NET RESULTS:Why wait for a decision to be made at EU level? The Government should redraft proposed legislation on data retention now, writes KARLIN LILLINGTON

IRELAND’S DATA-retention law looks increasingly like it may be on the ropes, and it is becoming ever-more difficult to justify.

A serious body blow came last week from the success of a High Court challenge by privacy advocate Digital Rights Ireland to the underlying principle of Ireland’s current data retention- law. The ruling also has implications for fresh legislation now before the Oireachtas.

The decision was groundbreaking. It was the first time that the equivalent of a class-action suit was allowed in the courts in Ireland.

But even more important is why it was allowed: the court agreed that the case involved fundamental issues of privacy.

As Digital Rights Ireland has argued, a 2006 EU directive on data retention raises the question of whether a state should be allowed to impose a regime of mass surveillance on its entire population without any evidence of wrongdoing, on the basis that someone might do something wrong in the future.

Such an approach to security is a significant departure from long- standing democratic principles and legal fundamentals – that a person is innocent until proven guilty and evidence is gathered in the prosecution of an actual case, not assembled for everyone on the off-chance that it might be useful in the future.

The High Court agreed that these issues needed to be considered at the highest level in the EU. This means the EU directive will now come under the scrutiny of the European Court of Justice.

Digital Rights Ireland, represented by McGarr Solicitors, will argue that data retention being imposed in this way is repugnant to human and civil rights granted to all European citizens.

The EU directive was a contentious issue in the European Parliament. When it was passed, privacy advocates and many MEPs indicated that they felt the issue would go to the European courts eventually.

Three EU countries – Germany, Hungary and Romania – have successfully challenged the imposition of data retention at state level. From an EU perspective, the strongest of these cases was in Germany, in its constitutional court.

However, legal experts say a challenge is needed at European level to decide whether the entire concept of holding information for long periods, in many cases beyond the six-month framework allowed under Europe’s data protection laws, is acceptable.

The fact that the Irish Human Rights Commission made the unusual move of coming in on the Digital Rights Ireland case as a friend of the court – indicating agreement that this issue affected the entire Irish population and had serious human rights ramifications – must have added significant weight to the High Court’s decision.

So what happens now? It could be up to two years before the case is heard at EU level. When it is heard, there are compelling arguments to be made to justify throwing out the data retention directive. And, of course, there is national case law indicating that the same issues are raising concerns at state level.

In addition, a newly leaked EU report from an expert group that gathers information from each state on its implementation of data retention offers evidence that 85 per cent of data requests continue to be made for data gathered within the six-month period, with the majority of these made within three months.

The document also indicates that the majority of states consider the directive to be a piece of “failed harmonisation”, which does not create a level playing field for law enforcement or private industry, because of different retention periods and approaches to managing costs.

The High Court result for the Digital Rights Ireland case and the leaking of this data-retention report are timely, as the Dáil is debating a new Irish implementation of the EU directive: the Data Retention Bill.

How can any member of the Oireachtas continue to argue for periods of retention longer than six months when there is already widespread EU recognition, contained in the report, that longer periods are deeply problematic for business and human rights reasons and produce little or no concrete results to benefit citizens, law enforcement or the state?

It is ironic that, in the Dáil in recent weeks, our Government has voted to support the long periods of retention contained in the proposed Bill – in direct conflict with its stated aims to support an innovation economy.

That innovation economy concept is based on the very organisations that would be most affected by long data retention periods, which could hinder foreign investment and the growth of indigenous companies while placing cost burdens on our communications industry.

In addition, if the directive is overturned at European level, it would bring a challenge back to our national courts again, where it would be difficult to defend bringing in retention periods that Europe had determined were incompatible with human rights.

This means our legislation would be thrown out and a new Bill would need to be drawn up, debated and passed, a waste of taxpayers’ money and legislators’ time.

The only sensible approach is for the Oireachtas to reconsider this Bill right now and lower our retention periods to the six-month norm that exists in many EU countries. It can rest assured that, not only does this period fit with data protection legislation, but it is also adequate for law enforcement needs, going on the evidence provided by departments of justice across the EU in the leaked report.

Klillington@irishtimes.com

Blog: Techno-culture.com

Twitter: Twitter.com/klillington