Protection site

Data Protection Commission urged to act against alleged unlawful retention of data – The Irish Times

The government’s bid to deal with the fallout from convicted murderer Graham Dwyer’s successful challenge to cellphone metadata retention laws is hitting another hurdle, with the Data Protection Commission being urged to act immediately on the alleged continued unlawful retention of data by service providers.

There is also speculation in legal circles that a bill rushed through the Oireachtas this week as a stopgap following the European Court of Justice (ECJ) ruling upholding Dwyer’s challenge. could yet be referred by President Michael D Higgins to the Supreme Court for a ruling on its constitutionality.

The Data Protection Commission was called upon by lawyers from Digital Rights Ireland (DRI) – which in 2014 won a landmark CJEU decision ultimately leading to the cancellation of Ireland’s Data Retention Act 2011. Dwyer case – to take ‘immediate’ action against telecoms companies that continued to process nationwide data on all Irish users during the 2011 law.

In a letter to the commission on July 5, McGarr’s lawyers warned that unless such action is taken, his letter could be referenced in other proceedings or complaints regarding Ireland’s compliance with the EU law.

national law

The letter said the CJEU’s decision earlier this year in the Dwyer case meant it was “without question that the continued retention of data under the 2011 Act is unlawful”. The Dwyer judgment, he said, specifically finds that the retention provisions of the 2011 law are contrary to the provisions of the ePrivacy Directive. When a state body encounters a disagreement between a national law and an EU law, it is the duty of the state body not to directly apply the national law, the lawyers wrote.

The lawyers asked the commission to immediately order the telecommunications operators to delete the data retained under this law and to stop retaining other data under this law. The committee was urged to take all necessary steps to ensure the full effectiveness of EU law.

The letter was sent just days before the Oireachtas this week passed a controversial bill – the Communications (Data Retention) Amendment Bill 2022 – aimed at remedying the situation after Dwyer’s victory at the CJEU.

Several provisions of the bill – passed on Thursday just before the Oireachtas summer recess – had been strongly criticized by bodies such as DRI and the Irish Council for Civil Liberties.

The CJEU ruled in the Dwyer case that EU law prevents the blanket and indiscriminate retention of electronic traffic and location data for the purposes of combating serious crime.

The 2022 bill authorizes the blanket and indiscriminate retention of communications traffic and location data only for national security reasons, when approved by a designated judge.

It establishes a system of preservation orders and production orders to facilitate the preservation of and access to specified data held by telecommunications companies for national security and to investigate serious crimes, when authorized by an authorization judge. A preservation order will act as a “quick freeze,” requiring service providers to retain specified data for a period of time.

“Indefinite retention”

A production order will allow natural security/law enforcement access to specified data held by a service provider for commercial or other reasons. Traffic and location data held for national security purposes, and subscriber data retained for national security or law enforcement purposes, may both be retained for 12 months.

The Irish Council for Civil Liberties (ICCL) has argued that the bill will allow renewable data retention for one year, makes it ‘indefinite retention’ and does not define national security or provide for the protection of sources. journalists and an adequate oversight mechanism.

The bill, said the ICCL, attempts to retrospectively validate unlawful retention of data contrary to EU law, “will create more legal uncertainty” and lead to more Dwyer-like cases in which evidence is contested. A provision to legitimize data currently stored illegally “creates a particular risk in this area”, he said.

The bill is effectively intended as a stopgap before the introduction of a more comprehensive measure – the Data Retention and Governance Bill – but industry and legal sources remain concerned about the situation in the interim.

Industry sources say there is a great deal of uncertainty about their position, particularly about the status of the underlying data they hold and about the practicalities of implementing law enforcement measures. 2022. “The Retention and Governance Bill needs to be finalized by the government urgently, there are simply too many unknowns,” a source said.