Subscriber OnlyTechnology

Data decisions create dark day for Irish democracy

Government move to force stop-gap data retention amendment that could gag discussion on complaints part of prolonged history of State bungling on data protection

Helen McEntee's Department of Justice is behind two controversial moves on data protection and retention this week that critics argue will further damage Ireland's international reputation in this area. Photograph: Niall Carson/PA Wire
Helen McEntee's Department of Justice is behind two controversial moves on data protection and retention this week that critics argue will further damage Ireland's international reputation in this area. Photograph: Niall Carson/PA Wire

Two extraordinary, last-minute actions by the Government this week trample on democracy, will further exacerbate unresolved dilemmas mostly of the Government’s own making and are certain to create further international, reputation-damaging complications in the future.

These are, first, the secretive, closed-door hearing Monday during which Minister for Justice Helen McEntee imposed 12-month blanket communications data retention on the Irish population and, second, a stupefying proposed amendment introduced only last week to year-old draft legislation, allowing the Irish Data Protection Commission to gag public discussion of what it determines to be “confidential” elements of any complaints it is considering. The bill passed a Dáil vote last night.

Each makes Ireland look less and less like an open and transparent democracy and more like a state beholden to and manipulated by powerful interests.

In the case of McEntee’s data retention order, those interests include security agencies and a justice department that has, at great taxpayer and societal cost, continued to ignore the landmark decade-old Digital Rights Ireland decision by Europe’s highest court – the Court of Justice of the European Union (ECJ). The ECJ ruling involving Ireland’s data retention laws required Ireland to introduce better, EU-compliant legislation governing the collection, storage and use of highly sensitive communications data.

READ MORE

The State chose not to be inconvenienced by this binding EU decision that has since become the foundation of successive ECJ data protection rulings. Exactly as predicted by digital rights advocates, the State’s inaction opened a door for challenges to serious criminal convictions secured using data that continued to be obtained under an invalidated law. The cases brought by convicted murderer Graham Dwyer are one result.

McEntee to seek private hearing of court application under law dealing with Dwyer data challenge, digital rights group claimsOpens in new window ]

Minister says phone data retention order will ‘safeguard’ State securityOpens in new window ]

After the ECJ last year made clear to the Government that Dwyer did have a valid case, the State hurried through new data protection legislation. Unfortunately, it did so in a haphazard, rushed way (again, in a week). The State failed to put the proposed law through a necessary EU consultative process, rendering the law unfit for purpose.

Hence, McEntee’s rushed order last week, granted in a closed court hearing, after she argued that the State needed to impose a stop-gap 12-month data-retention regime.

Numerous ECJ data protection and retention rulings in recent years have mandated the need for openness, transparency, public discussion, clear checks and balances, and proportionality. That baseline requirement for informed discussion and balanced protections would not seem to be met by failing to enact a fresh law for a decade, then quickly introducing an order, without Dáil or public input or response, beyond scrutiny and behind closed doors.

The so-called section 26 Amendment to the Data Protection Bill, a ministerial amendment put forward by Department of Justice junior minister James Browne, is equally appalling. It grants the Data Protection Commission (DPC) the right to ban discussion of elements of a complaint it determines to be confidential or business-sensitive.

This appears to be an anti-Max Schrems move, as the well-known Austrian lawyer and data protection campaigner whose name is attached to two significant CJEU decisions has drawn the ire of the DPC and Meta/Facebook for publicly discussing elements of his complaints. Meta/Facebook has its EU headquarters in Ireland, is on the Government lobby record and is overseen by the DPC.

The Department of Justice responded to vociferous national and international objections – including from Amnesty International, BEUC (the representative body for EU consumer rights organisations), and EDRi (the representative organisation for more than 40 European digital rights groups), insisting that the amendment was limited in scope and would not shut down all discussion.

But legal experts, including those at the Irish Council for Civil Liberties, have argued that the amendment is so broad and open to interpretation that it gives inappropriate powers with little accountability to a DPC already internationally criticised for a lack of transparency in its decisions.

Facebook owner granted stay on order that it suspend Europe-US data transfersOpens in new window ]

Court continues stay on decision that Meta must suspend EU-US data transferOpens in new window ]

As solicitor and director of Data Compliance Europe, Simon McGarr tweeted: “What is particularly striking is that the Dept of Justice is trying to deal with widespread – at a EU and even global level – criticism of DPC processes without addressing any of the things it is criticised for. Instead, it is looking to stifle complaints.”

Other EU national data protection officers have adjudicated on commercially sensitive issues involving global tech multinationals and have not found it necessary or appropriate to gag discussion. Doing so appears to be in conflict with GDPR complaint mechanisms and its focus on balance, proportionality and transparency. The amendment will undoubtedly be challenged here or in Europe.

But the damage to Ireland is already done by both State moves this week, regardless of whether the amendment had passed or been dropped.

In even proposing (and even worse, passing) such an amendment, and enacting the data retention order, Ireland has added to a decade of national legal stumbles in this extremely important and increasingly topical area of digital protection. It is to Ireland’s continuing shame and international embarrassment that the State remains so inept in implementing and enforcing data protection laws, especially when Ireland carries regulatory responsibility for the world’s most powerful data-gathering multinationals.