CJEU ruling in Dwyer case raises issues for Oireachtas and Irish courts

European court found indiscriminate retention of data of all citizens not permissible

On Tuesday the Court of Justice of the European Union (CJEU) found that the Communications (Retention of Data) Act 2011 was incompatible with EU law and that activities authorised under the Act – which include the use of phone data subsequently used in criminal prosecutions (including in the conviction of Graham Dwyer for the murder of Elaine O’Hara), had breached the privacy rights of the individuals to whom that data related.

The decision was, in many respects, unsurprising, coming at the end of a long line of decisions and two judgments delivered by the CJEU in 2020 which invalidated similar pieces of national legislation from other jurisdictions. Despite this somewhat predictable outcome the decision raises two issues that the Irish courts and the Oireachtas will have to address.

First, the Supreme Court must now consider whether evidence gathered in a way subsequently found to breach a person’s rights under EU law can be relied upon to ground a conviction. This applies to Dwyer’s conviction but also to other convictions which used evidence collected under the Act.

There is some indication as to how they may approach this issue from decisions in previous cases. One case (DPP v JC) dealt with evidence that was obtained in breach of a defendant’s constitutional rights. Another, older case (DPP v O’Brien) dealt with evidence illegally obtained.


The decision in both cases was that evidence obtained in breach of rights could be relied upon in certain circumstances

Supreme Court discretion

The position of the High Court in Dwyer’s case appears to have been that as the evidence in that case was obtained in a way that breaches EU law rights O’Brien should be the case relied upon. In either case, the Supreme Court would enjoy some discretion over whether the evidence could be relied upon and in light of the circumstances in which the evidence was gathered and the breach of rights that had taken place.

The Supreme Court will have to consider which of the two cases – JC or O’Brien – is relevant where a person’s rights under EU law are breached. The court will then also have to consider whether the standards that have been established for admitting evidence in those two cases can be applied to a case involving breaches of rights under EU law.

The principle of effectiveness in EU law requires national courts to make sure the procedural rules and remedies available before domestic courts do not mean that claims based on EU law (or a violation of EU law) are impossible or excessively difficult to enforce.

Figures released by the Department of Justice this week show a sharp decrease in Garda reliance on the 2011 Act since 2018, but this still leaves cases decided before 2018 (including Dwyer’s) subject to review in light of Tuesday’s judgment.

The second issue which must be addressed is how the Oireachtas legislates for retention of data – and access to retained data – in a way that complies with the court’s ruling.

EU laws permit states to put in place legislation to allow for the retention of telephony data, a fact the CJEU emphasised in its judgment. In particular, national law can provide for the retention of data including in cases involving organised crime or threats to national security or where the retention is limited to targeted categories of individuals or geographic areas.

Indiscriminate retention

However, the “indiscriminate” retention of data of all citizens is not permissible. There is concern that these limits may impact criminal investigations – as in the murder of Elaine O’Hara. The CJEU appears to be aware of this concern, noting that there is nothing to prevent the introduction of a system where national authorities can apply to a court for an order that data concerning a suspect in a criminal investigation be retained.

This expedited retention would allow An Garda Síochána or other authorities to seek an order that service providers retain telephony data of named individuals from a given date onwards so that gardaí may access it as part of their investigations.

Any national laws permitting retention of data in these circumstances, or providing for an expedited retention process, will need to be provided for through legislation that lays down clear and precise rules governing the scope and application of the measures involved.

To ensure that these rules are observed and enforced the CJEU emphasised in its judgment that national legislation should provide for prior review by a court of any request to access data. How these requirements and the provisions of the CJEU’s previous decisions in respect of data retention are reflected in legislation remains to be seen.

Previous legislative amendments proposed following CJEU decisions in 2015 lapsed and did not enter into force. The requirements of EU law in respect of retained data are now clear both as a result of the court’s decision and the broader body of decisions of which it is only the most recent iteration. How those requirements will be reflected in Irish law remains to be seen.

Róisín A Costello is an assistant professor in the School of Law and Government at DCU