Data retention in Ireland
February 7th, 2008 | Published in Google Public Policy
Data retention requirements have been controversial in Ireland and will likely remain so as the Irish government moves to introduce new legislation shortly.
At present, data retention for telecomms providers in Ireland is governed by the Criminal Justice (Terrorist Offences) Act 2005. The basic requirements are that, subject to a request from the police, service providers (fixed or mobile) must retain traffic and/or location data for a period of 3 years. The police request must be for the purpose of fighting crime. The content of this legislation has been controversial here, with the Data Protection Commissioner airing concerns about the length of retention periods.
New EU data retention legislation was agreed on in 2006 and seeks to harmonise the obligations on service providers to retain certain data for the purpose of fighting serious crime. The directive also expands the scope of data retention requirements to include a number of internet services. The period of retention is to be not less than six months and not more than two years. Member states were required to implement the legislation no later than 15 September 2007, although many availed of a derogation period.
We have previously blogged about the directive and raised concerns with its scope (which services are covered and which are not), the potential for inconsistent implementation and the difficulties this would raise for a global internet player like Google, and how the costs of compliance are going to be covered.
The Irish government took a legal challenge against the directive to the European Court of Justice, arguing that the wrong process was used to pass the directive. To make matters even more complicated an Irish privacy advocacy group (Digital Rights Ireland) has filed a legal case against both the current Irish law and the EU directive.
With the Irish government's legal challenge underway and a lack of progress across the EU on transposition, the Directive seemed to be going nowhere fast. But recent media reports state that the Irish government is now set to convert the directive into Irish law. This has caught many observers by surprise and has drawn criticism from the Data Protection Commissioner and the ISP Association of Ireland.
Ireland looks set to be amongst the first countries to transpose the directive. Concerns have been expressed that sufficient time may not be available for a full debate to discuss the very complex issues involved. There is also a real risk that a rushed transposition process could produce legislation which negatively impacts on consumer privacy and is harmful to the internet and telecomms sector. Our view is that it is vital that the reasonable concerns of privacy advocates and industry are taken into account. Google is going to take advantage of the current window of opportunity to get our views across, and we hope that other interested parties will do likewise.