Subscriber OnlyCrime & LawAnalysis

New law on phone data retention likely to be challenged in court

Data privacy campaigner concerned law permits Minister to get ‘mass surveillance’ orders after private court hearing

Mobile phone metadata retained and accessed under the 2011 Act formed a key part of the prosecution case against Graham Dwyer for the 2012 murder of childcare worker Elaine O’Hara. Photograph: Cyril Byrne
Mobile phone metadata retained and accessed under the 2011 Act formed a key part of the prosecution case against Graham Dwyer for the 2012 murder of childcare worker Elaine O’Hara. Photograph: Cyril Byrne

A legal challenge appears likely to a controversial law under which the Minister for Justice received High Court orders this week, after a private hearing, requiring the retention of mobile phone metadata and internet source data on State security grounds.

The orders were obtained on Monday under the Communications (Retention of Data) (Amendment) Act 2022, which came into operation the same day.

The Act was rushed through the Oireachtas last summer with minimal pre-legislative scrutiny in response to convicted murderer Graham Dwyer’s successful challenge to the regime for retaining and accessing data in the Communications (Retention of Data) Act 2011.

Mobile phone metadata retained and accessed under the 2011 Act formed a key part of the prosecution case against Dwyer who was convicted in 2015 for the 2012 murder of childcare worker Elaine O’Hara. Although his data case victory did not persuade the Court of Appeal earlier this year to overturn his conviction, Dwyer wants the Supreme Court to hear a further appeal.

READ MORE

His application will be considered by a panel of Supreme Court judges on Monday. Their decision on whether or not to hear an appeal will be delivered via a published determination on a later date.

The 2011 Act was introduced to implement the EC Data Retention Directive but the directive was struck down in 2014 by the Court of Justice of the European Union (CJEU) on privacy grounds following challenges by Digital Rights Ireland (DRI) and others.

Data privacy campaigners have long argued the State has failed to adequately respond to the problems with the 2011 Act, despite being on specific notice of the issues since 2017 when a review by Mr Justice John Murray concluded many of the provisions of the 2011 Act did not comply with EU law.

The Government has promised comprehensive legislation since 2017 but its legislative programme for the summer session 2023, published in April, stated that heads of a Communications (Data, Retention and Disclosure) Bill are still in preparation.

Pending that, the 2022 Act, amending the 2011 Act, has essentially been put in place as an interim measure, a workaround response to the outcome of the Dwyer data case.

Minister says phone data retention order will ‘safeguard’ State securityOpens in new window ]

The 2022 Act provides for general and indiscriminate retention of user data and internet source data for a default period of one year. The Minister may prescribe a different period of up to two years on grounds of combating crime, safeguarding State security, protecting the life and safety of people or locating missing persons.

Section 3A provides the Minister may, once satisfied of a “serious and genuine, present or foreseeable threat to the security of the State”, apply to the High Court for an order requiring general and indiscriminate retention of mobile phone traffic and location data, and internet source data, for 12 months. Before making the application, the Minister must have assessed the threat and decided the application was necessary and proportionate.

Section 3A provides such applications “shall” be made ex parte (one side only represented) and “shall be heard otherwise than in public”.

This week’s application by the Minister was made after consultation with the Garda Commissioner.

In line with some of the findings of the CJEU in Dwyer’s case, the 2022 Act also provides for gardaí and other bodies to apply to the District Court on an in-camera basis for data preservation and production orders.

According to civil liberties and data privacy lawyers and campaigners, the 2022 Act does not meet the requirements of EU law concerning data privacy. The Oireachtas justice committee is also among those to warn it may be vulnerable to legal challenge.

Solicitor Simon McGarr, a data rights specialist, has suggested the Act may also risk the validity of criminal prosecutions that rely on data gathered under it.

Among several concerns of Dr TJ McIntyre, chairperson of Digital Rights Ireland, is that an order permitting “mass surveillance” was obtained at a private court hearing on foot of material not available for public scrutiny.

A legal challenge to the 2022 Act is very likely, he believes. The State’s failure to adhere to the European law requirement to notify the European Commission of the draft legislation before the 2022 Act was signed into law is an immediate problem, he noted.

The uncertainty about the legal position is a growing source of concern for telecoms companies, an informed source said. “To say they are frustrated is an understatement.”