
The New European Law of Surveillance: Implications for Ireland as a Data Hub
Dr TJ McIntyre, Digital Rights Ireland and
UCD Sutherland School of Law
ICEL, Dublin, 1 July 2016

Outline
After Snowden, we can see
the emergence of a new
European law of surveillance
in cases such as Digital Rights
Ireland, Schrems and Zakharov
Ireland has become a key
location for data storage
but Irish laws have not kept
pace with European
developments
This talk will discuss the state
of Irish law and implications
for privacy rights of users
worldwide

CC BY-SA 2.0 Brian Robert Marshall

Significance
of Ireland?
EMEA headquarters/key
offices/data centres of
many internet firms
Google, Facebook,
Yahoo, LinkedIn,
Microsoft, Twitter, Apple
Increasingly so following
collapse of Safe Harbor
(and also Brexit?)

Irish law affects 100s of
millions of users
worldwide

Image from Newenham, ed., Silicon Docks (2015)

Ireland already finding it
difficult to meet growing MLAT
requests for user data

Department of Justice, Ministerial briefing document (2016)

Quite by accident,
Ireland has become
a central if reluctant
participant in the
international
surveillance debate

Where are
surveillance
standards
adjudicated?

Court of Justice of the EU:
Charter of Fundamental Rights, e-Privacy Directive, Data Protection
Directive / GDPR / Law Enforcement Data Protection Directive

European Court of
Human Rights:
ECHR

National Courts:
Domestic constitutions, EU norms, ECHR

What do those
surveillance
standards require?

Foreseeability, controls on
downstream use, deletion
Weber and Saravia v. Germany (2006)
In its case-law on secret measures of surveillance, the Court
has developed the following minimum safeguards that should
be set out in statute law in order to avoid abuses of power:
the nature of the offences which may give rise to an interception
order;
a definition of the categories of people liable to have their
telephones tapped;
a limit on the duration of telephone tapping;
the procedure to be followed for examining, using and storing the
data obtained;
the precautions to be taken when communicating the data to
other parties;
and the circumstances in which recordings may or must be erased
or the tapes destroyed.

Adequate and effective
guarantees against abuse,
including remedies for abuse
Uzun v. Germany (2010)
Adequate and effective guarantees against abuse
determined by:
all the circumstances of the case, such as the nature, scope and
duration of the possible measures, the grounds required for
ordering them, the authorities competent to permit, carry out and
supervise them, and the kind of remedy provided by the national
law

Case C-362/14 Schrems (2015)
Likewise, legislation not providing for any possibility for an
individual to pursue legal remedies in order to have access to
personal data relating to him, or to obtain the rectification or
erasure of such data, does not respect the essence of the
fundamental right to effective judicial protection, as enshrined
in Article 47 of the Charter.

Possibility of notification
after surveillance
Klass v. Germany (1978)
Notification is strongly desirable: there is in principle little
scope for recourse to the courts unless the individual is
advised of the measures taken without his knowledge and thus
able retrospectively to challenge their legality.

Association for European Integration and Human Rights and
Ekimdzhiev v. Bulgaria (2007)
as soon as notification can be made without jeopardising the
purpose of the surveillance after its termination, information
should be provided to the persons concerned
National laws contrary to Article 8 & Article 13 (right to
effective remedy) where they didn't provide for notification
and expressly prohibited any disclosure of information
whether a person was subject to surveillance

Possibility of notification
after surveillance
Zakharov v. Russia (2015)
The fact that persons concerned by secret surveillance
measures are not subsequently notified once surveillance has
ceased cannot by itself warrant the conclusion that the
interference was not necessary in a democratic society, as it
is the very absence of knowledge of surveillance which ensures
the efficacy of the interference.
As soon as notification can be carried out without
jeopardising the purpose of the restriction after the
termination of the surveillance measure, information should,
however, be provided to the persons concerned.
Availability of an inquisitorial remedy may suffice as an
alternative (citing Kennedy v. UK)

Judicial
authorisation/oversight
Klass v. Germany (1978)
Judicial authorisation and supervision preferable
Other supervisory bodies permissible if independent of the
authorities carrying out the surveillance, objective and
vested with sufficient powers and competence to exercise an
effective and continuous control

Kennedy v. United Kingdom (2010)
Accepted executive (ministerial) authorisation of phone
tapping where the totality of the oversight system provided
adequate safeguards against abuse.
Significant that the Investigatory Powers Tribunal system was
available to any person and could provide a remedy based on
an inquisitorial system

Judicial
authorisation/oversight
Joined Cases C-293/12 and C-594/12 Digital Rights Ireland
and Seitlinger (2014)
Data Retention Directive invalid as, inter alia,
Above all, the access is not made dependent on a prior review carried
out by a court or by an independent administrative body whose decision
seeks to limit access to the data and their use to what is strictly necessary
for the purpose of attaining the objective pursued and which intervenes
following a reasoned request of those authorities

Szabo & Vissy v. Hungary (2016)
Rejects political authorisation in cases of mass surveillance:
Given that the scope of the measures could include virtually anyone,
that the ordering is taking place entirely within the realm of the
executive and without an assessment of strict necessity, that new
technologies enable the Government to intercept masses of data
easily concerning even persons outside the original range of operation,
and given the absence of any effective remedial measures, let alone
judicial ones, the Court concludes that there has been a violation

Direct access to networks is
disfavoured
Zakharov v. Russia (2015)
the requirement to show an interception authorisation to
the communications service provider before obtaining
access is one of the important safeguards against abuse
by the law-enforcement authorities
a system, such as the Russian one, which enables the
secret services and the police to intercept directly the
communications of each and every citizen without requiring
them to show an interception authorisation to the
communications service provider, or to anyone else, is
particularly prone to abuse.

Protection of journalists'
sources
Telegraaf Media v. Netherlands (2013)
Surveillance (seizure of records) to identify journalists' sources
requires prior review by an independent body with the power
to prevent or terminate it
review post factum, whether by the Supervisory Board, the
Committee on the Intelligence and Security Services of the
Lower House of Parliament or the National Ombudsman,
cannot restore the confidentiality of journalistic sources once it
is destroyed.
The Court thus finds that the law did not provide safeguards
appropriate to the use of powers of surveillance against
journalists with a view to discovering their journalistic sources.
There has therefore been a violation of Articles 8 and 10 of the
Convention.

Restrictions on bulk
collection
Weber & Saravia v. Germany (2006)
Strategic monitoring acceptable subject to adequate
safeguards against abuse

Case C-362/14 Schrems (2015)
legislation permitting the public authorities to have access on
a generalised basis to the content of electronic
communications must be regarded as compromising the
essence of the fundamental right to respect for private life, as
guaranteed by Article 7 of the Charter

Szabo & Vissy v. Hungary (2016)
Expresses serious concern about indiscriminate capturing
of vast amounts of communications.

Does Irish law meet
those standards?

Context: No separate
intelligence agency
National security is primarily a police responsibility
Blurred lines between criminal and national security
investigation
E.g. dissident republican fundraising

No general legislative basis for intelligence gathering /
sharing with other states
Police force is responsible only to Minister, not Policing
Authority, in relation to security services
Data protection law including role of DPC does not apply
to personal data which Minister certifies is kept for the
purpose of safeguarding the security of the State
No parliamentary oversight of intelligence

Four types of surveillance
regulated:
1. Interception of communications
Interception of Postal Packets and Telecommunications
Messages (Regulation) Act 1993
Limited to authorised undertakings (essentially, traditional
telecoms providers)
2. Data Retention
Communications (Retention of Data) Act 2011
3. Surveillance devices (covert bugs, cameras)
Criminal Justice Surveillance Act 2009
4. Tracking devices (GPS trackers on cars, containers)
Criminal Justice Surveillance Act 2009

Not regulated by statute:
Access to stored communications (e.g. webmail)
Use of malware (government Trojans)
Irish Defence Forces recently attempted to purchase malware
from Hacking Team firm; no legal basis for use
Use of open source information (e.g. data mining of social
media)
Use of informants / undercover police
Remote searches (e.g. use of computer in Ireland to access
information held in cloud elsewhere)
Cf. s.48, Criminal Justice (Theft and Fraud Offences) Act, 2001

Criteria for surveillance?

Interception of communications: Investigation of serious offences or threat to
security of the state*; other investigations
insufficient; proportionality test (ss.4,5)

Data retention: Investigation of serious crime or threat to
security of the state*; saving of human life (s.6).
No proportionality test.

Surveillance devices (covert bugs, cameras): Necessary for investigation of arrestable
offences, maintaining security of the state*;
proportionality test (ss.4,5)

Tracking devices: Ditto (s.8).

* State security not further defined

Serious crime includes e.g. simple theft

Prior judicial authorisation
required?

Interception of communications: No. Ministerial warrant only.

Data retention: No. Internal authorisation only.

Surveillance devices (covert bugs, cameras): Yes.
(Except in cases of urgency.)

Tracking devices: No. Internal authorisation only.

Notification after
surveillance?

Interception of communications: No.

Data retention: No.

Surveillance devices (covert bugs, cameras): No.
(S.10(3) permits regulations for notification but these were
never made.)

Tracking devices: No.
(S.10(3) permits regulations for notification but these were
never made.)

Protection for journalists'
sources?

Interception of communications: No.

Data retention: No.

Surveillance devices (covert bugs, cameras): No.

Tracking devices: No.

Protection for legal
privilege?

Interception of communications: No.

Data retention: No.

Surveillance devices (covert bugs, cameras): Yes.
(Only prohibits surveillance primarily targeting privileged
communications, s.5(4))

Tracking devices: N/A.

Protection for
parliamentarians?

Interception of communications: No.

Data retention: No.

Surveillance devices (covert bugs, cameras): No.

Tracking devices: No.

Controls on storage,
downstream use and sharing?

Interception of communications: Storage, sharing and use permitted to extent
necessary for the purpose of the prevention or
detection of serious offences or in the interests of
the security of the State (S.12)

Data retention: No.

Surveillance devices (covert bugs, cameras): Minimum 3 year retention, disclosure allowed to
any person for crime prevention, investigation,
prosecution or in interests of security of the
State. (Ss. 10, 13)

Tracking devices: Ditto.

Judicial
oversight?
Two separate designated
judge roles
Intercept/data retention
Surveillance & tracking
devices

One produces detailed
reports with statistics and
assessments of practice

The other, identical one-page reports


Both are part-time jobs of
busy judges with no
specialist support

See Digital Rights Ireland, Surveillance Library

Other surveillance
oversight?
Data Protection Commissioner audit of An Garda Síochána
(March 2014)

Examined access to retained communications data
Identified misuse of 2011 Act
Wrongfully used to make access requests to technology
companies not covered by it
Data access being made by junior gardaí and retrospectively
rubberstamped by Chief Superintendent

Once-off audit; no continuous supervision

Remedies?
Complaints Referee
Circuit Court judge
Investigates complaints in inquisitorial manner
Can direct payment of compensation
(Capped at €5,000 for surveillance and tracking devices)

May conceal finding of breach if in public interest to do so

No successful complaint to date

Complaint to Data Protection Commissioner
Subject to national security exclusion

Ordinary civil actions

Factors promoting
reform?

Some media pressure for
source protection

Technology firms seeking
change to Irish law

Data retention litigation
continues
Digital Rights Ireland continues before the High Court in
relation to domestic law

Davis & Watson will provide guidance on application of CFR
to national data retention laws
AG's Opinion due 19 July

Recent gangland murders
may finally prompt action

What should reform look
like? Preliminary thoughts
Abolition of generalised data retention
Independent judicial authorisation of surveillance measures,
applying proportionality test
Notification provisions introduced
Stored communications given same protection as those in
transit
Designated judge roles merged into a judicially chaired
oversight body with specialist expertise
Oversight extended to downstream use (especially sharing)
of surveillance information
Greater cooperation between surveillance oversight body
and DPC

Background reading
T.J. McIntyre, "Judicial Oversight of Surveillance: The Case
of Ireland in Comparative Perspective", in Judges as
Guardians of Constitutionalism and Human Rights, ed. Martin
Scheinin, Helle Krunke, and Marina Aksenova (Cheltenham:
Edward Elgar, 2016).

T.J. McIntyre, "Implementing Information Privacy Rights in
Ireland", in Implementing Human Rights in Ireland, ed.
Suzanne Egan (Dublin: Bloomsbury Academic, 2015).

T.J. McIntyre and Alexandrine Pirlot de Corbion, The Right
to Privacy in Ireland: Stakeholder Report for the Universal
Periodic Review 25th Session (Privacy International and
Digital Rights Ireland, 2015).

Thank you
Questions or comments?
DigitalRights.ie | TJMcIntyre.com | @TJMcIntyre
