Dr TJ McIntyre

The Communications (Retention of Data) (Amendment) Act 2022 — drawn up in response to the ruling of the Court of Justice of the European Union (CJEU) in the Graham Dwyer case — and related regulations came into operation on Monday.

Yesterday evening, justice minister Helen McEntee confirmed that the government had obtained a High Court order under the Act requiring telecommunications service providers to retain certain data — including user, traffic and location data — for a period of 12 months for the purpose of safeguarding the security of the State.

Under section 3A of the Act, the general and indiscriminate retention of data is permissible to safeguard the security of the State, and where an order of a designated judge of the High Court has been made. Access to retained data is subject to judicial authorisation.

The application, as required by section 3A(3), was made on an ex parte basis and was heard in camera.

Mrs McEntee said: “I made an application for an order having assessed the threat to the security of the State and having satisfied myself that there exists a serious and genuine, present or foreseeable threat to the security of the State and that such threat is likely to continue for at least the next 12 months.

“In doing so I had regard to the necessity and proportionality of the retention of the data concerned and took account of the impact on the fundamental rights of individuals as required.

“The 2022 Act was developed in light of important European Court of Justice rulings in this area and the provisions under which I applied for this order reflects the case law of that court.”

However, Dr TJ McIntyre, an associate professor at UCD Sutherland School of Law and chair of Digital Rights Ireland, told Irish Legal News that the government’s failure to properly notify the European Commission during the legislative process represents a “fatal flaw” in the 2022 Act.

“The 2022 Act has to be treated as of no legal value,” he said. “You can’t have a measure that’s supposed to authorise mass surveillance of the entire population, and be the basis for criminal investigations and prosecutions for years to come, where its foundation is so uncertain. It’s grossly irresponsible to do that.

“The 2022 Act needs to be repealed and proper legislation put in place that actually complies with the law.”

He pointed out: “The Supreme Court and the CJEU have confirmed that the past 20 years of data protection practice in Ireland have been illegal and have been contrary to fundamental rights, and it’s striking that the Department of Justice hasn’t acknowledged this or apologised for it in any way.”

Dr McIntyre also warned of a “lack of transparency in this whole procedure”, noting that the government’s decision to seek a High Court order was made “behind closed doors, without any consultation with the data protection commissioner, with civil society, or with the industry” and with no detail on the supposed national security threat.

“It seems astonishing to me that you can turn up in the High Court on a Monday morning with some unknown bundle of papers and leave the High Court later that day with an order for mass surveillance of the entire population,” he said.