The Court of Justice of the European Union (“CJEU”) has confirmed that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime. The CJEU has also found that the Irish court cannot impose a temporal limit on the effect of a declaration of invalidity of national law that provides for such retention. This effectively means that the Irish courts cannot limit the declaration of invalidity to future cases only, and that it applies retrospectively, benefitting cases like Dwyer’s.
This case arose as a result of a referral from Ireland’s Supreme Court in February 2020. Following a criminal conviction for murder, Mr Graham Dwyer argued that the trial court had incorrectly admitted traffic and location data relating to phone calls as evidence under the Communications (Retention of Data) Act 2011 (the “Data Retention Act”). Mr Dwyer appealed against his conviction, seeking a declaration of incompatibility of the Data Retention Act with EU law, the Charter and the ECHR. His appeal was upheld by the Irish High Court, and the State subsequently appealed the decision to the Supreme Court. The Supreme Court ultimately referred the matter to the CJEU.
Background
The Data Retention Act has long been the subject of criticism as it has continued to operate without modification, notwithstanding that the Data Retention Directive 2006/24/EC was declared invalid by the CJEU in Digital Rights Ireland[1] in 2014, on the grounds that the general obligation for service providers to retain all subscriber, traffic and location data was not limited to what was strictly necessary, and entailed an interference with the fundamental rights of “practically the entire European population”. The Data Retention Act gave effect to the Data Retention Directive. Once the Directive was declared invalid, the question arose as to whether national laws providing for the retention of data and access to that data by policy and security authorities fell within the scope of EU. This was answered by the CJEU in Tele2[2] in 2016.
In Tele2, the CJEU confirmed that Article 15(1) of the ePrivacy Directive 2002/58/EC precludes national legislation which provides for the general and indiscriminate retention of traffic and location data of all subscribers and users. However it is open to Member States to adopt legislation for the targeted retention of such data for the purpose of combating serious crime, provided such retention is limited to what is strictly necessary, and access by national authorities to the retained data is subject to conditions, including prior review by a court or independent authority, and the data is retained within the EU. It is notable that other Member States launched the process for amending the national data retention legislation shortly after the CJEU ruling in Digital Rights Ireland (eg, the UK Data Retention and Investigatory Powers Act 2014 was adopted only three months after the CJEU ruling).
In light of these rulings, and following media reports about access to telephone records of journalists, the Government commissioned a former Chief Justice John Murray to undertake a review of Ireland’s data laws on the retention and access to communications data (the “Murray Report”). The Murray Report criticised many aspects of the Data Retention Act, confirming that it was incompatible with EU law, and recommended a number of changes to the current legal framework in light of the Tele2 judgment.
In 2017, the government published the General Scheme of the Communications (Retention of Data) Bill 2017 (the “Bill”), to take account of the Tele2 judgment, and Mr Justice Murray’s recommendations. A Report on pre-legislative scrutiny of the Bill was published in January 2018, and the Bill was scheduled in the priority list for enactment in 2018. However the Bill has yet to be introduced at the Houses of the Oireachtas. The Bill remains on the Government’s legisiative agenda (see the Government’s Spring Legislative Programme 2022). The Bill is expected to take account of evolving jurisprudence in this area, in particular the most recent CJEU ruling in Dwyer.
CJEU Ruling in Dwyer
The CJEU confirmed that EU law (in particular Article 15(1) of the ePrivacy Directive) precludes national legislative measures which provide, as a preventative measure, for the general and indiscriminate retention of traffic and location data relating to electronic communications, for the purposes of combating serious crime.
The CJEU noted that while Article 15(1) of the ePrivacy Directive “permits member states to adopt legislative measures that restrict the scope of the rights and obligations laid down inter alia in Articles 5, 6 and 9 of that Directive, such as those arising from the principles of confidentiality of communications and the prohibition on storing related data … that provision provides for an exception to the general rule … and must thus, in accordance with settled case law, be the subject of a strict interpretation”.
The Court rejected arguments that serious crime could be treated the same as a threat to national security, which is genuine and current or foreseeable, and could for a limited time, justify the general and indiscriminate retention of metadata.
The CJEU stated that, as regards the public interest objectives that may justify a legislative measure taken pursuant to Article 15(1) of the ePrivacy Directive, it is clear from CJEU case-law that there is a hierarchy amongst those objectives according to their respective importance, and that the importance of the objective pursued by such a measure must be proportionate to the seriousness of the interference that it entails. In that regard, the CJEU has held[3] that the importance of the objective of safeguarding ‘national security’ exceeds that of the other objectives, including the objectives of ‘combating serious crime’. Subject to meeting the other requirements laid down in Article 52(1) of the Charter, the objective of safeguarding national security is therefore capable of justifying measures entailing more serious interferences with fundamental rights than those which might be justified by the objective of combating serious crime.
The CJEU highlighted that EU law does not preclude legislative measures that provide for the purposes of combating serious crime . In that respect, the CJEU referred to previous case-law, which found that national legislative measures may, in particular, provide for:
- the targeted retention of traffic and location data which is limited, according to the categories of persons concerned or using a geographical criterion, for a limited period of time;
- the general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a limited period of time;
- the general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and
- recourse to an instruction requiring providers of electronic communication services, by means of a decision of the competent authority that is subject to judicial review, to undertake for a specified period, the expedited retention (ie, a ‘quick freeze’) of traffic and location data in the possession of those service providers.
However, the CJEU stressed that such legislative measures must ensure, that the retention the data at issue is subject to compliance with applicable procedural conditions, and that the persons concerned have effective safeguards against the risks of abuse.
The CJEU further held that any requests for access to the retained data by competent national authorities must be subject to a prior review, carried out either by a court or by an independent administrative body, and that a review decision must be preceded by the proper requesting procedure. The CJEU noted that the Data Retention Act assigns to a police officer, whose rank is not below that of chief superintendent, the power to carry out a prior review of requests for access to data issued by the police investigation services and to request the providers of electronic communications services to transmit the data that they retain to those services. The CJEU ruled that, to the extent that that officer does not have the status of a third party in relation to those services, he or she does not possess the necessary independence and impartiality required, and cannot stand in for the requisite court or independent body in such cases.
Similarly, the Murray Report criticised the lack of independent vetting and authorisation of access requests made by statutory bodies and recommended that all requests for disclosure of retained data should be evaluated in accordance with the principle of proportionality and subject to authorisation by a judge or independent authority.
The CJEU further ruled that a national court may not impose a temporal limitation on the effects of a declaration of invalidity of a national law that provides for such retention. This means the Irish Supreme Court cannot apply this ruling for future cases only.
Outcome for Dwyer
Dwyer’s substantial appeal against his conviction will be decided in Ireland’s Court of Appeal, while the matter on the admissibility of metadata evidence will now be referred back to the Supreme Court. It is expected that the decision will have implications for the investigation of crime across the EU.
As the CJEU made clear, the admissibility of evidence is a matter for national law subject to the principles of equivalence and effectiveness. The Supreme Court will decide whether the retained data should have been admitted in trial. In doing so, it will take into account the principles of EU law and consider whether Dwyer was prejudiced by unfairly obtained evidence and whether that affected his right to a fair trial. The Supreme Court will also refer to its previous ruling in DPP v JC[4], where it held that evidence gathered unconstitutionally or in breach of rights is not per se excluded. Rather its exclusion is considered on a case-by-case basis, turning on whether the breach was ‘conscious and deliberate’ (ie, whether the authorities gathering the evidence knew or ought to have known that they were acting in breach of rights). The same rule will likely to apply to breaches of EU law rights.
It seems likely that the State will argue that, given the uncertainty surrounding the data retention regimes at the time, it did not know that the retention and access of data was in breach of EU rights and the ePrivacy Directive. Dwyer on the other hand, will likely argue that, given the uncertainty, the State should have known that it was.
Legal Consequences for Member States
The CJEU ruling is the latest in the growing list of judgments against Ireland for failing to update its national policies and laws on privacy and data retention after the landmark rulings in Digital Rights Ireland, Tele2 and DPP v JC. Ireland’s Minister for Justice, Helen McEntee TD expects that “the Supreme Court’s judgment will bring clarity in this important area to inform the necessary legislation, thus supporting to the greatest degree possible the work of An Garda Síochána to tackle crime and carry out effective investigations.”
In the meantime, the CJEU reiterated that ‘quick freeze’ of traffic and location data, which is limited according to the categories of persons concerned or using a geographical criterion for a limited period of time, is permissible and is expected to assist the Garda in investigating serious crimes or matters of national security. It has been reported that a ‘quick freeze’ would apply only to serious crimes, however draft legislation detailing the process is yet to be published.
The ruling has been highly anticipated by other Member States that may be retaining data on similar grounds. France’s highest administrative court, Conseil d'Etat, ruled in April 2021 that the requirement that telecommunications operators must retain all user connection data for one year for the purposes of intelligence and criminal investigations currently imposed on operators by French law is justified by a threat to national security. The ruling thus legitimised the use of data that was collected as part of a larger threat to national security. This practice may need to be reconsidered in light of the CJEU decision.
Data Retention in Criminal Investigations
The CJEU’s decision is a reminder that reform of Irish data retention laws are long overdue. Now that the State have further confirmation of the permissible scope of national laws relating to the retention of traffic and location data for the purposes of combating serious crime, it will likely progress implementation of the Data Retention Bill.
[1] Digital Rights Ireland Ltd v Minister for Communications, Marine and Natural Resources and Others; Kärntner Landesregierung, Seitlinger, Tscholl and Others: Joined Cases C-293/12 and C-594/12, available here.
[2] Tele2 Sverige AB v Post- och telestyrelsen; Secretary of State for the Home Department v Watson: Joined cases C-203/15 and C-698/15, available here.
[3] La Quadrature du Net and Others, Joined cases C‑511/18, C‑512/18 and C‑520/18, available here.
[4] DPP v JC [2015] IESC 31, available here.