New Irish Data Retention Laws Coming Down The Track

• Published date: 08 November 2022
• Subject Matter: Government, Public Sector, Media, Telecoms, IT, Entertainment, Privacy, Mobile & Cable Communications, Data Protection, Privacy Protection, Terrorism, Homeland Security & Defence, Money Laundering
• Law Firm: Matheson
• Author: Ms Kate McKenna, Davinia Brennan, Simon Shinkwin, Laura McDonnell and Florian Niesel

New Irish data retention laws governing the retention and access of electronic communications data are in the pipeline following two fresh data retention judgments from the Court of Justice of the European Union ("CJEU"). Whilst the Government recently published the Communications (Retention of Data) (Amendment) Act 2022 to provide a temporary fix to the incompatibility of certain provisions of Irish data retention laws with EU laws, a further Bill is coming down the track which will overhaul existing laws.

In this article we discuss two recent judgments of the CJEU and consider the key highlights of the 2022 Amendment Act, which has yet to come into force. We previously discussed the CJEU's prior ruling in GD v Commissioner of An Garda Síoch'na ¹, which arose as a result of a referral from the Irish Supreme Court. In that case, Mr Graham Dwyer who was convicted for murder, argued that the admission of traffic and location data retrieved by the Irish police under the Communications (Retention of Data) Act 2011 ("the 2011 Act") amounted to a breach of Irish and EU law, the Charter and the ECHR. He appealed against his conviction, seeking a declaration that certain provisions of the 2011 Act were invalid. The CJEU ultimately held that the EU law precludes the general and indiscriminate retention of such data for the purposes of combating serious crime. The CJEU also held that a declaration of invalidity of a national measure may have retrospective effect and that a 'quick freeze' of data may be permissible subject to conditions.

1. Recent CJEU Decisions

Telekom Deutschland ², concerned two German telecom companies which challenged obligations imposed on them under the German Telecommunications Law to retain, on a general and indiscriminate basis and for a period of four to ten weeks, customers' traffic and location data. The CJEU confirmed that such retention for the purposes of combating serious crime was in violation of EU law and the Charter, as it would otherwise allow the creation of exact profiles of people's private lives. The ability to draw a profile about a person's life would in any event be serious regardless of the length of the retention period and the quantity or nature of the data retained. The CJEU repeated that EU law does not preclude retention to protect national and public security and to combat serious crime where it is targeted and limited in time to what is strictly necessary. The court re-iterated that a 'quick freeze' or expedited...