Data Protection Commission

Press Release - 24 February 2003

Retention of Communications Traffic Data

Statement by Joe Meade, Data Protection Commissioner at the Forum on the Retention of Communications Traffic Data on 24 February 2003

I very much welcome this forum and I compliment Minister McDowell for hosting it as it is necessary that an informed debate takes place on this important matter. Let me say at the outset that as Data Protection Commissioner I will be supportive of measures that are demonstrably necessary to protect against crime or terrorism but such measures must be proportionate and have regard to the human right to privacy. The purpose of today's forum is to analyze the parameters in which communications companies can retain communications traffic data so that security services can have access to such data while respecting our privacy rights.

So what is traffic data? Traffic data in the communications field refers to the data that is created by your phone company (Telco) or Internet service provider (ISP) when you make a phone call, go on the Internet or send an e-mail. It is necessary for billing purposes and you are aware of its contents if you get an itemized bill. Traffic data reveals huge amounts about one's private life. They are your electronic footprints but unlike the physical fingerprints you leave around you in the real world, they are recorded. For land line phone calls it can reveal the number you dialed, the duration of the call and the time of the call. Traffic data also includes a record of the location of the cell phone in question as it moves about from cell to cell. For this reason, traffic data generated by mobile calls is far more personal and revealing. In relation to the Internet, traffic data would encompass the e-mail addresses on all correspondence to and from the subscriber, a record of date, time, and size of message as well as other transmission details but hopefully excluding message subject and content. It would also encompass a record of every login session, every web page visited and read, every search term entered, every file downloaded, every purchase made, and so forth - in short, virtually the entirety of one's online "session" but hopefully excluding the content of e-mail messages.

In the ideal world once the bill is paid such data should be deleted though aggregate or anonymised detail can be held. Of course it is personal data and communications whether by post, phone or e-mail are meant to be confidential unless otherwise regulated by law. Because most people put an important privacy value on their communications, interception of or access to calls for law enforcement agencies is strictly regulated under the 1983/1993 Postal and Telecommunications Services Acts and the 1988 Data Protection Act.

Are there privacy concerns? The retention of private communications, beyond the limited time necessary for billing purposes, therefore, is a significant measure in data protection terms. I do not doubt or question that there are extremely good law enforcement reasons for wanting such data to be retained for a longer period. However, if you can no longer feel secure that your telephone, web surfing and electronic communications are in fact private, then that signals a major change in the nature of the society in which we are living. Traffic data, if it is not securely controlled, could be used

  • as a source of great assistance to marketers including telcos and ISPs
  • as a way of profiling your habits
  • to monitor your movements by reference to location of call as an information source and/or to have a snoop on you if necessary
  • to make wrong assumptions about your personal behavior
  • to blackmail you perhaps if the communication service provider did not have adequate data security to provide against the potential for unlawful access by hackers and others
  • as a means of surveillance on every citizen just in case they did wrong.

It could therefore be easily abused unless stringent safeguards are in place. Unlike other forms of personal data as I have indicated traffic data can reveal very easily who you are communicating with and where you are in your normal private life even when there is no criminal activity of any sort contemplated or being carried out by you. In effect

  • would we avail of the phone or Internet if any of the foregoing was to be the norm and we were not clearly informed about them when we signed up to the service
  • would we be concerned if our emails were read by an ISP or the security service without just and legitimate cause
  • how can the legislation be framed to restrict access to law enforcement purposes only
  • as a democratic society would we be happy to forego some of our human rights to privacy in the absence of strict and proportionate measures to limit that right
  • do we want to live in a "surveillance society" where our normal activities could be routinely monitored and kept for inspection by the security services or what should the balance be
  • does the state want to keep data on everyone just in case we might become a criminal or does the state wish to treat us all as criminals.

Therefore today we are considering how long telcos and ISPs should routinely retain traffic data for security or law enforcement access purposes and the challenges this may pose for me in my role as Data Protection Commissioner and ultimately for every citizen. That is why this forum is very important.

What is the importance of Privacy? Privacy is one of the "unenumerated rights" of our Constitution as established in case law by Supreme Court judgments. May I also quote from the Law Reform Commission 1998 Report on Privacy, Surveillance and the Interception of Telecommunications

"Privacy is not merely instrumental to the achievement of other goals but is a basic human right that applies to all persons in virtue of their status as human beings. It is not possible to overstate just how fundamental privacy is in a civilized legal system".

What are the Data Protection angles therefore? Section 2(1)(c)(i) of the Data Protection Act, 1988 provides that data controllers shall keep personal data only for one or more specified and lawful purposes. Section 2(1)(c)(iv) provides that personal data shall not be kept longer than necessary for that purpose or those purposes. It is legitimate for telcos and ISPs to process personal data for billing purposes. In principle, there seems to be no reason why a telco or an ISP should retain billing data for any significant period of time after a particular bill has been settled. A short retention period, to allow for subsequent queries to be dealt with, would not appear unreasonable. It would also be legitimate for a telco or an ISP to retain personal data for longer periods in particular cases where a dispute has arisen regarding a bill, or where the telco has reasonable grounds to suspect that such a dispute may arise. However, it would be contrary to the Act to routinely retain billing data in all cases for a long period of time, irrespective of whether the bill has been settled, or of whether there is any reason to believe that a settled bill will subsequently be challenged. Apart from being retained longer than necessary, such data would appear to be "irrelevant and excessive", contrary to section 2(1)(c)(iii) of the Act. This then was my basis for demanding during 2001 that in line with the 1988 Act and EU directives traffic data, in general, should be routinely kept for a maximum period of six months - a position since formally adopted by the EU Data Protection Commissioners and the EU Commission.

As regards the current legal position I made an order, in January 2001, requiring telcos and ISPs to register with my Office. During the registration process I discovered that all traffic data for telcos was being routinely retained for a period of six years, the rationale being that it was necessary to do so in case a claim arose under the Statute of Limitations. I found it difficult to accept this reasoning and pressed for the six-month retention period to be the norm as outlined earlier. While this period was eventually acceptable to most of the telcos and ISPs it raised legitimate concerns in the Department of Justice regarding access for security and crime investigations. Following discussions with me the Department indicated that a retention period of three years, rather than the then six years, was necessary for security purposes for telcos. While I respected their view I consider that a maximum period of three years does not strike the correct balance. The Department however took my concerns to Government who decided in March 2002 that the Minister for Public Enterprise should issue Directions under s110(1) of the Postal and Telecommunications Services Act, 1983, requiring telcos to retain detailed non-anonymous traffic data for a three-year period, for the purpose of facilitating requests from An Garda Síochána and from the Defence Forces under sections 98A and 98B of the 1983 Act, as inserted by section 13 of the Interception of Postal Packets and Telecommunications Messages (Regulation) Act, 1993. The direction was issued in April 2002 to telcos. This measure was intended to be a temporary 'holding measure' pending the introduction of substantive legislation to this effect. The legislative process is now being finalised but I understand that ISPs could be included in the legislation also. While I was very unhappy with this approach I am much happier that the process has now been brought into the open for public debate.

EU law on the retention of telecommunication traffic data is regulated by Directive 97/66 which was transposed into Irish law on 8 May 2002 - this is being replaced by Directive 2002/58, to be transposed by October 2003. Directive 2002/58 has not made significant changes to the existing provisions of retention of traffic data as it extends its scope to the more general context of electronic communications. Article 6 of Directive 97/66 provides that traffic data can be retained until the bill is paid while Article 14 of the Directive (Article 15 of Directive 2002/58) also provides that retention of traffic data for purposes of law enforcement should meet strict conditions i.e. in each case only for a limited period and where necessary, appropriate and proportionate in a democratic society.

Let me now address the matter of law enforcement access to traffic data and data protection. I, of course, recognise that privacy rights are in no sense absolute and must constantly be balanced against other competing interests not least the right to freedom of expression or society's right to be made aware of particular information which an involved individual might prefer to remain hidden. In my view the issues of public policy that need to be balanced are so delicate as to require fine tuning in stand alone legislation for particular serious issues. When a communications data controller is making disclosure of billing or traffic data to a law enforcement agency then it can rely on the provisions of Section 8(b) or (e) of the Data Protection Act which provide that

"Any restrictions in this Act on the disclosure of personal data do not apply if the disclosure is

(b) required for the purpose of preventing, detecting or investigating offences, apprehending or prosecuting offenders or assessing or collecting any tax, duty or other moneys owed or payable to the State, a local authority or a health board, in any case in which the application of those restrictions would be likely to prejudice any of the matters aforesaid,

(e) required by or under any enactment or by a rule of law or order of court".

(As regards security of the state this is covered under Section 8(a)). In my opinion, section 8 is permissive in that it lifts restrictions on the disclosure of personal data by a data controller, which would otherwise apply if none of the conditions specified in section 8 were met. Section 8(b) does not oblige a data controller to disclose personal data to anybody regardless of whether or not any of those conditions have been met. Furthermore I am of the opinion, that if section 8(b) is to be relied on it has to be established that there is a substantial risk rather than a mere chance that in a particular case at least one of the purposes mentioned (in 8(b)) would be noticeably damaged by the data controller's failure to provide the information sought. In other words, the prejudice test has to be clearly undertaken before any data can be disclosed or indeed requested. This is why any request by the law enforcement agencies to telcos or ISPs for access to traffic data has to be made by an officer not below the rank of Chief Superintendent or a Colonel in line with the terms of the 1983 and 1993 Postal and Telecommunications Acts.

I will now comment on my role as Data Protection Commissioner. I am independent in the exercise of my functions as a creature of the 1988 law passed by the Oireachtas. Because the Oireachtas has created me thus I am not a framer of legislation but in general my observations are sought by Departments when matters concerning data protection arise in any draft legislation or when schemes are being introduced. My main obligations under the law are to ensure that the privacy rights people are entitled to and the obligations placed on data controllers are fully respected. Data protection law is not a barrier to law enforcement agencies carrying out their difficult tasks but it tries to strike a reasonable and proportionate balance between personal privacy rights and other demands placed on any democratic government. I believe it appropriate to reiterate that I am conscious of the sensitive issues of security, including national security. The precise content of the legislation to be introduced in this regard is ultimately a matter for Government subject to enactment by the Oireachtas and hopefully after careful consideration of my views on the matter and those expressed at this seminar.

So what is my overall view on the retention period? Data protection law in this country is based on the principles outlined in the Council of Europe convention and in EU directives which this country has implemented. In my view and in the view of my EU and other Privacy Commissioners where traffic data are to be retained in specific cases for security purposes

  • the traffic data involved has to be clearly defined and the burden of proof that privacy invasive measures are necessary must always be on those who claim that some new intrusion or limitation on privacy is necessary.
  • it must be demonstrably necessary in order to meet some specific need
  • it must be demonstrably likely to be effective in achieving its intended purpose i.e. it must be likely to actually make us significantly safer, not just make us feel safer;
  • the intrusion on privacy must be proportional to the security benefit to be derived; and
  • it must be demonstrable that no other, less privacy-intrusive, measure would suffice to achieve the same purpose

The European Union Data Protection Commissioners have also noted with concern that in the third pillar of the EU, proposals are being considered which would result in the mandatory systematic retention of traffic data concerning all kinds of telecommunication for a period of one year or more, in order to permit possible access by law enforcement and security bodies. They have expressed grave doubts as to the legitimacy and legality of such broad measures and stated that systematic retention of all kinds of traffic data for a period of one year or more would be clearly disproportionate and therefore unacceptable in any case. They also drew attention to the excessive costs that would be involved for the telco and Internet industry, as well as to the absence of such measures in the United States. Finally the European Data Protection Commissioners have also repeatedly emphasized that such retention would be an improper invasion of the fundamental rights guaranteed to individuals by Article 8 of the European Convention on Human Rights.

In conclusion you will appreciate this is a sensitive and complex issue for everyone where difficult choices have to be made. I welcome the measures to monitor this area by a judicial oversight and I accept that traffic data can be of valuable assistance to law enforcement agencies in particular instances. Data protection law is not a barrier to law enforcement agencies carrying out their difficult tasks but it tries to strike a reasonable balance between personal privacy rights and other demands placed on any democratic government. The privacy implications of traffic data retention are further compounded by the involvement of neutral third parties, i.e., the communication service provider, with all that this implies for data security and the potential for unlawful access by hackers and others. While I can well appreciate the arguments put forward in support of the systematic retention period of three years I remain to be convinced that a three year retention period is necessary for the Gardai, the Defence Forces and ultimately the state to carry out their delicate and responsible work. Therefore a balance has to be struck. To strike the correct balance certain questions need to be raised and answered. I pose the following questions

  • have a significant number of requests been made for traffic data held for longer than six months or twelve months
  • how vital is traffic data to detecting crime
  • how valuable is traffic data in the detection of crime overall i.e. what % of solved serious crime is dependent on access to traffic data
  • if we are being asked to sacrifice our privacy we must have details about what we get in return. Once privacy rights are surrendered they may be hard to recover. We should therefore surrender these rights reluctantly, on the basis of convincing arguments and facts about other interests of society
  • what level of proof of suspected wrongdoing would have to be available to a telco or ISP or a judge in order to enable access to the data. Are we talking about crime detection, intelligence, specific investigations or a store of data relating to suspicious activity?
  • will it be possible to ensure that access will only be allowed for security purposes or crime
  • will this type of legislation have a "sunset provision" so that the Oireachtas can review its appropriateness after a reasonable time period

It is a matter for the Oireachtas but I would ask you to reflect on the communiqué issued by over 50 Data Protection Commissioners following their annual conference in Cardiff in September 2002 which stated

"The Commissioners agreed that whilst there is the need to protect society from the outrages of 9/11 the reactions in many countries may have gone beyond a measured response to the terrorist threat with serious implications for personal privacy. The Commissioners agreed that the need to safeguard personal privacy in such developments remains an essential task for the world-wide data protection community. Unless an approach is taken by Governments which correctly weighs data protection and privacy concerns there is a real danger that they will start to undermine the very fundamental freedoms they are seeking to protect".

I look forward to the Minister bringing forward new legislation to address matters of importance that he and I are concerned with. I have no doubt but that the Oireachtas will fully debate these concerns when considering this matter and will address it by enacting legislation at an early date.