knowledge 4 October 2022 |

Overhaul of Irish Data Retention Laws

Once it is brought into force the 2022 Amendment Act may serve its primary purpose of continuing to enable An Garda Síochána (“AGS”) to access communications traffic and location data for criminal justice purposes for the time being.  However the Irish Government has a difficult job on its hands to devise a longer term legislative regime facilitating the retention of and access to communications traffic data and location data for criminal justice and national security purposes that will withstand scrutiny.

As a brief recap:

• The Communications (Retention of Data) Act 2011 (the “2011 Act”) was introduced to transpose the Data Retention Directive (Directive 2006/24/EC) in Ireland. The 2011 Act, among other things, requires providers of electronic communications services to retain ‘traffic data’ and ‘location data’ relating to all users of their services and to make this data available to AGS for criminal justice and national security purposes in specific circumstances.

• In April 2014 in the Digital Rights Ireland case¹, the CJEU declared the Retention Directive invalid, on the basis that, while combatting serious crime is of great importance, it does not justify the general and indiscriminate retention of traffic and location data.

• Following the Digital Rights Ireland case, the 2011 Act remained in force in Ireland, but with doubts about its validity.

• In a series of cases after the Digital Rights Ireland case (most notably the Tele2/Watson and La Quadrature du Net cases²), the CJEU has considered communications data retention laws in a number of EU countries and has provided detailed decisions setting out the circumstances in which such laws will, and will not, be compliant with EU law.

• In 2017, former Chief Justice Murray examined and provided a report on Ireland’s laws on communications data retention and access (the “Murray Report”).  The Murray Report concluded that the 2011 Act permitted the universal and indiscriminate retention of communications data which constituted a breach of EU law, and recommended that the 2011 Act be amended in order to conform to the requirements of EU law, particularly as set out in Tele2/Watson. A General Scheme of the Communications (Retention of Data) Bill, which would replace the 2011 Act, was published in 2017 but did not progress to enactment.  

• Graham Dwyer was convicted of murder in 2015, based partly on mobile phone location data that was obtained by AGS under the 2011 Act.  He brought legal proceedings challenging the validity of the 2011 Act in connection with the use of data obtained under it in his prosecution and conviction, which ultimately ended up with questions relating to the 2011 Act and the use of such data being referred by the Irish Supreme Court to the CJEU for determination in March 2020.

• The CJEU delivered its decision on the questions referred to it by the Irish Supreme Court in April 2022³ and, unsurprisingly, confirmed that the general indiscriminate retention of traffic and location data for the purposes of preventing serious crime is inconsistent with EU Law.

• The Minister for Justice announced in May 2022 that the Cabinet had approved the preparation of legislation to amend the 2011 Act in light of the CJEU’s decision delivered the previous month. A General Scheme for the Communications (Retention of Data) (Amendment) Bill 2022 was published in June 2022 and the Communications (Retention of Data) Amendment Act 2022 (the “2022 Amendment Act”) was enacted in July 2022. At the time of writing this briefing, the 2022 Amendment Act had not yet been brought into force.

The 2022 Amendment Act was enacted as an urgent measure to provide for a revised Irish regime for the retention of and access to telecommunications traffic and location data, so that it may continue to be used for criminal justice and national security purposes, before the 2011 Act would have to be declared invalid in light of the CJEU’s recent decision. The 2011 Act, as amended by the 2022 Amendment Act, is unlikely to be a long term successor to the 2011 Act. According to comments by the Minster during parliamentary debates relating to the adoption of the 2022 Amendment Act in July 2022:

When discussing the 2022 Amendment Act and legislation in this area more generally the Minster said:

The Minister’s comments reflect the tension between data protection and privacy laws on the one hand, and the public interests in criminal justice and national security on the other, which continues to prove particularly challenging to address appropriately via legislation in this field.  Internationally there are varying views as to the circumstances in which it is appropriate for criminal justice or national security interests to override privacy and data protection rights. For communication service providers who operate in multiple jurisdictions, these varying views often result in them having to navigate complex conflict of laws issues.  The retention or production to a law enforcement authority of data in one jurisdiction may be contrary to the laws of another.

For the Irish legislature, the 2022 Amendment Act has bought some time for a more substantive overhaul of the 2011 Act and related laws to be conducted.  It is clearly intended to be no more than a temporary fix to allow more time for this overhaul (even though the Government refused to include a ‘sunset’ provision in the 2022 Amendment Act.  It will be a difficult task to further refine the proposed Bill that was first published in 2017 in order to take full account of CJEU case law in this area, while also seeking to address the Minister for Justice’s stated intention of not shifting the balance too much in favour of privacy and data protection rights in a way that would prejudice “keeping people safe and fighting crime”.  For these purposes, it will be helpful that the CJEU confirmed in April 2022 that the ePrivacy Directive (Directive 2002/58/EC, as amended), read in light of the Charter of Fundamental Rights of the EU, does not preclude legislative measures that provide, for the purposes of safeguarding national security, combating serious crime and preventing serious threats to public security, for:

• The targeted retention of traffic and location data which is limited according to the categories of persons concerned (based on objective and non-discriminatory criteria) or using geographical criterion for a limited period of time;

• The general and indiscriminate retention of IP addresses assigned to the source of an internet connection for a limited period of time;

• The general and indiscriminate retention of data relating to the civil identity of users of electronic communications systems; and

• The expedited retention of traffic and location data in the possession of relevant service providers following a decision of the competent authority that is subject to effective judicial review.

The challenge for the Irish legislature will be in identifying what measures, beyond those which have effectively been pre-approved by the CJEU, will withstand scrutiny. Considering that the validity, from an EU law perspective, of Irish law in this area has been in doubt at least since 2014 and that a substantial overhaul of the 2011 Act has been on Ireland’s ‘to do list’ at least since 2017, the Irish Government will not want to introduce reforms that are likely to be held to be contrary to EU law.

In the meantime, once the 2022 Amendment Act is brought into force the 2011 Act as amended by the 2022 Amendment Act will govern the retention of and access to traffic and location date for the time being. Under changes that will be introduced by the 2022 Amendment Act:

• the general and indiscriminate retention of communications traffic and location data may only be permitted on national security grounds, where approved by a designated judge following an application by the Minister for Justice in circumstances where the Minister is satisfied that there exists a serious and genuine, present or foreseeable threat to national security;

• preservation and production orders may be obtained by AGS to facilitate the preservation of and access to specified communications data held by service providers for both national security and for the investigation of serious crime, where permitted by an authorising judge;

• a failure by a provider of electronic communications services who is subject to the 2011 Act, as amended, to comply with certain provisions will amount to a criminal offence and be punishable on summary conviction to a class A fine or imprisonment for up to 12 months; or on conviction on indictment to a fine not exceeding €500,000 or imprisonment for up to 5 years, or both.  Where such an offence is committed by a body corporate and is proved to have been committed with the consent or connivance of, or due to any neglect of, a director, manager, secretary or other officer of the body corporate, then that individual will also be guilty of that offence. 

Service providers who are subject to 2011 Act and law enforcement authorities who rely on it to access telecommunications data for criminal justice and national security purposes are reviewing and updating their practices as necessary to prepare for the changes that will be introduced by the 2022 Amendment Act. More generally, all stakeholders who have an interest in communications data retention laws, including service providers, law enforcement authorities, representatives of those charged with serious criminal offences and the victims of those crimes and civil rights groups, will be monitoring further developments in this area closely.