Ireland is one of two Member States, the other being Poland, where electronic surveillance and in particular access to phone data can be authorised directly by a law enforcement agency without a Court order, nonetheless in light of the judgment handed down by the Irish Supreme Court on 24th February 2020 in Dwyer v The Commissioner of An Garda Síochána & Others, that may need to change.

The legal challenge is brought by Mr Dwyer who was tried and convicted of the murder of Ms Elaine O’Hara in 2012. Part of the evidence used against him in the trial was obtained by the Gardaí on foot of an s.6(1)(a) disclosure request under the Communications (Retention of Data) Act 2011, where the prosecution tendered two mobile phones showing a detailed analysis of call records during 2011 and 2012. Mr Dwyer’s legal team argues in light of the Digital Rights Ireland case and subsequent CJEU case-law that the data obtained and used in evidence against him was incompatible with European Union Law. If successful in the proceedings before the Supreme Court, he will seek to use the Court’s findings in relation to data retention as part of his criminal appeal and challenge the admissibility of illegally obtained evidence in an effort to quash his conviction.

The Dwyer case comes at a time where data retention is in sharp focus across the European Union. While Justice Charleton argued in his dissenting judgment of the Supreme Court that data retention for criminal prosecutions was purely a national issue, there are currently six judgements pending before the CJEU seeking clarification on general and indiscriminate data retention according to Article 15(1) of the 2002 Directive.

The Council of the European Union published a comprehensive report in 2019 outlining the status of legislation on data retention in each Member State. Europol has also released various working papers concerning the data retention regime that currently applies in each Member State and stated that a comprehensive European legislative framework is required.

Furthermore, it was reported by Privacy International that as of 2017 - Croatia, Cyprus, Czech Republic, France, Ireland, Poland, Bulgaria Portugal and Spain had not changed their national law and were still operating their pre-Digital Rights Ireland regime transposing Directive 2006/24/EC.

Based on this report some Member States, including Cyprus, Portugal and Slovakia, have deemed that their general data retention is compatible with the Digital Rights Ireland and Tele2 judgments because it allows for a judicial control mechanism (often in the form of a court order) for access to the retained data. There are also the Member States who explored other options such as Austria who have introduced a “quick freeze” data retention system.

Pending the outcome of the Dwyer case, the ramifications it could have for the universal retention of data in other Member States are vast.

At national level, it is arguable that an amendment to the 2011 Act to include the implementation of a judicial access scheme could be sufficient to bring the Irish legislation in line with the other Member States and to be compatible with European Law. The Irish government is currently revising a Communications (Data Retention) Bill that would repeal the 2011 Act.

At European level, it appears that legislation may be required to lay down clearer and more precise rules and to balance the divergent data retention systems currently in place across the EU. It remains to be seen how exactly the Supreme Court will phrase and draft its preliminary reference and whether the CJEU will be able to offer some additional guidance following the Digital Rights Ireland and Tele2 judgments as how best to strike a balance between the interaction of privacy rights with the need to tackle serious crime.

For more information on any of our industry insights please contact our expert team at info@itrustethics.ie