Cavalier approach to data retention is long-standing

Karlin Lillington: State has never addressed data retention in a timely way, in 20 years

This week, in a long-awaited judgment in the Graham Dwyer challenge to the State's use of data retention in his murder case, the Irish Supreme Court decided to refer several questions to the European Court of Justice (ECJ) for review.

The court stated it needed the ECJ to clarify some complex points within the ECJ's landmark 2014 decision to invalidate the EU Data Retention Directive.

Data retention refers to the storage of communications metadata – revealing phone, text, email and internet data that discloses minute detail about communications, but not the content of such data.

The Dwyer challenge contends that metadata obtained by the Garda in the case was gathered unlawfully, because the State has never responded to the 2014 ECJ ruling, referred to as the DRI (Digital Rights Ireland) decision because DRI had taken a case years earlier against the Irish State. In it, DRI argued the State had failed to bring in data retention legislation that had adequate oversight or protection against State overreach, thus failing to properly safeguard citizens’ guaranteed rights under the Charter of Fundamental Rights of the EU.


I will not touch on the appeal, a live case. But I will offer some insight into the State’s long-standing cavalier approach to data retention – a stance that ultimately resulted in the ECJ’s DRI decision – because I covered that story for years.

Much of that investigative work became part of DRI’s evidence, and underlies the 2014 decision (which in turn laid a foundation for the ECJ’s far-reaching Schrems decision, by affirming the legal significance of the Charter).

My experience illustrates how arbitrary the State’s actions have been on data retention.

Data storage

My involvement began with a story in 2001, which revealed Irish mobile companies were storing data for about six years (it should have been six months), for disputed bills, they said.

The Data Protection Commissioner’s office was concerned, and the Irish Council for Civil Liberties was equally perturbed.

The story launched a standoff between then data protection commissioner Joe Meade, the government, and telecoms companies.

Almost a year after I wrote that first piece, I learned that a group of privacy advocates in Finland had obtained a secret Council of Justice Ministers survey, revealing that the Republic, under then-minister for justice Michael McDowell, was planning to introduce data retention of at least three years, and to expand the types of data retained. Yet, to a question asking if the law enforcement work had been affected by not having data retention, the Department of Justice replied "no".

The government also said it hadn’t consulted with the telecoms industry because the industry was already co-operative in releasing data needed for investigations – outside any laws at all.

McDowell then convened a stakeholder meeting in 2003.

In a submission, Meade disclosed the existence of a secret cabinet order for the retention of call data for three years, guaranteeing ongoing data collection and Garda access in the existing legal vacuum. McDowell had opaquely mentioned this in the forum, which meant cabinet-privileged information was now in the public domain. I wrote a story to this effect.

These details would eventually form a key part of the argument against data retention when it went before the ECJ.

Further FOI documents showed Meade questioned the constitutional validity of bringing in what was, in effect, national surveillance (a description the ECJ would eventually use for data retention), through a secret cabinet order.

Aggressive data protection laws

In early 2005, Ireland got one of the most aggressive data retention laws in the world, when McDowell introduced a small amendment to the Criminal Justice (Terrorist Offences) Bill in its final stages of discussion, mandating a three-year retention period.

This random incident, too, would form part of the case presented to the ECJ.

"Serious crime", as the next data protection commissioner, Billy Hawkes, would note, was now so flexibly defined that it would allow data access for the "serious crime" of cycling without a bicycle light.

After threats from the EU, that legislation was updated only in 2011, to include the EU 2006 Data Retention Directive.

That directive was invalidated by the ECJ in 2014, largely on DRI’s evidence of the inconsistent, non-transparent, arbitrary approach to data retention by the Irish government. That was six years ago, but the government still hasn’t enacted fresh legislation to address the invalidation, even though many warned for years that questions would inevitably be raised about convictions obtained using data gathered in this new vacuum.

Now, the State is resurfacing arguments that it needs long-term access to communications data to tackle “serious crime”, and that this should allow it to bypass elements of the 2014 ECJ decision.

Yet it has been so lackadaisical and disinterested on this supposedly critical policing issue, that it has never addressed data retention in a timely way, in 20 years.

Its broad and largely empty assertions, which have never been matched with any urgency to meet legal obligations to balance access with oversight and protections, must continue to be interrogated by the media, the public and ultimately, national and EU courts.