'No justification' for State data-collection powers in proposed bill, say experts
The new legislation will also allow for 'two entirely unprecedented' powers that are 'clearly in breach of European Court of Justice case law', according to TJ McIntyre, an associate professor of law at UCD and director of Digital Rights Ireland.
The Government has "no justification" for scanning the networks of small businesses, and even homes, under the National Cyber Security Bill, data protection advocates have said.
Two of Ireland’s most prominent privacy advocacy organisations, Digital Rights Ireland and the Irish Council for Civil Liberties, will today tell an Oireachtas committee that the pending bill will allow for the scanning of the networks, despite such provisions being absent from the European legislation from which the Irish bill takes its lead.
“There is no justification in the explanatory note for this power, and it is difficult to see why it is included,” TJ McIntyre, an associate professor of law at UCD and director of DRI, will tell the justice committee.
Mr McIntyre will stress that the issues raised by both DRI and ICCL with the bill are that it seeks to extend itself beyond the threats which the EU itself envisaged in its own legislation, and amount to “purely domestic innovations”.
He is expected to add that the bill will give “extremely wide” internet-blocking powers to the State’s own dedicated cyber security unit, the National Cyber Security Centre (NCSC) — powers for which the two bodies believe there are “very limited procedural safeguards”.
Meanwhile, the new legislation will also allow for “two entirely unprecedented” powers: The ability to scan and store all network traffic from public sector bodies — including sensitive information such as health data or legal correspondence — and the power to allow the NCSC to collect data from private communications on public networks such as mobile carriers or messaging apps, information which could be gathered without the consent of those affected.
Mr McIntyre will say that those two powers are “clearly in breach of European Court of Justice case law prohibiting the bulk collection of the contents of communications and metadata about communications”, particularly given the scanned information would be shareable with gardaí under another provision of the bill.
He will further raise concerns about yet another provision of the proposed law, which would give the NCSC the power to “compel communications providers such as WhatsApp and data centre operators to install surveillance devices on their networks”.
“This would permit collection of data on the telephone and internet use of the whole population, on national security grounds, without any requirement of proportionality,” Mr McIntyre will say, while noting further that ‘national security’ is not defined anywhere in the draft legislation.
Meanwhile, Garda Detective Superintendent Pat Ryan will tell the committee that, in his opinion, “offences that can only be committed using a computer, represent the greatest threat of societal-level disruption”.
He will say that the transposition of the EU’s cyber crime directive is therefore “most welcome”, given it will “create a more secure cyber eco-system in this jurisdiction”.
“There is little doubt that the cybercrime economy is now an economy of scale and one that is generating immense wealth for those who benefit from it, while causing immense harm to victims,” Det Supt Ryan will say, while citing the “disruptive impact” of the mass cyberattack which laid the HSE’s entire network low in May 2021.
CONNECT WITH US TODAY
Be the first to know the latest news and updates
