Concern over Graham Dwyer phone records case a crisis of State’s own making
Net Results: Government has known data retention framework is unlawful for years
State faces European court setback over use of mobile phone records in Graham Dwyer case. Photograph: Cyril Byrne
Apparently, the Government has suddenly grown concerned that it will lose a case which the Supreme Court referred to the European Court of Justice (ECJ), regarding the use of mobile phone data for the 2015 conviction of Graham Dwyer in the 2012 murder of childcare worker Elaine O’Hara.
And apparently, this concern has arisen because the ECJ recently ruled in two other cases that mobile records retained and used outside the time period and protections outlined in its 2014 landmark Digital Rights Ireland (DRI) decision are impermissible in court.
It first needs to be said that no one can state whether a Dwyer appeal will stand or fail solely on this mobile phone data. This was a multifaceted case, with a range of evidence obtained in various ways.
But it must also be said that the State’s suggestion that the problem is the actual DRI ruling – in which the ECJ threw out the 2011 EU Data Retention Directive – or the two recent court rulings, is ridiculous.
The true problem is the State’s refusal to implement this decision, and comply with the DRI ruling, in the subsequent six years. By failing to do so, it has not only jeopardised a conviction in this one case, but potentially, also in every single other case since in which mobile records have been used.
That’s because Ireland has no compliant legislation guiding how the Garda and other services may access such records lawfully. So even if records were being retained for, say, six months, as is lawful under the DRI decision, there’s no updated legislation to permit access to it.
It’s ludicrous, not least because the DRI case was not about Lithuania’s or Finland’s or France’s data retention system, but explicitly about the Irish government’s implementation of data retention under the EU Data Retention Directive.
As data consultant Daragh O Brien tweeted this week: “Odd that the State is presenting this problem as a new thing arising from new cases at Original case was in 2014. From Ireland. State chose to ignore it and amend legislation accordingly.”
TJ McIntyre, chair of DRI, told me: “DRI warned that Ireland’s legislation would be struck down as far back as 2005 and that the current situation is the natural consequence of ignoring European law.” In 2006, DRI launched the domestic cases against data retention in Ireland that led to the ECJ ruling.
McIntyre points towards a blog post he wrote in 2015, observing that “data retention laws were struck down in Germany, Bulgaria and Romania by 2010. Successive Irish ministers knew that the law was dubious, failed to act and now have questions to answer.”
The Department of Justice needed to amend legislation to make it compliant with the ECJ ruling, a senior department official acknowledged in a 2017 Oireachtas hearing that followed the issuance of the 2017 Murray Report on data retention. He specifically noted the issues around obtaining and using retained data.
In testimony at the same hearing, DRI solicitor Simon McGarr of McGarr Solicitors noted that rulings from the ECJ are binding on Ireland. The State’s argument that the court does not make decisions on domestic law fails to recognise that nonetheless a domestic law fails if it is in contravention of EU law, he said.
He described the State’s failure to implement the DRI case, and ensure its data retention laws were compliant, as “a crisis”, not just because it was a continuing violation of Irish citizen rights, but “also because there will be . . . risk that prosecutions that would otherwise be successful could face challenge”. This warning is also implied in Murray’s 187-page report.
So don’t believe the State’s arguments that these worries have only recently arisen. Or that the DRI decision means EU policing is under threat. I spent years reporting on EU-wide data retention and prior to the DRI decision, numerous states, including Ireland, failed to produce evidence that they’d ever needed or used data retained for longer than six months to obtain a conviction.
The ECJ overturned an entire EU Directive in 2014 on evidence of the irrationality, lack of proportionality, inadequate oversight, and human rights violations within the existing Irish data retention regime. For years, the government has known that its data retention framework is unlawful.
That it has failed to amend it since 2014 is beyond appalling. That negligence risks not just one high profile criminal conviction, but many others that – as McGarr presciently noted three years ago – “would otherwise be successful”.
The State is in a crisis of its own making.