The Court of Justice of the EU has confirmed in a ruling this morning that EU law precludes the general and indiscriminate retention of electronic traffic and location data for the purposes of combating serious crime.

In a case taken by convicted murderer Graham Dwyer, the court ruled today that Dwyer can use the Supreme Court’s ruling in an appeal against his conviction.

A national court may not impose a temporal limitation on the effects of a declaration of invalidity of a national law that provides for such retention.

Life sentence

Graham Dwyer had pleaded not guilty to the murder of childcare worker Elaine O’Hara in August 2012 but was convicted following a lengthy trial in March 2015 and received a life sentence.

He took a case against the Garda Commissioner and the Minister for Communications on the grounds that data gathered from his mobile phone should not have been used at his trial.

The location metadata proved key to his conviction for Elaine O’Hara’s murder, placing the device at specific places, at particular times and dates. 

‘Breach of rights’

Dwyer said the data use was unconstitutional and breached his rights under the EU Charter and the European Convention on Human Rights, including his right to privacy.

After a successful High Court hearing in 2018, the State appealed to the Supreme Court, which then referred the case to Luxembourg on the grounds that the case related to European law on data retention.  

The CJEU examined technical issues concerning the proportionality of data retention.

‘Prohibition on storage’

The CJEU has said that the EU’s privacy and electronic communications directive “does not merely create a framework for access to such data through safeguards to prevent abuse, but enshrines, in particular, the principle of the prohibition of the storage of traffic and location data”.

“The retention of traffic and location data thus constitutes, in itself, first, a derogation from the prohibition of the storage of those data, and, second, an interference with the fundamental rights to the respect for private life and the protection of personal data, enshrined in Articles 7 and 8 of the Charter,” it said.

AG’s advisory opinion

In late 2021, the court’s Advocate General Campos Sánchez-Bordona delivered an advisory opinion on the matter.

The court outlined that the EU’s privacy and electronic communications directive “does not merely create a framework for access to such data through safeguards to prevent abuse, but enshrines, in particular, the principle of the prohibition of the storage of traffic and location data”.

“The retention of traffic and location data thus constitutes, in itself, first, a derogation from the prohibition of the storage of those data, and, second, an interference with the fundamental rights to the respect for private life and the protection of personal data, enshrined in Articles 7 and 8 of the Charter,” it said.

Limitations and proportionality

While the privacy and electronic communications directive allows member states to place limitations on the exercise of those rights and obligations for the purposes of combating crime, those limitations must comply with the principle of proportionality, the court has ruled.

The objective of combating serious crime, as fundamental as it may be, does not, in itself, justify a measure providing for the general and indiscriminate retention of all traffic and location data, it adds. 

‘Serious interference’

Even fighting crime cannot have the effect of justifying such serious interference with the fundamental rights of practically the entire population, the ruling adds.

The court also recalled that authorities have positive obligations to “protect private and family life, home and communications, and also the protection of the individual’s physical and mental integrity, and the prohibition of torture and inhuman and degrading treatment”.

It is necessary to strike a balance between the various interests and rights in question, the court adds. 

Indiscriminate retention measures

Those considerations led the court to reject that particularly serious crime could be treated in the same way as a genuine threat to national security, which might justify a measure for the general and indiscriminate retention of traffic and location data.

A police officer does not constitute a court and does not have all the guarantees of independence and impartiality required in order to be able to qualify as an independent administrative body, the court pointed out.

Meanwhile, chairman of the Law Society’s Criminal Law Committee, Robert Purcell, has said that this morning’s final Dwyer judgment (issued on 5 April) ruling has been signalled for some time

“The history of this can be traced back to the Digital Rights Ireland case,” he said.

“It will have significant impact for current and future investigations,” the criminal defence lawyer warned.

Court of Appeal

The specific case of Graham Dwyer will now have to be heard by the Court of Appeal, taking into account the ruling of the CJEU. 

“How it will impact on historical cases remains to be seen, but it is probable that applications will be made by persons who have been convicted of offences on evidence that has come from mobile-phone data – the retention of which will be affected by today’s ruling,” Purcell commented.