retention of traffic and location data by companies such as mobile and broadband providers for a period of up to two years. However, the Court’s judgement was based on the finding that the general obligation for service providers to retain all subscriber, traffic and location data was not limited to what was strictly necessary, and entailed an interference with the fundamental rights of “practically the entire European population”.
The main focus of the new Amendment is on how long data is being retained.
Under the new Amendment, “general and indiscriminate retention of communications traffic and location data” will only be allowed on national security grounds and will require approval by a designated High Court judge. This differs from the previous legislation, under which telecommunications companies were required to retain data on all customers for two years.
The new Amendment also provides a “quick freeze” system, allowing judges to order an organisation, such as a telecommunications company, to retain the data of a person once they become a suspect in a serious offence.
The new legislation will enable Gardaí and judges to order the retention of communications data solely on national security grounds.
The new legislation will institute the following changes:
- The retention of “user data” and “internet source data” for a period of 12 months, for the purpose of combatting crime, safeguarding State security, protecting the life and safety of persons or locating missing persons
- General and indiscriminate retention of communications traffic and location data may only be permitted for national security purposes, and will require approval by an authorised judge
- Preservation Orders and Production Orders may be obtained by An Garda Síochána, the Defence Forces, the Revenue Commissioners or the Competition and Consumer Protection Commission
At the time of writing, the law is not actually in force. The Irish Government only submitted a notification to the EU on 21 December 2022 under the Technical Regulations Information System (TRIS), which triggers a standstill period of 3 months to allow the EU Commission, Member States and the general public to submit any comments or express opinions about the proposed law.
It is anticipated that the EU will announce their judgement imminently. In the meantime, Ireland is still reliant on the 2011 law because the amending legislation in the Data Retention Bill (Communications (Retention of Data) Amendment Act 2022) was never officially “commenced” by ministerial order. Nevertheless, the 2011 law is outdated and unfit for purpose as it predates the General Data Protection Regulation (GDPR) and the changes brought about by that legislation.
When the new law is passed, it will mean better protection for data subjects’ rights and privacy and will prevent unnecessary or unlawful sharing of data with law enforcement agencies.
For all businesses and organisations within Ireland, data retention policies and schedules will need to be updated to reflect the new legislation, and employee privacy notices will need to reflect the possible sharing of personal data under the proposed legislation.
Law enforcement agencies will now need to seek prior approval from a judge before submitting an access request to a company seeking employee data. This will ensure that requests for data are legitimate and necessary, ensuring alignment with GDPR principles.
Trilateral’s Data Protection and Cyber-Risk Team has significant experience advising organisations and other entities on advanced data management and compliance, as well as supporting experts working with any request that you may receive from AGS or law enforcement agencies. For more information, please feel free to contact our advisers, who would be more than happy to help.