Surveillance and interception of data.
The digital recording of images greatly enhances the possibility for surveillance. CCTV cameras have become common in many public locations. Mobile phone technology allows effective capture and transmission of live images and footage from Smartphones which can be immediately uplifted to the Internet.
Surveillance and tracking offers possibility of enhanced efficiency in policing. Surveillance of individuals in a private setting, prospectively breaches Constitutional personal rights including, in particular, the right to privacy. It is well established that evidence obtained in breach of constitutional rights is admissible, only if there are extraordinary excusing circumstances. The general provision by which illegally obtained evidence might be admitted at the discretion of the trial judge, does not apply.
It is possible in principle to have lawful surveillance, subject to appropriate protections and procedures. Some early cases involved intense surveillance and following by the Gardai. The courts have been willing to accept, that in some cases involving notorious suspects, that intense targeted surveillance may be permissible.
Data protection law applies to CCTV in so far as it is capable of identifying individuals. Accordingly, the CCTV must be processed lawfully, fairly and explicitly for legitimate purposes. The processing of CCTV must be for based on one the permitted purposes, including with consent, compliance with legal obligations, performance of a task carried out in the public interest in the exercise of official authority which balances the interest of the party affected.
Where data controller has information which would identify an individual, it is a personal data and is subject to the legislation as such. Where there is no information to hand which identifies the individual, there is no personal data. It becomes personal data at the point at which the data can be readily correlated so as to identify an living person. A person whose face is shown on CCTV may be identifiable, so that it constitutes personal data.
The data subject is entitled to information on what data is kept. He has rights to access and may object to the data process other than on grounds which are permitted in the Data Protection Act. He may object to automated decision-making. He may be entitled to prior notice of processing.
The Data Protection Commissioner has indicated that the user of CCTV should specify the purpose for which it is used. The user should ensure that it is obtaining personal data fairly. People should be aware that the system is in operation, the purposes for which it is used to and the identity of the person or entity who is responsible for it. There should be clear parameters to use in order to ensure that the information collected is adequate, relevant and not excessive in relation to the purposes.
Waiver of Privacy in Public
There is support for the proposition that the right of privacy is waived in a public place. The is a far reaching position and the better view is that personal or other intimate information about an individual is within the scope of the private life and privacy protected by the European Convention on Human Right and is likely to enjoy measure of protection, even in a public setting. Accordingly, it is likely that he may claim a reasonable expectation of privacy even in a public place.
It appears that the collection of CCTV data while walking in public streets does not constitute a breach of the ECHR right to privacy. However, if this data is then used in inappropriate mechanism, such as public broadcast, the right to privacy may be breached. The use of CCTV for a legitimate aim in a proportionate manner, appear to be consistent with the ECHR. If it is possible to achieve the legitimate aim by a means which does not compromise privacy, then this will be generally required.
Garda Licensing of Public Place CCTV
The Garda Commissioner is entitled, under the Garda Síochána Act 2005 to specify the areas within which, based on the information available to him, the installation of CCTV is warranted. The Commissioner may grant certain categories of CCTV licence. This does not apply to installation of CCTV on premises by the owner or occupier for the purpose of safeguarding the premises and its locality.
The licence may be granted to members of Garda Síochána, persons retained under a contract with the Garda Síochána Commissioner who meet certain criteria and to persons whose application for a specified area has been approved by the local authority after consulting with joint policing committee for that area. The authorisation must contain terms and conditions that are required.
The Garda Commissioner may make directions to authorised persons in relation to the installation and operation of CCTV. Authorisations may be revoked, the authorizations issued to local authorities for failure to comply with terms and conditions on the Commissioner’s direction. Failure to comply is a criminal offense subject to fine up to €2,500, six months imprisonment or both.
Community based CCTV
Community-based CCTV system has been the subject to a code of practice by local authorities. They must assure that signs are in place and that members of the public are aware that they are entering an area covered by the system. Images should not be retained for longer than necessary. It is contemplated in the case of tapes, that they be reused after 31 days, unless required for investigation or as evidence.
Copies may be made by the local authority, where the incident is serious and may lead to criminal proceedings, where formally requested by the guards, where the matter is proceeding to trail, where a request is received from the DPP, where the circumstance are such that replaying of the incident is required such as for witnesses or where a copy has been sought by the person affected.
Telecommunicaitons Surveillance I
The infamous cases of unlawful governmental phone tapping of journalists in the early 1980s resulted in High Court judgments to the effect that their Constitutional rights had been deliberately and consciously violated. The journalists were awarded substantial compensation against the State.
The Postal and Telecommunication Services Act, 1983 provides that a person is guilty of an offence, if he
- intercepts or attempts to intercept, authorises, suffers or permits another person to intercept or does anything that will enable him or another person to intercept, any telecommunication message transmitted by a licensed operator,
- discloses the existence, substance or purport of any such message which has been intercepted or
- who uses any such information.
Telecommunications Surveillance II
It is likely that these provisions apply to electronic communications. The restrictions on the interception and surveillance of telecommunications, apply to internet use. It is arguable that legislation is limited to authorised undertakings. Electronic communication networks and services are not subject to authorisation in all cases, in particular, where private networks are involved.
Modern 2017 legislation has provided for updated legislation on the interception of data. See the chapter on data offences.
The recording of telephone calls raises issues under Data Protection legislation. Consent is usually required. Where a party has a legitimate interest in recording a call, an explicit communication that the call is being recorded will be usually required.
Data Processing, Security and Criminal Law
Under both the Constitution and the European Convention on Human Rights, a person’s privacy is protected. Interference with the right may be permitted, where it is strictly necessary for justifiable security reasons and there are adequate guarantees and safeguards against abuse. The nature, scope and duration of the measures are relevant. There may be a conflict between fundamental right to privacy and what is necessary in the public interest in a democratic society.
The monitoring of personal telephone calls and communications, in the absence of legal authority which is properly and objectivity justified, is likely to be a breach of Constitutional rights. In a notorious case where the State tapped the telephones of two journalist, there was held to be a breach of their constitutional rights and they were entitled to damages, including exemplary damages.
It is likely that the installation of a listening device in a dwelling house would breach the Constitutional guarantee of the inviolability of the dwelling house, without strict prior process, most likely by way of a warrant. The warrant, if the courts were minded to grant it, would have to permit entry into a dwelling house, in order to install a listening device.
Justifying Interception and Surveillance
The interception of communications in the above circumstances is capable of being consistent with the European Convention on Human Rights, provided that there are substantive and procedural protections on the exercise of the powers. The laws must be sufficiently certain and accessible. The scope and manner of exercise of the discretion must be indicated. It must not be overly discretionary.
The courts accept that investigatory powers are necessary in a democratic society for the prevention of crime and disorder. There must be adequate and effective guarantees against abuse. The offences concerned must be sufficiently serious. There must be precautions and procedures. There must be time limits on duration of the orders, with provision for review.
Data processing operations concerning public security and the activities of the State in relation to criminal law are subject to special provisions under the Data Protection Act 2018. There is an exemption form the ordinary data rights in relation to processing personal data, which is required for preventing, detecting, investigating offenses, apprehending or prosecuting offenders. The exemption is likely to be strictly interpreted, as limited to systems which are directly concerned with public security and the operation of the criminal law.
State Interception I
The Interception of Postal Packets and Telecommunication Messages Act, 1993 provided procedures and process for the interception of such communications. The EU Directive on electronic communication networks and the Data Protection Act also apply to governmental interception of electronic and other communications.
Phone tapping and recording is interception for the purposes of the legislation. Interception by false means such as impersonating another is interception without consent. The consent is relative to the identity of the person concerned. The offence is subject on conviction on indictment to imprisonment up to five years and a fine.
Under the 1993 Act, a warrant may be granted by the Minister. Authorisation is permitted only for criminal investigations or in the interests of the security of the State. Interception is only permissible in certain limited circumstances. The offence must be serious. Investigations not involving interception must have failed or be likely to fail to produce sufficiently quickly, information that the offence has been committed or evidence for criminal proceedings.
There must be a reasonable prospect that the interception of the particular telecommunications would be of material assistance in providing information or evidence. The authorisation lasts for three months, which may be extended.
State Interception II
There is a complaints referee who may be a judge or legally qualified person. A person who believes that a communication sent to or by him, has been intercepted may apply to the referee for investigation. The referee may quash the authorisation and order the destruction of communications. He may recommend the payment of compensation.
A High Court judge may be designated to review the operation of the Act and reports to the Taoiseach. He may advise the Minister that a particular authorisation should not be given, in which event it must be cancelled. In some cases, the complaints referee may refer certain matters to the judge who has power to review authorisations and make consequential orders.
The Garda Commissioner may initiate procedures under the Criminal Justice Terrorist Offenses Act in order to retain telecommunications data. Generally, the telecommunications provider may not retain data for more than a particular period, save in limited circumstances.
When a senior Garda officer determines that the disclosure is necessary for the prevention, detection, investigation or prosecution of crime, (including terrorist offences) or for safeguarding the security of the State, a disclosure order may be served. Service providers must comply. The provisions for complaints referee apply.
EU Directive on Confidentiality and Interception
EU Directive 2002/58 requires States to preserve the confidentiality of electronic communications. The Directive and regulations apply to a wide range of networks and services, including, wire, wireless optical and electromagnetic networks.
The Directive provides that the interception of telecommunications messages must be prohibited, unless expressly authorised in accordance with minimum standards. The authorisation must be a necessary, appropriate and proportionate measure in a democratic society, in order to safeguard national security, defence, public security, the investigation, detection or prosecution of criminal offences or the unauthorised use of the electronic communication system.
It must be prominently displayed and easily accessible. It must set out and include the purpose of the processing. The subscriber must be offered the right to refuse its processing by the data controller.
A person aggrieved or affected by an unlawful interception of communications may apply to ComReg, which may seek a High Court injunction. The person affected may also seek an injunction or claim damages on their own behalf. They may also be entitled to invoke the Data Protection Act.
The Criminal Justice (surveillance) Act 2009 is designed to facilitate covert surveillance by An Garda Siochana the Defence Forces and the Revenue Commissioners in the prevention and detection of serious crime and in safeguarding the security of the State against subversion and terrorism.
The Act provides for the admissibility of evidence obtained by means of surveillance. It provides that such evidence, notwithstanding any error or omission on the face of an authorisation or a written record of approval, or notwithstanding any failure by any member/officer to comply with a requirement of an authorisation or written record, is admissible in certain defined circumstances.
The Surveillance Act provides for the creation of written records in all cases where surveillance is used. In most cases a prior authorisation for surveillance from the District Court will be required. Authorisations may be for a period of up to 3 months and are renewable on application. It will be possible in cases of urgency to undertake surveillance without an authorisation from the Court for a period of up to 72 hours, subject to strict conditions.
Provision is made in the Surveillance Act for a judicial mechanism for dealing with complaints, and for separate oversight of the operation of the Surveillance Act by a judge of the High Court.
Application for Authorisation to District Court
Only members/officers of a sufficiently high level in the Garda Siochana the Defence Forces or the Revenue Commissioners apply to the District Court for authorisations, on the basis of the statutory criteria. In each case, reasonable grounds must exist also for believing that the surveillance sought to be approved is the least intrusive means available, is proportionate from a rights perspective, and is for a period which is limited to its objectives.
The authorisation may be applied for to a District Court Judge on oath on a unilateral basis in private. The authorisation will be in writing and contain the relevant details. It will be valid for a period of up to 3 months, which is renewable or variable in accordance with the provisions of the Act.
The authorisation may allow the authorised member/officer, accompanied if necessary by any other person to gain entry to property for the purposes of surveillance. This may involve the use of such reasonable force as is necessary in the particular circumstances.
Where time is of the essence and the matter is urgent to prevent a person absconding to avoid justice, the possible destruction of evidence, or where the security of the State would likely be compromised. In such a case, a superior officer, as defined, in the relevant agency may give approval for surveillance on grounds connected with the issuing of an authorisation for a limited operational period of up to 72 hours. If continued surveillance is required, an authorisation is required from a judge of the District Court.
The use of tracking devices, a less intrusive form of surveillance, is also regulated by the Surveillance Act and is subject to prior written approval by a superior officer. Provision is made for internal organisation level approvals for the use of tracking devices for a maximum period of 4 months.
Judicial authorisations are not required for their use, but the approval of a superior officer is necessary based on the qualifying criteria set out in the Surveillance Act. The Surveillance Act requires that written records and reports have to be maintained in these cases.
The Minister for Justice, Equality and Law Reform may, in the interests of privacy and other rights, make Regulations prescribing a period of less than 4 months for the use of tracking devices, or for different periods for different purposes.
Records and Confidentiality
The Surveillance Act provides for the retention for specified periods of all official documents relating to authorisations for surveillance, reports, written records of approval sanctioning surveillance in urgent cases, the use of tracking devices and surveillance.
There is provision for the secure storage of, and authorised access to, information and documents generated as a result of the carrying out of surveillance, to protect privacy and other rights.
The Minister for Justice, Equality and Law Reform in the case of the Garda Sıochana, the Minister for Defence in the case of the Defence Forces and the Minister for Finance in the case of the Revenue Commissioners may make Regulations in this regard insofar as their respective functional areas are concerned.
The Act prohibits the disclosure of any information about the operation of the Surveillance Act, unless it is made to an authorised person, as defined, and it is connected with specified criteria. The provisions apply both to members/officers of the agencies concerned, as well as to persons engaged on contract work. It also applies to persons generally.
Oversight and Complaints
A judge of the High Court to is appointed to oversee the operation of the main provisions of the Surveillance Act and to make regular reports to the Taoiseach in the matter. Such reports will be laid before both Houses of the Oireachtas.
There is a procedure for dealing with complaints where a person believes that they may be the subject of surveillance. In such cases, the matter will be dealt with by a Complaints Referee who is the judge of the Circuit Court who handles similar issues arising from the operation of the telephone interception legislation
In a case where there has been a contravention of the Surveillance Act, the Referee has the power to recommend payment of compensation up to €5,000. The matter may also be referred to the Garda Siochana Ombudsman Commission, the Minister for Defence or the Minister for Finance depending on the particular State agency concerned.
References and Sources
Data Protection Act 1988
Data Protection (Amendment) Act 2003
Data Protection Act 2018
Communications (Retention of Data) Act 2011
Criminal Justice (Surveillance) Act 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (An Garda Síochána) Regulations 2009, S.I. No. 275 of 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Revenue Commissioners) Regulations 2009, S.I. No. 290 of 2009
Criminal Justice (Surveillance) Act 2009 (Written Record of Approval) (Defence Forces) Regulations 2010, S.I. No. 80 of 2010
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (Official Journal L 8 of 12.1.2001, pp. 1-22)
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending (declared invalid by Court of Justice ruling, see below).
Directive 2002/58/EC (Official Journal L 105 of 13.4.2006, pp. 54-63)
Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009
Commission Regulation (EU) No 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (Official Journal L 173 of 26.6.2013, pp. 2-8).
European Communities (Directive 2000/31/Ec) Regulations 2003
European Communities (Electronic Communications Networks and Services) (Privacy and Electronic Communications) Regulations 2011, S.I. No. 336 of 2011
EU Data Protection Law Kelleher & Murray 2018
Information & Technology Communications Law Kennedy & Murphy 2017
Social Networking Lambert 2014
Law Society PPG Hyland Technology & Intellectual Property Law 2008
Information Technology Law in Ireland 2 Kelleher & Murray 2007
Data Protection Law in Ireland: Sources & Issues 2 Lambert 2016
Privacy & Data Protection Law in Ireland Kelleher 2015
Data Protection: A Practical Guide to Irish & EU Law Carey 2010
Practical Guide to Data Protection Law in Ireland A&L Goodbody 2003
Privacy and Data Protection Law in Ireland 2nd ed Denis Kelleher 2015
EU and UK Texts
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2016
Privacy and Legal Issues in Cloud Computing Privacy and Legal Issues in Cloud Computing Edited by: A. S. Y. Cheung, R. H. Weber 2015
Information Rights: Law and Practice Information Rights: Law and Practice 4th ed Philip Coppel 2014
Cloud Computing Law Christopher Millard 2013
Transborder Data Flow Regulation and Data Privacy Law (eBook) Christopher Kuner 2013
Consent in European Data Protection Law Consent in European Data Protection Law Eleni Kosta 2013
A User’s Guide to Data Protection A User’s Guide to Data Protection Paul Lambert 2013
Confidentiality (Book & eBook Pack) Confidentiality 3rd ed The Hon Mr Justice Toulson, Charles Phipps 2012
Binding Corporate Rules: Corporate Self-Regulation of Global Data Lokke Moerel 2012
Property Rights in Personal Data: A European Perspective Property Rights in Personal Data: A European Perspective Nadezhda Purtova 2011
Global Employee Privacy and Data Security Law 2nd ed Morrison & Foerster LLP 2011
Computers, Privacy and Data Protection: An Element of Choice Computers, Privacy and Data Protection: An Element of Choice Edited by: S. Gutwirth, Y. Poullet, P. De Hert, R. Leenes 2011
Information Rights: Law and Practice Information Rights: Law and Practice 3rd ed Philip Coppel 2010
Data Protection: Legal Compliance and Good Practice for Employers Data Protection: 2ed Lynda Macdonald 2008
The Law of Personal Privacy David Sherborne, Mark Thomson, Hugh Tomlinson Due August 2019
Tort Law and the Protection of Privacy John Hartshorne April 2019
The Privacy, Data Protection and Cybersecurity Law Review The Privacy, Data Protection and Cybersecurity Law Review 5th ed Edited by: Alan Charles Raul 2017
International Cybersecurity and Privacy Law in Practice International Cybersecurity and Privacy Law in Practice Charlotte A. Tschider 2017
Determann’s Field Guide to International Data Privacy Law 3rd ed Lothar Determann
The Law of Privacy and The Media 3rd ed Edited by: Nicole Moreham, Mark Warby 2016