Concerns on ‘bulk collection’ of data in bill
Digital Rights Ireland (DRI) and the Irish Council for Civil Liberties (ICCL) have outlined their concerns about a draft bill on cyber-security to an Oireachtas committee.
The groups were appearing before the Oireachtas Joint Committee on Justice, Home Affairs and Migration yesterday (25 November).
They say that sections of the draft National Cyber Security Bill 2024 go beyond the transposition of the EU’s NIS2 Directive and could affect data-protection and privacy rights.
The bill puts the National Cyber Security Centre (NCSC) on a statutory footing, as well as setting out its mandate.
It also designates national competent authorities (NCAs) to oversee implementation and enforcement of the EU directive within relevant sectors.
‘National security’ concerns
DRI and the ICCL, however, are concerned about the powers given to the NCSC under heads six to ten in the bill’s general scheme.
They say that, under the bill, the centre could:
- Scan any publicly accessible network or information system in the State, without the owner’s knowledge or consent, for vulnerabilities,
- Block access to a domain name, in a way that the organisations describe as “an internet death penalty”, affecting freedom-of-expression rights and the rights of business owners,
- Scan and store, for up to 18 months, all network traffic in public-sector bodies, and collect all metadata about private communications on public electronic communications networks,
- Compel providers such as WhatsApp and iMessage, as well as data-centre operators, to install surveillance devices on their networks, and
- Handle personal data for purposes other than those for which the data were originally collected, and for ‘national-security’ purposes.
The two organisations say that ‘national security’ is not defined in the bill, compounding their concerns about bulk collection of communications content and metadata.