Subscriber OnlyTechnology

Graham Dwyer ruling a reminder Ireland lives in a data rights Groundhog Day

Karlin Lillington: We just go round and round failing to address serious data issues

Ireland lives in a perpetual data rights Groundhog Day. The European Court of Justice (ECJ) ruling this week that phone data was wrongly gathered as evidence in the trial of convicted murderer Graham Dwyer, was a headlining reminder of this sad truth.

We just go round and round, rarely addressing serious issues highlighted by a succession of data protection commissioners over two decades. Even more ridiculous, the State has wilfully ignored rulings that directly affect Ireland, even when they have come from Europe’s highest court.

Ireland has instead chosen to go its merry way and appeal to an imaginary court of magical thinking, one in which interpretations of legislation are whatever Ireland wants them to be.

The State has skipped along, initially ignoring European data protection and privacy rights already in place in the 1990s. Threatened for long enough by various data protection commissioners, it eventually enacted its own legislation, and encouraged the same from EU politicians (see the now-overturned Data Retention Directive 2006) to give added heft to its own legislative interpretations.

Landmark decision

Yet the overturning of the 2006 directive occurred through a challenge brought against the Irish State by data rights group Digital Rights Ireland in a landmark 2014 ECJ decision. And for the exasperating twist: even though a specifically Irish challenge to the Irish implementation of an EU data retention directive that Ireland campaigned for, ultimately resulted in the overturning by the court of that specific directive (eight years ago to the month) – Ireland's data retention legislation remains exactly the same. It is still the 2011 law, reliant on the invalidated 2006 directive.

The State has never, in eight years, adjusted its own data retention laws, despite having been at the very centre of this important decision that in turn shaped the General Data Protection Regulation (GDPR), and is the basis for other major ECJ decisions, such as both Schrems decisions on transatlantic date transfers.

Lots of us warned for years that this conceivably could happen due to Ireland's failure to recognise the 2014 DRI decision

The two Schrems decisions invalidated two monumental transatlantic data transfer agreements. But still, the Irish government didn’t take the hint that handling data post the DRI case required serious re-evaluation, and wasn’t overly worried about adjusting its own data retention legislation, much of which now had, like the data transfer agreements, no adequate basis in law.

No surprise

And thus, to absolutely no surprise, the ECJ this week said what so many data protection and privacy experts had been saying for years (and which, stuck in my own personal Groundhog Day, I wrote about in this column many times). It stated that the type of indiscriminate retention of data that Ireland relied upon for evidence for the Dwyer case was not permissible under EU law post the DRI decision.

Minister for Justice Helen McEntee said this week’s ECJ decision would now “bring clarity”, but if anyone in the department had read the DRI decision in 2014 it was clear enough.

In 2014, the court found that the scope of data retention in the 2006 directive “entails a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data” and “entails an interference with the fundamental rights of practically the entire European population.”

It pinpointed the need for better oversight and transparency, for clarity in retaining and accessing data, for shorter retention periods, and for a right of redress for citizens wrongly surveilled. Much of the evidence in this decision was based on the identified weaknesses, overreach and illogicality of Ireland’s approach to retention. I know this all too well, because I wrote a number of the investigative stories on Irish data retention put before the court as evidence by Digital Rights Ireland.

Now, some are claiming law enforcement across the EU will not be able to conduct effective investigations and that many convictions could be overturned by the ECJ decision, including Dwyer’s (well, hello: lots of us warned for years that this conceivably could happen due to Ireland’s failure to recognise the 2014 DRI decision).

Expert barristers

However, expert barristers in criminal law across Ireland have stated they do not expect the decision to personally benefit Dwyer and probably not any convictions in other cases. They also note the ECJ made clear that national courts may consider the context of national laws and the ECJ even helpfully listed a range of ways in which national laws might be adjusted so that data may be gathered and utilised for investigations in a compliant way.

But don’t forget: European law enforcement agencies and governments have been quite aware of the DRI ruling for eight years. In the time since, many states changed their laws to comply with the DRI ruling. The laggards – including, at last, us – will now have to do the same.

And as senior counsel and experienced criminal prosecutor Brendan Grehan noted this week: "I don't believe it's the end of civilisation as we know it."