Editors’ Note: This post is an alternate version of a similar post by the same author that was published on the European Law Blog on 9 March 2020. This version does, however, have a slightly different focus.

Ireland is one of two Member States in the European Union, the other being Poland, where electronic surveillance and in particular access to phone data can be authorised directly by the police without a Court order, but in light of the majority judgment handed down by Irish Supreme Court on 24 February 2020 in Dwyer v The Commissioner of An Garda Síochána & Oths., that may not be the case for much longer.

The legal challenge has been brought by Mr Dwyer, who was tried and convicted of murder in 2012. Part of the evidence used against him in the trial was mobile phone data obtained by the Irish police pursuant to a disclosure request under the Communications (Retention of Data) Act 2011. That Act allows a service provider to retain certain data for up to two years, which data may be disclosed by way of a disclosure request from a member of the Irish police for the prevention, detection, investigation or prosecution of a serious offence.

The Communications (Retention of Data) Act 2011 was enacted to give effect to Directive 2006/24/EC (which amended the earlier Directive 2002/58/EC), however the directive was subsequently declared invalid by the Court of Justice of the European Union in 2014 in the Digital Rights case. Mr Dwyer argues in light of the Digital Rights case and subsequent CJEU case law, that the data obtained and used in evidence against him was incompatible with European Law. If successful in the proceedings, he will challenge the admissibility of illegally obtained evidence in a criminal appeal against his conviction.

Mr Dwyer was successful in the High Court, where Justice O’Connor considered Digital Rights (which invalidated the 2006 Directive) and the later Tele2 case (where the CJEU unequivocally stated the necessity for clear and precise rules in relation to data retention). Justice O’Connor concluded that the Communications (Retention of Data) Act 2011 permitted general or indiscriminate retention of data, which was an inappropriate, unnecessary or disproportionate use of data and was inconsistent with European Law.

The State parties in Dwyer appealed the decision to the Supreme Court in accordance with the expedited leap-frog appeal mechanism. While there are many issues in the case, the parties are essentially in disagreement over the correct interpretation of the conclusion in Tele2 where the CJEU stated that:

“Article 15(1) of [the 2002 Directive], read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.”

The Supreme Court has not finalised the exact terms of three questions to be referred but has stated that they will be raising the three following points:

1) Whether a system of universal retention of certain types of metadata for a fixed period of time is ever permissible, irrespective of how robust any regime may be for allowing access to such data;

2) The criteria whereby an assessment can be made about whether any “access regime” to such data can be found to be sufficiently independent and robust;

3) Whether a national court, should it find that national data retention and access legislation is inconsistent with European Union law, can decide that the national law in question should not be regarded as having been invalid at all times but rather can determine invalidity to be prospective only.

The separate questions raised by the Supreme Court at points 1 and 3 are interesting as they demonstrate that the Supreme Court is cautiously seeking clarity as to how best to limit the effect of the judgment to past and present criminal investigations that rely on data retention. On the first point, the Supreme Court noted that while the retention is limited as to the type of data which is retained and is limited as to the time for which it can be retained (two years), the data retained is not limited or targeted by reference to persons or locations etc. In that sense, the retention of the data is universal. The Supreme Court categorically stated that the universal retention was not incompatible with European Union law because of the evidence tendered that the investigation and prosecution of serious crimes, not least those against women, children and vulnerable persons, would, in many cases, be impossible without access to such data. The Chief Justice added that it would be unworkable if the Irish system was not allowed to operate universal data retention and it would be at odds with Irish constitutional values.

If the CJEU finds on the first point that universal data retention is permissible this would bring the Court to the main issue at point 2, which is whether the current Irish system and its particular implementation of universal data retention is compatible with European Law. It is clear that the Supreme Court in its majority judgment was not satisfied that the Irish regime and the lack of an access regime or independent review under the disclosure request provision of the Communications (Retention of Data) Act 2011, currently conformed with the conclusions reached in CJEU case law. It held that “there must be a particularly robust access system in place” including an independent prior permission given for such access. Under the current regime, the permission is granted by a separate unit within the police force and does not involve any application to a Court. The Supreme Court doubted that this constituted a sufficient independent review.

The Dwyer case comes at a time when data retention is in sharp focus across the European Union. While Charleton J argued in his dissenting judgment of the Supreme Court that data retention for criminal prosecutions was purely a national issue, there are currently two judgments pending before the CJEU seeking clarification on general and indiscriminate data retention according to Article 15(1) of the 2002 Directive. The Council of the European Union published a comprehensive report last year outlining the status of legislation on data retention in each Member State. Europol has also released various working papers concerning the data retention regime that currently applies in each Member State and stated that a comprehensive European legislative framework is required. Furthermore, it was reported by Privacy International, that as of 2017, Croatia, Cyprus, Czech Republic, France, Ireland, Poland, Bulgaria, Portugal and Spain had not changed their national law and were still operating their pre Digital Rights regime giving effect to the now invalid 2006 Directive. Based on this report some Member States, including Cyprus, Portugal and Slovakia, have deemed that their general data retention is compatible with the Digital Rights and Tele2 judgments because it allows for a judicial control mechanism (often in the form of a Court order) for access to the retained data. There are also Member States such as Austria who have introduced a “quick freeze” data retention system. In the Dwyer case itself the State parties have submitted that following the guiding principle of proportionality, general data retention is not unlawful and access protections have to be considered objectively. Submissions on behalf of Mr Dwyer argued to the contrary that the level of data retention under the Irish system is so wide it is impermissible but, if the Court held that level to be permissible in principle, there must be “robust” data access safeguards such as those that exist in other Member States.

The ramifications that Dwyer could have for the universal retention of data in other Member States are vast. At national level, an amendment to the Communications (Retention of Data) Act 2011 to include the implementation of a judicial access scheme could be sufficient to bring the Irish legislation in line with the other Member States and to be compatible with European Law. The Irish government is currently revising a Communications (Data Retention and Disclosure) Bill that would repeal the 2011 Act. At the European level, it appears that legislation may be required to lay down clearer and more precise rules and to balance the diverging data retention systems currently in place across the Union. At this juncture, it is unclear whether the CJEU will be able to assist sufficiently beyond what it has previously stated in its past and pending jurisprudence or whether the answers in the Dwyer case will offer some guidance as to how best to strike a balance between the interaction of privacy rights with the need to tackle serious crime.

Oonagh O’Sullivan, Barrister, The Bar of Ireland

Suggested citation: Oonagh O’Sullivan, ‘Data retention – Irish Case to Test the Limits of European Law’ IACL-IADC Blog (7 March 2020) https://blog-iacl-aidc.org/2020-posts/2020/4/7/data-retention-irish-case-to-test-the-limits-of-european-law