The European Court of Justice (CJEU) has confirmed that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime. This has arisen from a referral by the Irish Supreme Court in the Graham Dwyer data retention case. See our previous article on this case for a reminder on the Irish proceedings which resulted in the referral to the CJEU.

By way of short background, Mr. Dwyer was convicted of the murder of Elaine O’Hara in 2015 and sentenced to life in prison. The State’s case against him relied heavily on meta data collected from his phone. Following his conviction Mr Dwyer’s defence team brought a legal challenge contesting the validity of the Communications (Retention of Data) Act 2011 (2011 Act), which required mobile phone data to be retained and disclosed to An Garda Síochána on request. His appeal was upheld by the Irish High Court and the State subsequently appealed the decision. This was ultimately referred to the CJEU by the Supreme Court.

Judgment

By its reference, the Supreme Court sought clarification as to the requirements under EU law for the retention of phone meta data for the purposes of combating serious crime and the necessary safeguards required to access this data.

In its judgment, the CJEU confirmed that EU law[1] precludes national legislative measures which provide, as a preventative measure, for the general and indiscriminate retention of traffic and location data relating to electronic communications, for the purposes of combating serious crime.

The Directive on privacy and electronic communications does not merely create a framework for access to this data through safeguards to prevent abuse, but enshrines the principle of the prohibition of the storage of traffic and location data. The retention of traffic and location data constitutes a derogation to the prohibition of storage of that data and an interference with the rights to respect for private life and protection of personal data.

Under the Directive on privacy and electronic communications, Member States can place limitations on those rights and obligations for the purposes of combating crime. However, any limitations must comply with the principle of proportionality. The CJEU held that the objective of preventing serious crime does not, in itself, justify the general and indiscriminate retention of all traffic and location data.

The Court rejected arguments that serious crime could be treated the same as a threat to national security, which is genuine and current or foreseeable, and could for a limited time, justify the general and indiscriminate retention of meta data.

The Court did however confirm that EU law does not preclude legislative measures, subject to the conditions set out in its judgment, which are enacted to combat serious crime, and/or prevent serious threats to public security. The Court provided some examples of these types of measures, such as, data retention using geographic criteria, e.g. average crime rates in an area, without an authority necessarily having specific indications as to the commission of a crime in that area. Similarly, national laws can be enacted that require the purchase of pre-paid sim cards to be subject to ID checks for the purposes of crime prevention, with sellers being required to provide that information to competent national authorities. The Court found that these measures may, at the choice of the national legislature and subject to the limits of what is strictly necessary, be applied concurrently.

The Court made other important findings such as confirming that access to meta data in the context of a criminal offence, must be subject to a prior review carried out either by a court or by an independent administrative body, which should not be a police officer.

Implications

For Graham Dwyer, the implications are yet to be determined. The case will go back to the Supreme Court, and it is likely to rule in his favour. His appeal on his criminal conviction will be determined in the Court of Appeal which will hear arguments about the admissibility of this evidence at trial. The Supreme Court decision DPP v JC [2015] IESC 31 will be relevant here. It found that evidence obtained unconstitutionally will be admissible if the prosecution can show the breach was due to inadvertence. It is likely that the same analysis will be applied to breach of EU rights.

The decision does not mean other convictions that relied on information obtained under the 2011 Act will be overruled. A case-by-case assessment will be required in any appeal similar to proceedings taken by Mr. Dwyer. The Irish courts cannot limit the declaration that the legislation breaches EU law to future cases only, so there is likely to be some appeals brought challenging past convictions which relied on collecting this type of meta data.

The State will now move forward with the Communications (Data Retention and Disclosure) Bill which it had delayed publishing until the CJEU decision. In a brief statement, Minister for Justice Helen McEntee said she had noted the judgment and said, “It is clear that the current legal framework, allowing for access to communications meta-data to combat criminals and terrorists, needs to be modernised in light of evolving jurisprudence.” The Bill is hoped to address the failings of the 2011 Act.

Conclusion

The ruling by the CJEU provides further clarity on the parameters allowed for the retention of traffic and location data, for the purposes of combating serious crime. It is likely to lead to appeals of convictions which relied on the 2011 Act. Consequently, it may result in the progression of the Communications (Data Retention and Disclosure) Bill.

For more information on the potential impact of this ruling on your business, contact a member of our Privacy and Data Security team.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

[1] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“Directive on privacy and electronic communications”). The 2011 Act was enacted to transpose the Directive on privacy and electronic communications into Irish law.