The Communications (Retention of Data) Act, 2011, came into force in January. The Act imposes an obligation on service providers to retain the data specified in the Schedule for periods of two years and one year respectively. Data is defined in the Act as meaning traffic data or location data, and the related data necessary to identify the subscriber or user; in other words, such information as the provider might reasonably be expected to have in order to identify, to any investigating Garda officer, who has been on its network. The data to be retained is such data as is necessary to “trace and identify the source of a communication”, including the calling telephone number and the name and address of the subscriber. You must also retain data necessary to identify the destination of the communication, namely the number called, the number to which the call may be routed, and the name and address of the subscriber. The data retained must also identify the date and time of the start and end of the communication, and include such data as is necessary to identify the type of communication.
The Act also becomes quite technical, referring to the International Mobile Subscriber Identifier, the IMSI, of both parties to the telephone call, and also the International Mobile Equipment Identifier, the IMEI, of both parties. In cases of anonymous services such as pre-paid “throw away” phones, the date and time of the initial activation of the service and the cell ID from which the service was activated, must be retained. In addition, data necessary to identify the location of the mobile communication equipment, including the cell ID at the start of the communication, and data to identify the geographical location of the cell, must be retained. The above data must be retained for two years.
Data to be retained for one year includes data necessary to trace and identify the source of a communication for internet access, internet email and internet telephony data, which again has the broad parameters above, including the user ID or telephone number of the recipient, the name and address of the subscriber, the date and time of log-in and log-off, together with IP address, whether dynamic or static, and such data as is necessary to identify the type of the communication.
Interestingly, Section 2 specifically excludes the content of the communications transmitted from the provisions of the Act. Thus, there is no obligation on the service provider to record the communications themselves, which would certainly prove to be unwieldy, if not actually impossible.
The Act also imposes further data security obligations upon service providers, obliging them to take appropriate technical and organisational measures to protect the data against accidental or unlawful destruction, accidental loss or alteration, and unauthorised or unlawful storage or processing. The Act also provides that such data must be destroyed by the service provider within specified times, namely one month after the two year and one year periods prescribed in the Act.
Any disclosure request from An Garda Síochána must be made by a member not below the rank of Chief Superintendent, and only where that member is satisfied that the data is required for: (a) the prevention, detection, investigation or prosecution of a serious offence, (b) the safeguarding of the security of the State, or (c) the saving of human life. Disclosure requests can also be made by an Officer of the Defence Forces (not below Colonel) or an Officer of the Revenue Commissioners (not below Principal Officer). Disclosure requests must be made in writing, except in cases of exceptional urgency.
For those concerned about this broad power being granted, each of the three Bodies above must prepare and submit to its respective Minister an annual report detailing the number of times data has been disclosed, the number of times a disclosure request could not be met, and the average period of time for the disclosure of such data. The Minister is obliged to consolidate those reports and submit them to the European Commission. The Act goes on to provide for a Referee-type procedure, a review of the Act by the Courts, and various other miscellaneous procedures.
While the Act does not set out specific penalties for breaching it, the Data Protection Commissioner is designated as a National Supervisory Authority for the purpose of the Act and the European Directives.
Section 10 sets up a procedure whereby the Referee who is appointed as a Complaints Referee under the Interception of Postal Packets and Telecommunication Messages (Regulations) Act, 1993, may also act in relation to this Act, and may make directions and indeed award compensation where appropriate.
In short, you now have additional obligations as a WiFi provider which you and your clients must comply with.
Who said that digital aid would make life simpler!