Controversial rule allows gardaí to access three years of telephone, mobile and fax data even for the most minor offences, writes Karlin Lillington

Revelations by the Data Protection Commissioner this week that gardaí can access three years of phone, mobile and fax data held under the State's controversial data retention legislation even for the most minor offences, has again raised business concerns about abuse of the system.

In the two-year run up to introducing data retention legislation last year, Minister for Justice Michael McDowell repeatedly stated access would be strictly controlled and specifically limited to investigations for the most serious criminal and terrorist offences.

However, according to the Data Protection Commissioner, Billy Hawkes, such restrictions have never been introduced here and the current legislation is worded to allow access to such data for any type of "crime". This means gardaí may legally examine call data even for a misdemeanour.

"Gardaí are allowed to access data for the most trivial situations," he says. He has called for new legislation to limit access to such data to serious criminal and terrorism investigations.

Accessing such data for any type of crime "should not be a first option for gardaí. Current legislation gives the opportunity to access phone records of perfectly innocent people," he says.

Hawkes gave the example of a cyclist in the Phoenix Park travelling without bike lights but seen talking on a mobile.

Because cycling without lights is a crime, gardaí could request the call records on every individual using a phone at that time within a wide radius of the Phoenix Park. Hundreds of innocent people's records could be examined, he says.

He says his office had learned that the gardaí were using the new data retention scheme "fairly extensively" and asking for hundreds of call records every month. He therefore asked for further detail on the range of requests.

While he says he has no reason to believe the records are being misused, he wants legislation to restrict access to such records.

Hawkes says that an incoming EU directive on data retention would require the Government to impose narrower limits on what call data can be used for. However, the directive also greatly widens the definition of data that can be held, from call data to internet and e-mail data as well.

In addition, McDowell has indicated he will challenge the EU directive in court because it would require the Republic to retain data for no longer than two years instead of the current three-year regime - one of the longest in the world.

Because call data is so revealing of an individual's location and activities, particularly because of the way in which mobile phones maintain a signal by constantly relaying data to area mobile masts, holding call data for long periods of time has been extremely controversial internationally.

Irish technology companies and lobby groups long opposed the introduction of data retention because they feared sensitive business and personal information could be leaked to third parties. Now they are alarmed at the way in which the regime is being managed here and the long-term effect such a regime will have on the Irish economy.

Last month, three of Ireland's top technology leaders, from three of the State's highest profile companies, warned that the Republic's data retention laws are set to seriously damage this State's business climate and competitiveness.

Joe Macri, managing director, Microsoft Ireland; Paul Riordan, managing director, Oracle Ireland; and Chris Horn, co-founder and vice chairman of Iona Technologies, all expressed deep concern at Irish data retention laws, which currently go beyond what is required by the EU.

Dr Horn said that law enforcement has legitimate concerns about tackling crime and terrorism and protecting citizens. But, he added: "Our society also has a right to protect itself from unwarranted personal intrusion by agencies of this State and those of other states.

In addition, businesses have a right, in particular, to protect themselves against accidental disclosure of commercially sensitive information and industrial espionage."

All three businessman had assumed that, as long indicated to the industry by McDowell, the existing data retention scheme only allowed access to call data for serious criminal investigations.

On learning that call data records may be accessed for any type of investigation, Kathryn Raleigh, director of ICT Ireland said: "The Irish ICT industry is committed to co-operating with law enforcement agencies to combat crime, consistent with legal requirements, as it has done successfully to date.

"There is, however, a need to ensure that the circumstances under which data can be accessed by An Garda Síochána is very clearly defined."

Both Riordan and Dr Horn have called for an independent body to oversee the use of warrants and requests for such sensitive data.

At the moment this process is observed only by a single, Government-appointed judge who is commissioned with producing an annual report.

In contrast to a similar process in the UK whereby a detailed report on all such requests is produced, including incidents in which warrants were wrongfully granted or in which telecoms operators accidentally handed over the wrong people's data, the Irish reports have never contained more than a single sentence noting that in the judge's opinion, the system was working properly.

TJ McIntyre, lecturer in law at UCD and chairman of civil rights group Digital Rights Ireland, says he does not believe the failure by government to limit existing data retention legislation to serious crime or terrorism was an accident, especially not when the Minister involved is himself a lawyer.

"On the contrary, it was very carefully phrased to include as much as possible. They knew what they were doing." He says that contrary to Hawkes's belief, the incoming EU directive would not automatically limit the use of call, internet and e-mail data to serious criminal or terrorism investigations.

"The preamble to the directive directly refers to serious crime, but then the directive goes on to say it is without prejudice to member states using the data in other ways. It doesn't define serious crime, nor does it restrict access to serious crime."

He says the existing Irish data retention legislation is "the perfect example of mission creep," where laws are introduced supposedly to be used only in very restricted circumstances but encompass a much wider usage.

If the Minister challenges the EU directive, expect at least an 18-month delay during which the current regime will remain in place, he says.

Instead, McIntyre says the Dáil should move immediately to introduce limitations on the existing data retention scheme to serious crime, which already applies to phone-tapping requests.

It should also ensure the legislation is proportional to the circumstances it is addressing, especially for the length of time any data is held.

Gardaí should have to work through a checklist of actions before access to such data would be considered, even in a serious investigation.

McIntyre agrees with Dr Horn and Riordan that a proper system of external scrutiny is needed to oversee data retention and other forms of surveillance of Irish citizens, such as CCTV (closed circuit television systems). McIntyre also notes that most of these points were made 10 years ago in a report to Government from the Law Reform Commission.

"We have seen that the Government can move quite quickly when it wants to restrict civil liberties. But for a decade, they have done precisely nothing with the Law Reform Commission report," he says.