The European Court of Justice has dismissed the Irish Government's challenge to the Data Retention Directive (2006/24) ("the Directive"). The ECJ ruled on Tuesday 9th February 2009 that the EU's Data Retention Directive had a sound legal basis. Ireland, supported by Slovakia, took legal action against the European Parliament and Council arguing that the Directive should be annulled because it was improperly adopted as an internal market measure, rather than as a criminal measure. Ireland submitted that the predominant objective of the directive is to facilitate the investigation, detection and prosecution of crime, including terrorism, and it was not intended to address defects in the internal market.

The ECJ accepted the European Parliament's evidence that following the terrorist attacks in New York, Madrid and London, a number of Member States adopted divergent rules on the retention of data, and that such differences were liable to impede the provision of electronic communications services. It found that the retention of data constitutes a significant cost element for service providers and the existence of different requirements in that field could distort competition within the internal market. The ECJ held that the directive had a sound legal basis, as the provisions of the directive are designed to harmonise national laws on the obligation to retain data; the categories of data to be retained; the periods of retention of data; data protection and security, and the conditions for data storage.

As a result of the ECJ's judgment the Irish Government must amend certain Irish legislation so as to comply with the provisions of the Directive. The Directive requires telephone operators and internet service providers ("service providers") to retain details of call and internet data for not less than six months and not more than two years, in order to ensure that the data are available for the purpose of the investigation, detection and prosecution of serious crime. The directive leaves it to Member States to define 'serious crime' in their national laws. The Directive does not require the content of calls or emails to be retained.

The Criminal Justice (Terrorist Offences) Act, 2005 ("the Act") currently allows the Garda Commissioner to require service providers to retain customers' traffic data or location data, or both, for three years, for the purposes of: a) the prevention, detection, investigation or prosecution of crime (including but not limited to terrorist offences), or (b) the safeguarding of the security of the State.

The draft Data Retention Bill has been reported to contain the following provisions:

  1. a definition of a serious crime as an offence punishable by imprisonment for a minimum period of 12 months or a fine exceeding €5,000;
  1. a controversial clause providing that a disclosure request shall not be invalid by reason only of the fact that it was obtained outside the Act's provisions; and
  1. a provision permitting the Minister for Justice by order to exclude an offence from the application of the Act, subject to approval by the Oireachtas.