Update: A full PDF article on Data Retention in Ireland is available here
The Communications (Retention of Data) Act 2011 was passed on the 26th January 2011 before the dissolution of the 30th Dáil. Broadly speaking, the Act transposes Directive 2006/24/EC (The Data Retention Directive).
Section 3 of the Act provides that a service provider shall retain the data in the categories set out in Schedule 2 for a period of 2 years in respect of “fixed network telephony and mobile telephony”, and one year in respect of “internet access, internet e-mail and internet telephony data”. It also provides that the periods of retention commence from the passing of the Criminal Justice (Terrorist Offences) Act in the case of data which was retained under that Act (i.e. data relating to voice communications), or from the date of the passing of the 2011 Act in every other case (i.e. internet metadata).
The Act requires the following Data to be retained under section 3 in the case of “fixed network telephony and mobile telephony”:
1. Data necessary to trace and identify the source of a communication:
(a) the calling telephone number;
(b) the name and address of the subscriber or registered user.
2. Data necessary to identify the destination of a communication:
(a) the number dialled (the telephone number called) and, in cases involving supplementary services such as call forwarding or call transfer, the number or numbers to which the call is routed;
(b) the name and address of the subscriber or registered user.
3. Data necessary to identify the date and time of the start and end of a communication.
4. Data necessary to identify the type of communication:
the telephone service used.
5. Data necessary to identify users’ communications equipment or what purports to be their equipment:
(a) the calling and called telephone number;
(b) the International Mobile Subscriber Identifier (IMSI) of the called and calling parties (mobile telephony only);
(c) the International Mobile Equipment Identity (IMEI) of the called and calling parties (mobile telephony only);
(d) in the case of pre-paid anonymous services, the date and time of the initial activation of the service and the cell ID from which the service was activated (mobile telephony only).
6. Data necessary (mobile telephony only) to identify the location of mobile communication equipment:
(a) the cell ID at the start of the communication;
(b) data identifying the geographical location of cells by reference to their cell ID during the period for which communication data are retained.
The Act requires the following Data to be retained under section 3 in the case of “internet access, internet e-mail and internet telephony data”:
1. Data necessary to trace and identify the source of a communication:
(a) the user ID allocated;
(b) the user ID and telephone number allocated to any communication entering the public telephone network;
(c) the name and address of the subscriber or registered user to whom an Internet Protocol (IP) address, user ID or telephone number was allocated at the time of the communication.
2. Data necessary to identify the destination of a communication:
(a) the user ID or telephone number of the intended recipient of an Internet telephony call;
(b) the name and address of the subscriber or registered user and user ID of the intended recipient of the communication.
3. Data necessary to identify the date, time and duration of a communication:
(a) the date and time of the log-in and log-off of the Internet access service, based on a certain time zone, together with the IP address, whether dynamic or static, allocated by the Internet access service provider to a communication, and the user ID of the subscriber or registered user;
(b) the date and time of the log-in and log-off of the Internet e-mail service or Internet telephony service, based on a certain time zone.
4. Data necessary to identify the type of communication:
the Internet service used.
5. Data necessary to identify users’ communication equipment or what purports to be their equipment:
(a) the calling telephone number for dial-up access;
(b) the digital subscriber line (DSL) or other end point of the originator of the communication.
Section 4 of the Act implements Article 7 of the directive with regard to Data Security. It is however notable that the Article 19 Working Party have raised a number of issues with the security of retained data. In particular they suggest that there should be
- strong access control to the retained data:
  - definition of user responsibilities;
  - profiles with different user privileges
- strong authentication for system access:
  - dual authentication mechanisms (i.e. password + biometrics, or password + token)
- detailed tracking of accesses and processing operations:
  - log retention
- log integrity:
  - encryption technology or equivalent measures
- logical separation from other systems processing traffic data for commercial purposes
- additional necessary measures:
  - detailing roles and functions of system administrators dealing with systems where traffic data are stored for law enforcement authority related purposes
  - ad-hoc policy documents
Section 5 of the Act provides that a service provider shall not access the retained data save as:
(a) at the request and with the consent of a person to whom the data relate,
(b) for the purpose of complying with a disclosure request,
(c) in accordance with a court order, or
(d) as may be authorised by the Data Protection Commissioner.
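As an added illustration (not part of the Act or of the Working Party's text), the sketch below shows one way a provider could combine the access tracking and log integrity measures listed above with the section 5 grounds: every access attempt is logged with its stated ground, and entries are chained with an HMAC so that later edits or deletions are detectable. The class, field names, ground labels and key are assumptions made for the example.

```python
import hashlib
import hmac
import json

# Labels (assumed) for the four grounds on which section 5 permits access.
SECTION_5_GROUNDS = {"consent", "disclosure_request", "court_order", "dpc_authorisation"}
GENESIS = "0" * 64  # placeholder "previous tag" for the first entry


class AccessLog:
    """Append-only access log; each entry's HMAC also covers the previous tag."""

    def __init__(self, key: bytes):
        self._key = key
        self.entries = []

    def _tag(self, prev: str, body: dict) -> str:
        msg = prev.encode() + json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def record(self, operator: str, ground: str, record_id: str, when: str) -> bool:
        """Log the attempt (allowed or refused) and return whether access may proceed."""
        allowed = ground in SECTION_5_GROUNDS
        body = {"operator": operator, "ground": ground, "record": record_id,
                "when": when, "allowed": allowed}
        prev = self.entries[-1]["tag"] if self.entries else GENESIS
        self.entries.append({"body": body, "tag": self._tag(prev, body)})
        return allowed

    def verify(self) -> int:
        """Return the index of the first entry that fails to verify, or -1 if intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            if not hmac.compare_digest(entry["tag"], self._tag(prev, entry["body"])):
                return i
            prev = entry["tag"]
        return -1


def demo():
    # Constructed sample data; a real key would be held outside the logged system.
    log = AccessLog(key=b"constructed-demo-key")
    log.record("op-17", "disclosure_request", "cdr-0001", "2011-03-01T10:00:00Z")
    log.record("op-17", "marketing", "cdr-0002", "2011-03-01T10:05:00Z")  # refused
    log.record("op-22", "court_order", "cdr-0003", "2011-03-02T09:30:00Z")
    before = log.verify()
    # Simulate an after-the-fact edit that relabels the refused attempt as lawful.
    log.entries[1]["body"].update(ground="consent", allowed=True)
    return before, log.verify()
```

The chain does not by itself reveal that the most recent entries were cut off; for that, the latest tag has to be copied somewhere the logged operators cannot write.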
In light of section 5(c), it is noteworthy that this appears to put on a firm footing the availability of a Norwich Pharmacal Order to disclose all information held under the Data Retention Act. In light of the decision in EMI v. Eircom, this appears to broaden exponentially the purposes to which retained data can be put. This issue is also the subject of a preliminary reference to the European Court of Justice in Bonnier Audio AB, Earbooks AB, Norstedts Förlagsgrupp AB, Piratförlaget Aktiebolag, Storyside AB v Perfect Communications AB. Given that Article 1(1) of the Directive explicitly states that the purpose for which data is retained is the “investigation, detection and prosecution of serious crime, as defined by each Member State in its national law”, this seems to be a step too far.
A disclosure request is made in accordance with section 6, which names three authorities who may make a request: the Garda Síochána, the Defence Forces and the Revenue Commissioners. A member of the Garda Síochána not below the rank of chief superintendent may request the disclosure of retained data for the purposes of:
(a) the prevention, detection, investigation or prosecution of a serious offence. In this case a serious offence means an offence punishable by imprisonment for a term of 5 years or more, and an offence listed in Schedule 1.
(b) the safeguarding of the security of the State,
(c) the saving of human life.
A Colonel of the Defence Forces may request a disclosure where that officer is satisfied that disclosure is required for the purposes of safeguarding the security of the State.
A Principal Officer of the Revenue Commissioners may request retained data for the purpose of “the prevention, detection, investigation or prosecution of a revenue offence”. “Revenue offence” is defined in section 1 and essentially includes tax fraud; oil smuggling; non-payment of excise duties; and smuggling of tobacco or alcohol. The ICCL, in their submission on the Bill, noted that giving powers of disclosure to Revenue officials was a step too far, and that the Gardaí could just as easily request the data in the course of prosecuting a revenue offence. They also recommend that requests should be subject to judicial approval.
A disclosure request must generally be made in writing under section 6(4), but in cases of extreme urgency the request may be made orally and followed up by written confirmation within 2 working days. Service providers are obliged to comply with the disclosure request under section 7, and section 3(3) obliges a service provider to retain the data in such a way that it may be disclosed without undue delay.
Section 10 of the Act provides for a complaints procedure. Section 10(1) provides that:
A contravention of section 6 in relation to a disclosure request shall not of itself render that disclosure request invalid or constitute a cause of action at the suit of a person affected by the disclosure request, but any such contravention shall be subject to investigation in accordance with the subsequent provisions of this section and nothing in this subsection shall affect a cause of action for the infringement of a constitutional right.
Not unlike the system provided for in the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, a person who feels hard done by makes a complaint to a “referee”, who is one and the same person nominated under the 1993 Act. The referee may decide:
(a) whether a disclosure request was made as alleged in the application, and
(b) if so, whether any provision of section 6 has been contravened in relation to the disclosure request.
If, after investigating the matter, the Referee concludes that a provision of section 6 has been contravened, the Referee shall—
(a) notify the applicant in writing of that conclusion, and
(b) make a report of the Referee’s findings to the Taoiseach.
At the referee's discretion, he may:
(a) direct the Garda Síochána, the Defence Forces or the Revenue Commissioners to destroy the relevant data and any copies of the data,
(b) make a recommendation for the payment to the applicant of such sum by way of compensation as may be specified.
The decision of the Referee is final.