“In what circumstances does a democracy tolerate State mandated electronic surveillance of every citizen who uses a telephone device?”
In early December 2018, the Irish High Court ruled that the Communications (Retention of Data) Act 2011, requiring mobile phone data to be retained and disclosed upon request to An Garda Síochána, breached EU law. The ruling follows an application by convicted murderer, Graham Dwyer, who was sentenced to life in prison in 2015 for the murder of Elaine O'Hara. The conviction was based to a large extent on mobile phone data evidence made available under the Act.
In its ruling, the High Court agreed that aspects of the Act governing retention and disclosure of mobile phone data contravened EU law (other than where the mobile phone data was needed for national security or to save a human life) as they allowed for inappropriate, unnecessary or disproportionate use of data. The Court refused to rule on whether the Act also contravened the Constitution. This ruling follows a 2014 decision by the EU’s highest court which invalidated the EU data retention directive, implemented in Ireland by the Act. Importantly, however, the Court did not rule that the actual operation of the Act and resulting use of mobile phone data in the Dwyer case was inappropriate, unnecessary or disproportionate.
The precise extent of the fallout from the High Court’s ruling is unclear. A decision may be taken by the State to appeal the ruling to the Supreme Court. However, we consider some of the potential implications below.
Implications of the Ruling
The ruling has a number of serious implications:
For Graham Dwyer, the ruling will not lead to the automatic quashing of his murder conviction. The High Court noted that under Irish law, evidence obtained in breach of an accused person’s rights under EU law or the Constitution would not necessarily have to be excluded at trial.
This follows from a ruling of the Supreme Court in 2015. The ruling permitted the admission of evidence where the breach of rights was due to inadvertence, or subsequent legal developments and was not “deliberate and conscious”. However, Dwyer will still be able to rely on the High Court ruling if he challenges his conviction before the Court of Appeal on the grounds that his privacy rights have been breached.
In that appeal, Dwyer is likely to argue that the trial judge ought to have exercised his discretion and excluded the mobile phone data. This would be on the basis that it was available by virtue of the Act, which contravened EU law, and this constituted a “deliberate and conscious” breach of his rights. The State is likely to argue that prior to this ruling, the Act was “good law” and any breach was therefore the result of inadvertence. As such, the “state of mind” of the State will be a key consideration in the appeal. If the State can demonstrate it lacked knowledge there was a breach of Dwyer’s constitutional rights, the Court of Appeal is likely to rule the evidence was admissible. Indeed, on 10 December 2018, it was reported that the Special Criminal Court refused an application to exclude mobile phone data evidence collected under the Act in a murder trial, despite the defence citing the High Court ruling, for this reason.
Similarly, the ruling will not lead to an automatic quashing of other convictions that relied on information retained under the Act. In its ruling, the High Court made clear that a case-by-case assessment will be required in any appeal, along the same lines as those issues likely to be considered in Dwyer’s appeal.
The implications may be most significant for ongoing investigations and future prosecutions.
Ongoing investigations that have not yet reached trial are now subject to the High Court’s ruling. A trawl of current investigations is now being conducted within An Garda Síochána. The aim is to compile a list of cases that might be affected as a result of the High Court’s ruling for consideration and assessment by the Director of Public Prosecutions. It is worth noting that any evidence obtained under the Act for the purposes of investigation in current proceedings can now be challenged at trial. However, prosecutions may still be able to argue that any evidence obtained prior to the ruling should be admissible on the basis that it did not constitute a deliberate and conscious breach of rights, and until the High Court ruling there was no “knowledge” on the part of An Garda Síochána.
For future prosecutions, the implications are even more difficult to determine. While An Garda Síochána has a range of other statutory powers to facilitate the production of mobile phone data, they are not without challenges and complexity. A further complication is the reality that it is now unclear whether and to what extent mobile operators are expected to continue to retain mobile phone data given that certain aspects of the Act remain in force. This includes where retention is required for national security measures or to save a human life. In light of the High Court’s ruling, mobile operators will need to carefully consider their obligations under the Act, and indeed the GDPR, and what changes will need to be made to their law enforcement activities. Any resulting changes in retention practices could potentially deprive An Garda Síochána of having access to vital evidence for future investigations.
Data Retention Bill
The Irish Government must now take action to address the issues arising from the ruling, particularly given its awareness of the clear deficiencies in the Act and the potentially grave consequences of failing to do so for a number of years now. In a statement released on Thursday, Minister for Justice Charlie Flanagan said it was clear the current legal framework governing access to mobile phone or metadata in the context of criminal investigations is in need of urgent modernisation. He said that the Government’s draft Data Retention Bill (first published in October 2017), which takes account of various aspects of the Dwyer ruling, is already at an “advanced stage”. However, he noted that the Attorney General's advice will be taken about further changes. In particular, the Bill provides for a greater level of Ministerial oversight requiring An Garda Síochána to obtain specific authorisation before requiring service providers to retain data, a shorter maximum retention period of 12 months (in contrast to 24 months provided for by the Act) and prior judicial authorisation of any disclosure of retained data. It is hoped these changes will address the failings of the Act.
For more information on the potential impact of this ruling on your business, contact a member of our Privacy & Data Security team.
The content of this article is provided for information purposes only and does not constitute legal or other advice.