Complaint to European Commission over Irish Interception Laws

You might have noticed that we think that Irish data retention laws are an invasion of our privacy. Unfortunately Irish law on interception of communications also fails to protect our privacy – and for that reason we’ve lodged a formal complaint with the European Commission, pointing out that Irish law doesn’t meet European standards and asking that they require the Irish government to introduce adequate protections. Read on for more details and to see what you can do to help.

What’s the difference between data retention and interception? While data retention focuses on traffic data – who called whom, when, where the mobile phone was, etc. – interception deals with attempts by the state or private parties to monitor the contents of communications – to listen in on telephone calls, read emails, and so on.

Interception is controlled to a limited extent by Irish law – under legislation from 1983 and a 1993 Act introduced after a scandal involving the Taoiseach and Minister for Justice illegally tapping journalists’ phones – but that law is now well out of date, and doesn’t meet the standards set out by European law in the 2002 e-Privacy Directive.

What’s wrong with the existing Irish law? There are two major limitations. First, it was introduced at a time when there were a limited number of players in the telecommunications market. As such, it applied initially to Telecom Éireann, and was extended to certain telecoms businesses operating under a licence or a general authorisation. It does not, however, apply to other businesses which don’t need an authorisation – which includes most online only businesses. Webmail, instant messaging or voice over IP, for example, would not be protected by the 1993 Act. Secondly, it applies only to messages which are “being transmitted” – something which appears to mean that e.g. the contents of a webmail inbox would not be protected.

As a result of these limitations, the protections of the 1983 and 1993 Acts – which make interception a criminal offence, require a warrant from the Minister for Justice before interception can be carried out by the police, and provide for judicial oversight – simply do not apply to a wide range of online communications. This lack of legislative control appears to be a relatively clear breach of the e-Privacy Directive, which requires states to “prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so … [by] legislative measures [which are] necessary, appropriate and proportionate within a democratic society”.

In short, we think that Irish law doesn’t adequately protect the privacy of your online communications – and hopefully the European Commission will require the Government to introduce adequate protections. If you agree, you can support the complaint by contacting the Minister for Justice (Email: minister@justice.ie, Fax: 01 661-5461, Snail Mail: 94 St. Stephen’s Green, Dublin 2) and asking him to extend Irish interception law to adequately protect online communications and meet our European obligations. You can also email the Commission at InfsoB2@ec.europa.eu, referring to our complaint and indicating that you are also making a formal complaint that Irish law on the interception of communications is not in compliance with Art. 5 of the ePrivacy Directive.

(Update: 16.06.09 – The European Commission has now replied, indicating that it is now investigating this matter under reference 2009/4368, SG(2009) A/4871. You might include this reference if writing to support us.)

For those of you who can’t get enough legalese, the full text of our complaint is below:

Dear Mr. …

The purpose of this letter is to outline how Ireland has failed to implement Article 5 of Directive 2002/58/EC.

As you know, Article 5.1 provides that:

“Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.”

When implementing the Directive, it was the view of national authorities that Article 5.1 was already adequately provided for in Irish law by section 98 of the Postal and Telecommunications Services Act 1983 in combination with the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993. See the comments of the Department of Communications, Marine & Natural Resources in their Guidance Notes on the Transposition into Irish Law of EU Directive 2002/58/EC. (29 July 2003) Since transposition, Part 7 of the recent Criminal Justice (Terrorist Offences) Act 2005 has also become relevant.

Between them, these pieces of domestic legislation do partially cover the requirements of Article 5. However, the scope of this legislation is limited and there are several situations which appear to fall within Article 5 but which would not be covered by Irish law. Three points in particular stand out:

* Section 98 applies only to messages being transmitted by persons who hold a general authorisation. Messages transmitted by other persons are not protected. Thus, it would appear that email sent via a webmail service such as Gmail would not be covered; nor would calls on VOIP services such as Skype.

* Section 98 applies only to messages “in the course of transmission”. Again using the example of a webmail service, it would appear that the stored contents of a person’s inbox would not be in transmission and thus would not be covered (perhaps depending on whether they had been read by the recipient).

* The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 regulates police interceptions of telecommunications messages, but again only where those messages are being transmitted by persons who hold a general authorisation. Consequently, the safeguards created by that Act (including judicial oversight) do not apply to other police interceptions.

I propose to outline briefly the Irish legal framework and to consider in more detail the places where Irish law falls short of the requirements of Article 5.

Persons to whom Irish interception law applies

Irish law on interception of telecommunications messages is contained in section 98 of the Postal and Telecommunications Services Act 1983 which prohibits interception and disclosure of telecommunications messages. That section, as originally enacted, applied only to the interception of messages being transmitted by the then state monopoly, Telecom Éireann.

With the advent of deregulation, section 98 was extended to cover other licensed operators (the Postal and Telecommunications Services (Amendment) Act, 1999, section 7). Subsequently, with the introduction of a general authorisation framework, the provisions of section 98 were extended to any person operating under a general authorisation (Regulation 4(8) of the European Communities (Electronic Communications Networks and Services)(Authorisation) Regulations 2003).

However, this limitation of section 98 to messages being transmitted by persons operating under a general authorisation would appear to present a problem. There may be situations where telecommunications messages are being transmitted by means of a public communications network or through a publicly available telecommunications service, where that network or service is not being operated under a general authorisation. Webmail and VOIP services would appear to fall into this category. Accordingly, messages transmitted by such services do not appear to be protected against interception under Irish law.

In particular, there is no offence to address the situation where a private individual intercepts messages being transmitted by such a service, or where the proprietor of such a service improperly discloses such messages.

Restriction to messages in the course of transmission

Section 98(1) (as extended) provides:

“A person who-
(a) intercepts or attempts to intercept, or
(b) authorises, suffers or permits another person to intercept, or
(c) does anything that will enable him or another person to intercept,
telecommunications messages being transmitted by [a person deemed to be authorised under the Authorisation Regulations] or who discloses the existence, substance or purport of any such message which has been intercepted or uses for any purpose any information obtained from any such message shall be guilty of an offence.” (emphasis added and text changed to reflect extension of s.98 to other operators)

The reference to telecommunications messages being transmitted suggests that stored messages, such as voicemail messages, or a webmail inbox, would not be protected by section 98. (It might be said that such messages are “being transmitted” until the point at which they are initially accessed – however, once accessed it would seem more difficult to argue that they are still being transmitted.) This limitation appears to be incompatible with Art. 5 of Directive 2002/58/EC which applies to “communications” (as defined in Art. 2) generally. Indeed, Art. 5 would be significantly undermined if messages in storage were excluded.

Regulation of police interception of telecommunications messages

The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 sets out the Irish law on police interception of telecommunications. Under section 2, an authorisation to intercept the contents of communications can only be given by the Minister for Justice. Sections 4 and 5 set out conditions which must be satisfied before an authorisation can be granted. For example, section 4 provides (in respect of the investigation of crime) that:

“The conditions referred to in section 2 of this Act in relation to an interception for the purpose of criminal investigation are-

( a ) (i) that-

(I) investigations are being carried out by the Garda Síochána, or another public authority charged with the investigation of offences of the kind in question, concerning a serious offence or a suspected serious offence,

(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, either or, as the case may be, both of the following, that is to say:

(A) information such as to show whether the offence has been committed or as to the facts relating to it,

(B) evidence for the purpose of criminal proceedings in relation to the offence,

and

(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information or evidence) in providing information, or evidence, such as aforesaid,

or

(ii) that-

(I) in the case of a serious offence that is apprehended but has not been committed, investigations are being carried out, for the purpose of preventing the commission of the offence or of enabling it to be detected, if it is committed, by the Garda Síochána or another public authority charged with the prevention or investigation of offences of the kind in question,

(II) investigations not involving interception have failed, or are likely to fail, to produce, or to produce sufficiently quickly, information as to the perpetrators, the time, the place, and the other circumstances, of the offence that would enable the offence to be prevented or detected, as the case may be, and

(III) there is a reasonable prospect that the interception of postal packets sent to a particular postal address or of telecommunications messages sent to or from a particular telecommunications address would be of material assistance (by itself or in conjunction with other information) in preventing or detecting the offence, as the case may be,

and

(b) that the importance of obtaining the information or evidence concerned is, having regard to all the circumstances and notwithstanding the importance of preserving the privacy of postal packets and telecommunications messages, sufficient to justify the interception.”

This section provides important safeguards: interception is restricted to serious offences, investigation other than interception must be inadequate, interception is restricted to messages sent to or from a particular address, thus ruling out indiscriminate monitoring of traffic and “fishing expeditions”, and interception must, in the circumstances, be proportionate.

Section 8 of the Act then creates a judicial power of oversight over the interception system, while section 9 creates a complaints procedure for persons who allege that interceptions have been improperly carried out.

The 1993 Act is, however, limited to “interceptions” which would (if not authorised) amount to an offence under section 98. (See the definition of “interception” in section 1.) Consequently, the 1993 Act has no application to interceptions falling outside section 98. It follows that any interception by the police of, for example, emails transmitted by a webmail service will not be regulated by the provisions of section 98 and will escape regulation by Irish law – the section 98 safeguards, including proportionality, judicial oversight and the complaints procedure, will not be available.

This would appear to breach Article 15.1 of Directive 2002/58/EC. Article 15.1 specifies that any restriction by Member States of the rights and obligations provided for in Article 5 must be by way of “legislative measures” which are “necessary, appropriate and proportionate within a democratic society”. However, interception of emails in the circumstances I have outlined would appear not to be governed by any legislative measure, much less one which can be assessed as necessary, appropriate or proportionate. The unfettered discretion which this would appear to confer on the police would therefore appear to be incompatible with the Directive.

In summary, it appears that Irish law has not been properly updated to take account of the requirements of Article 5 of Directive 2002/58/EC, and I would respectfully ask that the Commission investigate whether Ireland has failed properly to implement this Directive.