The Gist: National Surveillance, the Rush Job

The Government is trying to rush through a bad law on their national surveillance regime. This is the Gist.

The Gist: National Surveillance, the Rush Job
Photo by Matthew Henry / Unsplash

In 2014, the top court in Europe, the CJEU, delivered its judgement in the Digital Rights Ireland challenge on the system of surveillance that had been put in place covering 500 million EU citizens. They struck down the EU law it was based on and they found the model of general 'data retention' to be incompatible with the EU Charter of Fundamental Rights. Half a billion people's rights were protected. I am the solicitor for Digital Rights Ireland and count that as one of the days I did good work.

To this day, the Irish Government continues to base their legal defence of the Irish Data Retention regime on the Data Retention Directive the CJEU nullified eight years ago.

While even Wile E. Coyote eventually stops spinning his legs in mid-air and looks down, the Irish state has steadfastly continued with denial as its first and last response to a binding decision that they had built a national surveillance database, accessed between 10,000 and 12,000 times a year by Gardaí with no prior warrant or judicial oversight, based on an EU law that no longer existed.  

Case after case was taken to the CJEU, ( Tele2/Watson from Sweden and the UK, La Quadature du Net from France), on the Data Retention topic. Each one took a similar approach. The state party asked the CJEU maybe it didn't really mean what it had said in the Digital Rights Ireland case and the CJEU affirmed it did and gave greater and greater detail of what that meant in practice.

Eventually, the Irish state faced their own reference to the CJEU, and responded by asking it to again reconsider the DRI/Tele2 rulings. The law was, by now, so clear that the Court even asked the Irish state if it seriously wanted it to answer the referred questions again. As the Attorney General recently described it in a recent TCD seminar, Ireland was in a "dialog" with the CJEU and it wanted its answer.

To literally nobody's surprise (except maybe the Irish State) the CJEU came back with a response which confirmed all its previous reponses. It also clarified again exactly what a lawful data retention regime would look like, something the Irish Government had ignored when it brought forward a 2017 Bill to amend the 2011 Act.

In 2017, the Department of Justice's official admitted the Irish Data Retention regime was illegal

Then, after all these years of inaction, the Department of Justice suddenly produced an emergency piece of legislation last week. It was such an emergency that they hadn't even published the Bill while the Oireachtas Committee was doing a truncated pre-legislative scrutiny. As Thomas Pringle TD pointed out, the proposed timelines were so absurd that they had, quite literally, two minutes remaining to introduce amendments to a Bill they hadn't seen, while they were still in Committee meeting.

This timeline was so ridiculous that the Committee suspended proceedings and when they came back, it had been slightly improved.

The current plan is for the law to be on the books by the end of this week. There do seem to be some practical problems, however. The phone companies, who will have to actually take those laws and make them true, flagged during their submission to the Committee that there were some very significant technical issues. As the Department admitted, despite all these years since the DRI judgment in 2014, they hadn't actually effectively consulted with the telcos about the new law.

That's now also due to happen this week. Meaning the Department are finding out if the law they've written is impossible to implement at the same time as they are passing it.

On top of all that, there is the additional problem that the new law doesn't actually solve the problem of the old one. There are a series of legal requirements, identified by former Chief Justice Murray in a report on this exact subject which are still not being implemented.

The most obvious problem is that the new Bill creates a new basis for continuing to retain data on the whole population for 'national security' but then fails to provide any definition of national security.

By relying on an undefined threshold, it fails to meet the requirements of the CJEU that:  

‘In order to satisfy the requirement of proportionality, the legislation must lay down clear and precise rules governing the scope and application of the measure in question and imposing minimum safeguards, so that the persons whose personal data is affected have sufficient guarantees that data will be effectively protected against the risk of abuse. That legislation must be legally binding under domestic law and, in particular, must indicate in what circumstances and under which conditions a measure providing for the processing of such data may be adopted, thereby ensuring that the interference is limited to what is strictly necessary.’

In Zakharov v. Russia the European Court of Human Rights held that a Russian law which failed to define state security purposes was in breach of Article 8 ECHR:

‘It is significant that [Russian law] does not give any indication of the circumstances under which an individual’s communications may be intercepted on account of events or activities endangering Russia’s national, military, economic or ecological security. It leaves the authorities an almost unlimited degree of discretion in determining which events or acts constitute such a threat and whether that threat is serious enough to justify secret surveillance, thereby creating possibilities for abuse.’

In addition, a 'transitionary' provision in Section 9 of the Bill attempts to create a legal basis for all of the existing, illegally retained, data to be kept. Thomas Pringle TD inquired of the Department of Justice how this wouldn't fall foul of the long established principle that it is unconstitutional for the Oireachtas to try to pass a law that would determine a matter already before the courts. He even helpfully cited the caselaw (the Sinn Féin Funds case) and referred to the still ongoing DRI case. The official from the Department said he was unfamiliar with the case. We were left to wonder which case he was referring to.

The Justice Committee members were so unimpressed with the answers they were given, including a promise that the law was going to be replaced later, at a time unspecified, that both Government and Opposition members put down amendments to the law automatically killing it after a set number of months.

In her unpersausive speech tonight, the Minister for Justice argued that any such 'sunset clause' would introduce uncertainty. Presumably, having a vague promise to repeal and replace the law at some unknown point of time with unspecified terms is the Department of Justice's preferred means of delivering certainty.

And, in a microcosm of the Department's response to this issue for nearly a decade, she was still complaining about the CJEU's decisions; "It is actually the European Court rulings that are having the impact here, but also how the EU Charter of Human Rights is being interpreted." Pesky courts, and their law interpreting.

So we are faced with the sight of a Department of Justice which is, again, refusing to actually follow the law because it doesn't like how the courts found against the Department's wishes time after time.  In doing so, it is supplying fuel for appeals by every single person convicted by this evidence in the future, instead of admitting it Got It Wrong and following the CJEU's checklist on how to collect and store phone data legally.

We only need to look to our East to see that a scofflaw state is a danger to its citizens, and in the longer term, to its own legitimacy.