The cost and complexity of new data legislation creates difficulties for new investors
AS THE implications of our recently enacted data retention legislation sink in, internet service providers – defined broadly – are beginning to express concern.
The Communications (Retention of Data) Act 2011, signed into law in January, does not merely target telecoms companies or conventional ISPs, say legal experts. Operators of cyber cafes, and any hotel or hostel that offers internet access to customers, are likely to fall under its remit.
Handlers of internet and e-mail data – including those who operate data warehouses – may now have obligations to store user data under this Act. Even people who run internet discussion boards fall into a grey area, depending on how they manage e-mail services for board members.
Data handlers must not only store, but maintain and manage data in such a way as to make it quickly accessible to law-enforcement agencies upon request and – in a move that has been questioned by privacy advocates such as Digital Rights Ireland – the Revenue service.
Doing so will generally involve software, employee and hardware costs. These could prove crippling to smaller service providers and cause hotels to question whether to offer internet access at all.
The Act is more or less a direct transposition of an EU directive on this complex, fraught and controversial issue. That little was done to consider the directive in an Irish–appropriate context, which would be the norm for any directive, is part of the cause for alarm.
For example, the Department of Justice decided to require operators to store two years of call data and a full year of internet usage information (internet access, internet e-mail and internet telephony data, excepting the content). Many other countries opted for lower periods.
Without doubt, this places Ireland at a competitive disadvantage in attracting many internet–centric companies at a time when foreign direct investment is important to the national economic recovery.
For existing companies, whether indigenous or multinationals, the fuzziness of the legislation can only create an uncertain and cumbersome environment in which to consider expanding services.
Ironically, it is precisely these areas that the State is supposedly trying to attract and in where there is a hot-bed of activity for start-ups.
The State also decided to leave unchanged the EU directive’s definition of an offence for which data can be requested – a crime punishable by imprisonment for a period of at least six months.
The State and its past ministers for justice have always proclaimed that data-retention legislation would only ever apply here to serious crimes – necessary to address terrorism, gangland crime and child pornography.
However, data-retention legislation which preceded the enactment of the January Act never placed any such restrictions on access. Under the previous legislation, which applied only to call data, requests could be made by the Garda on almost any ground. Thousands of requests were made within the first year.
Unfortunately, the current legislation remains equally open- ended because it fails to address the definition of “serious offence” in Irish law, according to barrister Ronan Lupton. He recently joined Alex French, chief executive of Wi-Fi provider BitBuzz, and Internet Service Providers Association of Ireland chief Paul Durrant, to brief journalists on the impact of the legislation.
The fact that a serious offence is defined as an offence with a sentence of fives years or more under Irish law, conflicts with the Directive and had given rise to fears that huge amounts of data will be requested for relatively casual offences, Lupton says.
In conversation, the three expanded on many of the concerns noted above, which they say place a disproportionately large burden on the small and medium enterprise sector.
“It’s changing the landscape of internet access and is causing huge concern among small business owners,” says French.
“It’s going to be a barrier to ISPs and this is another nail in the coffin of the internet cafe.”
Durrant says a particular concern for ISPs is the complexity of the requests for internet data. Call data, as defined under the Act, is already retained by telecommunications companies for billing purposes, but ISPs would not normally keep or store the kind of data they are now required to manage. The particulars remain nebulous as well, he says, with providers uncertain about what exactly they are required to retain.
Durrant believes the Act will definitely have an impact on business and discourage companies from locating here or putting in new services.
“If you’re a multinational and are thinking ‘Which of our jurisdictions will we put this service into?’, will you put it in Ireland?” asks Durrant.
“It’s just the uncertainty. Here, you have to retain [internet data] for a year, but if you go to the Netherlands, it’s six months.” Given the choice, the Netherlands may well look to be the better location.
“There’s no point in going to all this huge expense in impact on privacy unless there’s a real public benefit and a clear deterrent to crime,” Lupton says.
Given the vagueness of the Act in an Irish context and the uncertainty about how it must be applied and whom it affects, as well as its potential to act as a deterrent to areas of business growth and opportunity that are integral to a knowledge economy, one can only hope for the success of the legal challenge to data retention taken against the State by Digital Rights Ireland, currently being considered by the European Court of Justice.
This questions many of the grounds for, and provisions within, the EU directive and would require a badly needed European rethink of this controversial legislation.