CJEU Confirms EU Law Precludes The General And Indiscriminate Retention Of Telephony Data For Combating Serious Crime

• Published date: 21 April 2022
• Subject Matter: Litigation, Mediation & Arbitration, Media, Telecoms, IT, Entertainment, Criminal Law, IT and Internet, Mobile & Cable Communications, Trials & Appeals & Compensation, Crime
• Law Firm: Matheson
• Author: Ms Kate McKenna, Carlo Salizzo, Davinia Brennan, Simon Shinkwin and Neringa Juodkunaite

The Court of Justice of the European Union ("CJEU") has confirmed that EU law precludes the general and indiscriminate retention of traffic and location data relating to electronic communications for the purposes of combating serious crime. The CJEU has also found that the Irish court cannot impose a temporal limit on the effect of a declaration of invalidity of national law that provides for such retention. This effectively means that the Irish courts cannot limit the declaration of invalidity to future cases only, and that it applies retrospectively, benefitting cases like Dwyer's.

This case arose as a result of a referral from Ireland's Supreme Court in February 2020. Following a criminal conviction for murder, Mr Graham Dwyer argued that the trial court had incorrectly admitted traffic and location data relating to phone calls as evidence under the Communications (Retention of Data) Act 2011 (the "Data Retention Act"). Mr Dwyer appealed against his conviction, seeking a declaration of incompatibility of the Data Retention Act with EU law, the Charter and the ECHR. His appeal was upheld by the Irish High Court, and the State subsequently appealed the decision to the Supreme Court. The Supreme Court ultimately referred the matter to the CJEU.

Background

The Data Retention Act has long been the subject of criticism as it has continued to operate without modification, notwithstanding that the Data Retention Directive 2006/24/EC was declared invalid by the CJEU in Digital Rights Ireland¹ in 2014, on the grounds that the general obligation for service providers to retain all subscriber, traffic and location data was not limited to what was strictly necessary, and entailed an interference with the fundamental rights of "practically the entire European population". The Data Retention Act gave effect to the Data Retention Directive. Once the Directive was declared invalid, the question arose as to whether national laws providing for the retention of data and access to that data by policy and security authorities fell within the scope of EU. This was answered by the CJEU in Tele2² in 2016.

In Tele2, the CJEU confirmed that Article 15(1) of the ePrivacy Directive 2002/58/EC precludes national legislation which provides for the general and indiscriminate retention of traffic and location data of all subscribers and users. However it is open to Member States to adopt legislation for the targeted retention of such data for the purpose of combating serious crime, provided such retention is limited to what is strictly necessary, and access by national authorities to the retained data is subject to conditions, including prior review by a court or independent authority, and the data is retained within the EU. It is notable that other Member States launched the process for amending the national data retention legislation shortly after the CJEU ruling in Digital Rights Ireland (eg, the UK Data Retention and Investigatory Powers Act 2014 was adopted only three months after the CJEU...