A Balancing of Rights: The Constitutional implications of Ireland’s proposed key disclosure law, and how the proposals compare against international models
Subsequent to the publication of the general scheme of the Garda Síochána Powers Bill, recent weeks have seen both the public and academics alike speak out in criticism of the proposed legislation. Several of the Bill’s proposals have proved divisive, including provisions concerning the legal representation of an accused and also the admissibility of evidence obtained in breach of an accused’s rights. (1.) Notwithstanding this, a particular source of concern stemmed from a proposal which criminalises a refusal to disclose mobile phone or computer passwords at the request of a member of An Garda Síochána.
Head 16 of the General Scheme of the Bill provides that, subsequent to Gardaí obtaining a search warrant in relation to a particular premises, any person who is present at that premises can be required to disclose any passwords or encryption keys necessary to operate any “computer” found on that premises. (2.) “Computer” encompasses any electronic device or means of information storage, including mobile phones. (3.) Furthermore, any passwords found on a particular device may subsequently be used to gain access to other devices. (4.) Gardaí are also afforded a further power under Head 16 to retain a copy of any information found on such a device. (5.)
The introduction of some configuration of a key disclosure law can scarcely be considered surprising, owing to the Law Reform Commission’s Future of Policing in Ireland Report which recommended that Gardaí should have the power to request a person’s assistance in accessing materials. (6.) Equally, similar powers exist elsewhere in Irish legislation, including the Criminal Justice (Theft and Fraud Offences) Act 2001. (7.)
Nonetheless, it has been noted that it is the expansive breadth of these proposals which is considered both concerning and also unprecedented in an international context. (8.) The person being requested to provide the password does not need to be a suspect. Equally, Gardaí can compel password disclosure in relation to any device found on the premises irrespective of whether the device is possessed by the suspect. What is also concerning is that these powers to access devices are automatically granted upon the issuing of a search warrant for a premises. A separate warrant in relation to password access is not required.
Constitutionally, the proposed legislation faces two primary legal juxtapositions in the form of the right to privacy and the right to not incriminate oneself. It is worth noting that the provisions of the European Convention on Human Rights corroborate these rights further. The fact that the legislation criminalises a refusal to disclose passwords upon request obligates any person, irrespective of his, her or their relevance to the ongoing criminal investigation, to allow Gardaí access to devices which, in modern society, will indisputably contain information of a highly personal, sensitive nature, violating that person’s right to privacy. Equally, should a suspect’s device contain incriminating information, it is a well-established principle of the law that he, she or they should not be obliged to offer any form of assistance to the State in instituting criminal proceedings against him, her or them. Criminalising failures to comply with password requests effectively mandates that such suspects must incriminate themselves, which has sobering constitutional ramifications.
In deriving a bipartisan solution to these competing interests, parallels may be drawn between these proposals and the manner in which the inviolability of the dwelling is balanced against the pursuit of criminal activity when issuing search warrants. Search warrants are obtained on an individual basis, upon satisfying the issuer that there is a realistic prospect of criminal evidence being obtained upon searching the relevant premises, such that the breach of the right to the inviolability of the dwelling may be regarded as proportionate.
In the context of these measures however, the power to search any and all devices found on the premises, irrespective of whether the owner of the relevant device is a suspect or not, will become a default corollary of the initial power afforded to the Gardaí to search the premises. Proving that there is a reasonable prospect of the device storing information pertaining to criminal activity will not be necessary, nor will devices be considered on an individual basis. It is, perhaps, in this regard that the true disproportionality of the proposed measures becomes apparent, and constitutional considerations appear somewhat disregarded.
This is further corroborated by the fact that Ireland’s proposed password disclosure law is unparalleled internationally. Neither the USA nor Canada have implemented key disclosure laws, although there are certain instances in which law enforcement authorities may seek warrants from a court in relation to password access. Even in these limited circumstances, the constitutional implications of issuing of these warrants have often proved divisive in cases such as Commonwealth v Davis (USA) and R v Shergill (Canada), due to the right against self-incrimination. (9.) Although certain jurisdictions including both the United Kingdom and Australia have enacted key disclosure laws, such laws are much more narrowly construed than those proposed by the Garda Síochána Powers Bill. In England and Wales, judges must first be satisfied that orders made to disclose passwords are proportionate before such orders may be issued. (10.) In Australia, law enforcement authorities may apply to a magistrate for a password access warrant in relation to individual devices, again having to satisfy the magistrate that such a measure is proportionate. (11.)
Accordingly, although key disclosure laws of some calibre may be necessary in modern society where criminal activity is frequently migrating to the digital environment, the personal rights of those owning these devices cannot be discarded. Accounting for the highly sensitive nature of the information commonly stored on personal devices, the circumstances in which persons may be compelled to give law enforcement authorities access to such devices ought to be strictly limited, something which has seemingly been recognised by other western societies. In comparing these to the measures proposed by the recent Bill, it is apparent that the Irish legislature has failed to recognise how electronic devices contain information of a highly personal nature, comparable in sensitivity to the contents of one’s private dwelling. Searching devices of such a nature should warrant authorisation on an individual basis, and the current draconian proposal construing these searches as a by-product of the general power to search a premises is certainly a cause for concern.
1.) Cianan Brennan interviewing Dr. Vicky Conway, ‘Very concerning’: Experts worry over new powers for Gardaí (The Irish Examiner, June 2012)
2.) Garda Síochána Powers Bill, General Scheme, Head 16 (1)(e)
3.) Garda Síochána Powers Bill, General Scheme, Head 16 (4)
4.) Garda Síochána Powers Bill, General Scheme, Head 16 (1) (e)
5.) Garda Síochána Powers Bill, General Scheme, Head 16 (3) (a)
6.) Law Reform Commission’s Future of Policing in Ireland Report, 2018
7.) Criminal Justice (Theft and Fraud Offences) Act 2001, s48(5)
8.) T. J. McIntyre, New Garda Powers Bill must go back to the drawing board (The Irish Times, June 2021)