Explainer: absence of clear law on data retention key to Dwyer appeal

Dwyer’s lawyers argued State has failed to properly respond to striking down of data directive

A file image of Graham Dwyer. Photograph: Collins


A dispute over the meaning and effect of decisions of the Court of Justice of the EU concerning the validity of general mobile phone data retention regimes is at the centre of the Graham Dwyer case.

Under pressure from the CJEU, Ireland introduced the Communications (Retention of Data) Act in 2011 to give effect to a 2006 EU Directive, the Data Retention Directive.

This Directive was introduced following a series of significant terrorist attacks across Europe and it obliged member states to have a data retention regime in place.

The Directive was subject to legal challenges, including in proceedings by Digital Rights Ireland, and was struck down by the CJEU in 2014 as invalid.

The CJEU ruled that the absence of clear and precise rules concerning its scope and application, and of minimum safeguards to protect personal data, disproportionately interfered with privacy and data protection rights under the Charter of Fundamental Rights of the EU.

In the intervening years, gardaí investigating a range of serious crimes, including the murder of Elaine O’Hara, whose remains were found in 2013, had sought and secured access to telecoms metadata retained under the 2011 Act.

Telecommunications metadata is subscriber, traffic and location data, but not the content, of phone and internet communications.

It is used for investigating crime, safeguarding national security and protecting human life.

Unsolved

The State maintained that, unless there is a general retention regime for phone and internet metadata that gardaí can access, serious crimes including Ms O’Hara’s murder could remain unsolved.

After his 2015 conviction for the murder of Ms O’Hara, Dwyer challenged the retention and accessing of certain phone call metadata which formed a significant part of the evidence at his trial.

He argued the 2011 Act breached his privacy rights under the Constitution, the European Convention on Human Rights and EU law.

In December 2018, the High Court found the 2011 Act breached EU law because (1) it provided for general and indiscriminate retention of data and (2) there were inadequate safeguards for access to retained data, particularly as gardaí controlled who got access and there was no proper review of access by a court or independent administrative authority.

The High Court granted a declaration, which remains suspended pending the Supreme Court appeal, that a provision of the 2011 Act relating to retained phone data was inconsistent with Article 15.1 of a 2002 e-Privacy Directive [permitting member states to adopt laws for retention of data for a limited period for purposes including investigation of serious crime], when read in light of a number of articles of the Charter of Fundamental Rights.

The High Court analysed a number of CJEU decisions before concluding the CJEU had held that EU law precluded national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of telecoms metadata.

Correctly interpreted

In the Supreme Court, Dwyer’s lawyers argued the High Court had correctly interpreted the CJEU decisions.

They argued the State had failed to properly respond to the striking down of the Directive and to a 2017 report by former Chief Justice John Murray which was critical of the State’s data retention regime.

The State’s core position in the appeal was that EU law does not preclude the State having a general data retention regime as provided for in the 2011 Act for the purpose of fighting serious crime and thus there was no need to refer the case to the CJEU.

It argued the CJEU has distinguished between “crime” and “serious crime” and that the High Court had wrongly concluded the 2011 Act, in putting in place a regime of general data retention for the purpose of fighting serious crime, was inconsistent with EU law.

It insisted data preservation is not an effective alternative as that is only useful if suspects were known to the authorities. Data retention could assist in identifying suspects who, like Dwyer, were previously unknown to the authorities, it argued.

Its back-up position was that, if the Supreme Court considered it is uncertain whether EU law precludes such a regime, the Irish court was obliged to make a reference.

Following the 2014 striking down of the 2006 Directive, a number of national courts had referred questions to the CJEU concerning the status of national data retention measures.

The State urged the Supreme Court to interpret the judgments in those cases in the context of the specific national measures which formed the basis for the references.

The Supreme Court, when the appeal was heard in December, also heard references were then pending before the CJEU in which courts of other member states had asked whether Article 15.1 of the e-privacy Directive precluded data retention laws of general application, including laws aimed at fighting serious crime.

On Monday the Supreme Court referred key issues in Dwyer’s mobile phone data retention case to the European Court of Justice.