Briefing on the Communications (Retention of Data) (Amendment) Bill 2022 July 5, 2022 The European Court of Justice has found that the Communications (Retention of Data) Act 2011 is contrary to EU law.1 However the Communications (Retention of Data) (Amendment) Bill 20222 only partially addresses the findings of the Court of Justice and the other issues with the 2011 Act identified by Mr Justice John Murray in his 2017 Review.3 If passed in its current form, this bill will create more legal uncertainty and result in more Dwyer4-type cases in which evidence is challenged. The unlawful provision under Section 9, seeking to legitimise the current unlawfully retained data, creates a particular risk in this area. Considering the speed with which this bill is being rushed through the Oireachtas,5 bypassing democratic scrutiny, and the extremely short timeframe with which we have had to consider this piece of legislation, we focus on the most significant points below: ● Section 4, inserting section 3A, permits rolling one-year renewable data retention: in effect, indefinite retention. ○ By providing for one-year data retention orders in all cases, it violates the requirement of the CJEU that the duration of each data retention measure must be ‘limited in time to what is strictly necessary’6 and that such measures, while they can be renewed, ‘cannot be systematic in nature’.7 Instead, each data retention order must 1 G.D. v Commissioner of An Garda Síochána, Minister for Communications, Energy and Natural Resources, Attorney General, Case C‑140/20, 5 April, 2022, accessible here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=257242&pageIndex=0&doclang=EN&mode=re q&dir=&occ=first&part=1&cid=15069305 2 Communications (Retention of Data) (Amendment) Bill 2022, accessible here: https://data.oireachtas.ie/ie/oireachtas/bill/2022/72/eng/initiated/b7222d.pdf 3 Review of the Law on the Retention of and Access to Communications Data, April 2017, accessible here: https://www.justice.ie/en/JELR/Review_of_the_Law_on_Retention_of_and_Access_to_Communications_Data.pd f/Files/Review_of_the_Law_on_Retention_of_and_Access_to_Communications_Data.pdf 4 G.D. v Commissioner of An Garda Síochána, Minister for Communications, Energy and Natural Resources, Attorney General, Case C‑140/20, 5 April, 2022, accessible here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=257242&pageIndex=0&doclang=EN&mode=re q&dir=&occ=first&part=1&cid=15069305 5 O'Keefe, C., ‘Rushed' legislation on new surveillance powers 'vulnerable to legal challenges’, Irish Examiner, 3 July, 2022, accessible here: https://www.irishexaminer.com/news/arid-40909493.html 6 La Quadrature du Net and Others v Premier ministre and Others, In Joined Cases C‑511/18, C‑512/18 and C‑520/18, para. 138, 6 October, 2020, accessible here: https://curia.europa.eu/juris/document/document.jsf?docid=232084&doclang=en 7 Ibid. be assessed individually and any interference must be precisely circumscribed by provisions to ensure that it is actually limited to what is strictly necessary,8 including the period of time that data will be retained.9 ● The bill fails to provide any definition of national security. ○ By relying on an undefined threshold, it fails to meet the requirements of the CJEU that: ‘In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse. That legislation must be legally binding under domestic law and, in particular, must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary.’10 ○ The failure to define national security echoes the case of Zakharov v. Russia in which the European Court of Human Rights held that Russian law which failed to define state security purposes was in breach of Article 8 ECHR: ‘It is significant that [Russian law] does not give any indication of the circumstances under which an individual’s communications may be intercepted on account of events or activities endangering Russia’s national, military, economic or ecological security. It leaves the authorities an almost unlimited degree of discretion in determining which events or acts constitute such a threat and whether that threat is serious enough to justify secret surveillance, thereby creating possibilities for abuse.’11 ● The bill fails to provide for protection of journalists’ sources. ○ It is a requirement under the ECHR that surveillance aimed at identifying journalistic sources should go through a heightened screening process including prior independent judicial approval. ○ Even in urgent situations there must be an independent review by a judge or similar body before information capable of identifying sources is handed over or accessed.12 ○ In April 2022, the Court of Appeal judgment in Corcoran v The Commissioner of An Garda Síochána13 held that this requires, in the case of search warrants, that: ‘The District Court judge must be informed that the application engages or potentially 8 Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others, Joined Cases C‑293/12 and C‑594/12, para. 65, 8 April, 2014, accessible here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=150642&pageIndex=0&doclang=EN&mode=lst &dir=&occ=first&part=1&cid=13830164 9 G.D. v Commissioner of An Garda Síochána, Minister for Communications, Energy and Natural Resources, Attorney General, Case C‑140/20, para.67, 5 April, 2022, accessible here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=257242&pageIndex=0&doclang=EN&mode=re q&dir=&occ=first&part=1&cid=15069305 10 La Quadrature du Net and Others, C‑511/18, C‑512/18 and C‑520/18, para. 132, 6 October, 2020, accessible here: https://curia.europa.eu/juris/document/document.jsf?docid=232084&doclang=en 11 Roman Zakharov v Russia, application 47143/0, 4 December 2015. https://hudoc.echr.coe.int/eng?i=001-159324 12 Sanoma Uitgevers BV v. the Netherlands, application 38224/03, 14 September 2010. 13  IECA 98, accessible here: https://www.bailii.org/ie/cases/IECA/2022/2022IECA98.html engages journalistic privilege, that this privilege is protected by the Constitution and the Convention, that it may be overridden, that the judge may only issue the warrant if the applicant convincingly establishes that there is an overriding requirement in the public interest that justifies such an order. The applicant is under an obligation to make full disclosure in order that the District Court judge may properly balance the competing rights of the public interest in the investigation and prevention of crime and the rights of journalists, their sources and the general public in the protection of journalistic sources from disclosure. A warrant issued where these minimum requirements are not met may be quashed. A review and ex post facto balancing of the rights after a warrant has issued and after it has been executed is not compliant with the requirements of the Constitution. The very fact of the issuing of the warrant to search the home or place of business of a journalist, even if it is not executed or no journalistic material is seized on foot of it, may in some circumstances amount to a breach of the rights of a journalist, and their sources, under the Constitution.’14 ○ By failing to provide these safeguards, the Bill fails to meet the requirements of the ECHR for protection of journalistic sources. ● The bill fails to provide an adequate oversight mechanism. ○ The ECHR requires that surveillance measures be subject to supervisory bodies which must be ‘independent of the authorities carrying out the surveillance’, ‘objective’ and ‘vested with sufficient powers and competence to exercise an effective and continuous control’.15 ○ This bill fails to provide this, keeping the system of a ‘designated judge’ who carries out a part-time function once a year, with no technical or legal expertise in this area, no administrative support, and no power to suspend illegal surveillance.16 ● There is no judicial remedy for a breach of the powers in this bill. ○ The Murray Review found that ‘bearing in mind the coercive nature character of a data retention system, and the concomitant risk to fundamental rights associated with it, that a statue should expressly provide for an appropriate judicial remedy and associated procedures for breaches of rights, including fundamental rights, occasioned by its operation’.17 ○ This bill does not provide any such remedy. ● The bill attempts to retrospectively validate illegal data retention, contrary to EU law. 14 Ibid, para. 154 15 Klass v Germany, application 5029/71, 6 September 1978, para. 56, accessible here: https://hudoc.echr.coe.int/fre?i=001-57510 16 T.J. McIntyre, 'Judicial Oversight of Surveillance: The Case of Ireland in Comparative Perspective,' in Judges as Guardians of Constitutionalism and Human Rights, ed. Martin Scheinin, Helle Krunke, and Marina Aksenova (Cheltenham: Edward Elgar, 2016), accessible here: http://hdl.handle.net/10197/7363 17 Murray J, Review of the Law on the Retention of and Access to Communications Data (April 2017) at para. 336, accessible here: https://www.justice.ie/en/JELR/Review_of_the_Law_on_Retention_of_and_Access_to_Communications_Data.pd f/Files/Review_of_the_Law_on_Retention_of_and_Access_to_Communications_Data.pdf ○ Section 9 of the bill purports to require providers to continue to retain data which is currently being held illegally. By doing so it attempts to retrospectively validate the retention of that data. This is contrary to EU law. Indeed, the CJEU explicitly stated in the Dwyer judgment that the retrospective effect of its judgment could not be limited, stating that: ‘Maintaining the effects of national legislation such as the 2011 Act would mean that the legislation would continue to impose on providers of electronic communications services obligations which are contrary to EU law and which seriously interfere with the fundamental rights of the persons whose data have been retained.’18 ● The bill attempts to interfere with the independence of the courts and of the Data Protection Commission. ○ By requiring continued retention of data which is currently being held illegally, section 9 also violates the principles of judicial independence and the independence of the Data Protection Commission. ○ In current litigation,19 DRI is challenging the retention of data under the 2011 Act, and DRI has also made a complaint to the DPC seeking that it take enforcement action against providers, requiring that they delete data which has been retained illegally. ○ By purporting to require ongoing retention of illegally retained data, this bill would interfere with the jurisdiction of the courts in a pending matter (contrary to the principle in the well-known Sinn Féin Funds case20 and e.g. Gorman v. Minister for Environment (No 2)21), and would limit the power of the DPC to act in relation to a pending complaint of illegality, interfering with the independence of the DPC contrary to Article 52 GDPR. 18 G.D. v Commissioner of An Garda Síochána, Minister for Communications, Energy and Natural Resources, Attorney General, Case C‑140/20, para.122, accessible here: https://curia.europa.eu/juris/document/document.jsf?text=&docid=257242&pageIndex=0&doclang=EN&mode=re q&dir=&occ=first&part=1&cid=15069305 19 Digital Rights Ireland Ltd v Minister for Communication & Ors 2006 3785 P. 20 Buckley v. Attorney General  1 IR 67. 21  1 IR 306.