Dwyer: It is not possible to access that which has not been retained

Ireland is one of two Member States, the other being Poland, where electronic surveillance and in particular access to phone data can be authorised directly by the police without a Court order, but in light of the majority judgment handed down by Irish Supreme Court down on 24 February 2020 in Dwyer v The Commissioner of An Garda Síochána & Oths., that may not be the case for much longer.

The legal challenge is brought by Mr. Dwyer who was tried and convicted of the murder of Ms. Elaine O’Hara in 2012. Part of the evidence used against him in the trial was obtained by the Gardaí on foot of a s.6(1)(a) disclosure request under the Communications (Retention of Data) Act 2011, where the prosecution tendered two mobile phones showing a detailed analysis of call records during 2011 and 2012. He argues in light of the Digital Rights Ireland case and subsequent CJEU case-law that the data obtained and used in evidence against him was incompatible with European Union Law. If successful in the proceedings before the Supreme Court, he will seek to use the Court’s findings in relation to data retention as part of his criminal appeal and challenge the admissibility of illegally obtained evidence in an effort to quash his conviction.

The Irish Legislation

The Communications (Retention of Data) Act 2011 was enacted to give effect to Directive 2006/24/EC (which amended the earlier Directive 2002/58/EC) on the Retention of Data, however the Directive was subsequently declared invalid by the Court of Justice of the European Union in 2014 in the Digital Rights Ireland case. The 2011 Act implementing the now invalid 2006 Data Retention Directive  allows a service provider to retain data for certain specified categories for up to one for fixed network telephony or two years for internet access and emails that may be disclosed by way of a disclosure request from a member of An Garda Síochána (the Irish police) for the prevention, detection, investigation or prosecution of a serious offence. While there is a complaint mechanism in place for a person to challenge a disclosure request pertaining to their data, this only takes place after a service provider has complied with the disclosure request. The legislation has been called into question since Digital Rights and there is much debate as to whether it complies with European Union Law but has not been adjudicated by the Irish Courts until now.

 First Stage: The High Court

Mr. Dwyer was successful in the High Court, where Mr. Justice O’Connor considered Digital Rights Ireland (which invalidated the 2006 Directive) and the later Tele2 case (where the CJEU unequivocally stated the necessity for clear and precise rules in relation to data retention) at length. He stated that the reasoning behind Digital Rights was that as there was derogation from the system of protection of the right to privacy and confidentiality of communications established by the 2002 Directive, there was an interference with Articles 7 and 8 of the Charter. The CJEU continued and held that such interference was not accompanied by provisions to ensure that it was limited to what was strictly necessary and therefore failed to pass an assessment of proportionality. While the CJEU jurisprudence acknowledges that the retention of data is a valuable tool in criminal investigations, minimum safeguards are required so that to effectively protect their personal data against risk of abuse and against any unlawful access and use of that data.  Justice O’Connor concluded that the Communications (Retention of Data) Act 2011 permitted general or indiscriminate retention of data, which was an inappropriate, unnecessary or disproportionate use of data and was inconsistent with European Law.

Second Stage: The Supreme Court

The State parties in Dwyer appealed the decision to the Supreme Court in accordance with the expedited leap-frog appeal mechanism. While there are many issues in the case, the parties are essentially in disagreement over the correct interpretation of the conclusion in Tele2 where the CJEU stated that:

“… Article 15(1) of [the 2002 Directive], read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, must be interpreted as precluding national legislation which, for the purpose of fighting crime, provides for the general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication.”

The State parties have submitted that following the guiding principle of proportionality, general data retention is not unlawful and access protections have to be considered objectively. Submissions on behalf of Mr Dwyer argued to the contrary that the level of data retention under the Irish system is so wide it is impermissible but, if the Court held that level to be permissible in principle, there must be “robust” data access safeguards such as those that exist in other Member States.

The Supreme Court will finalise the exact terms of three questions to be referred but has stated that they will be raising the three following points;

  • Whether a system of universal retention of certain types of metadata for a fixed period of time is never permissible, irrespective of how robust any regime may be for allowing access to such data,
  • The criteria whereby an assessment can be made about whether any “access regime” to such data can be found to be sufficiently independent and robust,
  • Whether a national court, should it find that national data retention and access legislation is inconsistent with European Union law, can decide that the national law in question should not be regarded as having been invalid at all times but rather can determine invalidity to be prospective only.

The separate net questions raised by the Supreme Court at points 1 and 3 are interesting as they demonstrate that the Supreme Court is cautious and seeks clarity as how best to limit the effect of the judgment to past and present criminal investigations that rely on data retention. The Supreme Court noted that while the retention is limited as to the type of data which is retained and is limited as to the time for which it can be retained, the data retained is not limited or targeted by reference to persons or locations etc. In that sense, the retention of the data is universal.

The Supreme Court categorically stated that the universal retention was not incompatible with European Union law because of the evidence tendered that the investigation and prosecution of serious crimes, not least those against women, children and vulnerable persons, would, in many cases, be impossible without access to such data. The Chief Justice added that it would be unworkable if the Irish system was not allowed to operate universal data retention and it would be at odds with Irish constitutional values. The Supreme Court is also concerned with the retrospective effect of the judgment and seeks clarification that in the event that the CJEU finds that the 2011 Act is inconsistent with European Union law, the Supreme Court will have the power to declare any such invalidity should only have a prospective effect from the date of its judgement.

If the CJEU agrees with the first point that the Irish regime is permitted to have universal data retention and this is in accordance with Digital Rights Ireland and Tele2, this brings the Court to the main issue expressed at point 2, which is whether the current Irish system and its particular implementation of universal data retention is compatible with European Union Law. It is clear that the Supreme Court in its majority judgment was not satisfied that the Irish regime and the lack of an access regime or independent review under the disclosure request provision of the 2011 Act , currently conformed with the conclusions reached in CJEU-case law. It held that “there must be a particularly robust access system in place” including an independent prior permission given for such access. Under the current regime, the permission is granted by a separate unit within the force but does not involve any application to a Court. The Supreme Court doubted that this constituted a sufficient independent review, given that the permission is nonetheless granted from within An Garda Síochána.

European Focus

The Dwyer case comes at a time where data retention is in sharp focus across the European Union. While Charleton J argued in his dissenting judgment of the Supreme Court that data retention for criminal prosecutions was purely a national issue, there are currently two judgments pending before the CJEU seeking clarification on general and indiscriminate data retention according to Article 15(1) of the 2002 Directive. The Council of the European Union published a comprehensive report last year outlining the status of legislation on data retention in each Member State. Europol has also released various working papers concerning the data retention regime that currently applies in each Member State and stated that a comprehensive European legislative framework is required. Furthermore, it was reported by Privacy International, that as of 2017, Croatia, Cyprus, Czech Republic, France, Ireland, Poland, Bulgaria Portugal and Spain had not changed their national law and were still operating their pre Digital Rights Ireland regime transposing Directive 2006/24/EC. Based on this report some Member States, including Cyprus, Portugal and Slovakia, have deemed that their general data retention is compatible with the Digital Rights Ireland and Tele2 judgments because it allows for a judicial control mechanism (often in the form of a court order) for access to the retained data. There are also Member States who explored other options such as Austria who have introduced a “quick freeze” data retention system.

Pending the outcome of the Dwyer case, the ramifications it could have for the universal retention of data in other Member States are vast. At national level, it is arguable that an amendment to the 2011 Act to include the implementation of a judicial access scheme could be sufficient to bring the Irish legislation in line with the other Member States and to be compatible with European Law. The Irish government is currently revising a Communications (Data Retention and Disclosure) Bill that would repeal the 2011 Act. At European level, it appears that legislation may be required to lay down clearer and more precise rules and to balance the diverging data retention systems currently in place across the Union. It remains to be seen how exactly the Supreme Court will phrase and draft its preliminary reference and whether the CJEU will be able to offer some additional guidance following the Digital Rights Ireland and Tele2 judgments as how best to strike a balance between the interaction of privacy rights with the need to tackle serious crime.