Nine million texts are sent daily in Ireland, a huge increase on when the first text was sent in 1992. All are subject to the data retention and access regime currently in place under the Communications (Retention of Data) Act 2011. That regime has now been given the kiss of death by the Court of Justice of the European Union (“CJEU”) in its recent decision on a referral by the Irish Supreme Court dealing with the validity of electronic communications evidence collected under it.

The legislation, brought in to transpose EU Directive 2006/24, regulates the retention of data by electronic communications providers and access to that data by state authorities.

Respect for EU law

The CJEU makes clear that national legislation has to measure up to European principles of necessity and proportionality in order to ensure a proper balance between respect for individual rights and the need of the State to protect itself and its people. Those principles, however, are open to interpretation and, as such, are dynamic to the context and the time in which they are invoked.

It has been 11 years since the Irish data retention legislation in question was enacted, and the ecosystem for electronic communications has evolved considerably over that time. So, too, have the attendant risks to personal data rights. The jurisprudence of the CJEU has largely tracked these developments as it considers what level of retention and State access can be appropriately mandated for surveillance purposes.

Mass retention of metadata

In the current case, the issues centered on whether the State could authorize general retention of electronic communications for criminal investigative purposes, and if so, then what level of access should the Gardaí (the national police force) have to that metadata, in order to unearth a murder suspect, which was the focus of the investigation in question.

Given that access could allow profiling of the data on a range of sensitive issues – such as religion, sexual orientation, political views and health status, all of which are afforded additional EU legal protection – the judgement holds that mass, generalized retention of this type of data is a serious interference and needs to be strictly regulated.

The CJEU had already opined on several of the issues in previous cases, and drew heavily from these cases for the purposes of deciding the Irish referral. Maintaining a consistent approach, this decisive judgement offered less support than the Irish and other governments had hoped for in retrieving metadata related to serious crime.

The CJEU pointed out that the authority for general retention of electronic communications by an EU member state like Ireland, in relation to its citizens, had to be very narrowly interpreted in order to protect the fundamental rights of privacy, data protection and freedom of expression under EU law. The objective for which the data is retained grounds the authority for which it can be accessed.

So while general data retention may be authorized for threats to national security, it is a step too far when used to combat serious crime. Limited access to targeted retained data can be authorized to investigate serious crime but it must be based on targeted, rather than general, retention.

Ability to challenge

The detail of that authority must also be clearly defined and controlled in national law, and must mirror (and stay within the confines of) EU law. The interference with personal rights must be clearly controlled to allow for challenge, according to the CJEU.

This involves, among other things, there being an independent body or court responsible for reviewing applications by national authorities for access to retained data, in advance of any such access being granted. That body or court must be free from external influence and not involved in the criminal investigation. This is to effectively protect against the risk of abuse or unlawful access, particularly given the wide and evolving swathe of electronic communications being generated today by individuals.

The CJEU views a prosecutor’s office or, as in the Irish case, a division within the police force as insufficiently independent to decide such matters. A senior Garda officer gave authority to access the metadata, which was instrumental in investigating and obtaining a murder conviction. This was not good enough, according to the CJEU, to protect the fundamental rights of those targeted.

What next?

The judgement will now be considered by the Irish Supreme Court and will also inform the appeal against conviction. There are other cases waiting in the wings, which are also largely based on traffic and location metadata, so a resultant flurry of court activity is likely to follow in Ireland. Also likely now will be new legislation filling the gaps identified by the CJEU.

Ultimately, while this judgement may give governments a headache and prisoners’ hope, it is nevertheless a clear, detailed and decisive judgement defining the conditions under which metadata may be accessed during criminal investigations.