Explained: The EU court decision on mobile phone data

13 Apr 2022


On 5 April, the EU Court of Justice made a landmark ruling on how mobile phone metadata is retained. William Fry’s David Cullen explains what this means for Ireland.

In 2015, Graham Dwyer was sentenced to life in prison for murder. Key evidence against Dwyer included traffic and location data relating to telephone calls from his mobile phone, which the prosecution successfully argued placed him at the scene of the murder. Dwyer challenged the admissibility of this evidence in his conviction.

On 5 April 2022, the Court of Justice of the European Union (CJEU) issued its judgment following a reference from the Irish Supreme Court, dealing with questions focusing on the admissibility of retained mobile phone metadata as evidence.

The CJEU, agreeing with the opinion of the advocate general given in November 2021, held that Ireland’s Communications (Retention of Data) Act 2011 was in breach of EU law, following its earlier decision in a Digital Rights Ireland case.

The Digital Rights Ireland case

In 2014, the CJEU ruled that directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks was invalid.

The 2006 directive was given effect in Ireland through the 2011 act, the validity of which Dwyer contested. A deciding factor in the Digital Rights Ireland case was that the directive disproportionately interfered with the rights recognised by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

Articles 7 and 8 of the charter deal respectively with the fundamental right to respect for privacy and family life, and the right to have personal data protected.

What the CJEU judgment means

The CJEU held that there could not be general and indiscriminate retention of mobile phone metadata. Ireland raised arguments for an exception to this previously stated position, at least in relation to serious crime. However, the CJEU stated that serious crime could not be treated in the same way as a threat to national security.

While setting a high bar, the CJEU did recognise the value of such information in tackling serious crime and held that the retention of mobile data could be allowed where that retention was targeted, for example, limited to a certain category of people or geographical criteria, and where the access to such data was subject to independent oversight.

The CJEU also clarified that where sellers of mobile phones, SIM cards or other means of electronic communication required a check of official documents to establish the purchaser’s identity for registration purposes and then retained such data, the seller can give access to that information to the competent national authorities, where it is necessary and proportionate to the aim of combatting serious crime.

Furthermore, in a similar manner, the judgment provided a path for member states for the expedited retention or ‘quick freeze’ of traffic and location data in the possession of service providers.

The CJEU clarified that the privacy and electronic communications directive goes further than merely creating a framework for access to electronic communication data to safeguard against abuse. In fact, the privacy and electronic communications directive maintains the principle of prohibition of storage of traffic and location data.

Furthermore, the CJEU precluded the Irish courts, and any national member state courts, from limiting the temporal effects of the declaration of invalidity of national legislation in response to the decision made in this case. Therefore, this decision is likely to have retroactive effect where such data was indiscriminately and wrongfully retained.

Effect on the Dwyer case

The result of the CJEU ruling does not come as a surprise, as questions over the 2011 act’s validity had been raised ever since the Digital Rights Ireland case, and the CJEU was expected to agree with the earlier opinion of the advocate general.

The matter on the admissibility of the metadata evidence will now be referred back to the Irish Supreme Court and Dwyer’s substantial appeal against his conviction will be decided in the Court of Appeal.

The CJEU decision is not necessarily fatal to the State’s case. There is still scope for the metadata to be accepted, as previous Supreme Court jurisprudence allows for evidence to be admitted even where a breach has occurred, as long as it can be shown that the breach was inadvertent or in good faith.

It will be interesting to see if the timing of the decision in the Digital Rights Ireland case will play a factor if the court is asked to make a decision on whether the relevant actions of the police can be found to have been inadvertent or in good faith.

This decision by the CJEU shows the strict interpretation of laws regulating data protection in the EU-wide implementation of the GDPR. The application of these laws with regard to the lawful retention of data and related matters affects not only governments and state investigations, but private businesses as well.

Therefore, this decision should act as a warning to any controllers or processors of data to ensure their data retention policies fall in line with the requirements under GDPR.

By David Cullen

David Cullen is a partner and head of the Technology Group at William Fry.
