Ireland has been at the centre of the debate surrounding data retention since its infancy in EU law. As technology continues to evolve, so do the ways in which we communicate, conversations in social groups have been replaced with electronic communications and people are constantly connected to some online environment in some way. With this changing of social and human activity comes changes to security and the law, which in this case comes in the form of data retention. This retention of telecommunications data by service providers is in the news once again as the Graham Dwyer saga continues to unfold, as well as new laws on data retention coming into force this year which have been subject to opposition. So, in order to assess the current amendments to Ireland’s system we should also unpack how we got here.
The path to data retention in the EU
Data retention isn’t a new development, in fact it was used in Ireland during the days of state-owned Telecom Éireann. What we know of data retention now finds its start in the 2006 Data Retention Directive which obliged member states to implement regimes that require telecommunication service providers to retain traffic and location metadata on a general and indiscriminate basis, which would then be accessed for investigation of criminal matters or threats to national security. The Directive was immediately controversial with action for annulment taken by Ireland on the basis that it was not adopted on an appropriate legal basis. This controversy remained as the Directive was implemented into national law.
This came to a head in Digital Rights Ireland where the overwhelming concerns of state surveillance and interferences with privacy led to the Directive being tossed out entirely. So where does that leave the law? Well essentially the judgement left the laws on data retention in a position where the CJEU becomes responsible to charting the course of retention and ensuring protection for privacy against increasing state security. Retention is still permitted in EU law but under uncertain terms. The e-Privacy Directive which also applies to telecommunications providers allows for in Article 15(1) the restriction of privacy rights where proportionate for the purposes of national defence, security and criminal investigations.
The next crop of cases before the CJEU on this issue concerns to what extent states can actually carve out retention within this exception. This was the case in Tele2 Sverige where a Swedish service provider challenged Sweden on imposing a general retention duty. The main argument against retention is that metadata, such as traffic and location data, can reveal things about a person and may lead individuals to have the perception of near constant government surveillance. Article 15(1) of the e-Privacy Directive demands a strict application of proportionality and the CJEU noted this and that national legislation which provides for general and indiscriminate retention goes beyond with is strictly necessary in a democratic society and that 15(1) is supposed to be the exception rather than the rule. This invalidated the Swedish regime of general and indiscriminate data retention, however the court left the door open to retention in some form in its judgement, allowing for “legislation permitting, as a preventive measure, the targeted retention of traffic and location data, for the purpose of fighting serious crime, provided that the retention of data is limited, with respect to the categories of data to be retained, the means of communication affected, the persons concerned and the retention period adopted, to what is strictly necessary”, as well as the potential of access to data of other persons in instances of national security. Here we see a trend develop, namely that while general and indiscriminate schemes of data retention are a disproportionate interference with rights, targeted forms of retention, if they comply with requirements of notification and a high level of judicial safeguards, may be permissible to fight serious crime.
What was Ireland’s system of data retention?
Ireland’s system of data retention in line with the Data Retention Directive came in the form of the Communications (Retention of Data) Act 2011. Under Article 3 of this act, service providers shall retain metadata for a period of 2 years on a general and indiscriminate basis and under Article 6 this data can then be disclosed and accessed by a member of an Garda Síochána not below chief superintendent, an officer of the defence forces not below colonel or an officer of the Revenue Commissioners not below the rank of principal officer. Despite a legislative review in light of the result of Digital Rights Ireland, the act remained unchanged and in force. This was the case until 2017 when Digital Rights Ireland took an application to the High Court to refer a question to the CJEU concerning the adequacy of the 2011 act in light of the judgement in Tele2 stating that mass retention of data is prohibited and the Irish regime was beyond what was strictly necessary in a democratic society, furthermore DRI took issue with access to data not being overseen by an independent judicial or administrative authority. This application was dismissed as the High Court was not satisfied that a preliminary reference was required.
The Irish data retention case
The case of Dwyer v Commissioner of An Garda Síochána & Others is the most important challenge to the 2011 act. This case of course surrounds the murder of Elaine O’Hara and her relationship with Graham Dwyer. Using location data from mobile phones recovered from a reservoir over a year after her disappearance, Dwyer was identified as a suspect. Dwyer was convicted and sentenced after a prolonged trial. Dwyer appeals this judgement on the grounds that the 2011 act was invalid based on it being based on the defunct Data Retention Directive and it being incompatible with the situation post Tele2. This would be in line with other post Tele2 judgements such as Ordre des barreaux francophones et Germanophone & Others which restates general and indiscriminate retention regimes for serious crime is precluded by EU law. The court very much continued this reasoning and stated that serious crime could not be treated in the same way as national security, which can justify a higher degree of interference with privacy rights. The court went on to state that for crime, the following measures are permissible: the targeted retention of traffic or location data on the basis of persons concerned or by means of geographic criterion, general and indiscriminate retention of IP addresses, general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems, as well as quick freeze of traffic and location data in possession of service providers. Furthermore access to retained data must be authorised by a court or independent administrative body, in the case of Dwyer, a member of An Garda Síochána, even if chief superintendent, does not constitute a court and does not have all the guarantees of impartiality to make such an authorisation.
The new Irish data retention bill
On 21 June 2022, the Minister for Justice published the general scheme of the Communications (Retention of Data) (Amendment) Bill 2022 in response to the CJEU’s ruling in Dwyer. This provides for a system of preservation and production orders for both national security and serious crime when authorised by judicial authority, this already raises some eyebrows as in the Dwyer judgment it was stated that national authorities competent to undertake criminal investigations should not be able to access data retained for national security purposes as this would deprive the prohibition of bulk retention for serious crime of all effectiveness. Furthermore, it was stated in Wayne Cooney case in July 2022 that the judgement in Dwyer does invalidate the evidence obtained on Cooney through data retention, this is reflected in the transitional provision of the 2022 bill which seeks to allow for the accessing of data retained before the act comes into force.
This act has already come under scrutiny from the European Commission for Ireland failing to submit it to the Technical Regulation Information System process, which would make it inapplicable in its current state. It has also come under scrutiny from the ICCL and DRI groups for being rushed through the Oireachtas , failing to provide an adequate oversight mechanism, having no judicial remedies, potentially providing indefinite data retention on a rolling basis and attempting to retrospectively validate previous illegal data retention. Simply put, this new legislation does not comply with the current approach of the CJEU and the comments from Hunt J in the Wayne Cooney case were misguided, it seems that this legislation may be an attempt to avoid another Dwyer-like appeal rather than an attempt to implement a new regime of compliant data retention for crime in Ireland.
It seems that Ireland is stuck in the afterlife of the Data Retention Directive and like the rest of Europe, is having difficulty shedding its legacy. There is path for reform in the new European e-Privacy Regulation which makes explicit references to new procedures and exceptions for retention and the scope of EU law but it appears that this reform is still far off with numerous drafts and amendments exchanged between the co-legislators of Europe. Overall, it seems that the road ahead has shifted from a case of if we should have data retention, to a case of what should data retention look like, and Ireland has always been and will continue to be central to this question.