The mobile phone data-retention practices used to convict Graham Dwyer were not in line with European Union law, a senior judicial adviser at the European Court of Justice (ECJ) has set out.
The opinion issued by the advocate general, an official adviser to the court, will assist judges in coming to a verdict expected next year in the far-reaching appeal that will shape how police gather evidence across the European Union.
Data from mobile phones was key to the conviction of Dwyer for murdering childcare worker Elaine O’Hara, and the ECJ ruling is likely to have implications for his separate ongoing appeal against his conviction in Ireland. Dwyer was convicted in 2015 for the murder of Ms O’Hara in August 2012.
The case came to the ECJ after Dwyer challenged the Irish law that allowed for the retention of his data by gardaí as contrary to EU law. Following an appeal by the Irish Government, the Supreme Court asked the ECJ to clarify some matters of EU law.
The ECJ has also been asked to rule on similar issues by French and German courts, and the three cases are all being considered together.
In his opinion, Advocate General Manuel Campos Sánchez-Bordona argued that indiscriminate retention of mobile phone traffic and location data “is permitted only in the event of a serious threat to national security”, according to a court statement.
The matter has already been settled by previous judgments of the court, Mr Campos Sánchez-Bordona wrote, pointing to a 2020 ruling that the blanket retention of electronic communications data is only permissible in very limited circumstances.
Authorities must be working to counter a specific severe threat to national security, and data can only be kept for a strictly necessary time period, according to the court’s prior ruling.
These circumstances do not include “the prosecution of offences, including serious offences”, such as murder cases, according to the advocate general.
“By permitting, for reasons going beyond those inherent in the protection of national security, the preventive, general and indiscriminate retention of traffic and location data of all subscribers for a period of two years, Irish legislation does not therefore comply with the Directive on privacy and electronic communications,” a court statement read.
In addition, Mr Campos Sánchez-Bordona pointed out that in Ireland’s case decisions about access to retained data were made at “the discretion of a police officer of a certain rank”. This is also contrary to prior EU case law, which requires decisions about access to data to be “subject to prior review by a court or an independent authority”, he pointed out.
There are also concerns about whether the ECJ ruling could have a wider effect, and lead to more challenges to criminal convictions.
The Irish Supreme Court asked if it was possible, to avoid “chaos and damage to the public interest”, to set time limits on the effect of an ECJ ruling (such as to ensure it only applies to convictions going forward).
The advocate general rejected this idea, pointing again to previous case law that ruled “the referring court cannot apply a provision of national law empowering it to limit the temporal effects of a declaration of illegality”.
The opinion goes against the hopes of multiple EU governments who joined Ireland in calling on the judges to allow less restrictive rules on the retention of data.
In a September hearing in the case, legal teams for a series of EU member states argued that too many limitations due to privacy protections would hinder day-to-day police work and give criminals the upper hand.
Ireland’s Attorney General, Paul Gallagher, argued the Dwyer case demonstrated the “critical role” of data retention and access in law enforcement, as the murder could not be solved without it.
But Dwyer’s barrister, Remy Farrell SC, told the chamber of 15 judges that the Irish law that allowed for records to be kept for two years was “extreme” and allowed for mobile phones of anyone to be used as “personal tracking devices”.
Privacy campaigners have long raised concerns about the risks of the mass retention of data, and there is intense interest from across Europe in the outcome of the case.
The Irish law in force at the time of the Dwyer investigation, Section 6 of the Communications (Retention of Data) Act 2011, was based on a 2006 EU directive on data retention.
That earlier directive was struck down by the ECJ in 2014, on grounds the universal and indiscriminate retention of mobile phone and internet data breached privacy and data protection rights.