A new report calls for Garda access to encrypted apps like WhatsApp and Telegram, while highlighting legal limits around data retention under EU law and growing challenges in accessing digital evidence in serious criminal investigations.
The findings come from the first annual report of the Independent Examiner of Security Legislation, George Birmingham. The report examines three key pieces of legislation, including the Communications (Retention of Data) Act 2011, and sets out concerns about both An Garda Síochána’s investigative capacity and safeguards for civil liberties.
In his foreword, Birmingham said that while security legislation is widely accepted as necessary, there are legitimate concerns about potential State overreach.
“Few people will question the need for security legislation designed to protect the security of the State and to combat serious crime,” he said.
“However, there can be legitimate concern whether overreach is possible and whether legislation sufficiently addresses matters in relation to the safeguarding of human rights and civil liberties.”
He also warned that a failure to properly balance these issues could weaken both legal effectiveness and public trust.
“A failure to have sufficient regard for human rights and civil liberties concerns may mean that the legislation is less effective than intended and ultimately may leave Ireland a less safe, less secure and less free, tolerant and democratic State,” he said.
The report states that Ireland now faces a more complex security environment than in previous decades, citing dissident republican activity, Islamist terrorism, extreme right-wing and extreme left-wing terrorism, as well as single-issue extremism and hostile state actors.
It notes that “the possibility of actions undertaken by so called ‘lone wolves’, whether motivated by terrorist ideology or not, also requires consideration”, adding that the overall threat picture is “complex and concerning”.
Among its key observations, the report highlights what it deems to be gaps in the Interception of Postal Packets and Telecommunications Messages (Regulation) Act 1993, describing it as out of date due to its focus on older forms of communication such as voice calls, SMS and MMS.
It states that the legislation does not provide a legal basis for accessing data-based or over-the-top services, including WhatsApp, Telegram and Snapchat, nor does it allow interception of internet browsing data.
The report also points to a lack of statutory provision for modern investigative tools such as IMSI catchers, which are used in some jurisdictions to track mobile device identifiers and location data.
On encryption, the report describes end-to-end encryption as a major challenge for law enforcement, noting that while it is widely used for financial security and private communication, it is also attractive to criminal and terrorist networks.
Encryption is defined in the report as the conversion of readable information into an unreadable form, or ciphertext, which can only be decrypted by intended recipients.
It states that encrypted messaging means service providers cannot access the content of communications, which limits investigative access even when lawful interception powers exist.
The report references previous operational successes, including the infiltration of the EncroChat communications network by French and Dutch authorities, as an example of how encrypted platforms have been targeted in previous criminal investigations.
It also notes that Justice Minister Jim O’Callaghan has indicated that communications from all devices, including encrypted services, should be capable of lawful access, subject to safeguards.
Under the Communications (Retention of Data) Act 2011, the report highlights what it describes as a structural limitation in EU law, namely the absence of a general obligation on telecoms providers to retain large volumes of user data for extended periods.
It states that in practical terms, this can result in key evidence such as phone records or location data not being available by the time an investigation begins, particularly where offences are reported long after they occur.
However, it notes that this may require the Government to push for a broader legislative change at EU level in order to address such matters.
The report references judicial commentary noting the importance of metadata in historic criminal cases, including those related to the murder of Veronica Guerin and the Omagh bombing, and suggests that similar evidential gaps could arise in future serious cases.
It also notes that Irish legislation diverges from other regimes by placing responsibility for interception authorisation on the Minister for Justice, with limited provision for independent prior judicial scrutiny.
In addition, it raises concerns about procedural issues such as urgency provisions, secure storage of intercepted material, and the practical requirement for physical signatures in certain authorisation processes.
The report recommends a new legislative framework to replace the 1993 Act, including provisions for encrypted communications, modern digital services, courier services beyond An Post, and clearer rules around emergency authorisations.