Michael Madden

The Communications (Retention of Data) (Amendment) Act 2022 is intended to amend existing Irish data retention law to address the impact of recent EU case law, including that relating to the Graham Dwyer murder conviction.

How we got here

In March 2015, Graham Dwyer was sentenced to life imprisonment for murder. In the appeal against his conviction, Dwyer criticised the lower court for having incorrectly admitted as evidence traffic and location data relating to telephone calls. He argued this on the grounds that the Communications (Retention of Data) Act 2011, which governed the retention of that data and on the basis of which the gardaí carrying out the investigation had obtained access to those data, infringed rights conferred on him by EU law.

In order to contest the admissibility of that evidence in criminal proceedings, Dwyer brought civil proceedings before the High Court seeking a declaration that some of the provisions of the 2011 Act are invalid. In December 2018, the High Court held that aspects of the 2011 Act are incompatible with EU law. Considering its significant implications for law enforcement in Ireland, Ireland appealed that decision to the Supreme Court. Expressing doubts and uncertainties around the application of EU law in this area, the Supreme Court decided to refer several questions to the Court of Justice of the EU (CJEU).

On 5 April 2022, the CJEU issued its judgment effectively confirming what we already knew, that the 2011 Act does not comply with EU law. The CJEU also provided guidance on what and how retention measures could comply with EU law.

The 2022 Act, which is intended to address the impact of EU case law by amending the 2011 Act, was signed into law on 21 July.

Overview of the 2022 Act

Who – the 2022 Act does not change the service providers to which the 2011 Act applies. The 2011 Act will continue to apply only to traditional telecoms services and not to internet-based communications services.

What – the 2022 Act introduces two new distinct categories of data - ‘user data’ and ‘internet source data’. These are presumably intended to reflect the less sensitive categories of data recognised in EU case law - ‘data relating to the civil identity of users’ and ‘IP addresses assigned to the source of an internet connection’. The categories of traffic and location data contained in Schedule 2 of the 2011 Act (Schedule 2 data) remain unchanged.

How – the 2022 Act completely overhauls the scope and application of the retention and access regime in the 2011 Act. In summary, the amendments:

• Require the general and indiscriminate retention of user data and internet source data for a default period of one year. The Minister may prescribe a different period of up to two years on the basis of combatting crime, safeguarding State security, protecting life and safety of persons or locating missing persons.
• Provide for the Minister to apply to the High Court, on the basis of a serious and genuine, present or foreseeable threat to State security, for an order requiring the general and indiscriminate retention of Schedule 2 data for 12 months.
• Set out new procedures by which applications are to be made by the Garda Síochána and other bodies to a District Court judge for orders to disclose Schedule 2 data and internet source data. There is no requirement to apply to the District Court for the disclosure of user data.
• Provide for the Garda Síochána and other bodies to apply to a District Court judge for preservation (quick freeze) and production orders regarding certain Schedule 2 data on the basis of combatting serious crime, safeguarding State security, protecting life and safety of persons or locating missing persons. The introduction of such orders is envisaged under the Council of Europe Convention on Cybercrime.
• Creates, for the first time, offences for non-compliance with the 2011 Act, with penalties of up to €500,000 and five years’ imprisonment.

In cases of urgency, applications can be made to the District Court after the fact. All applications to the Courts are to be made ex parte and in private.

Comment and next steps

The bill was signed into law just one month after the general scheme was published. During this time, the bill underwent expedited pre-legislative scrutiny and just two sessions of debate in each of the Dáil and the Seanad. The speed with which this law went through the legislative process was, at the time, heavily criticised by the joint committee on justice and by deputies and senators in both the Dáil and Seanad, with one of the primary concerns being that this would leave the law vulnerable to legal challenges.

In that regard, the 2022 bill does contain several typographical errors. Also, there are serious questions over the application of certain provisions and their compliance with requirements specified in EU case law. This inevitably risks, again, causing legal uncertainty for service providers, law enforcement and prosecutions.

Despite the rushed nature of the process, the minister has not yet made any commencement orders in relation to the 2022 Act. The minister has also indicated her intention to bring forward a more comprehensive proposal later in the year to address wider reforms and a more consolidated legal framework in this area, without giving further details.

• Michael Madden is a partner in the commercial department at Mason Hayes & Curran LLP.