Joint Committee on Justice díospóireacht -
Tuesday, 5 Mar 2024

I welcome our witnesses. We have Mr. Jimmy Martin, adviser and former assistant secretary at the Department of Justice, and Ms Julie Dockry, assistant principal officer in the criminal justice legislation unit at the Department. The purpose of this session is to have a briefing on the general scheme of the criminal justice (protection, preservation of and access to data on information systems) Bill 2024. I will invite the witnesses to make their opening statement but before I do I must deal with some procedural matters. The witnesses are familiar with the format of these meetings. Some members are participating online and others are in the room. We will take the witnesses' briefing first and members may then have questions. I do not expect this to be a terribly long session but we will see what questions people have. I thank the witnesses for being available to have engagement with us.

I will briefly outline the position regarding parliamentary privilege. Given the witnesses' position in-house, as it were, they are familiar with it but I will state it for the record. Witnesses and members are reminded of the long-standing parliamentary practice that they should not criticise or make charges against any person or entity by name or in such a way to make him, her or it identifiable or engage in speech that might be regarded as damaging to the good name of that person or entity. If their statements offend in such a manner, they may be directed to discontinue those remarks. I invite Mr. Martin to make his opening statement and update the committee on the Bill.

The primary purpose of the general scheme is to give effect to the outstanding provisions of the 2001 Council of Europe Budapest Convention on Cybercrime, known as the Budapest Convention, other than articles relating to the real-time collection and recording of data which are being looked at in the context of separate legislation by the Department.

The Budapest Convention is the main international instrument on cybercrime and has been given effect in almost 70 states, including all of the member states of the European Union other than Ireland. The majority of articles of the Budapest Convention have already been given effect in Irish law, mainly by the Criminal Justice (Offences Relating to Information Systems) Act 2017. The main new provisions of substance introduced by the scheme relate to preservation orders and production orders required by the Budapest Convention. They are addressed in heads 5 and 6 of the scheme. There are already statutory provisions to provide for access to records held on paper or computers. These existing procedures include search warrants and other court orders to make material available or orders to produce documents or provide information. These mechanisms are not comprehensive and were introduced at a time when most data was held either in paper form or on a particular computer in a known physical location and under the control of a person.

Data is still held in this way and these provisions are still required. However, most data, whether personal or business, is now held in the cloud under the control of multinational Internet service providers. Records held in this way may be temporarily broken up into multiple segments or shards and stored in different servers in different jurisdictions or moved to different servers in different geographic areas, depending on the availability at particular times of the day. This means that it is not viable to establish the physical location of the data as far as establishing jurisdiction is concerned. This has implications for some of the existing legal provisions. Furthermore, the role of multinational Internet service providers also complicates issues. The purpose of heads 5 and 6 is to provide a modern, comprehensive procedure to protect and access such data via preservation and production orders, which can be served directly to Internet service providers for the purpose of criminal investigations and prosecutions but subject to appropriate safeguards. Accompanying these measures are provisions to deal with admissibility of evidence and situations where information might be privileged, such as legal advice or journalist sources. The heads follow the requirements of the 2001 Budapest Convention, and the procedures set out also follow the most up-to-date template provided by the European Union regulation on European production and preservation orders for electronic evidence in criminal proceedings. This was adopted in July 2023 and will come into effect from 18 August 2026. I will come back to this regulation later.

The purpose of a preservation order is to preserve targeted data for a temporary period with a view to giving effect to a subsequent production order. It is temporary and does not allow any access to the data itself. To avoid confusion, I will explain the difference between the concept of data retention and a preservation order. The European Court of Justice has held that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating crime. In this context, data relates to the mass-storage of data that will be collected in the future. This scheme only relates to data already being stored as part of the services of an internet services provider on the date the court order is served on a service provider. It does not require the future storage of data yet to be generated. The preservation order provided for in head 5 requires temporary preservation of targeted data being held by the service provider on the date the order was served. It is normally for a period not exceeding 90 days.

Jurisdiction, as set out in head 6(2) for both preservation and reduction orders, is based primarily on where the person who has control or lawful access to the data is based, regardless of where the data itself is held. The term "person" includes a company.

I mentioned that the procedure is subject to appropriate safeguards. The Budapest Convention itself contains a number of safeguards that must be met and we sought and obtained legal advice that these are complied with. In addition, the scheme is intended to comply with EU data protection law and the Data Protection Act 2018. Also, we have initiated a formal consultation process with the Data Protection Commission to ensure that it has no issues. All orders under this scheme must be considered and determined upon by an independent judge. For example, in the case of a production order seeking traffic or content data, the judge must be satisfied that it relates to a serious criminal offence and that the issuing of the order is necessary and proportionate.

There are a number of other technical provisions outstanding from the Budapest Convention and these have been given effect by heads 4, 7A and 7B, and head 8 and 8A, which are all technical. In head 12, we refer to the EU evidence regulation on European production and preservation orders that I mentioned earlier. This EU evidence regulation forms part of the EU e-evidence package, which is a directive and regulation aimed at making it easier and faster for law enforcement and judicial authorities to obtain the electronic evidence they need to investigate and prosecute criminals. It will have direct effect in Irish law from August 2026. The regulation provides for an EU cross-border regime whereby law enforcement authorities in a given member state can request an order for data controlled by an Internet service provider based in another EU member state in the form of an European production and preservation order. It is a cross-border measure. While the EU regulation will have direct effect in Ireland, Ireland must designate an Irish authority competent to issue European production orders. To ensure consistency for both practitioners and Internet service providers based in Ireland, it was decided that the procedures to be followed for obtaining a domestic production order should mirror those required for a European order.

Head 12 identifies the Irish authority, namely, designated District Court judges, that will issue European production and preservation orders sought by Irish competent authorities, such as An Garda Síochána, in respect of data held by Internet service providers based elsewhere in the European Union. It is also worth noting that there are other measures to be implemented to give full effect to the e-evidence package, particularly the designation of an enforcing authority that can raise grounds for refusing a European production order from another member state, as well as a designation of a central authority. This will be addressed by legislation in due course.

Finally, head 13 relates to measures under the European Union regulation on addressing the dissemination of terrorist content online. This regulation provides a mechanism for the issuing of EU-wide orders requiring service providers that host online content to remove terrorist content within a short timeframe. The regulation came into effect on 7 June 2022 and as an EU regulation, it has direct effect in Irish law. An Garda Síochána has been designated as the competent authority to issue removal orders. The regulation also requires the designation of a national body to oversee the imposition of sanctions for non-compliance and the Attorney General has advised that primary legislation is required to give the necessary powers to a national body to issue such financial penalties. The Government has decided that Coimisiún na Meán should be designated as a national body for Ireland. The scheme proposes to amend the Online Safety and Media Regulation Act 2022, which amends the Broadcasting Act 2009, to provide us with the necessary powers after which formal designation will take place. Until the necessary amendment is made, Ireland will not be in full compliance with our EU obligations.

I thank Mr. Martin. There are a few members participating online, however, if no member wishes to speak first, I will ask a question.

My first question is a general one on something Mr. Martin has somewhat touched on. I presume he is talking about the European Court of Justice as to how the EU law precludes the general and indiscriminate retention of traffic and location data. Is Mr. Martin referring to the Graham Dwyer case?

Therefore, that is where this is coming from. It may or may not be related to this but it is certainly relevant. Last year, we processed a Bill introduced by the Minister to address ruling effectively. This committee was a little bit uncomfortable with the pace of that Bill, which progressed rapidly through this committee and the Houses. We felt - and indeed this point was made in our report and in the committee and in the Chamber by me and other members of the committee - that while we accepted there was a desire by the Minister at the time to put that through in a speedy fashion, we strongly recommended that it would be revisited at the earliest opportunity because we felt it was imperfect, to put it diplomatically. Does this Bill go in any way towards addressing that? Would there be an opportunity to include some measures in this that would address some of those concerns?

There is a certain overlap. This Bill deals with subscriber ID traffic data and content. The Act the Chair referred to only dealt with subscriber ID and traffic content. We will be providing a new method of accessing that data. In ours, we deliberately exclude data where the Minister has made an order to retain it for security reasons. While the 2022 Act dealt with that retention for security reasons and dealt with criminal, we are just dealing with criminal and not security. We provided specifically that we cannot access data that is being held on the basis of an order for security only.

It is to ensure that we are not overlapping. The courts allowed data to be retained for national security reasons. To ensure that, for example, the Garda does not access data that would not be there if it was not it being retained for national security reasons, we have specifically excluded. The security side of the Garda would be able to access data related to national security that is ordered to be retained but it will not be able to access it for the purpose of a criminal investigation and a criminal prosecution.

I refer to the point that emerged during those hearings and which Mr. Martin has explained to us again today. I understand where he is coming from, in that his hands are tied to a large extent, but it strikes me that it would be far better legislation at European level and domestically as a result if it included both national security and serious crime. It would be far more robust and useful to our law-and-order authorities.

That concludes our scrutiny. It was a short session, but it was important for us to hear the rationale and have some engagement on it and allow members an opportunity. Whether they want to take it up or not depends on the day. This place is busy, as Mr. Martin will understand.

I thank Mr. Martin and Ms Dockry for being available today. I am sure we will have them in again for another session.