Subscriber OnlyTechnology

Graham Dwyer case: Government arrogantly ignored European Court of Justice ruling from 2014

Net Results: In light of phone data case Ireland has a cheek telling UK to abide by ECJ

Many people are angry about the dramatic but predictable guidance opinion issued by the European Court of Justice's advocate general on the Graham Dwyer case last week. But most people are angry about the wrong aspects of the case, which was referred from the Irish Supreme Court. Despite what the State and law enforcement would have you believe, this case is not about a supposedly desperate need to require communications companies to hold years of call data to adequately fight serious crime or terrorism.

Rather, it's about the arrogance of successive Irish governments inexplicably ignoring a landmark ECJ ruling from 2014. It's about them failing to transpose this decision, which they knew risked invalidating years of criminal convictions, and of choosing to disregard Europe's highest court in the hope of – what? That its ruling would go away? And yet, in Brexit negotiations, Irish Government Ministers are telling the UK that it must respect the ECJ's authority.

The guidance, which almost always becomes the full court’s ruling, relates to convicted murderer Graham Dwyer’s challenge to the validity of evidence used in his trial, which utilised mobile phone location data retained for longer than allowed by EU law. In 2014 the ECJ had invalidated the 2006 Data Retention Directive, the basis of Ireland’s still-unchanged law.

That 2014 ruling was the result of a case taken against Ireland by advocacy group Digital Rights Ireland, over the long retention periods, weak oversight, and too-broad access to retained data that were (again) criticised last week by the advocate general.

READ MORE

Callous disregard

The State appears perturbed to find that it cannot use mobile data as it did under a directive written 15 years ago, and invalidated for longer than it was in place. But successive Irish governments deliberately chose to ignore the invalidation and failed to create a fit-for-purpose Irish law, thus putting convictions at risk – a callous disregard for the safety of the population. It is especially important to question the wider EU state and law enforcement narrative that the ability to prosecute and convict criminals and terrorists is at grave risk without the ability to access years of retained mobile data. The evidence is simply not there – just as it wasn’t 20 years ago when I first disclosed that Irish mobile operators were illegally retaining seven years of call data and that Ireland lacked a valid, EU-compliant system to allow lawful access.

This story and many that followed, would ultimately become part of the evidence for the ECJ’s Digital Rights Ireland decision. Over the next decade, through Freedom of Information requests, whistleblowers’ leaked documents and interviews, I showed that the Irish government had implemented a scattershot, legally dubious, poorly implemented data retention programme tilted against human rights.

For example, at the time it started arguing for data retention up to seven years, the Department of Justice noted in a leaked EU document that it could not name a single prosecution that had failed due to the lack of a data retention system.

In one letter obtained via Freedom of Information, the Department of Communications pointed out to the Department of Justice – then pushing for three years of retention – that it found no “particular justification for this period or any statistical information that would indicate this to be the optimum period based on previous experience of gardaí in investigations”. Meanwhile, the Garda was asking for seven years’ retention, without supporting evidence.

Little evidence

You might say that was then, and this is now. But there's still little evidence for the practical utility of bulk collection of call data. In the US a federal watchdog told Congress that a controversial National Security Agency (NSA) programme that allowed the NSA to retain hundreds of millions of calls and texts from Americans annually, and cost $100 million during 2015-2019, led to only one significant investigation. One.

In 2018 alone the NSA gathered detailed records for 434 million calls involving 19 million numbers, but got only 14 court orders. However, the watchdog noted that traditional means for obtaining data, such as subpoenas (the approach supported in the Digital Rights Ireland decision) remain useful.

In the Irish decision, the ECJ recognised the importance of call records for fighting serious crime, but outlined the sensitivity of such records, which can disclose such detailed elements of people’s daily lives that extensive storage of a population’s records amounted to mass surveillance on a breathtaking scale.

Endless examples of abuses of such databases exist, for snooping, stalking, harassment and more. In one major recent case in Australia, a police agency was found to have complied with data access laws only nine times out of 1,713 instances, potentially putting past prosecutions at risk, and also to have engaged in random database "fishing expeditions".

So don’t be misled. The ECJ’s 2014 decision recognised and protected key EU human rights and placed important proportionality restrictions on retaining and accessing data. That Irish governments chose to ignore it, demonstrating a disregard for human rights while endangering its own criminal justice system – that’s what should infuriate us all.