The Government’s bid to address the fallout from convicted murderer Graham Dwyer’s successful challenge to mobile phone metadata retention laws here faces another hurdle with the Data Protection Commission being urged to act immediately over alleged continuing illegal retention of data by service providers.
There is also speculation in legal circles that a Bill rushed through the Oireachtas this week as a stopgap following the judgment of the European Court of Justice (CJEU) upholding Dwyer’s challenge could yet be referred by President Michael D Higgins to the Supreme Court for a determination on its constitutionality.
The Data Protection Commission has been asked by solicitors for Digital Rights Ireland (DRI) — which in 2014 won a significant CJEU decision ultimately leading to the striking down of Ireland’s 2011 data retention law in the case by Dwyer — to take “immediate” action against telecommunications companies who are continuing to process national scale data on all Irish users over the 2011 law.
In a letter to the commission on July 5th, McGarr solicitors warned that unless such action is taken, its letter may be referred to in further proceedings or complaints regarding Ireland’s compliance with EU law.
Ireland meteor shower tonight: Getting the best view of the ‘shooting stars’ during the Geminids
Stephen Collins: Despite the rhetoric from Mary Lou McDonald, Sinn Féin was the big election loser
Radio Review: At Newstalk, Ciara Kelly gets righteously annoyed
I need to book a restaurant for Christmas dinner with friends. Am I too late?
National law
The letter stated that the decision earlier this year of the CJEU in the Dwyer case meant it is “beyond doubt that the continued retention of data under the 2011 Act is illegal”. The Dwyer judgment, it said, specifically finds the retention provisions of the 2011 law are contrary to the provisions of the ePrivacy Directive. Where a state body encounters a disagreement between a national law and an EU law, it is the duty of the state body to directly disapply the national law, the solicitors wrote.
The solicitors requested the commission to immediately direct telecommunications operators to delete data retained under that Act and cease to retain further data under that Act. The commission was urged to use all measures necessary to ensure that EU law is fully effective.
The letter was sent just days before the Oireachtas this week passed a controversial Bill — the Communications (Retention of Data) Amendment Bill 2022 — aimed at going some way to address the situation following Dwyer’s CJEU victory.
Several provisions of the Bill — passed on Thursday just before the Oireachtas summer recess — had been strongly criticised by bodies including DRI and the Irish Council for Civil Liberties.
The CJEU ruled in the Dwyer case that EU law prevents the general and indiscriminate retention of electronic traffic and location data for the purposes of combating serious crime.
The 2022 Bill allows for general and indiscriminate retention of communications traffic and location data only on national security grounds, where approved by a designated judge.
It establishes a system of preservation orders and production orders to facilitate preservation of, and access to, specified data held by telecom firms for national security and for investigating serious crime, where permitted by an authorising judge. A preservation order will act as a “quick freeze”, requiring service providers to retain specified data for a period.
‘Indefinite retention’
A production order will allow access for natural security/law enforcement to specified data held by a service provider for commercial or other reasons. Traffic and location data held for national-security purposes, and subscriber data retained for national-security or law-enforcement purposes, can both be held for 12 months.
The Irish Council for Civil Liberties (ICCL) argued the Bill will permit rolling one-year renewable data retention, effectively “indefinite retention” and fails to define national security or to provide for protection of journalists’ sources and an adequate oversight mechanism.
The Bill, said the ICCL, attempts to retrospectively validate illegal data retention contrary to EU law, will “create more legal uncertainty” and result in more Dwyer-type cases in which evidence is challenged. A provision seeking to legitimise the current unlawfully retained data “creates a particular risk in this area”, it said.
The Bill is effectively intended as a stopgap prior to the introduction of a more comprehensive measure — the Data Retention and Governance Bill — but industry and legal sources remain concerned about the situation in the interim.
Industry sources say there is a lot of uncertainty about their position, particularly about the status of underlying data held by them, and about the practicalities of implementing the measures in the 2022 Act. “The retention and governance Bill needs to be finalised by the Government urgently, there are just too many unknowns,” said one source.