Cianan Brennan: Minister creates a de facto mass surveillance system of entire population
Justice Minister Helen McEntee announced that she had, via a court order, informed Ireland’s telecommunications providers they must preserve the mobile phone records of all citizens for a period of 12 months in the interests of the security of the State.
Tuesday was a hectic day in the land of media. With the furore surrounding Ryan Tubridy’s hidden payments reaching fever pitch ahead of a planned statement from RTÉ on the matter that afternoon, the scene was set for that most desirable of situations in the corridors of power — a good day to drop bad news.
First, Minister for Public Expenditure Paschal Donohoe announced the results of a review of senior public servant pay, which concluded that departmental secretaries general should be entitled to a year’s wages upon concluding their terms. Not a headline likely to garner an especially happy response.
Then, three hours later, Justice Minister Helen McEntee announced that she had, via a court order, informed Ireland’s telecommunications providers they must preserve the mobile phone records of all citizens for a period of 12 months in the interests of the security of the State.
This is no small matter — in one fell swoop the minister had created a de facto mass surveillance system of the entire population and all based upon the need to safeguard the State’s security.
Ms McEntee said, in announcing the move, that having assessed a threat to that security she had “satisfied myself that there exists a serious and genuine, present or foreseeable threat to the security of the State and that such threat is likely to continue for at least the next 12 months”.
What that threat is, no one has been told.
To the layperson, the minister’s action might seem like a step replete with ramifications, not one to be taken lightly.
In truth, what she has done is a great deal more problematic, because there are issues at a European level with how the new law her action was based on was implemented. And they’re not going to go away.
To get a feel for why, you have to consider the State’s relationship with data retention law. It’s a long one, and little of it is positive.
Under the 2011 Data Retention Act, which until last Monday was the sole law of the land, mobile telephony data was held by the various phone companies for two years (one year for internet data).
What that meant in practice is that licenced State organisations like the Defence Forces and (especially) An Garda Síochána could access people’s mobile phone history — without having to go to court — as an aid to their investigations.
Probably the most noteworthy conviction achieved via the use of such data was the life sentence handed down in 2015 to infamous murderer Graham Dwyer for the killing of Elaine O’Hara three years earlier.
That particular case hinged almost entirely on circumstantial mobile phone evidence — such as locations being generally ascertained via pings off mobile network towers — no physical incriminating evidence existed. Dwyer’s subsequent multi-year appeal attacked the use of such data as unlawful.
He had a genuine case. In 2014, privacy advocates Digital Rights Ireland had challenged the European law under which Ireland’s 2011 data retention legislation was based at the Court of Justice of the European Union — on the basis it represented indiscriminate mass surveillance without judicial oversight — and won.
From that moment, Ireland’s law was effectively illegal, given the primacy of EU law over domestic. That same decision was subsequently reiterated on at least two further occasions by the European court, and given that precedent it’s unlikely the court’s opinion will change in the future.
As far back as November 2017 Department of Justice officials had admitted on the Oireachtas record that the law as it stood was unworkable.
A draft replacement Bill was put in place that same year during the tenure of Ms McEntee’s predecessor Charlie Flanagan. It never passed the Oireachtas.
Three years later in 2020, the Court of Justice of the European Union (CJEU) indicated to the Irish Supreme Court, which had referred the data retention segments of Dwyer’s appeal to Europe for its expert opinion, that any decision it made would likely favour the murderer.
Queried on this, the Department of Justice said at the time that it would await the final decision before deciding what to do, six years after its own law had been deemed invalid.
In truth, the Dwyer case was just the tip of the iceberg in terms of what was at stake — thousands of convictions had been secured under the 2011 law in terms of historic phone records. While Dwyer’s appeal ultimately foundered, the door had been left open for a glut of legal challenges to those thousands of convictions secured by the gardaí.
An Garda Síochána finally began to take the hint, and the instances of it accessing mobile phone records decreased exponentially at the turn of the decade.
Nevertheless, nothing changed until the summer of 2022, when the Supreme Court here dismissed the State’s appeal against a ruling in favour of Dwyer, clearing the way for him to appeal his conviction.
Suddenly, it became very important to Ms McEntee’s department to update its rogue law. In just over a month, the Department of Justice rammed an updated data retention Act through the Oireachtas, with a minimum of democratic oversight, immediately before the Dáil recess, a fact which did not go down well with opposition TDs.
And then the law went uncommenced for just under 12 months. In other words, it may as well not have existed, which sort of gave the lie to the urgency in which it had been enacted in the first place.
A further spanner in the works emerged last December when the revealed that the law had, during its expedited draft stage, never been run through a European Commission (EC) procedure (the Technical Regulation Information System (TRIS) designed to ensure that any individual EU State’s laws would have no negative impact on the bloc of countries as a whole.
At the time the Department told this paper that it did not believe the law should have been run through Europe, without specifying why.
It then quietly engaged TRIS anyway two weeks later, only to be told by the EC that given the law had already been enacted it could not be considered, and as such was possibly “inapplicable and unenforceable”.
From there, you might have thought the State’s options were pretty limited. The law would surely have to be redone and submitted to TRIS, a tacit admission of fault by the department, but better to admit that fault and get things right than drag the whole farrago on indefinitely.
After all, the new bill is generally considered an improvement on its flawed predecessor. Other European nations have introduced similar updated laws.
Gardaí now have to go to court to access mobile records, those records are only being retained for a year, and only on the admittedly fuzzy grounds of ‘national security’ (it’s not hard to see that data accessed in gangland cases for example).
Instead, the minister had the Act commenced last Monday. On the same day, she went before High Court judge Alexander Owens to invoke the section of the new Act requiring the indiscriminate retention of phone records for 12 months.
The law as it stands is almost certainly illegitimate, the EC has made that clear.
“The overall problem is that no other country has screwed up the implementation of this like we have,” privacy solicitor Simon McGarr said.
“We stuck with the horrible 2011 Act because we wouldn’t admit it was wrong. Then Dwyer flattened it and they rammed a new one through after waiting eight years. But no one told them they had to do TRIS. If you don’t follow the proper procedure, if you rush things, you get bad legislation. And this clearly wasn’t that urgent given they didn’t commence it for another year,” he said.
Asked why the Department had commenced the law despite the European Commission saying it may be inapplicable due to it missing the TRIS window, a spokesperson said that given the notification period for TRIS had expired in March “without comment or opinion from either the EC or other member states ... accordingly, Ireland was free to commence the 2022 Act”.
This would seem to ignore the fact the EC had told the Department of Justice in January that they had applied for TRIS long after the horse had bolted.
The spokesperson also said that “the general and indiscriminate retention of communications data in accordance with the High Court order does not equate to mass surveillance”.
They said that the data concerned is meta, that is, it does not include the content of communications, and that “in the vast majority of cases, nobody will ever access this data”. This again misses the point however. If the law is flawed from a European perspective, then surely it is vulnerable to appeal.
“This will jeopardise hundreds of convictions, despite countless warnings from legal experts,” said Dr TJ McIntyre, professor of law at UCD and chair of Digital Rights Ireland.
“The data is stored, and the gardaí will be applying for it. And all the while legal challenges will be stored up, totally avoidably,” Mr McGarr said.
“The Law Library is well aware of what has happened here. You can be sure they will make use of it.”
CONNECT WITH US TODAY
Be the first to know the latest news and updates
