The Court of Justice of the European Union (the “CJEU”) has confirmed that the general indiscriminate retention of traffic and location data for the purposes of preventing serious crime is inconsistent with EU Law (although certain targeted retention may be permissible), and that the effects of this finding cannot be limited to future convictions. The CJEU has further ruled that any request for access by national authorities to retained data must be subject to a prior review carried out by either a court or an independent administrative body and that the decision of the court must be made following a reasoned request by those authorities. The current approach in Ireland was determined not to be sufficient.

Graham Dwyer was convicted of murder in 2015, and location data collected from his mobile phone was influential in securing that conviction. This data was retained and accessed by An Garda Síochána (“AGS”) under the Communications (Retention of Data) Act 2011 (the “2011 Act”). On appeal, the High Court ruled that the 2011 Act was incompatible with EU law. This was appealed by the State to the Supreme Court, which decided that certain matters should be referred to the CJEU prior to a final ruling.

The 2011 Act gave effect to the Data Retention Directive (Directive 2006/24/EC). However, in Digital Rights Ireland it was determined by the CJEU that, while combatting serious crime is of great importance, it does not justify the general and indiscriminate retention of all traffic and location data. The CJEU stated that this would constitute a broad and far-reaching interference with the fundamental rights of practically all EU citizens. The Data Retention Directive was therefore deemed invalid. This position was confirmed by the CJEU in Tele2. However, despite these rulings no domestic repeal of the 2011 Act occurred.

CJEU Ruling

Retention of data

Article 15(1) of the Directive on Privacy and Electronic Communications (Directive 2002/58/EC) (the “Directive”) permits member states to “adopt legislative measures to restrict the scope of the rights and obligations” provided for therein. In interpreting the scope of this exception, the CJEU considered the objective of the Directive. The CJEU reaffirmed the view adopted in La Quadrature du Net that Article 5(1) of the Directive enshrines the principle of confidentiality and prohibition of the storage of data, and concluded that this provision reflected the objective of the legislature. The CJEU held that, when Article 15(1) is read in light of this purpose as well as Articles 7, 8, 11 and 52(2) of the Charter of Fundamental Rights of the European Union (the “Charter”), it is evident that the exception provided therein must be the subject of strict interpretation.

The CJEU noted that the justification limiting the rights established in the Directive must be proportionate to the seriousness of the limitation. In light of this, the CJEU determined that there is a hierarchy amongst the public interest objectives that may justify an interference with rights, and the objective of safeguarding national security exceeds the importance of all others. It is of such importance that it justifies the general and indiscriminate retention of data where the State is confronted with a serious threat to national security which is shown to be genuine, present or foreseeable. The European Commission submitted that particularly serious crimes could be treated in the same manner as national security; however, the CJEU ruled that national threats were distinguishable by their nature and seriousness. Therefore, the CJEU confirmed that EU law precluded the general and indiscriminate retention of data for the purpose of combatting serious crime.

The CJEU referred to La Quadrature du Net and confirmed that, for the purposes of combatting serious crime, EU law does not preclude:

  • The targeted retention of traffic and location data which is limited according to the categories of persons concerned (based on objective and non-discriminatory criteria) or using a geographical criterion for a limited period of time;
  • The general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a limited period of time;
  • The general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and,
  • The expedited retention of traffic and location data in the possession of relevant service providers following a decision of the competent authority that is subject to effective judicial review.

The CJEU noted that these measures must ensure that the retention of data is subject to compliance with the applicable substantive and procedural conditions and that effective safeguards against the risk of abuse are in place.

Accessing data

The CJEU emphasised that access by national authorities to retained data must be subject to a prior review carried out by either a court or an independent administrative body and that the decision of the court must be made following a reasoned request by those authorities. The 2011 Act provides that a member of AGS not below the rank of chief superintendent has the power to carry out a prior review of any request for access, and to request that a service provider disclose any relevant retained data. The Telecommunications Liaison Unit was established within AGS to assist in this task. However, the CJEU determined that this process lacked sufficient independence and impartiality to be compatible with EU law.

Temporal effect

The CJEU determined that the Courts could not limit the temporal effects of the declaration of invalidity. Therefore, it is possible that past convictions which relied on data obtained under the 2011 Act may be appealed. Importantly, however, the CJEU confirmed that the admissibility of evidence obtained under the 2011 Act is a procedural matter for national law, subject to compliance with the principles of equivalence and effectiveness. As such, it is a matter for the Irish Courts to determine, on a case-by-case basis, whether any mobile phone data gathered in respect of any criminal investigation should be admissible, including with regard to Graham Dwyer’s appeal.

Reform

The CJEU’s ruling is a clear reminder that Ireland’s data retention laws are in need of reform. In 2017, former Chief Justice Murray examined Ireland’s laws on data retention and access (the “Murray Report”). The Murray Report concluded that the 2011 Act permitted the universal and indiscriminate retention of data which constituted a breach of EU law, and recommended that the 2011 Act be amended in order to conform to the requirements of EU law as set out in Tele2.

The General Scheme of the Communications (Retention of Data) Bill 2017 (the “Bill”) was published on foot of Digital Rights Ireland, Tele2 and the Murray Report. While the Bill is yet to be finalised, it is likely that, as it is progressed, it will take into account the recent findings of the CJEU in the Dwyer case, in order to ensure that any retention of or access to traffic and location data (to the extent permissible) is done in a manner that is compatible with EU law. It is also probable that the Bill will be progressed as a priority in light of the recent findings by the CJEU and amid any rulings on admissibility of this form of evidence by the Irish Courts.