New law to ‘fix’ impact of Graham Dwyer’s phone-data case ‘could face legal challenge’

District Court will need an estimated four days a week to hear Garda applications to retain/access phone metadata

A new law intended to minimise the impact on serious crime investigations of jailed murderer Graham Dwyer’s successful challenge to Ireland’s regime for retaining and accessing mobile phone metadata could face legal challenge, a data protection and privacy law expert has warned.

The legislation, signed into law by the President last December and expected to come into operation within months, could face challenge from the European Commission, telecommunications companies and/or data privacy campaigners, according to senior counsel Ronan Lupton.

Dwyer’s High Court data case arose because mobile phone metadata linking his work phones to other phones and text messages formed part of the prosecution case against him during his trial for the 2015 murder of childcare worker Elaine O’Hara.

The upholding of his challenge over how that data was retained and accessed by gardaí was among the grounds of Dwyer’s separate appeal against his murder conviction, on which judgment is due on March 24th.


As a result of the Court of Justice of the EU (CJEU) ruling in favour of Dwyer’s data challenge, applications to retain and access mobile phone traffic and location data must be made to an independent court or tribunal rather than the previous situation where they could be approved by a senior Garda.

Due to the volume of such applications, the time required for the District Court to deal with such applications has been estimated as the equivalent of one judge sitting four full days each week.

The Communications (Retention of Data) Act 2022 – under which the applications will be made – was enacted to amend the Communications (Retention of Data) Act 2011 after the CJEU upheld Dwyer’s argument that provisions of the 2011 Act breached EU law because they permitted general and indiscriminate retention of traffic and location date without independent oversight.

Due to earlier CJEU decisions, doubts about the validity of the 2011 Act predated the Dwyer ruling by some eight years, but amending legislation was not enacted here until last summer after the Dwyer decision.

The 2022 Act is regarded by data privacy lawyers as a temporary ‘fix’ to ensure gardaí can continue to access phone traffic and location data for criminal justice purposes pending a substantive overhaul of the 2011 Act and relevant legislation to facilitate retention of, and access to, communications traffic data and location data for criminal justice and national security purposes in a way that will withstand legal challenge.

According to Mr Lupton, a specialist in data and communications law, the 2022 Act could be susceptible to challenge for reasons including it was not put before the European Commission’s Technical Regulation Information System (TRIS) before being passed by the Oireachtas last summer. The TRIS requires EU member states to submit proposed laws that could affect the European single market to the commission before their enactment.

Mr Lupton said the draft Act should have been notified under the TRIS and the failure to notify before enactment appeared to have been based on a view here that the Act did not fall under the TRIS procedure when considering compliance with the CJEU ruling in Dwyer’s case.

The 2022 Act was ultimately notified under the TRIS in December, and a spokesman for the Department of Justice told The Irish Times it is engaging with the Commission under the TRIS.

Work is ongoing over the necessary measures to support the commencement of the 2022 Act “at the earliest possible date”, the spokesman said. “Work has been progressed on the required secondary legislation, as well as consultations with service providers and engagement with the relevant competent authorities.”

The need to protect citizens against crime suggests the Act will be commenced shortly as intended, Mr Lupton believes. “If that happens, and despite EU member states being usually permitted to legislate outside the TRIS procedure to comply with CJEU rulings, there is a risk of challenge, including from the European Commission because of the delayed notification under TRIS.

“Challenges could also be taken by telecoms companies and those concerned about data privacy,” he said.

Mary Carolan

Mary Carolan

Mary Carolan is the Legal Affairs Correspondent of the Irish Times