Analysis: New Irish data retention laws coming down the track
Matheson partners Kate McKenna and Davinia Brennan explain coming changes to Ireland’s data retention regime.
New Irish data retention laws governing the retention of, and access to, electronic communications data are in the pipeline following two fresh data retention judgments from the Court of Justice of the European Union (CJEU). Whilst the Government recently published the Communications (Retention of Data) (Amendment) Act 2022 to provide a temporary fix to the incompatibility of certain provisions of Irish data retention laws with EU laws, a further Bill is coming down the track which will overhaul existing laws.
In this article we discuss two recent judgments of the CJEU and consider the key highlights of the 2022 Amendment Act, which has yet to come into force. We previously discussed the CJEU’s prior ruling in GD v Commissioner of An Garda Síochána, which arose as a result of a referral from the Irish Supreme Court. In that case, Mr Graham Dwyer, who was convicted of murder, argued that the admission of traffic and location data retrieved by the Irish police under the Communications (Retention of Data) Act 2011 amounted to a breach of Irish and EU law, the Charter and the ECHR. He appealed against his conviction, seeking a declaration that certain provisions of the 2011 Act were invalid. The CJEU ultimately held that EU law precludes the general and indiscriminate retention of such data for the purposes of combating serious crime. The CJEU also held that a declaration of invalidity of a national measure may have retrospective effect and that a ‘quick freeze’ of data may be permissible subject to conditions.
Recent CJEU decisions
Telekom Deutschland concerned two German telecom companies which challenged obligations imposed on them under the German Telecommunications Law to retain, on a general and indiscriminate basis and for a period of four to ten weeks, customers’ traffic and location data. The CJEU confirmed that such retention for the purposes of combating serious crime was in violation of EU law and the Charter, as it would otherwise allow the creation of exact profiles of people’s private lives. The ability to draw a profile about a person’s life would in any event be serious regardless of the length of the retention period and the quantity or nature of the data retained. The CJEU repeated that EU law does not preclude retention to protect national and public security and to combat serious crime where it is targeted and limited in time to what is strictly necessary. The court reiterated that a ‘quick freeze’ or expedited retention of data ordered by a competent authority (and subject to judicial review) can be legitimate. The CJEU added that a serious, genuine and present or foreseeable threat to national security may similarly be a justified reason to retain traffic and location data.
In the national proceedings that led to the preliminary referral in VD & SR, the applicants were prosecuted for insider dealing, aiding and abetting, corruption and money laundering on the basis of phone call data retrieved by the French Financial Markets Authority (AMF). VD and SR argued that the French law provisions on which the data retention was grounded did not comply with the E-Privacy Directive (2002/58/EC) and the Charter as they allowed for the general and indiscriminate retention of connection data and placed no restriction on the AMF’s power to require the retained data to be provided to them. The Paris Court of Appeal ruled that the Market Abuse Directive (2003/6/EC) and the Market Abuse Regulation (No 596/2014) allowed the data retention where there is reasonable suspicion of insider dealing. The CJEU rejected this and held that those two instruments merely granted access to data but not the power to order retention of same. It ruled that the E-Privacy Directive governs retention of data, and that it only allowed the retention of data in circumstances similar to those described above in Telekom Deutschland. The court further confirmed the retrospective effect of a declaration of invalidity, and that the admissibility of evidence obtained under national law that is incompatible with EU law is a matter for the national court, pursuant to the EU principle of procedural autonomy, but subject to the principles of equivalence and effectiveness.
Impact of decisions
The CJEU has further cemented its line of data retention judgments. Member States are prohibited from collecting and retaining any personal electronic communications data on a general and indiscriminate basis for the purposes of protecting national or public security or to combat serious crime except in certain limited circumstances, and only if people’s rights under EU law and the Charter are protected.
Overhaul of Irish data retention laws
Irish laws governing the access and retention of communications traffic and location data are due to be overhauled. In July 2022, the Irish government published the Communications (Retention of Data) (Amendment) Act 2022, which amends the 2011 Act; however, its provisions have not yet been commenced. It is intended to address the impact of recent EU case-law on data retention, including the CJEU’s decision in Dwyer.
Key highlights of the 2022 Amendment Act include:
- The retention of “user data” and “internet source data” for a period of 12 months, for the purpose of combatting crime, safeguarding State security, protecting the life and safety of persons or locating missing persons.
- General and indiscriminate retention of communications traffic and location data may only be permitted for national security purposes, and will require approval by an authorised judge.
- Preservation Orders and Production Orders may be obtained by An Garda Síochána, the Defence Forces, the Revenue Commissioners or the Competition and Consumer Protection Commission, where approved by an authorising judge, for the purpose of investigating serious offences, national security, protecting the life and safety of persons or locating missing persons.
- Offences for non-compliance with the 2011 Act may result in penalties of up to €500,000 and/or 5 years’ imprisonment.
The 2022 Amendment Act is only intended as a temporary stopgap to allow more time for the overhaul of the 2011 Act. The government has announced that it will bring forward a set of wider reforms to clarify and consolidate the law on data retention. Heads of a new Bill entitled the Communications (Data Retention and Disclosure) Bill are in preparation.