Irish cyber security bill faces scrutiny over broad surveillance powers

Digital Rights Ireland (DRI) and the Irish Council for Civil Liberties (ICCL) will appear today before the Oireachtas Joint Committee on Justice, Home Affairs and Migration to outline their concerns about the General Scheme of the National Cyber Security Bill 2024. While the bill is intended to transpose the EU’s Network and Information Security Directive (NIS2) into Irish law, both organisations argue that key provisions go significantly further than what the directive requires and may conflict with European standards on privacy, data protection and surveillance oversight.

One of the most contested elements is a provision that would allow the National Cyber Security Centre (NCSC) to scan any publicly accessible network or information system in the country for vulnerabilities without notifying the owner. According to DRI and ICCL, the measure would apply far beyond essential services and could include networks run by small businesses, political organisations or community groups. They warn that the proposal does not require any assessment of necessity or proportionality and risks normalising state-led scanning of private systems.

Another section focuses on powers to block access to domain names in response to cyber threats. Civil society groups describe this as an “internet death penalty”, noting that disabling a domain can remove access to all content hosted on it, including unrelated material. They highlight the absence of safeguards, such as independent authorisation or clear redress mechanisms, which international standards typically require for restricting online content.

More far-reaching still is a proposal to allow the NCSC to collect and store large volumes of network traffic from public sector bodies, including the full content of emails. It would also permit the gathering of communications metadata from telecommunications networks and social media platforms, with retention for up to 18 months. DRI and ICCL say this amounts to bulk collection affecting large parts of the population and note that consent is framed at institutional level, not individual level, raising significant concerns about privacy, sensitive data and legal confidentiality.

A related provision would empower the state to require telecommunications providers, messaging services and data centre operators to install surveillance equipment on their networks during what is defined as a national security threat. The organisations argue that this proposal resembles generalised data retention schemes that have repeatedly been struck down by the Court of Justice of the European Union. They also stress that the bill does not define what constitutes a national security threat or specify the oversight needed for such measures.

Another concern relates to how the NCSC would be permitted to use personal data. The bill allows the centre to repurpose sensitive information for broad and undefined security reasons, including unspecified national security purposes. DRI and ICCL argue that this approach lacks legal certainty and does not include the safeguards required by EU data protection law when handling sensitive categories of personal data.

Overall, the groups warn that the bill introduces scanning, blocking and data-collection powers that go beyond the scope of NIS2 and lack the guardrails necessary to protect fundamental rights. They are urging lawmakers to narrow the scope of state powers, introduce independent oversight, and ensure compliance with EU privacy and surveillance standards before the bill advances further.