Venice Commission - Report on a rule of law and human rights compliant regulation of spyware
www.venice.coe.int
Disclaimer: this information was gathered by the Secretariat of the Venice Commission on the basis of contributions by the members of the Venice Commission, and complemented with information available from various open sources (academic articles, legal blogs, official information web-sites etc.).
Every effort was made to provide accurate and up-to-date information. For further details please visit our site: https://www.venice.coe.int/
1. Does your legal framework allow for the use of spyware as a tool of targeted surveillance either in criminal or intelligence investigations or is there an explicit prohibition on the use of spyware? If so, how does your domestic legal framework define spyware?
There is no Irish law specifically governing the use of spyware in criminal and intelligence investigations. The legal framework allows for the interception of communications and the use of surveillance in criminal and intelligence investigations but the use of spyware is not explicitly contemplated nor defined in Irish legislation.
2. Are there specific rules (covering notably the scope ratione materiae, temporis and personae) in place or do the general rules on targeted surveillance (interception of communications) apply (could you please provide us with such specific or general rules)?
There are no specific rules in place detailing the use of spyware. The use of spyware would
3. What kind of data, if any, could be collected with spyware?
There is no definition or general classification of types of data in Irish law. The kind of data that can be collected depends on the provisions of the Act in question.
4. Has there been any official evaluation of the need for, or added value of, spyware?
Yes. In March 2024, the Irish government signed up to the US-led Joint Statement on Efforts to Counter the Proliferation and Misuse of Commercial Spyware. On the Irish government’s website, the Department of Foreign Affairs stated:
5. Who authorises/approves measures of targeted surveillance in criminal and intelligence investigations (judiciary, executive, expert bodies, security services)?
Criminal Justice (Surveillance) Act 2009
6. What are the national oversight mechanisms in place in your country for the activities of the security services (are they judicial, parliamentary, executive, or expert)? Do these bodies have (binding) remedial powers?
Oversight of security services
7. Does a post-surveillance notification mechanism exist? Are there any other remedies available for individuals targeted by measures of targeted surveillance?
Notification Mechanism
Ireland
The Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993 provides a basis for the interception of postal packets and telecommunications messages. The Criminal Justice (Surveillance) Act 2009 provides the legislative basis in Ireland for monitoring, observing, listening to or making a recording of a particular person or group of persons or their movements, activities and communications, or the monitoring or making a recording of places or things, by or with the assistance of surveillance devices, including a tracking device. These Acts include details of the purposes for which such powers are permitted to be exercised, by whom the powers are permitted to be exercised, and relevant safeguards and conditions, including prior authorisations, reporting, remedies, redress and other oversight.
In 2016, the Department of Justice and Equality announced plans to extend the interception regime to services offered directly via the internet. The 1993 Act is currently subject to review to ensure it is modernised, having regard to developments in technology.
Neither Act individually allows for the use of spyware. The 1993 Act permits interception alone, and the 2009 Act authorises the use of surveillance devices but does not give any power to interfere with computer systems and specifically excludes anything that would constitute an interception under the 1993 Act. If state spyware is deployed, it would have to be tailored to avoid capturing phone calls, text messages, and emails if they fall within the scope of the 1993 Act. There is no public information about whether state spyware has been deployed or whether An Garda Síochána (the Irish police force) has this power. However, the Department of Justice cited both Acts in response to a European Commission questionnaire that sought information from all Member States about the use of spyware by national authorities and the legal framework governing such use. In addition, the Minister for Justice mentioned both Acts in response to a parliamentary question concerning the use of spyware, indicating that if the state is using spyware, it is likely under the powers contained in these Acts.
Spyware is not explicitly prohibited in Irish law. Without some statutory basis, the use of spyware would most likely constitute the offence of accessing an information system without lawful authority contrary to section 2 of the Criminal Justice (Offences Relating to Information Systems) Act 2017. There is no offence in Irish law that criminalises the surveillance of ‘over-the-top’ communications.
likely be governed by general rules on targeted surveillance and the interception of communications. Irish law regulates the following types of state surveillance: the use of tracking and surveillance devices under the Criminal Justice (Surveillance) Act 2009, interception of communications under the Interception of Postal Packets and Telecommunications Messages Act 1993, and access to retained communications data under the Communications (Retention of Data) Act 2011, as amended by the Communications (Retention of Data) (Amendment) Act 2022.
Criminal Justice (Surveillance) Act 2009
This Act covers covert surveillance, including audio and visual recordings, tracking devices and other forms of electronic surveillance. Surveillance is permitted for preventing, detecting, investigating or prosecuting serious offences. Surveillance operations require authorisation and are limited in duration. The initial authorisation can last up to three months, with possible extensions. Authorisation must be granted by a District Court judge. The Act applies to persons suspected of involvement in serious criminal activities. Surveillance is targeted and specific to individuals under investigation.
Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
The Act regulates the interception of postal packets and telecommunications messages. Interception is permitted for the protection of national security and the prevention, detection, investigation, or prosecution of serious offences. Interception requires a warrant issued by the Minister for Justice which is valid for a specific period, generally up to three months, and can be renewed. Warrants are issued following a formal application by authorised officers. The Act applies to individuals suspected of, or involved in, serious criminal offences.
Communications (Retention of Data) Act 2011, as amended by the Communications (Retention of Data) (Amendment) Act 2022
This law sets out the data retention scheme. Unlike targeted surveillance, which involves the surveillance of a particular person, mass surveillance involves the indiscriminate retention and storage of communications data. Therefore, Irish data retention law does not strictly apply to the legal framework that could be used for spyware. It is worth noting, however, as data retained under this Act can be accessed by bodies such as An Garda Síochána when such a body decides that there are grounds for suspecting a person of being involved in unlawful activity relating to the commission of a crime or the security of the state.
Data retention law has changed in Ireland in recent years. The main law in this area is the Communications (Retention of Data) Act 2011 which transposed the Data Retention Directive. The Act regulates access to and retention of information that has been generated by various service providers. Following the judgments in Digital Rights Ireland and Tele2, the Murray report was published which identified the need for reform. The law was challenged following the judgement in GD v Commissioner of An Garda Síochána and others. The judgement in this case confirmed that key elements of the 2011 Act were contrary to EU law and that the general and indiscriminate retention of traffic and location data was not permitted for the purpose of tackling serious crime. The Communications (Retention of Data) (Amendment) Act 2022 was passed and commenced in 2023. It limits the means and purpose for which certain metadata can be retained and accessed. Since June 2023, there are two separate regimes, one for user data and one for Schedule 2 data. There is no longer an obligation on service providers to retain all Schedule 2 data. This data can now only be retained for the purposes of safeguarding state security and only on the foot of a court order. However, the Act also provides for ‘quick freeze’ orders to retain certain types of Schedule 2 data for broader purposes.
The 2011 Act applies only to service providers and does not apply to non-traditional telecommunications providers such as search engines and ‘over-the-top’ communications services. Certain data must be retained for a period of one year, which can be varied by the Minister for Justice.
Other Rules
Apart from interception and data retention, Ireland does not have technology-specific rules and instead relies on the general law regarding search warrants and court orders to produce or give access to information. These powers are spread across a range of statutes and common law rules which can be exercised depending on the crime being investigated. However, in the recent case DPP v Quirke, the Supreme Court identified a distinction between physical spaces and digital spaces regarding authorisation to search and seize potential evidence. The Supreme Court held that the search of digital devices was a serious intrusion on privacy which required judicial analysis of the proportionality of the search.
Criminal Justice (Surveillance) Act 2009
Under this Act, data can be collected through surveillance. Data can be in the form of books, recordings, written or printed material, or information stored or preserved electronically or otherwise than in legible form. Surveillance is defined as monitoring, observing, listening to or making a recording of someone or something or their movements, activities and communications. Data can be collected through the use of surveillance devices and tracking devices. A tracking device is defined as a surveillance device that is used only for the purpose of providing information regarding the location of a person, vehicle or thing. The courts have been strict in interpreting the Act and ensuring the data collected qualifies as surveillance under the Act.
Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993
The 1993 Act is limited to traditional telecommunications providers. Communication is defined as a postal packet or telecommunications message, including a telegram. This Act does not apply to communications from ‘over-the-top’ services, such as WhatsApp, Facebook Messenger and Gmail. It only applies to messages transmitted by traditional operators such as landline, cable and mobile phone providers and internet connectivity providers. In 2021, the designated judge reporting on the operation of the legislation noted that updated legislation to allow for state bodies to access encrypted forms of telecommunications was urgently required and long overdue. Similar comments were made by O’Connor J in the report from this year. He recommended that ‘over-the-top’ services be brought within the scope of the legislation.
Communications (Retention of Data) Act 2011, as amended by the Communications (Retention of Data) (Amendment) Act 2022
The 2011 Act only applies to metadata and does not regulate the content of communications. It applies to data in the electronic communications sector, specifically traffic and location data, and data necessary to identify a user and data processed in connection with communications on landlines, mobile phones and the internet. This Act applies to ‘service providers’, but only to traditional telecoms and connectivity providers and not ‘over-the-top’ services. All service providers must retain ‘user data’ and ‘internet source data’. User data, internet source data, and Schedule 2 data (location and communications traffic data) can be accessed under this Act. Internet source data is available in relation to investigations of serious offences, revenue offences, police disciplinary matters, in the interest of the security of the state, to preserve human life and to locate a missing person. Schedule 2 data is generally available only in relation to state security unless the data is being held for a purpose other than compliance with a High Court order imposing data retention obligations, in which case it is also available in relation to serious offences, revenue offences and police disciplinary matters.
‘The proliferation of commercial spyware and the manner in which these technologies are being misused by authoritarian regimes and in democracies are matters of serious concern that require a coordinated international response. Ireland welcomes the opportunity to join this important collective action. We are committed to the principles of the Joint Statement and share the objectives of curbing the proliferation of these technologies and developing and implementing policies to discourage their misuse. These technologies can play a legitimate and important role in supporting the work of law enforcement agencies and security services, when used in a manner that is consistent with respect for human rights, the rule of law, and democratic principles. This initiative also seeks to elaborate best practice in this context.
Authorisation for surveillance must be granted by a judge of the District Court. A superior officer of An Garda Síochána (the national police force), the Defence Forces, the Revenue Commissioners, the Competition and Consumer Protection Commission, or the Ombudsman Commission can apply for authorisation if they have reasonable grounds to believe that the surveillance is necessary for specific purposes such as investigating an arrestable offence, preventing the commission of such offences, or in the interests of state security. The application made by the superior officer is heard ex parte and in private. The judge may grant the authorisation if they are satisfied that the conditions outlined in the law are met, ensuring that the surveillance is justified, proportionate and the least intrusive means available. In cases of urgency, members of the relevant agencies can carry out surveillance without an authorisation if the surveillance has been approved by a superior officer. Authorisation must be obtained as soon as practicable following the approval.
The courts have emphasised that an authorisation under the 2009 Act does not grant state agencies complete authority. In The People (DPP) v R McC, the Court of Appeal noted that the circumstances in which surveillance devices can be used are strictly delineated by the conditions of the authorisation and the provisions of the Act. In Idah v DPP, MacMenamin J emphasised that state agencies are not free to choose whether to apply for an authorisation with judicial oversight or internal approval.
Interception of Postal Packets and Telecommunications Act 1993
The Minister for Justice can authorise interceptions for the purpose of criminal investigations or in the interests of the security of the State. Applications for authorisations must be made in writing by the Commissioner of the Garda Síochána for criminal investigations. The Minister can consult with the designated judge before deciding whether to give an authorisation.
The Minister must be satisfied that the conditions outlined in the law are fulfilled. Authorisation may only be granted where other investigative methods have failed or are likely to have failed. For criminal investigations, interception must assist in investigations of An Garda Síochána for a serious offence, or the prevention of the commission of an offence. For state security, there must be reasonable grounds to believe that activities endangering the security of the State are occurring or are imminent, and interception must provide material assistance in obtaining necessary information that other methods cannot quickly or effectively produce.
Communications (Retention of Data) Act 2011, as amended by the Communications (Retention of Data) (Amendment) Act 2022
Section 3A permits the Minister for Justice to apply to the High Court ex parte for an order providing for the retention of Schedule 2 data for 12 months. User data can be accessed by An Garda Síochána, the Defence Forces, and the Garda Síochána Ombudsman Commission. User data may be accessed for the purposes of investigating an offence, a revenue offence, for national security purposes, for police disciplinary matters, for protecting the life or personal safety of a person, or to locate a missing person. Disclosure of user data can be required following an internal authorisation by a senior official within each body. There is no requirement for authorisation by a judge or an independent body.
Internet source data can be accessed by An Garda Síochána, the Defence Forces, the Revenue Commissioners, and the Garda Síochána Ombudsman Commission. User data may be accessed, depending on the investigating body, for the purpose of investigating a serious offence, a revenue offence, for national security purposes, for police disciplinary matters, for protecting the life or personal safety of a person, or to locate a missing person. Authorisation to require disclosure of internet source data is granted by a District Court judge, applying a test of necessity and proportionality. In cases of urgency, these bodies can access internet source data on the basis of internal authorisation by a senior official, followed by an application to a District Court judge for approval after the fact.
Schedule 2 data can be accessed by An Garda Síochána and the Defence Forces for the purpose of protecting state security. Authorisation to require disclosure of Schedule 2 data is granted by a District Court judge. In cases of urgency, this data can be accessed on the basis of internal authorisation by a senior official, followed by an application to a District Court judge after the fact. Schedule 2 data which is being held by a service provider for a purpose other than compliance with a High Court retention order under section 3A can be accessed for purposes other than national security, including an investigation of serious offences and other offences. The mechanism for accessing such data is the same as other Schedule 2 data.
Cell site location data can be accessed by An Garda Síochána on the basis of internal authorisation for protecting the life or personal safety of a person, or for determining the whereabouts of a missing person.
Ireland does not have a distinct intelligence agency. Intelligence and state security functions are the responsibility of An Garda Síochána and the Defence Forces. In general, An Garda Síochána is answerable to the Minister for Justice and the Defence Forces are answerable to the Minister for Defence in respect of surveillance. The Policing Authority, introduced in 2015 by the Garda Síochána (Policing Authority and Miscellaneous Provisions) Act 2015, and its replacing authority, the Údarás Póilíneachta agus Sábháilteachta Pobail, to be introduced under the Policing, Security and Community Safety Act 2024, exclude security services.
Oversight of surveillance activities
Criminal Justice (Surveillance) Act 2009
The oversight mechanism under the 2009 Act currently involves judicial and executive oversight. Each year, the designated judge reviews the operation of the Act and reports to the Taoiseach. The judge has the authority to investigate any case where authorisation has been issued, renewed, or varied under the relevant sections of the Act. The Taoiseach must ensure that the report is laid before each House of the Oireachtas within six months of its completion, along with a statement on whether any sensitive matters have been excluded due to security concerns. If, during an investigation, the designated judge believes it is in the interests of justice, they can refer the case to a Referee for further investigation.
The oversight mechanism from section 12 of the 2009 Act was substituted this year following the enactment of the Policing, Security and Community Safety Act 2024. However, these provisions have not yet been commenced. When they come into force, primary oversight responsibility will be assigned to an Independent Examiner rather than a designated High Court judge.
Interception of Postal Packets and Telecommunications Act 1993
A designated judge keeps the operation of the Act under review, ensuring compliance with its provisions and reports to the Taoiseach each year regarding the general operation of the Act and as necessary on specific matters. The judge can investigate any case where an authorisation has been given and has access to and can inspect official documents related to authorisations and applications. If a designated judge finds that an authorisation should not have been given or should be cancelled, the Minister must be informed. The judge can communicate directly with the Taoiseach or the Minister on any matters concerning interceptions or disclosure requests. The Taoiseach must lay a copy of the judge’s report before the Oireachtas with a statement indicating whether any matter has been excluded due to concerns about crime prevention, detection or state security. The functions of the Data Protection Commission under the Data Protection Acts of 1988 and 2018 are not affected by the designated judge’s duties. The designated judge can communicate with the Data Protection Commission on matters related to the Commissioner’s functions under the Data Protection Acts.
The oversight mechanism from section 8 of the 1993 Act was substituted this year following the enactment of the Policing, Security and Community Safety Act 2024. However, these provisions have not been commenced. When they come into force, primary oversight responsibility will be assigned to an Independent Examiner.
The 1993 Act does not allow for the notification of surveillance after the fact. Section 10(3) of the 2009 Act provides that the Minister for Justice may make regulations for the disclosure of information about the use of a tracking or surveillance device to the person who was placed under surveillance or others affected by the surveillance. However, no such regulations have been made and as a result, there is no notification obligation in respect of this Act either.
Complaints Procedure
Criminal Justice (Surveillance) Act 2009
Under this Act, any person who believes they may have been the subject of an authorisation under sections 7 or 8 can apply to the Complaints Referee for an investigation. Where an application is made and is not considered frivolous or vexatious, the Referee must investigate whether an authorisation was issued or approval was granted as claimed, and if so, whether there has been a relevant contravention. If a contravention is found, the Referee must notify the applicant and any materially affected person in writing and report the findings to the Taoiseach. The Referee may also order the quashing of the authorisation or reversal of the approval and the destruction of related records, recommend compensation of up to €5,000 and report the matter to the relevant authorities (the Ombudsman Commission, Ministers, and designated judge). The Referee may decide not to notify the applicant, quash the authorisation, or recommend compensation if it is not in the public interest.
Interception of Postal Packets and Telecommunications Act 1993
Individuals who believe their communications have been intercepted under the Act can apply to the Complaints Referee for an investigation. The Referee is appointed by the Taoiseach and must be a judge of the Circuit or District Court or a barrister or solicitor with at least 10 years’ experience. The Referee investigates the validity of an authorisation and any contraventions of the Act’s provisions. If a contravention is found, then the Referee must notify the applicant in writing, and report the finding to the Taoiseach. They can take such actions as quashing the authorisation, ordering the destruction of intercepted communications, or recommending compensation for the applicant. If the Referee concludes that there has not been a contravention in relation to the authorisation, but that the offence concerned was not a serious offence, they can refer the question to the designated judge for further determination. The Referee has access to all official documents related to the authorisation and can request information from individuals concerned in the process. The Minister is obligated to implement any compensation recommendations made by the Referee.
Communications (Retention of Data) Act 2011, as amended by the Communications (Retention of Data) (Amendment) Act 2022
Section 12 of the 2011 Act provides that the person to whom the data relates shall be notified of the disclosure of Schedule 2 data to an applicant officer. Disclosures of Schedule 2 data made pursuant to an authorisation relating to the security of the state are excluded from this. A person who believes their data has been disclosed following a disclosure requirement may apply to the Complaints Referee to investigate.